Thread: Hacked mail (post #25)
Posted to uk.d-i-y by Tim Lamb

In message , Tim Lamb writes
In message HZudnSRANIrfP53DnZ2dnUU78RmdnZ2d@brightview.co.uk, John Rumm writes
In thunderbird, just hit CTRL + U to display the full message source.
Right! 4 pages of gobbledegook:-)
Sent from jumbo.zone but otherwise nothing I understand. It
obviously passed all the authentication checks.


Paste em here or email them to me, and I can probably get you a
bit more info - like where it came from, whether it's using a
compromised account or just spoofing etc.

(we only need the headers - you can snip the actual body, and
redact any real mail addresses etc)


OK John. I'll have a go this evening.

Somebody wants the woodwork bench they lent me 15 years ago returned!


Try this:-

From - Mon Dec 9 08:05:17 2019
X-Account-Key: account4
X-UIDL: 21366
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Received: from LO2P265MB1421.GBRP265.PROD.OUTLOOK.COM (2603:10a6:401:5a::14)
 by CWLP265MB0962.GBRP265.PROD.OUTLOOK.COM with HTTPS via
 CWLP265CA0338.GBRP265.PROD.OUTLOOK.COM; Mon, 9 Dec 2019 03:24:06 +0000
Received: from LO2P265CA0401.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:f::29)
 by LO2P265MB1421.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:94::16) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2516.14;
 Mon, 9 Dec 2019 03:24:06 +0000
Received: from AM5EUR02FT010.eop-EUR02.prod.protection.outlook.com
 (2a01:111:f400:7e1e::202) by LO2P265CA0401.outlook.office365.com
 (2603:10a6:600:f::29) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2516.14 via
 Frontend Transport; Mon, 9 Dec 2019 03:24:06 +0000
Authentication-Results: spf=none (sender IP is 118.97.118.130)
 smtp.mailfrom=onigiri.co.id; marfordfarm.demon.co.uk; dkim=none
 (message not signed) header.d=none;marfordfarm.demon.co.uk; dmarc=none
 action=none header.from=onigiri.co.id;compauth=fail reason=001
Received-SPF: None (protection.outlook.com: onigiri.co.id does not
 designate permitted sender hosts)
Received: from mx5-siagan-mbaru-g12-itu.indomaguro.co.id (118.97.118.130)
 by AM5EUR02FT010.mail.protection.outlook.com (10.152.8.144) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2495.18 via
 Frontend Transport; Mon, 9 Dec 2019 03:24:05 +0000
Received: from localhost (localhost [127.0.0.1])
 by mx5-siagan-mbaru-g12-itu.indomaguro.co.id (Postfix) with ESMTP id 7BC5A12256D
 for ; Mon, 9 Dec 2019 10:19:11 +0700 (WIB)
Received: from mx5-siagan-mbaru-g12-itu.indomaguro.co.id ([127.0.0.1])
 by localhost (mx5-siagan-mbaru-g12-itu.indomaguro.co.id [127.0.0.1])
 (amavisd-new, port 10032) with ESMTP id Wns20PcwSrH6
 for ; Mon, 9 Dec 2019 10:19:11 +0700 (WIB)
Received: from localhost (localhost [127.0.0.1])
 by mx5-siagan-mbaru-g12-itu.indomaguro.co.id (Postfix) with ESMTP id 1C03012256B
 for ; Mon, 9 Dec 2019 10:19:11 +0700 (WIB)
X-Virus-Scanned: amavisd-new at mx5-siagan-mbaru-g12-itu.indomaguro.co.id
Received: from mx5-siagan-mbaru-g12-itu.indomaguro.co.id ([127.0.0.1])
 by localhost (mx5-siagan-mbaru-g12-itu.indomaguro.co.id [127.0.0.1])
 (amavisd-new, port 10026) with ESMTP id EwNacX-0Qg_V
 for ; Mon, 9 Dec 2019 10:19:11 +0700 (WIB)
Received: from sp.onigiri.co.id (unknown [191.55.76.13])
 by mx5-siagan-mbaru-g12-itu.indomaguro.co.id (Postfix) with ESMTPA id ED7FB122570
 for ; Mon, 9 Dec 2019 10:19:09 +0700 (WIB)
From: "Hannah Lamb"
To: "Pa"
Reply-To: "Hannah Lamb"
Subject: Hello Pa
Thread-Index: Ky1lejU1cXY1d20uOWU3Ki51eTZmMQ==
Date: Mon, 9 Dec 2019 06:23:31 +0300
Message-Id: 10U6HCH5TFTN4ZZXP7FT5DUSS0RP83PZ0M4N0T2N@HU0US2NY2HF3HH7.namprd14.prod.outlook.com
Content-Language: en-US
Content-Type: multipart/alternative;
 boundary="_000_10U6HCH5TFTN4ZZXP7FT5DUSS0RP83PZ0M4N0T2NHU0US2NY2HF3HH7_"
Return-Path:
X-MS-Exchange-Organization-ExpirationStartTime: 09 Dec 2019 03:24:05.5006 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id: 08def035-c0b7-433d-ddc6-08d77c573ede
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: b58b9882-6915-43fd-93c2-085d389cfee5:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-Forefront-Antispam-Report:
 CIP:118.97.118.130;IPV:NLI;CTRY:ID;EFV:NLI;SFV:SPM;SFS:(10001);DIR:INB;SFP:;SCL:5;
 SRVR:LO2P265MB1421;H:mx5-siagan-mbaru-g12-itu.indomaguro.co.id;FPR:;SPF:None;
 LANG:en;CAT:SPOOF;
X-MS-Exchange-Organization-AuthSource: AM5EUR02FT010.eop-EUR02.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 08def035-c0b7-433d-ddc6-08d77c573ede
X-MS-TrafficTypeDiagnostic: LO2P265MB1421:
X-MS-Oob-TLC-OOBClassifiers: OLM:1728;
X-MS-Exchange-Organization-SCL: 6
X-Microsoft-Antispam: BCL:0;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 09 Dec 2019 03:24:05.1073 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 08def035-c0b7-433d-ddc6-08d77c573ede
X-MS-Exchange-CrossTenant-Id: b58b9882-6915-43fd-93c2-085d389cfee5
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: LO2P265MB1421
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.5773365
X-MS-Exchange-Processed-By-BccFoldering: 15.20.2516.000
X-Microsoft-Antispam-Mailbox-Delivery:
 ucf:0;jmr:0;ex:0;auth:0;dest:I;ENG:(20160513016)(750127)(520002050)(701014)(944506383)(944626516)


--
Tim Lamb
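A small triage script for a header dump like the one above, added here as an example and not code from the thread or from anyone posting in it. It parses a constructed excerpt of those headers (the addresses the poster redacted stay redacted), walks the Received chain back to the first hop that is not loopback, and reads the recipient-side Authentication-Results verdicts, which is the check John describes: nothing (SPF, DKIM, DMARC) vouched for the message, the display name does not match the From domain, and the injecting relay accepted it with ESMTPA, i.e. on an SMTP AUTH session.

```python
import re
from email import message_from_string

# Constructed sample: an excerpt of the headers posted in the thread (addresses redacted by the poster).
SAMPLE = """\
Authentication-Results: spf=none (sender IP is 118.97.118.130) smtp.mailfrom=onigiri.co.id; marfordfarm.demon.co.uk; dkim=none (message not signed) header.d=none;marfordfarm.demon.co.uk; dmarc=none action=none header.from=onigiri.co.id;compauth=fail reason=001
Received: from mx5-siagan-mbaru-g12-itu.indomaguro.co.id (118.97.118.130) by AM5EUR02FT010.mail.protection.outlook.com (10.152.8.144) with Microsoft SMTP Server id 15.20.2495.18 via Frontend Transport; Mon, 9 Dec 2019 03:24:05 +0000
Received: from localhost (localhost [127.0.0.1]) by mx5-siagan-mbaru-g12-itu.indomaguro.co.id (Postfix) with ESMTP id 7BC5A12256D; Mon, 9 Dec 2019 10:19:11 +0700 (WIB)
Received: from sp.onigiri.co.id (unknown [191.55.76.13]) by mx5-siagan-mbaru-g12-itu.indomaguro.co.id (Postfix) with ESMTPA id ED7FB122570; Mon, 9 Dec 2019 10:19:09 +0700 (WIB)
From: "Hannah Lamb"
Subject: Hello Pa
"""
HOP = re.compile(r"^from\s+(\S+)\s*(\([^)]*\))?\s+by\s+(\S+).*?\bwith\s+(\S+)")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def hops(msg):
    # Received chain oldest-first as (claimed_host, ip, receiving_host, protocol)
    chain = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.match(" ".join(value.split()))  # unfold and collapse whitespace
        if m:
            ip = IPV4.search(m.group(2) or "")
            chain.append((m.group(1), ip.group(0) if ip else None, m.group(3), m.group(4)))
    return chain

def auth_results(msg):
    """Recipient-side verdicts (spf/dkim/dmarc/compauth) plus the identities they refer to."""
    text = msg.get("Authentication-Results", "")
    res = dict(re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", text))
    for key, pat in (("sender_ip", r"sender IP is ([0-9a-fA-F.:]+)"), ("mail_from", r"smtp\.mailfrom=([^;\s]+)"),
                     ("header_from", r"header\.from=([^;\s]+)")):
        m = re.search(pat, text)
        res[key] = m.group(1) if m else None
    return res

def triage(raw):
    """Where did the message enter the mail system, and did any authentication vouch for it?"""
    msg = message_from_string(raw)
    chain, auth = hops(msg), auth_results(msg)
    # First non-loopback hop is the injection point; ESMTPA there = accepted on an SMTP AUTH session
    entry = next((h for h in chain if h[1] and not h[1].startswith("127.")), None)
    return {
        "display_name": msg.get("From", "").strip('" '),
        "header_from_domain": auth["header_from"],
        "edge_sender_ip": auth["sender_ip"],
        "entry_ip": entry[1] if entry else None,
        "entry_claimed_host": entry[0] if entry else None,
        "entry_authenticated": bool(entry and entry[3].upper() == "ESMTPA"),
        "vouched_for": auth.get("spf") == "pass" or auth.get("dkim") == "pass",
    }
```

Run `triage(SAMPLE)` to get the summary dict; on the full dump the extra Outlook-internal hops are simply more entries in the chain and do not change the injection point found.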