I have been attempting to explain to a coworker how the DNS Stuff Email Path Analyzer doesn't use the actual Originating IP of an email we receive to determine if the email is legit or not.
When the header below is placed in the Email Path Analyzer, it comes back with a low threat level. It actually pulls "FROM" info to do its WhoIs lookups vs. the Originating-IP listed in the header.
This is an email, with a zip, with an exe inside, going to a user that doesn't deal with EXEs, and is actually from Turkey, not St. Louis.
What is the best way to explain to the coworker why the Email Path Analyzer results cannot be taken at 'face value' for determining legitimacy?
The header in question (with our info replaced with ouruser@ourdomain.com):
Received: from [74.40.13.111] (account noreply@esedona.net HELO cfsntsapm.eqinijomxadt.va)
by 78.186.248.222.static.ttnet.com.tr (CommuniGate Pro SMTP 5.2.3)
with ESMTPA id 072037273 for ouruser@ourdomain.com; Thu, 12 Dec 2013 19:58:07 +0200
From: WAP <noreply@npgcable.com>
To: <ouruser@ourdomain.com>
Subject: MMS
Date: Thu, 12 Dec 2013 19:58:07 +0200
MIME-Version: 1.0
X-Priority: 3
X-Mailer: ppkulx-35
Message-ID: <8396119095.DY01IBJJ483440@wavgrhhyie.rtnoikjzyc.net>
Content-Type: multipart/mixed;
boundary="----=a__beluuketg_15_37_29"
X-Originating-IP: 78.186.248.222
X-Sender: noreply@npgcable.com
X-HXMSpamScore: -1
X-HXMSpamScoreExt:
X-HXMSpamAction: blocked
X-HXMSpamReason: forbidden file was attached in a zip (MMSJZ121213.exe)