source IP is wrong

[efa]

hi,

I received this scam/fraud spam:

https://www.spamcop.net/sc?id=z6489923983z26622d4c582ecd9c34c736063540b444z

seems the parse header engine identified the source IP as:

IPv6: 2002:aed:24f5:0:0:0:0:0

that is a 6to4 range and embed the IPv4: 10.237.36.245

that is a private LAN address, so cannot be the source IP.

What is the real source IP, and his responsible admin?

 

[petzl]

16 minutes ago, efa said:

that is a private LAN address, so cannot be the source IP.

Google/Gmail are playing silly buggers. the are putting in a network IP as a received point

You need to remove the 2nd line so it leaves no space (or just put "truncated" in its place) 

Received: by 2002:aed:24f5:0:0:0:0:0 with SMTP id u50-v6csp3903022qtc; 

SpamCop will then parse it fine.

https://www.spamcop.net/sc?id=z6490007164za1e5f4bb82209c71fb6fe63221171191z

[efa]

I'm quite sure that 62.149.158.115/Aruba is not the mail source IP, as Aruba is the host of destination mail with @pvi.it domain

Edited October 2, 2018 by efa

[petzl]

2 hours ago, efa said:

62.149.158.115

is where Gmail servers accepted the email from.

spf=pass (google.com: domain of direttivo-return-6263-attilio.bongiovanni=gmail.com@pvi.it designates 62.149.158.115 as permitted sender) smtp.mailfrom="direttivo-return-6263-attilio.bongiovanni=gmail.com@pvi.it"

[efa]

we have an alias hosted on Aruba servers that is <direttivo pvi.it>

this alias redirect to some real emails, one of them is:

<attilio.bongiovanni gmail.com>

from where the headers come from.

 

So spam come from an unknown IP, goes to <direttivo pvi.it> hosted on Aruba servers, them redirected to the google account.

The question is: what is the real source IP of the spam?

Edited October 3, 2018 by efa

[petzl]

2 hours ago, efa said:

The question is: what is the real source IP of the spam?

62.149.158.214 abuse@staff.xxx

Still same black hat abuse address  who don't care

Edited October 3, 2018 by petzl