
#1 2022-02-08 11:10 am

kmchen
Member
Registered: 2022-02-08
Posts: 1

Is it possible to find origin of SPAM attack

Hi,
One unused and forgotten SMTP server relayed 75278 mails on 2022/02/03.

Here is the header of an undeliverability message received for one of them:

    Received: from PR1P264MB3769.FRAP264.PROD.OUTLOOK.COM (2603:10a6:102:181::9)
    by PR0P264MB1530.FRAP264.PROD.OUTLOOK.COM with HTTPS; Thu, 3 Feb 2022
    09:01:44 +0000
    Received: from PR3P193CA0040.EURP193.PROD.OUTLOOK.COM (2603:10a6:102:51::15)
    by PR1P264MB3769.FRAP264.PROD.OUTLOOK.COM (2603:10a6:102:181::9) with
    Microsoft SMTP Server (version=TLS1_2,
    cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4930.15; Thu, 3 Feb
    2022 09:01:43 +0000
    Received: from PR2FRA01FT006.eop-fra01.prod.protection.outlook.com
    (2603:10a6:102:51:cafe::34) by PR3P193CA0040.outlook.office365.com
    (2603:10a6:102:51::15) with Microsoft SMTP Server (version=TLS1_2,
    cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4951.11 via Frontend
    Transport; Thu, 3 Feb 2022 09:01:43 +0000
    Authentication-Results: spf=none (sender IP is 217.72.192.102)
    smtp.helo=mout-bounce.kundenserver.de; dkim=none (message not signed)
    header.d=none;dmarc=fail action=quarantine
    header.from=le.fqdn;compauth=fail reason=000
    Received-SPF: None (protection.outlook.com: mout-bounce.kundenserver.de does
    not designate permitted sender hosts)
    Received: from mout-bounce.kundenserver.de (217.72.192.102) by
    PR2FRA01FT006.mail.protection.outlook.com (10.152.48.99) with Microsoft SMTP
    Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
    15.20.4951.12 via Frontend Transport; Thu, 3 Feb 2022 09:01:43 +0000
    Authentication-Results-Original: mqeue113.server.lan; dkim=none
    Received: from le.fqdn ([xx.xx.xx.xx]) by
    mx.kundenserver.de (mxeue111 [217.72.192.67]) with ESMTP (Nemesis) id
    1MQNyZ-1mtK911tIX-00MKM4 for plateforme@bambou.cfa-epure.com; Thu, 03 Feb
    2022 10:01:42 +0100
    Received: by le.fqdn (Postfix)
    id 39353C337A; Thu, 3 Feb 2022 10:01:32 +0100 (CET)
    Date: Thu, 3 Feb 2022 10:01:32 +0100 (CET)
    From: MAILER-DAEMON@le.fqdn (Mail Delivery System)
    Subject: Undelivered Mail Returned to Sender
    To: plateforme@bambou.cfa-epure.com
    Auto-Submitted: auto-replied
    Message-Id: 20220203090132.39353C337A@le.fqdn
    Envelope-To: plateforme@bambou.cfa-epure.com
    X-UI-Loop: V01:6QL5ZV6wwJ0=:v3y0cpIWTPOY5LC4P6hZj2MIN3KJO73uhVjJRedCZUc=
    X-Spam-Flag: NO
    X-UI-Out-Filterresults: notjunk:1;V03:K0:Gt3Q3/3n30M=:Ears1Q5hxKpDLFIwR3dWwy
    26cyhEgFcPD7bbU7ex/z3rREAWDBnQpVV6YWzIGx7j9jh5TctRsajC7d/tfupjc/i8YRmmyPj
    aKFJs8RN6uoV/pZZcim7yWMBd7cyIHS/IRt+mPW3blErmngZ/f8M9o//rZxNX7vS/QwwyEKip
    aGU6GGVEIQD0kPCwmcehdXAmyv7HK45p8eHn11DHJCIS8sY/WPtY5n2HLYLPYLxF/w95XdnU0
    O66gplbPw4hbDCkf2BEXA+CAwCpNEXyAS/j9f7npjB8fxaw/1Jn8Rp5IZ/67GOTK7WMwmCBb9
    aRi/hyZXxe6vCE8k1SVDl55WrTZCKPG1AwnsXwELDo0pk35549Mu7Xv4zvHTCBXOD1rzvO18P
    PEUyNGB2HSHe8w1D6A/cIO9xhLrUWKHSE4JKt8DYCrax8s8cc4g6I4OnVW/4Vq/cn3cElczBd
    nKE6yhyesg==
    Return-Path: <>
    X-MS-Exchange-Organization-ExpirationStartTime: 03 Feb 2022 09:01:43.4785
    (UTC)
    X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
    X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
    X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
    X-MS-Exchange-Organization-Network-Message-Id:
    a694feb1-d7a0-4c4c-3a35-08d9e6f3ccaa
    X-EOPAttributedMessage: 0
    X-EOPTenantAttributedMessage: d8fdd076-bcb9-4323-af02-1c22f8a3f5b7:0
    X-MS-Exchange-Organization-MessageDirectionality: Incoming
    X-MS-PublicTrafficType: Email
    X-MS-Exchange-Organization-AuthSource:
    PR2FRA01FT006.eop-fra01.prod.protection.outlook.com
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-MS-Office365-Filtering-Correlation-Id: a694feb1-d7a0-4c4c-3a35-08d9e6f3ccaa
    X-MS-TrafficTypeDiagnostic: PR1P264MB3769:EE_
    X-MS-Oob-TLC-OOBClassifiers: OLM:9508;
    X-MS-Exchange-Organization-SCL: 5
    X-Forefront-Antispam-Report:
    CIP:217.72.192.102;CTRY:DE;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:mout-bounce.kundenserver.de;PTR:mout-bounce.kundenserver.de;CAT:SPOOF;SFS:(13230001)(1930700014)(356005)(26005)(6266002)(1076003)(58800400005)(7596003)(7636003)(42882007)(9686003)(33964004)(336012)(83380400001)(33656002)(5660300002)(34206002)(22186003)(42186006)(8676002)(78352004)(1096003);DIR:INB;
    X-Microsoft-Antispam: BCL:0;
    X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Feb 2022 09:01:43.4004
    (UTC)
    X-MS-Exchange-CrossTenant-Network-Message-Id: a694feb1-d7a0-4c4c-3a35-08d9e6f3ccaa
    X-MS-Exchange-CrossTenant-Id: d8fdd076-bcb9-4323-af02-1c22f8a3f5b7
    X-MS-Exchange-CrossTenant-AuthSource:
    PR2FRA01FT006.eop-fra01.prod.protection.outlook.com
    X-MS-Exchange-CrossTenant-AuthAs: Anonymous
    X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
    X-MS-Exchange-Transport-CrossTenantHeadersStamped: PR1P264MB3769
    X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.2063751
    X-MS-Exchange-Processed-By-BccFoldering: 15.20.4951.012
    X-Microsoft-Antispam-Mailbox-Delivery:
    ucf:0;jmr:0;auth:0;dest:J;OFR:SpamFilterAuthJ;ENG:(910001)(944506458)(944626604)(920097)(930097)(3100021);RF:JunkEmail;
    X-Microsoft-Antispam-Message-Info:
    =?us-ascii?Q?pa5WZ1znAJz+0RVwhX+Zyddsf+RnMp5C7HZ1XFb49x5lKAfwjAfTfQPtZkvY?=
    ...
    boundary="B_3726808695_475925881"
    MIME-Version: 1.0

Is it possible to deduce that the attack came from the 217.72.192.102 & 67 IPs?

Any comment welcome.

[Mod edit: extract placed within [ code ] section].

Offline
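Reading the quoted header the way the post asks, as an added example (my code, not the poster's or the forum's): it unfolds the header fields, parses each Received: hop and lists them oldest first, then reports where the two 217.72.192.x addresses sit in the chain and what Authentication-Results says. SAMPLE_HEADERS is the bounce header from the post cut down to its routing and authentication fields, with the poster's redactions (le.fqdn, xx.xx.xx.xx) kept as posted. On these headers the earliest hop is "by le.fqdn (Postfix)" with no from clause, which is how a locally generated bounce looks; the two kundenserver.de addresses are hops the bounce passed through afterwards. The client that injected the original message is not in the NDR's top headers at all; that has to come from the relay's own mail log or from the original message the NDR carries as an attachment. Received: lines written by hosts you do not control can be forged, so the chain is only reliable from your own server outward.

```python
"""Walk the Received: chain of a bounce and report where it was injected.

Added example for this thread, not the poster's code. SAMPLE_HEADERS is the
bounce header quoted in post #1, reduced to routing and authentication fields.
Continuation lines are indented as RFC 5322 folding requires (the forum
rendering had flattened them).
"""
import re

SAMPLE_HEADERS = """\
Received: from PR2FRA01FT006.eop-fra01.prod.protection.outlook.com
 (2603:10a6:102:51:cafe::34) by PR3P193CA0040.outlook.office365.com
 (2603:10a6:102:51::15) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4951.11 via Frontend
 Transport; Thu, 3 Feb 2022 09:01:43 +0000
Authentication-Results: spf=none (sender IP is 217.72.192.102)
 smtp.helo=mout-bounce.kundenserver.de; dkim=none (message not signed)
 header.d=none;dmarc=fail action=quarantine
 header.from=le.fqdn;compauth=fail reason=000
Received: from mout-bounce.kundenserver.de (217.72.192.102) by
 PR2FRA01FT006.mail.protection.outlook.com (10.152.48.99) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.4951.12 via Frontend Transport; Thu, 3 Feb 2022 09:01:43 +0000
Received: from le.fqdn ([xx.xx.xx.xx]) by
 mx.kundenserver.de (mxeue111 [217.72.192.67]) with ESMTP (Nemesis) id
 1MQNyZ-1mtK911tIX-00MKM4 for plateforme@bambou.cfa-epure.com; Thu, 03 Feb
 2022 10:01:42 +0100
Received: by le.fqdn (Postfix)
 id 39353C337A; Thu, 3 Feb 2022 10:01:32 +0100 (CET)
Return-Path: <>
"""

FIELD_START = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:")
IP_RE = re.compile(r"((?:\d{1,3}\.){3}\d{1,3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:]+)")
RECEIVED_RE = re.compile(
    r"^Received:\s*(?:from\s+(?P<from>\S+)(?:\s*\((?P<info>[^)]*)\))?)?"
    r".*?\bby\s+(?P<by>\S+)(?:\s*\((?P<by_info>[^)]*)\))?"
    r".*?;\s*(?P<date>.+)$"
)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)")


def unfold(raw):
    """Join folded header lines into one logical field each. Leading whitespace
    is the RFC 5322 rule; as a fallback for flattened pastes, a line that does
    not start with 'Field-Name:' is also treated as a continuation (heuristic:
    it misfires on a continuation that itself begins with 'word:')."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if fields and (line[0] in " \t" or not FIELD_START.match(line)):
            fields[-1] += " " + line.strip()
        else:
            fields.append(line.strip())
    return fields


def _ip(text):
    m = IP_RE.search(text or "")
    return m.group(1) if m else None


def trace(raw):
    """Received: hops in chronological order (oldest first). Each hop records the
    claimed sending host, the IP the receiver saw, and the receiving host. Only
    hops stamped by servers you trust are reliable; anything earlier can be forged."""
    hops = []
    for field in unfold(raw):
        m = RECEIVED_RE.match(field)
        if m:
            hops.append({"from": m.group("from"), "from_ip": _ip(m.group("info")),
                         "by": m.group("by"), "by_ip": _ip(m.group("by_info")),
                         "date": m.group("date").strip()})
    hops.reverse()  # each receiver prepends its line, so header order is newest-first
    return hops


def origin(hops):
    """Earliest hop. No 'from' clause means the message was generated on that host
    (a locally created bounce) rather than accepted over SMTP from a client."""
    first = hops[0]
    return {"host": first["from"] or first["by"], "ip": first["from_ip"],
            "generated_locally": first["from"] is None}


def roles_of(hops, ip):
    """Where an address appears in the chain, as (hop index, 'sender'|'receiver')."""
    return ([(i, "sender") for i, h in enumerate(hops) if h["from_ip"] == ip]
            + [(i, "receiver") for i, h in enumerate(hops) if h["by_ip"] == ip])


def auth_results(raw):
    """spf/dkim/dmarc/compauth verdicts from the receiver's Authentication-Results."""
    for field in unfold(raw):
        if field.lower().startswith("authentication-results:"):
            return dict(AUTH_RE.findall(field))
    return {}


if __name__ == "__main__":
    hops = trace(SAMPLE_HEADERS)
    for i, h in enumerate(hops):
        print(f"hop {i}: {h['from'] or '(generated)'} [{h['from_ip']}] -> "
              f"{h['by']} [{h['by_ip']}]  {h['date']}")
    print("origin:", origin(hops))
    for ip in ("217.72.192.102", "217.72.192.67"):
        print(ip, "appears as", roles_of(hops, ip))
    print("auth:", auth_results(SAMPLE_HEADERS))
```

Run it as a script to print the chain; to apply it to your own bounce, paste the full header into SAMPLE_HEADERS (or read it from a file) and look at hop 0. The spf=none / dmarc=fail verdicts explain why Microsoft quarantined the bounce: the MAILER-DAEMON From: domain is the relay's own, and it publishes no SPF or DKIM for mail leaving via kundenserver.de.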

#2 2022-02-08 11:36 am

Alex Kemp
Moderator
From: Nottingham, England
Registered: 2009-12-02
Posts: 2,423
Website

Re: Is it possible to find origin of SPAM attack

This is Stop Forum Spam, not Stop Email Spam. We cannot help you any further.

Offline
