Hi

Interesting - I never clicked on 'release' in the Cisco quarantine, but
this morning the mail in question had disappeared from the quarantine
and could not be found - I first assumed Cisco had probably noticed the
incident and silently deleted all emails in question.

No, that phishing email from the quarantine has now been delivered to me.
So I have the full headers.

Here are some which might indicate what happened:

Received: from esa2.hc682-83.smtpi.com (esa2.hc682-83.smtpi.com [23.90.103.73])
        by mail.***** (Postfix) with ESMTPS id 12B6E3F95F
        for <panizzon@*****>; Mon, 01 Jun 2026 11:28:50 +0200 (CEST)
Received: from sma1.hc682-83.smtpi.com ([194.165.195.253])
  by esa2.hc682-83.smtpi.com with ESMTP; 01 Jun 2026 14:58:48 +0530
Received: from localhost by sma1.hc682-83.smtpi.com;
  01 Jun 2026 14:58:48 +0530
Received: from esa2.hc682-83.smtpi.com ([23.90.103.73])
  by sma1.hc682-83.smtpi.com with ESMTP; 29 May 2026 15:27:33 +0530

Authentication-Results: esa2.hc682-83.smtpi.com; dkim=none (message not signed) 
header.i=none; spf=Fail [email protected]
Received-SPF: Fail (esa2.hc682-83.smtpi.com: domain of
  [email protected] does not designate
  158.94.210.98 as permitted sender) identity=mailfrom;
  client-ip=158.94.210.98; receiver=esa2.hc682-83.smtpi.com;
  envelope-from="[email protected]";

X-IronPort-RemoteIP: 158.94.210.98

Received: from unknown (HELO [158.94.210.98]) ([158.94.210.98])
  by esa2.hc682-83.smtpi.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 29 May 2026 
12:24:40 +0530

From: DH Lieferung Kundenbetreuung <[email protected]>
To: panizzon@*
Message-ID: <[email protected]>
X-Mailer: Python SMTP Client

inetnum:        158.94.210.0 - 158.94.210.255
netname:        OMEGATECH
country:        NL

So I guess I could be right that this was sent from a compromised
Cisco IronPort customer's account.

Envelope Sender Domain: esa2.hc682-83.smtpi.com

esa2.hc682-83.smtpi.com. 3600   IN      TXT     "v=spf1 ip4:23.90.103.73 -all"

So this was an SPF pass, not a fail. Maybe esa2.hc682-83.smtpi.com was
configured as an open relay? I can't connect to it on either the smtp,
smtps or submission port.

Kind regards

-Benoît Panizzon-
-- 
I m p r o W a r e   A G    -    Leiter Commerce Kunden
______________________________________________________

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Schweiz                         Web  http://www.imp.ch
______________________________________________________
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
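The check Benoît did by hand above (trace the Received chain back to the injecting host, then evaluate the sender domain's SPF record against the client IP seen at each hop) can be scripted. The Python below is an added example, not code from the message or from Cisco; the header block, hostnames, addresses and SPF record in it are constructed placeholders modeled on the headers quoted above, and the SPF evaluator only handles `ip4`/`ip6`/`all` mechanisms, which is enough to reproduce the pass-at-the-last-hop, fail-at-the-first-hop pattern the message describes.

```python
import ipaddress
import re

# Constructed sample modeled on the Received chain in the post. Hostnames and
# addresses are documentation/placeholder values, not the real ones.
SAMPLE_HEADERS = """\
Received: from esa2.example-esa.net (esa2.example-esa.net [203.0.113.10])
        by mail.example.org (Postfix) with ESMTPS id 12B6E3F95F
        for <user@example.org>; Mon, 01 Jun 2026 11:28:50 +0200 (CEST)
Received: from sma1.example-esa.net ([198.51.100.5])
  by esa2.example-esa.net with ESMTP; 01 Jun 2026 14:58:48 +0530
Received: from localhost by sma1.example-esa.net;
  01 Jun 2026 14:58:48 +0530
Received: from esa2.example-esa.net ([203.0.113.10])
  by sma1.example-esa.net with ESMTP; 29 May 2026 15:27:33 +0530
Received: from unknown (HELO [192.0.2.77]) ([192.0.2.77])
  by esa2.example-esa.net with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 29 May 2026
  12:24:40 +0530
From: Fake Sender <noreply@example-esa.net>
"""

# Constructed SPF record for the relay's own domain, shaped like the one in the post
# (a single ip4 mechanism for the relay itself, then -all).
SPF_RECORDS = {
    "esa2.example-esa.net": "v=spf1 ip4:203.0.113.10 -all",
}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw):
    """Return [(name, value)] with RFC 5322 folded continuation lines joined."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]          # continuation of the previous header
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def received_hops(headers):
    """Parse each Received header into (from host, client IP, receiving host).
    Returned in delivery order (earliest hop first): every MTA prepends its own
    Received line, so header order is the reverse of the path the mail took."""
    hops = []
    for name, value in headers:
        if name.lower() != "received":
            continue
        m_from = re.match(r"from\s+([^\s;(]+)", value)
        m_by = re.search(r"\bby\s+([^\s;]+)", value)
        m_ip = IP_RE.search(value)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "client_ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None,
        })
    hops.reverse()
    return hops


def evaluate_spf(record, client_ip):
    """Minimal SPF evaluator: ip4/ip6/all mechanisms with +,-,~,? qualifiers.
    No include/a/mx/redirect, so a real record with those terms is not covered."""
    addr = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qual = "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return qualifiers[qual]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return qualifiers[qual]
    return "neutral"  # no mechanism matched and no 'all' term


def spf_at_each_hop(raw_headers, sender_domain, records=SPF_RECORDS):
    """Evaluate sender_domain's SPF record against the client IP at every hop.
    A 'fail' at the first hop followed by 'pass' at the last one is the pattern
    from the post: the injecting host was not authorised, the relay that forwarded
    the mail on to the final MX is."""
    record = records.get(sender_domain)
    results = []
    for hop in received_hops(unfold_headers(raw_headers)):
        ip = hop["client_ip"]
        verdict = "none" if ip is None or record is None else evaluate_spf(record, ip)
        results.append((hop["by"], ip, verdict))
    return results


if __name__ == "__main__":
    for by, ip, verdict in spf_at_each_hop(SAMPLE_HEADERS, "esa2.example-esa.net"):
        print(f"{by:<24} client={ip!s:<14} spf={verdict}")
```

Run against the sample, the first hop (the unknown host handing the mail to the relay) fails and the final hop (the relay handing it to the Postfix MX) passes, which is exactly why the last-hop Authentication-Results header can read "pass" for a message the relay itself rejected on SPF earlier in the chain.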
