Corrupted "Received"

I downloaded a suspect email from 163.com webmail as .eml, which could not be analyzed successfully in FEI.
This may result from a corrupted header below.

Received: from TY2PR03MB4621.apcprd03.prod.outlook.com
 ([fe80::4590:eb1a:a57d:5b5]) by TY2PR03MB4621.apcprd03.prod.outlook.com
 ([fe80::4590:eb1a:a57d:5b5%7]) with mReceived: from EUR04-HE1-obe.outbound.protection.outlook.com (unknown [40.107.7.75])
	by mx29 (Coremail) with SMTP id T8CowABX_BVDH91eAIt7DQ--.26887S3;
	Mon, 08 Jun 2020 01:09:26 +0800 (CST)

I’m not sure how this can happen. Does it indicate a falsification?

I agree that this seems out of whack. I would have expected this fragment to have been two separate trace headers along the lines of what follows (ignore their order for now):

Received: from TY2PR03MB4621.apcprd03.prod.outlook.com 
 ([fe80::4590:eb1a:a57d:5b5]) by TY2PR03MB4621.apcprd03.prod.outlook.com 
 ([fe80::4590:eb1a:a57d:5b5%7]) with mapi id <placeholder>; Sun, 07 Jun 2020 17:09:26 +0000
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (unknown [40.107.7.75])
  by mx29 (Coremail) with SMTP id T8CowABX_BVDH91eAIt7DQ--.26887S3;
  Mon, 08 Jun 2020 01:09:26 +0800 (CST)

I put a placeholder for the mapi id value as that information is not available in your example, and I used my best guess for what the M365 timestamp should have been.

Note that the m character in the string mReceived: in your example is in the same position as the m character of mapi id in my example.

In addition to the fact that the two trace headers appear merged, their order also seems strange. It looks like this was a message sent from M365 to 163. If that’s the case, the first trace header in my example, which shows activity within the M365 tech stack, should precede the second trace header which shows the handoff from M365 to Coremail.

As to why this happened—hard to tell without looking at additional evidence. If feasible, my first move would be to try to locate additional control messages between the same parties from the same time period for comparison.

On a related note, FEI does not have trouble working with this unusual trace header on my end. If you experienced any unexpected behavior there, please feel free to reach out to our support and we would love to take a look.

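As an added example (not code from either post, and not part of FEI), the following Python script performs the two checks the reply above makes by eye: it splits any Received value that contains an embedded "Received:" token into its fragments, reports which clauses each fragment is missing (the truncation point "with m" shows up as a fragment with no id and no date), and confirms that the hops read newest-first, which is the order a prepending MTA must produce. The first sample is the trace header quoted in the question with made-up From/To/Subject lines so it parses as a message; the second is a constructed pair of well-formed headers (RFC 5737 addresses, invented hostnames and ids) that is deliberately out of chronological order.

```python
"""Audit the Received: trace headers of an .eml message.

Two checks: a second "Received:" token embedded inside one header value
(two trace headers glued together, as in the question above), and hop
timestamps that are not newest-first (each MTA prepends its own Received
header, so reading top to bottom the dates must never increase).
"""
import re
from email import message_from_string, policy
from email.utils import parsedate_to_datetime

# Sample 1: the merged trace header quoted in the question. The From/To/
# Subject lines are made up so the fragment parses as a complete message.
SAMPLE_MERGED = """\
Received: from TY2PR03MB4621.apcprd03.prod.outlook.com
 ([fe80::4590:eb1a:a57d:5b5]) by TY2PR03MB4621.apcprd03.prod.outlook.com
 ([fe80::4590:eb1a:a57d:5b5%7]) with mReceived: from EUR04-HE1-obe.outbound.protection.outlook.com (unknown [40.107.7.75])
\tby mx29 (Coremail) with SMTP id T8CowABX_BVDH91eAIt7DQ--.26887S3;
\tMon, 08 Jun 2020 01:09:26 +0800 (CST)
From: sender@example.com
To: recipient@example.com
Subject: sample

body
"""

# Sample 2: constructed (RFC 5737 addresses, invented hostnames and ids).
# Both headers are well formed, but the top one is OLDER than the one
# below it, which a prepending MTA cannot produce.
SAMPLE_OUT_OF_ORDER = """\
Received: from mta-a.example.net (mta-a.example.net [192.0.2.10])
\tby mx.example.org (Postfix) with ESMTPS id 4F7D2C1E3A;
\tSun, 07 Jun 2020 17:00:00 +0000 (UTC)
Received: from client.example.net ([192.0.2.20])
\tby mta-a.example.net (Postfix) with ESMTP id 1A2B3C4D5E;
\tSun, 07 Jun 2020 17:05:00 +0000 (UTC)
From: sender@example.net
To: recipient@example.org
Subject: sample

body
"""

# Clauses of a Received header (RFC 5322 section 3.6.7). Each is optional
# so a truncated fragment such as "... with m" still yields what it has.
CLAUSE_RE = {
    "from": re.compile(r"\bfrom\s+(\S+)"),
    "by": re.compile(r"\bby\s+(\S+)"),
    "with": re.compile(r"\bwith\s+(\S+)"),
    "id": re.compile(r"\bid\s+([^\s;]+)"),
}


def split_merged(value):
    """Split one Received value on any embedded 'Received:' token.

    The parser already stripped the leading 'Received:', so a token left
    inside the value marks a second trace header that lost its line break.
    Folding whitespace and tabs are normalised to single spaces.
    """
    parts = re.split(r"Received:\s*", value)
    return [" ".join(p.split()) for p in parts if p.strip()]


def parse_hop(fragment):
    """Extract from/by/with/id/date from one Received fragment."""
    hop = {}
    for name, rx in CLAUSE_RE.items():
        m = rx.search(fragment)
        hop[name] = m.group(1) if m else None
    # The date-time is whatever follows the last ';'.
    hop["date"] = None
    if ";" in fragment:
        try:
            hop["date"] = parsedate_to_datetime(fragment.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    hop["missing"] = [k for k in ("from", "by", "with", "id", "date") if hop[k] is None]
    return hop


def audit(raw_eml):
    """Return the parsed hops, merged-header findings and the order check."""
    msg = message_from_string(raw_eml, policy=policy.default)
    hops, merged = [], []
    for value in msg.get_all("Received", []):
        fragments = split_merged(str(value))
        if len(fragments) > 1:
            merged.append(fragments)
        hops.extend(parse_hop(f) for f in fragments)
    # Top-to-bottom dates must be non-increasing; undated fragments are skipped.
    dates = [h["date"] for h in hops if h["date"] is not None]
    newest_first = all(a >= b for a, b in zip(dates, dates[1:]))
    return {"hops": hops, "merged": merged, "newest_first": newest_first}


if __name__ == "__main__":
    for label, sample in (("merged", SAMPLE_MERGED), ("out-of-order", SAMPLE_OUT_OF_ORDER)):
        report = audit(sample)
        print(f"[{label}] merged headers: {len(report['merged'])}, "
              f"newest-first: {report['newest_first']}")
        for hop in report["hops"]:
            print(f"  from={hop['from']} by={hop['by']} with={hop['with']} "
                  f"id={hop['id']} date={hop['date']} missing={hop['missing']}")
```

Run it against the suspect .eml by reading the file into `audit()`. A merged header is reported as a list of its fragments, so the M365 hop and the Coremail hop from the question come back as two hops, the first with `with` truncated to "m" and no id or date. Note that the chronology check can only use fragments that still carry a date, so it passes on the merged sample; the constructed second sample shows it firing when a well-formed header below is newer than the one above it.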