
Spammer Bcc'ing replies to himself?


Maine Train


  I haven't been on the forum for a long time, so I'm trying to get familiar with it again. I'm seeing threads from 2007 and earlier, but assuming that any without a year are 2020, meaning there's still activity here. I hope so, because I've got a weird situation involving a spammer/scammer trying to impersonate one of my high school classmates.

  In the "old days," most of the people here were way more savvy about the Interwebz in general and spam in particular than I was, so I'm pretty sure someone will have some useful insight on the situation. Would anyone like to hear the whole story?


3 hours ago, Maine Train said:

  I haven't been on the forum for a long time, so I'm trying to get familiar with it again. I'm seeing threads from 2007 and earlier, but assuming that any without a year are 2020, meaning there's still activity here. I hope so, because I've got a weird situation involving a spammer/scammer trying to impersonate one of my high school classmates.

  In the "old days," most of the people here were way more savvy about the Interwebz in general and spam in particular than I was, so I'm pretty sure someone will have some useful insight on the situation. Would anyone like to hear the whole story?

Learn how to send a SpamCop track at the top of submitted spam BEFORE you report; this helps others look at one's reasoning.
sample below
Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6695988901z9aca68918bc112341fac8a2833c6993dz
Skip to Reports

Edited by petzl

  My high school class has a Facebook group, and on Wednesday, the group organizer posted that the group had apparently been "hacked," because she and some other members of the group had received a strange email from another classmate, who is not a Facebook user.
  I hadn't received anything at the address I use for Facebook, but did receive (at a different address) a somewhat strange message from the referenced classmate's Comcast address. I ran that through SpamCop, and it did originate at Comcast, so I didn't report it.

  We were all concerned about the supposed sender's health, so I replied to his email. The best I can tell, my reply went only to his Comcast address. I got a reply from him, saying he didn't send anything, but had had several others who aren't classmates telling him that they had received the same spam. I also received a reply from the spammer/scammer, using a Hotmail address, with my classmate's last name spelled incorrectly. I reported that one, here, with notes to Microsoft and Hotmail that the spam appears to be an attempted scam:

https://www.spamcop.net/mcgi?action=gettrack&reportid=7101629398

https://www.spamcop.net/mcgi?action=gettrack&reportid=7101629397

  At this point, I'm pretty sure my classmate's address book has been harvested, but I'm mostly wondering how the scammer knew I had replied to my classmate's address. I couldn't find anything in the headers for my reply to my classmate (via Comcast) that suggests a copy was also sent to the scammer's Hotmail addy.

  And finally, is it wrong at this time of year for me to want to reach through the Interwebz and choke the scammer? 😡

  Thanks again, and Merry Christmas.

Edited by Maine Train

1 hour ago, Maine Train said:

Neither are accessible, need a SpamCop track.
That said, I set up a Facebook account with my real name and my real-name Gmail address.
Went to bed, next day getting spam in it?
Criminal phishing, bogus reply address, bogus unsubscribe.
This/my email address I believe sold to this Russian (?) Crime gang by FaceBook


  I'll see if I can get a better track for those reports. They were essentially the same, but one was to Microsoft, the other to Hotmail. Would a copy-and-paste of the headers be of any use for getting a better idea what's going on? I sort of suspect that the spammer has infiltrated my classmate's account to the point where he can read incoming messages as well as using the address to send spam. I think he just uses the Hotmail address to lessen the chance of being found out "squatting" on the victim account, but it's been a couple of years since I've read up on spammer tricks.

  The Russians are my prime suspects for most spams and scams, but that might be just because so much of the "enhancement meds" garbage that I used to report had ".ru" sources, sometimes by way of other countries that I wouldn't mind seeing heavily if not completely blocklisted.


On 12/23/2020 at 4:45 PM, Maine Train said:

but assuming that any without a year are 2020, meaning there's still activity here

If you mouse over the "posted [date] at [time]", it should show the year with the time in GMT or UTC format.

On 12/24/2020 at 8:47 PM, Maine Train said:

My high school class has a Facebook group, and on Wednesday, the group organizer posted that the group had apparently been "hacked," because she and some other members of the group had received a strange email from another classmate, who is not a Facebook user.

I have had this happen a year or two ago where someone signed up with an impersonator account on Facebook and started trying to friend everyone. Somehow the scammer/spammer must have got a list of contacts and is attempting each one until they find someone that will reply. If it stays quiet enough, they will eventually give up.

On 12/25/2020 at 3:03 PM, Maine Train said:

I'll see if I can get a better track for those reports.

If you click the report links, they should come up with the tracking URLs. You might have to click a "parse" link at the top to find it.


I think this spammer got into the one classmate's account and harvested his address book. That classmate told me he got messages from friends who weren't in our class (and he doesn't use Facebook, at least not for the class group), telling him about the suspicious emails. I don't know if any of them tried replying to his Comcast address and somehow had it diverted to the scammer's Hotmail address. That's what piqued my curiosity. I thought I was replying only to my classmate, but I got replies from him (via Comcast) and the scammer (via Hotmail).

From View entire message:
Received: from EUR06-AM7-obe.outbound.protection.outlook.com (mail-am7eur06olkn2084.outbound.protection.outlook.com. [40.92.16.84])
        by mx.google.com with ESMTPS id eb8si4670623edb.511.2020.12.23.11.30.07
        for <X>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 23 Dec 2020 11:30:08 -0800 (PST)
Received: from AM7EUR06FT033.eop-eur06.prod.protection.outlook.com (2a01:111:e400:fc36::53) by AM7EUR06HT254.eop-eur06.prod.protection.outlook.com (2a01:111:e400:fc36::326) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3676.22; Wed, 23 Dec 2020 19:30:07 +0000
Received: from AM7PR04MB6823.eurprd04.prod.outlook.com (2a01:111:e400:fc36::4b) by AM7EUR06FT033.mail.protection.outlook.com (2a01:111:e400:fc36::361) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3700.27 via Frontend Transport; Wed, 23 Dec 2020 19:30:07 +0000
Received: from AM7PR04MB6823.eurprd04.prod.outlook.com ([fe80::4917:f90a:8527:49bf]) by AM7PR04MB6823.eurprd04.prod.outlook.com ([fe80::4917:f90a:8527:49bf%6]) with mapi id 15.20.3700.026; Wed, 23 Dec 2020 19:30:07 +0000
From: [munged] <pbiibaud@outlook.com>
To: <X>
Subject: Re: Thinking of you fondly
Date: Wed, 23 Dec 2020 19:30:07 +0000
Message-ID: <AM7PR04MB6823A19886BDB753EDA17DC7DCDE0@AM7PR04MB6823.eurprd04.prod.outlook.com>
References: <1503941567.175629.1608646467954@connect.xfinity.com>,<CAL-d1+vxLO6C2aN1mpMg_toYX6ggngt8yx+jqhjQjAcYY_w9yg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US

Good to hear from you [munged], please can you help me get a gift card for my little niece. It's her birthday but i can't do this now because I'm out of town on vacation, I tried purchasing online but unfortunately had no luck with that. Can you please help me get it from any store around you or help purchase online? reimbursement is not a problem soon as i get back.

#############################################################################################################################

And from Parsing Header:

Parsing header:

host 2a01:111:e400:fc36:0:0:0:53 (getting name) no name
host 2a01:111:e400:fc36:0:0:0:4b (getting name) no name

0: Received: from EUR06-AM7-obe.outbound.protection.outlook.com (mail-am7eur06olkn2084.outbound.protection.outlook.com. [40.92.16.84]) by mx.google.com with ESMTPS id eb8si4670623edb.511.2020.12.23.11.30.07 for <X> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 23 Dec 2020 11:30:08 -0800 (PST)

Hostname verified: mail-am7eur06olkn2084.outbound.protection.outlook.com
Gmail/Postini received mail from sending system 40.92.16.84
 

1: Received: from AM7EUR06FT033.eop-eur06.prod.protection.outlook.com (2a01:111:e400:fc36::53) by AM7EUR06HT254.eop-eur06.prod.protection.outlook.com (2a01:111:e400:fc36::326) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3676.22; Wed, 23 Dec 2020 19:30:07 +0000

No unique hostname found for source: 2a01:111:e400:fc36:0:0:0:53
Trusted site protection.outlook.com received mail from 2a01:111:e400:fc36:0:0:0:53
 

2: Received: from AM7PR04MB6823.eurprd04.prod.outlook.com (2a01:111:e400:fc36::4b) by AM7EUR06FT033.mail.protection.outlook.com (2a01:111:e400:fc36::361) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3700.27 via Frontend Transport; Wed, 23 Dec 2020 19:30:07 +0000

No unique hostname found for source: 2a01:111:e400:fc36:0:0:0:4b

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust this Received line.

Sender relay: 40.92.16.84

Routing details for 40.92.16.84
[refresh/show] Cached whois for 40.92.16.84 : abuse@microsoft.com
Using best contacts abuse@microsoft.com
Using rdns to route to correct Microsoft department
host 40.92.16.84 = mail-am7eur06olkn2084.outbound.protection.outlook.com (cached)
abuse net protection.outlook.com = abuse@messaging.microsoft.com

Tracking message source: 2a01:111:e400:fc36:0:0:0:53:

Routing details for 2a01:111:e400:fc36:0:0:0:53
Report routing for 2a01:111:e400:fc36:0:0:0:53: danorm@microsoft.com
danorm@microsoft.com redirects to report_spam@hotmail.com

Sorry, this email is too old to file a spam report. You must report spam within 2 days of receipt. This mail was received on Wed, 23 Dec 2020 19:30:07 +0000

Message is 5.5 days old
2a01:111:e400:fc36:0:0:0:53 not listed in cbl.abuseat.org
2a01:111:e400:fc36:0:0:0:53 not listed in dnsbl.sorbs.net
2a01:111:e400:fc36:0:0:0:53 not listed in accredit.habeas.com
2a01:111:e400:fc36:0:0:0:53 not listed in plus.bondedsender.org
2a01:111:e400:fc36:0:0:0:53 not listed in iadb.isipp.com

Finding links in message body

Parsing text part
no links found

Finding IP block owner:

Routing details for 2a01:111:e400:fc36:0:0:0:53
Report routing for 2a01:111:e400:fc36:0:0:0:53: danorm@microsoft.com
danorm@microsoft.com redirects to report_spam@hotmail.com

If reported today, reports would be sent to:

Re: 2a01:111:e400:fc36:0:0:0:53 (Administrator of IP block - statistics only)

report_spam@hotmail.com

Re: 40.92.16.84 (Administrator interested in intermediary handling of spam)

abuse@messaging.microsoft.com

############################################################################################################################

Side note: Reports were sent on 12/23, but the "too old" language appears to have been added since.

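The SpamCop parse above walks the Received chain from the reporter's own MX outward and stops trusting lines once the "by" host is no longer one of the reporter's mailhosts; the References header is what answers the "how did the scammer see my reply" question, because a reply that cites a Message-ID was composed from a copy of that message. The following Python script is an added example, not code from the thread or from SpamCop, that performs both checks on a constructed excerpt of the headers quoted above (hop tails trimmed, recipient munged as on the page); the trusted mailhost list is an assumption matching the parse output.

```python
import re
from email import message_from_string

# Constructed excerpt of the headers quoted in the thread (recipient munged to <X>).
RAW_HEADERS = """Received: from EUR06-AM7-obe.outbound.protection.outlook.com (mail-am7eur06olkn2084.outbound.protection.outlook.com. [40.92.16.84])
        by mx.google.com with ESMTPS id eb8si4670623edb.511.2020.12.23.11.30.07
        for <X>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 23 Dec 2020 11:30:08 -0800 (PST)
Received: from AM7EUR06FT033.eop-eur06.prod.protection.outlook.com (2a01:111:e400:fc36::53) by AM7EUR06HT254.eop-eur06.prod.protection.outlook.com (2a01:111:e400:fc36::326) with Microsoft SMTP Server; Wed, 23 Dec 2020 19:30:07 +0000
Received: from AM7PR04MB6823.eurprd04.prod.outlook.com (2a01:111:e400:fc36::4b) by AM7EUR06FT033.mail.protection.outlook.com (2a01:111:e400:fc36::361) with Microsoft SMTP Server; Wed, 23 Dec 2020 19:30:07 +0000
To: <X>
Subject: Re: Thinking of you fondly
Message-ID: <AM7PR04MB6823A19886BDB753EDA17DC7DCDE0@AM7PR04MB6823.eurprd04.prod.outlook.com>
References: <1503941567.175629.1608646467954@connect.xfinity.com>,<CAL-d1+vxLO6C2aN1mpMg_toYX6ggngt8yx+jqhjQjAcYY_w9yg@mail.gmail.com>

"""

# Assumption: the reporter's own inbound MX, the only host whose Received lines we trust.
TRUSTED_MAILHOSTS = ("mx.google.com",)

HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)", re.I)

def parse_hops(raw):
    """Return the Received chain, most recent hop (our MX) first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue
        helo, paren, by_host = m.groups()
        ip = re.search(r"\[([^\]]+)\]", paren)  # "[40.92.16.84]" or a bare IPv6 literal
        hops.append({"helo": helo, "ip": ip.group(1) if ip else paren.strip(), "by": by_host.rstrip(".")})
    return hops

def sender_relay(hops):
    """SpamCop-style: walk hops written by our mailhosts; the last IP handed to us is the sender relay."""
    relay = None
    for hop in hops:
        if not hop["by"].endswith(TRUSTED_MAILHOSTS):
            break  # written by someone else's server, so it cannot be verified
        relay = hop["ip"]
    return relay

def thread_domains(raw):
    """Domains of the Message-IDs this reply claims to thread onto (the messages its author had)."""
    ids = re.findall(r"<([^>]+)>", message_from_string(raw).get("References", ""))
    return [i.rsplit("@", 1)[1] for i in ids]
```

Running it yields the same sender relay the parse reported and shows the outlook.com reply threading onto both the Comcast original and the Gmail reply.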
