remay Posted September 18, 2017

When submitting the numerous African scam emails to SC, SC inconsistently detects the X-Originating-IP address that is contained in most of them. Below are some examples. I'd say that about 10% of X-Originating-IP addresses listed in emails submitted to SC are detected and reported by SC. For the rest of those IP addresses, it requires manual email submission outside of SC to the abuse contacts. Why does SC detect and report so few of the X-Originating-IP addresses?

(detected X-Originating-IP)
X-Originating-IP: 41.85.176.110
https://www.spamcop.net/sc?id=z6403748467z699c93e5f840844ede2b8d8d2a237554z
X-Originating-IP: 41.85.176.110
https://www.spamcop.net/sc?id=z6404117097zb4a331cc2a42604adca1ee392ccaabc0z

(did NOT detect X-Originating-IP - NOTE that I tried removing the brackets and did a test submission, but the IP address was still not detected)
X-Originating-IP: [41.86.234.162]
https://www.spamcop.net/sc?id=z6406866999z99adf4922fa966b5fed68ebaf3b2fd37z
X-Originating-IP: [41.85.161.155]
https://www.spamcop.net/sc?id=z6406728731z23dd15f2eb5e25f40a46806c87083ddaz
gnarlymarley Posted September 18, 2017

Looking at the spams, it would appear that the spammer is adding the X-Originating-IP header to confuse the matter. I do not see that IP listed in any Received lines. As it stands, I can trust any spam as far back as my border server. I cannot trust it past that. My border server will have the logs with the IP that I need to report. They in turn can use their logs and pass it up to their suspected source.
remay (Author) Posted September 25, 2017

Well, ok... I guess. That still doesn't explain the inconsistency in SC detection. Here are more examples:

(picked up originating IP but not hotmail IP addr)
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (mail-by2nam03hn0242.outbound.protection.outlook.com. [104.47.42.242])
Received: from [192.168.43.78] (105.112.40.40)
https://www.spamcop.net/sc?id=z6409167115za761b3104214b72db296057e7e7d1c25z

(detected X-Originating-IP)
X-Originating-IP: [154.118.6.108]
https://www.spamcop.net/sc?id=z6407552726zb56b967b54eb78cfb1ad7d9571f6e59fz

As far as confusing the matter, I feel the X-Originating-IP address is valid enough since they almost ALWAYS lead back to afrinic.net controlled IP addresses. SO I will CONTINUE to report them manually. I just wish SC would do it more consistently, because it DOES sometimes.
Lking Posted September 25, 2017

SC does not pay any attention to the header lines added by any unknown application starting with X-???, for example "X-Originating-IP: [154.118.6.108]". In your last example the IP address [154.118.6.108] was identified from

    1: Received: from I-PC (154.118.6.108) by DM5PR0101MB3131.prod.exchangelabs.com (10.174.182.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.56.11; Tue, 19 Sep 2017 03:57:59 +0000
    No unique hostname found for source: 154.118.6.108
    Hotmail/MSN received mail from sending system 154.118.6.108

not from the X-Originating-IP line. You will notice SC also ignored the line, X-OriginatorOrg: mail.uc.edu
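The trust walk that gnarlymarley and Lking describe (believe Received: lines only as far back as a relay you trust, take the source from the first untrusted hop, and ignore X-Originating-IP because any sender can write it) as an added Python example. This is not SpamCop's parser; the trusted-relay suffixes, the border-server name example-border.test, and the two sample messages are constructed for the example from the headers quoted in this thread.

```python
"""Pick the reportable source IP of a message from its Received: chain.

Added example (not SpamCop's code). Received: headers are read top-down,
i.e. newest first: the top one was written by our own border server, the
next by whatever that server accepted from, and so on. We keep walking while
the writing relay is one we trust and stop at the first hop we do not, which
is the system that handed the mail to the trusted infrastructure. Anything
below that hop, and every X-* header, was written by the sender and is ignored.
"""
import email
import ipaddress
import re
from email import policy

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# "from <helo-name> (<tcp-info>)" as written by the receiving MTA (RFC 5321).
FROM_CLAUSE = re.compile(r"\bfrom\s+(\S+)\s*\(([^)]*)\)", re.IGNORECASE)

# Assumption for this example: hosted-mailbox relays whose Received: lines we
# believe, taken from the hostnames quoted in the thread.
TRUSTED_RELAY_SUFFIXES = (".prod.exchangelabs.com", ".outbound.protection.outlook.com")

# Constructed sample modelled on Lking's quoted headers; the X-Originating-IP
# value is deliberately unrelated to the chain to show it plays no part.
SAMPLE_HOTMAIL = b"""\
Received: from DM5PR0101MB3131.prod.exchangelabs.com (10.174.182.16)
 by example-border.test (192.0.2.10) with ESMTPS id abc123;
 Tue, 19 Sep 2017 03:58:05 +0000
Received: from I-PC (154.118.6.108) by DM5PR0101MB3131.prod.exchangelabs.com
 (10.174.182.16) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.56.11;
 Tue, 19 Sep 2017 03:57:59 +0000
X-Originating-IP: [41.86.234.162]
From: sender@example.test
To: victim@example.test
Subject: constructed sample 1

body
"""

# Constructed sample modelled on remay's second pair of Received: lines.
SAMPLE_OUTLOOK = b"""\
Received: from NAM03-BY2-obe.outbound.protection.outlook.com
 (mail-by2nam03hn0242.outbound.protection.outlook.com. [104.47.42.242])
 by example-border.test (192.0.2.10) with ESMTPS id def456;
 Mon, 25 Sep 2017 10:00:00 +0000
Received: from [192.168.43.78] (105.112.40.40) by
 NAM03-BY2-obe.outbound.protection.outlook.com with ESMTP id 1.2.3;
 Mon, 25 Sep 2017 09:59:58 +0000
X-Originating-IP: [105.112.40.40]
From: sender@example.test
To: victim@example.test
Subject: constructed sample 2

body
"""


def parse_received(value):
    """Return (helo_name, connecting_ip) from one Received: header, else None."""
    text = " ".join(str(value).split())          # unfold continuation lines
    m = FROM_CLAUSE.search(text)
    if not m:
        return None                               # e.g. "Received: by ..." local handoff
    helo, tcp_info = m.group(1), m.group(2)
    # The IP inside the parentheses is what the receiving MTA saw on the TCP
    # connection; the HELO name before it is only what the client claimed.
    ip_match = IPV4.search(tcp_info) or IPV4.search(helo)
    if not ip_match:
        return None
    try:
        return helo, ipaddress.ip_address(ip_match.group(1))
    except ValueError:                            # e.g. 999.1.1.1
        return None


def is_trusted_hop(helo, ip):
    """A hop we keep walking through: our own internal relay or a known provider."""
    if ip.is_private or ip.is_loopback:
        return True
    return helo.lower().endswith(TRUSTED_RELAY_SUFFIXES)


def source_ip(raw):
    """The IP of the first untrusted hop in the Received: chain, or None."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop is None:
            continue
        helo, ip = hop
        if is_trusted_hop(helo, ip):
            continue
        return str(ip)                            # stop: nothing below is believed
    return None


def claimed_originating_ip(raw):
    """What X-Originating-IP says, for comparison only; never used for reporting."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    value = msg.get("X-Originating-IP")
    m = IPV4.search(str(value)) if value else None
    return m.group(1) if m else None


if __name__ == "__main__":
    for name, raw in (("hotmail", SAMPLE_HOTMAIL), ("outlook", SAMPLE_OUTLOOK)):
        print(name, "chain:", source_ip(raw), "claimed:", claimed_originating_ip(raw))
```

In the first sample the chain yields 154.118.6.108 while the X-Originating-IP header names an unrelated address, which is exactly the disagreement the thread is about; in the second the two happen to coincide, which is why a report there looks as if the X-* header had been "detected". The trust list is the part that needs care in practice: extend it only with relays whose Received: lines you have reason to believe, since every hop below the first untrusted one is attacker-controlled text.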