SMTP via User
Original Message Headers
Received: from BN3PR11CA0018.namprd11.prod.outlook.com
(2a01:111:e400:51e4::28) by SN1PR11MB0574.namprd11.prod.outlook.com
(2a01:111:e400:530f::21) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.548.13; Wed, 7
Mar 2018 15:43:47 +0000
Received: from DM3NAM05FT022.eop-nam05.prod.protection.outlook.com
(2a01:111:f400:7e51::208) by BN3PR11CA0018.outlook.office365.com
(2a01:111:e400:51e4::28) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.567.14 via Frontend
Transport; Wed, 7 Mar 2018 15:43:47 +0000
Authentication-Results: spf=neutral (sender IP is 66.111.4.221)
smtp.mailfrom=risebakingcompany.com; risebakingcompany.com; dkim=pass
(signature was verified) header.d=messagingengine.com;risebakingcompany.com;
dmarc=none action=none header.from=risebakingcompany.com;
Received-SPF: Neutral (protection.outlook.com: 66.111.4.221 is neither
permitted nor denied by domain of risebakingcompany.com)
Received: from new1-smtp.messagingengine.com (66.111.4.221) by
DM3NAM05FT022.mail.protection.outlook.com (10.152.98.132) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.548.7 via Frontend Transport; Wed, 7 Mar 2018 15:43:46 +0000
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47])
by mailnew.nyi.internal (Postfix) with ESMTP id 573EE10F1
for <email address removed for privacy reasons>; Wed, 7 Mar 2018 10:43:46 -0500 (EST)
Received: from frontend1 ([10.202.2.160])
by compute7.internal (MEProxy); Wed, 07 Mar 2018 10:43:46 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
messagingengine.com; h=content-transfer-encoding:content-type
:date:from:message-id:mime-version:reply-to:subject:to
:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=J5yc94p8OcoMielqo
weJHr1/JS5dWOFLsW5ZI0n+giI=; b=Sros9ppkL1hz/XZGS/A7gcjWZy4Q1fdOB
376jMEyio6zHl6jbNQdux/qAwsnrtTXqJr3IJqkjpOefkZ+hCO9buu7z+X5CEOZo
FdwSzzmwQHgkZ6D+XMd/rUXXG0votMRAOUZErS1DdUTm64YZu6o+74Ti/I+DNPt/
HCHaK5JxzYtIhk6Dydy0kXWL4IYx+zKoJJ+h90brysy6hk9l1L+FK4Lo1QjEgk4G
t1w2MvwgjPaBRibLVwoZ5ic9DyYtXtoQdOEF4xNfvC7wSE4apAF2RqJZCc+I+YEQ
lRVnPrD2Mt5s5WTgpIumqC2c14bJFNHz9PGzRn+sckLvLIroqZ9xA==
X-ME-Sender: <xms:sgigWt3l2Il5qJP0vi8x-g3P3mmsCsFjIkz3MPBYz2AwZZnY_PnjZA>
Received: from Ms-MacBook.local (unknown [23.108.31.122])
by mail.messagingengine.com (Postfix) with ESMTPA id 9D2167E660
for <email address removed for privacy reasons>; Wed, 7 Mar 2018 10:43:45 -0500 (EST)
Reply-To: email address removed for privacy reasons
To: email address removed for privacy reasons
From: Chris YYYYY <email address removed for privacy reasons>
Subject: Kindly get back
Message-ID: <email address removed for privacy reasons>
Date: Wed, 7 Mar 2018 10:43:44 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0)
Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Return-Path: email address removed for privacy reasons
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 9c9ca00d-d89b-441e-a989-1ae7f6387804:0
X-Forefront-Antispam-Report: CIP:66.111.4.221;IPV:NLI;CTRY:US;EFV:NLI;
X-Microsoft-Exchange-Diagnostics: 1;DM3NAM05FT022;1:22KTfsIJsrHtk/9hXI7qkXbLBstTxAbLpPufCoqKHWGJ4egiyN9wLIV2Evy2BOE4ZyF7IR3XeGyx94qwyUTSJ4yzyLM4x1stQhhuaziR6t+CkNW6DCOra22VCBBlc7/L
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: c30401f0-1aeb-4fd8-d598-08d58442372f
X-Microsoft-Antispam:
UriScan:;BCL:0;PCL:0;RULEID:(7020095)(5600026)(4604075)(4605076)(1401096)(8001031)(1405069)(71702078);SRVR:SN1PR11MB0574;
X-Microsoft-Exchange-Diagnostics:
1;SN1PR11MB0574;3:JnjkmfARjIFKfRcfYH04lGJThsNTuDO2UXaa3HxjtBYDGHgp2u8EIwEVE7vdskPBMjMNYbTuTsGpy+Gm/28pnLF5t2J9NubNlIao4u43MQ2Z3QvkUNX7/iXeXqZ/3iuDYibXCqyQgg+IqpUoXisn88d9eJY2ScT4OZ2N6QTgpMyiwE2/Mcx5GrDV66e94aIDc79i1zPw9+NA89HB0sntt8lxyC6ksaNFnNrFwuMyVF+fl+U/sqExp1wlZjrxUpNrEpmMbDPMjFQE8zqRLhGwz4XAiWOJwM+GyC5C6J0mpxt9cAbW83sRkGUFlbgSz3L2xQKMMGWLkMkD9ZFXd0WgcOnLHphjkWihyv5ZYZjM014=;25:t4rn8dm6J9zqIzoLygCSGsmXepkYJWl+eJTmJ57mzPdsJaBI5uVSYNRp88A5rH0OoCnKcK5iuclzKOVzyAJZ54mA8HUBHtQ+DQVRr5aXpHGy85COQ3XFWBkeVlqedreVIqpK6ubd83vzJUc/7axsFWityzAudHxnqL9QXe4jJxAy1okbCJpAFK65Quk+RQfB9eJbqlq5RIH921S8YjhxswZ65/sok4+gTFmJ31rI0Q3eQpzUjcB1TLExVCw2biqGvKXyAvYxfOuBl7vLYDorbRBUePkzbGJlPf7O89HBeO5C08pQ9Bln0fwqTklt7uC68Vlk0n4UYG42ZoSPEyacow==
X-MS-TrafficTypeDiagnostic: SN1PR11MB0574:
Thanks!!
Labels: Exchange Office 365
Anonymous replied to Tyler Miller
Mar 07 2018 12:05 PM - edited Mar 07 2018 12:07 PM
Looks like a typical spoof attempt to me. Anyone can send anything as anyone on the internet when it comes to SMTP. I could pop out to my SMTP server and send an e-mail as email address removed for privacy reasons if I wanted to, to anyone I wanted. If they aren't using DKIM or SPF etc. it could very well get through, but in this case it was blocked and returned to whom the message was set as the from address.
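To make the Authentication-Results line from the quoted headers concrete, here is an added example (not part of the thread) that parses that value and applies DMARC identifier alignment: DKIM passed, but for messagingengine.com rather than the From domain, and SPF was only neutral, so nothing vouches for risebakingcompany.com. The organizational-domain reduction is a labelled simplification of the Public Suffix List lookup a real evaluator performs.

```python
import re

# Authentication-Results value copied from the headers quoted in the thread above
SAMPLE_AUTH_RESULTS = (
    "spf=neutral (sender IP is 66.111.4.221) smtp.mailfrom=risebakingcompany.com; "
    "risebakingcompany.com; dkim=pass (signature was verified) "
    "header.d=messagingengine.com;risebakingcompany.com; "
    "dmarc=none action=none header.from=risebakingcompany.com;"
)

def parse_auth_results(value: str) -> dict:
    """Map each method (spf/dkim/dmarc) to (result, identifier domain).
    Clauses without a method=result pair (the stray 'risebakingcompany.com;'
    above) are ignored."""
    parsed = {}
    for clause in value.split(";"):
        head = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
        if not head:
            continue
        ident = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)", clause)
        parsed[head.group(1)] = (head.group(2).lower(),
                                 ident.group(1).lower() if ident else None)
    return parsed

def org_domain(domain: str) -> str:
    """Simplification (assumption): last two labels. Real evaluators use the
    Public Suffix List, so this is wrong for e.g. example.co.uk."""
    return ".".join(domain.split(".")[-2:])

def dmarc_alignment(ar: dict, strict: bool = False) -> dict:
    """DMARC identifier alignment: an SPF or DKIM pass only counts when its
    domain aligns with the RFC5322.From domain (header.from)."""
    from_domain = ar.get("dmarc", ("none", None))[1]

    def aligned(domain):
        if not domain or not from_domain:
            return False
        return domain == from_domain if strict else org_domain(domain) == org_domain(from_domain)

    spf_result, spf_domain = ar.get("spf", ("none", None))
    dkim_result, dkim_domain = ar.get("dkim", ("none", None))
    spf_ok = spf_result == "pass" and aligned(spf_domain)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain)
    return {
        "from_domain": from_domain,
        "spf_aligned_pass": spf_ok,       # neutral is not a pass
        "dkim_aligned_pass": dkim_ok,     # pass, but d= is the relay's domain, not From
        "dmarc_pass": spf_ok or dkim_ok,  # False here: nothing vouches for header.from
    }
```

With dmarc=none there was no published policy to enforce, so the receiver was left to its own spam heuristics; publishing an SPF record and a DMARC policy for the From domain is what turns this misaligned result into a reject.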
- Tyler Miller, Mar 07, 2018, Brass Contributor
This is hard for me to believe, simply because I have devices on my network that I have set up to send alerts via SMTP, and if I do not authenticate as the same email as the sender it fails to send the email. SMTP via O365 seems to be very picky on what it accepts, simply because SMTP used to be so open and allow for anyone to send anything. I thought that was fixed now.
- Deleted, Mar 07, 2018
This email originated from some other IP outside of 365. You don't have to use their servers to send as their domains.
- Tyler Miller, Mar 07, 2018, Brass Contributor
So you are saying that their servers allowed them to send email from our O365 domain to us, using their SMTP servers, not ours? If so, wouldn't it show the email address they used to authenticate against their SMTP server, or they just sent it anonymously with no authentication?
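Tyler's question about what the headers reveal, taken up here with an added example that is not part of the thread: it walks the Received chain quoted in the original post (oldest hop first) and flags a hop as authenticated submission when its protocol token is ESMTPA or ESMTPSA (RFC 3848). The headers record the submitting client's IP and that SMTP AUTH was used at mail.messagingengine.com, but not the account name; the hop into Outlook is the one SPF was evaluated against.

```python
import re

# Received headers copied from the thread above, in header order (newest first)
SAMPLE_RECEIVED = [
    "from new1-smtp.messagingengine.com (66.111.4.221) by "
    "DM3NAM05FT022.mail.protection.outlook.com (10.152.98.132) with Microsoft SMTP "
    "Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.548.7",
    "from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailnew.nyi.internal "
    "(Postfix) with ESMTP id 573EE10F1",
    "from frontend1 ([10.202.2.160]) by compute7.internal (MEProxy)",
    "from Ms-MacBook.local (unknown [23.108.31.122]) by mail.messagingengine.com "
    "(Postfix) with ESMTPA id 9D2167E660",
]

AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA"}  # RFC 3848 "with" tokens meaning SMTP AUTH was used

def parse_hop(received: str) -> dict:
    """Extract sending host, its IP, receiving host and whether the hop was
    an authenticated submission. Simplified: assumes one ' by ' per header."""
    head, _, rest = received.partition(" by ")
    helo = re.match(r"from\s+(\S+)", head)
    ip = re.search(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", head)
    by = re.match(r"\s*(\S+)", rest)
    proto = re.search(r"\bwith\s+(\S+)", rest)
    return {
        "from": helo.group(1) if helo else None,
        "ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
        "authenticated_submission": bool(proto) and proto.group(1).upper() in AUTH_PROTOCOLS,
    }

def trace(received_headers: list) -> list:
    """Hops oldest-first: each relay prepends its Received header, so the
    last one in the message is the original submission."""
    return [parse_hop(h) for h in reversed(received_headers)]

def handoff_to(received_headers: list, receiver_suffix: str) -> dict:
    """The hop delivered into the receiving organisation; its IP is the one
    SPF checks (compare 'sender IP is 66.111.4.221' in Authentication-Results)."""
    for hop in trace(received_headers):
        if hop["by"] and hop["by"].endswith(receiver_suffix):
            return hop
    return {}
```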