help in identifying email headers

A user received an email with a threat. I looked at the headers on the original email, but I'm a little puzzled as to who the sender is.
Can anyone help me figure out the sending ISP or domain name?
It looks like the sender is from mydomain.com (which I substituted for my actual domain name), but how would that be possible?

to: GB@gmail.com
Reply-To: stone_castle79@yahoo.com
X-Source:
X-Cmae-Envelope: MS4wfLtixYZbNphNoTWoj7lekuBKBhpAtXdlyL3+LCH10Wb4G1C5xTaaLBth7cy6LGM33q7r6MG7+DBRM3vHMntJHAL1gMB6iEMvwD0uYQ2h3APx6sXpvxEn OGhaCdhpcmxSSVha5NRWwMc+nm3vASBakApuXhGyl3jZeh/nNL6IS8GZ0FgGGJw7i1CeqIRU4T6HjjnY4Hbnxa+iYorWeWqcYItHj4cdWlI0yuKxmnmKX/sy
Arc-Seal: i=1; a=rsa-sha256; t=1518499219; cv=none; d=google.com; s=arc-20160816; b=rQO9e4fAItoBkDRk9OGqPQVrDheobUAXy0quGR7c5p0vTScJsSbD9+tpoM5Z5ULncv Luz7dIvJMTWQgiuh5rVPFtT02HxFlKtGvXqZPW3rBpR2MlS6+0vfe6oVQWHIJYQsNA34 mZ79pBbIorJ2Z/z1HMD913CT1Sjuj6zPN14FrjNlmrKLXq7kGqigJND8hAdeFEdZiHkb EQAssz2F+HQhxhknn3WdaAiA71tC9OuVAkKCsVbksf7dAEFlCIDto5BLehUuIgFwb7/u 5xjP0gSmEjvjADQRcigPWscYyMxjwd07IdgHnn7AqstEg5vxE8dSFQ0vfF6boi0t+PN9 begA==
X-Antiabuse: This header was added to track abuse, please include it with any abuse report
X-Antiabuse: Primary Hostname - a2plcpnl0589.prod.iad2.secureserver.net
X-Antiabuse: Original Domain - gmail.com
X-Antiabuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-Antiabuse: Sender Address Domain - mydomain.com
X-Received: by 10.200.26.79 with SMTP id q15mr57888qtk.174.1518499219513; Mon, 12 Feb 2018 21:20:19 -0800 (PST)
X-Wpcf7-Content-Type: text/plain
X-Source-Args:
Return-Path: <brad@mydomain.com>
Arc-Authentication-Results: i=1; mx.google.com; spf=softfail (google.com: domain of transitioning brad@mydomain.com does not designate 198.71.225.37 as permitted sender) smtp.mailfrom=brad@mydomain.com
X-Google-Smtp-Source: AH8x224MVkS9ZjALO7rGfeg/SXclO8BzlTLmiy4gy+IgWBl4Waiv4sGmClRYx/RKrnHRtYp9XqHq
Mime-Version: 1.0
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning brad@mydomain.com does not designate 198.71.225.37 as permitted sender) smtp.mailfrom=brad@mydomain.com
Content-Disposition: inline
X-Source-Dir:
Arc-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:content-disposition:content-transfer-encoding:date :subject:reply-to:to:sender:from:message-id :arc-authentication-results; bh=BpJQV9NvxujrAxT28fj3I09CEdF0id/FuvjrnUL1MFc=; b=urvUwR+ZZi86HU0DM4EqWU3Ytbh4bHeTwgG27r9XE/4Kor2+vJMIMwhs49NsfzOFG0 6eISpO9dXXBWgBqCAYL/taxA+jOBgnZSsYG8/u3O5A71E+5MKYdbN5XITT6oDE///6EK Hs/8yS9WEqEi1rvDJ+iyUPNJ9uVuMT5XELs+sUZsFRPy5auIVTEWczEDvc+liqbuWDuS aHo+eddwMkrpOMPZaXhGyBhEzUdJrjMSlj09d+nvrkZdXVWm8bXKEYrd8yWiQiZz6F7+ Llgd82U5Ik159Hs0f3/OtIPdokjj3rAcYrbBcqsEs9pCSXhyw/N+RZZtI4KNhVRLL6RO Wxow==
X-Mailer: Postman SMTP 1.7.2 for WordPress (https://wordpress.org/plugins/postman-smtp/)
Message-Id: <5a827593.87b1370a.12cda.b891SMTPIN_ADDED_MISSING@mx.google.com>
Sender: brad@mydomain.com
Content-Transfer-Encoding: quoted-printable
X-Get-Message-Sender-Via: a2plcpnl0589.prod.iad2.secureserver.net: acl_c_authenticated_local_user: mydomain
X-Authenticated-Sender: a2plcpnl0589.prod.iad2.secureserver.net: mydomain
Content-Type: text/plain; charset=UTF-8
Delivered-To: GB@gmail.com
Received-Spf: softfail (google.com: domain of transitioning brad@mydomain.com does not designate 198.71.225.37 as permitted sender) client-ip=198.71.225.37;
Received: by 10.74.106.219 with SMTP id k88csp3799495ooe; Mon, 12 Feb 2018 21:20:19 -0800 (PST)
Received: from a2nlsmtp01-03.prod.iad2.secureserver.net (a2nlsmtp01-03.prod.iad2.secureserver.net. [198.71.225.37]) by mx.google.com with ESMTPS id a129si1760340qkf.441.2018.02.12.21.20.19 for <GB@gmail.com> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 12 Feb 2018 21:20:19 -0800 (PST)
Received: from a2plcpnl0589.prod.iad2.secureserver.net ([198.71.236.84]) by : HOSTING RELAY : with SMTP id lSzuewThWNMFylSzueZNQM; Mon, 12 Feb 2018 22:19:18 -0700
Received: from [127.0.0.1] (port=52530 helo=localhost) by a2plcpnl0589.prod.iad2.secureserver.net with esmtp (Exim 4.89) (envelope-from <brad@mydomain.com>) id 1elSzu-003Llz-G6 for GB@gmail.com; Mon, 12 Feb 2018 22:19:18 -0700
Granite Bay Contact Form Message
Dan (Network Engineer) asked:
Daryl Gawn (System Administrator) commented:
Someone spoofed your domain.com via a script, etc. You can in theory send from any address, but depending on what hops it goes through it may or may not be received; in this case it was.

The sending address is 198.71.225.37: https://www.abuseipdb.com/whois/198.71.225.37 http://www.ipaddress-finder.com/?ip=198.71.225.37

From those links you can see where it was generated.
Dan (Network Engineer, author) commented:
So 198.71.225.37 is a GoDaddy IP address, so that doesn't help me much.
Actually, in the real email it did list my actual domain name; I just changed it before posting so I don't disclose my actual domain name. So whoever it was, they are from Arizona, according to ipaddress-finder.com, right?
Daryl Gawn (System Administrator) commented:
Yes, sorry, I re-read your post then edited mine. Yeah, that's where they sent it from; they could have been anywhere in the world themselves.
Daryl Gawn (System Administrator) commented:
Most decent SPF/anti-spoof gateways should stop or at least quarantine these types of emails. You can't control people outside spoofing your domain name, unfortunately, but you can at least stop or hold them up from being sent to your own company, etc.
Dan (Network Engineer, author) commented:
What's strange is that the sending email address used was an address inside my organization that is disabled.
So how can I stop this from happening?
I think I only have relaying enabled inside my organization. Are there any specific configurations I need to check in my Exchange account?
Daryl Gawn (System Administrator) commented:
You can only stop it coming into your organization if you have an antispam/antispoof gateway that does various checks, etc.

If you don't, Exchange will just receive it and deliver it if it's addressed to a valid email address inside your org.
Lee W, MVP (Technology and Business Process Advisor) commented:
If you don't want to post the ACTUAL header, I would suggest you run it through analyzers yourself:
https://www.iptrackeronline.com/email-header-analysis.php
https://www.google.com/search?q=email+header+analyzer
Dan (Network Engineer, author) commented:
So I used iptrackeronline.com and it says that most likely the email came from IP 198.71.236.84.
So then why does it list an email address from my own organization as the sender? That's what's puzzling me.
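The two IPs in this thread are answered by reading the Received chain bottom-up rather than by a single "originating IP" lookup. The following is an added example (not from the thread or from any analyzer site): it walks the Received headers in travel order, pulls the bracketed address each receiving MTA actually recorded, and reads the SPF verdict from Authentication-Results. Run against the headers posted above it shows the first hop came from [127.0.0.1] (helo=localhost) into the cPanel host a2plcpnl0589.prod.iad2.secureserver.net, which is why the analyzer reports 198.71.236.84 as the origin; that host then handed the message to the outbound relay 198.71.225.37, which is the address mx.google.com saw and checked SPF against (softfail, so the domain's SPF record lists neither address and ends in ~all, which Gmail treats as advisory). The X-Mailer (Postman SMTP for WordPress), X-Wpcf7-Content-Type (Contact Form 7) and X-Authenticated-Sender (cPanel account "mydomain") headers are consistent with a WordPress contact form on that hosting account generating the message with a site address as sender; that is an inference from the posted headers, not something the thread establishes. The sample headers are those posted above, unfolded onto single lines, with the body omitted.

```python
import ipaddress
import re
from dataclasses import dataclass
from email import message_from_string
from typing import Optional

# Constructed sample: the relevant headers from the message posted above,
# unfolded onto single lines (mydomain.com is the poster's placeholder).
SAMPLE = """\
Return-Path: <brad@mydomain.com>
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning brad@mydomain.com does not designate 198.71.225.37 as permitted sender) smtp.mailfrom=brad@mydomain.com
X-Mailer: Postman SMTP 1.7.2 for WordPress (https://wordpress.org/plugins/postman-smtp/)
X-Authenticated-Sender: a2plcpnl0589.prod.iad2.secureserver.net: mydomain
Sender: brad@mydomain.com
Received: by 10.74.106.219 with SMTP id k88csp3799495ooe; Mon, 12 Feb 2018 21:20:19 -0800 (PST)
Received: from a2nlsmtp01-03.prod.iad2.secureserver.net (a2nlsmtp01-03.prod.iad2.secureserver.net. [198.71.225.37]) by mx.google.com with ESMTPS id a129si1760340qkf.441.2018.02.12.21.20.19 for <GB@gmail.com> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 12 Feb 2018 21:20:19 -0800 (PST)
Received: from a2plcpnl0589.prod.iad2.secureserver.net ([198.71.236.84]) by : HOSTING RELAY : with SMTP id lSzuewThWNMFylSzueZNQM; Mon, 12 Feb 2018 22:19:18 -0700
Received: from [127.0.0.1] (port=52530 helo=localhost) by a2plcpnl0589.prod.iad2.secureserver.net with esmtp (Exim 4.89) (envelope-from <brad@mydomain.com>) id 1elSzu-003Llz-G6 for GB@gmail.com; Mon, 12 Feb 2018 22:19:18 -0700
Subject: Granite Bay Contact Form Message

(body omitted)
"""


@dataclass
class Hop:
    from_host: str                        # what the sending side called itself
    from_ip: Optional[str]                # address the receiving MTA recorded, if any
    by: str                               # receiving MTA
    envelope_from: Optional[str] = None   # Exim records the SMTP MAIL FROM here


# Only the bracketed address is trustworthy: the receiver wrote it from the
# TCP connection; the hostname before it is whatever the sender claimed.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)\s*(?P<rest>.*?)\s+by\s+(?P<by>.+?)(?:\s+(?:with|id|via|for)\b|;)"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ENVELOPE_RE = re.compile(r"envelope-from\s+<([^>]+)>")


def parse_received(value: str) -> Optional[Hop]:
    """Parse one Received header. Returns None for hops with no 'from' clause
    (a provider's internal handoff), which carry no source address."""
    value = " ".join(value.split())   # unfold and squeeze whitespace
    m = RECEIVED_RE.match(value)
    if not m:
        return None
    # The recorded address is either the 'from' token itself ([127.0.0.1])
    # or inside the comment that follows the claimed hostname.
    ip = IP_RE.search(m.group("from") + " " + m.group("rest"))
    env = ENVELOPE_RE.search(value)
    return Hop(
        from_host=m.group("from"),
        from_ip=ip.group(1) if ip else None,
        by=m.group("by"),
        envelope_from=env.group(1) if env else None,
    )


def hops(msg) -> list:
    """Each MTA prepends its Received header, so reverse the list to read the
    path in the order the message actually travelled."""
    parsed = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(parsed) if h]


def analyze(raw: str) -> dict:
    msg = message_from_string(raw)
    path = hops(msg)
    # First hop with a globally routable source is the host that injected the
    # message into the mail system. A loopback first hop means the message was
    # generated on that host itself (a local script, web app or plugin).
    injected = next(
        (h for h in path if h.from_ip and ipaddress.ip_address(h.from_ip).is_global),
        None,
    )
    spf = re.search(r"spf=(\w+)", msg.get("Authentication-Results", ""))
    return {
        "path": path,
        "submitted_locally": bool(path) and path[0].from_ip is not None
        and ipaddress.ip_address(path[0].from_ip).is_loopback,
        "injecting_host": injected.from_host if injected else None,
        "injecting_ip": injected.from_ip if injected else None,
        "handoff_ip": path[-1].from_ip if path else None,   # what the recipient MX saw
        "spf": spf.group(1) if spf else None,
        "envelope_from": path[0].envelope_from if path else None,
        "mailer": msg.get("X-Mailer"),
        "authenticated_account": msg.get("X-Authenticated-Sender"),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

The "injecting_ip" is the one worth reporting to the hosting provider's abuse desk (together with the X-Antiabuse headers they added for that purpose); the "handoff_ip" is only the provider's shared outbound relay. Because the first hop is loopback and the session was authenticated as a local cPanel account, the person who typed the threat is not in these headers at all; if the message did come through a web form, their address would be in the form's own submission log or, for some plugins, in the message body.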