
I got sent an email from someone in response to an over 2 year old exchange, and the contents of it look like spam to me.

Checking the headers the following looks normal:

Return-Path Received & Received-SPF:

Received: from gateway34.websitewelcome.com (gateway34.websitewelcome.com. [192.185.150.114])
    by mx.google.com with ESMTPS id v2si12361706otn.296.2021.03.09.10.56.01
    for <[my email redacted]>
    (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
    Tue, 09 Mar 2021 10:56:01 -0800 (PST)
Received-SPF: pass (google.com: domain of [real user email redacted] designates 192.185.150.114 as permitted sender) client-ip=192.185.150.114;

Authentication-Results and others:

Authentication-Results: mx.google.com;
   dkim=pass header.i=@[user real domain redacted] header.s=default header.b=i7HIMnGa;
   spf=pass (google.com: domain of [real user email redacted] designates 192.185.150.114 as permitted sender) smtp.mailfrom=[real user email redacted]
Received: from cm10.websitewelcome.com (cm10.websitewelcome.com [100.42.49.4])
by gateway34.websitewelcome.com (Postfix) with ESMTP id 670551B8D18
for <[my user email redacted]>; Tue,  9 Mar 2021 12:55:59 -0600 (CST)
Received: from box2063.bluehost.com ([67.222.39.95])
by cmsmtp with SMTP
id JhWQlljlHkscSJhWRlkpRs; Tue, 09 Mar 2021 12:55:59 -0600
X-Authority-Reason: nr=8
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=[real user domain redacted]; s=default; h=Content-Transfer-Encoding:Content-Type
:Message-ID:Date:References:In-Reply-To:Subject:To:From:MIME-Version:Sender:
Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From:
Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:
List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
bh=[string redacted, unsure if safe to post]

This one looks dodgy? (As it appears to originate from France, not the country the actual sender is in, nor websitewelcome, and probably not bluehost either.)

Received: from lfbn-poi-1-1523-161.w109-220.abo.wanadoo.fr ([109.220.87.161]:64877 helo=[169.254.135.18])
by box2063.bluehost.com with esmtpsa  (TLS1.2) tls TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.93)
(envelope-from <[real user email redacted]>)
id 1lJhWQ-000Icb-El
for [my email redacted]; Tue, 09 Mar 2021 11:55:58 -0700

X-Headers: The X-Source-IP and X-Source-Sender look dodgy.

X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - box2063.bluehost.com
X-AntiAbuse: Original Domain - [my domain name redacted]
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - [real user domain name redacted]
X-BWhitelist: no
X-Source-IP: 109.220.87.161
X-Source-L: No
X-Exim-ID: 1lJhWQ-000Icb-El
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: lfbn-poi-1-1523-161.w109-220.abo.wanadoo.fr ([169.254.135.18]) [109.220.87.161]:64877
X-Source-Auth: [real user email redacted]
X-Email-Count: 37
X-Source-Cap: [redacted, unsure if safe to include]
X-Local-Domain: yes

Reading this page, the Return-Path and Received-SPF appear to be fine and I don't appear to have any X-Sender headers; however, I do have an X-Source-Sender that doesn't look right?

Because they appear to have been able to reply to an actual email thread I had with the other real user, is one of our devices infected? How were they able to send this?

It appears to be this scam:

https://blogs.k-state.edu/scams/2020/01/31/phishing-scam-01-31-2020-re-03-25-2018-password-change-deadline-for-eid/

However, the content of the new email ends where they mention the password.

Brett
  • I have no idea what you are trying to show with all these data. It is unclear what exactly you think was spoofed here and it is unclear why you think specific headers look dodgy - you simply state that they do in your opinion without giving any reason. Also, there is not even a `From` header shown, so what kind of spoofing do you talk about? If you talk about spoofing the envelope from, then you stated yourself that this is not spoofed (*"Return-Path .. appear to be fine"*) – Steffen Ullrich Mar 09 '21 at 21:02
  • They look dodgy because they appear to originate from France, not the country of the sender or websitewelcome and probably not bluehost either. I have updated my post. What type of spoofing? I'm not sure, all I know is it appears to come from a specific person, but it isn't as it's clearly a spam email. – Brett Mar 09 '21 at 22:01
  • 1
    *"Because they appear to have been able to reply to an actual email thread I had with the other real user, is one of our devices infected?"* - Possible duplicate of [How could the content of an e-mail get leaked?](https://security.stackexchange.com/questions/239100/how-could-the-content-of-an-e-mail-get-leaked), – Steffen Ullrich Mar 09 '21 at 22:21
  • Can you include the full headers of the "dodgy" email? The hops (Received headers) will tell you where the email originated from. The Authentication-Results will tell you how the authentication was perceived by your system. So if SPF and / or DKIM pass, you might have a compromised user account issue. And thus no spoofing, but the actual account sending those emails, from a client connecting from France. – Reinto Apr 20 '21 at 09:23

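The triage Reinto describes (walk the Received hops to the originating client, then read Authentication-Results) can be done mechanically. The script below is an added example, not part of the question or any answer; the header sample is constructed from the headers quoted above with the redacted addresses replaced by `example.com` / `example.net` placeholders, and the helper names (`parse_hops`, `auth_results`, `triage`) are the author's own.

```python
import re
from email import message_from_string

# Constructed sample: the Received / Authentication-Results headers from the
# question, with redacted addresses replaced by example.* placeholders.
RAW_HEADERS = """\
Authentication-Results: mx.google.com;
   dkim=pass header.i=@example.com header.s=default header.b=i7HIMnGa;
   spf=pass (google.com: domain of user@example.com designates 192.185.150.114 as permitted sender) smtp.mailfrom=user@example.com
Received: from gateway34.websitewelcome.com (gateway34.websitewelcome.com. [192.185.150.114])
    by mx.google.com with ESMTPS id v2si12361706otn.296.2021.03.09.10.56.01
    for <me@example.net>; Tue, 09 Mar 2021 10:56:01 -0800 (PST)
Received: from cm10.websitewelcome.com (cm10.websitewelcome.com [100.42.49.4])
    by gateway34.websitewelcome.com (Postfix) with ESMTP id 670551B8D18
Received: from box2063.bluehost.com ([67.222.39.95])
    by cmsmtp with SMTP id JhWQlljlHkscSJhWRlkpRs
Received: from lfbn-poi-1-1523-161.w109-220.abo.wanadoo.fr ([109.220.87.161]:64877 helo=[169.254.135.18])
    by box2063.bluehost.com with esmtpsa (TLS1.2) tls TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.93) (envelope-from <user@example.com>) id 1lJhWQ-000Icb-El
"""

HOP_RE = re.compile(r"from (\S+).*?\[(\d+\.\d+\.\d+\.\d+)\].*? by (\S+).*? with (\S+)")
# Exim marks SMTP-AUTH submissions with an "a" in the protocol word (esmtpa,
# esmtpsa); a plain esmtp/esmtps hop is an ordinary server-to-server relay.
AUTH_PROTOCOLS = ("esmtpa", "esmtpsa")

def parse_hops(raw):
    """Return hops in transit order: index 0 is the originating client."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # bottom header = first hop
        m = HOP_RE.search(re.sub(r"\s+", " ", value))     # unfold the header first
        if m:
            from_host, ip, by_host, proto = m.groups()
            hops.append({"from": from_host, "ip": ip, "by": by_host, "proto": proto,
                         "authenticated": proto.lower() in AUTH_PROTOCOLS})
    return hops

def auth_results(raw):
    """Map spf/dkim/dmarc -> result as the receiving MX recorded it."""
    value = message_from_string(raw).get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value))

def triage(raw):
    hops, results = parse_hops(raw), auth_results(raw)
    origin = hops[0]
    if origin["authenticated"] and results.get("spf") == "pass" and results.get("dkim") == "pass":
        verdict = "authenticated submission with valid SPF/DKIM: suspect compromised credentials, not spoofing"
    else:
        verdict = "unauthenticated or failing hop: inspect SPF/DKIM details for spoofing"
    return {"origin_ip": origin["ip"], "submitted_via": origin["by"],
            "authenticated": origin["authenticated"], "results": results, "verdict": verdict}
```

For the sample this reports the French client IP as the origin, an authenticated (`esmtpsa`) submission through the sender's own Bluehost box, and SPF/DKIM both passing, which is the "compromised account, not spoofing" picture rather than a forged header chain.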