IrvSp

Flooded by a spammer, most from ServerMania

2 posts in this topic

I keep getting stuff, 2 or 3 a day. SpamCop reports go into DEVNULL, so it is probably worthless reporting it? The spammer does use other ISPs occasionally.

The header IS forged, like this from a few from last week:


Received: from [138.128.73.39] ([138.128.73.39:60440] helo=cystolgrantlamhell.com)
Received: from [144.168.154.248] ([144.168.154.248:44809] helo=mcmarsbachmcguizeshunt.com)
Received: from [85.217.132.83] ([85.217.132.83:36534] helo=rochstaeusstritrelph.com)
Received: from [104.144.114.7] ([104.144.114.7:39204] helo=kraekdorfhmonsgermfeldt.com)
Received: from [23.250.48.158] ([23.250.48.158:33696] helo=chuchtabhywzornfrees.com)
Received: from [85.217.138.125] ([85.217.138.125:41478] helo=moanpeakjezshiftbrook.com)
Received: from [185.5.119.252] ([185.5.119.252:55850] helo=lomslncermannlouan.com)
Received: from [104.144.122.129] ([104.144.122.129:55391] helo=labwetchquicjel.com)
Received: from [50.3.123.91] ([50.3.123.91:50110] helo=kraekdorfhmonsgermfeldt.com)
Received: from [188.191.150.163] ([188.191.150.163:38151] helo=skeadungthiefjephiatt.com)

The root problem is that I don't know what the payload is. I get 2 types, the BITLY ones and the ones I can't even figure out. BITLY is just a link. The few times I used the iPad to see it, it was something to purchase and appeared to be a real PNG copied over, but the links using the PNG on it also appeared to be real? Couldn't really tell, as I never took any. I suspect they are using the 'from' to get a partial cent for referring you to the site. The worrisome one is this, from the last-line email above in RED:

============
<a href="http://spurtvilsnogdpierdrach.tk/20629772k77f1449977?sf=5836412,2645245,3166672547,1538181&eb=my email address">
<img src="http://spurtvilsnogdpierdrach.tk/images/6633815925.png" border="0" />
</a>
==========

I know from the last line above that it translates into 188.191.150.163, where it will go to. However, what exactly is the rest of the line, 20629772k77f1449977?sf=5836412,2645245,3166672547,1538181&eb=my email address, and why is my e-mail address on it? I can't find ANY information on that. Since it is in HTML code, when Thunderbird sucks it in it will basically execute that code, and I'll see the PNG file. I'm worried about some malware coming in with it due to the href?
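As an added example (not from the original post, and not SpamCop's code), the following Python script takes the Received lines and the HTML snippet above, with the recipient address replaced by the constructed placeholder victim@example.com, and shows what can be read from them offline: the bracketed IP is what the receiving MTA actually observed, while the helo= name is chosen by the client and never verified, so the same helo string turning up from two unrelated IPs marks a rotating sender pool rather than a real mail host; the href's eb= field is simply the recipient address, which makes the link a per-recipient identifier; and the img src on the same host means merely rendering the message makes the mail client contact that host. Function and variable names are my own.

```python
"""Offline look at the forged Received chain and the tracking link from the post.

Inputs are pasted from the thread; the recipient address in the link is replaced
by the constructed placeholder victim@example.com. Nothing is fetched.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Received lines as posted (sample input for this script).
RECEIVED_LINES = """\
Received: from [138.128.73.39] ([138.128.73.39:60440] helo=cystolgrantlamhell.com)
Received: from [144.168.154.248] ([144.168.154.248:44809] helo=mcmarsbachmcguizeshunt.com)
Received: from [85.217.132.83] ([85.217.132.83:36534] helo=rochstaeusstritrelph.com)
Received: from [104.144.114.7] ([104.144.114.7:39204] helo=kraekdorfhmonsgermfeldt.com)
Received: from [23.250.48.158] ([23.250.48.158:33696] helo=chuchtabhywzornfrees.com)
Received: from [85.217.138.125] ([85.217.138.125:41478] helo=moanpeakjezshiftbrook.com)
Received: from [185.5.119.252] ([185.5.119.252:55850] helo=lomslncermannlouan.com)
Received: from [104.144.122.129] ([104.144.122.129:55391] helo=labwetchquicjel.com)
Received: from [50.3.123.91] ([50.3.123.91:50110] helo=kraekdorfhmonsgermfeldt.com)
Received: from [188.191.150.163] ([188.191.150.163:38151] helo=skeadungthiefjephiatt.com)
"""

# The HTML from the post; "my email address" replaced by a constructed placeholder.
SPAM_HTML = """\
<a href="http://spurtvilsnogdpierdrach.tk/20629772k77f1449977?sf=5836412,2645245,3166672547,1538181&eb=victim@example.com">
<img src="http://spurtvilsnogdpierdrach.tk/images/6633815925.png" border="0" />
</a>
"""

# The receiving MTA writes the peer IP twice (once in each bracket pair); the
# helo= value is whatever the client sent in its HELO/EHLO command.
RECEIVED_RE = re.compile(
    r"Received: from \[(?P<ip>[\d.]+)\] \(\[(?P=ip):(?P<port>\d+)\] helo=(?P<helo>[^)\s]+)"
)


def parse_received(text):
    """One record per hop: observed IP, source port, and the client-chosen HELO name."""
    return [{"ip": m["ip"], "port": int(m["port"]), "helo": m["helo"]}
            for m in RECEIVED_RE.finditer(text)]


def reused_helos(hops):
    """HELO names presented by more than one IP. The name is unverified, so
    reuse across unrelated addresses points at a shared sending template."""
    seen = {}
    for h in hops:
        seen.setdefault(h["helo"], set()).add(h["ip"])
    return {helo: sorted(ips) for helo, ips in seen.items() if len(ips) > 1}


def networks(hops, prefix_len=16):
    """Group observed IPs by /prefix_len to count the ranges the sender rotates through."""
    groups = {}
    for h in hops:
        net = ipaddress.ip_network(f"{h['ip']}/{prefix_len}", strict=False)
        groups.setdefault(str(net), []).append(h["ip"])
    return groups


class _LinkExtractor(HTMLParser):
    """Collect <a href> and <img src> values without rendering anything."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.srcs = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        if tag == "img" and a.get("src"):
            self.srcs.append(a["src"])


def extract_links(html):
    p = _LinkExtractor()
    p.feed(html)
    return p.hrefs, p.srcs


def decode_tracking_link(url):
    """Split the href into host, the opaque path token, and the query fields.
    eb= is the recipient address: the link identifies who clicked."""
    u = urlsplit(url)
    q = parse_qs(u.query)
    return {"host": u.hostname,
            "path_token": u.path.lstrip("/"),
            "sf": q.get("sf", [""])[0].split(","),
            "eb": q.get("eb", [None])[0]}


def beacon_hosts(html):
    """Hosts contacted just by rendering the HTML (image fetches), before any click."""
    _, srcs = extract_links(html)
    return sorted({urlsplit(s).hostname for s in srcs})


if __name__ == "__main__":
    hops = parse_received(RECEIVED_LINES)
    print(f"{len(hops)} hops across {len(networks(hops))} distinct /16 ranges")
    print("HELO names reused by several IPs:", reused_helos(hops))
    hrefs, _ = extract_links(SPAM_HTML)
    print("tracking link fields:", decode_tracking_link(hrefs[0]))
    print("hosts contacted on render:", beacon_hosts(SPAM_HTML))
```

The script deliberately does no DNS or HTTP: resolving those hostnames or fetching the PNG from the spammer's server would itself confirm to the sender that the address is live, which is exactly what the eb= field and the image fetch are there to do.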
35 minutes ago, IrvSp said:

I keep getting stuff, 2 or 3 a day. SpamCop reports go into DEVNULL, so it is probably worthless reporting it?

There are two primary objectives for reporting spam to SpamCop: 1) to provide data to build the SC Blocklist for use in dynamically identifying sources of spam to filter incoming email, and 2) to send a notice (spam Report) to the ISP that is the source of the spam. From your post, in this case SC has determined not to send the spam Report. There are several reasons not to send the Report, discussed at length in other threads.

BUT even when 2) is not done, 1) is still a valid reason to report spam.
