Andrew N. Kowtalo

asked on

Help in identifying spam header line in email

A client received this email; it's spam. I pulled the header from the email, and I was wondering if someone can assist in identifying which line shows a bogus inbound or outbound sending line? I went through it a couple of times and this is my only source to identify where the sender came from.

Received: from BN6PR2201MB1137.namprd22.prod.outlook.com
 (2603:10b6:404:8d::27) by BN6PR2201MB1746.namprd22.prod.outlook.com with
 HTTPS via BN6PR04CA0077.NAMPRD04.PROD.OUTLOOK.COM; Tue, 25 Feb 2020 19:51:11
 +0000
Received: from DM3PR14CA0133.namprd14.prod.outlook.com (2603:10b6:0:53::17) by
 BN6PR2201MB1137.namprd22.prod.outlook.com (2603:10b6:405:36::29) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2750.21; Tue, 25 Feb
 2020 19:51:09 +0000
Received: from DM3NAM05FT043.eop-nam05.prod.protection.outlook.com
 (2603:10b6:0:53:cafe::96) by DM3PR14CA0133.outlook.office365.com
 (2603:10b6:0:53::17) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2750.18 via Frontend
 Transport; Tue, 25 Feb 2020 19:51:08 +0000
Authentication-Results: spf=fail (sender IP is 65.170.60.123)
 smtp.mailfrom=birdair.com; superiorsiti.mail.onmicrosoft.com; dkim=pass
 (signature was verified)
 header.d=birdair.onmicrosoft.com;superiorsiti.mail.onmicrosoft.com;
 dmarc=none action=none header.from=birdair.com;
Received-SPF: Fail (protection.outlook.com: domain of birdair.com does not
 designate 65.170.60.123 as permitted sender) receiver=protection.outlook.com;
 client-ip=65.170.60.123; helo=mail.superiorgroup.com;
Received: from mail.superiorgroup.com (65.170.60.123) by
 DM3NAM05FT043.mail.protection.outlook.com (10.152.98.112) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id
 15.20.2772.6 via Frontend Transport; Tue, 25 Feb 2020 19:51:08 +0000
Received: from Exchange.superiorgroup.superior-sdc.com (10.0.1.10) by
 Exchange.superiorgroup.superior-sdc.com (10.0.1.10) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.1591.10; Tue, 25 Feb 2020 14:51:07 -0500
Received: from mx.superiorgroup.com (10.170.60.4) by
 Exchange.superiorgroup.superior-sdc.com (10.0.1.10) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.1591.10 via Frontend Transport; Tue, 25 Feb 2020 14:51:07 -0500
X-ASG-Debug-ID: 1582660166-06bb3c15d040f600001-Uoe6FW
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10on2120.outbound.protection.outlook.com [40.107.92.120]) by mx.superiorgroup.com with ESMTP id 63ugeOzH11bFTZlj (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <kowtaloa@lumestrategies.com>; Tue, 25 Feb 2020 14:49:26 -0500 (EST)
X-Barracuda-Envelope-From: Mmcguire@birdair.com
X-ASG-Whitelist: Sender
X-Barracuda-Effective-Source-IP: mail-bn7nam10on2120.outbound.protection.outlook.com[40.107.92.120]
X-Barracuda-Apparent-Source-IP: 40.107.92.120
X-Barracuda-User-Whitelist: kowtaloa@lumestrategies.com
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=hI6DjNZxt+CswBVNGulaZIZhUmSj9v+4tR2ce/UeZYQu5cLEnXUCpbmrpsUgsFQYUtjABkjIoSxehAbsPfMpLF/zUnIB4EKxipaOcvpSg6178fPF7Ry1T/Sp0ROwU+Wf4vbsySR9ZRNr6dLPP0G0KigeCmbNQp1zmjfyVq4YAMJt2vNrrxvexJKm/ynJVAz/MRvQVidMkJR0jQGKElq+JxrFzGdeekzz8gxt1CB7UwQBZVYAuc/f8i3V8BkGOFrvj9hhUp8JxO7jg7qOJjAtjXqgDr4/I8+Ryn8AL9CeGTP85IP3m3OvuzXYGXR09tvmpVFnjX0rLi1jfJ1rog2i6g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=RQdoI7j69F4CRbuaJBrVyXpykl3Qb8dbM6oBLBk43SE=;
 b=fJzlWNE+cbQjAWfBm4fguD1Fam2WTcNPDm/t20rWVjrYsCi5GA7AtCdvH17fTZshrh6oLE/mxthHdj3r94a7cBDEX28MPavWfFuOcpI4j2g/BYW8u1DQPSewbG8a8AHko+VUm1OMsZXBSL8yXJSrggVJnAqzROE60efyJEy9KZKYvue5koX8fsHbYcqmbyYpokl1nckYuVO10G4493l6rtgs+70qdB0plbjr5D7RguxgGku06T5Gu0bPngUvmEXlVUMJB741pglOvWA3QI4aWV/Qh2Bzb4aZIrgc7AHxAygmw5syJqwEKYT7h7RtOjmHmCTbvPfhQtv9xlhjXGEjYg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=birdair.com; dmarc=pass action=none header.from=birdair.com;
 dkim=pass header.d=birdair.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=birdair.onmicrosoft.com; s=selector1-birdair-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=RQdoI7j69F4CRbuaJBrVyXpykl3Qb8dbM6oBLBk43SE=;
 b=s+GgvBW4DQh9XoMNEBuhhbf1Thtcghlnkcw9FfFYvDpEqNP0GEasCTXd+dsUaZY03rs23bsKpoI0pBUwGzKT8yxCRbF+IyCg5yC/j+K0H/L654ZJjsl9yD5xE6bR71HUpCZCU9Kns3qzojVfdXxLiQSNvA7dRu04AjRq9gjgu+Y=
Received: from DM5PR1801MB1819.namprd18.prod.outlook.com (2603:10b6:4:6b::25)
 by DM5PR1801MB2073.namprd18.prod.outlook.com (2603:10b6:4:6c::22) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2750.22; Tue, 25 Feb
 2020 19:51:06 +0000
Received: from DM5PR1801MB1819.namprd18.prod.outlook.com
 ([fe80::c85c:d0d1:45cb:34dc]) by DM5PR1801MB1819.namprd18.prod.outlook.com
 ([fe80::c85c:d0d1:45cb:34dc%3]) with mapi id 15.20.2750.021; Tue, 25 Feb 2020
 19:51:06 +0000
From: Megan Mcguire <Mmcguire@birdair.com>
To: Andrew Kowtalo <kowtaloa@lumestrategies.com>
X-Barracuda-User-Whitelist: kowtaloa@lumestrategies.com
Subject: FW: Payment Status for Sawgrass Mills Mall Invoice#3
Thread-Topic: Payment Status for Sawgrass Mills Mall Invoice#3
X-ASG-Orig-Subj: FW: Payment Status for Sawgrass Mills Mall Invoice#3
Thread-Index: AQHV6zNReDiwxkvSnUCCyFHQjkAU+agsU2FA
Date: Tue, 25 Feb 2020 19:51:06 +0000
Message-ID: <DM5PR1801MB1819F0A6569960C34A284D29DDED0@DM5PR1801MB1819.namprd18.prod.outlook.com>
References: <17078208e46.f4f3f5db51398.4056900749452283588@bigspams.com>
In-Reply-To: <17078208e46.f4f3f5db51398.4056900749452283588@bigspams.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Authentication-Results-Original: spf=none (sender IP is )
 smtp.mailfrom=Mmcguire@birdair.com; 
x-originating-ip: [71.186.228.11]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-Correlation-Id: 40e87e18-e9b4-4fd5-e88b-08d7ba2c0edc
X-MS-TrafficTypeDiagnostic: DM5PR1801MB2073:|BN6PR2201MB1137:
x-microsoft-antispam-prvs: <DM5PR1801MB2073B89B144DA90715DD5637DDED0@DM5PR1801MB2073.namprd18.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:6108;OLM:6108;
x-forefront-prvs: 0324C2C0E2
X-Forefront-Antispam-Report-Untrusted:
 SFV:NSPM;SFS:(10019020)(376002)(346002)(396003)(136003)(366004)(39830400003)(189003)(199004)(81166006)(8676002)(71200400001)(81156014)(8936002)(5660300002)(7696005)(55016002)(6916009)(15650500001)(86362001)(66616009)(76116006)(66446008)(64756008)(66556008)(66476007)(4744005)(33656002)(26005)(316002)(186003)(66946007)(53546011)(2906002)(52536014)(6506007)(9686003)(508600001);DIR:OUT;SFP:1102;SCL:1;SRVR:DM5PR1801MB2073;H:DM5PR1801MB1819.namprd18.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1;
received-spf: None (protection.outlook.com: birdair.com does not designate
 permitted sender hosts)
x-ms-exchange-senderadcheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original:
 HjiFJ6Zmu6Aq8pauY+rT2Und0Wx4jtFCbDqCwDs/BgbaToC7DEJNzfhzBlHsAclNM9FuoclbGGZA4TkK8sLAqZo1eCHEqqQI2uKMpIu8sdONMqMSNz9RqVkbnbI9sKFHB4/ppWMf9QCFg35BcIaiWB2hsO7N70GfzODL4P3gFi4riZu98rDg8q2GYX0xOwzcSf2+9oaeOZGY4Wf5svX3BqoSMFXYFwJ75jNJt5PuQqRu0+nw2olBo8dDXzKh0HzTMFjqqUWZ+lrTcfo+qiI5uzU6kuMJWnytpVWnrQD0eO+EDW150fzwL2a7iVAyIdPlZzuv+1L8Wz1/lHcaLMVtpul9+u9W1cGyEKrXezsmJVmS3XC0bO9qQwrQq1niID7I2H6VOGBT3bR67qgInk/nELFlaxr7TNhruq3diQq/cZozGRhcm1HsjRql7wgiYpdG
x-ms-exchange-antispam-messagedata: VvpMIviZL42e/o3nN22Y0NgQAXGh2vNc2c/mMAgrzshCzyGPU66d8YGJwi7CQKEbQSV9zuZm0sYdQVW441oge1jyi+3pqrAN8A78OMIRrPuVkQ+4A8/U6PGX71nIQxEdybISFO08jmMQCwBZEWXQKw==
x-ms-exchange-transport-forked: True
Content-Type: multipart/related;
	boundary="_004_DM5PR1801MB1819F0A6569960C34A284D29DDED0DM5PR1801MB1819_";
	type="multipart/alternative"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR1801MB2073
X-Barracuda-Connect: mail-bn7nam10on2120.outbound.protection.outlook.com[40.107.92.120]
X-Barracuda-Start-Time: 1582660166
X-Barracuda-Encrypted: ECDHE-RSA-AES256-GCM-SHA384
X-Barracuda-URL: https://spam.superiorgroup.com:443/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at superiorgroup.com
X-Barracuda-Scan-Msg-Size: 9334
X-Barracuda-BRTS-Status: 1
Return-Path: Mmcguire@birdair.com
X-EXCLAIMER-MD-CONFIG: 528f7f53-ad0a-4a52-b8e6-038dcd5bbf54
X-OrganizationHeadersPreserved: Exchange.superiorgroup.superior-sdc.com
X-MS-Exchange-Organization-ExpirationStartTime: 25 Feb 2020 19:51:08.6900
 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
 40e87e18-e9b4-4fd5-e88b-08d7ba2c0edc
X-EOPAttributedMessage: 0
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-CrossPremisesHeadersPromoted:
 DM3NAM05FT043.eop-nam05.prod.protection.outlook.com
X-CrossPremisesHeadersFiltered:
 DM3NAM05FT043.eop-nam05.prod.protection.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersStripped:
 DM3NAM05FT043.eop-nam05.prod.protection.outlook.com
X-Forefront-Antispam-Report:
 CIP:65.170.60.123;IPV:;CTRY:US;EFV:NLI;SFV:NSPM;SFS:(1110001)(339900001)(489007)(189003)(199004)(15650500001)(6506007)(156005)(86362001)(52536014)(33964004)(5660300002)(55016002)(7696005)(66574012)(9686003)(53546011)(6916009)(8676002)(36005)(36906005)(8936002)(8636004)(7636002)(336012)(246002)(33656002)(356004)(1096003)(5001870100001);DIR:INB;SFP:;SCL:1;SRVR:BN6PR2201MB1137;H:mail.superiorgroup.com;FPR:;SPF:Fail;LANG:en;PTR:autodiscover.superiorgroup.com,webmail.superiorgroup.com,webmail.superior-sdc.com;MX:1;A:1;
X-MS-Exchange-Organization-AuthSource: Exchange.superiorgroup.superior-sdc.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-OriginatorOrg: superiorgroup.com
X-MS-Office365-Filtering-Correlation-Id-Prvs:
 84d377c4-e7c2-4b5b-7625-08d7ba2c0d8f
X-MS-Exchange-Organization-SCL: 1
X-Microsoft-Antispam: BCL:0;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 Feb 2020 19:51:08.5950
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 40e87e18-e9b4-4fd5-e88b-08d7ba2c0edc
X-MS-Exchange-CrossTenant-Id: 5bd05357-5c48-461b-8f4a-38b232adb5bb
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=5bd05357-5c48-461b-8f4a-38b232adb5bb;Ip=[65.170.60.123];Helo=[mail.superiorgroup.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR2201MB1137
X-MS-Exchange-Transport-EndToEndLatency: 00:00:04.8127098
X-MS-Exchange-Processed-By-BccFoldering: 15.20.2750.019
X-Microsoft-Antispam-Mailbox-Delivery:
	ucf:0;jmr:0;ex:0;auth:0;dest:I;ENG:(20160514016)(750127)(520011016)(944506383)(944626516);
X-Microsoft-Antispam-Message-Info:
	=?us-ascii?Q?WCwmEb1oYrhbTWVSZILuCofqtTLmAU7809cT8HXIohZaPsSAYTVd+H+gNd8G?=
 =?us-ascii?Q?vRN57Mwl9Y2eNj41cy9lP8C1L8cnUCdppiuqBYTE8ajoWcvP09uaeTrlpzo/?=
 =?us-ascii?Q?56aCLS6sFgO7GrcFJBjpAZ1Rptl8MH35HEkH2P/ia8RCflqjeagNeWOk0yLh?=
 =?us-ascii?Q?PfPhsuY2tU61GHQJGEUD0RO6SmqzaOI43/zRGC0idv0MNgBcWnm1fc6sNKn9?=
 =?us-ascii?Q?ss4LDpVRQp9JgfVJjIGCZ3DZ/RWVyYYZ3NRNiQJOkXOLOod5g4sxCE8M1tZG?=
 =?us-ascii?Q?d3KVRlZKphk3f8lk32mBYMXG0iBEM2KALiS3A9r3x+QZovE+p5sM1SwQn5m9?=
 =?us-ascii?Q?GYwDNmyR5K3r5odr7IujvL3FPU8C7SH7GEXzDNJbMk0thPwk9ZIUE3nKYd6K?=
 =?us-ascii?Q?8otW1x23kym9CN0xTgFopt8FBqXeT2/65dbiIdkarFBtaWrWd832cEsh+K+k?=
 =?us-ascii?Q?KKgiOKwGlQ6daA1svXmsHEcWkwWqOWoTVgJ8e1zGM5z9xrHvSjnKQANEqy3w?=
 =?us-ascii?Q?C2GZj1hluwlkLRSKNgj6gr2Pq0Dj45WLe3rkTHBvrnYPbTFjRTx/fkBMdBi5?=
 =?us-ascii?Q?MGHLGGG1rwmJ5Y/nVBinYz8WoFnB4B2AYnmECUbK8eWETqXvYu3t8JSoavym?=
 =?us-ascii?Q?bMS1qsLpkh/QJBtyuiGs/moVlGiLWVN0QW3y3jjVQ1Tl4NLN6m3Zu8AFjpd/?=
 =?us-ascii?Q?kh3MSHqcdjxZ/TphWtYYfH2IVndNZBHzTmRXS36uVfWZOPl1rpkpL8I3KMvj?=
 =?us-ascii?Q?FEXJT6AiE2FaTGhJcHfl0YOSM/sGm7VAWkpJQ42AaxOU0Yh7pnYL/92wOfyC?=
 =?us-ascii?Q?glZ6EvUHz9+MPXHodM7BnJ3Mfrdl2qMCPD0iZ8XnU7IJD/pRPaqc7XkOwAaq?=
 =?us-ascii?Q?m/6AnLdK+PbHTAZp4xp1hbXl2XLXDkqgGplckmLPWY0gi/F+p/dQXsPUTRLA?=
 =?us-ascii?Q?U0KDRf7Zb8QGoJ5O+9D97+MSj8yvhvwl1Txq0F0HkI71faHp1YzhDJvbZIRa?=
 =?us-ascii?Q?JlvatxJpqL0oc+GwAYTRUNM7+XuIrhGiCKUzpTC+2h0TEZ3+aSH4glYlqQq5?=
 =?us-ascii?Q?iVw+tcLoldVVoTyiCK4GtLnRIx9+7EJS7Don8pORAIRLjpRh/EFvvsiQWCO5?=
 =?us-ascii?Q?eP6YOIa5y++2Co4imiMNV3MlB3jHFD0kRHX0ebXYe+yGk6NMvOUP2TrrKDjB?=
 =?us-ascii?Q?oSir8Q9zp9FHND4Wpap+/JUIqph31aVFYtkUjA=3D=3D?=


ASKER CERTIFIED SOLUTION
Hypercat (Deb)


Also, just below that, this section indicates the domain that actually owns that IP address:


helo=mail.superiorgroup.com; Received: from mail.superiorgroup.com (65.170.60.123) by DM3NAM05FT043.mail.protection.outlook.com (10.152.98.112)

Andrew N. Kowtalo

ASKER

Deb, that second domain, mail.superiorgroup.com, was because she forwarded the spam email to me.
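Deb's answer points at the Received-SPF line (client-ip and helo are the host that actually connected to the recipient's Office 365 tenant), and Andrew's reply explains why that host is mail.superiorgroup.com rather than the original sender: the message was forwarded. The script below is an added example, not code from this thread or from any of the products named in the header. It walks the Received chain bottom-up (oldest hop first), finds the hop the receiver ran SPF against, and flags every hop where the message crossed from one organization's servers to another's over a public address. Two such crossings below the receiver's own perimeter are the fingerprint of a forward. The embedded header is a copy of the one in the question, unfolded onto single lines with the TLS cipher parentheticals dropped; the grouping of outlook.com and office365.com hostnames into one "microsoft" organization, and the naive last-two-labels notion of a registrable domain, are assumptions made for this example.

```python
"""Walk a message's Received chain: locate the hop the receiver evaluated for
SPF, the organization handoffs along the path, and the authentication verdicts
recorded at each stage."""
import ipaddress
import re
from email import message_from_string

# Copy of the header from the question, unfolded onto single lines with the
# TLS version/cipher parentheticals dropped; hosts, IPs, times, verdicts kept.
HEADERS = """\
Received: from BN6PR2201MB1137.namprd22.prod.outlook.com (2603:10b6:404:8d::27) by BN6PR2201MB1746.namprd22.prod.outlook.com with HTTPS via BN6PR04CA0077.NAMPRD04.PROD.OUTLOOK.COM; Tue, 25 Feb 2020 19:51:11 +0000
Received: from DM3PR14CA0133.namprd14.prod.outlook.com (2603:10b6:0:53::17) by BN6PR2201MB1137.namprd22.prod.outlook.com (2603:10b6:405:36::29) with Microsoft SMTP Server id 15.20.2750.21; Tue, 25 Feb 2020 19:51:09 +0000
Received: from DM3NAM05FT043.eop-nam05.prod.protection.outlook.com (2603:10b6:0:53:cafe::96) by DM3PR14CA0133.outlook.office365.com (2603:10b6:0:53::17) with Microsoft SMTP Server id 15.20.2750.18 via Frontend Transport; Tue, 25 Feb 2020 19:51:08 +0000
Authentication-Results: spf=fail (sender IP is 65.170.60.123) smtp.mailfrom=birdair.com; superiorsiti.mail.onmicrosoft.com; dkim=pass (signature was verified) header.d=birdair.onmicrosoft.com;superiorsiti.mail.onmicrosoft.com; dmarc=none action=none header.from=birdair.com;
Received-SPF: Fail (protection.outlook.com: domain of birdair.com does not designate 65.170.60.123 as permitted sender) receiver=protection.outlook.com; client-ip=65.170.60.123; helo=mail.superiorgroup.com;
Received: from mail.superiorgroup.com (65.170.60.123) by DM3NAM05FT043.mail.protection.outlook.com (10.152.98.112) with Microsoft SMTP Server id 15.20.2772.6 via Frontend Transport; Tue, 25 Feb 2020 19:51:08 +0000
Received: from Exchange.superiorgroup.superior-sdc.com (10.0.1.10) by Exchange.superiorgroup.superior-sdc.com (10.0.1.10) with Microsoft SMTP Server id 15.1.1591.10; Tue, 25 Feb 2020 14:51:07 -0500
Received: from mx.superiorgroup.com (10.170.60.4) by Exchange.superiorgroup.superior-sdc.com (10.0.1.10) with Microsoft SMTP Server id 15.1.1591.10 via Frontend Transport; Tue, 25 Feb 2020 14:51:07 -0500
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10on2120.outbound.protection.outlook.com [40.107.92.120]) by mx.superiorgroup.com with ESMTP id 63ugeOzH11bFTZlj for <kowtaloa@lumestrategies.com>; Tue, 25 Feb 2020 14:49:26 -0500 (EST)
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=birdair.com; dmarc=pass action=none header.from=birdair.com; dkim=pass header.d=birdair.com; arc=none
Received: from DM5PR1801MB1819.namprd18.prod.outlook.com (2603:10b6:4:6b::25) by DM5PR1801MB2073.namprd18.prod.outlook.com (2603:10b6:4:6c::22) with Microsoft SMTP Server id 15.20.2750.22; Tue, 25 Feb 2020 19:51:06 +0000
Received: from DM5PR1801MB1819.namprd18.prod.outlook.com ([fe80::c85c:d0d1:45cb:34dc]) by DM5PR1801MB1819.namprd18.prod.outlook.com ([fe80::c85c:d0d1:45cb:34dc%3]) with mapi id 15.20.2750.021; Tue, 25 Feb 2020 19:51:06 +0000
From: Megan Mcguire <Mmcguire@birdair.com>
x-originating-ip: [71.186.228.11]
received-spf: None (protection.outlook.com: birdair.com does not designate permitted sender hosts)
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s*by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}|[0-9a-f:]+:[0-9a-f:]+", re.I)

# Assumption for this example: Microsoft's hosted mail appears under several
# suffixes; treat them as one organization so intra-cloud relays are not
# counted as handoffs.
MS_SUFFIXES = ("outlook.com", "office365.com")


def first_ip(text):
    """First parseable IPv4/IPv6 literal in text, or None."""
    for cand in IP_RE.findall(text or ""):
        try:
            return ipaddress.ip_address(cand)
        except ValueError:
            continue
    return None


def org_of(host):
    host = host.lower().strip("[]")
    if any(host.endswith(s) for s in MS_SUFFIXES):
        return "microsoft"
    return ".".join(host.split(".")[-2:])  # naive registrable domain (assumption)


def parse_received(raw):
    """Received hops in transit order (oldest first): the header is prepended
    by each relay, so the bottom line is where the message started."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(value.split()))
        if m:
            hops.append({"from": m["helo"], "ip": first_ip(m["paren"] or m["helo"]), "by": m["by"]})
    return hops


def spf_verdict(raw):
    """The topmost Received-SPF is the receiving system's own check; client-ip
    and helo there are the host that actually connected to it."""
    top = " ".join(message_from_string(raw).get_all("Received-SPF", [""])[0].split())
    ip = re.search(r"client-ip=([^;\s]+)", top)
    helo = re.search(r"helo=([^;\s]+)", top)
    return {"result": top.split(" ", 1)[0], "client_ip": first_ip(ip[1]) if ip else None,
            "helo": helo[1] if helo else None}


def auth_results(raw, header="Authentication-Results"):
    """Verdicts from the topmost instance of an Authentication-Results-style header."""
    top = message_from_string(raw).get_all(header, [""])[0]
    return dict(re.findall(r"\b(spf|dkim|dmarc|arc)=(\w+)", top))


def perimeter_hop(hops, spf):
    """The hop whose connecting IP is the one the receiver ran SPF against."""
    return next((h for h in hops if h["ip"] == spf["client_ip"]), None)


def handoffs(hops):
    """Hops where the message crossed between organizations over a public
    address. More than one below the receiver's perimeter means it was relayed
    or forwarded rather than delivered directly by the sender's servers."""
    return [h for h in hops if h["ip"] and h["ip"].is_global and org_of(h["from"]) != org_of(h["by"])]


def originating_ip(raw):
    """Client address the submitting tenant stamped (x-originating-ip), if any."""
    return first_ip(message_from_string(raw).get("x-originating-ip", ""))


if __name__ == "__main__":
    hops = parse_received(HEADERS)
    spf = spf_verdict(HEADERS)
    for i, h in enumerate(hops):
        print(f"{i}: {h['from']} [{h['ip']}] -> {h['by']}")
    print("receiver SPF:", spf)
    print("receiver auth:", auth_results(HEADERS))
    print("earlier auth (ARC):", auth_results(HEADERS, "ARC-Authentication-Results"))
    print("handoffs:", [(h["from"], str(h["ip"]), h["by"]) for h in handoffs(hops)])
    print("submitting client:", originating_ip(HEADERS))
```

Run against this header it reports two handoffs: outbound.protection.outlook.com (40.107.92.120) into mx.superiorgroup.com, then mail.superiorgroup.com (65.170.60.123) into the recipient's protection.outlook.com. The second is the one SPF was evaluated against, which is why it fails (birdair.com's SPF record does not list superiorgroup's mailer) while DKIM still passes (the forwarder did not alter the signed headers) and the ARC-Authentication-Results line preserves the earlier spf=pass from the first hop. Note that a Received line is only trustworthy from the first hop your own infrastructure wrote downward; everything beneath the perimeter hop was supplied by the previous relay and could be forged, so confirm it against the forwarder's own logs where possible.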
