Missing Headers
Question asked by Jay Dubb - 9/13/2023 at 6:32 AM
Here's one we haven't seen before.  Headers in a spam message (the recipient was a BCC):

Received: from [85.209.176.115] (port=65243) by sv01.gofox.pt with esmtpa (Exim 4.96) (envelope-from <stthomashospitaluk66@gmail.com>) id 1qgFf7-0004By-2G; Wed, 13 Sep 2023 03:31:28 +0100
From: "St. Thomas' Hospital" <stthomashospitaluk66@gmail.com>
To: Recipients <stthomashospitaluk66@gmail.com>
Subject: Job Vacancy
Date: Tue, 12 Sep 2023 19:31:21 -0700

But we have 89.209.176.0/21 blocked in the firewall.  We wondered how it got past the firewall block rule, until we looked at the server's SMTP log for the transaction and found:

[2023.09.12] 22:31:29.373 [94.46.23.119][24418393] cmd: EHLO sv01.gofox.pt
[2023.09.12] 22:31:30.014 [94.46.23.119][24418393] cmd: MAIL FROM:<stthomashospitaluk66@gmail.com> SIZE=5853
So now we're curious how the sending server at 94.46.23.119 was able to deliver a message while the headers show 85.209.176.115 as the last MX to have touched the message.  If SmarterMail received it from 94.46.23.119, why was that shown in the SMTP log but NOT added to the message headers?
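As an added example that is not part of the thread, the following Python check reconciles the topmost Received header against the EHLO line in the SMTP log; the log line format is assumed from the lines quoted above, and the function names are my own.

```python
import re
from email import message_from_string
# Constructed sample input: the header block quoted in the question, as an RFC 5322 message.
RAW_MESSAGE = """\
Received: from [85.209.176.115] (port=65243) by sv01.gofox.pt with esmtpa (Exim 4.96) (envelope-from <stthomashospitaluk66@gmail.com>) id 1qgFf7-0004By-2G; Wed, 13 Sep 2023 03:31:28 +0100
From: "St. Thomas' Hospital" <stthomashospitaluk66@gmail.com>
To: Recipients <stthomashospitaluk66@gmail.com>
Subject: Job Vacancy
Date: Tue, 12 Sep 2023 19:31:21 -0700
"""
# Constructed sample input: the EHLO line of the SMTP log quoted in the question.
SMTP_LOG = "[2023.09.12] 22:31:29.373 [94.46.23.119][24418393] cmd: EHLO sv01.gofox.pt\n"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "from [ip] ... by host" in a Received header (an optional hostname may precede the bracketed IP)
RECEIVED_RE = re.compile(r"from\s+(?:\S+\s+)?\[(" + IPV4 + r")\].*?\bby\s+(\S+)", re.S)
# SmarterMail-style log line (assumed format): [date] time [client-ip][session-id] cmd: EHLO name
EHLO_RE = re.compile(r"\[(" + IPV4 + r")\]\[\d+\]\s+cmd:\s+EHLO\s+(\S+)")

def parse_received_hops(raw_message):
    # [(from_ip, by_host), ...] per Received header, topmost (most recently added) first
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append((m.group(1), m.group(2).lower()))
    return hops

def parse_ehlo(smtp_log):
    # (connecting_ip, ehlo_name) from the first EHLO line in the log, else (None, None)
    for line in smtp_log.splitlines():
        m = EHLO_RE.search(line)
        if m:
            return m.group(1), m.group(2).lower()
    return None, None

def reconcile(raw_message, smtp_log):
    # Compare the topmost Received header with the client the SMTP log actually saw.
    hops = parse_received_hops(raw_message)
    conn_ip, ehlo_name = parse_ehlo(smtp_log)
    top_from, top_by = hops[0] if hops else (None, None)
    return {
        "header_last_hop_ip": top_from,   # IP the topmost Received header says handed the mail over
        "header_by_host": top_by,         # host that header credits with receiving it
        "log_connecting_ip": conn_ip,     # IP that really connected, per the SMTP log
        "ehlo_name": ehlo_name,
        # The receiver's own Received header should sit on top and name conn_ip; if it does not, that
        # header is missing from the quote or everything below it was written by someone else.
        "top_hop_matches_log": top_from == conn_ip,
        # The client announced itself as the very relay the header credits: relay impersonation.
        "ehlo_claims_header_relay": ehlo_name is not None and ehlo_name == top_by,
    }
```

On the quoted data it reports that the topmost header's "from" IP (85.209.176.115) does not match the connecting IP in the log (94.46.23.119), while the EHLO name equals the "by" host, i.e. the client presented itself as sv01.gofox.pt. The header that the receiving server itself would have added for the 94.46.23.119 connection is what to look for at the very top of the full, unquoted header set.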
 

1 Reply

Kyle Kerst Replied
Employee Post
Hey Jay! To give you a solid answer on how this was possible we'd need to look at the whole session in the SMTP/Delivery and Spam Checks logging unfortunately. But, it looks like someone at Gmail passed you a spoofed EML, which is a rising complaint on the Gmail/Google email server network. These types of attempts are particularly crafty so they can take some investigation to find a pattern. Can you guys submit a ticket on this one please?
Kyle Kerst System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
