Forum Discussion
SMTP via User
Original Message Headers
Received: from BN3PR11CA0018.namprd11.prod.outlook.com
(2a01:111:e400:51e4::28) by SN1PR11MB0574.namprd11.prod.outlook.com
(2a01:111:e400:530f::21) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.548.13; Wed, 7
Mar 2018 15:43:47 +0000
Received: from DM3NAM05FT022.eop-nam05.prod.protection.outlook.com
(2a01:111:f400:7e51::208) by BN3PR11CA0018.outlook.office365.com
(2a01:111:e400:51e4::28) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.567.14 via Frontend
Transport; Wed, 7 Mar 2018 15:43:47 +0000
Authentication-Results: spf=neutral (sender IP is 66.111.4.221)
smtp.mailfrom=risebakingcompany.com; risebakingcompany.com; dkim=pass
(signature was verified) header.d=messagingengine.com;risebakingcompany.com;
dmarc=none action=none header.from=risebakingcompany.com;
Received-SPF: Neutral (protection.outlook.com: 66.111.4.221 is neither
permitted nor denied by domain of risebakingcompany.com)
Received: from new1-smtp.messagingengine.com (66.111.4.221) by
DM3NAM05FT022.mail.protection.outlook.com (10.152.98.132) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.548.7 via Frontend Transport; Wed, 7 Mar 2018 15:43:46 +0000
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47])
by mailnew.nyi.internal (Postfix) with ESMTP id 573EE10F1
for <email address removed for privacy reasons>; Wed, 7 Mar 2018 10:43:46 -0500 (EST)
Received: from frontend1 ([10.202.2.160])
by compute7.internal (MEProxy); Wed, 07 Mar 2018 10:43:46 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
messagingengine.com; h=content-transfer-encoding:content-type
:date:from:message-id:mime-version:reply-to:subject:to
:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=J5yc94p8OcoMielqo
weJHr1/JS5dWOFLsW5ZI0n+giI=; b=Sros9ppkL1hz/XZGS/A7gcjWZy4Q1fdOB
376jMEyio6zHl6jbNQdux/qAwsnrtTXqJr3IJqkjpOefkZ+hCO9buu7z+X5CEOZo
FdwSzzmwQHgkZ6D+XMd/rUXXG0votMRAOUZErS1DdUTm64YZu6o+74Ti/I+DNPt/
HCHaK5JxzYtIhk6Dydy0kXWL4IYx+zKoJJ+h90brysy6hk9l1L+FK4Lo1QjEgk4G
t1w2MvwgjPaBRibLVwoZ5ic9DyYtXtoQdOEF4xNfvC7wSE4apAF2RqJZCc+I+YEQ
lRVnPrD2Mt5s5WTgpIumqC2c14bJFNHz9PGzRn+sckLvLIroqZ9xA==
X-ME-Sender: <xms:sgigWt3l2Il5qJP0vi8x-g3P3mmsCsFjIkz3MPBYz2AwZZnY_PnjZA>
Received: from Ms-MacBook.local (unknown [23.108.31.122])
by mail.messagingengine.com (Postfix) with ESMTPA id 9D2167E660
for <email address removed for privacy reasons>; Wed, 7 Mar 2018 10:43:45 -0500 (EST)
Reply-To: email address removed for privacy reasons
To: email address removed for privacy reasons
From: Chris YYYYY <email address removed for privacy reasons>
Subject: Kindly get back
Message-ID: <email address removed for privacy reasons>
Date: Wed, 7 Mar 2018 10:43:44 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0)
Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Return-Path: email address removed for privacy reasons
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 9c9ca00d-d89b-441e-a989-1ae7f6387804:0
X-Forefront-Antispam-Report: CIP:66.111.4.221;IPV:NLI;CTRY:US;EFV:NLI;
X-Microsoft-Exchange-Diagnostics: 1;DM3NAM05FT022;1:22KTfsIJsrHtk/9hXI7qkXbLBstTxAbLpPufCoqKHWGJ4egiyN9wLIV2Evy2BOE4ZyF7IR3XeGyx94qwyUTSJ4yzyLM4x1stQhhuaziR6t+CkNW6DCOra22VCBBlc7/L
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: c30401f0-1aeb-4fd8-d598-08d58442372f
X-Microsoft-Antispam:
UriScan:;BCL:0;PCL:0;RULEID:(7020095)(5600026)(4604075)(4605076)(1401096)(8001031)(1405069)(71702078);SRVR:SN1PR11MB0574;
X-Microsoft-Exchange-Diagnostics:
1;SN1PR11MB0574;3:JnjkmfARjIFKfRcfYH04lGJThsNTuDO2UXaa3HxjtBYDGHgp2u8EIwEVE7vdskPBMjMNYbTuTsGpy+Gm/28pnLF5t2J9NubNlIao4u43MQ2Z3QvkUNX7/iXeXqZ/3iuDYibXCqyQgg+IqpUoXisn88d9eJY2ScT4OZ2N6QTgpMyiwE2/Mcx5GrDV66e94aIDc79i1zPw9+NA89HB0sntt8lxyC6ksaNFnNrFwuMyVF+fl+U/sqExp1wlZjrxUpNrEpmMbDPMjFQE8zqRLhGwz4XAiWOJwM+GyC5C6J0mpxt9cAbW83sRkGUFlbgSz3L2xQKMMGWLkMkD9ZFXd0WgcOnLHphjkWihyv5ZYZjM014=;25:t4rn8dm6J9zqIzoLygCSGsmXepkYJWl+eJTmJ57mzPdsJaBI5uVSYNRp88A5rH0OoCnKcK5iuclzKOVzyAJZ54mA8HUBHtQ+DQVRr5aXpHGy85COQ3XFWBkeVlqedreVIqpK6ubd83vzJUc/7axsFWityzAudHxnqL9QXe4jJxAy1okbCJpAFK65Quk+RQfB9eJbqlq5RIH921S8YjhxswZ65/sok4+gTFmJ31rI0Q3eQpzUjcB1TLExVCw2biqGvKXyAvYxfOuBl7vLYDorbRBUePkzbGJlPf7O89HBeO5C08pQ9Bln0fwqTklt7uC68Vlk0n4UYG42ZoSPEyacow==
X-MS-TrafficTypeDiagnostic: SN1PR11MB0574:
Thanks!!
Labels: Exchange Office 365
7 Replies
Anonymous replied to Tyler Miller
Mar 07 2018 12:05 PM - edited Mar 07 2018 12:07 PM
Looks like a typical spoof attempt to me. Anyone can send anything as anyone on the internet when it comes to SMTP. I could pop out to my SMTP server and send an e-mail as email address removed for privacy reasons if I wanted to, to anyone I wanted. If they aren't using DKIM or SPF etc. it could very well get through, but in this case it was blocked and returned to whom the message was set as the from address.