
Email header shows extra IP address in the Received: section

Last Modified: 2019-03-07
Email header analysis.
I am going through suspected phishing emails to verify that they are phishing and then find a way to block them, since they were not already blocked.
Normally a pretty straightforward approach.
I have one that has me baffled though with the analysis portion. I have attached the header.

I use two different sites to analyze the header:
https://mxtoolbox.com/
and
https://mha.azurewebsites.net

The question I have is in regards to the "Received headers" section, the first line reported by both of the above sites.
On MXToolbox it shows the from as "server.curaduria2bogota.com.co 200.68.9.186"
On the Azure one it shows a little more information: "[200.68.9.186] (port=11638 helo=[192.3.24.36])"

So the question I have is what does this other IP tell me?  The 192.3.24.36.  The header says:
Received: from [200.68.9.186] (port=11638 helo=[192.3.24.36])       by
 server.curaduria2bogota.com.co

But the address of server.curaduria2bogota.com.co is 108.179.210.71 not that 192 address.

Looking for someone smarter than me for input on this.

thank you!
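As an added example (not code from anyone in this thread), the Python below parses the Exim-style Received line quoted in the question and separates the bracketed peer address, which is the TCP source the receiving MTA actually saw, from the helo= value, which is copied verbatim from the client's HELO/EHLO and is not verified by the receiver. The sample header is the one from the question; any other addresses or hostnames used for testing are constructed.

```python
import re
from ipaddress import ip_address
from typing import Optional

# Constructed sample input: the Received line quoted in the question, kept
# folded (the continuation line starts with whitespace) as it appears in mail.
SAMPLE_RECEIVED = (
    "Received: from [200.68.9.186] (port=11638 helo=[192.3.24.36])       by\n"
    " server.curaduria2bogota.com.co"
)

# Exim's default Received: format is "from [<peer-ip>] (port=<n> helo=<name>)"
# when the peer has no reverse DNS and "from <rdns> ([<peer-ip>]:<n> helo=<name>)"
# when it does. The bracketed address is the real TCP peer; helo= is the
# client's own claim and may be any string, including an unrelated IP literal.
_PEER_RE = re.compile(r"\bfrom\s+(?:(?P<rdns>[^\s\[(]+)\s+)?\(?\[(?P<peer>[0-9a-fA-F.:]+)\]", re.I)
_HELO_RE = re.compile(r"\bhelo=\[?(?P<helo>[^\s\])]+)", re.I)
_PORT_RE = re.compile(r"(?:\bport=|\]:)(?P<port>\d+)", re.I)
_BY_RE = re.compile(r"\bby\s+(?P<by>[^\s;(]+)", re.I)

def unfold(header: str) -> str:
    """Join folded continuation lines and squeeze runs of whitespace."""
    return " ".join(header.split())

def parse_received(header: str) -> Optional[dict]:
    """Extract rDNS name, peer IP, HELO claim, port and receiving host."""
    text = unfold(header)
    if not text.lower().startswith("received:"):
        return None
    peer, by = _PEER_RE.search(text), _BY_RE.search(text)
    if not peer or not by:
        return None
    helo, port = _HELO_RE.search(text), _PORT_RE.search(text)
    return {
        "rdns": peer.group("rdns"),
        "peer_ip": peer.group("peer"),
        "helo": helo.group("helo") if helo else None,
        "port": port.group("port") if port else None,
        "by": by.group("by"),
    }

def helo_matches_peer(rec: dict) -> Optional[bool]:
    """True/False when HELO is an IP literal comparable to the peer address;
    None when HELO is a hostname (would need a DNS lookup, not done offline)."""
    if not rec.get("helo"):
        return None
    try:
        return ip_address(rec["helo"]) == ip_address(rec["peer_ip"])
    except ValueError:
        return None
```

For the header in the question the parser reports peer 200.68.9.186 (the host server.curaduria2bogota.com.co accepted the connection from) and HELO claim 192.3.24.36, and `helo_matches_peer` returns False because the two differ; a HELO that is an unrelated IP literal is a common reason to score a message lower, but on its own it only shows what the client asserted, not where it really came from.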

David FavorFractional CTO
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Likely you can simply tighten your SPF rejection settings, so some From: address server.curaduria2bogota.com.co has no SPF authentication to send, can be bounced during the initial SMTP conversation, when message's first delivery is attempted.
Michael FultonMCITP: Enterprise/Virtual Administrator

Author

Commented:
I understand that. We have some odd things on this end that currently are preventing making it too tight.

But the question I have is about that address.  Could it be they are using a VPN tunnel and that is their original IP?  I don't know.  That is why I am asking this.