Skip to main content
ThreatOther

X-Originating-IP / X-Sender-IP is a private address — local-machine injection (compromised host / spam relay)

private-ip-origin

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

The `X-Originating-IP` or `X-Sender-IP` header — which records the client IP that submitted the message to its first mail server — contains a PRIVATE IP address from one of the RFC 1918 / loopback / link-local ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, IPv6 fc00::/7, fe80::/10, ::1). Legitimate internet mail ALWAYS comes from a public IP — a home broadband, corporate NAT egress, cloud function, or marketing platform server. A private IP in these headers almost universally means either (1) a compromised web app running on the same host as the receiving MTA (the exact shape of a hacked-WordPress spam relay), or (2) a misconfigured internal tool leaking into outbound traffic. Weighted at +3 — strong but not solo-decisive, because a tiny long-tail of corporate mail flows through split-horizon NAT could theoretically expose a private IP in this header.

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.

Browse all signalsSafety guaranteesJSON

Ready to clean your inbox?

Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.

Get started