<div dir="ltr">OK, so this was an "outgoing" email from you, not inbound. (and by that, I don't mean to imply that it went anywhere near your actual mail server)<div><br></div><div>Back to your original header of interest :<br><div><br></div><div><span style="font-size:12.8px">Received: from </span><a href="http://ali-syd-1.albury.net.au/" rel="noreferrer" style="font-size:12.8px" target="_blank">ali-syd-1.albury.net.au</a><span style="font-size:12.8px"> (208.117.108.170) by</span><br style="font-size:12.8px"><a href="http://bn1bffo11fd024.mail.protection.outlook.com/" rel="noreferrer" style="font-size:12.8px" target="_blank">BN1BFFO11FD024.mail.protection.outlook.com</a><span style="font-size:12.8px"> (10.58.144.87) with Microsoft SMTP Server (TLS) id 15.1.286.14 via Frontend Transport; Tue, 6 Oct 2015 10:43:53 +0000</span><br></div><div><br></div><div>The first bit, "from <a href="http://ali-syd-1.albury.net.au" target="_blank">ali-syd-1.albury.net.au</a> (208.117.108.170)" means that, as I think someone else said, this came from the host at 208.117.108.170, which identified itself as "<a href="http://ali-syd-1.albury.net.au" target="_blank">ali-syd-1.albury.net.au</a>" in the HELO/EHLO.</div></div><div><br></div><div>Next, "by <a href="http://BN1BFFO11FD024.mail.protection.outlook.com">BN1BFFO11FD024.mail.protection.outlook.com</a> (10.58.144.87)" that's the host that received it, but logging it's "local" IP address. Clearly it's behind Reverse NAT/Port forwarding/etc, so that IP isn't of interest to anyone but Microsoft.</div><div><br></div><div>But all up, that header is valid, and was added by Microsoft/Outlook. You can be sure of that based on the headers that come after it (going up), which are clearly internal Outlook.com headers.</div><div><br></div><div>The headers below this one are bogus. It's nothing new - include some additional headers, often actually taken from a real message but with the timestamp (and sometimes, but not always, message-id) modified. In theory it makes the message seem more legitimate, and some very broken anti-spam systems will follow down to what appears to be the last legitimate header with public IP (which in this case is 202.3.36.15) and then do a reputation check on that IP - which not surprisingly returns a good reputation on every system I checked.</div><div><br></div><div> Scott</div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 6, 2015 at 5:28 PM, Ross Wheeler <span dir="ltr"><<a href="mailto:ausnog@rossw.net" target="_blank">ausnog@rossw.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
On Tue, 6 Oct 2015, Scott Howard wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
The next header in the chain will reveal all. Is there a reason you didn't<br>
include it?<br>
</blockquote>
<br>
Only that it was a scree-shot and I didn't feel like typing it ALL back in :)<br>
<br>
Here it is, with only a few bits obfuscated to preserve the recipients identity.<br>
<br>
<a href="http://support.rossw.net/spam-7oct2015.gif" rel="noreferrer" target="_blank">http://support.rossw.net/spam-7oct2015.gif</a><br>
<br>
Things worthy of pointing out:<br>
1. The alleged sender doesn't use Thunderbird.<br>
2. My mail server doesn't have a timezone of +0100<br>
3. None of the mail IDs that claim to be associated with this appear in my maillogs<br>
4. No mail to or from this domain were offered to, received by or sent from my mail server on within 24 hours of this time.<br>
<br>
I wasn't so much concerned about the spam itself, as I was about something I haven't previously observed.<br>
<br>
R.<br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</blockquote></div><br></div>