I was sent an email from someone in response to an over-two-year-old exchange, and its contents look like spam to me.
Checking the headers, the following look normal:
Return-Path, Received & Received-SPF:
Received: from gateway34.websitewelcome.com (gateway34.websitewelcome.com. [192.185.150.114])
by mx.google.com with ESMTPS id v2si12361706otn.296.2021.03.09.10.56.01
for <[my email redacted]>
(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
Tue, 09 Mar 2021 10:56:01 -0800 (PST)
Received-SPF: pass (google.com: domain of [real user email redacted] designates 192.185.150.114 as permitted sender) client-ip=192.185.150.114;
Authentication-Results and others:
Authentication-Results: mx.google.com;
dkim=pass header.i=@[user real domain redacted] header.s=default header.b=i7HIMnGa;
spf=pass (google.com: domain of [real user email redacted] designates 192.185.150.114 as permitted sender) smtp.mailfrom=[real user email redacted]
Received: from cm10.websitewelcome.com (cm10.websitewelcome.com [100.42.49.4])
by gateway34.websitewelcome.com (Postfix) with ESMTP id 670551B8D18
for <[my user email redacted]>; Tue, 9 Mar 2021 12:55:59 -0600 (CST)
Received: from box2063.bluehost.com ([67.222.39.95])
by cmsmtp with SMTP
id JhWQlljlHkscSJhWRlkpRs; Tue, 09 Mar 2021 12:55:59 -0600
X-Authority-Reason: nr=8
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=[real user domain redacted]; s=default; h=Content-Transfer-Encoding:Content-Type
:Message-ID:Date:References:In-Reply-To:Subject:To:From:MIME-Version:Sender:
Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From:
Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:
List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
bh=[string redacted, unsure if safe to post]
This one looks dodgy? (It appears to originate from France, which is not the country the actual sender is in, nor where websitewelcome is, and probably not bluehost either.)
Received: from lfbn-poi-1-1523-161.w109-220.abo.wanadoo.fr ([109.220.87.161]:64877 helo=[169.254.135.18])
by box2063.bluehost.com with esmtpsa (TLS1.2) tls TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.93)
(envelope-from <[real user email redacted]>)
id 1lJhWQ-000Icb-El
for [my email redacted]; Tue, 09 Mar 2021 11:55:58 -0700
X-Headers: The X-Source-IP and X-Source-Sender look dodgy.
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - box2063.bluehost.com
X-AntiAbuse: Original Domain - [my domain name redacted]
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - [real user domain name redacted]
X-BWhitelist: no
X-Source-IP: 109.220.87.161
X-Source-L: No
X-Exim-ID: 1lJhWQ-000Icb-El
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: lfbn-poi-1-1523-161.w109-220.abo.wanadoo.fr ([169.254.135.18]) [109.220.87.161]:64877
X-Source-Auth: [real user email redacted]
X-Email-Count: 37
X-Source-Cap: [redacted, unsure if safe to include]
X-Local-Domain: yes
Reading this page, the Return-Path and Received-SPF appear to be fine and I don't appear to have any X-Sender headers; however, I do have an X-Source-Sender that doesn't look right?
Because they appear to have been able to reply to an actual email thread I had with the other real user, is one of our devices infected? How were they able to send this?
It appears to be this scam:
However, the content of the new email ends where they mention the password.
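As an added example (editor's code, not part of the question or any answer), here is a small Python script that walks a Received chain the way you would by hand: it unfolds each Received header, pulls out the client host, client IP, HELO name, receiving server and protocol, and then looks at the earliest hop to see whether the message entered the mail system through an authenticated SMTP submission (Exim's "esmtpsa"/"esmtpa" protocol tokens or Postfix's "Authenticated sender" note). The sample header block is constructed from the headers quoted in the question, with the redacted addresses replaced by example placeholders; the residential-rDNS check is a simple keyword heuristic and is labelled as such in the code.

```python
import ipaddress
import re
from email import message_from_string
from email.policy import default

# Constructed sample modelled on the headers quoted in the question above.
# Hostnames and IPs are kept; mailbox addresses are placeholders.
SAMPLE_HEADERS = """\
Return-Path: <alice@sender.example>
Received: from gateway34.websitewelcome.com (gateway34.websitewelcome.com. [192.185.150.114])
        by mx.google.com with ESMTPS id v2si12361706otn.296.2021.03.09.10.56.01
        for <me@recipient.example>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 09 Mar 2021 10:56:01 -0800 (PST)
Authentication-Results: mx.google.com;
       dkim=pass header.i=@sender.example header.s=default header.b=i7HIMnGa;
       spf=pass (google.com: domain of alice@sender.example designates 192.185.150.114 as permitted sender) smtp.mailfrom=alice@sender.example
Received: from cm10.websitewelcome.com (cm10.websitewelcome.com [100.42.49.4])
        by gateway34.websitewelcome.com (Postfix) with ESMTP id 670551B8D18
        for <me@recipient.example>; Tue, 9 Mar 2021 12:55:59 -0600 (CST)
Received: from box2063.bluehost.com ([67.222.39.95])
        by cmsmtp with SMTP
        id JhWQlljlHkscSJhWRlkpRs; Tue, 09 Mar 2021 12:55:59 -0600
Received: from lfbn-poi-1-1523-161.w109-220.abo.wanadoo.fr ([109.220.87.161]:64877 helo=[169.254.135.18])
        by box2063.bluehost.com with esmtpsa (TLS1.2) tls TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
        (Exim 4.93)
        (envelope-from <alice@sender.example>)
        id 1lJhWQ-000Icb-El
        for me@recipient.example; Tue, 09 Mar 2021 11:55:58 -0700
X-Source-Auth: alice@sender.example
Subject: Re: old thread

body
"""

_FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")       # first bracketed IPv4 = client IP
_HELO_RE = re.compile(r"helo=\[?([^\]\s)]+)\]?", re.I)
_BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
_WITH_RE = re.compile(r"\bwith\s+(\S+)", re.I)


def parse_received(value):
    """Split one (already unfolded) Received header into its parts."""
    v = " ".join(value.split())
    m_from, m_ip, m_helo = _FROM_RE.match(v), _IP_RE.search(v), _HELO_RE.search(v)
    m_by, m_with = _BY_RE.search(v), _WITH_RE.search(v)
    proto = m_with.group(1).lower() if m_with else ""
    return {
        "from_host": m_from.group(1) if m_from else None,
        "from_ip": m_ip.group(1) if m_ip else None,
        "helo": m_helo.group(1) if m_helo else None,
        "by": m_by.group(1) if m_by else None,
        "with": proto,
        # Exim appends "a" to the protocol when the client used SMTP AUTH;
        # Postfix instead writes "(Authenticated sender: ...)".
        "authenticated": proto in ("esmtpa", "esmtpsa") or "authenticated sender" in v.lower(),
    }


def received_chain(raw):
    """All Received headers, top (newest) to bottom (oldest)."""
    msg = message_from_string(raw, policy=default)
    return [parse_received(str(v)) for v in msg.get_all("Received", [])]


def _looks_residential(host):
    # Heuristic only (assumption): tokens common in consumer-ISP reverse DNS names.
    h = (host or "").lower()
    return any(t in h for t in ("abo.", "dsl", "dyn", "pool", "cable", "ppp", "customer"))


def analyse(raw):
    """Summarise where the message entered the mail system and why SPF/DKIM passed."""
    msg = message_from_string(raw, policy=default)
    hops = received_chain(raw)
    origin = hops[-1]                      # Received headers are prepended, so last = earliest hop
    findings = []
    if origin["authenticated"]:
        findings.append("authenticated-submission")
    if origin["helo"]:
        try:
            helo_ip = ipaddress.ip_address(origin["helo"])
            if helo_ip.is_link_local or helo_ip.is_private:
                findings.append("helo-is-non-routable-address")   # e.g. 169.254.x.x
        except ValueError:
            pass                           # HELO was a hostname, not an address
    if _looks_residential(origin["from_host"]):
        findings.append("client-rdns-looks-residential")
    auth = " ".join(str(msg.get("Authentication-Results", "")).split())
    if "spf=pass" in auth and "dkim=pass" in auth and "authenticated-submission" in findings:
        # The provider signed and relayed the mail, so SPF/DKIM only vouch for the provider,
        # not for whoever held the account credentials.
        findings.append("spf-dkim-pass-explained-by-account-auth")
    if msg.get("X-Source-Auth"):
        findings.append("submitted-with-account:" + str(msg["X-Source-Auth"]).strip())
    return {
        "origin_ip": origin["from_ip"],
        "origin_host": origin["from_host"],
        "helo": origin["helo"],
        "submission_server": origin["by"],
        "findings": findings,
    }


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_HEADERS):
        print(hop)
    print(analyse(SAMPLE_HEADERS))
```

On the sample this reports that the earliest hop is an authenticated submission (esmtpsa, with X-Source-Auth naming the account) accepted by box2063.bluehost.com from 109.220.87.161, a host whose reverse name looks like consumer broadband and which announced a link-local HELO address. Because the mail then left the provider's own outbound servers, SPF and DKIM pass as expected; they confirm the mailbox account at the provider was used, not who was using it, which is consistent with the sender's credentials being in someone else's hands rather than with anything on the recipient's side.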