Jump to content

Some spam emails can't be processed by SC: "No source IP address found, cannot proceed."


remay

Recommended Posts

I am getting sporadic spam/scam emails into my hosting company's email server that are MISSING the first 2-3 lines of the headers, which makes them unreportable to SC (or any other abuse contact).

Below and attached is a recent email that is missing the first 2-3 lines of the headers. I have contacted my hosting company about this issue and they claim the emails are this way because of the way they have been sent, NOT by the way their email server is processing them. For emails that have this problem, the hosting company claims the following:

Look at the two lines: Received by and Received from.
First one say  in the end "with smtp"  and 2nd one says in the end  "with http"
a) "With smtp" means:  mail server received the email from any  "Email Client".
Since smtp server received it directly from an external IP, it shows the IP address
b) "With http" means: email is sent from Google's web interface. And google's smtp server received email from its local webmail server side scri_pt. So Google put an internal machine ID  in place of IP (Since the IP would be local IP of google http server).
Its common for Gmail and Hotmail. They don't disclose sender IP if email is sent from webmail. So you can just report that machine ID to google and their system will track and take care of spammer.


I don't know if my hosting company is correct or not! I find it hard to believe that email can be delivered like this.

Does anyone else experience this?

If you look at the email headers, notice there is "X-SmarterMail" processing that has taken place. Could THAT processing be whacking the email headers?

 


(missing: Return-Path: ... )
(missing: Received: from .... by emailserver3.[myserver].com with SMTP ... )
(missing: date/time stamp when email was received by emailserver3.[myserver].com)
(Below is the COMPLETE email with headers, as retrieved from the email server)

Received: by 2002:a19:ca4e:0:0:0:0:0 with HTTP; Tue, 12 May 2020 13:18:03 -0700 (PDT)
From: chigozie gozie <cgozie7@gmail.com>
To: undisclosed-recipients:;
Subject: From Mrs mush and Daughter / Greetings to you & your Family,
Date: Tue, 12 May 2020 13:18:03 -0700
Message-ID: <CAFWVug3jN-fUYxfwT-+Ke=eV1zPUC8YgAAaHqZrZggcK7Or=tA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain;
    charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Return-Path: <cgozie7@gmail.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=7SmJkwt4HYfF2+9MdyFUN5MRVV9+Jx70aj2/gB7yE5Y=; b=ki1I49xVqumSL5IOZUVkhNZP/mbeTjCd55mRcc3rn0xzTzbw+XIMvhlHtHN31gL6Yy VpdVJDIGMQlQTGS5jyOBBdlFAbCR4TrAObZOn1IjUtDET/yXAxL0hIAtFn67BJeGpSq9 OVBn0jJAxVH3kvFIyuV2mJDCLsnwJvv6ZnwARFim8bsz/O8cJfcTpDm3k7tfnBDKg7pk PgwCg4SALREfPKlmBOAzNc0VLEdg2+Of6Bp4HVK6bwVdr6qTQNspkFWzn8AFB7GqfDfV lRwapEtzhFdnHK1OAQLAcVMUTYMdeuUXnC9YTgcE9I50A+oamPeI+Gcv8XyScvp/zT/+ wHUw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=7SmJkwt4HYfF2+9MdyFUN5MRVV9+Jx70aj2/gB7yE5Y=; b=mLkvgeHYws87ffHFK/X7fYaD+xQCgH4q3QcQtDYKv1KexQDzqNrf7/2bOPZuOgrhtA 49jrJM+WSeQApLSGDMHpwljPaXUgwl3Su3NWCWVuXsYiLKNLYYoKluamC05iZ/SHRi78 mRmsebD9AQWbFCgUjyZS7RbB5Mj7RcqOTStWJxXZpeEHhvgf8X30GSalFvo7/Ynyk/Cv 9xrgmpnxLkPZKh0ImTjZ/WQUcU9j/Kdm4dKv+g084KXf24Tr4xZy2d/ksVHMY7pykhly Wx1LamwCoYA6qBZJsa2IxXboKRdpcdjzH0JH4euDTGnxL1inWdqiXj9UQnPtY/jrVXXn H+jA==
X-Gm-Message-State: AOAM531WVDpQFIJu5hqAU+0FlfwuXQ3+ZeenhkmMzFoM946I7OtlqX9K shAXTq4XrMQ3fGPWomXBeEo3o4ySlcXZiYeUzr0=
X-Google-Smtp-Source: ABdhPJwYz4FnLavDHVG8D6ByLaN1QzmMuItOFtalxTj5kOEDpcnKdry4u++7KRab0WJho9xhbLdrHNgMQt1YZDuK2K8=
X-Received: by 2002:ac2:58d7:: with SMTP id u23mr6545768lfo.119.1589314683974; Tue, 12 May 2020 13:18:03 -0700 (PDT)
X-CTCH-RefId: str=0001.0A09020D.5EBB0483.004D,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
X-CTCH-AVLevel: Unknown
X-Rcpt-To: <x>
X-SmarterMail-spam: SPF [Pass]: -2, Cyren [Unknown]: 0, SpamAssassin [raw:7]: 12, DK [None]: 0, DKIM [Pass]: -1
X-SmarterMail-SpamDetail: spam detection software, running on the system "spamassassin1.serverpoint.com", has
X-SmarterMail-SpamDetail: identified this incoming email as possible spam.  The original message
X-SmarterMail-SpamDetail: has been attached to this so you can view it (if it isn't spam) or label
X-SmarterMail-SpamDetail: similar future email.  If you have any questions, see
X-SmarterMail-SpamDetail: the administrator of that system for details.
X-SmarterMail-SpamDetail: Content preview:  Dearest, This mail might come to you as a surprise and the
X-SmarterMail-SpamDetail: temptation to ignore it, I am Mrs Joyce mush and Daughter, from Cote D'Ivoire.
X-SmarterMail-SpamDetail: I want to transfer the sum of $3,500,000 Usd in your account, you help me
X-SmarterMail-SpamDetail: invest it in your country for my daughter future education. [...]
X-SmarterMail-SpamDetail: Content analysis details:   (7.3 points, 6.0 required)
X-SmarterMail-SpamDetail: pts rule name              description
X-SmarterMail-SpamDetail: ---- ---------------------- --------------------------------------------------
X-SmarterMail-SpamDetail: 0.0 T_WHOAMI               EmailFilter1
X-SmarterMail-SpamDetail: 3.0 SUBJ_YOUR_FAMILY       Subject contains "Your Family"
X-SmarterMail-SpamDetail: 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
X-SmarterMail-SpamDetail: (cgozie7[at]gmail.com)
X-SmarterMail-SpamDetail: 0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
X-SmarterMail-SpamDetail: digit (cgozie7[at]gmail.com)
X-SmarterMail-SpamDetail: 0.0 LOTS_OF_MONEY          Huge... sums of money
X-SmarterMail-SpamDetail: 1.0 FREEMAIL_REPLY         From and body contain different freemails
X-SmarterMail-SpamDetail: 0.0 FILL_THIS_FORM         Fill in a form with personal information
X-SmarterMail-SpamDetail: 2.0 FILL_THIS_FORM_LONG    Fill in a form with personal information
X-SmarterMail-SpamDetail: 1.0 MONEY_FRAUD_3          Lots of money and several fraud phrases
X-SmarterMail-TotalSpamWeight: 9

Dearest,
This mail might come to you as a surprise and the temptation to  ignore it,
I am Mrs Joyce mush and Daughter, from Cote D'Ivoire.  I want to
transfer the sum of $3,500,000 Usd in your account, you  help me
invest it in your country for my daughter future education.

Recently my  doctor told me that my health condition is very bad due
to cancer  problem having known my condition i decided to contact you.

Send me these informations; Full name, Address, Sex, Age, Occupation,
Phone/Mobile,State of origin, Country.I am waiting for your reply so
that i give you more details . Hoping to receive your response
immediately, E-mail Reply To; joycemush3@gmail.com

Thanks.
Sincerely .
From Mrs mush and Daughter.
 

0-2-2.txt

Link to comment
Share on other sites

22 hours ago, remay said:

I don't know if my hosting company is correct or not! I find it hard to believe that email can be delivered like this.

 Does anyone else experience this?

If you look at the email headers, notice there is "X-SmarterMail" processing that has taken place. Could THAT processing be whacking the email headers?

I have not seen any missing headers in my emails.  It is customary to place the headers by the receiving email server.  The problem you will have with your hosting company not providing that information is you do not know the IP of where the spam came from.  Not knowing the IP makes it unreportable.

Per RFC2076 section 3.4, your hosting company should not be modifying any existing headers, but per the email, it does appear they are modifying and removing them.  If might be good if they were to bring their server into RFC compliance.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...