NEW ISSUE/BUG - Parsing Outlook headers and showing Hotmail reporting address


Cutsnake88

I do a few reports a day. My email comes in through Outlook365 Exchange and I generally report messages that hit my quarantine.

Just in the past few days, about half of the messages I report to Spamcop come back saying that the report will go to Hotmail, when the sender is clearly someone else. Below is a screenshot. Looking at the header, the email is clearly coming from Sendgrid.

I haven't changed the way I'm reporting, and report using the full (huge) Outlook365 Exchange headers. What's going on?

 

Spamcop_reporting_error.png


https://www.spamcop.net/sc?id=z6365955700z76292dfde07e1d1d20f190a3456f09f4z

The Tracking URI from above so others can see what the parser did, and why the report was sent to Hotmail.

Quote
3: Received: from ME1AUS01FT007.eop-AUS01.prod.protection.outlook.com (2a01:111:f400:7eb4::204) by ME1PR01CA0078.outlook.office365.com (2603:10c6:200:18::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.991.14 via Frontend Transport; Mon, 27 Mar 2017 10:46:29 +0000

Hostname verified: mail-me1aus01lp0204.outbound.protection.outlook.com

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust this Received line.

Tracking message source: 2603:10c6:200:18:0:0:0:11:

Routing details for 2603:10c6:200:18:0:0:0:11
[refresh/show] Cached whois for 2603:10c6:200:18:0:0:0:11 : abuse@microsoft.com
abuse@hotmail.com redirects to report_spam@hotmail.com
Using best contacts report_spam@hotmail.com

This post does not provide a suggested correction to the abuse@ address for this IP so moved up a level
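A simplified model of the check reported in the parser output above ("Supposed receiving system not associated with any of your mailhosts"), as an added example that is not part of the original thread and is not SpamCop's code. The second Received line is the one quoted in the thread; the other two lines, their addresses, and both mailhost lists are constructed.

```python
import re

# Assumed model of a mailhost-based Received walk, not SpamCop's actual algorithm.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)\s+\((?P<from_ip>[^)]+)\)\s+by\s+(?P<by_host>\S+)",
    re.IGNORECASE)

def host_matches(host, mailhosts):
    """True when host equals, or is a subdomain of, a configured mailhost domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in mailhosts)

def find_source(received_lines, mailhosts):
    """Walk Received lines newest-first and return (source_ip, stopped_at_index).
    A line is trusted only if its 'by' host belongs to a configured mailhost;
    the source is the 'from' address of the last trusted line."""
    source = None
    for i, line in enumerate(received_lines):
        m = RECEIVED_RE.search(line)
        if m is None or not host_matches(m.group("by_host"), mailhosts):
            return source, i          # chain of trust ends here
        source = m.group("from_ip")
    return source, None               # every hop was trusted

CHAIN = [
    # constructed: final delivery hop
    "Received: from ME1PR01CA0078.outlook.office365.com (2603:10c6:200:18::11) "
    "by mailbox.example.org (2001:db8::25) with ESMTPS; "
    "Mon, 27 Mar 2017 10:46:30 +0000",
    # from the thread: the line the parser refused to trust
    "Received: from ME1AUS01FT007.eop-AUS01.prod.protection.outlook.com "
    "(2a01:111:f400:7eb4::204) by ME1PR01CA0078.outlook.office365.com "
    "(2603:10c6:200:18::11) with Microsoft SMTP Server id 15.1.991.14 "
    "via Frontend Transport; Mon, 27 Mar 2017 10:46:29 +0000",
    # constructed: external sender handing off to the provider's edge
    "Received: from mta.sender.example (192.0.2.55) "
    "by ME1AUS01FT007.eop-AUS01.prod.protection.outlook.com (2001:db8::7) "
    "with ESMTPS; Mon, 27 Mar 2017 10:46:28 +0000",
]

# Constructed mailhost lists: one missing the provider's internal hops, one complete.
INCOMPLETE = ("example.org",)
COMPLETE = ("example.org", "outlook.office365.com", "protection.outlook.com")

if __name__ == "__main__":
    print(find_source(CHAIN, INCOMPLETE))  # stops at the provider's internal hop
    print(find_source(CHAIN, COMPLETE))    # continues to the external sender
```

With the incomplete list the walk stops at the internal hop and attributes the message to the provider's own address, which matches the "Tracking message source" shown in the parser output.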


The email headers don't look at ALL like a forgery. I've attached a PDF of the top part of the (munged) headers, with the very obvious Sendgrid stuff highlighted.

This is the kind of headers (with a bunch of other X- lines below this) that Outlook365 Exchange always has, and up until the past few days, they've all parsed fine. Now, some parse perfectly, others do what this one has done.

 

Spamcop - sendgrid.pdf


1. The link you provided is not accessible to anyone except you.

2. The Tracking URL in my post, copied from your original post, gives everyone access to the munged spam, and the information the parser provided.
