[Resolved] Spammer fakes header with our domain and IP which leads to blacklisting

[crouc]

Greetings,

we have problems with a spammer who fakes his header with one of our mail addresses and also in some parts our mail server IP, but the origin in the first spam wave a week ago is 185.118.164.141. Yesterday this week the second wave started from 23.100.9.31. As it seems clear that the sending IP is not ours, I wonder why we where blacklistet by spamcop. How can I prevent this from happing again? SPF is set for our domain and mail server IP.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Return-Path: <susi-brewu@SPAMTRAP.INVALID>
X-Original-To: FORWARDER@MANITU-SPAMTRAP.INVALID
Delivered-To: FORWARDER@MANITU-SPAMTRAP.INVALID
Received: from mout-xforward.SPAMTRAP.INVALID (mout-xforward.SPAMTRAP.INVALID [82.165.159.12])
    by gollum.manitu.net (Postfix) with ESMTP id 1AC8F79207A
    for <FORWARDER@MANITU-SPAMTRAP.INVALID>; Thu, 31 Aug 2017 20:16:19 +0200 (CEST)
Received: from mail2.our-domain ([our-IP]) by mx-ha.SPAMTRAP.INVALID
 (mxgmx017 [212.227.15.9]) with ESMTPS (Nemesis) id 1M7bhv-1dr3Rl0dhN-0083iD
 for <susi-brewu@SPAMTRAP.INVALID>; Thu, 31 Aug 2017 20:16:16 +0200
Received: from User (185.118.164.141) by owa.our-domain (192.168.20.231)
 with Microsoft SMTP Server id 14.2.247.3; Thu, 31 Aug 2017 01:20:01 +0200
X-CheckPoint: {59A7481B-A4-AA0DBE57-C0000000}
X-MAIL-CPID: 30104665C72DC72407D2835D26D562D5
X-Control-Analysis: str=0001.0A0C0206.59A74822.008B,ss=3,re=0.000,recu=0.000,reip=0.000,vtr=str,vl=0,cl=3,cld=1,fgs=0
Reply-To: <generaleseguross@groupmail.com>
From: <info@our-domain>
Subject: Gewinner
Date: Wed, 30 Aug 2017 16:20:01 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0009_01C2A9A6.71C82E9A"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <75913c41-3874-4592-a56a-036ec007c8c4@ex.our-domain.local>
To: Undisclosed recipients:;
X-Originating-IP: [185.118.164.141]
Envelope-To: <susi-brewu@SPAMTRAP.INVALID>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

This is a header from the second wave:

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Received: from
A1-destroyeR.txucwqwcedquzp2bt1attwsbkg.ax.internal.cloudapp.net
(23.100.9.31) by owa.our-domain (192.168.20.231) with Microsoft SMTP
Server (TLS) id 14.2.247.3; Mon, 11 Sep 2017 17:10:01 +0200
Content-Type: multipart/mixed; boundary="===============0168328789=="
MIME-Version: 1.0
Subject: OFFIZIELLE...
To: Recipients <info@our-domain>
From: <info@our-domain>
Date: Mon, 11 Sep 2017 15:09:55 +0000
Reply-To: <generaleseguross@groupmail.com>
Message-ID: <4985ba81-504e-4e06-9dc3-7f76430c2929@ex.our-domain.local>
Return-Path: info@our-domain
X-Originating-IP: [23.100.9.31]
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Kind regards.

 

[gnarlymarley]

This would sure be easier to read if we had the tracking URL.  If I see this correctly, then it appears that the email was forwarded through 82.165.159.12.  Since I am not familiar with this IP, I will take the route of it possibly okay.  Another SpamCop user can take that one on.

From what I see, the order of the headers are "Our-IP" and then 185.118.164.141.  This would mean that 185.118.164.141 probably used your router to send the email.

2 hours ago, crouc said:

Received: from mail2.our-domain ([our-IP]) by mx-ha.SPAMTRAP.INVALID
 (mxgmx017 [212.227.15.9]) with ESMTPS (Nemesis) id 1M7bhv-1dr3Rl0dhN-0083iD
 for <susi-brewu@SPAMTRAP.INVALID>; Thu, 31 Aug 2017 20:16:16 +0200
Received: from User (185.118.164.141) by owa.our-domain (192.168.20.231)
 with Microsoft SMTP Server id 14.2.247.3; Thu, 31 Aug 2017 01:20:01 +0200

If we assume that it did come from your IP, then I would guess you already checked the server logs.  The next thing I would check is your NAT router and make sure did not get hacked.  I have had email seen plenty of email come directly from routers, where it completely bypasses the email server.

[petzl]

7 hours ago, crouc said:

Greetings,

we have problems with a spammer who fakes his header with one of our mail addresses and also in some parts our mail server IP, but the origin in the first spam wave a week ago is 185.118.164.141. Yesterday this week the second wave started from 23.100.9.31. As it seems clear that the sending IP is not ours, I wonder why we where blacklistet by spamcop. How can I prevent this from happing again? SPF is set for our domain and mail server IP.

IP 23.100.9.31 is a Boitnet?
https://www.talosintelligence.com/reputation_center/lookup?search=23.100.9.31

 I count 12 reports made through SpamCop  last one
"Submitted: 9/12/2017, 10:50:49 AM +1000: 
OFFIZIELLE GEWINNBENACHRITIGUNG"

This may or may not be a shared IP (speak to your provider)
That said do a scan FOR MALWARE - THEN Change Password - ALL computers mobiles using that IP
The Malware infection/trojan is described here
https://www.abuseat.org/lookup.cgi?ip=23.100.9.31

Believed infected with "SendSafe"   - Windows Defender will pick it up. Cleaning it ??

23.100.9.31 is listed

This IP address was detected and listed 73 times in the past 28 days, and 3 times in the past 24 hours. The most recent detection was at Tue Sep 12 09:25:00 2017 UTC +/- 5 minutes

This IP is infected (or NATting for a computer that is infected) with an botnet that is emitting email spam. The infection is probably sendsafe.

 

 

[crouc]

Thanks for helping!

The reason was a bad account password