remay

Inconsistent detection of X-Originating-IP by SC processing

4 posts in this topic

When I submit the numerous African scam emails to SC, SC inconsistently detects the X-Originating-IP address that is contained in most of them.

Below are some examples. I'd say that about 10% of X-Originating-IP addresses listed in emails submitted to SC are detected and reported by SC.

For the rest of those IP addresses, it requires manual email submission outside of SC to the abuse contacts.

Why does SC detect and report so few of the X-Originating-IP addresses?

 

(detected X-Originating-IP)
X-Originating-IP: 41.85.176.110
https://www.spamcop.net/sc?id=z6403748467z699c93e5f840844ede2b8d8d2a237554z

X-Originating-IP: 41.85.176.110
https://www.spamcop.net/sc?id=z6404117097zb4a331cc2a42604adca1ee392ccaabc0z


(did NOT detect X-Originating-IP - NOTE that I tried removing the brackets and did a test submission, but the IP address was still not detected)
X-Originating-IP: [41.86.234.162]
https://www.spamcop.net/sc?id=z6406866999z99adf4922fa966b5fed68ebaf3b2fd37z

X-Originating-IP: [41.85.161.155]
https://www.spamcop.net/sc?id=z6406728731z23dd15f2eb5e25f40a46806c87083ddaz
 


Looking at the spams, it would appear that the spammer is adding the X-Originating-IP header to confuse the matter.  I do not see that IP listed in any Received lines.

As it stands, I can trust any spam as far back as my border server.  I cannot trust it past that.  My border server will have the logs with the IP that I need to report.  They in turn can use their logs and pass it up to their suspected source.


Well, ok... I guess.

That still doesn't explain the inconsistency in SC detection.

Here are more examples:

(picked up originating IP but not hotmail IP addr)

Received: from NAM03-BY2-obe.outbound.protection.outlook.com (mail-by2nam03hn0242.outbound.protection.outlook.com. [104.47.42.242])

Received: from [192.168.43.78] (105.112.40.40) 
https://www.spamcop.net/sc?id=z6409167115za761b3104214b72db296057e7e7d1c25z


(detected X-Originating-IP )
X-Originating-IP: [154.118.6.108]
https://www.spamcop.net/sc?id=z6407552726zb56b967b54eb78cfb1ad7d9571f6e59fz
 

As far as confusing the matter, I feel the X-Originating-IP address is valid enough since they almost ALWAYS lead back to afrinic.net controlled IP addresses. SO I will CONTINUE to report them manually. I just wish SC would do it more consistently, because it DOES sometimes.

 


SC does not pay any attention to header lines added by any unknown application starting with X-???, for example "X-Originating-IP: [154.118.6.108]".

In your last example the IP address [154.118.6.108]  was identified from

Quote:
    1: Received: from I-PC (154.118.6.108) by DM5PR0101MB3131.prod.exchangelabs.com (10.174.182.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.56.11; Tue, 19 Sep 2017 03:57:59 +0000

    No unique hostname found for source: 154.118.6.108
    Hotmail/MSN received mail from sending system 154.118.6.108

not from the X-Originating-IP line.  You will notice SC also ignored the line X-OriginatorOrg: mail.uc.edu.

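As an added illustration (not part of any post in this thread, and not SpamCop's own code), here is a small Python parser that does what the two replies above describe: it walks the Received headers from the top (the hop recorded by the reporter's own border server) outward, keeps walking only while the hop was recorded by a relay it trusts, and never consults X-Originating-IP or any other X-* header. The sample headers are constructed from the lines quoted in this thread; the border host mx.example.net, its Postfix queue id, and the choice to trust the outlook.com outbound range as a relay (the way SpamCop trusts Hotmail/MSN in the quoted report) are assumptions.

```python
import email
import ipaddress
import re

# Constructed sample, modelled on the headers quoted in this thread.
# The topmost Received line is the most recent hop (mx.example.net is an
# assumed name for our own border MX); X-Originating-IP is whatever the
# sender chose to write and is not evidence of anything.
SAMPLE = """\
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (mail-by2nam03hn0242.outbound.protection.outlook.com. [104.47.42.242]) by mx.example.net (Postfix) with ESMTPS id ABC123; Tue, 19 Sep 2017 04:00:01 +0000
Received: from I-PC (154.118.6.108) by DM5PR0101MB3131.prod.exchangelabs.com (10.174.182.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.56.11; Tue, 19 Sep 2017 03:57:59 +0000
X-Originating-IP: [41.86.234.162]
X-OriginatorOrg: mail.uc.edu
Subject: test

body
"""

# Relays whose Received lines we trust to have recorded the real peer.
# Assumption: treat the outlook.com outbound range as such a relay, the
# way SpamCop treats Hotmail/MSN in the report quoted above.
TRUSTED_RELAYS = [ipaddress.ip_network("104.47.0.0/17")]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def sending_ip(received_value):
    """Return the first public IPv4 address in the 'from' clause of one
    Received header value, or None when the hop only shows private or
    loopback addresses. Handles the 'from [192.168.43.78] (105.112.40.40)'
    shape from this thread, where only the parenthesised address is public."""
    from_clause = received_value.split(" by ", 1)[0]
    for candidate in IPV4.findall(from_clause):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if ip.is_global:
            return ip
    return None


def find_source(raw_message, trusted=TRUSTED_RELAYS):
    """Walk the Received chain from our border server outward and return the
    first sending IP that was not itself written by a trusted relay.
    X-Originating-IP and other X-* headers are never consulted: only a hop
    recorded by a server we trust counts as evidence."""
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Received") or []:
        ip = sending_ip(value)
        if ip is None:
            continue  # internal hop, nothing reportable here
        if any(ip in net for net in trusted):
            continue  # a relay we trust; use what it recorded on the next hop
        return str(ip)
    return None


def claimed_originating_ip(raw_message):
    """What the message *claims* via X-Originating-IP (brackets stripped).
    Returned only so it can be compared with the chain; it carries no weight."""
    value = email.message_from_string(raw_message).get("X-Originating-IP")
    return value.strip().strip("[]") if value else None


if __name__ == "__main__":
    print("reportable source:", find_source(SAMPLE))                    # 154.118.6.108
    print("claimed X-Originating-IP:", claimed_originating_ip(SAMPLE))  # 41.86.234.162
```

With the trusted-relay list emptied, the walk stops at the border server's immediate peer (104.47.42.242, the Outlook outbound host), which is exactly the "as far back as my border server" position from the second post; adding the relay to the trusted set is what lets the walk continue one hop further to 154.118.6.108, matching the quoted SpamCop report.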
