I’ve noticed that most of the spam I’m getting on my iCloud account (usually those bogus ‘Norton’ or antivirus renewals) originate with servers from “mailsquare.in”
Authentication-Results: spf.icloud.com; spf=pass (spf.icloud.com: domain of bounce@zpack.shop designates 108.160.153.8 as permitted sender) smtp.mailfrom=bounce@zpack.shop
Received-SPF: pass (spf.icloud.com: domain of bounce@zpack.shop designates 108.160.153.8 as permitted sender) receiver=spf.icloud.com; client-ip=108.160.153.8; helo=zpack.shop; envelope-from=bounce@zpack.shop
Received: from setup6.mailsquare.in (216.107.26.213.static.idrivecompute.io [216.107.26.213])
by zpack.shop (Postfix) with ESMTPSA id 1A77647592
for deemery@icloud.com; Wed, 14 Jun 2023 00:39:03 +0000 (UTC)
I don’t understand why Apple isn’t blocking this entire domain. Granted, there are SPF records for the spammer, but that just says the spammer is better organized than most.
That header info doesn’t mean what you think it means:
The ingress mail server (assuming this was the last Received header), zpack.shop, received the message from a server claiming to be setup6.mailsquare.in. But it was forged. The header logs the IP address of that server (216.107.26.213), and a reverse-DNS lookup on that address identifies the actual sender’s hostname as 216.107.26.213.static.idrivecompute.io.
Doing a Whois search on mailsquare.in, we see that it is a GoDaddy-registered site. Actually visiting Mailsquare’s home page, we find they claim to be a search-engine-optimization service. That is, they are consultants that help their customers appear more prominently in search results. Whether or not this works or is ethical is a matter of debate, but it’s not spamming.
My guess is that the spammer found an insufficiently secured IDrive server and is using it to send the spam. If the spamming from that server continues, I’m sure it will eventually get blocked. But the spammer may be using a large bucket of hacked servers. You might want to look at multiple messages claiming to be from Mailsquare and see if they’re all coming from the same servers or if they’re actually coming from all over the place.
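A worked example of the header reading in this answer, added here and not part of the original thread: it parses Postfix-style Received headers, compares the claimed HELO name against the reverse-DNS name the receiving server recorded next to the logged IP, and counts sending IPs across several messages as suggested above. Only the first header is the one quoted in the question; the others are constructed samples using documentation IPs (192.0.2.x, 198.51.100.x).

```python
import re
from collections import Counter

# Postfix writes: "from <HELO name> (<reverse-DNS name or 'unknown'> [<IP>]) by ..."
# The HELO name is whatever the sender claimed; the IP and the rDNS name are
# what the receiving MTA actually observed.
RECEIVED_RE = re.compile(
    r"^(?:Received:\s*)?from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)"
)

# Constructed samples: the first is the header quoted in the question, trimmed;
# the rest are made up to show a missing PTR record, a consistent host, and a
# repeat from the same IP.
SAMPLE_HEADERS = [
    "from setup6.mailsquare.in (216.107.26.213.static.idrivecompute.io "
    "[216.107.26.213]) by zpack.shop (Postfix) with ESMTPSA id 1A77647592",
    "from setup6.mailsquare.in (unknown [192.0.2.10]) by zpack.shop (Postfix) "
    "with ESMTPSA id CONSTRUCTED1",
    "from mx.example.org (mx.example.org [198.51.100.5]) by zpack.shop "
    "(Postfix) with ESMTPS id CONSTRUCTED2",
    "from setup6.mailsquare.in (216.107.26.213.static.idrivecompute.io "
    "[216.107.26.213]) by zpack.shop (Postfix) with ESMTPSA id CONSTRUCTED3",
]


def parse_received(header):
    """Return (helo, rdns, ip) from a Postfix-style Received header, or None."""
    m = RECEIVED_RE.match(header.strip())
    return None if m is None else (m.group("helo"), m.group("rdns"), m.group("ip"))


def helo_matches_rdns(helo, rdns):
    """Heuristic: HELO and rDNS agree when their last two labels match.
    'unknown' means the IP has no PTR record, which never counts as a match."""
    if rdns.lower() == "unknown":
        return False
    return helo.lower().split(".")[-2:] == rdns.lower().split(".")[-2:]


def triage(headers):
    """Flag each header whose HELO name disagrees with the observed rDNS name,
    and count how often each sending IP appears across the messages."""
    findings, ips = [], Counter()
    for header in headers:
        parsed = parse_received(header)
        if parsed is None:
            continue  # not a Postfix-style 'from ... ( ... [ip])' line
        helo, rdns, ip = parsed
        ips[ip] += 1
        findings.append({"helo": helo, "rdns": rdns, "ip": ip,
                         "forged_helo": not helo_matches_rdns(helo, rdns)})
    return findings, ips
```

Run `triage` over the Received headers of every suspect message you have; if the IP counter shows many distinct addresses behind the same HELO name, the sender is rotating through many hosts rather than one box, which is the distinction the answer asks you to check.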