Block invalid inbound email?

tolcheentolcheen
in Firebox - Proxies

I've been getting some SPAM lately that my M390 isn't tagging as SPAM.

I see that the email is coming over the internet from a private IP address and an invalid domain prefix. Anyone know how I can block these or tag them as SPAM?

Here is an email header example:

My sever receives it
Received: from swt-exch.kovacorp.com (23.24.73.85) by
VPC-SWT-Exch16.KOVACorp.local (x.x.x.x) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.1.2507.39 via Frontend Transport; Tue, 6 Aug 2024 16:42:10 -0400

And the rest? All private IPs?
Received: from winhex19beus1.winusa.mail ([10.72.152.11]) by
mrieueus.server.lan (mrieueus003 [172.19.150.82]) with ESMTPS (Nemesis) id
0Lflcq-1rqafD3IAU-00c2tb for sales@kovacorp.com; Tue, 06 Aug 2024 22:42:09
+0200

Received: from [127.0.0.1] (10.72.152.123) by winhex19beus1.winusa.mail
(10.72.152.11) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.2.1544.11; Tue, 6 Aug
2024 16:42:08 -0400

Content-Type: multipart/mixed; boundary="--_NmP-a27526fec95b0717-Part_1"
From: Secure Enterprises Ventures Technologies stbarth@clic.com
Sender:
Kovacorp.Exchange.review.and.Help-desk.required.sent.on.Behalf.of.Kovacorp.Admin.To.sales@kovacorp.com
To: sales@kovacorp.com
Subject: Action Req: Needful August 6, 2024 at 04:42:06 PM
Message-ID: 39d5fb6b-5bc5-3e7f-8b5f-5d5d65f6b320@clic.com
X-Priority: 1 (Highest)
X-MSMail-Priority: High
Importance: High
Date: Tue, 6 Aug 2024 20:42:07 +0000
MIME-Version: 1.0
Return-Path: stbarth@clic.com
X-ClientProxiedBy: winhex19beus1.winusa.mail (10.72.152.11) To
winhex19beus1.winusa.mail (10.72.152.11)
X-Spam-Flag: NO
UI-OutboundReport: notjunk:1;M01:P0:2DGnBJuztEs=;K7vHKHbc4Cva16DgW7q76QBXgai
x1oQ4KCu1Dw2c43/aTTLsmhipf28QVYtqp6j3dsOu3UXt56NLLJHKMoMFEWFtW0+6PZzLoLiw
JlmKZrfo7iZUD92/1k5Fatu3OFk2g8MdPoonNbKMCBx/E4+hC5vFLE39NP5nJm0hf21BB8M9Z
O4WrlTcrn0/KAjJZCtJRPvWiHBAqbRwk9qHng8zNFDYwoTHts0CbCvrIkyZtPmlVFIbwxAd3x
haJUo/FyvPaIw3CVGLShy7KUBqF/t4y4koPVA2ipNMw0AwYUE682wEnWTe/wtW+U5sGK+lQu8
abaB2Eug01EtuEC3CVXXTNUtKsR6pHgznxiPdAysebvXoId8Z6BW5tS3ybsLI6fMD0XeFuRJ5
4Y9INbqL5j2VNlVsE6/B1jYNuXKwfQjEqWrORZfmufbuZljVK//LVEFXwW2+rqGbSa20xEgpM
d3Mbb8tTg5lU2qBM2YdFmcTCFrZlt/Z6kojaZtCG2akSpApfe9jePzQgW2xi2kVercoRz3TJg
5BtfvazHBtB+vFvr6kGUyYf1g4XvWhMc5xLAQkmpYutuqRyx13sGnS47Q2VWyO/2sJfcnZUaa
K/xZoyeUFThd2akwTNyjd1bMT828Np09F/boy4zUxXI/BT+BY55nW8VyqYPApNlFEuxGiz1s7
uNpCquPqoP1URNN6aQLDWvx60gBANombSBGyPFfx8758cs9SL0FPgMZHIwYFavI+qYKl9XIko
U+kllDrR1JRaprF4bNDJvZ8+MaYW6iUuQ==
X-WatchGuard-Spam-Score: unclassified
X-WatchGuard-Mail-Client-IP: 0.0.0.0
X-WatchGuard-Mail-From: stbarth@clic.com
X-WatchGuard-Mail-Recipients: sales@kovacorp.com
X-MS-Exchange-Organization-Network-Message-Id: 5ce04b84-5d95-4f75-5fe9-08dcb6583f00
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-Organization-AuthSource: VPC-SWT-Exch16.KOVACorp.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:16.4129639
X-MS-Exchange-Processed-By-BccFoldering: 15.01.2507.039

Comments

  • Bruce_BriggsBruce_Briggs

    Looks like these are internal SMTP servers, which have private IP addrs.
    The email was forwarded from the last to the the previous 1 to the 1st one, which does have a public IP addr

Sign In to comment.