Is Spamcop parser finding correct sender for Hotmail spam?


MyNameHere

I've noticed that all the spam I report from my Hotmail account is reported to the same place for the message source: danorm [at] microsoft.com

After trying and discarding a bunch of received lines, the parser always ends up with an address that looks like "2a01:111:f400:7e4a:0:0:0:208," which is then reported to the above email address. For the past week, at least, the "2a01:111:f400" part has been constant, with some minor variations in the "7e4a" part and the "208" part.

This happens even for legitimate emails that I parsed just to see where they would be reported....

Any ideas?

Thanks!


Received: from SN1PR19MB0445.namprd19.prod.outlook.com (10.163.228.23) by CY1PR19MB0444.namprd19.prod.outlook.com (10.164.0.15) with Microsoft SMTP Server (TLS) id 15.1.361.13 via Mailbox Transport; Wed, 23 Dec 2015 11:25:21 +0000
Received: from BY1PR19CA0038.namprd19.prod.outlook.com (10.162.139.176) by SN1PR19MB0445.namprd19.prod.outlook.com (10.163.228.23) with Microsoft SMTP Server (TLS) id 15.1.361.13; Wed, 23 Dec 2015 11:25:21 +0000
Received: from BL2NAM02FT006.eop-nam02.prod.protection.outlook.com (2a01:111:f400:7e46::208) by BY1PR19CA0038.outlook.office365.com (2a01:111:e400:51a3::48) with Microsoft SMTP Server (TLS) id 15.1.361.13 via Frontend Transport; Wed, 23 Dec 2015 11:25:20 +0000
Received: from BAY004-MC5F5.hotmail.com (10.152.76.55) by BL2NAM02FT006.mail.protection.outlook.com (10.152.76.239) with Microsoft SMTP Server (TLS) id 15.1.355.15 via Frontend Transport; Wed, 23 Dec 2015 11:25:19 +0000
Received: from ded1.exinary.com ([199.217.119.143]) by BAY004-MC5F5.hotmail.com with Microsoft SMTPSVC(7.5.7601.23143); Wed, 23 Dec 2015 03:25:18 -0800
From: Google Reminder <guama[at]sunmed.com>

Of course I don't know about "all" your other spam, but the example you provided in #5 above never left Microsoft, so the parser assumes the reliable source must be Microsoft.

As an email goes through the internet on its way to its destination, each server adds a 'Received:' entry to the header, parts of which can easily be forged. In this case, the line "Received: from ded1.exinary.com ([199.217.119.143])" cannot be relied on to be valid. For example, if I do a WhoIs on the domain name I get:

Registrant Name: Support Team
Registrant Organization: Exinary Technologies Pvt Ltd
Registrant Street: Technopark Campus, Trivandrum
Registrant City: Trivandrum
Registrant State/Province: Kerala
Registrant Postal Code: 695581
Registrant Country: IN
Registrant Phone: +91.8129291097
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: mail[at]exinary.com

Notice the country code IN (India).

On the other hand, doing a WhoIs on the IP address results in:

OrgName: Hosting Solutions International, Inc.
OrgId: SERVE-6
Address: 210 North Tucker Blvd.
Address: Suite 910
City: Saint Louis
StateProv: MO
PostalCode: 63101
Country: US

Even the casual observer would question why one of the high-tech companies in the Technopark in India would use a St. Louis, MO hosting service. So, dropping back to the server in 'BAY004' for Hotmail, we end up with Microsoft as the place to send the spam report. QED


I would suggest re-adding mailhosts for your email address at https://www.spamcop.net/mcgi?action=mhedit. Microsoft has a lot of mail servers involved with their stuff, and I'm thinking your SpamCop settings might not be up to date. I have accounts at Hotmail and protected by Microsoft's cloud filtering service, so when I look at your tracking URL, it shows the MS IPs as verified and actually targets the last IP as the source of the spam.

Parsing header:
host 2a01:111:f400:7e46:0:0:0:208 = mail-bl2nam02lp0208.outbound.protection.outlook.com (cached)
mail-bl2nam02lp0208.outbound.protection.outlook.com is 2a01:111:f400:7e46:0:0:0:208
0: Received: from SN1PR19MB0445.namprd19.prod.outlook.com (10.163.228.23) by CY1PR19MB0444.namprd19.prod.outlook.com (10.164.0.15) with Microsoft SMTP Server (TLS) id 15.1.361.13 via Mailbox Transport; Wed, 23 Dec 2015 11:25:21 +0000
Internal handoff at Hotmail/MSN

1: Received: from BY1PR19CA0038.namprd19.prod.outlook.com (10.162.139.176) by SN1PR19MB0445.namprd19.prod.outlook.com (10.163.228.23) with Microsoft SMTP Server (TLS) id 15.1.361.13; Wed, 23 Dec 2015 11:25:21 +0000
Internal handoff at Hotmail/MSN

2: Received: from BL2NAM02FT006.eop-nam02.prod.protection.outlook.com (2a01:111:f400:7e46::208) by BY1PR19CA0038.outlook.office365.com (2a01:111:e400:51a3::48) with Microsoft SMTP Server (TLS) id 15.1.361.13 via Frontend Transport; Wed, 23 Dec 2015 11:25:20 +0000
Hostname verified: mail-bl2nam02lp0208.outbound.protection.outlook.com
Hotmail/MSN received mail from Hotmail/MSN ( 2a01:111:f400:7e46:0:0:0:208 )

3: Received: from BAY004-MC5F5.hotmail.com (10.152.76.55) by BL2NAM02FT006.mail.protection.outlook.com (10.152.76.239) with Microsoft SMTP Server (TLS) id 15.1.355.15 via Frontend Transport; Wed, 23 Dec 2015 11:25:19 +0000
Internal handoff at Hotmail/MSN

4: Received: from ded1.exinary.com ([199.217.119.143]) by BAY004-MC5F5.hotmail.com with Microsoft SMTPSVC(7.5.7601.23143); Wed, 23 Dec 2015 03:25:18 -0800
Hostname verified: ded1.exinary.com
Hotmail/MSN received mail from sending system 199.217.119.143

Tracking message source: 199.217.119.143:
Routing details for 199.217.119.143
Cached whois for 199.217.119.143 : abuse[at]hostingsolutionsinternational.com
Using abuse net on abuse[at]hostingsolutionsinternational.com
abuse net hostingsolutionsinternational.com = postmaster[at]hostingsolutionsinternational.com, abuse[at]hostingsolutionsinternational.com
Using best contacts postmaster[at]hostingsolutionsinternational.com abuse[at]hostingsolutionsinternational.com
Sorry, this email is too old to file a spam report. You must report spam within 2 days of receipt. This mail was received on Wed, 23 Dec 2015 03:25:18 -0800
Message is 12.6 days old
199.217.119.143 not listed in cbl.abuseat.org
199.217.119.143 not listed in dnsbl.sorbs.net
199.217.119.143 not listed in accredit.habeas.com
199.217.119.143 not listed in plus.bondedsender.org
199.217.119.143 not listed in iadb.isipp.com
I'm not sure if it's better or worse, but my config points to the IP that connected to Hotmail to send the spam, rather than reporting it to Hotmail itself. I don't know if the ISP is going to do anything about the IP sending spam through Hotmail, or how vigilant Hotmail is about removing spammers, so I don't know which method of reporting would be more effective.
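The two replies above describe the same idea from different angles: the Received: chain is read from the newest entry downward, hops inside your own provider's servers are "internal handoffs", and the first hop that came from outside that trusted set is the system to report. The SpamCop mailhosts configuration is what tells the parser which servers count as "yours". The script below is an added illustration of that trust-boundary walk, not SpamCop's own parser and not anything from this thread's posters; it uses the five Received: lines quoted in the parse output above as constructed sample input and a hypothetical mailhosts set of Microsoft domains as the trusted relays. Run once with no mailhosts configured, it stops at Microsoft's public IPv6 relay (the behaviour the original poster saw); run with the Hotmail/Outlook domains trusted, it walks through to the external sender.

```python
import ipaddress
import re
from typing import List, Optional, Set, Tuple

# Constructed sample input: the Received: headers quoted in the parse output above,
# ordered newest (top of the message) to oldest.
SAMPLE_RECEIVED = [
    "Received: from SN1PR19MB0445.namprd19.prod.outlook.com (10.163.228.23) by "
    "CY1PR19MB0444.namprd19.prod.outlook.com (10.164.0.15) with Microsoft SMTP Server (TLS) "
    "id 15.1.361.13 via Mailbox Transport; Wed, 23 Dec 2015 11:25:21 +0000",
    "Received: from BY1PR19CA0038.namprd19.prod.outlook.com (10.162.139.176) by "
    "SN1PR19MB0445.namprd19.prod.outlook.com (10.163.228.23) with Microsoft SMTP Server (TLS) "
    "id 15.1.361.13; Wed, 23 Dec 2015 11:25:21 +0000",
    "Received: from BL2NAM02FT006.eop-nam02.prod.protection.outlook.com (2a01:111:f400:7e46::208) by "
    "BY1PR19CA0038.outlook.office365.com (2a01:111:e400:51a3::48) with Microsoft SMTP Server (TLS) "
    "id 15.1.361.13 via Frontend Transport; Wed, 23 Dec 2015 11:25:20 +0000",
    "Received: from BAY004-MC5F5.hotmail.com (10.152.76.55) by "
    "BL2NAM02FT006.mail.protection.outlook.com (10.152.76.239) with Microsoft SMTP Server (TLS) "
    "id 15.1.355.15 via Frontend Transport; Wed, 23 Dec 2015 11:25:19 +0000",
    "Received: from ded1.exinary.com ([199.217.119.143]) by BAY004-MC5F5.hotmail.com with "
    "Microsoft SMTPSVC(7.5.7601.23143); Wed, 23 Dec 2015 03:25:18 -0800",
]

# Hypothetical "mailhosts" configuration: domains whose servers we trust to have
# written honest Received: lines. Anything below the first untrusted hop is
# written by servers we do not control and may be forged, so we never read it.
MAILHOSTS_CONFIGURED: Set[str] = {"outlook.com", "office365.com", "hotmail.com"}

# Matches "from <host> (<ip>)" and "from <host> ([<ip>])" as written by Microsoft's servers.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<host>\S+)\s+\(\[?(?P<ip>[0-9A-Fa-f.:]+)\]?\)",
    re.IGNORECASE,
)


def parse_hop(line: str) -> Optional[Tuple[str, ipaddress._BaseAddress]]:
    """Return (from_host, from_ip) for one Received: line, or None if it has no usable IP."""
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    try:
        return m.group("host").lower(), ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None


def host_in_domains(host: str, domains: Set[str]) -> bool:
    """True if host is one of the configured domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def find_source(received_lines: List[str], mailhosts: Set[str]) -> Optional[str]:
    """Walk the chain newest-to-oldest and return the first IP outside the trusted relays.

    Private/loopback addresses and hosts inside `mailhosts` are internal handoffs
    and are skipped. The first other address is the sending system; everything
    after it is untrusted and is deliberately not examined.
    """
    for line in received_lines:
        hop = parse_hop(line)
        if hop is None:
            continue
        host, ip = hop
        if ip.is_private or ip.is_loopback:
            continue  # internal handoff on a private network
        if host_in_domains(host, mailhosts):
            continue  # internal handoff between our provider's public relays
        return str(ip)
    return None


if __name__ == "__main__":
    # No mailhosts configured: the walk stops at Microsoft's first public relay.
    print("no mailhosts:  ", find_source(SAMPLE_RECEIVED, set()))
    # Mailhosts configured: the walk reaches the system that connected to Hotmail.
    print("with mailhosts:", find_source(SAMPLE_RECEIVED, MAILHOSTS_CONFIGURED))
```

The first run reports the 2a01:111:f400:... relay, which is why an unconfigured parse ends up at a Microsoft abuse address; the second reports 199.217.119.143. Hostname checking here is a plain domain-suffix match on the name the trusted server recorded; the real parser additionally verifies the name against reverse DNS, as the "Hostname verified" lines in the output above show.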

I would suggest re-adding mailhosts for your email address at https://www.spamcop.net/mcgi?action=mhedit. Microsoft has a lot of mail servers involved with their stuff, and I'm thinking your SpamCop settings might not be up to date. I have accounts at Hotmail and protected by Microsoft's cloud filtering service, so when I look at your tracking URL, it shows the MS IPs as verified and actually targets the last IP as the source of the spam.

[snip]

Yep, I think you're psychic. Just this morning I went to the mailhosts and found that nothing was set up. I thought I had done that, but I did it again, and now it's finding non-Microsoft sources for most of my spam emails.

Thanks!
