Jump to content
Sign in to follow this  
mshalperin

Strange webmail logon message

Recommended Posts

Whenever I login to the webmail site I get the following message:

"Last login: Sun 18 Jul 2004 05:33:20 PM EDT from 1800specialoffers.com"

What's with the 1800specialoffers.com??? My ISP is RoadRunner.

Edited by mshalperin

Share this post


Link to post
Share on other sites

This should probably be moved to the lounge, as it is not directly email related.

That line is telling you the IP address that webmail saw you making a connection from the last time you logged in.

My bet is that you have one of the link tracker programs on your machine which proxy all of your web traffic through them.

Sometimes this is done on purpose to get the great deals they will sent you (usually in pop up ads while you browse), but most of the time it is because someone went to a site without adequate protection setting on their browser and an unscroupulous website decided to change your network configuration to track your every move.

There are a couple of different programs I use to clean this type of problem, both are free for home use. http://www.lavasoft.de/ will get you to Ad-aware. http://www.safer-networking.org/ will get you to Spybot-Search & Destroy. There are other similiar programs available as well.

Good luck and post back with your results.

Share this post


Link to post
Share on other sites
This should probably be moved to the lounge, as it is not directly email related.
My bet is that you have one of the link tracker programs on your machine which proxy all of your web traffic through them.

Thanks. I'm not sure how to move this topic. I have spyware programs (PestPatrol and ZoneAlarm) which don't show anything. However, on a hunch I checked my popup blocker - PopupDummy - which has switch to "Enable Adware Protection." When I DISABLE this option I login to webmail with an IP address (I assume to be from RoadRunner). ENABLING the "adware protection" brings back the 1800specialoffers.com. I don't know if this "feature" is an unscroupulous attempt to track me or a side effect of it's intended function, but I will investigate further.

Edited by mshalperin

Share this post


Link to post
Share on other sites

Moving the topic was aimed at one of the moderators. ou do not have that capability.

You have probably hit on the "problem". That popup blocker might be protecting you by having all messages route through their servers. I had never thought about how those work...always assumed a local lookup table type of system.

Share this post


Link to post
Share on other sites
Moving the topic was aimed at one of the moderators.

And his aim was good! <g>

Interesting anomoly, the source site for this software makes no mention of this "additional benefit" ... SpyChecker makes no mention of this on their listing page ... so the only suggestion I could offer is to go to http://www.dummysoftware.com/contact.html and make note that there seems to be something a bit fishy going on ....

Share this post


Link to post
Share on other sites
You have probably hit on the "problem". That popup blocker might be protecting you by having all messages route through their servers

Actually, it isn't PopupDummy - further testing after deleting it didn't get rid of the 1800specialoffers.com. There were some random logins without it which I prematurely interpreted as being related to the adware protection feature. I ran Spybot in addition to PestPatrol and deleted some other detected problems but this didn't help either...

Interesting anomoly, the source site for this software makes no mention of this "additional benefit" ... SpyChecker makes no mention of this on their listing page ... so the only suggestion I could offer is to go to http://www.dummysoftware.com/contact.html and make note that there seems to be something a bit fishy going on ....

I contacted them and got a quick response from the author (Kory Becker) who indicated that PopupDummy does't filter connections and has no relationship with 1800specialoffers.com. If it's spyware, the adware protection feature should help, not cause the probem. Whatever the source, I'm not finding it. Maybe I'll try Ad-Aware also (am I getting too obsessive?).

Moderator Edit: Based on data provided in Linear Post #24, this post was edited to correct data posted in error.

Edited by Wazoo

Share this post


Link to post
Share on other sites

It took me hours to remove it from a clients computer.

I believe it's almost the same as the onlythebest worm.

Share this post


Link to post
Share on other sites
Whatever the source, I'm not finding it. Maybe I'll try Ad-Aware also (am I getting too obsessive?).

You'll find that there are a number of tools out there, and they all do things a bit differently, find different things, etc. If AdAware (and remember to update the databases on all of these tools before running) doesn't come up with something, then the next suggestion may be something like HiJackThis ...

Share this post


Link to post
Share on other sites
What is the HOSTS file?

13609[/snapback]

I'm not sure of the connection made .. but the HOSTS file is a text file that Windows will look at .. it's normally used to block / redirect traffic during a DNS look-up .. If you are on a Windows platform, do a Find / Search for a file HOSTS.SAM which is the "sample" file provided by Microsoft. If you have made your own (or had some nice application along the way set one up for you) you will find a file named HOSTS (no file extension) ... This file is normally used to block traffic to certain locations ... and once again, Google has many answers and examples out there for you.

Share this post


Link to post
Share on other sites

Look in the C:\Windows Directory

or/and

Look in C:\WINDOWS\SYSTEM32\DRIVERS\etc

for a file calld hosts without an extension.

Open it up with notepad and let us know whats in there.

Not hosts.sam because that is a sample file. Just the one without the extension.

Share this post


Link to post
Share on other sites
for a file calld hosts without an extension
This is the complete contents of th HOSTS file. The file date suggests it hasn't

been altered since the initial installation of the system. (LMHOST.SAM gave a much more detailed explanation.)

____________________________________________________________________

# Copyright © 1993-1999 Microsoft Corp.

#

# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

#

# This file contains the mappings of IP addresses to host names. Each

# entry should be kept on an individual line. The IP address should

# be placed in the first column followed by the corresponding host name.

# The IP address and the host name should be separated by at least one

# space.

#

# Additionally, comments (such as these) may be inserted on individual

# lines or following the machine name denoted by a '#' symbol.

#

# For example:

#

# 102.54.94.97 rhino.acme.com # source server

# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

___________________________________________________________________

I'm not sure what the above "localhost" refers to - I'm not connected

to any network other than the internet (through a Netgear router which

currently isn't connected to any other computer.)

Edited by mshalperin

Share this post


Link to post
Share on other sites

With the date identified and the contents listed, it would appear that you offered up the contents of the Hosts.sam file .. the 127.0.0.1 is Internet Protocol talk for "this computer" ... anyway, if this is the HOSTS file (again, apparently a direct copy of Hosts.sam), then as suspected above, this has nothing to do with your original issue. Back to running the other spyware / trojan checkers.

Share this post


Link to post
Share on other sites

I feel its appropriate to suggest downloading and installing Firefox and logging in (and back out and back in) to see if you get a different "last logged in from" message.

At the same time you may consider using Firefox as your main browser from now on (after you're done using it to test the current issue you're trying to fix).

How to switch from IE to Firefox.

Why use Firefox.

(my apologies if in the end this ends up that your issue was not caused by IE's security problems, but I'm betting that it is, and you can avoid them buy using Firefox as well as other software listed at the link in my signature below)

Share this post


Link to post
Share on other sites
Actually, it isn't PopupDummy - further testing after deleting it didn't get rid of the 1800specialoffers.com. There were some random logins without it which I prematurely interpreted as being related to the adware protection feature. I ran Spybot in addition to PestPatrol and deleted some other detected problems but this didn't help either...

I contacted them and got a quick response from the author (Kory Becker) who indicated that PopupDummy does't filter connections and has no relationship with specialoffers.com. If it's spyware, the adware protection feature should help, not cause the probem. Whatever the source, I'm not finding it. Maybe I'll try Ad-Aware also (am I getting too obsessive?).

Hi guys, I just wanted to clear the record a bit: ww w. special offers. com has absolutely NOTHING to do with 1800specialoffers.com or other companies with "special offers" in the domain /return mailing address. I know it's easy to confuse them so no hard feelings; in fact I get many emails from people asking to be taken off the "list," even though I haven't sent an email in years.

Please use the contact form [at] ht tp:// ww w.special offers. com/co ntact/ for any question, clarifications or comments.

sincerely,

Landi Gjoni

Edited by Wazoo

Share this post


Link to post
Share on other sites
Hi guys, I just wanted to clear the record a bit: ww w.special offers. com has absolutely NOTHING to do with 1800specialoffers.com or other companies with "special offers" in the domain /return mailing address. I know it's easy to confuse them so no hard feelings; in fact I get many emails from people asking to be taken off the "list," even though I haven't sent an email in years.

Please use the contact form [at] ht tp://ww w.specialo ffers.com/co ntact/ for any question, clarifications or comments.

I fail to see where anyone made a mis-connection within this Topic/Discussion.

This actually looks like an attempt to spamvertise some other site.

Later Edit:

OK, these tired eyes finally noted that the connection was made in a reply made by yet another company about thier product .. crap .. even that isn't totally true ... it's an 'offered translation/snippet' from yet another un-seen e-mail between a forum user and another third-party application representative ....

Off to do some research to see if anyone can figure who might be lying, acting more confused than I, or has simply got their facts wrong .. geeze .....

Share this post


Link to post
Share on other sites
...I fail to see where anyone made a mis-connection within this Topic/Discussion....
I think the mshalperin quote given can be construed as (at least) an incautious bundling of the two. IME a "right of reply" exists.

[And I did a quick background check]

Share this post


Link to post
Share on other sites

PM sent:

http://forum.spamcop.net/forums/index.php?showtopic=2131 has some current dialog based on your text offered as a bit of communication between yourself and someone else. Time has gone by, but the issue remains ....

a typo on your part?

a lie by someone else?

something else going on?

It is noted that the "problem" was never addressed as being "cleared up" ....

Share this post


Link to post
Share on other sites

I fail to see where anyone made a mis-connection within this Topic/Discussion.

This actually looks like an attempt to spamvertise some other site.

Later Edit:

OK, these tired eyes finally noted that the connection was made in a reply made by yet another company about thier product .. crap .. even that isn't totally true ... it's an 'offered translation/snippet' from yet another un-seen e-mail between a forum user and another third-party application representative ....

Off to do some research to see if anyone can figure who might be lying, acting more confused than I, or has simply got their facts wrong .. geeze .....

I apologize if it seemed like I was advertising; it was not my intention--especially not on a spam fighting forum. The reason I decided to post was that, while the post says that the names are not connected, it's easy for the average person to make a connection. "Special__offers_com" or 1800_special_offers may seem the same to the average guy, and spam has negative connotations. I just wanted to clear that up.

Landi

Share this post


Link to post
Share on other sites

Forums, blogs, and such are the latest targets for both spammers and kiddies-with-scripts ... trying to stay ahead of all that leads to certain conditions .... your selection of a username caught my attention, seeing a new post to an 'old' Topic was another one of those sneaky ways the idiots try to sneak their spam in (not understandng that a new post bumps the Topic to the top of the list) .... read you post, read the Topic several times and didn't see the connection ... made the first call, went back to other things I had open .. came back and used tools ... thus leading to the follow-on actions ....

As noted, there was a typo/mis-copy involved, the anti-ware vendor intentionally mis-lead in that reply, or ..???

Worst case, having to admit that myself or the Moderators didn't catch that bit of data when it was posted .. for that I have to apologize .... one of us should have caight that bit of different data at the time ...

Intended action .. either edit the original post and/or follow-up with that vendor to see what's really being stated by them .... research first though ....

Share this post


Link to post
Share on other sites

I apologize if it seemed like I was advertising; it was not my intention--especially not on a spam fighting forum. The reason I decided to post was that, while the post says that the names are not connected, it's easy for the average person to make a connection. "Special__offers_com" or 1800_special_offers may seem the same to the average guy, and spam has negative connotations. I just wanted to clear that up.

Landi

I originally started this thread in July 2004 because I would get a message from the SpamCop Webmail site that I had logged on from "1800Specialoffers.com." I got the same feedback from other sites as well. It turned out to be due to my assigned static IP address having this as its reverse DNS listing (but no forward DNS listing for 1800Specialoffers.com). Presumably, this entity once used this IP address and didn't get cleared out of the reverse DNS. DNSstuff.com had that IP address listed as on one or more spam BL's under that name as well. I got a new IP address and this issue was resolved.

Share this post


Link to post
Share on other sites
I originally started this thread in July 2004 because I would get a message from the SpamCop Webmail site that I had logged on from "1800Specialoffers.com." I got the same feedback from other sites as well. It turned out to be due to my assigned static IP address having this as its reverse DNS listing (but no forward DNS listing for 1800Specialoffers.com). Presumably, this entity once used this IP address and didn't get cleared out of the reverse DNS. DNSstuff.com had that IP address listed as on one or more spam BL's under that name as well. I got a new IP address and this issue was resolved.

Thanks for closing the issue first raised .... but the current question deals with the data you provided in your Linear Post #6 ... specifically;

I contacted them and got a quick response from the author (Kory Becker) who indicated that PopupDummy does't filter connections and has no relationship with specialoffers.com.

most everywhere else, you used 1800specialoffers ....

The question is ... did you mistype, did the vendor lie/misdirect to you, is there yet more to the story ...???

Share this post


Link to post
Share on other sites
Thanks for closing the issue first raised .... but the current question deals with the data you provided in your Linear Post #6 ... specifically;

most everywhere else, you used 1800specialoffers ....

The question is ... did you mistype, did the vendor lie/misdirect to you, is there yet more to the story ...???

At the time it appeared to me that I didn't get the "logged on from 1800Specialoffers.com" message if I turned off an addware blocking feature of PopupDummy. On your advice I contacted the PopupDummy author who could see no connection. With more investigation, the association with PopupDummy settings was spurious - just random. There is no connection between 1800Specialoffers.com and PopupDummy or any other vendor.

Share this post


Link to post
Share on other sites

Based on this last post, Linear Post #6 was edited to correct data posted in error.

PM sent, once again apologizing for the fact that no one caught the error at the time of the discussion.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×