Jump to content

NEW ISSUE/BUG - Parsing Outlook headers and showing Hotmail reporting address


Recommended Posts

I do a few reports a day. My email comes in through Outlook365 Exchange and I generally report messages that hit my quarantine.

Just in the past few days, about half of the messages I report to Spamcop come back saying that the report will go to Hotmail, when the sender is clearly someone else. Below is a screenshot. Looking at the header, the email is clearly coming from Sendgrid.

I haven't change the way I'm reporting, and report using the full (huge) Outlook365 Exchange headers. What's going on?



Link to comment
Share on other sites


The Tracking URI from above so others can see what the parser did, and why report was sent to hotmail.

3: Received: from ME1AUS01FT007.eop-AUS01.prod.protection.outlook.com (2a01:111:f400:7eb4::204) by ME1PR01CA0078.outlook.office365.com (2603:10c6:200:18::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.991.14 via Frontend Transport; Mon, 27 Mar 2017 10:46:29 +0000

Hostname verified: mail-me1aus01lp0204.outbound.protection.outlook.com

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust this Received line.

Tracking message source: 2603:10c6:200:18:0:0:0:11:

Routing details for 2603:10c6:200:18:0:0:0:11
[refresh/show] Cached whois for 2603:10c6:200:18:0:0:0:11 : abuse@microsoft.com
abuse@hotmail.com redirects to report_spam@hotmail.com
Using best contacts report_spam@hotmail.com

This post does not provide a suggested correction to the abuse@ address for this IP so moved up a level

Link to comment
Share on other sites

The email headers don't look at ALL like a forgery. I've attached a PDF of the top part of the (munged) headers, with the very obvious Sendgrid stuff highlighted.

This is the kind of headers (with a bunch of other X- lines below this) that Outlook365 Exchange always has, and up until the past few days, they've all parsed fine. Now, some parse perfectly, others do what this one has done.


Spamcop - sendgrid.pdf

Link to comment
Share on other sites

1. the link you provided is not accessible to anyone except you.

2.  The Tracking URL in my post, copied from your original post, gives everyone access to the munged spam, and the information the parser provided.

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...