Originating network not detected for email sent to Hotmail


jakeqz

Every time I report a spam message received at my Hotmail account, SpamCop determines the contact for "administrator of network where email originates" to be report_spam@hotmail.com.

However, inspection of the mail headers shows that not to be the case, e.g.:

Received: from AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (2603:10a6:20b:44c::5)
 by AS8P193MB2382.EURP193.PROD.OUTLOOK.COM with HTTPS; Tue, 3 Oct 2023
 15:28:10 +0000
Received: from DU2PR04CA0207.eurprd04.prod.outlook.com (2603:10a6:10:28d::32)
 by AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (2603:10a6:20b:44c::5) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6813.36; Tue, 3 Oct
 2023 15:28:09 +0000
Received: from DB8EUR05FT010.eop-eur05.prod.protection.outlook.com
 (2603:10a6:10:28d:cafe::15) by DU2PR04CA0207.outlook.office365.com
 (2603:10a6:10:28d::32) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6838.33 via Frontend
 Transport; Tue, 3 Oct 2023 15:28:09 +0000
Authentication-Results: spf=pass (sender IP is 209.85.214.181)
 smtp.mailfrom=gmail.com; dkim=pass (signature was verified)
 header.d=gmail.com;dmarc=pass action=none header.from=gmail.com;compauth=pass
 reason=100
Received-SPF: Pass (protection.outlook.com: domain of gmail.com designates
 209.85.214.181 as permitted sender) receiver=protection.outlook.com;
 client-ip=209.85.214.181; helo=mail-pl1-f181.google.com; pr=C
Received: from mail-pl1-f181.google.com (209.85.214.181) by
 DB8EUR05FT010.mail.protection.outlook.com (10.233.238.203) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.6863.25 via Frontend Transport; Tue, 3 Oct 2023 15:28:09 +0000
X-IncomingTopHeaderMarker:
 OriginalChecksum:1830A70AD80F9A9C5DDA0956A6565E0F07486E1A53319B5F648B1C48091097A4;UpperCasedChecksum:F6F09C646996FB69260BCD16869957B70CCEA6E4056F0FB0C4A00A22B3220D63;SizeAsReceived:2722;Count:15
Received: by mail-pl1-f181.google.com with SMTP id d9443c01a7336-1c724577e1fso8065395ad.0
        for <REDACTED@hotmail.com>; Tue, 03 Oct 2023 08:28:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1696346889; x=1696951689; darn=hotmail.com;
        h=to:from:subject:mime-version:date:message-id:from:to:cc:subject
         :date:message-id:reply-to;
        bh=SrLg2YvJLmqd/+QGi/H6iXVpfTMuSJ/YkMnF3dKFxcY=;
        b=inLfrt/5c226G2qeHRW4LBG8CN1hEFspRxBc9OpLZPfy1DvHy0Rm1Dp7rH3cnObzwC
         FfiF5OopH1nHYCNRSlLcHA4Yh8ON5/lcd3HyF4gqx4bM4fjEhnX15ardKHATJYUwIiL5
         WhTgym6KzAZ6ssPgkqRH1CMXh9d6Vrmmwl7+MqIlokt/4tygvusCi67m5nLGUyElcrIn
         vhfgWV3Zr/AK/LDK7XmcPvhVKnn6l3/DcrXqONCWO8NRgBUsFuxHiyajDcjG196dTnqm
         niLqcDuMFZK5J8vVBeRzbaY2QFc/XIKm7V2zyGizduZmYlrve9w7ZB9ahIGOm1mMUQHp
         ghLQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1696346889; x=1696951689;
        h=to:from:subject:mime-version:date:message-id:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=SrLg2YvJLmqd/+QGi/H6iXVpfTMuSJ/YkMnF3dKFxcY=;
        b=XOtzEjAUbRUhMuueFPR3cxa3uJh0E4nxH6DENlHbGRgnvj3ygVTKM85EtLFCSkQTEi
         a4FfE/fN1Z0T7iIHFAuAw08LHeyDw5AIek6yP2cbwavAjmUu5YC1JS17D49ifZ1mQhqT
         kSHejXedg0LyL0uZDDTfY5qh3m0tzIkinDQKCWNa6zHcD1s3FJBKLgNTTmBgXQ/2HGbK
         /orVUdXUx5qlytYpufirA73Gt5P5Xp2FlAPvrjT0sETStHbtX/7FFw+ULYlSWkYp9nuT
         BPlfHBdCxsFeJP9dN/ede/WXndmIrm1nfQHihly32ZRIM61XIJtYbW1vOQiQSFR5OxR6
         tEyw==
X-Gm-Message-State: AOJu0YwJLUyGX20LZl+O5SxCIaqp3yQjJHIWR9rYgpaDz36Pc85hu5CP
	pxUgS3eaH+6OurJqH5F8ex7xaRUEB+YoUA==
X-Google-Smtp-Source: AGHT+IHjAbwzOFNeIlpniig2zRnSU6TaV+3PT+rABrqG4ehNHpUCCJLU505M1rpEM7ZWBMKSNJw0EA==
X-Received: by 2002:a17:902:f7cf:b0:1c6:dcb:1e31 with SMTP id h15-20020a170902f7cf00b001c60dcb1e31mr13918357plw.4.1696346888858;
        Tue, 03 Oct 2023 08:28:08 -0700 (PDT)
Return-Path: REDACTED@gmail.com
Received: from [172.26.16.51] ([43.153.79.51])
        by smtp.gmail.com with ESMTPSA id n11-20020a170902e54b00b001c446f12973sm1693302plf.203.2023.10.03.08.28.08
        for <REDACTED@hotmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 03 Oct 2023 08:28:08 -0700 (PDT)

It seems to me that this email originated from Google, but this is not being picked up by SpamCop. Is it missing some of the earlier headers added lower down due to something Microsoft have inserted? Or am I missing something?

Or maybe it relates to this:

Quote
Parsing header:

Received:  from AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (2603:10a6:20b:44c::5) by AS8P193MB2382.EURP193.PROD.OUTLOOK.COM with HTTPS; Tue, 3 Oct 2023 15:28:10 +0000

host 2603:10a6:20b:44c:0:0:0:5 (getting name) no name
Possible spammer: 2603:10a6:20b:44c:0:0:0:5
Received line accepted

Received:  from DU2PR04CA0207.eurprd04.prod.outlook.com (2603:10a6:10:28d::32) by AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (2603:10a6:20b:44c::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6813.36; Tue, 3 Oct 2023 15:28:09 +0000

Masking IP-based 'by' clause.

Received:  from DU2PR04CA0207.eurprd04.prod.outlook.com (2603:10a6:10:28d::32) by AS8P193MB2383.EURP193.PROD.OUTLOOK.COM with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6813.36; Tue, 3 Oct 2023 15:28:09 +0000

host 2603:10a6:10:28d:0:0:0:32 (getting name) no name
2603:10a6:20b:44c:0:0:0:5 not listed in cbl.abuseat.org
2603:10a6:20b:44c:0:0:0:5 not listed in dnsbl.sorbs.net
2603:10a6:20b:44c:0:0:0:5 is not an MX for AS8P193MB2382.EURP193.PROD.OUTLOOK.COM
2603:10a6:20b:44c:0:0:0:5 is not an MX for AS8P193MB2383.EURP193.PROD.OUTLOOK.COM
2603:10a6:20b:44c:0:0:0:5 is not an MX for AS8P193MB2382.EURP193.PROD.OUTLOOK.COM
Possible spammer: 2603:10a6:10:28d:0:0:0:32
Host AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (checking ip) IP not found ; AS8P193MB2383.EURP193.PROD.OUTLOOK.COM discarded as fake.
Routing details for 2603:10a6:20b:44c:0:0:0:5
[refresh/show] Cached whois for 2603:10a6:20b:44c:0:0:0:5 : abuse@microsoft.com
Using best contacts abuse@microsoft.com
Using rdns to route to correct Microsoft department
host 2603:10a6:20b:44c:0:0:0:5 (getting name) no name

failed, using default abuse@hotmail.com

abuse@hotmail.com redirects to report_spam@hotmail.com

Chain error AS8P193MB2383.EURP193.PROD.OUTLOOK.COM not equal to last sender received line discarded

It seems SpamCop may be rejecting genuine Microsoft hostnames as fake when they are in fact not.


2 hours ago, jakeqz said:

Every time I report a spam message received at my Hotmail account, SpamCop determines the contact for "administrator of network where email originates" to be report_spam[AT]hotmail[DOI]com.

Years ago Hotmail abuse wanted SpamCop reports sent to a different address. This may now be an ignored legacy address?
It might pay to click refresh for the IP address to see if it changes.
Just tried refresh and it seems hard coded to a now bit-binned address IMO.


23 hours ago, petzl said:

Years ago Hotmail abuse wanted SpamCop reports sent to a different address. This may now be an ignored legacy address?

You seem to be answering a different question from the one I asked.

It seems that SpamCop is failing to parse the email headers received at Microsoft accounts, for example failing to recognize that the originator of a spam email was Google (or whomever), and thus failing to send spam reports to the originator's ISP.

This is not related to the reporting address for spam originating from Microsoft's systems.  I am referring to spam that has originated elsewhere, that is *received* by a Microsoft-based email account.


14 minutes ago, Lking said:

If you would provide the Tracking URI for the message the rest of us could see the parser's results.

https://www.spamcop.net/sc?id=z6863858533zda313e960ea36c0c2f11f0d79ce8ae4fz

(Didn't want to divulge personal information on a public forum and can't redact information from this. But the spammers already have my email address. So be enlightened :))


Quote
Date: Tue, 03 Oct 2023 08:28:08 -0700 (PDT)
Content-Type: multipart/alternative; boundary="===============1958825142170769511=="
Subject: Jacob, Payment for order no. GHF383FZ is approved
From: "Jacob Hotson" <thandekathande13@gmail.com>
To: x
X-IncomingHeaderCount: 15

SpamCop anticipated your concern. You see a slightly different screen than the rest of us see.

If you log out and browse the forum as a "guest", go to your post and click on the Tracking URL, I think you will see the redacted email.


Like Lking said, the parser removes personal info (as well as possible). That's why the tracking URL is always helpful.


The problem with hotmail/outlook/microsoft is that their host names do not return IP addresses:

Host AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (checking ip) IP not found ; AS8P193MB2383.EURP193.PROD.OUTLOOK.COM discarded as fake.

So already the first host, failing to return an IP address, causes the parser to throw away the remaining Received: lines and therefore use the first IP address (in this case the IPv6 address given on the Received: line for that host) to find the abuse contact.

It is Microsoft's fault that they try to hide their hosts, and therefore the spam is presumed to come from them. They should fix their DNS records or keep getting hit by reports.


2 minutes ago, RobiBue said:

The problem with hotmail/outlook/microsoft is that their host names do not return IP addresses:

Host AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (checking ip) IP not found ; AS8P193MB2383.EURP193.PROD.OUTLOOK.COM discarded as fake.

So already the first host, failing to return an IP address, causes the parser to throw away the remaining Received: lines and therefore use the first IP address (in this case the IPv6 address given on the Received: line for that host) to find the abuse contact.

It is Microsoft's fault that they try to hide their hosts, and therefore the spam is presumed to come from them. They should fix their DNS records or keep getting hit by reports.

That's what I thought. But why can't SpamCop carry on parsing the `Received` header lines to get to the originator, regardless of Microsoft's shenanigans? That way, we would be able to report spam to the originating ISP, who might actually listen.


SC doesn't continue past the first unmatched host due to the nature of spams:
Spammers historically insert/inject fake Received: headers to fool systems into parsing past the actual spammer host, and that's where SC usually does its best and stops at the first fake it encounters. It is unfortunate that M$ handles their MX hosts the way they do, causing them to be marked as the spam source.
I maintain that M$ needs to fix their system to the way it was intended, and not the way they would prefer it to be hidden.

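To make the walk RobiBue describes concrete (trust the newest hop, verify each older hop's claimed hostname, stop at the first one that cannot be verified), here is an added Python example that is not SpamCop's code. It replays an abbreviated copy of the Received: chain posted above against two constructed DNS tables: one where the Microsoft hostnames return no address, as the parser log in the thread shows, and one where they resolve.

```python
import ipaddress
import re

# Abbreviated copy of the Received: chain quoted in this thread, newest hop first
# (the order in the raw message). Folding and trailing clauses are trimmed; the
# hostnames and IPs are the ones shown in the post.
RECEIVED = [
    "from AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (2603:10a6:20b:44c::5) by AS8P193MB2382.EURP193.PROD.OUTLOOK.COM with HTTPS",
    "from DU2PR04CA0207.eurprd04.prod.outlook.com (2603:10a6:10:28d::32) by AS8P193MB2383.EURP193.PROD.OUTLOOK.COM (2603:10a6:20b:44c::5)",
    "from DB8EUR05FT010.eop-eur05.prod.protection.outlook.com (2603:10a6:10:28d:cafe::15) by DU2PR04CA0207.outlook.office365.com (2603:10a6:10:28d::32)",
    "from mail-pl1-f181.google.com (209.85.214.181) by DB8EUR05FT010.mail.protection.outlook.com (10.233.238.203)",
    "by mail-pl1-f181.google.com with SMTP id d9443c01a7336-1c724577e1fso8065395ad.0",
    "from [172.26.16.51] ([43.153.79.51]) by smtp.gmail.com with ESMTPSA",
]

# Constructed stand-ins for DNS (hostname -> address). The first mirrors the
# parser log in the thread: Microsoft's internal hostnames return no address.
DNS_AS_OBSERVED = {"mail-pl1-f181.google.com": "209.85.214.181"}
DNS_IF_MS_PUBLISHED = dict(DNS_AS_OBSERVED, **{
    "as8p193mb2383.eurp193.prod.outlook.com": "2603:10a6:20b:44c::5",
    "du2pr04ca0207.eurprd04.prod.outlook.com": "2603:10a6:10:28d::32",
    "db8eur05ft010.eop-eur05.prod.protection.outlook.com": "2603:10a6:10:28d:cafe::15",
})

# Matches 'from HOST (IP)', 'from HOST ([IP])' or 'from [LITERAL] ([IP])'.
FROM_RE = re.compile(
    r"from\s+(?:\[(?P<literal>[^\]]+)\]|(?P<host>[\w.-]+))\s*\(\[?(?P<ip>[0-9a-f.:]+)\]?", re.I)


def trace_origin(received, resolver):
    """Return (origin_ip, hops_verified, reason).

    The newest hop was logged by our own MTA, so the IP it saw is trusted. Each
    older hop was logged by the host named in the 'from' clause above it, so it
    is trusted only once that hostname resolves to the IP the logging MTA saw.
    At the first unverifiable hostname the walk stops and the IP in hand is the
    origin: the 'discarded as fake' behaviour the parser log shows.
    """
    origin, verified = None, 0
    for hop in received:
        m = FROM_RE.match(hop)
        if not m:                      # internal hop with no 'from' clause
            continue
        origin = ipaddress.ip_address(m.group("ip"))   # normalises IPv6 forms
        if m.group("host") is None:    # bare address literal: nothing to verify
            return str(origin), verified, "reached unnamed client"
        claimed = resolver.get(m.group("host").lower())
        if claimed is None or ipaddress.ip_address(claimed) != origin:
            return str(origin), verified, f"{m.group('host')} does not resolve to {origin}; discarded as fake"
        verified += 1
    return str(origin), verified, "chain exhausted"
```

With the observed DNS the walk never gets past the first Outlook host and attributes the mail to 2603:10a6:20b:44c::5, which is why the report lands with Microsoft; with the hostnames resolvable it walks through Google's relay to the submitting client.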

27 minutes ago, RobiBue said:

SC doesn't continue past the first unmatched host due to the nature of spams:
Spammers historically insert/inject fake Received: headers to fool systems into parsing past the actual spammer host, and that's where SC usually does its best and stops at the first fake it encounters. It is unfortunate that M$ handles their MX hosts the way they do, causing them to be marked as the spam source.
I maintain that M$ needs to fix their system to the way it was intended, and not the way they would prefer it to be hidden.

Hmm.  M$ spam filtering is awful.  They keep putting genuine mail in the Junk folder and spam in the inbox, regardless of DKIM or SPF.  It was so atrocious that I used to have a filter to move any email with `@` in the sender address to the inbox - until they decided that filters could only be run after spam classification and not on the 'junk mail' folder.  They also randomly reject messages with 550 codes because "part of your network is on our blocklist".  These are emails sent via GoDaddy.  I've tried to contact both companies to resolve the problem.  Both blame each other.

If Microsoft made cars, they would crash every 50 miles.  I hope they are not involved with self-driving cars.  Though I don't trust the other players either.  Once they are unleashed, I will be cowering at home, watching RoboCop or 2001.


Soooo I get my new M$car and a couple years down the track the V2 SW updates stipulate I can only fill up at M$petrol stations and soon after that I can only use certified M$mechanics and genuine parts for service and repairs. Then the M$battery model is released with 256 cameras to ensure a personalized experience and the battery slowly fails 4 years on and a new one costs an arm and a leg. Bill buys out tesla and twitter so he can corner the market...again and boast about being the world's richest twit on his account.
