
Inconsistent detection of X-Originating-IP by SC processing



When submitting the numerous African scam emails to SC, SC inconsistently detects the X-Originating-IP address that is contained in most of them.

Below are some examples. I'd say that about 10% of X-Originating-IP addresses listed in emails submitted to SC are detected and reported by SC.

For the rest of those IP addresses, it requires manual email submission outside of SC to the abuse contacts.

Why does SC detect and report so few of the X-Originating-IP addresses?


(detected X-Originating-IP )


(did NOT detect X-Originating-IP  - NOTE that I tried removing the brackets and did a test submission, but the IP address was still not detected)
X-Originating-IP: []

X-Originating-IP: []


Looking at the spams, it would appear that the spammer is adding the X-Originating-IP header to confuse the matter.  I do not see that IP listed in any Received lines.

As it stands, I can trust any spam as far back as my border server.  I cannot trust it past that.  My border server will have the logs with the IP that for whom I need to report.  They in turn can use their logs and pass it up to their suspected source.


Well, ok... I guess.

That still doesn't explain the inconsistency in SC detection.

Here are more examples:

(picked up originating IP but not hotmail IP addr)

Received: from NAM03-BY2-obe.outbound.protection.outlook.com (mail-by2nam03hn0242.outbound.protection.outlook.com. [])

Received: from [] ( 

(detected X-Originating-IP )
X-Originating-IP: []

As far as confusing the matter, I feel the X-Originating-IP address is valid enough since they almost ALWAYS lead back to afrinic.net controlled IP addresses. SO I will CONTINUE to report them manually. I just wish SC would do it more consistently, because it DOES sometimes.



SC does not pay any attention to the header lines added by any unknown application starting with X-???, for example "X-Originating-IP: []".

In your last example the IP address []  was identified from

1: Received: from I-PC ( by DM5PR0101MB3131.prod.exchangelabs.com ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id; Tue, 19 Sep 2017 03:57:59 +0000

No unique hostname found for source:
Hotmail/MSN received mail from sending system

not from the X-Originating-IP line.  You will notice SC also ignored the line, X-OriginatorOrg: mail.uc.edu

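The two replies above describe the same rule from different angles: the Received: chain is trustworthy only as far back as a server you operate, and X-* headers such as X-Originating-IP are ignored because anyone can write them. The script below is an added example that is not part of this thread and not SpamCop's own code; it walks a constructed message (example domains and RFC 5737 documentation IPs only) newest-stamp-first and stops at the first Received: line written by an untrusted host. The TRUSTED_RELAYS set is an assumption standing in for the reporter's own mail servers (the equivalent of a SpamCop mailhost configuration).

```python
import re
from email import message_from_string

# Constructed sample message (not one of the spams from the thread). All IPs are
# from the RFC 5737 documentation ranges and all hostnames use example domains.
SAMPLE_MESSAGE = """\
Received: from border.example.net (border.example.net [192.0.2.10])
 by mx.example.net with ESMTP id 4ABC; Tue, 19 Sep 2017 04:00:01 +0000
Received: from outbound.relay.example.org (relay42.example.org [198.51.100.77])
 by border.example.net with ESMTPS; Tue, 19 Sep 2017 03:59:58 +0000
Received: from I-PC (203.0.113.45) by MB3131.prod.example.org (10.0.0.5)
 with Microsoft SMTP Server id 15.20.56.1; Tue, 19 Sep 2017 03:57:59 +0000
X-Originating-IP: [203.0.113.200]
From: sender@example.org
Subject: constructed sample

body
"""

# Assumption: the hosts the reporter operates. Only Received: stamps that these
# hosts wrote (the "by" side) are believed; everything older is hearsay.
TRUSTED_RELAYS = {"mx.example.net", "border.example.net"}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "from <host> (<comment>) by <host> ..." - the comment usually carries the
# connecting IP in brackets or parentheses.
FROM_CLAUSE = re.compile(
    r"^\s*from\s+(?P<host>\S+)\s*(?P<rest>.*?)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL,
)
IP_IN_DELIMS = re.compile(r"[\[(]\s*(" + IPV4 + r")\s*[\])]")


def parse_hop(received):
    """Return (from_host, from_ip, by_host) for one Received: value, or None."""
    m = FROM_CLAUSE.search(received)
    if not m:
        return None
    ip_match = IP_IN_DELIMS.search(m.group("rest"))
    from_ip = ip_match.group(1) if ip_match else None
    return m.group("host").lower(), from_ip, m.group("by").lower().rstrip(";,")


def find_source_ip(raw_message, trusted_relays=TRUSTED_RELAYS):
    """Walk Received: headers newest-first and return the IP that connected to
    the last trusted relay. Stamps written by hosts we do not run are never
    used, and X-* headers are not consulted at all."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        hop = parse_hop(" ".join(value.split()))  # unfold the header
        if hop is None:
            continue
        from_host, from_ip, by_host = hop
        if by_host not in trusted_relays:
            break  # first stamp not written by our own server: stop here
        if from_host in trusted_relays:
            continue  # internal hand-off between two of our own servers
        return from_ip
    return None


def x_originating_ip(raw_message):
    """What the thread asked about, extracted only to show it differs from the
    Received-derived source; it carries no evidential weight."""
    msg = message_from_string(raw_message)
    m = re.search(IPV4, msg.get("X-Originating-IP", ""))
    return m.group(0) if m else None


if __name__ == "__main__":
    print("reportable source (from trusted Received:):", find_source_ip(SAMPLE_MESSAGE))
    print("X-Originating-IP (ignored for reporting):  ", x_originating_ip(SAMPLE_MESSAGE))
```

With the sample message the reportable source is 198.51.100.77, the client that connected to border.example.net; the older stamp naming 203.0.113.45 and the X-Originating-IP line naming 203.0.113.200 are both written by hosts outside the trusted set, so neither is used. If TRUSTED_RELAYS does not contain the host that received the message, the function returns None rather than guessing, which is the same conservative behaviour the replies describe.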


