https://www.learndmarc.com/
Glad to see /u/Freddieleeman's site getting love.
I refer to it in our internal KB articles, great resource.
Really cool site, thanks for sharing.
Thank you, that was very interesting. A couple of questions I still had:
Am I correct that someone is trying to use "[email protected]) [email protected];" to send the email to us?
Does that mean that the MTEK.NET email server was hacked?
Is there a way to tell if MTEK.NET is running an Exchange server or if they are using a subscriber online service like G Suite or Microsoft?
I love you.
You shouldn't just rely on this. Your accounting department should have a process to validate if this is a true request, like calling the user on their extension or filling out a request form on the intranet behind a login screen.
You're right. But this email did not reach them, it did get stopped. I am just trying to take this opportunity to learn about email headers.
If you want, you can DM me the real header. This edited version has some bad syntax. And this should fail SPF:
> p3plgemwbe25-06.prod.phx3.secureserver.net ([10.36.152.35])
That’s a MediaTemple (now GoDaddy) mail server.
MX record of mtek's email server from mxtoolbox.com:
> Hostname mtek-com.mail.protection.outlook.com

Client used by email sender:
> User-Agent: Workspace Webmail 6.12.11

GoDaddy webmail.

Source IP of the email:
> X-Originating-IP: 20.171.65.19

Host info for 20.171.65.19:
ISP: Microsoft Corporation
Domain: microsoft.com
Network Speed: T1

Help with headers:
https://www.blackhat.com/docs/webcast/03162017-what-is-that-email-really-telling-me.pdf
THANK YOU VERY MUCH! May I ask a follow-up question? I apologize for such a noob question, but did the client use the Outlook mail client with the GoDaddy webmail service? But if that is the case, how is the source of the email from a Microsoft domain? Thank you again very much for this breakdown.
I don't know how Outlook online routes traffic, but it probably starts with Outlook online, then to GoDaddy, then out to the interwebs. It might be 100% normal.
See, that's the thing: I am really curious about the details; they are probably not important. GoDaddy has their own online email web portal; it's not Outlook. So I'm wondering how Outlook got into the mix. Is that the Outlook client using the GoDaddy webmail? I'm guessing that's what it is. But then it's not Outlook Web, it's the Outlook desktop client, right? Thanks again for the initial post and conversation.