IrvSp

SERVERHUB flooding me as if it comes from Yahoo


I'm getting 3 to 5 of these a day for 2 months now.

They have fake YAHOO.COM e-mail addresses, the subjects are about products. Every one of them, when I look at the contents, is for images that have many different letter combinations but ALL have .party/ as the last part of the image location. For instance, this one:

http;\\peltbangswiestdaunt,party/up0hlwvwsaae/19915641k140e2002308/t5s0gbrvgx7j

Others inside have other confusing ones to me but do INCLUDE my e-mail address:

<img src="http;\\peltbangswiestdaunt,party/19915644k140e2002308?eb=i******@****r.com" />

I assume that is how they can track me?

A typical SpamCop report always comes back as it is coming from SERVERHUB.COM? Don't know how it made that connection?

After the report is sent, I can see this on SPAMCOP:

https://www.spamcop.net/sc?id=z6354566965z58e6e1b554cd81aafb9894c99b1451dcz

The HEADER for that one is:

================

Return-Path: <yunkovalcik8829@yahoo.com>
Authentication-Results: cdptpa-imsmta06 header.DKIM-Signature=@yahoo.com; dkim=pass
Received: from [98.138.207.12] ([98.138.207.12:34600] helo=smtp105.biz.mail.ne1.yahoo.com)
    by cdptpa-imsmta06 (envelope-from <yunkovalcik8829@yahoo.com>)
    (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ESMTPS (cipher=DHE-RSA-CAMELLIA256-SHA)
    id 0F/76-13528-E3EED885; Sun, 29 Jan 2017 13:29:34 +0000
Received: (qmail 97002 invoked from network); 29 Jan 2017 13:16:18 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1485695778; bh=gGfWdN6RC3yXfNbEMYT3J+OEY8eZa0S9LXQ4MtN0QVY=; h=Message-ID:Date:From:To:Subject:Content-Type; b=MITSLzafvddVfXxZCb7cwA4j2noD18AN7IoQ+1gf8W7p0zo7M1RDln3fMcaPvl9434ALsXOzCMbiMKbygmOouEW5f+TBx1pAsN9s5fRLi81qB5ktGuJO4SyxvhzZ/1gk+AtmiOWWyrUAyua/8aaPVC3lXihvbFsYPe/jBMlChno=
Message-ID: <55380.49272.qm@smtp105.biz.mail.ne1.yahoo.com>
Date: Sun, 29 Jan 2017 13:16:18 +0000 (UTC)
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: tqWQH_YVM1n8jsE2uLp2bRKDjph5McZuBA63MHzD_EY_TtK
 3x5eO5aPw53w8JZO4G4EWoyQYYmxTvWMU1I0uXo4buv4Ee0plV2JYbTIeHnU
 Opt_bzFyw8EK3urTAU2ahvEMaYVs3KkzOwCa4KlHMvev2g2Xt_XfGxNzTpI8
 cCY56Hn3Zd.fWk._MXTMtFtzI5sFSGwrd18ecUW3DbXJEWHEG83gRCePh0.I
 hT0.Ve6YOLTUPWofgYzH.VLTOoDvDuf.oz1cPPWGP5.MSsxoRB1b0wHcQkX.
 Voq6uw.XORME1VS9SwKWNUNuUHrR1Y5CotefCKcSQ8KBTUmwPF_J7Unh5McW
 a2PxjhulT3Wstmj73ULIQyQu4Zdnj4ZK8E6NmegsKYC2ryOwyBFJmdfx1hI6
 YPBvlAa4lsD1RAIo.gzeMHIKKYNAi.lznal7XEAS1XV.hgtxnMFI.if3NONn
 bKPezPEQCGcKTWpj5gXvFFLH8LScx6P96D9I4KzCbxL_DEtmUf2LP_Ux1eIj
 TQdQXLRuEv.y19UAmhqwAYGM1TRt4Tdh23QbD59mUqBAcmxOnj7IkWEjE4DA
 -
X-Yahoo-SMTP: LoI572yswBCSbUI_5YkmxJmLSAqIHsv.SzvTWEeVrl.eSN.23aXFE9aQAQqZOiS5QKhCox0-
From: Senior Living <yunkovalcik8829@yahoo.com>
To: ispalten@cfl.rr.com
Subject: Looking for 55+ living in 2017?
Content-Type: text/html; charset=UTF-8
X-Authority-Analysis: v=2.1 cv=WtfWSorv c=1 sm=1 tr=0 a=IXwzD+xon/F+YVC+ra/VSA==:117 a=L9H7d07YOLsA:10 a=9cW_t1CCXrUA:10 a=s5jvgZ67dGcA:10 a=IkcTkHD0fZMA:10 a=79YnABSCSewA:10 a=IgFoBzBjUZAA:10 a=FD_G_oyTAAAA:8 a=ayC55rCoAAAA:8 a=fhRY4CD02UBmV23WEHMA:9 a=QEXdDO2ut3YA:10 a=-FEs8UIgK8oA:10 a=NWVoK91CQyQA:10 a=jf6ifqx8wrbFtL1ejoTd:22 a=B_RyunTPg8udlmYm5Cu2:22
X-Cloudmark-Score: 0
X-RR-Connecting-IP: 107.14.168.212:25

=================

Body contains:

=============

<center>
<a href="http://robhelzlattmoor.party/cdo8ihcq5gai/19915506a176o1118741/k779tlpvbmwx">
<img src="http://robhelzlattmoor.party/lfyi137qxx3f/mT/g1aa5ie3k95c" border="0" />
</a>
<br />
<a href="http://robhelzlattmoor.party/bge3j39ogj6a/19915507a176o1118741/k0o8j79nl86x">
<img src="http://robhelzlattmoor.party/9fs59t0qbwrv/6l/59neeq17kf67" border="0" />
</a><img src="http://robhelzlattmoor.party/415501a176o1118741.gif" /><img src="http://robhelzlattmoor.party/19915508a176o1118741?eb=i*******@*****.com" /><img src="http://robhelzlattmoor.party/19915509a176o1118741?eb=i*******@*****.com" /><img src="http://robhelzlattmoor.party/19915510a176o1118741?eb=i*******@*****.com" /><img src="http://robhelzlattmoor.party/19915511a176o1118741?eb=i*******@*****.com" /><img src="http://robhelzlattmoor.party/19915512a176o1118741?eb=i*******@*****.com" /><img src="http://robhelzlattmoor.party/19915513a176o1118741?eb=i*******@*****.com" /><img src="http://robhelzlattmoor.party/19915514a176o1118741?eb=i*******@*****.com" /><img src="http://robhelzlattmoor.party/19915515a176o1118741?eb=i*******@*****.com" />

==============

So basically I have 2 questions?

1) How does this all translate into SERVERHUB.COM as the 'sender' to be reported to?

2) Why are the reports being ignored?

I've even used my ISP's spam REPORTING and it still had not stopped? My ISP does have spam Filters, but only back on FROM and blocking all YAHOO.COM doesn't help me.

 


Welcome to the SpamCop forum.

Please note that I have broken the first link in your post. 

  • Not knowing what the spammer now has at the end of this link OR may have in the future, I do not want to follow the link. Nor does SpamCop want to have what may be a poisonous link in this forum that some visitor could follow to disastrous results.
  • We do not want a link on this forum to assist a spammer get better SEO ratings by having references to their domain.

Thank you for providing a Tracking URL as an example of the spam you are addressing. By providing the Tracking URL, all of us can see the spam, and how the SpamCop parser processed your submission, without you copying the spam into your post.

I notice the spam cut/pasted into your post is not the same as the Tracking URL.

8 hours ago, IrvSp said:

1) How does this all translate into SERVERHUB.COM as the 'sender' to be reported to?

If you will look near the bottom of the results of parsing the spam you will see

Quote

[report history]
Host robhelzlattmoor.party (checking ip) = 104.140.17.220
Resolves to 104.140.17.220
Routing details for 104.140.17.220
Using smaller IP block (/ 11 vs. / 16 )
Removing 1 larger (> / 11 ) route(s) from cache
[refresh/show] Cached whois for 104.140.17.220 : noc@serverhub.com
Using abuse net on noc@serverhub.com
abuse net serverhub.com = admin@serverhub.com, postmaster@serverhub.com
Using best contacts admin@serverhub.com postmaster@serverhub.com
admin@serverhub.com redirects to spamcop@serverhub.com
postmaster@serverhub.com redirects to spamcop@serverhub.com

 

 

Which explains why reports were sent to SERVERHUB.COM, because they host a link included in the body of the spam, not because they sent the spam.

Looking at the bottom of the results you will see

Quote

Re: 98.138.207.12 (Administrator of network where email originates)

Internal spamcop handling: (yahoo)

Which tells us that the IP address where the spam originated, is controlled by Yahoo, and SpamCop does not send them spam reports.

 

8 hours ago, IrvSp said:

2) Why are the reports being ignored?

Because they are spammers and they don't care.

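Added example, not part of either post and not SpamCop's code: the reply above separates the network that sent the mail (taken from the Received header) from the network hosting the links in the body, and the first post asks about the `eb=` image URLs. This sketch pulls all three out of one message; the sample message, hostnames and IP are constructed placeholders, and the DNS and whois lookups that turn a link host into an abuse contact are left out so it runs offline.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit, parse_qs

# Constructed sample shaped like the message in the thread (placeholder names and IP).
SAMPLE = """\
Return-Path: <sender@webmail.example>
Received: from [192.0.2.12] ([192.0.2.12:34600] helo=smtp105.webmail.example)
    by mx.isp.example with ESMTPS; Sun, 29 Jan 2017 13:29:34 +0000
Received: (qmail 97002 invoked from network); 29 Jan 2017 13:16:18 -0000
From: Senior Living <sender@webmail.example>
To: user@isp.example
Content-Type: text/html; charset=UTF-8

<a href="http://links.example/cdo8/19915506a176o1118741/k779">
<img src="http://links.example/lfyi/mT/g1aa" border="0" /></a>
<img src="http://links.example/19915508a176o1118741?eb=user@isp.example" />
"""
MSG = message_from_string(SAMPLE)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})[\]:]")
URL_RE = re.compile(r'(?:href|src)="([^"]+)"', re.I)

def origin_ip(msg):
    """Connecting IP from the topmost Received line (written by the recipient's server)."""
    hops = msg.get_all("Received", [])
    m = IP_RE.search(hops[0]) if hops else None
    return m.group(1) if m else None

def body_urls(msg):
    return URL_RE.findall(msg.get_payload())

def link_hosts(msg):
    """Hosts referenced by the body; these get their own reports, separate from the sender."""
    return {urlsplit(u).hostname for u in body_urls(msg)} - {None}

def beacons(msg):
    """(host, parameter) pairs whose query string carries the recipient's address."""
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    hits = []
    for u in body_urls(msg):
        parts = urlsplit(u)
        for name, values in parse_qs(parts.query).items():
            if rcpt and any(rcpt in v.lower() for v in values):
                hits.append((parts.hostname, name))
    return hits

if __name__ == "__main__":
    print(origin_ip(MSG), link_hosts(MSG), beacons(MSG))
```

A mail client that does not load remote images never requests the URLs that `beacons` flags.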
