efa

source IP is wrong


hi,

I received this scam/fraud spam:

https://www.spamcop.net/sc?id=z6489923983z26622d4c582ecd9c34c736063540b444z

seems the parse header engine identified the source IP as:

IPv6: 2002:aed:24f5:0:0:0:0:0

that is a 6to4 range and embeds the IPv4: 10.237.36.245

that is a private LAN address, so cannot be the source IP.

What is the real source IP, and its responsible admin?

 

16 minutes ago, efa said:

that is a private LAN address, so cannot be the source IP.

Google/Gmail are playing silly buggers. They are putting in a network IP as a received point.

You need to remove the 2nd line so it leaves no space (or just put "truncated" in its place):

Received: by 2002:aed:24f5:0:0:0:0:0 with SMTP id u50-v6csp3903022qtc; 

SpamCop will then parse it fine.

https://www.spamcop.net/sc?id=z6490007164za1e5f4bb82209c71fb6fe63221171191z

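Added example, not part of any post in this thread: the 6to4 decoding from the first post and the skipping of the internal hop suggested in the reply, sketched in Python. The function names and the second sample header (documentation address and hostnames) are assumptions made for illustration; this is not SpamCop's parser.

```python
import ipaddress
import re

# RFC 1918 ranges listed explicitly, so the result does not depend on how a
# given Python version defines is_private.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def embedded_ipv4(text):
    """IPv4 address a hop resolves to: itself, or the 6to4 payload (2002::/16)."""
    addr = ipaddress.ip_address(text)
    return addr if addr.version == 4 else addr.sixtofour  # None if not 6to4


def is_internal(text):
    """True when the address is, or embeds via 6to4, an RFC 1918 address."""
    v4 = embedded_ipv4(text)
    return v4 is not None and any(v4 in net for net in RFC1918)


def hop_addresses(received_lines):
    """First IP literal of each Received line, paired with its internal flag."""
    hops = []
    for line in received_lines:
        for token in re.split(r"[\s\[\]();]+", line):
            try:
                ipaddress.ip_address(token)
            except ValueError:
                continue  # not an IP literal (hostname, keyword, queue id)
            hops.append((token, is_internal(token)))
            break
    return hops


def first_routable_hop(received_lines):
    """Topmost hop that is not internal, or None if every hop is internal."""
    return next((ip for ip, internal in hop_addresses(received_lines)
                 if not internal), None)


# First line is the one quoted in the thread; the second is constructed
# (documentation address and hostnames, not taken from the reported message).
SAMPLE = [
    "Received: by 2002:aed:24f5:0:0:0:0:0 with SMTP id u50-v6csp3903022qtc;",
    "Received: from relay.example.net (relay.example.net. [198.51.100.7]) "
    "by mx.example.com with ESMTPS id constructed1;",
]

if __name__ == "__main__":
    print(hop_addresses(SAMPLE))
    print(first_routable_hop(SAMPLE))
```

The first routable hop is only where the receiving provider accepted the message from; when a forwarding alias sits in between, the headers added before that relay still have to be read to go further back.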

I'm quite sure that 62.149.158.115/Aruba is not the mail source IP, as Aruba is the host of destination mail with @pvi.it domain

Edited by efa

2 hours ago, efa said:

62.149.158.115

is where Gmail servers accepted the email from.

spf=pass (google.com: domain of direttivo-return-6263-attilio.bongiovanni=gmail.com@pvi.it designates 62.149.158.115 as permitted sender) smtp.mailfrom="direttivo-return-6263-attilio.bongiovanni=gmail.com@pvi.it"


we have an alias hosted on Aruba servers that is <direttivo pvi.it>

this alias redirects to some real emails, one of them is:

<attilio.bongiovanni gmail.com>

from where the headers come from.

 

So spam comes from an unknown IP, goes to <direttivo pvi.it> hosted on Aruba servers, then is redirected to the Google account.

The question is: what is the real source IP of the spam?

Edited by efa

2 hours ago, efa said:

The question is: what is the real source IP of the spam?

62.149.158.214 abuse@staff.xxx

Still same black hat abuse address who don't care

Edited by petzl
