I'm investigating an email and in its headers all the hops (Received entries) are private (10.X.X.X) addresses. Initially I thought that this simply meant that the email originated from the same mail-server (so it never needed to do a public hop). However, after contacting the provider (Intermedia), they informed me that the source is determined from a different section of the header (x-source-ip).
After doing some research it seems to me that if the IP address found under x-source-ip is not also found somewhere in the original (Received) hops, then the x-source-ip has been spoofed. Or is it somehow possible for the original source to be in x-source-ip and not in the hops? Email headers are below.
Received: from X-E5-VA-1.x.domain.local (10.219.12.138) by
X-E5-VA-1.x.domain.local (10.219.12.138) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521) id
15.1.2375.17 via Mailbox Transport; Fri, 10 Dec 2021 09:10:41 -0500
Received: from X-E5-VA-2.x.domain.local (10.219.12.140) by
X-E5-VA-1.x.domain.local (10.219.12.138) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521) id
15.1.2375.17; Fri, 10 Dec 2021 09:10:40 -0500
Received: from x-va-1-2.serverpod.net (10.216.74.75) by
X-E5-VA-2.x.domain.local (10.219.12.141) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521) id
15.1.2375.17 via Frontend Transport; Fri, 10 Dec 2021 09:10:40 -0500
Received: from x-va-1-3.serverpod.net (x-va-1-3.serverpod.net [10.216.76.86])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256)
(No client certificate requested)
by x-va-1.serverpod.net (Postfix) with ESMTPS id BA7FE100005
for <[email protected]>; Fri, 10 Dec 2021 06:10:40 -0800 (PST)
Received: from out.x.serverdata.net (unknown [10.219.12.138])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
(No client certificate requested)
by x-va-1.serverpod.net (Postfix) with ESMTPS id 95881100004
for <[email protected]>; Fri, 10 Dec 2021 06:10:40 -0800 (PST)
Received: from X-E5-VA-1.x.domain.local (10.219.12.138) by
X-E5-VA-1.x.domain.local (10.219.12.138) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521) id
15.1.2375.17; Fri, 10 Dec 2021 09:10:40 -0500
Received: from X-E5-VA-1.x.domain.local ([10.219.12.138]) by
X-E5-VA-1.x.domain.local ([10.219.12.138]) with mapi id
15.01.2375.017; Fri, 10 Dec 2021 09:10:40 -0500
From: mycompany.com <[email protected]>
To: First Last <[email protected]>
Subject: Your account is scheduled for termination!!!
Thread-Topic: Your account is scheduled for termination!!!
Thread-Index: AQHX7c+dWsv6PH5mQUqK59FFKaujxQ==
Date: Fri, 10 Dec 2021 14:10:40 +0000
Message-ID: <[email protected]>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=bankomatchik.ru; s=dkim;
t=1639144993; bh=JRc5i07SeJJi7IKmf4kk7YS+u37nZRSWTa9JN4q+GDw=;
h=To:Subject:Date:From:From;
b=VlYQOrD2H6zI5UnWGneQEyqNAPMa9AYQVNeOi+893IPfLfpaEq4ut7VUj338N1UQc
U26YJl80XrFXtwxQ8QPpTmwJpMhg9eeEYN9FkgxR8eqWIbCtwZCbJkxj1WrMIML9V3
FuBXeDZOD60tMaucFBp6PgRy6snRakQjs7E4JJr8=
x-cmae-score: 0
x-cmae-analysis: v=2.2 cv=DMz/22Fb c=1 sm=1 tr=0
a=uUzqdBFmwskn7PK6BrDENA==:117 a=uUzqdBFmwskn7PK6BrDENA==:17
a=IOMw9HtfNCkA:10 a=G7ipKTrHp8AA:10 a=r77TgQKjGQsHNAKrUKIA:9 a=07qlFErKAAAA:8
a=EQh1O3JVudHgXb9kck8A:9 a=QEXdDO2ut3YA:10 a=1O92t69KAAAA:8
a=lpIj0mRyDt8dnHIlFYYA:9 a=lNjrS4_qGLc71qEN:21 a=m7PwTm9v_g-j7EjRtLGg:22
a=Ol1NtEL7n3yPw0winTxy:22
x-source-ip: 46.36.222.102
x-spf-status: pass
x-rdns-status: pass
spam-stopper-id: cd2e25c5-1d15-4d0f-8a52-bc5fceb90982
x-spam-category: LEGIT
x-spam-reasons: {'verdict': 'clean', 'spamcause':
'gggruggvucftvghtrhhoucdtuddrgedvuddrkedvgdeiudcutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfkpffvgfftoffgfffktedpggftfghnshhusghstghrihgsvgenuceurghilhhouhhtmecufedttdenucgoufhushhpvggtthffohhmrghinhculdegledmnecujfgurhepvffufffhkfggtgfgsegrkehjphdttdejnecuhfhrohhmpedfphgrghgvjhhonhgvshdrtghomhdfuceoshhuphhpohhrthessggrnhhkohhmrghttghhihhkrdhruheqnecuggftrfgrthhtvghrnhepudevjeehlefhhfehkeeifeefveegkedujedtkeffjeelfeduvddvffeifeetffeinecuffhomhgrihhnpeifvggsrdgrphhpnecukfhppeegiedrfeeirddvvddvrddutddvnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehinhgvthepgeeirdefiedrvddvvddruddtvddpmhgrihhlfhhrohhmpehsuhhpphhorhhtsegsrghnkhhomhgrthgthhhikhdrrhhupdhrtghpthhtohepphhmohhrghgrnhesphgrghgvjhhonhgvshdrtghomh',
'internal': ['[email protected]', 'From="mycompany.com"
<[email protected]>'], 'elapsed': '17ms'}
x-aes-category: LEGIT
x-spam-score: 49
x-ms-exchange-transport-endtoendlatency: 00:00:00.1949891
x-ms-exchange-processed-by-bccfoldering: 15.01.2375.017
x-armorblox-processed: YES
x-spf-from-status: not_checked
x-dkim: OpenDKIM Filter v2.6.8 mail.microgenius.ru 5A7E599FB6
x-originating-ip: [10.232.212.161]
Content-Type: multipart/alternative;
boundary="_000_50ef8cf96073a3a05bd6a6b1f8985875bankomatchikru_"
MIME-Version: 1.0
Spam-Stopper-Id: 2f55156e-4535-43bc-8950-d9b2bb44a4ba
Spam-Stopper-v2: Yes
X-Armorblox-Processed: YES
Return-Path: [email protected]
X-MS-Exchange-Organization-Network-Message-Id: 8ad1c7e6-d9ca-43b1-292b-08d9bbe6d919
X-MS-Exchange-Organization-AuthSource: X-E5-VA-2.x.domain.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Processed-By-BccFoldering: 15.01.2375.017
