
Help in identifying spam header line in email

A client received this email; it's spam. I pulled the header from the email, and I was wondering if someone can assist in identifying which line shows a bogus inbound or outbound sending line? I went through it a couple of times and this is my only source to identify where the sender came from.

Received: from BN6PR2201MB1137.namprd22.prod.outlook.com
 (2603:10b6:404:8d::27) by BN6PR2201MB1746.namprd22.prod.outlook.com with
 HTTPS via BN6PR04CA0077.NAMPRD04.PROD.OUTLOOK.COM; Tue, 25 Feb 2020 19:51:11
 +0000
Received: from DM3PR14CA0133.namprd14.prod.outlook.com (2603:10b6:0:53::17) by
 BN6PR2201MB1137.namprd22.prod.outlook.com (2603:10b6:405:36::29) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2750.21; Tue, 25 Feb
 2020 19:51:09 +0000
Received: from DM3NAM05FT043.eop-nam05.prod.protection.outlook.com
 (2603:10b6:0:53:cafe::96) by DM3PR14CA0133.outlook.office365.com
 (2603:10b6:0:53::17) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2750.18 via Frontend
 Transport; Tue, 25 Feb 2020 19:51:08 +0000
Authentication-Results: spf=fail (sender IP is 65.170.60.123)
 smtp.mailfrom=birdair.com; superiorsiti.mail.onmicrosoft.com; dkim=pass
 (signature was verified)
 header.d=birdair.onmicrosoft.com;superiorsiti.mail.onmicrosoft.com;
 dmarc=none action=none header.from=birdair.com;
Received-SPF: Fail (protection.outlook.com: domain of birdair.com does not
 designate 65.170.60.123 as permitted sender) receiver=protection.outlook.com;
 client-ip=65.170.60.123; helo=mail.superiorgroup.com;
Received: from mail.superiorgroup.com (65.170.60.123) by
 DM3NAM05FT043.mail.protection.outlook.com (10.152.98.112) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id
 15.20.2772.6 via Frontend Transport; Tue, 25 Feb 2020 19:51:08 +0000
Received: from Exchange.superiorgroup.superior-sdc.com (10.0.1.10) by
 Exchange.superiorgroup.superior-sdc.com (10.0.1.10) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.1591.10; Tue, 25 Feb 2020 14:51:07 -0500
Received: from mx.superiorgroup.com (10.170.60.4) by
 Exchange.superiorgroup.superior-sdc.com (10.0.1.10) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.1591.10 via Frontend Transport; Tue, 25 Feb 2020 14:51:07 -0500
X-ASG-Debug-ID: 1582660166-06bb3c15d040f600001-Uoe6FW
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10on2120.outbound.protection.outlook.com [40.107.92.120]) by mx.superiorgroup.com with ESMTP id 63ugeOzH11bFTZlj (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <kowtaloa@lumestrategies.com>; Tue, 25 Feb 2020 14:49:26 -0500 (EST)
X-Barracuda-Envelope-From: Mmcguire@birdair.com
X-ASG-Whitelist: Sender
X-Barracuda-Effective-Source-IP: mail-bn7nam10on2120.outbound.protection.outlook.com[40.107.92.120]
X-Barracuda-Apparent-Source-IP: 40.107.92.120
X-Barracuda-User-Whitelist: kowtaloa@lumestrategies.com
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=hI6DjNZxt+CswBVNGulaZIZhUmSj9v+4tR2ce/UeZYQu5cLEnXUCpbmrpsUgsFQYUtjABkjIoSxehAbsPfMpLF/zUnIB4EKxipaOcvpSg6178fPF7Ry1T/Sp0ROwU+Wf4vbsySR9ZRNr6dLPP0G0KigeCmbNQp1zmjfyVq4YAMJt2vNrrxvexJKm/ynJVAz/MRvQVidMkJR0jQGKElq+JxrFzGdeekzz8gxt1CB7UwQBZVYAuc/f8i3V8BkGOFrvj9hhUp8JxO7jg7qOJjAtjXqgDr4/I8+Ryn8AL9CeGTP85IP3m3OvuzXYGXR09tvmpVFnjX0rLi1jfJ1rog2i6g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=RQdoI7j69F4CRbuaJBrVyXpykl3Qb8dbM6oBLBk43SE=;
 b=fJzlWNE+cbQjAWfBm4fguD1Fam2WTcNPDm/t20rWVjrYsCi5GA7AtCdvH17fTZshrh6oLE/mxthHdj3r94a7cBDEX28MPavWfFuOcpI4j2g/BYW8u1DQPSewbG8a8AHko+VUm1OMsZXBSL8yXJSrggVJnAqzROE60efyJEy9KZKYvue5koX8fsHbYcqmbyYpokl1nckYuVO10G4493l6rtgs+70qdB0plbjr5D7RguxgGku06T5Gu0bPngUvmEXlVUMJB741pglOvWA3QI4aWV/Qh2Bzb4aZIrgc7AHxAygmw5syJqwEKYT7h7RtOjmHmCTbvPfhQtv9xlhjXGEjYg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=birdair.com; dmarc=pass action=none header.from=birdair.com;
 dkim=pass header.d=birdair.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=birdair.onmicrosoft.com; s=selector1-birdair-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=RQdoI7j69F4CRbuaJBrVyXpykl3Qb8dbM6oBLBk43SE=;
 b=s+GgvBW4DQh9XoMNEBuhhbf1Thtcghlnkcw9FfFYvDpEqNP0GEasCTXd+dsUaZY03rs23bsKpoI0pBUwGzKT8yxCRbF+IyCg5yC/j+K0H/L654ZJjsl9yD5xE6bR71HUpCZCU9Kns3qzojVfdXxLiQSNvA7dRu04AjRq9gjgu+Y=
Received: from DM5PR1801MB1819.namprd18.prod.outlook.com (2603:10b6:4:6b::25)
 by DM5PR1801MB2073.namprd18.prod.outlook.com (2603:10b6:4:6c::22) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2750.22; Tue, 25 Feb
 2020 19:51:06 +0000
Received: from DM5PR1801MB1819.namprd18.prod.outlook.com
 ([fe80::c85c:d0d1:45cb:34dc]) by DM5PR1801MB1819.namprd18.prod.outlook.com
 ([fe80::c85c:d0d1:45cb:34dc%3]) with mapi id 15.20.2750.021; Tue, 25 Feb 2020
 19:51:06 +0000
From: Megan Mcguire <Mmcguire@birdair.com>
To: Andrew Kowtalo <kowtaloa@lumestrategies.com>
X-Barracuda-User-Whitelist: kowtaloa@lumestrategies.com
Subject: FW: Payment Status for Sawgrass Mills Mall Invoice#3
Thread-Topic: Payment Status for Sawgrass Mills Mall Invoice#3
X-ASG-Orig-Subj: FW: Payment Status for Sawgrass Mills Mall Invoice#3
Thread-Index: AQHV6zNReDiwxkvSnUCCyFHQjkAU+agsU2FA
Date: Tue, 25 Feb 2020 19:51:06 +0000
Message-ID: <DM5PR1801MB1819F0A6569960C34A284D29DDED0@DM5PR1801MB1819.namprd18.prod.outlook.com>
References: <17078208e46.f4f3f5db51398.4056900749452283588@bigspams.com>
In-Reply-To: <17078208e46.f4f3f5db51398.4056900749452283588@bigspams.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Authentication-Results-Original: spf=none (sender IP is )
 smtp.mailfrom=Mmcguire@birdair.com; 
x-originating-ip: [71.186.228.11]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-Correlation-Id: 40e87e18-e9b4-4fd5-e88b-08d7ba2c0edc
X-MS-TrafficTypeDiagnostic: DM5PR1801MB2073:|BN6PR2201MB1137:
x-microsoft-antispam-prvs: <DM5PR1801MB2073B89B144DA90715DD5637DDED0@DM5PR1801MB2073.namprd18.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:6108;OLM:6108;
x-forefront-prvs: 0324C2C0E2
X-Forefront-Antispam-Report-Untrusted:
 SFV:NSPM;SFS:(10019020)(376002)(346002)(396003)(136003)(366004)(39830400003)(189003)(199004)(81166006)(8676002)(71200400001)(81156014)(8936002)(5660300002)(7696005)(55016002)(6916009)(15650500001)(86362001)(66616009)(76116006)(66446008)(64756008)(66556008)(66476007)(4744005)(33656002)(26005)(316002)(186003)(66946007)(53546011)(2906002)(52536014)(6506007)(9686003)(508600001);DIR:OUT;SFP:1102;SCL:1;SRVR:DM5PR1801MB2073;H:DM5PR1801MB1819.namprd18.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1;
received-spf: None (protection.outlook.com: birdair.com does not designate
 permitted sender hosts)
x-ms-exchange-senderadcheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original:
 HjiFJ6Zmu6Aq8pauY+rT2Und0Wx4jtFCbDqCwDs/BgbaToC7DEJNzfhzBlHsAclNM9FuoclbGGZA4TkK8sLAqZo1eCHEqqQI2uKMpIu8sdONMqMSNz9RqVkbnbI9sKFHB4/ppWMf9QCFg35BcIaiWB2hsO7N70GfzODL4P3gFi4riZu98rDg8q2GYX0xOwzcSf2+9oaeOZGY4Wf5svX3BqoSMFXYFwJ75jNJt5PuQqRu0+nw2olBo8dDXzKh0HzTMFjqqUWZ+lrTcfo+qiI5uzU6kuMJWnytpVWnrQD0eO+EDW150fzwL2a7iVAyIdPlZzuv+1L8Wz1/lHcaLMVtpul9+u9W1cGyEKrXezsmJVmS3XC0bO9qQwrQq1niID7I2H6VOGBT3bR67qgInk/nELFlaxr7TNhruq3diQq/cZozGRhcm1HsjRql7wgiYpdG
x-ms-exchange-antispam-messagedata: VvpMIviZL42e/o3nN22Y0NgQAXGh2vNc2c/mMAgrzshCzyGPU66d8YGJwi7CQKEbQSV9zuZm0sYdQVW441oge1jyi+3pqrAN8A78OMIRrPuVkQ+4A8/U6PGX71nIQxEdybISFO08jmMQCwBZEWXQKw==
x-ms-exchange-transport-forked: True
Content-Type: multipart/related;
	boundary="_004_DM5PR1801MB1819F0A6569960C34A284D29DDED0DM5PR1801MB1819_";
	type="multipart/alternative"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR1801MB2073
X-Barracuda-Connect: mail-bn7nam10on2120.outbound.protection.outlook.com[40.107.92.120]
X-Barracuda-Start-Time: 1582660166
X-Barracuda-Encrypted: ECDHE-RSA-AES256-GCM-SHA384
X-Barracuda-URL: https://spam.superiorgroup.com:443/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at superiorgroup.com
X-Barracuda-Scan-Msg-Size: 9334
X-Barracuda-BRTS-Status: 1
Return-Path: Mmcguire@birdair.com
X-EXCLAIMER-MD-CONFIG: 528f7f53-ad0a-4a52-b8e6-038dcd5bbf54
X-OrganizationHeadersPreserved: Exchange.superiorgroup.superior-sdc.com
X-MS-Exchange-Organization-ExpirationStartTime: 25 Feb 2020 19:51:08.6900
 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
 40e87e18-e9b4-4fd5-e88b-08d7ba2c0edc
X-EOPAttributedMessage: 0
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-CrossPremisesHeadersPromoted:
 DM3NAM05FT043.eop-nam05.prod.protection.outlook.com
X-CrossPremisesHeadersFiltered:
 DM3NAM05FT043.eop-nam05.prod.protection.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersStripped:
 DM3NAM05FT043.eop-nam05.prod.protection.outlook.com
X-Forefront-Antispam-Report:
 CIP:65.170.60.123;IPV:;CTRY:US;EFV:NLI;SFV:NSPM;SFS:(1110001)(339900001)(489007)(189003)(199004)(15650500001)(6506007)(156005)(86362001)(52536014)(33964004)(5660300002)(55016002)(7696005)(66574012)(9686003)(53546011)(6916009)(8676002)(36005)(36906005)(8936002)(8636004)(7636002)(336012)(246002)(33656002)(356004)(1096003)(5001870100001);DIR:INB;SFP:;SCL:1;SRVR:BN6PR2201MB1137;H:mail.superiorgroup.com;FPR:;SPF:Fail;LANG:en;PTR:autodiscover.superiorgroup.com,webmail.superiorgroup.com,webmail.superior-sdc.com;MX:1;A:1;
X-MS-Exchange-Organization-AuthSource: Exchange.superiorgroup.superior-sdc.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-OriginatorOrg: superiorgroup.com
X-MS-Office365-Filtering-Correlation-Id-Prvs:
 84d377c4-e7c2-4b5b-7625-08d7ba2c0d8f
X-MS-Exchange-Organization-SCL: 1
X-Microsoft-Antispam: BCL:0;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 Feb 2020 19:51:08.5950
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 40e87e18-e9b4-4fd5-e88b-08d7ba2c0edc
X-MS-Exchange-CrossTenant-Id: 5bd05357-5c48-461b-8f4a-38b232adb5bb
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=5bd05357-5c48-461b-8f4a-38b232adb5bb;Ip=[65.170.60.123];Helo=[mail.superiorgroup.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR2201MB1137
X-MS-Exchange-Transport-EndToEndLatency: 00:00:04.8127098
X-MS-Exchange-Processed-By-BccFoldering: 15.20.2750.019
X-Microsoft-Antispam-Mailbox-Delivery:
	ucf:0;jmr:0;ex:0;auth:0;dest:I;ENG:(20160514016)(750127)(520011016)(944506383)(944626516);
X-Microsoft-Antispam-Message-Info:
	=?us-ascii?Q?WCwmEb1oYrhbTWVSZILuCofqtTLmAU7809cT8HXIohZaPsSAYTVd+H+gNd8G?=
 =?us-ascii?Q?vRN57Mwl9Y2eNj41cy9lP8C1L8cnUCdppiuqBYTE8ajoWcvP09uaeTrlpzo/?=
 =?us-ascii?Q?56aCLS6sFgO7GrcFJBjpAZ1Rptl8MH35HEkH2P/ia8RCflqjeagNeWOk0yLh?=
 =?us-ascii?Q?PfPhsuY2tU61GHQJGEUD0RO6SmqzaOI43/zRGC0idv0MNgBcWnm1fc6sNKn9?=
 =?us-ascii?Q?ss4LDpVRQp9JgfVJjIGCZ3DZ/RWVyYYZ3NRNiQJOkXOLOod5g4sxCE8M1tZG?=
 =?us-ascii?Q?d3KVRlZKphk3f8lk32mBYMXG0iBEM2KALiS3A9r3x+QZovE+p5sM1SwQn5m9?=
 =?us-ascii?Q?GYwDNmyR5K3r5odr7IujvL3FPU8C7SH7GEXzDNJbMk0thPwk9ZIUE3nKYd6K?=
 =?us-ascii?Q?8otW1x23kym9CN0xTgFopt8FBqXeT2/65dbiIdkarFBtaWrWd832cEsh+K+k?=
 =?us-ascii?Q?KKgiOKwGlQ6daA1svXmsHEcWkwWqOWoTVgJ8e1zGM5z9xrHvSjnKQANEqy3w?=
 =?us-ascii?Q?C2GZj1hluwlkLRSKNgj6gr2Pq0Dj45WLe3rkTHBvrnYPbTFjRTx/fkBMdBi5?=
 =?us-ascii?Q?MGHLGGG1rwmJ5Y/nVBinYz8WoFnB4B2AYnmECUbK8eWETqXvYu3t8JSoavym?=
 =?us-ascii?Q?bMS1qsLpkh/QJBtyuiGs/moVlGiLWVN0QW3y3jjVQ1Tl4NLN6m3Zu8AFjpd/?=
 =?us-ascii?Q?kh3MSHqcdjxZ/TphWtYYfH2IVndNZBHzTmRXS36uVfWZOPl1rpkpL8I3KMvj?=
 =?us-ascii?Q?FEXJT6AiE2FaTGhJcHfl0YOSM/sGm7VAWkpJQ42AaxOU0Yh7pnYL/92wOfyC?=
 =?us-ascii?Q?glZ6EvUHz9+MPXHodM7BnJ3Mfrdl2qMCPD0iZ8XnU7IJD/pRPaqc7XkOwAaq?=
 =?us-ascii?Q?m/6AnLdK+PbHTAZp4xp1hbXl2XLXDkqgGplckmLPWY0gi/F+p/dQXsPUTRLA?=
 =?us-ascii?Q?U0KDRf7Zb8QGoJ5O+9D97+MSj8yvhvwl1Txq0F0HkI71faHp1YzhDJvbZIRa?=
 =?us-ascii?Q?JlvatxJpqL0oc+GwAYTRUNM7+XuIrhGiCKUzpTC+2h0TEZ3+aSH4glYlqQq5?=
 =?us-ascii?Q?iVw+tcLoldVVoTyiCK4GtLnRIx9+7EJS7Don8pORAIRLjpRh/EFvvsiQWCO5?=
 =?us-ascii?Q?eP6YOIa5y++2Co4imiMNV3MlB3jHFD0kRHX0ebXYe+yGk6NMvOUP2TrrKDjB?=
 =?us-ascii?Q?oSir8Q9zp9FHND4Wpap+/JUIqph31aVFYtkUjA=3D=3D?=


President
CERTIFIED EXPERT
Commented:

There are a number of factors that can indicate that an email is spam or potential spam.  One of the main ones is this:


Received-SPF: Fail (protection.outlook.com: domain of birdair.com does not designate 65.170.60.123 as permitted sender)


This means that the sending domain "birdair.com" does have an SPF (Sender Policy Framework) record on its public domain. SPF is one of the main means of identifying a "spoofed" email, that is, one that doesn't come from the domain it says it came from. In this case it's clear that the domain was spoofed because the IP address on the email isn't from an approved IP address for that domain. This factor alone would be enough for most spam detection services to reject the email as spam.

Hypercat (Deb), President
CERTIFIED EXPERT

Commented:

Also, just below that, this section indicates the domain that actually owns that IP address:


helo=mail.superiorgroup.com; Received: from mail.superiorgroup.com (65.170.60.123) by DM3NAM05FT043.mail.protection.outlook.com (10.152.98.112)
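The two comments above are doing by eye what a small header walker can do mechanically: unfold the header, pull every SPF verdict together with the IP it was computed for, and match that IP against the Received chain to find the hop the verdict actually refers to. The script below is an added example, not code from the question or from any of the commenters; it embeds an abridged copy of the header posted in the question (non-essential fields removed, line folding kept as in the original) as constructed sample input, and the field names and regular expressions are my own choices, not any vendor's API.

```python
import re
from typing import Dict, List, Optional, Tuple

# Abridged copy of the header fields posted in the question (constructed sample
# input: non-essential fields dropped, RFC 5322 folding kept as in the original).
SAMPLE_HEADER = """\
Received: from DM3NAM05FT043.eop-nam05.prod.protection.outlook.com
 (2603:10b6:0:53:cafe::96) by DM3PR14CA0133.outlook.office365.com
 (2603:10b6:0:53::17) with Microsoft SMTP Server; Tue, 25 Feb 2020 19:51:08 +0000
Authentication-Results: spf=fail (sender IP is 65.170.60.123)
 smtp.mailfrom=birdair.com; dkim=pass (signature was verified)
 header.d=birdair.onmicrosoft.com; dmarc=none action=none header.from=birdair.com;
Received-SPF: Fail (protection.outlook.com: domain of birdair.com does not
 designate 65.170.60.123 as permitted sender) receiver=protection.outlook.com;
 client-ip=65.170.60.123; helo=mail.superiorgroup.com;
Received: from mail.superiorgroup.com (65.170.60.123) by
 DM3NAM05FT043.mail.protection.outlook.com (10.152.98.112) with Microsoft SMTP
 Server; Tue, 25 Feb 2020 19:51:08 +0000
Received: from mx.superiorgroup.com (10.170.60.4) by
 Exchange.superiorgroup.superior-sdc.com (10.0.1.10) with Microsoft SMTP
 Server; Tue, 25 Feb 2020 14:51:07 -0500
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10on2120.outbound.protection.outlook.com [40.107.92.120]) by mx.superiorgroup.com with ESMTP id 63ugeOzH11bFTZlj for <kowtaloa@lumestrategies.com>; Tue, 25 Feb 2020 14:49:26 -0500 (EST)
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=birdair.com; dmarc=pass action=none header.from=birdair.com;
 dkim=pass header.d=birdair.com; arc=none
From: Megan Mcguire <Mmcguire@birdair.com>
Authentication-Results-Original: spf=none (sender IP is )
 smtp.mailfrom=Mmcguire@birdair.com;
Return-Path: Mmcguire@birdair.com
"""

Field = Tuple[str, str]

# "from <host> (<comment>) by <host>"; the parenthesised part is optional.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+(?:\(([^)]*)\)\s+)?by\s+(\S+)", re.I)


def unfold(raw: str) -> List[Field]:
    """Join folded continuation lines (leading SP/HTAB) and split into (name, value)."""
    fields: List[Field] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def received_hops(fields: List[Field]) -> List[Dict[str, str]]:
    """Received hops oldest first (each relay prepends, so header order is newest first)."""
    hops = []
    for name, value in fields:
        if name.lower() != "received":
            continue
        m = RECEIVED_RE.search(value)
        if m:
            hops.append({"from": m.group(1), "from_info": m.group(2) or "", "by": m.group(3)})
    hops.reverse()
    return hops


def spf_verdicts(fields: List[Field]) -> List[Dict[str, Optional[str]]]:
    """Every SPF verdict in the header with the client IP it was computed for.
    Received-SPF carries client-ip=; the Authentication-Results family carries
    'spf=<result> (sender IP is <ip>)', where the IP may be empty."""
    verdicts: List[Dict[str, Optional[str]]] = []
    for name, value in fields:
        lname = name.lower()
        if lname == "received-spf":
            ip = re.search(r"client-ip=([^;\s]+)", value)
            helo = re.search(r"helo=([^;\s]+)", value)
            verdicts.append({"source": name, "result": value.split(None, 1)[0].lower(),
                             "ip": ip.group(1) if ip else None,
                             "helo": helo.group(1) if helo else None})
        elif lname in ("authentication-results", "authentication-results-original",
                       "arc-authentication-results"):
            m = re.search(r"spf=(\w+)(?:\s+\(sender IP is ([^)\s]*)\))?", value, re.I)
            if m:
                verdicts.append({"source": name, "result": m.group(1).lower(),
                                 "ip": m.group(2) or None, "helo": None})
    return verdicts


def failing_hop(fields: List[Field]) -> Optional[Tuple[str, Dict[str, str]]]:
    """Match an SPF 'fail' verdict to the Received hop whose handing-off host
    carries that IP: that hop is the line the verdict is talking about."""
    hops = received_hops(fields)
    for v in spf_verdicts(fields):
        if v["result"] != "fail" or not v["ip"]:
            continue
        for hop in hops:
            if v["ip"] in hop["from_info"] or v["ip"] in hop["from"]:
                return v["ip"], hop
    return None


def report(raw: str) -> List[str]:
    """Delivery path oldest-first, followed by where the SPF failure was computed."""
    fields = unfold(raw)
    lines = [f"hop {n}: {h['from']} {h['from_info']} -> {h['by']}"
             for n, h in enumerate(received_hops(fields), 1)]
    hit = failing_hop(fields)
    if hit:
        ip, hop = hit
        lines.append(f"SPF fail computed for {ip}: {hop['from']} handing off to {hop['by']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_HEADER)))
```

Run against the sample, the report lists four hops: the message first entered mx.superiorgroup.com from Microsoft's outbound host at 40.107.92.120 (where the ARC-Authentication-Results recorded spf=pass), passed through the superiorgroup.com Exchange servers, and was then handed to Microsoft's protection.outlook.com frontend by mail.superiorgroup.com at 65.170.60.123, which is the hop the Received-SPF "Fail" refers to. SPF is always evaluated against the IP of the host that last connected to the receiving server, so when that host is an intermediate relay rather than the sending domain's own outbound server, the verdict says as much about the relay as about the original sender; reading the whole chain, not just the verdict line, is what tells the two apart.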

Andrew N. Kowtalo, Support Center Engineer

Author

Commented:

Deb, that second domain mail.superiorgroup.com was because she forwarded the spam email to me.

Hypercat (Deb), President
CERTIFIED EXPERT
Commented:

Oh - gotcha!

Hypercat (Deb), President
CERTIFIED EXPERT
Commented:

And thanks for the testimonial too!


Deb