karlisma

tricky guys


From - Tue Aug 08 19:20:12 2006
X-UIDL: 2cf7ad3691610000
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Received: by receiving.server (mbox recipient)
 (with Cubic Circle's cucipop (v1.31 1998/05/13) Tue Aug  1 13:16:53 2006)
X-From_: user[at]who.received  Tue Aug  1 18:10:05 2006
Return-Path: <user[at]who.received>
Received: from server.server (root[at]server.server [192.5.5.555])
	by server.server (8.11.6/8.11.6) with ESMTP id dfghfgfgh
	for <user[at]who.received>; Tue, 1 Aug 2006 18:10:04 +0300 (CST)
Received: from bla-bla-bla-bla.network.net (bla-bla-bla-bla.network.net [80.200.100.10])
	by server.server (38..61.6/8.13) with ESMTP id 0758F0A2k701L3
	for <user[at]who.received>; Tue, 1 Aug 2006 18:10:03 +0300 (CST)
Received: from smtp1.TRACKINGCODEHERE.com (TRACKINGCODEHERE [some.strange.ip.address])
	by bla-bla-bla-bla.network.net with smtp
	id TRACKINGCODEHERE
	for user[at]who.received; Tue, 01 Aug 2006 10:45:46 +0100 (CST)
Message-ID: <TRACKINGCODEHERE>
From: "lucky guy" <any[at]inncoent.com>
To: user[at]who.received
Subject: some strange topic here
Date: Tue, 01 Aug 2006 10:45:46 +0100
MIME-Version: 1.0
Content-Type: multipart/related;
	type="multipart/alternative";
	boundary="----=_NextPart_000_00EC_y.y"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-VERnet-MAIL-Server-MailScanner-Information: Please contact the ISP for more information
X-VERnet-MAIL-Server-MailScanner: Found to be clean
X-MailScanner-From: user[at]who.received

------=_NextPart_000_00EC_y.y
Content-Type: multipart/alternative;
	boundary="----=_NextPart_001_00ED_y.y"


------=_NextPart_001_00ED_y.y
Content-Type: text/plain;
	charset="koi8-r"
Content-Transfer-Encoding: quoted-printable


------=_NextPart_001_00ED_y.y
Content-Type: text/html;
	charset="koi8-r"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dkoi8-r">
<META content=3D"MSHTML 6.00.2900.2180" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><a href=http://fagim.net><IMG alt=3D"" hspace=3D0=20 width=299 height=513 src=3D"cid:TRACKINGCODEHERE" =
align=3Dbaseline=20 border=3D0></a></FONT></DIV></BODY></HTML>

------=_NextPart_001_00ED_y.y--

------=_NextPart_000_00EC_y.y
Content-Type: image/gif;
	name="TRACKINGCODEHERE.gif"
Content-Transfer-Encoding: base64
Content-ID: <TRACKINGCODEHERE>

and always the spamvertisement is fagim.net, which travels a lot from Japan to Korea, through Comcast and Proxad, Bora and whatever...

The author seems to be a Russian guy, so I never know... why, and why me.

My intention, writing this, is to look at how many tracking codes are hidden in this message, never mind the following parts with the gif name and everything else... Will SpamCop start to clean up these tracking codes, and when? Any time soon or no chance at all?.... Or not the right philosophy here; if you see this post as stupid or something, feel free to administer it to the trash bin right away. I will feel just fine.


Most of these are actually normal parts of the SMTP process. I'm not going to go through them one at a time, but I will tell you that a message ID is generated by the sending server and should follow the message through from beginning to end; that is normal. Your cid:TRACKINGCODEHERE is what allows a message to display an attached image as part of the message body, rather than just showing up as an attachment. Of course, any of these COULD be used as tracking information, if the spammer wanted to go to that much trouble. However, I think in most cases it is not worth the spammer's time to set up and maintain a database with individual tracking information for every spam he sent out.

Also, the vast majority of these originate from zombied computers, and most of the trojan/virus zombies out there don't have much capability to track and send back information other than to simply receive commands along the lines of "Send THIS message to THIS list of email addresses".


The problem is automating the process. Identifying tracking codes automatically would, I suspect, be very difficult and processor hungry. Can't see it being a priority - even if it is possible.

Andrew


You have replaced everything in the original email that might have been a tracking code with the word TRACKINGCODEHERE. That makes it a bit difficult to tell if any of it actually was a tracking code. For it to be a tracking code, it would have to be unique to your email address, generated by the spammer while sending out or while preparing the spam run, and tracked by the spammer to ID live addresses. Not every 'random character string' in the message would be a tracking code, as some of them are legitimate to general email form (as mentioned above).

Likely tracking code places are:

1) graphic URLs - the spammer can track which links have been accessed. These can be tracked without the recipient doing anything other than reading the message with images enabled (that's why many email clients/programs turn off graphic display by default).

2) clickable links used to always contain tracking codes. Don't see it as much anymore.

3) other 'random string' locations: unlikely, and some are (were) munged by SpamCop. They are only useful to the spammer to find out who's complaining about/reporting the spam, for the purpose of whitelisting. Less common now as most spammers are using 'bot-nets' and complaints don't affect them directly.

The third brings up an interesting point. Since SC can less and less affect the actual spammers, instead focusing on the often-hijacked "innocent" bystander, and then trying to help them, maybe SpamCop (or at least the forum) should be renamed SpamEMS? :)

Edited by Jank1887
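The test Jank1887 gives above (a real tracking code must be unique to the recipient, while Message-ID, Content-ID and the Received "id" that Turetzsr describes are normally shared plumbing) can be applied mechanically when you hold several copies of the same run. The following is an added example, not code from the thread or from SpamCop: it parses each copy with Python's standard `email` module, collects the candidate locations from the two posts (image URLs, clickable links, Message-ID, Content-ID, Received ids) and reports which values differ per recipient and which are constant across the run. The three sample messages are constructed; `alpha001`/`bravo002`/`charlie003` stand in for the thread's TRACKINGCODEHERE placeholder and the domains are documentation placeholders.

```python
"""
Added example (not from the forum thread): given several copies of one spam
run, find which candidate "random string" locations vary per recipient.
"""
import email
import re
from email import policy
from html.parser import HTMLParser

# Matches the transaction id in a Received: header ("... with smtp id XYZ for ...").
RECEIVED_ID = re.compile(r"\bid\s+([^\s;]+)", re.IGNORECASE)


def build_sample(recipient, token):
    """Construct one copy of the run. `token` plays the role of the thread's
    TRACKINGCODEHERE placeholder and is the only value that differs per copy."""
    return (
        f"Received: from smtp1.{token}.example ({token} [203.0.113.5])\n"
        f"\tby mx.example.test with smtp id {token}\n"
        f"\tfor <{recipient}>; Tue, 01 Aug 2006 10:45:46 +0100\n"
        f"Message-ID: <{token}@smtp1.example>\n"
        'From: "lucky guy" <any@innocent.example>\n'
        f"To: {recipient}\n"
        "Subject: some strange topic here\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/related; boundary="B1"\n'
        "\n"
        "--B1\n"
        'Content-Type: text/html; charset="koi8-r"\n'
        "\n"
        f'<html><body><a href="http://shop.example/?u={token}">'
        f'<img src="cid:{token}"></a>\n'
        '<img src="http://img.example/static/banner.gif"></body></html>\n'
        "--B1\n"
        f'Content-Type: image/gif; name="{token}.gif"\n'
        "Content-Transfer-Encoding: base64\n"
        f"Content-ID: <{token}>\n"
        "\n"
        "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7\n"
        "--B1--\n"
    )


# Constructed sample run: same message, three recipients.
SAMPLES = {
    "alice@example.test": build_sample("alice@example.test", "alpha001"),
    "bob@example.test": build_sample("bob@example.test", "bravo002"),
    "carol@example.test": build_sample("carol@example.test", "charlie003"),
}


class _RefCollector(HTMLParser):
    """Collects <img src> and <a href> values from an HTML body part."""

    def __init__(self):
        super().__init__()
        self.img_src, self.links = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.img_src.append(a["src"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def extract_candidates(raw):
    """Return {location: set(values)} for every candidate tracking location."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = {}
    for rcv in msg.get_all("Received", []):
        m = RECEIVED_ID.search(str(rcv))
        if m:
            found.setdefault("received-id", set()).add(m.group(1))
    if msg["Message-ID"]:
        found.setdefault("message-id", set()).add(str(msg["Message-ID"]).strip("<>"))
    for part in msg.walk():
        cid = part.get("Content-ID")
        if cid:
            found.setdefault("content-id", set()).add(str(cid).strip("<>"))
        if part.get_content_type() == "text/html":
            col = _RefCollector()
            col.feed(part.get_content())
            found.setdefault("img-src", set()).update(col.img_src)
            found.setdefault("link", set()).update(col.links)
    return found


def split_by_variability(samples):
    """Return (varying, constant): per location, the values that are unique to
    individual copies versus those present in every copy of the run."""
    per_loc = {}
    for raw in samples.values():
        for loc, vals in extract_candidates(raw).items():
            per_loc.setdefault(loc, []).append(vals)
    varying, constant = {}, {}
    for loc, sets in per_loc.items():
        shared = set.intersection(*sets)      # run-wide, not per recipient
        unique = set().union(*sets) - shared  # differs between copies
        if unique:
            varying[loc] = sorted(unique)
        if shared:
            constant[loc] = sorted(shared)
    return varying, constant


if __name__ == "__main__":
    varying, constant = split_by_variability(SAMPLES)
    for loc, vals in varying.items():
        print(f"per-recipient {loc}: {vals}")
    for loc, vals in constant.items():
        print(f"shared {loc}: {vals}")
```

With real copies, feed `split_by_variability` the raw messages as received by several addresses; a Message-ID or Received id that is identical across copies is ordinary mail plumbing, while an image or link value that changes with each recipient is the per-address identifier the post describes.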


the third

Received: from smtp1.TRACKINGCODEHERE.com (TRACKINGCODEHERE [some.strange.ip.address])
	by bla-bla-bla-bla.network.net with smtp
	id TRACKINGCODEHERE

is completely not related to anything, and here these three are the same.

And this third Received: from is only in these particular messages, spamvertising fagim.net.

:)

Strange thing noticed - they read you, SpamCop: as of today, no one wishes to receive reports regarding fagim.net :)

prdn mai inglish

Edited by karlisma


the third

Received: from smtp1.TRACKINGCODEHERE.com (TRACKINGCODEHERE [some.strange.ip.address])
	by bla-bla-bla-bla.network.net with smtp
	id TRACKINGCODEHERE

is completely not related to anything, and here these three are the same.

And this third Received: from is only in these particular messages, spamvertising fagim.net.

:)

Strange thing noticed - they read you, SpamCop: as of today, no one wishes to receive reports regarding fagim.net :)

prdn mai inglish

Are you saying that the phrase "TRACKINGCODEHERE" is the same combination of characters in all 3 locations? If not, your example is useless because those things COULD be valid, but you have munged them and we can not investigate. Provide a tracking URL for one of these messages so we can all see the actual data. It is possible (though unlikely) that it is a valid header, which WOULD all be the same if they are all coming from the same server.

Just because you say they are tracking codes does not make them so.


Yes, all are the same, and this third header is useless (just my opinion????), and they are not coming from the same server. I see them as tracking codes only, because the IP in this header is complete b=sh.

And sorry, Steve - I will not provide a tracking URL, because, as I mentioned before - THEY READ YOU! (thus - they will hit me with the biggest hammer ever, making me buy concrete premix some 7 time zones away, of course, with that free delivery :rolleyes: ) Providing a tracking code will be useless this time.

And I was not complaining about this particular message; it was just the best to explain my concerns about SpamCop not cleaning up "personal" info in submittals... <_<

Of course, you can still administer this whole post to the trash bin; I will feel just fine.


There are so many different ways that spammers can track their spam that there is no possible way to delete all of them. Some of them seem obvious, like email addresses, but others could be very subtle, such as one random word spelled differently.

At one time, spammers did attempt to stop reporters or other anti-spam persons. A couple of years ago, I had three (email) encounters with spammers who knew I was a reporter. None of them were vindictive, but did promptly listwash me from their lists and sold my email address to someone else (at least that was my inference because the type of spam changed). There are too many reporters to make it effective to try to stop them by intimidation.

When some ISPs started to require unmunged reports (again several years ago), there were several lively discussions in the ngs about munging vs unmunging. Basically, some old timers were against unmunging mostly because of listwashing, though a few still harbored fears of retaliation. Others said that the number of reporters made retaliation outdated and that if one was listwashed from one list, there was no lessening of the spamload so it didn't make any difference in the long run. It also helped any ISP that might be going after spammers aggressively by having good legal evidence. And that there was no way to effectively mung a spam so as to be sure that all the trackers were gone. See how much of a spamtrap report gets published!

Bottom line is that you are either a mole reporter, don't report, or don't worry about munging reports.

Miss Betsy


How come?

Is that on the server (parser) level?

Resolving link obfuscation
   http://fagim.net
   Host fagim.net (checking ip) IP not found; fagim.net discarded as fake.
   Host fagim.net (checking ip) IP not found; fagim.net discarded as fake.
Tracking link: http://fagim.net/
[report history]
ISP does not wish to receive report regarding http://fagim.net/
Cannot resolve http://fagim.net/

If you cannot deal with the problem - hide it?


How come?

Is that on the server (parser) level?

Resolving link obfuscation
   http://fagim.net
   Host fagim.net (checking ip) IP not found; fagim.net discarded as fake.
   Host fagim.net (checking ip) IP not found; fagim.net discarded as fake.
Tracking link: http://fagim.net/
[report history]
ISP does not wish to receive report regarding http://fagim.net/
Cannot resolve http://fagim.net/

If you cannot deal with the problem - hide it?

http://www.dnsstuff.com/tools/dnstime.ch?n....net&type=A

Searching for fagim.net A record at k.root-servers.net Got referral to e.gtld-servers.net. [took 255 ms]

Searching for fagim.net A record at e.gtld-servers.net. Got referral to ns1.bjail.net. [took 84 ms]

Searching for fagim.net A record at ns1.bjail.net. Refused! [took 501 ms].

Answer:

Unknown (refused at ns1.bjail.net).

Sorry, I could not continue.

And I can not get there from my location. If you are still getting there, perhaps you have the page cached?

They seem to have been shut down (at least from my point).


http://www.dnsstuff.com/tools/dnstime.ch?n....net&type=A

...

Answer:

Unknown (refused at ns1.bjail.net).

Sorry, I could not continue....

Same with all NS at the moment: http://www.dnsreport.com/tools/dnsreport.ch?domain=fagim.net

Since results may be variable over time, lifting the current report:

Category Status Test Name Information

Parent PASS Missing Direct Parent check OK. Your direct parent zone exists, which is good. Some domains (usually third or fourth level domains, such as example.co.us) do not have a direct parent zone ('co.us' in this example), which is legal but can cause confusion.

INFO NS records at parent servers Your NS records at the parent servers are:

ns1.bjail.net. [58.52.72.227] [TTL=172800] [CN]

ns2.bjail.net. [59.56.171.208] [TTL=172800] [CN]

ns3.bjail.net. [218.73.84.61] [TTL=172800] [CN]

ns4.bjail.net. [222.95.66.251] [TTL=172800] [CN]

ns5.bjail.net. [84.101.216.243] [TTL=172800] [FR]

[These were obtained from e.gtld-servers.net]

PASS Parent nameservers have your nameservers listed OK. When someone uses DNS to look up your domain, the first step (if it doesn't already know about your domain) is to go to the parent servers. If you aren't listed there, you can't be found. But you are listed there.

PASS Glue at parent nameservers OK. The parent servers have glue for your nameservers. That means they send out the IP address of your nameservers, as well as their host names.

PASS DNS servers have A records OK. All your DNS servers either have A records at the zone parent servers, or do not need them (if the DNS servers are on other TLDs). A records are required for your hostnames to ensure that other DNS servers can reach your DNS servers. Note that there will be problems if your DNS servers do not have these same A records.

NS FAIL NS A timeout occurred getting the NS records from your nameservers! None of your nameservers responded fast enough. They are probably down or unreachable. I can't continue since your nameservers aren't responding. If you have a Watchguard Firebox, it's due to a bug in their DNS Proxy, which must be disabled (31 Jul 2006 UPDATE: several years after being informed of this, there is a rumor that there is a fix that allows the DNS proxy to work).

Comprehensively unreachable ...

How come? ...

Resolving link obfuscation
   http://fagim.net
   Host fagim.net (checking ip) IP not found; fagim.net discarded as fake.
   Host fagim.net (checking ip) IP not found; fagim.net discarded as fake.
Tracking link: http://fagim.net/
[report history]
ISP does not wish to receive report regarding http://fagim.net/
Cannot resolve http://fagim.net/

If you cannot deal with the problem - hide it?

So, the history reference seems to indicate that it was once reachable, current attempts at resolution prove it is no longer. Not sure how you come to suggest there is any "hiding" of the "problem"? Maybe you think SpamCop is not diligent enough in tracking down every last hidey-hole of the spamming scum (and the reasons for that have been explained time and again), that's where manual reporting takes over but it seems to me there's nothing to do in this case - that horse is already deceased.


And while we're on the subject of those "tricky" lil' devils, here's a wrinkle I've not noticed before - the spamvertized links are in the headers (including the subject): http://www.spamcop.net/sc?id=z1028325315zd...;action=display Oddly enough it parses without an error message (though of course the parser makes no attempt to pick up the links) even though there is no "body". Do "no body" spam parse now? I've noticed no comment to that effect.

I have no idea what Outlook (or any other application) would make of it. Another spammer trick or another impotent spammer? I suspect I know what the OP would say :). I've been seeing a lot of broken spam lately. But no less of the unbroken variety.

Edited by Farelf


Tracking link: http://fagim.net/
[report history]
ISP does not wish to receive report regarding http://fagim.net/
Cannot resolve http://fagim.net/ 

Read it straight: Which ISP? Which one? Which?

If before, the link fagim.net did parse somehow... cycling through kornet, cnc-noc, uu, and all the other well-knowns (earthlink, comcast).... then, after my post (coincidence?!?!) it does not go anywhere... saying exactly the above.... without mentioning the host or displaying parse info...

There: I did ask - is it switched off at the server/parser level?

P.S. fagim.net still alive, do not worry, dear Farelf.


P.S. fagim.net still alive, do not worry, dear Farelf.

They are still showing no IP address from my location and as such, I can not access the site. I have been able to reach it previously (after your first post).

SpamCop is currently offering to send reports to:

Reporting addresses:

abuse[at]ttn.com.tw

spam[at]ttn.com.tw


08/12/06 18:05:52 Slow traceroute fagim.net

Trace fagim.net (61.239.128.166) ...

08/12/06 18:05:42 dns fagim.net

Canonical name: fagim.net

Addresses:

61.239.128.166

58.223.19.30

220.80.155.32

218.72.55.185

210.192.218.31

Noting that none of these match the 'records' listed below .. I've no doubt that re-checking this data every few minutes will result in a new list of different IP addresses .....

08/12/06 18:14:59 dns fagim.net

Canonical name: fagim.net

Addresses:

61.239.128.166

220.80.155.32

218.72.55.185

210.192.218.31

58.223.19.30

08/12/06 18:21:55 dns fagim.net

Canonical name: fagim.net

Addresses:

220.80.155.32

58.223.19.30

61.239.128.166

218.72.55.185

210.192.218.31

Hmmm, OK, not different IPAs this time, but everchanging order .... though also taking almost two minutes to resolve ....

08/12/06 19:08:59 dns fagim.net

No DNS for this address

(host doesn't exist)

Interesting 'change' .....

Hmmm, back again ....

08/12/06 19:24:56 dns fagim.net

Canonical name: fagim.net

Addresses:

220.80.155.32

210.192.218.31

218.72.55.185

61.239.128.166

58.223.19.30

08/12/06 19:28:01 Slow traceroute fagim.net

Trace fagim.net (220.80.155.32) ...

08/12/06 19:29:03 Browsing http://fagim.net/

Fetching http://fagim.net/ ...

HTTP/1.1 404 Not Found

Date: Sun, 13 Aug 2006 00:30:01 GMT

Server: Apache/2.0.52 (CentOS)

<title>404 Not Found</title>

</head><body>

<h1>Not Found</h1>

<p>The requested URL / was not found on this server.</p>

<hr>

<address>Apache/2.0.52 (CentOS) Server at fagim.net Port 80</address>

http://www.dnsreport.com/tools/dnsreport.ch?domain=fagim.net

Your NS records at the parent servers are:

ns1.bjail.net. [86.71.13.53] [TTL=172800] [FR]

ns2.bjail.net. [124.50.100.69] [TTL=172800] [KR]

ns3.bjail.net. [221.227.27.201] [TTL=172800] [CN]

ns4.bjail.net. [69.241.143.173] [TTL=172800] [US]

ns5.bjail.net. [82.16.46.4] [TTL=172800] [GB]

[These were obtained from i.gtld-servers.net]

ERROR: One or more of the nameservers listed at the parent servers are not listed as NS records at your nameservers. The problem NS records are:

ns1.bjail.net.

ns2.bjail.net.

ns3.bjail.net.

ns4.bjail.net.

ns5.bjail.net.

ERROR: I checked with your nameservers to see if there were any CNAMEs for your NS records (there shouldn't be), but they all timed out. Note: This test checks with our local DNS server (since the NS record hostnames may not be handled by your DNS server), and therefore may be cached.

WARNING: Your SOA EXPIRE time is : 300 seconds. This seems very low. You should consider increasing this value to about 1209600 to 2419200 seconds (2 to 4 weeks). RFC1912 suggests 2-4 weeks. This is how long a secondary/slave nameserver will wait before considering its DNS data stale if it can't reach the primary nameserver.

WARNING: You have duplicate MX records. This means that mailservers may try delivering mail to the same IP more than once. Although technically valid, this is very confusing, and wastes resources. The duplicate MX records are:

www.fagim.net. and www.fagim.net. both resolve to 0.0.0.0.

www.fagim.net. and www.fagim.net. both resolve to 0.0.0.0.

<snip>

ERROR: I could not complete a connection to any of your mailservers!

www.fagim.net: Could not connect without glue or A record.

www.fagim.net: Could not connect without glue or A record.

<snip>
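The lookups logged above show the pattern a defender wants to notice for a spamvertised host: the same five addresses in a different order on every query, a spell of "No DNS for this address", then the name back again, with the addresses spread over unrelated networks. The following is an added example, not code from the thread or from any of the tools quoted in it: it takes the snapshots copied from the post (timestamps and addresses as Wazoo logged them; nothing is resolved live) and classifies each transition between consecutive answers so the behaviour can be flagged automatically.

```python
"""
Added example (not from the forum thread): classify successive DNS answer
snapshots for one name into reordering, set changes and NXDOMAIN flapping.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Snapshot:
    when: str
    addresses: list  # empty list models "No DNS for this address"


# Copied from the lookups quoted in the post above (fagim.net, 08/12/06).
SNAPSHOTS = [
    Snapshot("08/12/06 18:05:42", ["61.239.128.166", "58.223.19.30", "220.80.155.32",
                                   "218.72.55.185", "210.192.218.31"]),
    Snapshot("08/12/06 18:14:59", ["61.239.128.166", "220.80.155.32", "218.72.55.185",
                                   "210.192.218.31", "58.223.19.30"]),
    Snapshot("08/12/06 18:21:55", ["220.80.155.32", "58.223.19.30", "61.239.128.166",
                                   "218.72.55.185", "210.192.218.31"]),
    Snapshot("08/12/06 19:08:59", []),
    Snapshot("08/12/06 19:24:56", ["220.80.155.32", "210.192.218.31", "218.72.55.185",
                                   "61.239.128.166", "58.223.19.30"]),
]


def classify_transition(prev, cur):
    """Name the change between two consecutive answers for the same host."""
    if not prev.addresses and not cur.addresses:
        return "still-nxdomain"
    if not cur.addresses:
        return "nxdomain"       # name dropped out
    if not prev.addresses:
        return "reappeared"     # name came back
    if set(prev.addresses) != set(cur.addresses):
        return "set-changed"    # different hosts answering
    if prev.addresses != cur.addresses:
        return "reordered"      # same hosts, rotated order (round-robin)
    return "stable"


def summarize(snapshots):
    """Aggregate the transitions and how widely the answers are spread."""
    events = [classify_transition(a, b) for a, b in zip(snapshots, snapshots[1:])]
    all_addrs = {a for s in snapshots for a in s.addresses}
    # Distinct /16s: a rough count of how many unrelated networks serve the name.
    slash16 = {str(ipaddress.ip_network(f"{a}/16", strict=False)) for a in all_addrs}
    return {
        "events": events,
        "distinct_addresses": len(all_addrs),
        "distinct_slash16": len(slash16),
        "flapped": "nxdomain" in events and "reappeared" in events,
        "rotating": any(e in ("reordered", "set-changed") for e in events),
    }


if __name__ == "__main__":
    report = summarize(SNAPSHOTS)
    for (a, b), ev in zip(zip(SNAPSHOTS, SNAPSHOTS[1:]), report["events"]):
        print(f"{a.when} -> {b.when}: {ev}")
    print(report)
```

On the quoted data this yields two reorders, one drop-out and one reappearance across five addresses in five different /16s; a resolver log feeding `summarize` with real snapshots would flag a host the same way, while a name whose answers stay identical query after query reports only "stable".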


And while we're on the subject of those "tricky" lil' devils, here's a wrinkle I've not noticed before - the spamvertized links are in the headers (including the subject): http://www.spamcop.net/sc?id=z1028325315zd...;action=display Oddly enough it parses without an error message (though of course the parser makes no attempt to pick up the links) even though there is no "body".

If I had to say something 'official' .... I'd suggest that there was an issue with the Norton tool involved .... I'm seeing that the blank line between the header and body was removed, then the NAS header lines were attached to the bottom of that new construct .... An ooops somewhere in there ...???? Notice that the Subject Line: was also 'massaged' a bit and also relocated ....

Do "no body" spam parse now? I've noticed no comment to that effect.

Easy way to answer .... it depends on the method of submittal .... I'm not having a good memory moment, but ... I'm thinking that an e-mail submittal gets treated like a "Quick Report" .. i.e. it's just the header that gets analyzed anyway .... this was brought into being quite a while back .... I believe that a web-form submittal still generates an error due to the 'missing body' ....

... I'm thinking that an e-mail submittal gets treated like a "Quick Report" .. i.e. it's just the header that gets analyzed anyway .... this was brought into being quite a while back .... I believe that a web-form submittal still generates an error due to the 'missing body' ....

Ah yes, thanks!

No blank line delineating headers from body - abort

Here is your TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/sc?id=z1028955147zd...170b58e83e5b94z

...

No source IP address found, cannot proceed.

...

Submitting spam via email (may work better)

...

No body provided, check format of submission

Edited by Farelf
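The failure Farelf hit ("No blank line delineating headers from body - abort") and the earlier observation that the spamvertised links sat in the headers rather than the body come down to two checks a submission pipeline can make before parsing: is the header block terminated by the blank line RFC 5322 requires, and do any header fields (Subject included) carry URLs that a body-only link scan would miss? The following is an added example, not code from the thread or from SpamCop's parser; the two sample submissions are constructed, with documentation-placeholder hostnames.

```python
"""
Added example (not from the forum thread): detect a submission whose header
block is not terminated by a blank line, and pull URLs out of header fields.
"""
import re

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def split_headers_body(raw):
    """Return (headers, body, well_formed). If no blank line separates the
    header block from the body (Farelf's mangled submission), everything is
    treated as header text and well_formed is False."""
    for sep in ("\r\n\r\n", "\n\n"):
        if sep in raw:
            head, body = raw.split(sep, 1)
            return head, body, True
    return raw, "", False


def urls_in_headers(raw):
    """URLs found in header fields only; folded continuation lines are joined
    first so a URL split across a fold is matched whole."""
    head, _, _ = split_headers_body(raw)
    unfolded = re.sub(r"\r?\n[ \t]+", "", head)
    return sorted(set(URL_RE.findall(unfolded)))


def classify_submission(raw):
    """Short verdict a reporting front end could show before parsing."""
    _, _, ok = split_headers_body(raw)
    links = urls_in_headers(raw)
    if not ok:
        return "no-header-body-separator" + (" (links in headers)" if links else "")
    return "well-formed" + (" (links in headers)" if links else "")


# Constructed: header block with no terminating blank line and a URL in Subject.
SAMPLE_MANGLED = (
    "Received: from mail.example.test (mail.example.test [192.0.2.7])\n"
    "\tby mx.example.test with ESMTP id abc123\n"
    "Subject: visit http://shop.example/promo now\n"
    "X-Promo: see http://other.example/\n"
    "This line was meant to be the body, but nothing separates it from the headers\n"
)

# Constructed: a normal message whose only URL is in the body.
SAMPLE_OK = "Subject: hello\n\nbody text http://body.example/\n"


if __name__ == "__main__":
    for name, raw in (("mangled", SAMPLE_MANGLED), ("ok", SAMPLE_OK)):
        print(name, classify_submission(raw), urls_in_headers(raw))
```

A malformed submission is reported rather than silently parsed as header-only, and the header URLs are surfaced so a reporter can see what a body-oriented parser skipped.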

P.S. fagim.net still alive, do not worry, dear Farelf.
Thanks karlisma, I see what you've been saying - maybe not a dead horse as such but, in the words of "Bones" McCoy, "It's not life as we know it, Jim."

FWIW the mailservers at the reporting addresses provided above by StevenUnderwood are "responsive" http://www.dnsstuff.com/tools/mail.ch?doma...se%40ttn.com.tw (same for spam[at]ttn.com.tw)

Trying to connect to all mailservers:

   roll.ttn.com.tw. - 210.17.57.4  [Successful connect: Got a good response [250 2.1.5 <abuse[at]ttn.com.tw>... Recipient ok]] (took 5.703 seconds)
   rock.ttn.com.tw. - 210.17.57.1  [Successful connect: Got a good response [250 2.1.5 <abuse[at]ttn.com.tw>... Recipient ok]] (took 5.563 seconds)
   rock.ttn.com.tw. - 210.17.57.6  [Successful connect: Got a good response [250 2.1.5 <abuse[at]ttn.com.tw>... Recipient ok]] (took 3.0 seconds)

NOTE: This tool does NOT attempt to determine if an E-mail address exists!

In the words of those good old guys, the Cossacks, "На коня!" ("To horse!") if you will but I suspect they will be unreceptive to any suggestion you might make and I would not be using any address I was fond of in doing it.


http://aircleanline.com/

adds up.

Fagim.net almost unseen....

and yes, now it's MyCanadianPills :)

And still, all this spam is coming with that third useless header filled with tracking codes.

Edited by karlisma

...Or all of your 1138 posts are like: So? ...
If you were to look, you would find dra007 helps lots of people, notably of late providing evidence for those who need it. That is a very positive contribution to the war on spam. You seem to prefer to alert "us" to just how tricky you think some spammers are. This is a help forum, the Lounge is for social commentary or whatever else. If you are asking for help, what is your question?


If you were to look, you would find dra007 helps lots of people, notably of late providing evidence for those who need it. That is a very positive contribution to the war on spam. You seem to prefer to alert "us" to just how tricky you think some spammers are. This is a help forum, the Lounge is for social commentary or whatever else. If you are asking for help, what is your question?

Should I have looked? Why? And what is the purpose of posting "So?"?

If you read the first post, then you see the question :ph34r:

My intention, writing this, is to look at how many tracking codes are hidden in this message, never mind the following parts with the gif name and everything else... Will SpamCop start to clean up these tracking codes, and when? Any time soon or no chance at all?

It went to the parsing and juggling with DNS records etc. etc.; just Miss Betsy had a point, but knowing she is not in the tech so much :rolleyes: , I was waiting for someone who is.

And then there was Post #10, asking - how come? - the parser, without displaying technical info, just spits out:

ISP does not wish to receive report regarding http://fagim.net/
Cannot resolve http://fagim.net/

That's pretty much all.

Edited by karlisma
