When we get a suspicious email, we make a copy of the headers and then look for questionable email addresses and IP addresses in the route. If we find something we think is a spam source, we block the incoming email address and IP address as needed. Now I'm questioning that practice.
Here's why. If you look at the portion of the header below, the email went through a server named VULTR-GUEST.local at IP 18.104.22.168. Checking the IP, it's registered to a server in Frankfurt, Germany - not what we expect. BUT, my question is, it left that server and went through a couple more registered to outlook.com (Office 365, I assume) before finally being delivered to our mail server.
Does it matter that the path took it through that German server, or is the last server before delivery to our system the only one we need to look at and be concerned about?
Here's a little of the middle portion of the header:
(2603:10b6:405:39::24) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.407.1 via Frontend
Transport; Wed, 10 Jan 2018 20:43:08 +0000
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (22.214.171.124) by
BY2NAM05FT032.mail.protection.outlook.com (10.152.100.169) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_RSA_WITH_AES_256_GCM_SHA384) id
15.20.345.12 via Frontend Transport; Wed, 10 Jan 2018 20:43:07 +0000
Received: from VULTR-GUEST.local (126.96.36.199) by
CY1PR05MB2331.namprd05.prod.outlook.com (10.166.192.153) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
15.20.407.1; Wed, 10 Jan 2018 20:43:00 +0000
From: =?utf-8?B?RHJvcMyDYm94?= <firstname.lastname@example.org>
Date: Wed, 10 Jan 2018 20:43:00 +0000
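As an added example (not part of the original post), the Python below parses the two complete Received: lines and the From: line quoted above, lists the hops newest-first, walks down from our side to the hop where a relay we treat as trusted first accepted the message from an untrusted host, and decodes the From: display name so that any combining marks hidden in it become visible. The trusted-relay suffix list and the restored header folding are assumptions.

```python
import re
import unicodedata
from email import message_from_string, policy

# Header fragment from the post with folding whitespace restored; the
# truncated first Received: line is deliberately left out.
RAW_HEADERS = """\
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (22.214.171.124) by
 BY2NAM05FT032.mail.protection.outlook.com (10.152.100.169) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.345.12 via Frontend Transport; Wed, 10 Jan 2018 20:43:07 +0000
Received: from VULTR-GUEST.local (126.96.36.199) by
 CY1PR05MB2331.namprd05.prod.outlook.com (10.166.192.153) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.407.1; Wed, 10 Jan 2018 20:43:00 +0000
From: =?utf-8?B?RHJvcMyDYm94?= <firstname.lastname@example.org>
Date: Wed, 10 Jan 2018 20:43:00 +0000

"""

# Assumption: relays under these suffixes stamp honest Received: lines.
TRUSTED_RELAY_SUFFIXES = (".outlook.com",)

HOP_RE = re.compile(r"from\s+(\S+)\s+\((\[?[0-9a-fA-F.:]+\]?)\)\s+by\s+(\S+)")

def hop_chain(raw):
    """Return hops newest-first as (from_host, from_ip, by_host) tuples."""
    msg = message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(re.sub(r"\s+", " ", str(value)))
        if m:
            hops.append(m.groups())
    return hops

def is_trusted(host):
    return host.lower().endswith(TRUSTED_RELAY_SUFFIXES)

def entry_hop(hops):
    """Walk from our side downward; the first hop where a trusted relay
    accepted mail from an untrusted host is where the message entered.
    Lines below that hop were written by the sender and may be forged."""
    for hop in hops:
        from_host, _ip, by_host = hop
        if not is_trusted(by_host):
            return None  # chain of trust already broken above this point
        if not is_trusted(from_host):
            return hop
    return None

def display_name_skeleton(raw):
    """Decode From: display name; return (name, name without combining marks, mark count)."""
    name = message_from_string(raw, policy=policy.default)["From"].addresses[0].display_name
    decomposed = unicodedata.normalize("NFKD", name)
    marks = sum(1 for c in decomposed if unicodedata.combining(c))
    return name, "".join(c for c in decomposed if not unicodedata.combining(c)), marks
```

Running `entry_hop(hop_chain(RAW_HEADERS))` on these headers returns the VULTR-GUEST.local hop, and `display_name_skeleton(RAW_HEADERS)` reports one combining mark in a display name whose skeleton is "Dropbox".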