Jump to content

X-Originating-IP parsing problems

Steve

By Steve
in SpamCop Reporting Help

Recommended Posts

Steve Advanced Member

Steve

Posted
Posted 
Delivered-To: x
Received: by 10.25.215.152 with SMTP id q24csp535241lfi;
        Thu, 24 Aug 2017 09:51:44 -0700 (PDT)
X-Received: by 10.98.139.141 with SMTP id e13mr7047592pfl.192.1503593504252;
        Thu, 24 Aug 2017 09:51:44 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1503593504; cv=none;
        d=google.com; s=arc-20160816;
        b=fBJmIS25wTFiKufRoEtHIR4yY+RxpAmVw1qETMO6BmHmkoD/kNAByCdzdg2gLc+9OB
         EV5W7bmHtpyYOl7HVu+Q27UOcRSno/9RUQBhdIGmxouQDwkxgCFfIRp8NJph2zqXl347
         7y14tU6P8NQ5SD9m/X3vMXFzfyOs4l28urC/MFYWzcAyKHfeEL9/JwIOjDUIB49xSTlX
         jjLpRDuEe2lqlwLY6w/qa8QBqqzFZ34g7OkM6AvjNFknBhjKuyD82blBy+7nhRg0vzgH
         PcoRRilbtrkshECm+fbMIfB8hyLBf+mMc0M/XwX3sHY3tRsnZ7zdMP44Gc/BY7mu7pNw
         N4Hg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:subject:message-id:reply-to
         :from:date:arc-authentication-results;
        bh=rPAAmo/5jRgIb94r0jqE8K1b0fFvRv5wn0ibit2p+KY=;
        b=Qtk+gWgPsqzkTIZEX98e505OVUCCR7xNDkxlaxrk0tMknMfZQq+fA3QfzxdHMpoS5P
         Irze7G9SvkNz7aWjG46mTjiY6ouYdX6bh8hZfoO7TjCombVU9iu9jRnVhb8NT5jGaMCN
         Iy66gywmK36qdgd5TgkswLHZ42TqdLO6Wt2Sb1HqG+YzFlJXYpxOkICVe4vtIuVQ0esI
         s71PSMYp/ZsEi7+rqxjlJKl+dslH0dUtYeyfmKDoCFD85aTg5w3Tfb3rsV4ae3u+lDPe
         5BSy12/zva0/BbIva4sZ/vWxXoYxUYAZnefPmLuB8Z/YvUy0ROjRx9aeq9pKHWtANcy5
         iQwQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of www.@athena.ocn.ne.jp designates 153.149.236.41 as permitted sender) smtp.mailfrom=WWW.@athena.ocn.ne.jp
Return-Path: <WWW.@athena.ocn.ne.jp>
Received: from mbkd0340.ocn.ad.jp (mbkd0340.ocn.ad.jp. [153.149.236.41])
        by mx.google.com with ESMTP id j125si1438059pfg.305.2017.08.24.09.51.30;
        Thu, 24 Aug 2017 09:51:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of www.@athena.ocn.ne.jp designates 153.149.236.41 as permitted sender) client-ip=153.149.236.41;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of www.@athena.ocn.ne.jp designates 153.149.236.41 as permitted sender) smtp.mailfrom=WWW.@athena.ocn.ne.jp
Received: from mf-smf-ucb005.ocn.ad.jp (mf-smf-ucb005.ocn.ad.jp [153.149.231.4]) by mbkd0340.ocn.ad.jp (Postfix) with ESMTP id 9F0BC128035D; Fri, 25 Aug 2017 01:50:59 +0900 (JST)
Received: from mf-smf-ucb005.ocn.ad.jp (mf-smf-ucb005 [153.149.231.4]) by mf-smf-ucb005.ocn.ad.jp (Postfix) with ESMTP id 7C6D760709; Fri, 25 Aug 2017 01:50:59 +0900 (JST)
Received: from ntt.pod01.mv-mta-ucb026 (mv-mta-ucb026.ocn.ad.jp [153.149.142.100]) by mf-smf-ucb005.ocn.ad.jp (Switch-3.3.4/Switch-3.3.4) with ESMTP id v7OGoXcD065068; Fri, 25 Aug 2017 01:50:55 +0900
Received: from vcwebmail.ocn.ad.jp ([153.149.227.165]) by ntt.pod01.mv-mta-ucb026 with id 14qu1w0013akymp014quba; Thu, 24 Aug 2017 16:50:55 +0000
Received: from mzcstore142.ocn.ad.jp (mz-cb142p.ocn.ad.jp [114.147.59.200]) by vcwebmail.ocn.ad.jp (Postfix) with ESMTP; Fri, 25 Aug 2017 01:50:54 +0900 (JST)
Date: Fri, 25 Aug 2017 01:50:54 +0900 (JST)
From: Taka Benson <"WWW."@athena.ocn.ne.jp>
Reply-To: Taka Benson <dhlcourierservicebej@hotmail.com>
Message-ID: <1703504187.5321643.1503593454940.JavaMail.root@athena.ocn.ne.jp>
Subject: Information
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-2022-JP
Content-Transfer-Encoding: 7bit
X-Originating-IP: [5.45.62.153]

Information

Contact DHL Courier for your compensation Bank card valued $1,500,000.00 USD is been registered and your ATM CARD package is under Mr. Albert Godwin's care reach him via email: (dhlcourierservicebej@hotmail.com) for more information on how to claim it.

Greetings,

 

I almost always have problems getting SC to parse the X-Originating-IP in OCN/NTT emails I receive (such as the one above). I end up having to report the emails with those IP addresses separately through SpamCop to the ISP. Why won't it recognize those IP addresses? Most originate from Benin (41.xx.xxx.xxx/197.xxx.xxx.xx). In this case, when I parsed the email again with this IP address, the X-Originating-IP resulted in the email being sent to abuse@avast.com

 

Tracking link: https://www.spamcop.net/sc?id=z6401117976z6d5deab26600019361ed7458288314dez

 

 

Steve

Link to comment
Share on other sites
Steve Advanced Member

Steve

Posted
  • Author
Posted
10 hours ago, Lking said:

are you accounting for:

 

It doesn't parse the X-Originating-IP most of the time. And that message is not displayed (except for the 1st received line in all www.@xxx.ocn.ne.jp emails with "xxx" taking the place of whatever happens to be first part of the email address. In this example, fuga is in front of the ocn.ne.jp part of the email address). This example is from an email dated 8/25/17:

Quote
1: Received: from mf-smf-ucb001.ocn.ad.jp (mf-smf-ucb001.ocn.ad.jp [153.149.227.3]) by mbkd0338.ocn.ad.jp (Postfix) with ESMTP id AB8561206FE6; Sat, 26 Aug 2017 09:53:41 +0900 (JST)

Hostname verified: mf-smf-ucb001.ocn.ad.jp

 

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust this Received line.

 Steve

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...