What happens to PayPal Phishers


dra007

I have some of my spam e-mails trapped in a postini junk folder which I regularly check and forward to my inbox, set up to forward to spamcop which as a rule traps most of these e-mails in the heldmail folder for reporting. For some reason most paypal phishers never make it, but instead get lost in the Neverland.. Can someone explain this behavior to me? Here are some tracking urls from such e-mails, obviously phishers:

paypal Phisher 1

PayPal Phisher2

another PayPal Phisher

I could go on, but of all spam I handle this way only paypal and e-bay behave like this... Can someone come up with a rational explanation?

PS. Nothing to do with mailhosts, these were cut and pasted and analysed correctly. Forwarding from postini junk mail folder to my spamcop e-mail account works for all mail unless PayPal appears in the e-mail with all the logos and trimmings to make it look authentic PayPal e-mail. They come from cn, rr, kornet and usually in a spam run of several copies. Where do they end up when I forward them to SpamCop? Are they silently bounced ... that is the mystery, even if they were bounced to me I would receive them.. but they are not..


My first look at this .. figured I didn't understand because I was tired .... a few hours later, a bit of a nap, coffee brewing, I look again. I'm still confused.

Posted into the Reporting Help Forum section. But most of the write-up is on something other than parse results.

A tale of e-mail being forwarded, filtered, handled includes the phrase "never make it, but instead get lost in the Neverland .." which would seem to be a complaint about the spamcop.net e-mail account system ..????

Three samples offered ... the first and third ending being the same Tracking URL .. but the first thing noted in the samples is the big MailHost complaint ....

If the issue is that e-mail is "disappearing" .. need to move this to the E-mail System Forum section and get JT alerted.

If the question is about anything else, maybe point to the specific issue .. a couple of guesses offered ....

1. if the question is based on the MailHost complaint ... then one would have to ask you to compare the headers seen in these samples with other spam that "didn't disappear" .... The common item seen in the samples is that there is only one valid Received: line. The question is whether the remnants seen in other lines are spammer construct, have been damaged in all the transporting, were edited for posting purposes, etc.

2. if the question is about the "missing" URLs .. one would have to ask about who / what is making all the changes to the spam .. MIME boundary lines are not existing, the body actually looks like a screen-grab of some displayed stuff, with the result that none of the "please click here" items are in the spam submittal .... so is this also "normal" in the handling of your e-mail, perhaps some sort of HTML de-fanging tool gone mad somewhere ?????


What is missing is the e-mail I forward to my spamcop account so I can report it in bulk with all other spam. I have to resort to manual reporting because these e-mails get lost when I forward them as I usually do with most spam trapped in the postini junk mail folder, a one-two click operation that requires my intervention (not automatic)..


I just went through this exercise again; all e-mail below were forwarded from my postini junkmail folder and almost instantly ready to report from my spamcop heldmail folder:

[43411] zulzmcjc[at]flashmail.com (Finest Rolex Watch Replica Preview )

Sun, 30 Apr 2006 19:58:36 -0200 (Blocked SpamAssassin=31)

   [43412] itdsrso[at]linuxmail.org (Stop Premature Ejaculation Preview )

Sun, 30 Apr 2006 21:58:41 +0400 (Blocked SpamAssassin=24)

   [43413] ivggbas[at]mailpanda.com (Finest Rolex Watch Replica Preview )

Sun, 30 Apr 2006 19:56:34 +0100 (Blocked SpamAssassin=31)

   [43414] carminehancock5[at]aberksan.com (New Equifax Credit Points Arrangement Preview )

Sun, 30 Apr 2006 18:06:55 -0500 (Blocked SpamAssassin=21)

   [43415] zonnyastinky[at]atlanta.com (Bill Clinton wears our sytlish Rolex Alec Preview )

Sun, 30 Apr 2006 13:13:47 -0700 (Blocked SpamAssassin=17)

   [43416] rpzwa23aqlpk[at]wolfe.net ( Preview )

Sun, 30 Apr 2006 20:55:18 -0400 (EDT) (Blocked SpamAssassin=5)

   [43417] chasemayer1[at]andreas-borchert.de (Equifax Publication of your Individual Info Preview )

Mon, 01 May 2006 06:31:56 +0800 (Blocked SpamAssassin=8)

   [43418] myrtle.ewing[at]mantramail.com (Re: Invoice # 323694S Preview )

Sun, 30 Apr 2006 16:56:52 -0600 (Blocked SpamAssassin=21)

That is all except the one that mentioned PayPal:

Date: Sun, 30 Apr 2006 18:51:32 -0400

From: "PayPal" <Support[at]PayPal.com>

I can generate a tracking URL going back to the postini DELIVERED mail folder and using the usual cut and paste in the reporting page method:

http://www.spamcop.net/sc?id=z931720914z43...1a9d434z;PayPal

looks like kornet was sending it...


Perhaps another server between Postini and your end is pulling out viruses? Also, are you sure it is being forwarded? Every time I try to forward a virus from Postini (for further inspection) I get a message saying that they would not forward viruses. Postini recently started classifying many Phishing attempts as viruses. Any of this help?


The last Tracking URL looks no different than the ones I already looked at ... but you made no note of comparing the header data to other spam to check on the Received line bits ....

Based on the data Steven has suggested (which sounds awfully familiar with some other major ISP actions) .... the usual troubleshooting procedures seem to be called for if you want to pin things down .... That you say 'everything else' is being forwarded, the question then boils down to where those 'missing' items are being 'lost' .... try a CC: copy to some other account elsewhere and see if it shows up .. if not, Postini seems to be the cause ....

If it shows up elsewhere, then you've got everything JT would need to see to sort out things on his end.


If I am reading this topic correctly, you have a SpamCop email account.

Ever thought about using IMAP to move messages, rather than forwarding them?

I realize that this does not address the problem at hand, but may provide an alternative way of processing your spam.


Yes I do that, but postini junk folder is only available through a web interface.. and Steven was right, PayPal phishers get stopped by postini in the outbound phase... The problem is that cut and paste from that interface obscures the url in the e-mails for parsing... Incidentally postini puts viruses in a different folder.. I am not that brazen to try forwarding from that one but on occasion I parse some manually just taking the header info on the postini web interface... the content is stripped from offending/malicious/virus code... mostly has a simple message like I love you or here is a file you requested...

