
Help in identifying email headers

A user received an email with a threat. I looked at the headers on the original email, but I'm a little puzzled as to who the sender is.
Can anyone help me figure out the sending ISP or domain name?
It looks like the sender is from mydomain.com (which I substituted for my actual domain name), but how would that be possible?

to: GB@gmail.com
Reply-To: stone_castle79@yahoo.com
X-Source:
X-Cmae-Envelope: MS4wfLtixYZbNphNoTWoj7lekuBKBhpAtXdlyL3+LCH10Wb4G1C5xTaaLBth7cy6LGM33q7r6MG7+DBRM3vHMntJHAL1gMB6iEMvwD0uYQ2h3APx6sXpvxEn OGhaCdhpcmxSSVha5NRWwMc+nm3vASBakApuXhGyl3jZeh/nNL6IS8GZ0FgGGJw7i1CeqIRU4T6HjjnY4Hbnxa+iYorWeWqcYItHj4cdWlI0yuKxmnmKX/sy
Arc-Seal: i=1; a=rsa-sha256; t=1518499219; cv=none; d=google.com; s=arc-20160816; b=rQO9e4fAItoBkDRk9OGqPQVrDheobUAXy0quGR7c5p0vTScJsSbD9+tpoM5Z5ULncv Luz7dIvJMTWQgiuh5rVPFtT02HxFlKtGvXqZPW3rBpR2MlS6+0vfe6oVQWHIJYQsNA34 mZ79pBbIorJ2Z/z1HMD913CT1Sjuj6zPN14FrjNlmrKLXq7kGqigJND8hAdeFEdZiHkb EQAssz2F+HQhxhknn3WdaAiA71tC9OuVAkKCsVbksf7dAEFlCIDto5BLehUuIgFwb7/u 5xjP0gSmEjvjADQRcigPWscYyMxjwd07IdgHnn7AqstEg5vxE8dSFQ0vfF6boi0t+PN9 begA==
X-Antiabuse: This header was added to track abuse, please include it with any abuse report
X-Antiabuse: Primary Hostname - a2plcpnl0589.prod.iad2.secureserver.net
X-Antiabuse: Original Domain - gmail.com
X-Antiabuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-Antiabuse: Sender Address Domain - mydomain.com
X-Received: by 10.200.26.79 with SMTP id q15mr57888qtk.174.1518499219513; Mon, 12 Feb 2018 21:20:19 -0800 (PST)
X-Wpcf7-Content-Type: text/plain
X-Source-Args:
Return-Path: <brad@mydomain.com>
Arc-Authentication-Results: i=1; mx.google.com; spf=softfail (google.com: domain of transitioning brad@mydomain.com does not designate 198.71.225.37 as permitted sender) smtp.mailfrom=brad@mydomain.com
X-Google-Smtp-Source: AH8x224MVkS9ZjALO7rGfeg/SXclO8BzlTLmiy4gy+IgWBl4Waiv4sGmClRYx/RKrnHRtYp9XqHq
Mime-Version: 1.0
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning brad@mydomain.com does not designate 198.71.225.37 as permitted sender) smtp.mailfrom=brad@mydomain.com
Content-Disposition: inline
X-Source-Dir:
Arc-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:content-disposition:content-transfer-encoding:date :subject:reply-to:to:sender:from:message-id :arc-authentication-results; bh=BpJQV9NvxujrAxT28fj3I09CEdF0id/FuvjrnUL1MFc=; b=urvUwR+ZZi86HU0DM4EqWU3Ytbh4bHeTwgG27r9XE/4Kor2+vJMIMwhs49NsfzOFG0 6eISpO9dXXBWgBqCAYL/taxA+jOBgnZSsYG8/u3O5A71E+5MKYdbN5XITT6oDE///6EK Hs/8yS9WEqEi1rvDJ+iyUPNJ9uVuMT5XELs+sUZsFRPy5auIVTEWczEDvc+liqbuWDuS aHo+eddwMkrpOMPZaXhGyBhEzUdJrjMSlj09d+nvrkZdXVWm8bXKEYrd8yWiQiZz6F7+ Llgd82U5Ik159Hs0f3/OtIPdokjj3rAcYrbBcqsEs9pCSXhyw/N+RZZtI4KNhVRLL6RO Wxow==
X-Mailer: Postman SMTP 1.7.2 for WordPress (https://wordpress.org/plugins/postman-smtp/)
Message-Id: <5a827593.87b1370a.12cda.b891SMTPIN_ADDED_MISSING@mx.google.com>
Sender: brad@mydomain.com
Content-Transfer-Encoding: quoted-printable
X-Get-Message-Sender-Via: a2plcpnl0589.prod.iad2.secureserver.net: acl_c_authenticated_local_user: mydomain
X-Authenticated-Sender: a2plcpnl0589.prod.iad2.secureserver.net: mydomain
Content-Type: text/plain; charset=UTF-8
Delivered-To: GB@gmail.com
Received-Spf: softfail (google.com: domain of transitioning brad@mydomain.com does not designate 198.71.225.37 as permitted sender) client-ip=198.71.225.37;
Received: by 10.74.106.219 with SMTP id k88csp3799495ooe; Mon, 12 Feb 2018 21:20:19 -0800 (PST)
Received: from a2nlsmtp01-03.prod.iad2.secureserver.net (a2nlsmtp01-03.prod.iad2.secureserver.net. [198.71.225.37]) by mx.google.com with ESMTPS id a129si1760340qkf.441.2018.02.12.21.20.19 for <GB@gmail.com> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 12 Feb 2018 21:20:19 -0800 (PST)
Received: from a2plcpnl0589.prod.iad2.secureserver.net ([198.71.236.84]) by : HOSTING RELAY : with SMTP id lSzuewThWNMFylSzueZNQM; Mon, 12 Feb 2018 22:19:18 -0700
Received: from [127.0.0.1] (port=52530 helo=localhost) by a2plcpnl0589.prod.iad2.secureserver.net with esmtp (Exim 4.89) (envelope-from <brad@mydomain.com>) id 1elSzu-003Llz-G6 for GB@gmail.com; Mon, 12 Feb 2018 22:19:18 -0700
Granite Bay Contact Form Message
Asked by: Dan (Network Engineer)

Daryl Gawn (System Administrator) commented:
Someone spoofed your domain.com via a script etc. You can in theory send from any address, but depending on what hops it goes through it may or may not be received; in this case it was.

The sending address is 198.71.225.37: https://www.abuseipdb.com/whois/198.71.225.37  http://www.ipaddress-finder.com/?ip=198.71.225.37

You can see from those links where it was generated from.
Dan (Network Engineer, author) commented:
So 198.71.225.37 is a GoDaddy IP address, so that doesn't help me much.
Actually, in the real email it did list my actual domain name; I just changed it before posting, so I don't disclose my actual domain name. So whoever it was, they are from Arizona, according to ipaddress-finder.com, right?
Daryl Gawn (System Administrator) commented:
Yes, sorry, I re-read your post then edited mine. Yeah, that's where they sent it from; they could have been anywhere in the world themselves.
Daryl Gawn (System Administrator) commented:
Most decent SPF/anti-spoof gateways should stop or at least quarantine these types of emails. You can't control people outside spoofing your domain name, unfortunately, but you can at least stop them or hold them up from being sent to your own company etc.
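Daryl's point about SPF-checking gateways, as an added offline example (not code from the post or from any of the participants): a minimal SPF evaluator run over a constructed DNS map instead of live TXT lookups. The poster's real SPF record is not on the page; what the page does show is Gmail recording "softfail" for 198.71.225.37, which is the result a record ending in ~all returns for an unlisted sender. The record contents below, the include target _spf.relay.example and every IP other than 198.71.225.37 are hypothetical. The example shows the weak record (~all) beside the corrected one (-all), and how a DMARC policy turns the receiver's verdict into a disposition.

```python
"""Offline SPF evaluation of a sender IP against a published record.

Added example, not code from the original post.  DNS_TXT stands in for
live TXT lookups and is constructed: the poster's real SPF record is not
on the page, and _spf.relay.example and every IP except 198.71.225.37
are hypothetical.
"""
import ipaddress

# Weak record: the trailing ~all tells receivers to "softfail" unlisted
# senders, which is what Gmail recorded for 198.71.225.37 before delivering.
DNS_TXT = {
    "mydomain.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.relay.example ~all",
    "_spf.relay.example": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 -all",
}

# Corrected record: -all makes an unlisted sender a hard fail.
DNS_TXT_HARDENED = {
    "mydomain.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.relay.example -all",
    "_spf.relay.example": DNS_TXT["_spf.relay.example"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, dns=DNS_TXT, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain.

    Supports ip4, ip6, include and all.  a/mx/ptr/exists need live DNS and
    are reported as permerror here; modifiers (redirect=, exp=) are ignored.
    """
    if depth > 10:                       # RFC 7208 caps include recursion
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:                  # modifier, not a mechanism
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # mismatched address families never match
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # include only matches when the referenced record returns pass
            matched = check_spf(ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # nothing matched and no *all term


def dmarc_disposition(spf_result, spf_aligned, dkim_pass_aligned, policy):
    """What a DMARC-enforcing receiver does with the message.

    DMARC passes only on an aligned SPF pass or an aligned DKIM pass;
    softfail is not a pass.  policy is the record's p= value.
    """
    if (spf_result == "pass" and spf_aligned) or dkim_pass_aligned:
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


if __name__ == "__main__":
    ip = "198.71.225.37"   # the relay that handed the posted message to Gmail
    weak = check_spf(ip, "mydomain.com")
    hard = check_spf(ip, "mydomain.com", dns=DNS_TXT_HARDENED)
    print(f"{ip} with ~all -> {weak}, with -all -> {hard}")
    print("DMARC p=reject disposition:",
          dmarc_disposition(hard, True, False, "reject"))
```

Two caveats the evaluator makes visible. SPF is checked against the envelope sender (the Return-Path / smtp.mailfrom address, brad@mydomain.com in the posted headers), not the From: line a user sees, and the gateway is only told what the domain owner published: with ~all the receiver gets an advisory softfail and, as Gmail did here, may deliver anyway, whereas -all plus a DMARC p=quarantine or p=reject record gives the gateway a policy it can enforce. Conversely, any host the record lists passes no matter who submitted the message through it.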
Dan (Network Engineer, author) commented:
What's strange is that the sending email address used was an address inside my organization that is disabled.
So how can I stop this from happening?
I think I only have relaying enabled inside my organization. Are there any specific configurations I need to check in my Exchange account?
Daryl Gawn (System Administrator) commented:
You can only stop it coming into your organization if you have an antispam/antispoof gateway that does various checks etc.

If you don't, Exchange will just receive it and deliver it if it's addressed to a valid email address inside your org.
Lee W, MVP (Technology and Business Process Advisor) commented:
If you don't want to post the ACTUAL header, I would suggest you run it through analyzers yourself:
https://www.iptrackeronline.com/email-header-analysis.php
https://www.google.com/search?q=email+header+analyzer
Dan (Network Engineer, author) commented:
So I used iptrackeronline.com and it says that most likely the email came from IP 198.71.236.84.
So then why does it list an email address from my own organization as the sender? That's what's puzzling me.
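The two IPs in the thread (Daryl's 198.71.225.37 and the 198.71.236.84 that iptrackeronline.com reported to Dan) are both in the posted Received chain; they are different hops. What follows is an added example, not code from the post or from any of the participants, that walks that chain the way a header analyzer does: Received: lines are prepended by each relay, so reading them bottom-up gives the path in time order. RAW_HEADERS is a subset of the headers posted in the question, with the Received lines in their posted order (the poster had already replaced the real domain with mydomain.com); the function names are the example's own.

```python
"""Walk the Received chain of the posted headers, earliest hop first.

Added example, not code from the original post.  RAW_HEADERS is a subset
of the headers posted in the question (domain already replaced by the
poster with mydomain.com); the Received: lines keep their posted order.
"""
import ipaddress
import re
from email import message_from_string

RAW_HEADERS = """\
Delivered-To: GB@gmail.com
Received-Spf: softfail (google.com: domain of transitioning brad@mydomain.com does not designate 198.71.225.37 as permitted sender) client-ip=198.71.225.37;
Received: by 10.74.106.219 with SMTP id k88csp3799495ooe; Mon, 12 Feb 2018 21:20:19 -0800 (PST)
Received: from a2nlsmtp01-03.prod.iad2.secureserver.net (a2nlsmtp01-03.prod.iad2.secureserver.net. [198.71.225.37]) by mx.google.com with ESMTPS id a129si1760340qkf.441.2018.02.12.21.20.19 for <GB@gmail.com> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 12 Feb 2018 21:20:19 -0800 (PST)
Received: from a2plcpnl0589.prod.iad2.secureserver.net ([198.71.236.84]) by : HOSTING RELAY : with SMTP id lSzuewThWNMFylSzueZNQM; Mon, 12 Feb 2018 22:19:18 -0700
Received: from [127.0.0.1] (port=52530 helo=localhost) by a2plcpnl0589.prod.iad2.secureserver.net with esmtp (Exim 4.89) (envelope-from <brad@mydomain.com>) id 1elSzu-003Llz-G6 for GB@gmail.com; Mon, 12 Feb 2018 22:19:18 -0700
Return-Path: <brad@mydomain.com>
Sender: brad@mydomain.com
Reply-To: stone_castle79@yahoo.com
X-Mailer: Postman SMTP 1.7.2 for WordPress (https://wordpress.org/plugins/postman-smtp/)
X-Wpcf7-Content-Type: text/plain
X-Authenticated-Sender: a2plcpnl0589.prod.iad2.secureserver.net: mydomain
"""


def parse_received(value):
    """Pull the 'from' host, its bracketed IPv4 literal and the 'by' host
    out of one Received: value.  Fields that are absent stay None."""
    hop = {"from": None, "ip": None, "by": None}
    m = re.match(r"\s*from\s+(\S+)", value, re.I)
    if m:
        hop["from"] = m.group(1)
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
    if m:
        hop["ip"] = m.group(1)
    m = re.search(r"\bby\s+(\S+)", value, re.I)
    if m:
        hop["by"] = m.group(1)
    return hop


def received_chain(raw_headers):
    """Each relay prepends its own Received: line, so reversing the list
    yields the hops in the order the message actually travelled."""
    msg = message_from_string(raw_headers)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()
    return hops


def first_public_hop(hops):
    """Earliest hop whose source address is globally routable; loopback
    and private-range hops (the local submission) are skipped."""
    for hop in hops:
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_global:
            return hop
    return None


def spf_verdict(raw_headers):
    """(result, client-ip) from Received-SPF, or None if none was recorded."""
    value = message_from_string(raw_headers).get("Received-SPF")
    if not value:
        return None
    m = re.search(r"client-ip=([\d.]+)", value)
    return value.split(None, 1)[0].lower(), (m.group(1) if m else None)


SUBMISSION_HEADERS = ("X-Authenticated-Sender", "X-Mailer", "X-Wpcf7-Content-Type",
                      "Return-Path", "Sender", "Reply-To")


def submission_evidence(raw_headers):
    """Headers stamped by the submitting host and software; they describe
    who handed the message to the first relay, whatever From: claims."""
    msg = message_from_string(raw_headers)
    return {name: msg[name] for name in SUBMISSION_HEADERS if msg[name] is not None}


if __name__ == "__main__":
    hops = received_chain(RAW_HEADERS)
    for i, hop in enumerate(hops):
        print(f"hop {i}: from={hop['from']} ip={hop['ip']} by={hop['by']}")
    print("first public hop:", first_public_hop(hops))
    print("SPF:", spf_verdict(RAW_HEADERS))
    for name, value in submission_evidence(RAW_HEADERS).items():
        print(f"{name}: {value}")
```

Read in order, the chain is: a local client on 127.0.0.1 (helo=localhost) handing the message to Exim on a2plcpnl0589.prod.iad2.secureserver.net, that host (198.71.236.84) passing it to the hosting relay, the relay a2nlsmtp01-03 (198.71.225.37) delivering to mx.google.com over TLS, and Gmail's internal hop. So the analyzer's 198.71.236.84 is the first public hop and Daryl's 198.71.225.37 is the relay Gmail saw and checked SPF against. The submission headers are the part worth checking before treating this as purely external spoofing: the posted headers carry X-Mailer (Postman SMTP for WordPress), X-Wpcf7-Content-Type and X-Authenticated-Sender / X-Get-Message-Sender-Via lines naming the authenticated local account "mydomain" on that cPanel host, and the Reply-To is a yahoo.com address, which is the address any reply would actually reach.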