forum spammer using my email! please help!!!


raniero

hello

I receive every day ten forum registration confirmation emails with user and password from a spammer that spams forums with a fake Nike shop website.

How can I stop this? It is making me crazy; I can't stop these emails nor filter them out.

please help

Link to comment
Share on other sites

As I understand it you cannot report those requests for confirmation through SpamCop because they are not spam nor, in real terms, misdirected.

It seems like someone or several people using spambot programs intended for SEO have used your e-mail address as a forum registration address. Whether robot or person, this achieves nothing for them in terms of forum registration since the registrations with almost all forums cannot be completed without confirmation. If the spammers have access to your e-mail account, that is a different matter. But perhaps it is malicious, intended only to bombard you with those registration confirmations. Not much you can do if that is the case I think - if the registration confirmations are coming from many different forums, meaning you cannot filter them out by sender, which I understand is the situation. Others may be able to suggest otherwise but I cannot think of a way.

Is the e-mail address receiving this unwelcome attention listed at http://www.stopforumspam.com/search ? If it is then you are already receiving some protection because many forums would be blocking registration attempts using that address - but the question would have to be asked, "How did the spammers register with some forums unless they have access to your e-mail account?"

In any case, you should make sure you change the password of the affected e-mail account - just in case the account has been hacked. In any case also, if it was not malicious, just a "mistake", there is hope it will stop in time. Spambots never tire but their human controllers do.

I think most people in your situation would simply abandon that e-mail address and start using another one.

Link to comment
Share on other sites

As I understand it you cannot report those requests for confirmation through SpamCop because they are not spam nor, in real terms, misdirected.

It seems like someone or several people using spambot programs intended for SEO have used your e-mail address as a forum registration address. Whether robot or person, this achieves nothing for them in terms of forum registration since the registrations with almost all forums cannot be completed without confirmation.

If someone else is using your email address, doesn't that mean it was misdirected?

According to the SpamCop FAQ (http://www.spamcop.net/fom-serve/cache/14.html), a message is reportable if it was not requested (either explicitly or implicitly). This means that unless this was done through a third party (for which you did sign up), it was unsolicited.

Link to comment
Share on other sites

If someone else is using your email address, doesn't that mean it was misdirected?

According to the SpamCop FAQ (http://www.spamcop.net/fom-serve/cache/14.html), a message is reportable if it was not requested (either explicitly or implicitly). This means that unless this was done through a third party (for which you did sign up), it was unsolicited.

Maybe - not so much different to a "misdirected bounce" except the sender (forum) had no way to do anything differently, whereas with a misdirected bounce the sender (mail exchange) has not followed proper procedure - which is correctable.

Forum requests for confirmation are specifically to obtain reassurance about the identity and intention of the supposed membership applicant and would usually be phrased along those lines. Seems a little pointless to smack the sender in the face when it turns out it was all a hoax/mistake on the part of the actual applicant, the very eventuality meant to be revealed by the process.

I guess the rise of forum-spamming robots like XRumer has the potential to change the game beyond anything envisaged when the SC guidelines were written - if they result either inadvertently or maliciously in "mail bombing". I don't know if they can be used that way but see no reason to suppose otherwise. That may or may not be the O/P's circumstance (pending his response) but the potential is there I think, regardless, and shows the futility of trying to address the problem through SC reporting for which there can be no positive outcome.

But it is not my call - perhaps SpamCop staff could clarify/resolve whether or not forum confirmation requests are the sort of "unsolicited" message meant to be addressed in the reporting process?

Link to comment
Share on other sites

<snip>

Forum requests for confirmation are specifically to obtain reassurance about the identity and intention of the supposed membership applicant and would usually be phrased along those lines. Seems a little pointless to smack the sender in the face when it turns out it was all a hoax/mistake on the part of the actual applicant, the very eventuality meant to be revealed by the process.

<snip>

...True, unless the Forum software is sending multiple (more than 1? 2?) requests for a single registration attempt. That would be difficult for most victims to determine; we'd have to see the bodies (and perhaps the internet headers) of all of the confirmation requests to have a chance to determine whether more than one (or two) of them were in response to a single registration.
<snip>

I can't stop these emails nor filter them out

<snip>

...If your e-mail client software is able to filter on content, perhaps you could put in a filter for the name of the forum that is asking you for confirmation. You could also use SpamCop to find the abuse address of the Forum server and send a polite request to them explaining that your e-mail address is being spoofed and asking them to stop sending you confirmation requests.
Link to comment
Share on other sites

I receive 10 mails from 10 different forums every day; every username and password is different, there's no way to filter those mails.

Of course I will never leave this email address; it is really important.

To access my Gmail you need to have my mobile phone for the text message authentication; there's no way to access my email.

This is the website they are spamming all over, of course a fraudulent fake site, really dangerous: ht tp://www.maypole.co.kr/freeruno.asp

This post has been edited by raniero: Jul 15 2013, 04:34 PM US Eastern time

This post has been edited by turetzsr to break link to dangerous web site: Jul 15 2013, 05:23 PM US Eastern time

Link to comment
Share on other sites

<snip>

there's no way to filter those mails

<snip>

ht tp://www.maypole.co.kr/freeruno.asp

...GMail doesn't allow you to filter on body text "maypole.co.kr"? If that's the case, it's not very good, is it? Of course, since it's a free service, I guess there's really little basis to complain....

...Since you left a link to what you yourself acknowledge is a dangerous site, I am taking the liberty of editing your last message to break that link.

Link to comment
Share on other sites

Are we actually talking about forum registration e-mails? We need to see an example. I repeat, Is the e-mail address (the O/P's one being bombed) receiving this unwelcome attention listed at http://www.stopforumspam.com/search ? A very easy thing for the O/P to check (without divulging it in public) - I already know the answer and it is "yes" and there is actual evidence of specific spam activity by someone using that (confirmed) e-mail address and we now have confirmation from the O/P that no-one else could have been operating it. I'm afraid I am smelling some sort of a rat at this stage and banning of the O/P's account here (and other actions) will follow unless there are some pretty darned convincing explanations offered fairly quickly.

Link to comment
Share on other sites

I've just woken up and these are the emails I've found

beattduy,

Благодарим Вас за регистрацию на сайте karizma.ru. Вы можете сейчас войти на ht tp://www.karizma.ru/user используя следующие учетные данные:

имя пользователя: beattduy

пароль: ZVyg9bFy5n

После входа на сайт вы будете перенаправлены на страницу ht tp://www.karizma.ru/user/97286/edit, где можете сменить свой пароль.

Вы так же можете войти, нажав на следующую ссылку или скопировав её в адресную строку браузера: ht tp://www.karizma.ru/user/reset/97286/137...2c9176dac889c35

Это одноразовый вход и воспользоваться им можно лишь однажды.

Рекомендуем сразу после входа изменить свой пароль на тот, который Вы сможете запомнить. Сменить пароль всегда можно на странице ht tp://www.karizma.ru/user/97286/edit

--

С уважением, администрация сайта karizma.ru

ユーザー名: carpinteyroaly

パスワード: Ub85wu*wb00g

こちらでログインできます: ht tp://modelsite.sakura.ne.jp/bbpress/

楽しんでください !

Cher beatnzgt,

Merci de votre inscription sur CVparfait. Vous pouvez à présent vous connecter à ht tp://www.cvparfait.com/user avec le nom d'utilisateur et le mot de passe :

nom d'utilisateur : beatnzgt

mot de passe : 98E3rLcbha

Vous pouvez aussi vous connecter en cliquant sur ce lien ou le copier-coller dans votre navigateur :

ht tp://www.cvparfait.com/user/reset/157631...105a0d7f1e60005

Il s'agit d'une connexion temporaire, elle ne peut être utilisée qu'une fois.

Après vous être connecté, vous serez redirigé vers ht tp://www.cvparfait.com/user/157631/edit pour pouvoir changer votre mot de passe.

-- L'équipe de CVparfait

Your username is: carpinteyroxph

Your password is: Kdsf^V#^EWn1

You can now log in: ht tp://buduwie-mami.ru/bbpress/

Enjoy!

carpinteyrovtr,

Thank you for registering at getwashboardabs.com. You may now log in to ht tp://getwashboardabs.com/user using the following username and password:

username: carpinteyrovtr

password: R3NpkyqH7x

You may also log in by clicking on this link or copying and pasting it in your browser:

ht tp://getwashboardabs.com/user/reset/6036...18a9a229f72b883

This is a one-time login, so it can be used only once.

After logging in, you will be redirected to ht tp://getwashboardabs.com/user/603630/edit so you can change your password.

-- getwashboardabs.com team

ユーザー名: carpinteyrorcq

パスワード: LNuyUefIJ0G8

こちらでログインできます: ht tp://nihon.wroclaw.pl/bbpress/

楽しんでください !

carpinteyrodgj,

感謝你在 åµé”網 網站註冊。你現在可以使用以下的使用者名稱和密碼登入 ht tp://flolac.iis.sinica.edu.tw/lambdawan/zh/user:

使用者名稱: carpinteyrodgj

密碼:yDpbW3qtHy

你也可以點選以下連結、或複製連結並貼到你的瀏覽器網址裡進行登入,這是一次性的登入連結,只能使用一次:

ht tp://flolac.iis.sinica.edu.tw/lambdawan/...b025bf9eb606ddd

在登入後,你會被導入到您的個人帳號介面 ht tp://flolac.iis.sinica.edu.tw/lambdawan/zh/user/59595/edit ,讓你修改密碼。

-- åµé”網

carpinteyrosjs,

Thank you for registering at PromoteGIS. You may now log in to ht tp://promotegis.org/user using the following username and password:

username: carpinteyrosjs

password: f9nGuMgwKG

You may also log in by clicking on this link or copying and pasting it in your browser:

ht tp://promotegis.org/user/reset/129495/13...971ea7316bd39a1

This is a one-time login, so it can be used only once.

After logging in, you will be redirected to ht tp://promotegis.org/user/129495/edit so you can change your password.

Administrator - PromoteGIS

Your username is: carpinteyrovme

Your password is: s19Rfdw5Mjwz

You can now log in: ht tp://ingresscolorado.com/forum/

Enjoy!

carpinteyrorel,

Thank you for registering at DylanSpencerJames. You may now log in by

clicking this link or copying and pasting it to your browser:

ht tp://www.dylanspencerjames.com/user/rese...gwK20he5-oi5srw

This link can only be used once to log in and will lead you to a page where

you can set your password.

After setting your password, you will be able to log in at

ht tp://www.dylanspencerjames.com/user in the future using:

username: carpinteyrorel

password: Your password

-- DylanSpencerJames team

beatfyed,

Благодарим Вас за регистрацию на сайте minbitbu.com. Вы можете сейчас войти на ht tp://minbitbu.com/?q=user используя следующие учетные данные:

имя пользователя: beatfyed

пароль: FDyZq3BMFL

Вы так же можете войти, нажав на следующую ссылку или скопировав её в адресную строку браузера:

ht tp://minbitbu.com/?q=user/reset/35770/13...b58c0c73fc60bbe

Это одноразовый вход и воспользоваться им можно лишь однажды. После входа на сайт вы будете перенаправлены на страницу ht tp://minbitbu.com/?q=user/35770/edit, где можете сменить свой пароль.

-- minbitbu.com team

beatdkgr,

Thank you for registering at local983.org. You may now log in to ht tp://local983.org/user using the following username and password:

username: beatdkgr

password: ProNaj6b5t

You may also log in by clicking on this link or copying and pasting it in your browser:

ht tp://local983.org/user/reset/297694/1373...6b42cbf6633b44b

This is a one-time login, so it can be used only once.

After logging in, you will be redirected to ht tp://local983.org/user/297694/edit so you can change your password.

-- local983.org team

Your username is: beatvsyw

Your password is: !FET&6)iaXcx

You can now log in: ht tp://10minutetrain.com/forum/

Enjoy!

Ваше имя пользователя: carpinteyrocaa

Ваш пароль: 0J9ibc9pQ9tA

Вы можете сейчас войти в систему: ht tp://profaudit.com.ua/forum/

Вперед!

AND MORE, AND COUNTING AND THIS IS ONLY IN THE MORNING... IT WILL KEEP GOING ON ALL THE DAY

This post has been edited by turetzsr to break active hyperlinks Jul 16, 2013, 04:11 PM US Eastern time

Link to comment
Share on other sites

Those passwords should be munged/deleted to prevent account activation by anyone reading your post. You should do that immediately. Looks like one of those venues doesn't bother with validation, which is disappointing but will "cost" them.

Okay, from stopforumspam.com:

beattduy not detected in forum spam.

carpinteyroaly Prolific long-term spammer, uses an unending progression of registration addresses, unlikely to be more than a spambot picking up your address from somewhere. Promotes a variety of links, not just the one you say.

beatnzgt not detected in forum spam.

carpinteyroxph Prolific long-term spammer, similar to carpinteyroaly.

carpinteyrovtr Prolific long-term spammer, similar to carpinteyroaly.

carpinteyrorcq Prolific long-term spammer, similar to carpinteyroaly.

carpinteyrodgj Prolific long-term spammer, similar to carpinteyroaly.

carpinteyrosjs Prolific long-term spammer, similar to carpinteyroaly.

carpinteyrovme Prolific long-term spammer, similar to carpinteyroaly.

carpinteyrorel Prolific long-term spammer, similar to carpinteyroaly.

beatfyed not detected in forum spam.

beatdkgr not detected in forum spam.

beatvsyw not detected in forum spam.

carpinteyrocaa Prolific long-term spammer, similar to carpinteyroaly.

Definitely looks like two spambots have got hold of your address somehow, believing it to be compromised and available for their validation and subsequent use of forum registration for SEO. One of them confines activity to eastern Europe and hasn't yet bumped into stopforumspam reporters.

This is the situation first envisaged and really there seems no way to stop it, even if reported to SpamCop they would have already moved on to register with other forums. Some spambots keep "hammering" the same forums over and over but not these, it seems.

The only solution I could see would be to forward your mail to an account where you CAN filter based on body content. You could then divert any messages with both words "username" and "password" in any of several languages and scripts.

Note the website you nominated as the target for SEO is surely but one of many in a continuing succession. There is no evidence that it is "dangerous" (indeed that is seldom the case with SEO). You make yourself look suspicious when you assert otherwise without foundation - spammers have wars amongst themselves, rival businesses play games, social activists embark on quests to punish those of opposing disposition or activity.

Link to comment
Share on other sites
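
The body-content filter suggested in the post above (divert any message containing both a "username" and a "password" term, in any of several languages and scripts), sketched in Python as an added example that is not part of the original thread. The keyword pairs are taken from the sample messages quoted here; the function names, addresses and sample messages are constructed for illustration. Bodies are MIME-decoded first, because confirmation mail is often sent base64 or quoted-printable encoded and a raw-text match would miss it.

```python
import email
import unicodedata
from email import policy
from email.message import EmailMessage

# (username term, password term) pairs as they appear in the sample
# messages quoted in this thread; extend for other languages as needed.
KEYWORD_PAIRS = {
    "en": ("username", "password"),
    "fr": ("nom d'utilisateur", "mot de passe"),
    "ru": ("имя пользователя", "пароль"),
    "ja": ("ユーザー名", "パスワード"),
    "zh": ("使用者名稱", "密碼"),
}


def normalize(text):
    """Fold case, width variants and typographic apostrophes before matching."""
    text = unicodedata.normalize("NFKC", text).casefold()
    return text.replace("\u2019", "'")


def searchable_text(raw_bytes):
    """Return decoded subject + body, undoing transfer encodings and charsets."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = ""
    if part is not None:
        try:
            body = part.get_content()
        except LookupError:  # unknown charset label: fall back to UTF-8
            body = part.get_payload(decode=True).decode("utf-8", "replace")
    return normalize(f"{msg.get('Subject', '')}\n{body}")


def classify(raw_bytes):
    """Return the language whose username AND password terms both occur, else None."""
    text = searchable_text(raw_bytes)
    for lang, (user_term, pass_term) in KEYWORD_PAIRS.items():
        if normalize(user_term) in text and normalize(pass_term) in text:
            return lang
    return None


def triage(raw_messages):
    """One verdict per message: a language code means 'divert', None means 'keep'."""
    return [classify(raw) for raw in raw_messages]


def _build(subject, body, cte=None):
    # Constructed sample message; addresses and credentials are placeholders.
    m = EmailMessage()
    m["From"] = "forum@example.org"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content(body, charset="utf-8", cte=cte)
    return m.as_bytes()


def sample_messages():
    """Constructed messages modelled on the formats quoted in the thread."""
    secret = "not-a-real-secret"
    return [
        _build("Forum: Password",
               f"ユーザー名: exampleuser1\nパスワード: {secret}\n", "base64"),
        _build("Учетные данные пользователя",
               f"Ваше имя пользователя: exampleuser2\nВаш пароль: {secret}\n",
               "quoted-printable"),
        _build("Account details",
               f"Your Username is: exampleuser3\nYour Password is: {secret}\n"),
        _build("Inscription",
               f"nom d\u2019utilisateur : exampleuser4\nmot de passe : {secret}\n",
               "quoted-printable"),
        # Ordinary mail that mentions only one of the two terms stays in the inbox.
        _build("Security reminder", "Remember to change your password regularly.\n"),
    ]


if __name__ == "__main__":
    for verdict in triage(sample_messages()):
        print("divert" if verdict else "keep", verdict)
```

Requiring both terms of a pair keeps ordinary mail that merely mentions a password out of the diverted folder.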

Actually I've left the passwords to let others or employees check these accounts for more information, like IP or posts or links, or profile information, as well as links.

As I said, it is totally impossible for anybody to access my account in any way. I have 2-step verification, password and phone message verification, for any access. I've recently changed the password, a really hard password. I've checked the access to my account from the access page in Gmail, and I am the only one accessing my Gmail, only with my IP. Now I've removed any third-party service authorization just to be more sure.

But I think most of the accounts registered are not activated and not used; some of them don't require any activation and those are the ones used. BTW some emails have the same password and no activation link; this means the bot can post without activating.

By the way, I found that fraud site by looking at one of their forum account profiles, and yes, this is of course a fake and totally fraudulent website; a 1-year-old baby would totally understand at first sight. There's no real contact information at all and it is just a page under another brand's (of course fake) website; it's like www.abercrombie.com/prada.htm, are you kidding me? Does this look real in any way to you? My grandmother maybe would fall for it and get robbed, but she does not use a computer. But if you are sure this is a trusted site, go buy some shoes; they, BTW, are almost free, a good deal for you and your credit card, and please, after you get them, tell the owner to stop making me crazy with their tons of spam forum registration mails.

The one thing in common with all those mails is that they are using my email, that is raniero[at]xxxx, with the first letter capitalized; all mail came to Raniero[at]xxxx. I never registered my email this way.

Is there anything I could do? I would just filter all mail from carpinter*, but Gmail has no wildcard search function to set in filters.

Any suggestion or help is really appreciated. This has been giving me problems for at least 3 months; it stopped for one month, I don't know how, but now it has started again, much more than before.

Update: my email has already been blocked as a spam email for a long time; I just understand now why I've been denied for more than a year when I've tried to register in some forums. BTW this is okay, I don't care; I would prefer first of all to stop these emails and the spam from my email address.

Link to comment
Share on other sites

carpinteyrosjs,

Thank you for registering at xxxxxx. You may now log in to http://xxxxx.org/user using the following username and password:

username: carpintxxosjs

password: f9nGuxxwKG

I think we are misreading the type of email being received by the OP. I think these are spam with the payload delivered when you go to the "Forum", in the above example, http://xxxx.org/user.

In my experience, forums and mailing lists that use a double opt-in do not include user/login name and password in the email requesting confirmation.

The examples look more like email generated when you open an account at a business; they want it to be simple, with a low rejection rate. There is low risk for the business - you don't post anything others can see, you may spend money.

As stated earlier, without seeing the headers we can't tell where these emails really came from.

Link to comment
Share on other sites

OK, these are some headers; I've starred my email address. If I forgot some, don't quote them, thanks.

Delivered-To: ****[at]gmail.com

Received: by 10.58.45.230 with SMTP id q6csp218168vem;

Tue, 16 Jul 2013 05:25:24 -0700 (PDT)

X-Received: by 10.180.108.129 with SMTP id hk1mr948353wib.42.1373977523731;

Tue, 16 Jul 2013 05:25:23 -0700 (PDT)

Return-Path: <info[at]youelect.org.uk>

Received: from server62.donhost.co.uk (server62.donhost.co.uk. [81.21.75.93])

by mx.google.com with SMTP id mx14si493841wic.74.2013.07.16.05.25.23

for <***[at]gmail.com>;

Tue, 16 Jul 2013 05:25:23 -0700 (PDT)

Received-SPF: neutral (google.com: 81.21.75.93 is neither permitted nor denied by best guess record for domain of info[at]youelect.org.uk) client-ip=81.21.75.93;

Authentication-Results: mx.google.com;

spf=neutral (google.com: 81.21.75.93 is neither permitted nor denied by best guess record for domain of info[at]youelect.org.uk) smtp.mail=info[at]youelect.org.uk

Received: (qmail 47350 invoked by uid 314552); 16 Jul 2013 12:25:23 -0000

To: ***[at]gmail.com

Subject: YouElect Community Forums: Password

Date: Tue, 16 Jul 2013 13:25:23 +0100

From: YouElect Community Forums <info[at]youelect.org.uk>

Message-ID: <8b4d4776f090896581339877c5fc4823[at]youelect.org.uk>

X-Priority: 3

X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version 2.0.4]

MIME-Version: 1.0

Content-Transfer-Encoding: 8bit

Content-Type: text/plain; charset="UTF-8"

X-DHSource: /domains/y/o/youelect.org.uk/public_html/community/register.php

X-DHSender: 114.113.229.39

Peace Be Upon You,

Your username is: beatbbvo

Your password is: YU%j8PREsRys

You can now log in: ht tp://youelect.org.uk/community/

Thank you for joining the YouElect community forum.

YouElect Forum Admin

Delivered-To: *****[at]gmail.com

Received: by 10.58.45.230 with SMTP id q6csp214796vem;

Tue, 16 Jul 2013 04:43:27 -0700 (PDT)

X-Received: by 10.14.177.8 with SMTP id c8mr1176073eem.93.1373975006775;

Tue, 16 Jul 2013 04:43:26 -0700 (PDT)

Return-Path: <yselle[at]lighthosting.pl>

Received: from main4.lh.pl ([89.146.199.176])

by mx.google.com with ESMTP id g8si908203eet.333.2013.07.16.04.43.26

for <****[at]gmail.com>;

Tue, 16 Jul 2013 04:43:26 -0700 (PDT)

Received-SPF: pass (google.com: domain of yselle[at]lighthosting.pl designates 89.146.199.176 as permitted sender) client-ip=89.146.199.176;

Authentication-Results: mx.google.com;

spf=pass (google.com: domain of yselle[at]lighthosting.pl designates 89.146.199.176 as permitted sender) smtp.mail=yselle[at]lighthosting.pl

Received: by main4.lh.pl (Postfix, from userid 1241)

id 4BEF71815B; Tue, 16 Jul 2013 13:43:26 +0200 (CEST)

To: ****[at]gmail.com

Subject: Account details for carpinteyroada at XenaPedia

X-PHP-Script: yselle.lh.pl/xenapedia/index.php for 218.104.148.157

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8; format=flowed; delsp=yes

Content-Transfer-Encoding: 8Bit

X-Mailer: Drupal

Errors-To: yselle[at]interia.pl

Sender: yselle[at]interia.pl

From: yselle[at]interia.pl

Message-Id: <20130716114326.4BEF71815B[at]main4.lh.pl>

Date: Tue, 16 Jul 2013 13:43:26 +0200 (CEST)

Delivered-To: *****[at]gmail.com

Received: by 10.58.45.230 with SMTP id q6csp190454vem;

Mon, 15 Jul 2013 22:46:26 -0700 (PDT)

X-Received: by 10.14.251.73 with SMTP id a49mr62353742ees.45.1373953585626;

Mon, 15 Jul 2013 22:46:25 -0700 (PDT)

Return-Path: <www-data[at]xmasters.ru>

Received: from xmasters.ru ([95.169.184.16])

by mx.google.com with ESMTP id i41si30886614eev.124.2013.07.15.22.46.25

for <****[at]gmail.com>;

Mon, 15 Jul 2013 22:46:25 -0700 (PDT)

Received-SPF: temperror (google.com: error in processing during lookup of www-data[at]xmasters.ru: DNS timeout) client-ip=95.169.184.16;

Authentication-Results: mx.google.com;

spf=temperror (google.com: error in processing during lookup of www-data[at]xmasters.ru: DNS timeout) smtp.mail=www-data[at]xmasters.ru

Received: by xmasters.ru (Postfix, from userid 33)

id 021B520122A; Tue, 16 Jul 2013 07:46:24 +0200 (CEST)

To: ****[at]gmail.com

Subject: =?UTF-8?B?0KPRh9C10YLQvdGL0LUg0LTQsNC90L3Ri9C1INC/0L7Qu9GM0LfQvtCy0LDRgg==?= =?UTF-8?B?0LXQu9GPIGNhcnBpbnRleXJvb scri_pt: 0:mail.inc

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8; format=flowed; delsp=yes

Content-Transfer-Encoding: 8Bit

X-Mailer: Drupal

Errors-To: info[at]iqgorod.ru

Sender: info[at]iqgorod.ru

Reply-To: info[at]iqgorod.ru

From: info[at]iqgorod.ru

Message-Id: <20130716054625.021B520122A[at]xmasters.ru>

Date: Tue, 16 Jul 2013 07:46:24 +0200 (CEST)

Delivered-To: ******[at]gmail.com

Received: by 10.58.45.230 with SMTP id q6csp188172vem;

Mon, 15 Jul 2013 22:11:28 -0700 (PDT)

X-Received: by 10.66.5.195 with SMTP id u3mr815491pau.79.1373951488623;

Mon, 15 Jul 2013 22:11:28 -0700 (PDT)

Return-Path: <modelsite[at]www1932.sakura.ne.jp>

Received: from www1932.sakura.ne.jp (www1932.sakura.ne.jp. [59.106.27.172])

by mx.google.com with ESMTPS id ie10si34536928pbc.251.2013.07.15.22.11.27

for <*****[at]gmail.com>

(version=TLSv1 cipher=RC4-SHA bits=128/128);

Mon, 15 Jul 2013 22:11:28 -0700 (PDT)

Received-SPF: pass (google.com: best guess record for domain of modelsite[at]www1932.sakura.ne.jp designates 59.106.27.172 as permitted sender) client-ip=59.106.27.172;

Authentication-Results: mx.google.com;

spf=pass (google.com: best guess record for domain of modelsite[at]www1932.sakura.ne.jp designates 59.106.27.172 as permitted sender) smtp.mail=modelsite[at]www1932.sakura.ne.jp

Received: from www1932.sakura.ne.jp (localhost [127.0.0.1])

by www1932.sakura.ne.jp (8.14.3/8.14.3) with ESMTP id r6G5BQLi091285

for <Raniero[at]gmail.com>; Tue, 16 Jul 2013 14:11:26 +0900 (JST)

(envelope-from modelsite[at]www1932.sakura.ne.jp)

Received: (from modelsite[at]localhost)

by www1932.sakura.ne.jp (8.14.3/8.14.3/Submit) id r6G5BQDq091284;

Tue, 16 Jul 2013 14:11:26 +0900 (JST)

(envelope-from modelsite)

To: *****[at]gmail.com

Subject: Forum: Password

Date: Tue, 16 Jul 2013 14:11:26 +0900

From: Forum <takeda[at]at-factory.com>

Message-ID: <c8f474cb48025cb66f2a9756f095b1ac[at]modelsite.sakura.ne.jp>

X-Priority: 3

X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version 2.0.4]

MIME-Version: 1.0

Content-Transfer-Encoding: 8bit

Content-Type: text/plain; charset="UTF-8"

ユーザー名: carpinteyroaly

パスワード: Ub85wu*wb00g

こちらでログインできます: ht tp://modelsite.sakura.ne.jp/bbpress/

楽しんでください !

This post has been edited by turetzsr to break active hyperlinks Jul 16, 2013, 04:11 PM US Eastern time

Link to comment
Share on other sites

A couple of those are easily resolved to supposed forum senders:

YouElect Community Forums

C:\Documents and Settings\Admin>nslookup youelect.org.uk

x

x

Non-authoritative answer:

Name: youelect.org.uk

Address: 81.21.75.93

modelsite.sakura.ne.jp

C:\Documents and Settings\Admin>nslookup -type=mx modelsite.sakura.ne.jp

x

x

Non-authoritative answer:

modelsite.sakura.ne.jp MX preference = 10, mail exchanger = modelsite.sakura.ne.jp

modelsite.sakura.ne.jp internet address = 59.106.27.172

I think, on balance of probability, the messages are all [forum/some sort of] registrations as represented, rather than some sort of spam lure to exploit sites in the usual sense - though they could be deceptive/scam sites, as suggested. How an open and functioning scam site could long survive on the internet is another question.

raniero - it takes only one instance of that address, in clear, on the internet anywhere, to be scraped. Google for that capitalised variation of your address and you will find it somewhere. Alternatively it might have been "guessed". The scam site scenario is looking like the only one that makes any real sense, in the absence of any hacking of the e-mail account. That has not been a widely-reported form of scam, accordingly the apparent scale of it you are seeing (so many different registrations) should have set more alarm bells ringing than has been the case to date. That side of it doesn't make sense. Not that any spam makes a lot of sense.

Anyway, for suggestions - any thoughts on specifics as to how a gmail account can be handled to divert these messages from user inbox? Mailwasher? Some body text keywords noted in my previous (with luck common to maybe 80%, unfortunately though, in several/many different languages). Seems like SC reporting might be valid after all - but SCBL listing unlikely unless this becomes much more widespread. SC reports to ISPs might do some good but experience indicates this would be limited, which might be especially so if it is out of the "ordinary" line of spam.

Link to comment
Share on other sites

Hi, raniero,

...For the third time, I have had to edit your posts to remove live hyperlinks. Please be sure in future that your posts do not contain live hyperlinks. The easiest way to do that is to simply be sure that none of the text you copy into the Forum form contains any URLs. If you must post URLs, an easy way to ensure that they are not live is to go through your post before you click the "add reply" button and put a space somewhere within all of the "http" strings -- also be sure to remove any "BB Code" that was inserted by the Forum software on your behalf. Thank you for your understanding and compliance.

Link to comment
Share on other sites

<snip>

There's no authority I can file for this? And this is not a crime?

...All you need to do is to identify the criminal, find a law under which to charge her or him (I would suggest grand theft [of internet service and disk space]), find a legal authority or advocate willing to file charges, a judge willing to hear the case and a jury to convict (assuming you do so in a country that has a trial and jury system for criminal activity). My guess is that you are unlikely to succeed in any of these areas unless you can find a very inventive legal counsel who is either given to blind leaps of optimism or doesn't much care whether she or he wins or loses the case, and not on the last two prerequisites.
Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
