Hi Team

We have somewhat manually coded an SRS implementation, which allows us
to get notified when we try to decode an SRS recipient with an invalid SRS
signature.

Lately I have seen this happen multiple times per day from the sending
server. ENIX UK abuse desk has not reacted for about two weeks since I
first notified them of this issue.

delicia.gateway.enmail.co [213.5.176.222]

Bounces are being sent to: [email protected]

which, if the signature was correct, would be decoded into:
[email protected]

The content of the bounce contains the original header (obfuscating our
customer's email address)

Return-Path: <[email protected]>
Received: from mail.enmail.co (unknown [91.204.208.8])
        by gateway1.enmail.co (Postfix) with ESMTPS id 8220A4655B
        for <***@bman.ch>; Thu, 22 Jan 2026 13:37:54 +0000 (UTC)
Received: from mail.enmail.co (localhost [127.0.0.1])
        by mail.enmail.co (Postfix) with ESMTP id DFC593000C42CD8D
        for <***@bman.ch>; Thu, 22 Jan 2026 13:37:52 +0000 (UTC)
Received: from D4JIPL7RI7WHQ7QEZ864U (62-210-113-184.rev.poneytelecom.eu [62.210.113.184])
        by mail.enmail.co (Postfix) with ESMTPSA id 41BCC3000C42BEB3
        for <***@bman.ch>; Thu, 22 Jan 2026 13:36:29 +0000 (UTC)
MIME-Version: 1.0
From: Claudia Richter<[email protected]>
Subject: Transaktion: „Na, du?“ wurde ausgelöst
X-Antivirus-Status: Clean
Content-Type: multipart/related; boundary="8681598220"
To: ***@bman.ch
X-Antivirus: Avast (VPS 240607-8, 7/6/2024), Outbound message
X-Original-Recipient: ***@bman.ch
Message-Id: <[email protected]>
Date: Thu, 22 Jan 2026 13:37:52 +0000 (UTC)
Gateway-ID: 8220A4655B-1769089074

To me, this first looked like some wrong SRS implementation on either:

unknown [91.204.208.8]
or
delicia.gateway.enmail.co [213.5.176.222]

which wrongfully encodes the recipient as SRS encoded envelope sender
instead of the sender, as the sender domain is on that same platform:

sorrell.f9.co.uk mail is handled by 10 mx.enmail.co.

But now I start to suspect this could be some attempt to test if email
is being relayed without checking the SRS signature.

Especially poneytelecom.eu constantly pops up with any kind of email
and especially SIP fraud attempts.

Does anyone have an idea if I could be right, or why we see those emails?

Kind regards

-Benoît Panizzon-
-- 
I m p r o W a r e   A G    -    Head of Commerce Customers
______________________________________________________

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Schweiz                         Web  http://www.imp.ch
______________________________________________________
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
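
Added example, not part of the original post and not the poster's implementation: a minimal SRS0 decoder that refuses to rewrite a bounce recipient unless its signature and day stamp verify, which is the check the post describes. The secret, the validity window, the addresses and the hash construction (HMAC-SHA1, truncated base64, modeled on common SRS libraries) are assumptions.

```python
import base64, hashlib, hmac

SECRET = b"constructed-demo-secret"        # constructed value, not a real key
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # alphabet for the 2-char day stamp
MAX_AGE_DAYS = 21                          # assumed validity window

def _stamp(day):
    day %= 1024                            # 10-bit day counter
    return B32[day >> 5] + B32[day & 31]

def _tag(ts, host, local):
    # Assumed construction: HMAC-SHA1 over stamp+host+local, base64, 4 chars.
    mac = hmac.new(SECRET, (ts + host + local).lower().encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()[:4]

def srs_encode(sender, forwarder, day):
    local, host = sender.rsplit("@", 1)
    ts = _stamp(day)
    return f"SRS0={_tag(ts, host, local)}={ts}={host}={local}@{forwarder}"

def srs_decode(rcpt, day):
    """Return (original_sender, None) on success, else (None, reason)."""
    localpart = rcpt.rpartition("@")[0]
    if localpart[:5].upper() != "SRS0=":
        return None, "not-srs"
    parts = localpart[5:].split("=", 3)    # local part may itself contain '='
    if len(parts) != 4:
        return None, "malformed"
    tag, ts, host, local = parts
    if len(ts) != 2 or any(c not in B32 for c in ts.upper()):
        return None, "malformed"
    # Compare case-insensitively (some MTAs fold case), in constant time.
    expected = _tag(ts, host, local).lower().encode()
    if not hmac.compare_digest(tag.lower().encode(), expected):
        return None, "bad-signature"       # log/alert here; do not relay
    then = B32.index(ts[0].upper()) * 32 + B32.index(ts[1].upper())
    if (day - then) % 1024 > MAX_AGE_DAYS:
        return None, "expired"
    return f"{local}@{host}", None

if __name__ == "__main__":
    today = 20475                          # constructed day number
    good = srs_encode("alice@customer.example", "fwd.example", today)
    print(good, srs_decode(good, today))
    print(srs_decode("SRS0=AAAA=73=customer.example=alice@fwd.example", today))
```

A recipient that returns `bad-signature` was not minted by the forwarder, so rejecting it at RCPT time and counting rejections per sending host gives the kind of notification the post describes.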