Email header shows extra IP address in the Received: section

Michael Fulton
Email Header analyzing.  
I am going through suspected phishing emails to verify that they are phishing and then find a way to block them since they were not already blocked.
Normally a pretty straightforward approach.
I have one that has me baffled though, with the analysis portion. I have attached the header.

I use two different sites to analyze the header:
https://mxtoolbox.com/
and
https://mha.azurewebsites.net

The question I have is in regards to the "Received headers" section, the first line reported by both of the above sites.
On MXToolbox it shows the from as "server.curaduria2bogota.com.co 200.68.9.186"
On the Azure one it shows a little more information: "[200.68.9.186] (port=11638 helo=[192.3.24.36])"

So the question I have is what does this other IP tell me?  The 192.3.24.36.  The header says:
Received: from [200.68.9.186] (port=11638 helo=[192.3.24.36])       by
 server.curaduria2bogota.com.co

But the address of server.curaduria2bogota.com.co is 108.179.210.71 not that 192 address.

Looking for someone smarter than me for input on this.

thank you!
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Likely you can simply tighten your SPF rejection settings, so that when some From: address such as server.curaduria2bogota.com.co has no SPF authentication to send, it can be bounced during the initial SMTP conversation, when the message's first delivery is attempted.
Michael Fulton, MCITP: Enterprise/Virtual Administrator

Author

Commented:
I understand that. We have some odd things on this end that currently are preventing making it too tight.

But the question I have is about that address.  Could it be they are using a VPN tunnel and that is their original IP?  I don't know.  That is why I am asking this.
MCITP: Enterprise/Virtual Administrator
Commented:
The first hop reports multiple IPs and a non-standard port. The 2 IP addresses are because the sending computer on Hop 1 reported its IP address as 192.3.24.36, but the actual IP address that connected to the receiving host was different (200.68.9.186). The RFC for the SMTP protocol (https://tools.ietf.org/html/rfc821) defines the first step of communications to be that the sender sends a "hello" message (helo or ehlo), as follows:
    At the time the transmission channel is opened there is an
    exchange to ensure that the hosts are communicating with the hosts
    they think they are.

    The following two commands are used in transmission channel
    opening and closing:

        HELO <SP> <domain> <CRLF>

        QUIT <CRLF>

    In the HELO command the host sending the command identifies
    itself; the command may be interpreted as saying "Hello, I am
    <domain>".

Most systems won't do anything to verify that the sending host is reporting itself correctly, so there are a lot of email servers that are just sending the IP address of the server. The sending server only knows its internal IP, not its public/NATed IP, so it reports 192.3.24.36.

The first hop also reports a non-standard port. I suspect that server.curaduria2bogota.com.co has configured a non-standard SMTP port (11638) in an attempt to foil spammers, but that someone found the open port and is using it for exactly that purpose.
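As an added illustration of the answer above (this is not code from the question or from any of the commenters), the small Python parser below reads an Exim-style first-hop Received: line like the one quoted in the question, separates the connecting IP from the HELO identity and the port, and reports the same observations the answer makes: a bare IP in the HELO, a HELO IP that differs from the connecting IP, and a non-standard port. The regex, the function names and the list of "standard" submission ports are my assumptions; the sample line is reconstructed from the header quoted in the question.

```python
import re
from ipaddress import ip_address

# Constructed sample: the first-hop Received: line from the question,
# with the folded continuation line joined back onto one line.
SAMPLE_RECEIVED = (
    "Received: from [200.68.9.186] (port=11638 helo=[192.3.24.36]) "
    "by server.curaduria2bogota.com.co"
)

# Exim-style clause: from [CONNECTING_IP] (port=N helo=CLAIMED_NAME) by HOST
_RECEIVED_RE = re.compile(
    r"from\s+\[(?P<conn_ip>[^\]]+)\]\s*"
    r"\((?:port=(?P<port>\d+)\s+)?helo=\[?(?P<helo>[^\s\])]+)\]?\)\s*"
    r"by\s+(?P<by_host>\S+)",
    re.IGNORECASE,
)


def parse_received(header):
    """Return the connecting IP, port, HELO identity and receiving host, or None."""
    text = " ".join(header.split())  # fold continuation lines and extra whitespace
    m = _RECEIVED_RE.search(text)
    if not m:
        return None
    fields = m.groupdict()
    fields["port"] = int(fields["port"]) if fields["port"] else None
    return fields


def is_ip(value):
    """True if value parses as an IPv4/IPv6 address (an IP literal rather than a domain)."""
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def helo_findings(parsed, standard_ports=(25, 465, 587)):
    """Heuristic observations about the first hop; the port list is an assumption."""
    findings = []
    if is_ip(parsed["helo"]):
        findings.append("helo_is_bare_ip")       # RFC 821 expects a <domain> here
        if parsed["helo"] != parsed["conn_ip"]:
            findings.append("helo_ip_mismatch")  # claimed IP differs from connecting IP
    if parsed["port"] is not None and parsed["port"] not in standard_ports:
        findings.append("nonstandard_port")
    return findings
```

Running `helo_findings(parse_received(SAMPLE_RECEIVED))` on the line from the question yields all three findings, which is a useful triage signal but not proof of spoofing on its own, since many legitimately configured (NATed) senders also announce a private or internal address in HELO.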
