
Help in identifying spam header line in email

Last Modified: 2020-02-25
A client received this email; it's spam. I pulled the header from the email, and I was wondering if someone can assist in identifying which line shows a bogus inbound or outbound sending line? I went through it a couple of times and this is my only source to identify where the sender came from.

Received: from BN6PR2201MB1137.namprd22.prod.outlook.com
 (2603:10b6:404:8d::27) by BN6PR2201MB1746.namprd22.prod.outlook.com with
 HTTPS via BN6PR04CA0077.NAMPRD04.PROD.OUTLOOK.COM; Tue, 25 Feb 2020 19:51:11
 +0000
Received: from DM3PR14CA0133.namprd14.prod.outlook.com (2603:10b6:0:53::17) by
 BN6PR2201MB1137.namprd22.prod.outlook.com (2603:10b6:405:36::29) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2750.21; Tue, 25 Feb
 2020 19:51:09 +0000
Received: from DM3NAM05FT043.eop-nam05.prod.protection.outlook.com
 (2603:10b6:0:53:cafe::96) by DM3PR14CA0133.outlook.office365.com
 (2603:10b6:0:53::17) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2750.18 via Frontend
 Transport; Tue, 25 Feb 2020 19:51:08 +0000
Authentication-Results: spf=fail (sender IP is 65.170.60.123)
 smtp.mailfrom=birdair.com; superiorsiti.mail.onmicrosoft.com; dkim=pass
 (signature was verified)
 header.d=birdair.onmicrosoft.com;superiorsiti.mail.onmicrosoft.com;
 dmarc=none action=none header.from=birdair.com;
Received-SPF: Fail (protection.outlook.com: domain of birdair.com does not
 designate 65.170.60.123 as permitted sender) receiver=protection.outlook.com;
 client-ip=65.170.60.123; helo=mail.superiorgroup.com;
Received: from mail.superiorgroup.com (65.170.60.123) by
 DM3NAM05FT043.mail.protection.outlook.com (10.152.98.112) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id
 15.20.2772.6 via Frontend Transport; Tue, 25 Feb 2020 19:51:08 +0000
Received: from Exchange.superiorgroup.superior-sdc.com (10.0.1.10) by
 Exchange.superiorgroup.superior-sdc.com (10.0.1.10) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.1591.10; Tue, 25 Feb 2020 14:51:07 -0500
Received: from mx.superiorgroup.com (10.170.60.4) by
 Exchange.superiorgroup.superior-sdc.com (10.0.1.10) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.1591.10 via Frontend Transport; Tue, 25 Feb 2020 14:51:07 -0500
X-ASG-Debug-ID: 1582660166-06bb3c15d040f600001-Uoe6FW
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10on2120.outbound.protection.outlook.com [40.107.92.120]) by mx.superiorgroup.com with ESMTP id 63ugeOzH11bFTZlj (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <kowtaloa@lumestrategies.com>; Tue, 25 Feb 2020 14:49:26 -0500 (EST)
X-Barracuda-Envelope-From: Mmcguire@birdair.com
X-ASG-Whitelist: Sender
X-Barracuda-Effective-Source-IP: mail-bn7nam10on2120.outbound.protection.outlook.com[40.107.92.120]
X-Barracuda-Apparent-Source-IP: 40.107.92.120
X-Barracuda-User-Whitelist: kowtaloa@lumestrategies.com
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=hI6DjNZxt+CswBVNGulaZIZhUmSj9v+4tR2ce/UeZYQu5cLEnXUCpbmrpsUgsFQYUtjABkjIoSxehAbsPfMpLF/zUnIB4EKxipaOcvpSg6178fPF7Ry1T/Sp0ROwU+Wf4vbsySR9ZRNr6dLPP0G0KigeCmbNQp1zmjfyVq4YAMJt2vNrrxvexJKm/ynJVAz/MRvQVidMkJR0jQGKElq+JxrFzGdeekzz8gxt1CB7UwQBZVYAuc/f8i3V8BkGOFrvj9hhUp8JxO7jg7qOJjAtjXqgDr4/I8+Ryn8AL9CeGTP85IP3m3OvuzXYGXR09tvmpVFnjX0rLi1jfJ1rog2i6g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=RQdoI7j69F4CRbuaJBrVyXpykl3Qb8dbM6oBLBk43SE=;
 b=fJzlWNE+cbQjAWfBm4fguD1Fam2WTcNPDm/t20rWVjrYsCi5GA7AtCdvH17fTZshrh6oLE/mxthHdj3r94a7cBDEX28MPavWfFuOcpI4j2g/BYW8u1DQPSewbG8a8AHko+VUm1OMsZXBSL8yXJSrggVJnAqzROE60efyJEy9KZKYvue5koX8fsHbYcqmbyYpokl1nckYuVO10G4493l6rtgs+70qdB0plbjr5D7RguxgGku06T5Gu0bPngUvmEXlVUMJB741pglOvWA3QI4aWV/Qh2Bzb4aZIrgc7AHxAygmw5syJqwEKYT7h7RtOjmHmCTbvPfhQtv9xlhjXGEjYg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=birdair.com; dmarc=pass action=none header.from=birdair.com;
 dkim=pass header.d=birdair.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=birdair.onmicrosoft.com; s=selector1-birdair-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=RQdoI7j69F4CRbuaJBrVyXpykl3Qb8dbM6oBLBk43SE=;
 b=s+GgvBW4DQh9XoMNEBuhhbf1Thtcghlnkcw9FfFYvDpEqNP0GEasCTXd+dsUaZY03rs23bsKpoI0pBUwGzKT8yxCRbF+IyCg5yC/j+K0H/L654ZJjsl9yD5xE6bR71HUpCZCU9Kns3qzojVfdXxLiQSNvA7dRu04AjRq9gjgu+Y=
Received: from DM5PR1801MB1819.namprd18.prod.outlook.com (2603:10b6:4:6b::25)
 by DM5PR1801MB2073.namprd18.prod.outlook.com (2603:10b6:4:6c::22) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2750.22; Tue, 25 Feb
 2020 19:51:06 +0000
Received: from DM5PR1801MB1819.namprd18.prod.outlook.com
 ([fe80::c85c:d0d1:45cb:34dc]) by DM5PR1801MB1819.namprd18.prod.outlook.com
 ([fe80::c85c:d0d1:45cb:34dc%3]) with mapi id 15.20.2750.021; Tue, 25 Feb 2020
 19:51:06 +0000
From: Megan Mcguire <Mmcguire@birdair.com>
To: Andrew Kowtalo <kowtaloa@lumestrategies.com>
X-Barracuda-User-Whitelist: kowtaloa@lumestrategies.com
Subject: FW: Payment Status for Sawgrass Mills Mall Invoice#3
Thread-Topic: Payment Status for Sawgrass Mills Mall Invoice#3
X-ASG-Orig-Subj: FW: Payment Status for Sawgrass Mills Mall Invoice#3
Thread-Index: AQHV6zNReDiwxkvSnUCCyFHQjkAU+agsU2FA
Date: Tue, 25 Feb 2020 19:51:06 +0000
Message-ID: <DM5PR1801MB1819F0A6569960C34A284D29DDED0@DM5PR1801MB1819.namprd18.prod.outlook.com>
References: <17078208e46.f4f3f5db51398.4056900749452283588@bigspams.com>
In-Reply-To: <17078208e46.f4f3f5db51398.4056900749452283588@bigspams.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Authentication-Results-Original: spf=none (sender IP is )
 smtp.mailfrom=Mmcguire@birdair.com; 
x-originating-ip: [71.186.228.11]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-Correlation-Id: 40e87e18-e9b4-4fd5-e88b-08d7ba2c0edc
X-MS-TrafficTypeDiagnostic: DM5PR1801MB2073:|BN6PR2201MB1137:
x-microsoft-antispam-prvs: <DM5PR1801MB2073B89B144DA90715DD5637DDED0@DM5PR1801MB2073.namprd18.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:6108;OLM:6108;
x-forefront-prvs: 0324C2C0E2
X-Forefront-Antispam-Report-Untrusted:
 SFV:NSPM;SFS:(10019020)(376002)(346002)(396003)(136003)(366004)(39830400003)(189003)(199004)(81166006)(8676002)(71200400001)(81156014)(8936002)(5660300002)(7696005)(55016002)(6916009)(15650500001)(86362001)(66616009)(76116006)(66446008)(64756008)(66556008)(66476007)(4744005)(33656002)(26005)(316002)(186003)(66946007)(53546011)(2906002)(52536014)(6506007)(9686003)(508600001);DIR:OUT;SFP:1102;SCL:1;SRVR:DM5PR1801MB2073;H:DM5PR1801MB1819.namprd18.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1;
received-spf: None (protection.outlook.com: birdair.com does not designate
 permitted sender hosts)
x-ms-exchange-senderadcheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original:
 HjiFJ6Zmu6Aq8pauY+rT2Und0Wx4jtFCbDqCwDs/BgbaToC7DEJNzfhzBlHsAclNM9FuoclbGGZA4TkK8sLAqZo1eCHEqqQI2uKMpIu8sdONMqMSNz9RqVkbnbI9sKFHB4/ppWMf9QCFg35BcIaiWB2hsO7N70GfzODL4P3gFi4riZu98rDg8q2GYX0xOwzcSf2+9oaeOZGY4Wf5svX3BqoSMFXYFwJ75jNJt5PuQqRu0+nw2olBo8dDXzKh0HzTMFjqqUWZ+lrTcfo+qiI5uzU6kuMJWnytpVWnrQD0eO+EDW150fzwL2a7iVAyIdPlZzuv+1L8Wz1/lHcaLMVtpul9+u9W1cGyEKrXezsmJVmS3XC0bO9qQwrQq1niID7I2H6VOGBT3bR67qgInk/nELFlaxr7TNhruq3diQq/cZozGRhcm1HsjRql7wgiYpdG
x-ms-exchange-antispam-messagedata: VvpMIviZL42e/o3nN22Y0NgQAXGh2vNc2c/mMAgrzshCzyGPU66d8YGJwi7CQKEbQSV9zuZm0sYdQVW441oge1jyi+3pqrAN8A78OMIRrPuVkQ+4A8/U6PGX71nIQxEdybISFO08jmMQCwBZEWXQKw==
x-ms-exchange-transport-forked: True
Content-Type: multipart/related;
	boundary="_004_DM5PR1801MB1819F0A6569960C34A284D29DDED0DM5PR1801MB1819_";
	type="multipart/alternative"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR1801MB2073
X-Barracuda-Connect: mail-bn7nam10on2120.outbound.protection.outlook.com[40.107.92.120]
X-Barracuda-Start-Time: 1582660166
X-Barracuda-Encrypted: ECDHE-RSA-AES256-GCM-SHA384
X-Barracuda-URL: https://spam.superiorgroup.com:443/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at superiorgroup.com
X-Barracuda-Scan-Msg-Size: 9334
X-Barracuda-BRTS-Status: 1
Return-Path: Mmcguire@birdair.com
X-EXCLAIMER-MD-CONFIG: 528f7f53-ad0a-4a52-b8e6-038dcd5bbf54
X-OrganizationHeadersPreserved: Exchange.superiorgroup.superior-sdc.com
X-MS-Exchange-Organization-ExpirationStartTime: 25 Feb 2020 19:51:08.6900
 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
 40e87e18-e9b4-4fd5-e88b-08d7ba2c0edc
X-EOPAttributedMessage: 0
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-CrossPremisesHeadersPromoted:
 DM3NAM05FT043.eop-nam05.prod.protection.outlook.com
X-CrossPremisesHeadersFiltered:
 DM3NAM05FT043.eop-nam05.prod.protection.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersStripped:
 DM3NAM05FT043.eop-nam05.prod.protection.outlook.com
X-Forefront-Antispam-Report:
 CIP:65.170.60.123;IPV:;CTRY:US;EFV:NLI;SFV:NSPM;SFS:(1110001)(339900001)(489007)(189003)(199004)(15650500001)(6506007)(156005)(86362001)(52536014)(33964004)(5660300002)(55016002)(7696005)(66574012)(9686003)(53546011)(6916009)(8676002)(36005)(36906005)(8936002)(8636004)(7636002)(336012)(246002)(33656002)(356004)(1096003)(5001870100001);DIR:INB;SFP:;SCL:1;SRVR:BN6PR2201MB1137;H:mail.superiorgroup.com;FPR:;SPF:Fail;LANG:en;PTR:autodiscover.superiorgroup.com,webmail.superiorgroup.com,webmail.superior-sdc.com;MX:1;A:1;
X-MS-Exchange-Organization-AuthSource: Exchange.superiorgroup.superior-sdc.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-OriginatorOrg: superiorgroup.com
X-MS-Office365-Filtering-Correlation-Id-Prvs:
 84d377c4-e7c2-4b5b-7625-08d7ba2c0d8f
X-MS-Exchange-Organization-SCL: 1
X-Microsoft-Antispam: BCL:0;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 Feb 2020 19:51:08.5950
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 40e87e18-e9b4-4fd5-e88b-08d7ba2c0edc
X-MS-Exchange-CrossTenant-Id: 5bd05357-5c48-461b-8f4a-38b232adb5bb
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=5bd05357-5c48-461b-8f4a-38b232adb5bb;Ip=[65.170.60.123];Helo=[mail.superiorgroup.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR2201MB1137
X-MS-Exchange-Transport-EndToEndLatency: 00:00:04.8127098
X-MS-Exchange-Processed-By-BccFoldering: 15.20.2750.019
X-Microsoft-Antispam-Mailbox-Delivery:
	ucf:0;jmr:0;ex:0;auth:0;dest:I;ENG:(20160514016)(750127)(520011016)(944506383)(944626516);
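Added example (not part of the original question or its answers): a Python script that lists the Received hops oldest-first and ties the SPF verdict to the hop it was evaluated against. The embedded header is a trimmed excerpt of the one posted above, and the function names are this example's own.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Excerpt of the header posted above, trimmed (TLS details and IDs dropped).
RAW = """\
Authentication-Results: spf=fail (sender IP is 65.170.60.123)
 smtp.mailfrom=birdair.com; dkim=pass (signature was verified)
 header.d=birdair.onmicrosoft.com; dmarc=none header.from=birdair.com;
Received: from mail.superiorgroup.com (65.170.60.123) by
 DM3NAM05FT043.mail.protection.outlook.com (10.152.98.112);
 Tue, 25 Feb 2020 19:51:08 +0000
Received: from mx.superiorgroup.com (10.170.60.4) by
 Exchange.superiorgroup.superior-sdc.com (10.0.1.10); Tue, 25 Feb 2020 14:51:07 -0500
Received: from NAM10-BN7-obe.outbound.protection.outlook.com
 (mail-bn7nam10on2120.outbound.protection.outlook.com [40.107.92.120])
 by mx.superiorgroup.com with ESMTP; Tue, 25 Feb 2020 14:49:26 -0500
"""

def unfold(value):
    return " ".join(value.split())  # undo header folding across lines

def hops(raw):
    """Received hops, oldest first (each relay prepends its own line)."""
    out = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        v = unfold(value)
        m = re.search(r"from (\S+) \((.*?)\) by (\S+)", v)
        when = parsedate_to_datetime(v.rsplit(";", 1)[1].strip())
        out.append({"from": m[1], "ip": m[2].split()[-1].strip("[]"),
                    "by": m[3], "utc": when.astimezone(timezone.utc).isoformat()})
    return out

def auth_results(raw):
    """spf/dkim/dmarc verdicts plus the IP that SPF was evaluated against."""
    v = unfold(message_from_string(raw)["Authentication-Results"])
    res = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", v))
    res["spf_ip"] = re.search(r"sender IP is ([0-9a-fA-F:.]+)", v)[1]
    return res

def spf_checked_hop(raw):
    """The hop whose connecting IP is the one the SPF verdict refers to."""
    ip = auth_results(raw)["spf_ip"]
    return next(h for h in hops(raw) if h["ip"] == ip)

if __name__ == "__main__":
    for h in hops(RAW):
        print(h["utc"], h["from"], h["ip"], "->", h["by"])
```

Normalizing every timestamp to UTC makes the hop order easy to check, since the relays in this header stamp in both -0500 and +0000.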
