Spam through iCloud - as source

I’ve noticed that most of the spam I’m getting on my iCloud account (usually those bogus ‘Norton’ or antivirus renewals) originates with servers from “”

Authentication-Results:; spf=pass ( domain of designates as permitted sender)
Received-SPF: pass ( domain of designates as permitted sender); client-ip=;;
Received: from ( [])
by (Postfix) with ESMTPSA id 1A77647592
for; Wed, 14 Jun 2023 00:39:03 +0000 (UTC)

I don’t understand why Apple isn’t blocking this entire domain. Granted, there are SPF records for the spammer, but that just says the spammer is more well-organized than most.

That header info doesn’t mean what you think it means:

The ingress mail server (assuming this was the last Received header) received the message from a server claiming to be But it was forged. The header logs the IP address of that server ( and a reverse-DNS lookup on that address identifies the actual sender’s hostname as

Doing a Whois search on, we see that it is a GoDaddy-registered site. Actually visiting Mailsquare’s home page they claim to be a search-engine-optimization service. That is, they are consultants that help their customers appear more prominently in search results. Whether or not this works or is ethical is a matter of debate, but it’s not spamming.

The Whois record for indicates that it is property of IDrive, Inc., a cloud backup service.

My guess is that the spammer found an insufficiently secured IDrive server and is using it to send the spam. If the spamming from that server continues, I’m sure it will eventually get blocked. But the spammer may be using a large bucket of hacked servers. You might want to look at multiple messages claiming to be from Mailsquare and see if they’re all coming from the same servers or if they’re actually coming from all over the place.

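The comparison suggested in the reply above (check several messages and see whether they all come from the same servers) can be scripted; this is an added example, not part of the original posts. It assumes Postfix-style `Received` headers, a hypothetical provider suffix `.mailprovider.example`, and constructed sample messages using documentation IP ranges.

```python
import re
from collections import Counter
from email import message_from_string

# Postfix-style hop: "from <HELO name> (<reverse-DNS name> [<client IP>]) by <server>"
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+"
                    r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+by\s+(?P<by>\S+)")

def ingress_hop(raw, trusted_suffix):
    """Return the hop where mail crossed from an outside host into our provider."""
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue
        hop = m.groupdict()
        if not hop["by"].lower().endswith(trusted_suffix):
            return None  # written by a server we do not trust; stop here
        if hop["rdns"].lower().endswith(trusted_suffix):
            continue  # internal relay inside the provider, keep walking down
        # HELO is whatever the client sent; IP and rDNS were recorded by our server.
        hop["helo_matches_rdns"] = hop["helo"].lower() == hop["rdns"].lower()
        return hop
    return None

def tally_sources(messages, trusted_suffix):
    """Count connecting IPs per claimed HELO name across several messages."""
    counts = Counter()
    for raw in messages:
        hop = ingress_hop(raw, trusted_suffix)
        if hop:
            counts[(hop["helo"], hop["ip"])] += 1
    return counts

def sample(helo, rdns, ip):  # constructed message, not real mail
    return (
        "Received: from mx-in.mailprovider.example (mx-in.mailprovider.example [10.0.0.5])\n"
        "\tby store.mailprovider.example (Postfix) with ESMTP id A1;\n"
        "\tWed, 14 Jun 2023 00:39:05 +0000 (UTC)\n"
        f"Received: from {helo} ({rdns} [{ip}])\n"
        "\tby mx-in.mailprovider.example (Postfix) with ESMTPSA id B2;\n"
        "\tWed, 14 Jun 2023 00:39:03 +0000 (UTC)\n"
        "Received: from pc (forged.example [203.0.113.99]) by relay.forged.example\n"
        "Subject: renewal notice\n\nbody\n")

SAMPLES = [sample("mail.claimed-sender.example", "host-17.hosting.example", "192.0.2.17"),
           sample("mail.claimed-sender.example", "host-17.hosting.example", "192.0.2.17"),
           sample("mail.claimed-sender.example", "vps9.other-host.example", "198.51.100.9")]

for (helo, ip), n in tally_sources(SAMPLES, ".mailprovider.example").items():
    print(f"{n} message(s) claiming {helo} from {ip}")
```

Headers below the ingress hop are ignored because they were written by servers outside the provider and can contain anything the sender chose.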