IrvSp

  1. I keep getting stuff 2 or 3 a day. SPAMCOP reports go into DEVNULL so it probably is worthless reporting it? Spammer does use other ISP occasionally. The header IS forged like this from a few from last week:

     Received: from [138.128.73.39] ([138.128.73.39:60440] helo=cystolgrantlamhell.com)
     Received: from [144.168.154.248] ([144.168.154.248:44809] helo=mcmarsbachmcguizeshunt.com)
     Received: from [85.217.132.83] ([85.217.132.83:36534] helo=rochstaeusstritrelph.com)
     Received: from [104.144.114.7] ([104.144.114.7:39204] helo=kraekdorfhmonsgermfeldt.com)
     Received: from [23.250.48.158] ([23.250.48.158:33696] helo=chuchtabhywzornfrees.com)
     Received: from [85.217.138.125] ([85.217.138.125:41478] helo=moanpeakjezshiftbrook.com
     Received: from [185.5.119.252] ([185.5.119.252:55850] helo=lomslncermannlouan.com)
     Received: from [104.144.122.129] ([104.144.122.129:55391] helo=labwetchquicjel.com)
     Received: from [50.3.123.91] ([50.3.123.91:50110] helo=kraekdorfhmonsgermfeldt.com)
     Received: from [188.191.150.163] ([188.191.150.163:38151] helo=skeadungthiefjephiatt.com)

     The root problem is that I don't know what the payload is. I get 2 types, the BITLY and the ones I can't even figure out? BITLY is just a link. The few times I used the iPad to see it it was something to purchase and appeared to be a real PNG copied over, but those links using the PNG links on it also appeared to be real? Couldn't really tell as I never took any. Suspect they are using the 'from' to get a partial cent for referring you to the site. The worrisome one is this, from the last line email above in RED:

     ============
     <a href="http://spurtvilsnogdpierdrach.tk/20629772k77f1449977?sf=5836412,2645245,3166672547,1538181&eb=my email address">
     <img src="http://spurtvilsnogdpierdrach.tk/images/6633815925.png" border="0" />
     </a>
     ==========

     I know from the last line above it translates into 188.191.150.163 where it will go to. However what exactly is the rest of the line, 20629772k77f1449977?sf=5836412,2645245,3166672547,1538181&eb=my email address, and why is my e-mail address on it? I can't find ANY information on that? Since it is in HTML code when Thunderbird sucks it in it will basically execute that code, and I'll see the PNG file. I'm worried about some malware coming in with it due to the href?
  2. I looked at a few of these today. All have the SAME info at the bottom. Yes, I know it is part of the JPG it seems, and it does link off to a slightly different ending on the URL line, but I googled part of it, "8123 Interport Blvd Englewood, CO 80112" and added spam to it. I was SURPRISED at all the HITS I got... it seems to be the 'home' for many different companies posting. Why can't this information help stop this? Of course that link it does go to might not be them at all either???
  3. Well, something must have got to them? About a week ago it stopped.... 2 weeks ago I started sending them to my ISP's spam Handler... well it was short lived... started up again yesterday. About all I can tell is they changed the end part of the URL from .party/ to .stream/. I guess it is hard to stop whoever it is? Shut them down and they come right back... Sigh... Surely there must be a way? Even adding SERVERHUB to a black list maybe?
  4. I'm getting 3 to 5 of these a day for 2 months now. They have fake YAHOO.COM e-mail addresses, the subjects are about products. Every one of them when I look at the contents are for images that have many different letter combinations but ALL have .party/ as the last part of the image location. For instance, this one:

     http;\\peltbangswiestdaunt,party/up0hlwvwsaae/19915641k140e2002308/t5s0gbrvgx7j

     Others inside have other confusing ones to me but do INCLUDE my e-mail address:

     <img src="http;\\peltbangswiestdaunt,party/19915644k140e2002308?eb=i******@****r.com" />

     I assume that is how they can track me? A typical SpamCop report always comes back as it is coming from SERVERHUB.COM? Don't know how it made that connection? After the report is sent, I can see this on SPAMCOP: https://www.spamcop.net/sc?id=z6354566965z58e6e1b554cd81aafb9894c99b1451dcz

     The HEADER for that one is:

     ================
     Return-Path: <yunkovalcik8829@yahoo.com>
     Authentication-Results: cdptpa-imsmta06 header.DKIM-Signature=@yahoo.com; dkim=pass
     Received: from [98.138.207.12] ([98.138.207.12:34600] helo=smtp105.biz.mail.ne1.yahoo.com) by cdptpa-imsmta06 (envelope-from <yunkovalcik8829@yahoo.com>) (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ESMTPS (cipher=DHE-RSA-CAMELLIA256-SHA) id 0F/76-13528-E3EED885; Sun, 29 Jan 2017 13:29:34 +0000
     Received: (qmail 97002 invoked from network); 29 Jan 2017 13:16:18 -0000
     DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1485695778; bh=gGfWdN6RC3yXfNbEMYT3J+OEY8eZa0S9LXQ4MtN0QVY=; h=Message-ID:Date:From:To:Subject:Content-Type; b=MITSLzafvddVfXxZCb7cwA4j2noD18AN7IoQ+1gf8W7p0zo7M1RDln3fMcaPvl9434ALsXOzCMbiMKbygmOouEW5f+TBx1pAsN9s5fRLi81qB5ktGuJO4SyxvhzZ/1gk+AtmiOWWyrUAyua/8aaPVC3lXihvbFsYPe/jBMlChno=
     Message-ID: <55380.49272.qm@smtp105.biz.mail.ne1.yahoo.com>
     Date: Sun, 29 Jan 2017 13:16:18 +0000 (UTC)
     X-Yahoo-Newman-Property: ymail-3
     X-YMail-OSG: tqWQH_YVM1n8jsE2uLp2bRKDjph5McZuBA63MHzD_EY_TtK 3x5eO5aPw53w8JZO4G4EWoyQYYmxTvWMU1I0uXo4buv4Ee0plV2JYbTIeHnU Opt_bzFyw8EK3urTAU2ahvEMaYVs3KkzOwCa4KlHMvev2g2Xt_XfGxNzTpI8 cCY56Hn3Zd.fWk._MXTMtFtzI5sFSGwrd18ecUW3DbXJEWHEG83gRCePh0.I hT0.Ve6YOLTUPWofgYzH.VLTOoDvDuf.oz1cPPWGP5.MSsxoRB1b0wHcQkX. Voq6uw.XORME1VS9SwKWNUNuUHrR1Y5CotefCKcSQ8KBTUmwPF_J7Unh5McW a2PxjhulT3Wstmj73ULIQyQu4Zdnj4ZK8E6NmegsKYC2ryOwyBFJmdfx1hI6 YPBvlAa4lsD1RAIo.gzeMHIKKYNAi.lznal7XEAS1XV.hgtxnMFI.if3NONn bKPezPEQCGcKTWpj5gXvFFLH8LScx6P96D9I4KzCbxL_DEtmUf2LP_Ux1eIj TQdQXLRuEv.y19UAmhqwAYGM1TRt4Tdh23QbD59mUqBAcmxOnj7IkWEjE4DA -
     X-Yahoo-SMTP: LoI572yswBCSbUI_5YkmxJmLSAqIHsv.SzvTWEeVrl.eSN.23aXFE9aQAQqZOiS5QKhCox0-
     From: Senior Living <yunkovalcik8829@yahoo.com>
     To: ispalten@cfl.rr.com
     Subject: Looking for 55+ living in 2017?
     Content-Type: text/html; charset=UTF-8
     X-Authority-Analysis: v=2.1 cv=WtfWSorv c=1 sm=1 tr=0 a=IXwzD+xon/F+YVC+ra/VSA==:117 a=L9H7d07YOLsA:10 a=9cW_t1CCXrUA:10 a=s5jvgZ67dGcA:10 a=IkcTkHD0fZMA:10 a=79YnABSCSewA:10 a=IgFoBzBjUZAA:10 a=FD_G_oyTAAAA:8 a=ayC55rCoAAAA:8 a=fhRY4CD02UBmV23WEHMA:9 a=QEXdDO2ut3YA:10 a=-FEs8UIgK8oA:10 a=NWVoK91CQyQA:10 a=jf6ifqx8wrbFtL1ejoTd:22 a=B_RyunTPg8udlmYm5Cu2:22
     X-Cloudmark-Score: 0
     X-RR-Connecting-IP: 107.14.168.212:25
     =================

     Body contains:

     =============
     <center>
     <a href="http://robhelzlattmoor.party/cdo8ihcq5gai/19915506a176o1118741/k779tlpvbmwx">
     <img src="http://robhelzlattmoor.party/lfyi137qxx3f/mT/g1aa5ie3k95c" border="0" />
     </a>
     <br />
     <a href="http://robhelzlattmoor.party/bge3j39ogj6a/19915507a176o1118741/k0o8j79nl86x">
     <img src="http://robhelzlattmoor.party/9fs59t0qbwrv/6l/59neeq17kf67" border="0" />
     </a>
     <img src="http://robhelzlattmoor.party/415501a176o1118741.gif" />
     <img src="http://robhelzlattmoor.party/19915508a176o1118741?eb=i*******@*****.com" />
     <img src="http://robhelzlattmoor.party/19915509a176o1118741?eb=i*******@*****.com" />
     <img src="http://robhelzlattmoor.party/19915510a176o1118741?eb=i*******@*****.com" />
     <img src="http://robhelzlattmoor.party/19915511a176o1118741?eb=i*******@*****.com" />
     <img src="http://robhelzlattmoor.party/19915512a176o1118741?eb=i*******@*****.com" />
     <img src="http://robhelzlattmoor.party/19915513a176o1118741?eb=i*******@*****.com" />
     <img src="http://robhelzlattmoor.party/19915514a176o1118741?eb=i*******@*****.com" />
     <img src="http://robhelzlattmoor.party/19915515a176o1118741?eb=i*******@*****.com" />
     ==============

     So basically I have 2 questions?

     1) How does this all translate into SERVERHUB.COM as the 'sender' to be reported to?

     2) Why are the reports being ignored? I've even used my ISP's spam REPORTING and it still had not stopped? My ISP does have spam Filters, but only back on FROM and blocking all YAHOO.COM doesn't help me.
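
A way to check a message body for the pattern described in the posts above, where image URLs carry the recipient's address in an `eb=` parameter. This is an added example, not part of the original posts; the host `tracker.example`, the sample address and all function names are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

EMAIL_RE = re.compile(r"[^@\s=&]+@[^@\s=&]+\.[A-Za-z]{2,}")

# Constructed sample modelled on the body layout quoted in the posts; the
# host and the address are placeholders, not values taken from the page.
SAMPLE_BODY = """<center>
<a href="http://tracker.example/abc123/100a1o2/xyz">
<img src="http://tracker.example/img/6l/59ne" border="0" /></a>
<img src="http://tracker.example/100a1o2.gif" />
<img src="http://tracker.example/101a1o2?eb=user@example.com" />
<img src="http://tracker.example/102a1o2?sf=1,2,3&eb=user@example.com" />
</center>"""

class RemoteRefCollector(HTMLParser):
    """Collect (tag, url) for every http(s) href/src attribute in the body."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            remote = (value or "").lower().startswith(("http://", "https://"))
            if name in ("href", "src") and remote:
                self.refs.append((tag, value))

def analyse_body(html):
    """Return one record per remote reference, with beacon indicators."""
    collector = RemoteRefCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.refs:
        parts = urlsplit(url)
        findings.append({
            "host": parts.hostname,
            "tag": tag,
            # <img> is requested when the message is displayed; <a> on click.
            "auto_loaded": tag == "img",
            # Query parameters whose value looks like an e-mail address.
            "recipient_params": [k for k, v in parse_qsl(parts.query)
                                 if EMAIL_RE.fullmatch(v)],
            "url": url,
        })
    return findings

def beacons(findings):
    """References that load on display and also identify the recipient."""
    return [f for f in findings if f["auto_loaded"] and f["recipient_params"]]
```

A mail client that blocks remote content never issues the `auto_loaded` requests, so these beacons only report back when remote images are allowed for the message.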