crouc Posted September 12, 2017

Greetings, we have problems with a spammer who fakes his header with one of our mail addresses and also in some parts our mail server IP, but the origin in the first spam wave a week ago is 185.118.164.141. Yesterday this week the second wave started from 23.100.9.31. As it seems clear that the sending IP is not ours, I wonder why we were blacklisted by SpamCop. How can I prevent this from happening again? SPF is set for our domain and mail server IP.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Return-Path: <susi-brewu@SPAMTRAP.INVALID>
X-Original-To: FORWARDER@MANITU-SPAMTRAP.INVALID
Delivered-To: FORWARDER@MANITU-SPAMTRAP.INVALID
Received: from mout-xforward.SPAMTRAP.INVALID (mout-xforward.SPAMTRAP.INVALID [82.165.159.12]) by gollum.manitu.net (Postfix) with ESMTP id 1AC8F79207A for <FORWARDER@MANITU-SPAMTRAP.INVALID>; Thu, 31 Aug 2017 20:16:19 +0200 (CEST)
Received: from mail2.our-domain ([our-IP]) by mx-ha.SPAMTRAP.INVALID (mxgmx017 [212.227.15.9]) with ESMTPS (Nemesis) id 1M7bhv-1dr3Rl0dhN-0083iD for <susi-brewu@SPAMTRAP.INVALID>; Thu, 31 Aug 2017 20:16:16 +0200
Received: from User (185.118.164.141) by owa.our-domain (192.168.20.231) with Microsoft SMTP Server id 14.2.247.3; Thu, 31 Aug 2017 01:20:01 +0200
X-CheckPoint: {59A7481B-A4-AA0DBE57-C0000000}
X-MAIL-CPID: 30104665C72DC72407D2835D26D562D5
X-Control-Analysis: str=0001.0A0C0206.59A74822.008B,ss=3,re=0.000,recu=0.000,reip=0.000,vtr=str,vl=0,cl=3,cld=1,fgs=0
Reply-To: <generaleseguross@groupmail.com>
From: <info@our-domain>
Subject: Gewinner
Date: Wed, 30 Aug 2017 16:20:01 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0009_01C2A9A6.71C82E9A"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <75913c41-3874-4592-a56a-036ec007c8c4@ex.our-domain.local>
To: Undisclosed recipients:;
X-Originating-IP: [185.118.164.141]
Envelope-To: <susi-brewu@SPAMTRAP.INVALID>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

This is a header from the second wave:

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Received: from A1-destroyeR.txucwqwcedquzp2bt1attwsbkg.ax.internal.cloudapp.net (23.100.9.31) by owa.our-domain (192.168.20.231) with Microsoft SMTP Server (TLS) id 14.2.247.3; Mon, 11 Sep 2017 17:10:01 +0200
Content-Type: multipart/mixed; boundary="===============0168328789=="
MIME-Version: 1.0
Subject: OFFIZIELLE...
To: Recipients <info@our-domain>
From: <info@our-domain>
Date: Mon, 11 Sep 2017 15:09:55 +0000
Reply-To: <generaleseguross@groupmail.com>
Message-ID: <4985ba81-504e-4e06-9dc3-7f76430c2929@ex.our-domain.local>
Return-Path: info@our-domain
X-Originating-IP: [23.100.9.31]
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Kind regards.
gnarlymarley Posted September 12, 2017

This would sure be easier to read if we had the tracking URL. If I see this correctly, then it appears that the email was forwarded through 82.165.159.12. Since I am not familiar with this IP, I will take the route of it possibly being okay. Another SpamCop user can take that one on. From what I see, the order of the headers is "Our-IP" and then 185.118.164.141. This would mean that 185.118.164.141 probably used your router to send the email.

2 hours ago, crouc said:
> Received: from mail2.our-domain ([our-IP]) by mx-ha.SPAMTRAP.INVALID (mxgmx017 [212.227.15.9]) with ESMTPS (Nemesis) id 1M7bhv-1dr3Rl0dhN-0083iD for <susi-brewu@SPAMTRAP.INVALID>; Thu, 31 Aug 2017 20:16:16 +0200
> Received: from User (185.118.164.141) by owa.our-domain (192.168.20.231) with Microsoft SMTP Server id 14.2.247.3; Thu, 31 Aug 2017 01:20:01 +0200

If we assume that it did come from your IP, then I would guess you already checked the server logs. The next thing I would check is your NAT router and make sure it did not get hacked. I have seen plenty of email come directly from routers, where it completely bypasses the email server.
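An added example, not from the thread, that does by script what gnarlymarley does by eye: it walks the Received chain of crouc's first sample from the earliest hop upward, separating the IP that injected the mail at owa.our-domain from the IP the recipient's MX saw connecting, which is the only value SPF evaluates (so mail relayed through the legitimate server passes SPF regardless of who injected it). 203.0.113.10 is a constructed stand-in for the redacted our-IP; the Reply-To domain check is my own addition based on the two samples.

```python
import re

# Received headers copied from crouc's first sample, top = latest hop.
# 203.0.113.10 is a constructed stand-in for the redacted "our-IP".
RECEIVED = [
    "from mout-xforward.SPAMTRAP.INVALID (mout-xforward.SPAMTRAP.INVALID "
    "[82.165.159.12]) by gollum.manitu.net (Postfix) with ESMTP id 1AC8F79207A",
    "from mail2.our-domain ([203.0.113.10]) by mx-ha.SPAMTRAP.INVALID "
    "(mxgmx017 [212.227.15.9]) with ESMTPS (Nemesis) id 1M7bhv-1dr3Rl0dhN-0083iD",
    "from User (185.118.164.141) by owa.our-domain (192.168.20.231) "
    "with Microsoft SMTP Server id 14.2.247.3",
]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP = re.compile(r"^from\s+(?P<src>.*?)\s+by\s+(?P<dst>\S+)", re.S)

def parse_hop(line):
    """Return (source IP or None, receiving host) for one Received header, or None."""
    m = HOP.match(line.strip())
    if not m:
        return None
    ip = IPV4.search(m.group("src"))
    return (ip.group(1) if ip else None, m.group("dst"))

def trace(received, our_suffixes):
    """Walk from the earliest hop (last header) to the latest.
    origin_ip: first IP that handed the mail to one of our own hosts, i.e. the
    real injection point (in this thread a login with a weak account password).
    spf_ip: IP the first foreign MX saw connecting, which is all SPF checks."""
    origin_ip = spf_ip = None
    for line in reversed(received):
        hop = parse_hop(line)
        if hop is None:
            continue  # not a Received header; skip it
        src_ip, dst = hop
        ours = any(dst.lower().endswith(s.lower()) for s in our_suffixes)
        if ours and origin_ip is None:
            origin_ip = src_ip
        elif not ours and spf_ip is None:
            spf_ip = src_ip
    return origin_ip, spf_ip

def reply_to_mismatch(from_addr, reply_to):
    """Both samples show From: info@our-domain with a foreign Reply-To;
    a domain mismatch is a cheap indicator worth alerting on."""
    domain = lambda a: a.strip("<> ").rsplit("@", 1)[-1].lower()
    return domain(from_addr) != domain(reply_to)
```

`trace(RECEIVED, ("our-domain",))` yields the injecting IP 185.118.164.141 and the SPF-checked IP 203.0.113.10, which is why SpamCop reported the legitimate server rather than the spammer's address.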
petzl Posted September 12, 2017

7 hours ago, crouc said:
> Greetings, we have problems with a spammer who fakes his header with one of our mail addresses and also in some parts our mail server IP, but the origin in the first spam wave a week ago is 185.118.164.141. Yesterday this week the second wave started from 23.100.9.31. As it seems clear that the sending IP is not ours, I wonder why we were blacklisted by SpamCop. How can I prevent this from happening again? SPF is set for our domain and mail server IP.

IP 23.100.9.31 is a botnet? https://www.talosintelligence.com/reputation_center/lookup?search=23.100.9.31
I count 12 reports made through SpamCop, last one "Submitted: 9/12/2017, 10:50:49 AM +1000: OFFIZIELLE GEWINNBENACHRITIGUNG"
This may or may not be a shared IP (speak to your provider). That said, do a scan FOR MALWARE - THEN change password - ALL computers/mobiles using that IP.
The malware infection/trojan is described here https://www.abuseat.org/lookup.cgi?ip=23.100.9.31
Believed infected with "SendSafe" - Windows Defender will pick it up. Cleaning it ??

> 23.100.9.31 is listed
> This IP address was detected and listed 73 times in the past 28 days, and 3 times in the past 24 hours. The most recent detection was at Tue Sep 12 09:25:00 2017 UTC +/- 5 minutes
> This IP is infected (or NATting for a computer that is infected) with a botnet that is emitting email spam. The infection is probably sendsafe.
crouc Posted September 18, 2017

Thanks for helping! The reason was a bad account password.