
Help in identifying spam header line in email

Andrew N. Kowtalo asked on
Tags: AntiSpam, Outlook, Outlook 2019, Email Header
A client received this email, it's spam. I pulled the header from the email, and I was wondering if someone can assist in identifying which line shows a bogus inbound or outbound sending line? I went through it a couple times and this is my only source to identify where the sender came from.

Received: from BN6PR2201MB1137.namprd22.prod.outlook.com
 (2603:10b6:404:8d::27) by BN6PR2201MB1746.namprd22.prod.outlook.com with
 HTTPS via BN6PR04CA0077.NAMPRD04.PROD.OUTLOOK.COM; Tue, 25 Feb 2020 19:51:11
 +0000
Received: from DM3PR14CA0133.namprd14.prod.outlook.com (2603:10b6:0:53::17) by
 BN6PR2201MB1137.namprd22.prod.outlook.com (2603:10b6:405:36::29) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2750.21; Tue, 25 Feb
 2020 19:51:09 +0000
Received: from DM3NAM05FT043.eop-nam05.prod.protection.outlook.com
 (2603:10b6:0:53:cafe::96) by DM3PR14CA0133.outlook.office365.com
 (2603:10b6:0:53::17) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2750.18 via Frontend
 Transport; Tue, 25 Feb 2020 19:51:08 +0000
Authentication-Results: spf=fail (sender IP is 65.170.60.123)
 smtp.mailfrom=birdair.com; superiorsiti.mail.onmicrosoft.com; dkim=pass
 (signature was verified)
 header.d=birdair.onmicrosoft.com;superiorsiti.mail.onmicrosoft.com;
 dmarc=none action=none header.from=birdair.com;
Received-SPF: Fail (protection.outlook.com: domain of birdair.com does not
 designate 65.170.60.123 as permitted sender) receiver=protection.outlook.com;
 client-ip=65.170.60.123; helo=mail.superiorgroup.com;
Received: from mail.superiorgroup.com (65.170.60.123) by
 DM3NAM05FT043.mail.protection.outlook.com (10.152.98.112) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id
 15.20.2772.6 via Frontend Transport; Tue, 25 Feb 2020 19:51:08 +0000
Received: from Exchange.superiorgroup.superior-sdc.com (10.0.1.10) by
 Exchange.superiorgroup.superior-sdc.com (10.0.1.10) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.1591.10; Tue, 25 Feb 2020 14:51:07 -0500
Received: from mx.superiorgroup.com (10.170.60.4) by
 Exchange.superiorgroup.superior-sdc.com (10.0.1.10) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.1591.10 via Frontend Transport; Tue, 25 Feb 2020 14:51:07 -0500
X-ASG-Debug-ID: 1582660166-06bb3c15d040f600001-Uoe6FW
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10on2120.outbound.protection.outlook.com [40.107.92.120]) by mx.superiorgroup.com with ESMTP id 63ugeOzH11bFTZlj (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <kowtaloa@lumestrategies.com>; Tue, 25 Feb 2020 14:49:26 -0500 (EST)
X-Barracuda-Envelope-From: Mmcguire@birdair.com
X-ASG-Whitelist: Sender
X-Barracuda-Effective-Source-IP: mail-bn7nam10on2120.outbound.protection.outlook.com[40.107.92.120]
X-Barracuda-Apparent-Source-IP: 40.107.92.120
X-Barracuda-User-Whitelist: kowtaloa@lumestrategies.com
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=hI6DjNZxt+CswBVNGulaZIZhUmSj9v+4tR2ce/UeZYQu5cLEnXUCpbmrpsUgsFQYUtjABkjIoSxehAbsPfMpLF/zUnIB4EKxipaOcvpSg6178fPF7Ry1T/Sp0ROwU+Wf4vbsySR9ZRNr6dLPP0G0KigeCmbNQp1zmjfyVq4YAMJt2vNrrxvexJKm/ynJVAz/MRvQVidMkJR0jQGKElq+JxrFzGdeekzz8gxt1CB7UwQBZVYAuc/f8i3V8BkGOFrvj9hhUp8JxO7jg7qOJjAtjXqgDr4/I8+Ryn8AL9CeGTP85IP3m3OvuzXYGXR09tvmpVFnjX0rLi1jfJ1rog2i6g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=RQdoI7j69F4CRbuaJBrVyXpykl3Qb8dbM6oBLBk43SE=;
 b=fJzlWNE+cbQjAWfBm4fguD1Fam2WTcNPDm/t20rWVjrYsCi5GA7AtCdvH17fTZshrh6oLE/mxthHdj3r94a7cBDEX28MPavWfFuOcpI4j2g/BYW8u1DQPSewbG8a8AHko+VUm1OMsZXBSL8yXJSrggVJnAqzROE60efyJEy9KZKYvue5koX8fsHbYcqmbyYpokl1nckYuVO10G4493l6rtgs+70qdB0plbjr5D7RguxgGku06T5Gu0bPngUvmEXlVUMJB741pglOvWA3QI4aWV/Qh2Bzb4aZIrgc7AHxAygmw5syJqwEKYT7h7RtOjmHmCTbvPfhQtv9xlhjXGEjYg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=birdair.com; dmarc=pass action=none header.from=birdair.com;
 dkim=pass header.d=birdair.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=birdair.onmicrosoft.com; s=selector1-birdair-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=RQdoI7j69F4CRbuaJBrVyXpykl3Qb8dbM6oBLBk43SE=;
 b=s+GgvBW4DQh9XoMNEBuhhbf1Thtcghlnkcw9FfFYvDpEqNP0GEasCTXd+dsUaZY03rs23bsKpoI0pBUwGzKT8yxCRbF+IyCg5yC/j+K0H/L654ZJjsl9yD5xE6bR71HUpCZCU9Kns3qzojVfdXxLiQSNvA7dRu04AjRq9gjgu+Y=
Received: from DM5PR1801MB1819.namprd18.prod.outlook.com (2603:10b6:4:6b::25)
 by DM5PR1801MB2073.namprd18.prod.outlook.com (2603:10b6:4:6c::22) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2750.22; Tue, 25 Feb
 2020 19:51:06 +0000
Received: from DM5PR1801MB1819.namprd18.prod.outlook.com
 ([fe80::c85c:d0d1:45cb:34dc]) by DM5PR1801MB1819.namprd18.prod.outlook.com
 ([fe80::c85c:d0d1:45cb:34dc%3]) with mapi id 15.20.2750.021; Tue, 25 Feb 2020
 19:51:06 +0000
From: Megan Mcguire <Mmcguire@birdair.com>
To: Andrew Kowtalo <kowtaloa@lumestrategies.com>
X-Barracuda-User-Whitelist: kowtaloa@lumestrategies.com
Subject: FW: Payment Status for Sawgrass Mills Mall Invoice#3
Thread-Topic: Payment Status for Sawgrass Mills Mall Invoice#3
X-ASG-Orig-Subj: FW: Payment Status for Sawgrass Mills Mall Invoice#3
Thread-Index: AQHV6zNReDiwxkvSnUCCyFHQjkAU+agsU2FA
Date: Tue, 25 Feb 2020 19:51:06 +0000
Message-ID: <DM5PR1801MB1819F0A6569960C34A284D29DDED0@DM5PR1801MB1819.namprd18.prod.outlook.com>
References: <17078208e46.f4f3f5db51398.4056900749452283588@bigspams.com>
In-Reply-To: <17078208e46.f4f3f5db51398.4056900749452283588@bigspams.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Authentication-Results-Original: spf=none (sender IP is )
 smtp.mailfrom=Mmcguire@birdair.com; 
x-originating-ip: [71.186.228.11]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-Correlation-Id: 40e87e18-e9b4-4fd5-e88b-08d7ba2c0edc
X-MS-TrafficTypeDiagnostic: DM5PR1801MB2073:|BN6PR2201MB1137:
x-microsoft-antispam-prvs: <DM5PR1801MB2073B89B144DA90715DD5637DDED0@DM5PR1801MB2073.namprd18.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:6108;OLM:6108;
x-forefront-prvs: 0324C2C0E2
X-Forefront-Antispam-Report-Untrusted:
 SFV:NSPM;SFS:(10019020)(376002)(346002)(396003)(136003)(366004)(39830400003)(189003)(199004)(81166006)(8676002)(71200400001)(81156014)(8936002)(5660300002)(7696005)(55016002)(6916009)(15650500001)(86362001)(66616009)(76116006)(66446008)(64756008)(66556008)(66476007)(4744005)(33656002)(26005)(316002)(186003)(66946007)(53546011)(2906002)(52536014)(6506007)(9686003)(508600001);DIR:OUT;SFP:1102;SCL:1;SRVR:DM5PR1801MB2073;H:DM5PR1801MB1819.namprd18.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1;
received-spf: None (protection.outlook.com: birdair.com does not designate
 permitted sender hosts)
x-ms-exchange-senderadcheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original:
 HjiFJ6Zmu6Aq8pauY+rT2Und0Wx4jtFCbDqCwDs/BgbaToC7DEJNzfhzBlHsAclNM9FuoclbGGZA4TkK8sLAqZo1eCHEqqQI2uKMpIu8sdONMqMSNz9RqVkbnbI9sKFHB4/ppWMf9QCFg35BcIaiWB2hsO7N70GfzODL4P3gFi4riZu98rDg8q2GYX0xOwzcSf2+9oaeOZGY4Wf5svX3BqoSMFXYFwJ75jNJt5PuQqRu0+nw2olBo8dDXzKh0HzTMFjqqUWZ+lrTcfo+qiI5uzU6kuMJWnytpVWnrQD0eO+EDW150fzwL2a7iVAyIdPlZzuv+1L8Wz1/lHcaLMVtpul9+u9W1cGyEKrXezsmJVmS3XC0bO9qQwrQq1niID7I2H6VOGBT3bR67qgInk/nELFlaxr7TNhruq3diQq/cZozGRhcm1HsjRql7wgiYpdG
x-ms-exchange-antispam-messagedata: VvpMIviZL42e/o3nN22Y0NgQAXGh2vNc2c/mMAgrzshCzyGPU66d8YGJwi7CQKEbQSV9zuZm0sYdQVW441oge1jyi+3pqrAN8A78OMIRrPuVkQ+4A8/U6PGX71nIQxEdybISFO08jmMQCwBZEWXQKw==
x-ms-exchange-transport-forked: True
Content-Type: multipart/related;
	boundary="_004_DM5PR1801MB1819F0A6569960C34A284D29DDED0DM5PR1801MB1819_";
	type="multipart/alternative"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR1801MB2073
X-Barracuda-Connect: mail-bn7nam10on2120.outbound.protection.outlook.com[40.107.92.120]
X-Barracuda-Start-Time: 1582660166
X-Barracuda-Encrypted: ECDHE-RSA-AES256-GCM-SHA384
X-Barracuda-URL: https://spam.superiorgroup.com:443/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at superiorgroup.com
X-Barracuda-Scan-Msg-Size: 9334
X-Barracuda-BRTS-Status: 1
Return-Path: Mmcguire@birdair.com
X-EXCLAIMER-MD-CONFIG: 528f7f53-ad0a-4a52-b8e6-038dcd5bbf54
X-OrganizationHeadersPreserved: Exchange.superiorgroup.superior-sdc.com
X-MS-Exchange-Organization-ExpirationStartTime: 25 Feb 2020 19:51:08.6900
 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
 40e87e18-e9b4-4fd5-e88b-08d7ba2c0edc
X-EOPAttributedMessage: 0
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-CrossPremisesHeadersPromoted:
 DM3NAM05FT043.eop-nam05.prod.protection.outlook.com
X-CrossPremisesHeadersFiltered:
 DM3NAM05FT043.eop-nam05.prod.protection.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersStripped:
 DM3NAM05FT043.eop-nam05.prod.protection.outlook.com
X-Forefront-Antispam-Report:
 CIP:65.170.60.123;IPV:;CTRY:US;EFV:NLI;SFV:NSPM;SFS:(1110001)(339900001)(489007)(189003)(199004)(15650500001)(6506007)(156005)(86362001)(52536014)(33964004)(5660300002)(55016002)(7696005)(66574012)(9686003)(53546011)(6916009)(8676002)(36005)(36906005)(8936002)(8636004)(7636002)(336012)(246002)(33656002)(356004)(1096003)(5001870100001);DIR:INB;SFP:;SCL:1;SRVR:BN6PR2201MB1137;H:mail.superiorgroup.com;FPR:;SPF:Fail;LANG:en;PTR:autodiscover.superiorgroup.com,webmail.superiorgroup.com,webmail.superior-sdc.com;MX:1;A:1;
X-MS-Exchange-Organization-AuthSource: Exchange.superiorgroup.superior-sdc.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-OriginatorOrg: superiorgroup.com
X-MS-Office365-Filtering-Correlation-Id-Prvs:
 84d377c4-e7c2-4b5b-7625-08d7ba2c0d8f
X-MS-Exchange-Organization-SCL: 1
X-Microsoft-Antispam: BCL:0;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 Feb 2020 19:51:08.5950
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 40e87e18-e9b4-4fd5-e88b-08d7ba2c0edc
X-MS-Exchange-CrossTenant-Id: 5bd05357-5c48-461b-8f4a-38b232adb5bb
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=5bd05357-5c48-461b-8f4a-38b232adb5bb;Ip=[65.170.60.123];Helo=[mail.superiorgroup.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR2201MB1137
X-MS-Exchange-Transport-EndToEndLatency: 00:00:04.8127098
X-MS-Exchange-Processed-By-BccFoldering: 15.20.2750.019
X-Microsoft-Antispam-Mailbox-Delivery:
	ucf:0;jmr:0;ex:0;auth:0;dest:I;ENG:(20160514016)(750127)(520011016)(944506383)(944626516);
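An added example, not part of the original post or of any answer on this page: Python's standard `email` module is used to list the `Received` hops oldest first, read the SPF/DKIM/DMARC verdicts from `Authentication-Results`, and find the hop whose connecting IP is the one SPF was evaluated against. `SAMPLE` is an abridged excerpt of the header above, and the function names are assumptions of this example.

```python
import re
from email import message_from_string

# Abridged excerpt of the header posted above (TLS details trimmed).
SAMPLE = """\
Received: from DM3NAM05FT043.eop-nam05.prod.protection.outlook.com
 (2603:10b6:0:53:cafe::96) by DM3PR14CA0133.outlook.office365.com
 (2603:10b6:0:53::17) with Microsoft SMTP Server; Tue, 25 Feb 2020 19:51:08 +0000
Authentication-Results: spf=fail (sender IP is 65.170.60.123)
 smtp.mailfrom=birdair.com; superiorsiti.mail.onmicrosoft.com; dkim=pass
 (signature was verified)
 header.d=birdair.onmicrosoft.com;superiorsiti.mail.onmicrosoft.com;
 dmarc=none action=none header.from=birdair.com;
Received: from mail.superiorgroup.com (65.170.60.123) by
 DM3NAM05FT043.mail.protection.outlook.com (10.152.98.112) with Microsoft SMTP
 Server; Tue, 25 Feb 2020 19:51:08 +0000
Received: from NAM10-BN7-obe.outbound.protection.outlook.com
 (mail-bn7nam10on2120.outbound.protection.outlook.com [40.107.92.120]) by
 mx.superiorgroup.com with ESMTP id 63ugeOzH11bFTZlj; Tue, 25 Feb 2020 14:49:26 -0500 (EST)
From: Megan Mcguire <Mmcguire@birdair.com>

"""

HOP = re.compile(r"from (\S+)(?: \(([^)]*)\))? by (\S+)")

def _flat(value):
    return " ".join((value or "").split())  # undo header folding

def received_chain(raw):
    """Hops oldest first: every server prepends its own Received line."""
    values = message_from_string(raw).get_all("Received", [])
    hops = [HOP.search(_flat(v)) for v in reversed(values)]
    return [{"from": m[1], "peer": m[2] or "", "by": m[3]} for m in hops if m]

def auth_verdicts(raw):
    """spf/dkim/dmarc results stamped by the receiving service."""
    ar = _flat(message_from_string(raw).get("Authentication-Results"))
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar))

def spf_checked_hop(raw):
    """The hop whose connecting peer is the IP that SPF was evaluated against."""
    ar = _flat(message_from_string(raw).get("Authentication-Results"))
    ip = re.search(r"sender IP is ([0-9A-Fa-f.:]+)\)", ar)
    return next((h for h in received_chain(raw) if ip and ip[1] in h["peer"]), None)

if __name__ == "__main__":
    for n, hop in enumerate(received_chain(SAMPLE), 1):
        print(n, hop["from"], "->", hop["by"], f"[{hop['peer']}]")
    print(auth_verdicts(SAMPLE), spf_checked_hop(SAMPLE))
```

Only hops stamped by servers you control or trust are reliable; anything recorded before the message reached them is supplied by the sending side.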