asked on
Help in identifying spam header line in email
A client received this email, its spam. I pulled the header from the email, and I was wondering if someone can assist in identifying which line shows a bogus inbound or outbound sending line? I went through it a couple times and this is my only source to identify where the sender came from.
Received: from BN6PR2201MB1137.namprd22.prod.outlook.com
(2603:10b6:404:8d::27) by BN6PR2201MB1746.namprd22.prod.outlook.com with
HTTPS via BN6PR04CA0077.NAMPRD04.PROD.OUTLOOK.COM; Tue, 25 Feb 2020 19:51:11
+0000
Received: from DM3PR14CA0133.namprd14.prod.outlook.com (2603:10b6:0:53::17) by
BN6PR2201MB1137.namprd22.prod.outlook.com (2603:10b6:405:36::29) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2750.21; Tue, 25 Feb
2020 19:51:09 +0000
Received: from DM3NAM05FT043.eop-nam05.prod.protection.outlook.com
(2603:10b6:0:53:cafe::96) by DM3PR14CA0133.outlook.office365.com
(2603:10b6:0:53::17) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2750.18 via Frontend
Transport; Tue, 25 Feb 2020 19:51:08 +0000
Authentication-Results: spf=fail (sender IP is 65.170.60.123)
smtp.mailfrom=birdair.com; superiorsiti.mail.onmicrosoft.com; dkim=pass
(signature was verified)
header.d=birdair.onmicrosoft.com;superiorsiti.mail.onmicrosoft.com;
dmarc=none action=none header.from=birdair.com;
Received-SPF: Fail (protection.outlook.com: domain of birdair.com does not
designate 65.170.60.123 as permitted sender) receiver=protection.outlook.com;
client-ip=65.170.60.123; helo=mail.superiorgroup.com;
Received: from mail.superiorgroup.com (65.170.60.123) by
DM3NAM05FT043.mail.protection.outlook.com (10.152.98.112) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id
15.20.2772.6 via Frontend Transport; Tue, 25 Feb 2020 19:51:08 +0000
Received: from Exchange.superiorgroup.superior-sdc.com (10.0.1.10) by
Exchange.superiorgroup.superior-sdc.com (10.0.1.10) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
15.1.1591.10; Tue, 25 Feb 2020 14:51:07 -0500
Received: from mx.superiorgroup.com (10.170.60.4) by
Exchange.superiorgroup.superior-sdc.com (10.0.1.10) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
15.1.1591.10 via Frontend Transport; Tue, 25 Feb 2020 14:51:07 -0500
X-ASG-Debug-ID: 1582660166-06bb3c15d040f600001-Uoe6FW
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10on2120.outbound.protection.outlook.com [40.107.92.120]) by mx.superiorgroup.com with ESMTP id 63ugeOzH11bFTZlj (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <kowtaloa@lumestrategies.com>; Tue, 25 Feb 2020 14:49:26 -0500 (EST)
X-Barracuda-Envelope-From: Mmcguire@birdair.com
X-ASG-Whitelist: Sender
X-Barracuda-Effective-Source-IP: mail-bn7nam10on2120.outbound.protection.outlook.com[40.107.92.120]
X-Barracuda-Apparent-Source-IP: 40.107.92.120
X-Barracuda-User-Whitelist: kowtaloa@lumestrategies.com
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=hI6DjNZxt+CswBVNGulaZIZhUmSj9v+4tR2ce/UeZYQu5cLEnXUCpbmrpsUgsFQYUtjABkjIoSxehAbsPfMpLF/zUnIB4EKxipaOcvpSg6178fPF7Ry1T/Sp0ROwU+Wf4vbsySR9ZRNr6dLPP0G0KigeCmbNQp1zmjfyVq4YAMJt2vNrrxvexJKm/ynJVAz/MRvQVidMkJR0jQGKElq+JxrFzGdeekzz8gxt1CB7UwQBZVYAuc/f8i3V8BkGOFrvj9hhUp8JxO7jg7qOJjAtjXqgDr4/I8+Ryn8AL9CeGTP85IP3m3OvuzXYGXR09tvmpVFnjX0rLi1jfJ1rog2i6g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=RQdoI7j69F4CRbuaJBrVyXpykl3Qb8dbM6oBLBk43SE=;
b=fJzlWNE+cbQjAWfBm4fguD1Fam2WTcNPDm/t20rWVjrYsCi5GA7AtCdvH17fTZshrh6oLE/mxthHdj3r94a7cBDEX28MPavWfFuOcpI4j2g/BYW8u1DQPSewbG8a8AHko+VUm1OMsZXBSL8yXJSrggVJnAqzROE60efyJEy9KZKYvue5koX8fsHbYcqmbyYpokl1nckYuVO10G4493l6rtgs+70qdB0plbjr5D7RguxgGku06T5Gu0bPngUvmEXlVUMJB741pglOvWA3QI4aWV/Qh2Bzb4aZIrgc7AHxAygmw5syJqwEKYT7h7RtOjmHmCTbvPfhQtv9xlhjXGEjYg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
smtp.mailfrom=birdair.com; dmarc=pass action=none header.from=birdair.com;
dkim=pass header.d=birdair.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=birdair.onmicrosoft.com; s=selector1-birdair-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=RQdoI7j69F4CRbuaJBrVyXpykl3Qb8dbM6oBLBk43SE=;
b=s+GgvBW4DQh9XoMNEBuhhbf1Thtcghlnkcw9FfFYvDpEqNP0GEasCTXd+dsUaZY03rs23bsKpoI0pBUwGzKT8yxCRbF+IyCg5yC/j+K0H/L654ZJjsl9yD5xE6bR71HUpCZCU9Kns3qzojVfdXxLiQSNvA7dRu04AjRq9gjgu+Y=
Received: from DM5PR1801MB1819.namprd18.prod.outlook.com (2603:10b6:4:6b::25)
by DM5PR1801MB2073.namprd18.prod.outlook.com (2603:10b6:4:6c::22) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2750.22; Tue, 25 Feb
2020 19:51:06 +0000
Received: from DM5PR1801MB1819.namprd18.prod.outlook.com
([fe80::c85c:d0d1:45cb:34dc]) by DM5PR1801MB1819.namprd18.prod.outlook.com
([fe80::c85c:d0d1:45cb:34dc%3]) with mapi id 15.20.2750.021; Tue, 25 Feb 2020
19:51:06 +0000
From: Megan Mcguire <Mmcguire@birdair.com>
To: Andrew Kowtalo <kowtaloa@lumestrategies.com>
X-Barracuda-User-Whitelist: kowtaloa@lumestrategies.com
Subject: FW: Payment Status for Sawgrass Mills Mall Invoice#3
Thread-Topic: Payment Status for Sawgrass Mills Mall Invoice#3
X-ASG-Orig-Subj: FW: Payment Status for Sawgrass Mills Mall Invoice#3
Thread-Index: AQHV6zNReDiwxkvSnUCCyFHQjkAU+agsU2FA
Date: Tue, 25 Feb 2020 19:51:06 +0000
Message-ID: <DM5PR1801MB1819F0A6569960C34A284D29DDED0@DM5PR1801MB1819.namprd18.prod.outlook.com>
References: <17078208e46.f4f3f5db51398.4056900749452283588@bigspams.com>
In-Reply-To: <17078208e46.f4f3f5db51398.4056900749452283588@bigspams.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Authentication-Results-Original: spf=none (sender IP is )
smtp.mailfrom=Mmcguire@birdair.com;
x-originating-ip: [71.186.228.11]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-Correlation-Id: 40e87e18-e9b4-4fd5-e88b-08d7ba2c0edc
X-MS-TrafficTypeDiagnostic: DM5PR1801MB2073:|BN6PR2201MB1137:
x-microsoft-antispam-prvs: <DM5PR1801MB2073B89B144DA90715DD5637DDED0@DM5PR1801MB2073.namprd18.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:6108;OLM:6108;
x-forefront-prvs: 0324C2C0E2
X-Forefront-Antispam-Report-Untrusted:
SFV:NSPM;SFS:(10019020)(376002)(346002)(396003)(136003)(366004)(39830400003)(189003)(199004)(81166006)(8676002)(71200400001)(81156014)(8936002)(5660300002)(7696005)(55016002)(6916009)(15650500001)(86362001)(66616009)(76116006)(66446008)(64756008)(66556008)(66476007)(4744005)(33656002)(26005)(316002)(186003)(66946007)(53546011)(2906002)(52536014)(6506007)(9686003)(508600001);DIR:OUT;SFP:1102;SCL:1;SRVR:DM5PR1801MB2073;H:DM5PR1801MB1819.namprd18.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1;
received-spf: None (protection.outlook.com: birdair.com does not designate
permitted sender hosts)
x-ms-exchange-senderadcheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original:
HjiFJ6Zmu6Aq8pauY+rT2Und0Wx4jtFCbDqCwDs/BgbaToC7DEJNzfhzBlHsAclNM9FuoclbGGZA4TkK8sLAqZo1eCHEqqQI2uKMpIu8sdONMqMSNz9RqVkbnbI9sKFHB4/ppWMf9QCFg35BcIaiWB2hsO7N70GfzODL4P3gFi4riZu98rDg8q2GYX0xOwzcSf2+9oaeOZGY4Wf5svX3BqoSMFXYFwJ75jNJt5PuQqRu0+nw2olBo8dDXzKh0HzTMFjqqUWZ+lrTcfo+qiI5uzU6kuMJWnytpVWnrQD0eO+EDW150fzwL2a7iVAyIdPlZzuv+1L8Wz1/lHcaLMVtpul9+u9W1cGyEKrXezsmJVmS3XC0bO9qQwrQq1niID7I2H6VOGBT3bR67qgInk/nELFlaxr7TNhruq3diQq/cZozGRhcm1HsjRql7wgiYpdG
x-ms-exchange-antispam-messagedata: VvpMIviZL42e/o3nN22Y0NgQAXGh2vNc2c/mMAgrzshCzyGPU66d8YGJwi7CQKEbQSV9zuZm0sYdQVW441oge1jyi+3pqrAN8A78OMIRrPuVkQ+4A8/U6PGX71nIQxEdybISFO08jmMQCwBZEWXQKw==
x-ms-exchange-transport-forked: True
Content-Type: multipart/related;
boundary="_004_DM5PR1801MB1819F0A6569960C34A284D29DDED0DM5PR1801MB1819_";
type="multipart/alternative"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR1801MB2073
X-Barracuda-Connect: mail-bn7nam10on2120.outbound.protection.outlook.com[40.107.92.120]
X-Barracuda-Start-Time: 1582660166
X-Barracuda-Encrypted: ECDHE-RSA-AES256-GCM-SHA384
X-Barracuda-URL: https://spam.superiorgroup.com:443/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at superiorgroup.com
X-Barracuda-Scan-Msg-Size: 9334
X-Barracuda-BRTS-Status: 1
Return-Path: Mmcguire@birdair.com
X-EXCLAIMER-MD-CONFIG: 528f7f53-ad0a-4a52-b8e6-038dcd5bbf54
X-OrganizationHeadersPreserved: Exchange.superiorgroup.superior-sdc.com
X-MS-Exchange-Organization-ExpirationStartTime: 25 Feb 2020 19:51:08.6900
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
40e87e18-e9b4-4fd5-e88b-08d7ba2c0edc
X-EOPAttributedMessage: 0
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-CrossPremisesHeadersPromoted:
DM3NAM05FT043.eop-nam05.prod.protection.outlook.com
X-CrossPremisesHeadersFiltered:
DM3NAM05FT043.eop-nam05.prod.protection.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersStripped:
DM3NAM05FT043.eop-nam05.prod.protection.outlook.com
X-Forefront-Antispam-Report:
CIP:65.170.60.123;IPV:;CTRY:US;EFV:NLI;SFV:NSPM;SFS:(1110001)(339900001)(489007)(189003)(199004)(15650500001)(6506007)(156005)(86362001)(52536014)(33964004)(5660300002)(55016002)(7696005)(66574012)(9686003)(53546011)(6916009)(8676002)(36005)(36906005)(8936002)(8636004)(7636002)(336012)(246002)(33656002)(356004)(1096003)(5001870100001);DIR:INB;SFP:;SCL:1;SRVR:BN6PR2201MB1137;H:mail.superiorgroup.com;FPR:;SPF:Fail;LANG:en;PTR:autodiscover.superiorgroup.com,webmail.superiorgroup.com,webmail.superior-sdc.com;MX:1;A:1;
X-MS-Exchange-Organization-AuthSource: Exchange.superiorgroup.superior-sdc.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-OriginatorOrg: superiorgroup.com
X-MS-Office365-Filtering-Correlation-Id-Prvs:
84d377c4-e7c2-4b5b-7625-08d7ba2c0d8f
X-MS-Exchange-Organization-SCL: 1
X-Microsoft-Antispam: BCL:0;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 Feb 2020 19:51:08.5950
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 40e87e18-e9b4-4fd5-e88b-08d7ba2c0edc
X-MS-Exchange-CrossTenant-Id: 5bd05357-5c48-461b-8f4a-38b232adb5bb
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=5bd05357-5c48-461b-8f4a-38b232adb5bb;Ip=[65.170.60.123];Helo=[mail.superiorgroup.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR2201MB1137
X-MS-Exchange-Transport-EndToEndLatency: 00:00:04.8127098
X-MS-Exchange-Processed-By-BccFoldering: 15.20.2750.019
X-Microsoft-Antispam-Mailbox-Delivery:
ucf:0;jmr:0;ex:0;auth:0;dest:I;ENG:(20160514016)(750127)(520011016)(944506383)(944626516);
X-Microsoft-Antispam-Message-Info:
=?us-ascii?Q?WCwmEb1oYrhbTWVSZILuCofqtTLmAU7809cT8HXIohZaPsSAYTVd+H+gNd8G?=
=?us-ascii?Q?vRN57Mwl9Y2eNj41cy9lP8C1L8cnUCdppiuqBYTE8ajoWcvP09uaeTrlpzo/?=
=?us-ascii?Q?56aCLS6sFgO7GrcFJBjpAZ1Rptl8MH35HEkH2P/ia8RCflqjeagNeWOk0yLh?=
=?us-ascii?Q?PfPhsuY2tU61GHQJGEUD0RO6SmqzaOI43/zRGC0idv0MNgBcWnm1fc6sNKn9?=
=?us-ascii?Q?ss4LDpVRQp9JgfVJjIGCZ3DZ/RWVyYYZ3NRNiQJOkXOLOod5g4sxCE8M1tZG?=
=?us-ascii?Q?d3KVRlZKphk3f8lk32mBYMXG0iBEM2KALiS3A9r3x+QZovE+p5sM1SwQn5m9?=
=?us-ascii?Q?GYwDNmyR5K3r5odr7IujvL3FPU8C7SH7GEXzDNJbMk0thPwk9ZIUE3nKYd6K?=
=?us-ascii?Q?8otW1x23kym9CN0xTgFopt8FBqXeT2/65dbiIdkarFBtaWrWd832cEsh+K+k?=
=?us-ascii?Q?KKgiOKwGlQ6daA1svXmsHEcWkwWqOWoTVgJ8e1zGM5z9xrHvSjnKQANEqy3w?=
=?us-ascii?Q?C2GZj1hluwlkLRSKNgj6gr2Pq0Dj45WLe3rkTHBvrnYPbTFjRTx/fkBMdBi5?=
=?us-ascii?Q?MGHLGGG1rwmJ5Y/nVBinYz8WoFnB4B2AYnmECUbK8eWETqXvYu3t8JSoavym?=
=?us-ascii?Q?bMS1qsLpkh/QJBtyuiGs/moVlGiLWVN0QW3y3jjVQ1Tl4NLN6m3Zu8AFjpd/?=
=?us-ascii?Q?kh3MSHqcdjxZ/TphWtYYfH2IVndNZBHzTmRXS36uVfWZOPl1rpkpL8I3KMvj?=
=?us-ascii?Q?FEXJT6AiE2FaTGhJcHfl0YOSM/sGm7VAWkpJQ42AaxOU0Yh7pnYL/92wOfyC?=
=?us-ascii?Q?glZ6EvUHz9+MPXHodM7BnJ3Mfrdl2qMCPD0iZ8XnU7IJD/pRPaqc7XkOwAaq?=
=?us-ascii?Q?m/6AnLdK+PbHTAZp4xp1hbXl2XLXDkqgGplckmLPWY0gi/F+p/dQXsPUTRLA?=
=?us-ascii?Q?U0KDRf7Zb8QGoJ5O+9D97+MSj8yvhvwl1Txq0F0HkI71faHp1YzhDJvbZIRa?=
=?us-ascii?Q?JlvatxJpqL0oc+GwAYTRUNM7+XuIrhGiCKUzpTC+2h0TEZ3+aSH4glYlqQq5?=
=?us-ascii?Q?iVw+tcLoldVVoTyiCK4GtLnRIx9+7EJS7Don8pORAIRLjpRh/EFvvsiQWCO5?=
=?us-ascii?Q?eP6YOIa5y++2Co4imiMNV3MlB3jHFD0kRHX0ebXYe+yGk6NMvOUP2TrrKDjB?=
=?us-ascii?Q?oSir8Q9zp9FHND4Wpap+/JUIqph31aVFYtkUjA=3D=3D?=
AntiSpamOutlook* Outlook 2019* Email Header
Last Comment
Hypercat (Deb)
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Deb that second domain mail.superiorgroup.com was because she forwarded the spam email to me.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Also, just below that, this section indicates the domain that actually owns that IP address:
helo=mail.superiorgroup.com; Received: from mail.superiorgroup.com (65.170.60.123) by DM3NAM05FT043.mail.protection.outlook.com (10.152.98.112)