Strange little messages don't parse

[captkirk]

I have been getting one or two of these a day to various addresses at a couple of the sites I administer. The gist of all these messages is "Will be closed due to bad weather." Sometimes the addressees are close to an actual address; sometimes they are names I don't know. They all come from 64.21.* which SpamCop can't find someone to report to. ARIN shows Net Access Corporation (NAC).

The messages are all a variation on:

"Early closing due to bad conditions.

This will be the only notification to pattstevie[at](mydomain).com and please disregard if sent to the incorrect individual. Thank you."

Is there something I don't understand? Or should I just add abuse[at]nac.net as a user notfication?

[turetzsr]

Hi, captkirk,

...It's hard tell what might be happening from the little information you have posted here. It sounds as if it might be an errant "out of office" message, although it seems to me that if it were you'd have other types of such "blowback." Do you have a Tracking URL for a failed parse that you can provide?

[Farelf]

NAC is allocated 64.21.0.0 - 64.21.191.255 (64.21.0.0/17, 64.21.128.0/18) I guess others have the rest of 64.21.0.0/16. It looks like abuse[at]nac.net bounces SC reports so adding it as a user-defined address will achieve nothing. That's okay, they don't want them, they don't have to take them. abuse.net shows an additional abuse address for nac.net and that is abuse[at]level3.com (for nac.net). You could try that, can't do any harm.

Messages sound tantalisingly like legitimate notifications (the "please disregard" and all) but of you're the administrator and you don't know the recipients then I guess they can't be. As Steve T suggests, if you want more eyes on this one, a tracking URL will be needed.

[captkirk]

http://www.spamcop.net/mcgi?action=gettrac...rtid=6099915103

http://www.spamcop.net/mcgi?action=gettrac...rtid=6099899483

The other thing is maybe they're just phishing for addresses that don't bounce. Some of the names are close to ones that are displayed on the web site, but are still slightly incorrect. Like their scraper isn't working right. They do mimic legitimate notifications. I probably should just ignore them.

[turetzsr]

http://www.spamcop.net/mcgi?action=gettrac...rtid=6099915103

http://www.spamcop.net/mcgi?action=gettrac...rtid=6099899483

<snip>

...Thanks, but we volunteers don't have access to those. Please see SpamCop "FAQ Entry: Getting a Tracking URL from a Report ID."

[captkirk]

Sorry.

http://www.spamcop.net/sc?id=z5813693464ze...204aec053918d6z

http://www.spamcop.net/sc?id=z5813634552zb...80e7dda3328386z

[turetzsr]

...Hm, nothing strange there that I can see. Were it I receiving these, I'd send off a little manual note to abuse[at]nac.net to ask them to stop these and if I didn't hear from them within a reasonable length of time would inquire of level3 (per Steve's [Farelf] post), which I presume is nac.net's "upstream". And I'd certainly submit them to SpamCop, even though the parser can't find a valid complaint address -- it will till contribute to the stats used to determine whether IP addresses should be included on the SpamCop blacklist.

[Farelf]

Based on those examples the messages are remarkably well spread over the network which might indicate some "clever" spamming is going on - snowshoe-type. Wouldn't expect such a spread from anything legitimate. If it was simple fishing for valid addresses I would have expected some sort of coy "unsubscribe" ploy but maybe they consider they have enough information from the absence of non-delivery notification (untrue of course but if spammers were knowledgeable about network operations and mail administration they would have real jobs, I suppose).

http://www.spamcop.net/w3m?action=map;mask...080;sort=ipsort shows a very diffuse record of spam detections in 64.21.0.0/16 - except for 64.21.198.0/24 where a couple of zombies have been "seen" hard at work but that's outside the NAC allocation anyway.

So, certainly worth reporting - and worth trying the level3 address IMO. Large networks need all the help they can get to get on top of these things, whether they admit/realize it or not. And, regardless of whether ISP reports are heeded or not, the rest of the internet needs protection from such abused resources - which needs reporters to submit their sightings.

[Lking]

Well the OP is not alone. This is the only copy I've received and it hit a "well known" public mailbox. I still don't make any sense of it. A miss-directed 'out of office' seems most likely?

http://www.spamcop.net/sc?id=z5816053029z3...af28f6e9732164z

The only thing I see is that trainingleadership.org is in Atlanta, GA. I get lots of ads/spam related to Atlanta because my NOC is close by.

[cliffskier]

I am new here, having come to this site looking for info about these messages. I have also been receiving a number of them over the past week. A tracking URL for one of them is http://www.spamcop.net/sc?id=z5816013415z0...bdf2d163b5f9bdz.

They come from different senders and different apparently fictional domains, although as captkirk noted they come from 64.21.*.

I can't figure out what they are up to. They are being sent to a bunch of different addresses, but most of them end up in my catch-all account for unknown addresses. I have not heard whether any have gone through to real addresses.

It is disturbing that they are using names of real people in the addresses, which could be mined from our web site. But the addresses are generally wrong, although a number of those could also be found on the web site.

Update: Just received another one, this time from 173.201.193.55. So much for all of them coming from 64.21.*.

http://www.spamcop.net/sc?id=z5816138558z2...bd7268156f1dbbz

[captkirk]

Still coming. Now it's snow!

http://www.spamcop.net/sc?id=z5818554190zd...c067ab93362471z

http://www.spamcop.net/sc?id=z5818831194z8...8dfe9f861e4a6az

[Farelf]

Keep reporting! - and add the abuse[at]level3.com report address for those in the NAC allocation if SC still shows "no reporting address" there.

[MoviePostersEtc]

We are getting two to three of these a day as well. The thing we notice is that the email address always has a different name before the [at]. We sell movie posters, and have noticed that all of these spam emails we have been receiving are addressed to movie stars such as Robert De Niro, so the email address will read rdeniro[at]moviepostersetc.com or Marilyn Monroe, and the email address will be marilynmonroe[at]moviepostersetc.com.

It seems as if some robot is just pulling random names from our site, and creating email addresses for them using our domain as the stem. Unfortunately, our email account is catching all of these emails. The emails are coming from various domains, and don't seem to have any purpose whatsoever, unless they are phishing for valid email addresses and see what bounces back and what sticks.

The latest email we received was addressed to actor Gary Oldman. Below is the source information.

Received: (qmail 4109 invoked by uid 30297); 22 Mar 2014 20:10:40 -0000

Received: from unknown (HELO m1pismtp01-033.prod.mesa1.secureserver.net) ([10.8.12.55])

(envelope-sender <Jim[at]openames.com>)

by p3plsmtp18-05.prod.phx3.secureserver.net (qmail-1.03) with SMTP

for <goldman[at]moviepostersetc.com>; 22 Mar 2014 20:10:40 -0000

X-IronPort-Anti-spam-Result: AvsXAF3tLVNAFbcwUGdsb2JhbABZgwaHK7ZyhV0DgRcWAwEBFgoLCA8CK4JmJS8UExMhNBoTEYdonFWPXaFxkzkEiVKFaokNkEWFOh0

Received: from mail.openames.com ([64.21.183.48])

by m1pismtp01-033.prod.mesa1.secureserver.net with ESMTP; 22 Mar 2014 13:10:40 -0700

Received: from 71178582.openames.com

by mail.openames.com (Merak 8.9.1) with ASMTP id IXG43330

for <goldman[at]moviepostersetc.com>; Sat, 22 Mar 2014 13:10:30 -0700

Return-Path: Jim[at]openames.com

Message-ID: <20140322131025.6b2b2e2f6e[at]4e4e>

From: "Jim Jones" <Jim[at]openames.com>

To: "Gary Oldman" <goldman[at]moviepostersetc.com>

Subject: Will be closed due to bad weather.

Date: Sat, 22 Mar 2014 13:10:25 -0700

X-Priority: 3

X-Mailer: Quick Mailer

MIME-Version: 1.0

Content-Type: text/plain;

charset="us-ascii"

Content-Transfer-Encoding: quoted-printable

X-Nonspam: None

Will be closed due to bad weather.=20

This will be the only notification to goldman[at]moviepostersetc.com and =

disregard if sent to the incorrect individual. Thank you.

[lisati]

We are getting two to three of these a day as well. The thing we notice is that the email address always has a different name before the [at]. We sell movie posters, and have noticed that all of these spam emails we have been receiving are addressed to movie stars such as Robert De Niro, so the email address will read rdeniro[at]moviepostersetc.com or Marilyn Monroe, and the email address will be marilynmonroe[at]moviepostersetc.com.

Spammers are stupid!

On a side note, I had an interesting one coming in to an email address I'd set up as a spam-catcher account for my fictious friend "Hugh" (as in short for "huge <insert-name-of-body-part>"). It claimed to be from Mr Donald Duck. A great opporunity for having a bit of fun. Sadly, I never heard back from them after letting them know I'd consulted with other Disney characters.

[Dynamoo]

Hi all,

If you are interested, I've tracked down who is probably sending the spam and why (written up here).

You'll notice that the spam passes the SPF test for a named server which indicates that spoofing is not taking place, therefore whoever owns the domains is responsible for the spam. But in most cases if you look at the WHOIS details then they don't say very much.

However, a look at historical WHOIS details show either "Biz Summits" (aka BizSummits) or "Michael Price" plus a domain mobilesoft.com which is associated with a business caled MobileBriefs, Inc (which also links to Michael Price").

Michael Price runs BizSummits through a firm called CEOVentures (see his LinkedIn profile at www.linkedin.com/in/michaelprice1). Quite how involved he is in the spamming is uncertain.

Technically, I think what is happening here is that BizSummits are probing mail servers for valid email address formats. For example, they scraped from my website the names "Tony Blair" and "Victor Echo" and attempted to email tony[at] and vecho[at] respectively. Once they have established the email address format then they will probably send more spam to names scraped from the target organisation.

I won't tell you my opinion of BizSummits here!

[Farelf]

Thanks Conrad, interesting indeed. It almost defies belief that someone is spending their own money on such pitiful effort but agree your analysis points that way. We await the further "evolution" of BizSummits' project with bated breath.

[Dynamoo]

Thanks Conrad, interesting indeed. It almost defies belief that someone is spending their own money on such pitiful effort but agree your analysis points that way. We await the further "evolution" of BizSummits' project with bated breath.

The reward is that BizSummits charges $1250 a year to people who sign up, and they do seem to get sign-ups.