i received bizarre email... is it spam, or what?

[salamandir]

i got the following email:

-----

Dear Webmail Subscriber,

This mail is to inform all our webmail users that we will be maintaining

and upgrading our website in a couple of days from now.As a Subscriber you

are required to send us your Email account details to enable us know if

you are still making use of your mailbox. Be informed that we will be

deleting all mail account that is not functioning to enable us create more

space for new subscribers, You are to send your mail account details which

are as follows:

*Username:

*Password:

*Alternate email:

Failure to do this will immediately render your email address deactivated

from our database.

Thank you for using our Webmail!

FROM THE SUPPORT TEAM.

-----

i looked at the header and it didn't seem quite right, and when i submitted it, it said

-----

Hostname verified: mx01.csolutions.net

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust anything beyond this header

No source IP address found, cannot proceed.

-----

but i recognise csolutions.net...

the entire message is here:

http://www.spamcop.net/sc?id=z2468886872zd...;action=display

is this for real, or is it just spammers playing games with me?

[turetzsr]

i got the following email:

<snip>

...Noting this from the header (thank you for including the tracking URL!):

<snip>

From: "Spamcop Support Team" <tech-support[at]spamcop.net>

<snip>

Received: from 208.43.68.148

<snip>

...SpamCop admins will not ask for your password via the mail and they definitely wouldn't use tech-support[at]spamcop.net as the e-mail address. Looking up the IP address:

SpamCop v 2 Copyright © 1998-2006, IronPort Systems, Inc. All rights reserved.

Parsing input: 208.43.68.148

Reporting addresses:

abuse[at]softlayer.com

...Not a SpamCop address!

...My conclusion: this is spam.

[salamandir]

...Noting this from the header (thank you for including the tracking URL!):...SpamCop admins will not ask for your password via the mail and they definitely wouldn't use tech-support[at]spamcop.net as the e-mail address. Looking up the IP address:...Not a SpamCop address!

...My conclusion: this is spam.

thanks. i was about 95% sure that it was spam...

although if you can trace it to softlayer.com, how come spamcop can't?

[Farelf]

...although if you can trace it to softlayer.com, how come spamcop can't?

Good question to ask! Something to do with your mailhosts setup - SC parser will pick it up 'unhosted' as in http://www.spamcop.net/sc?id=z2469238840z3...ccecd9675a0f8ez

...yet your parse http://www.spamcop.net/sc?id=z2468886872zd...f53950a9483085z says (amongst other things)

No source IP address found, cannot proceed.

Add/edit your mailhost configuration

[salamandir]

No source IP address found, cannot proceed.

Add/edit your mailhost configuration

i added another mailhost (somehow my "real" email host got deleted?) and tried it again, and i got a completely different parse, which names "abuse[at]tera-byte.com" as the responsible address, and it says that they acknowledge the spam and that it will end "after Sun 21 Dec 2008"... well this message is dated 22 Dec 2008, so that's wrong, but there's no place for me to report it anyway. i'm stumped...

[turetzsr]

<snip>

and it says that they acknowledge the spam and that it will end "after Sun 21 Dec 2008"

<snip>

...Is the phrase "ISP has indicated spam will cease"? If so, type that phrase, with question marks at the beginning and end, into the box near the top center of the page between the "Search for --?" and "GO" buttons, then click one of those buttons. You should get a page of links to SpamCop Forum "threads" that discuss it further.

[kae]

i got the following email ... <snip>

I got one too. I've seen several spamcop news items warning about these type of email messages asking for your spamcop login and password, but this is the first one that I've actually seen land in my Inbox.

Here's the Tracking URL.

I got this today, so the ISP must be having trouble blocking these messages or they are just saying that they will have it fixed by "yesterday".

[salamandir]

so who do i report this to: abuse[at]softlayer.com or abuse[at]tera-byte.com?

[Farelf]

i added another mailhost (somehow my "real" email host got deleted?) and tried it again, and i got a completely different parse, which names "abuse[at]tera-byte.com" as the responsible address, ...

Yeah, if we look at the two parses (since your original one has now reconfigured itself), yours baulks at

5: Received: from 208.43.68.148 (SquirrelMail authenticated user acmeafa) by mail.wildroseinternet.ca with HTTP; Mon, 22 Dec 2008 15:15:01 -0700 (MST)

Hostname verified: odin.fusedhosting.net

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust anything beyond this header

and drops back to

Tracking message source: 216.194.85.131:

which was step 4:. Mine goes on

Possible spammer: 208.43.68.148

Host mail.wildroseinternet.ca (checking ip) = 216.194.85.131

216.194.85.131 not listed in dnsbl.njabl.org

216.194.85.131 not listed in cbl.abuseat.org

216.194.85.131 not listed in dnsbl.sorbs.net

Chain test:mail.wildroseinternet.ca =? mail.wildroseinternet.ca

Host mail.wildroseinternet.ca (checking ip) = 216.194.85.131

216.194.85.131 is not an MX for mail.wildroseinternet.ca

Host mail.wildroseinternet.ca (checking ip) = 216.194.85.131

ips are identical

mail.wildroseinternet.ca and mail.wildroseinternet.ca have close IP addresses - chain verified

Possible relay: 216.194.85.131

216.194.85.131 has already been sent to relay testers

Received line accepted

Tracking message source: 208.43.68.148:

There's insufficient justification to stop the parse where it does with yours IMO - or rather the justification found to continue mine should (logically) apply equally to yours. Don (SC Admin) or a deputy would need to consider this to assist any change. Ordinarily. But in this case both providers have begged for a moratorium while they fix their networks so it doesn't really matter. Per the lookups suggested by Steve T, you will see there is a 'period of grace' while they do this. That's what the suspension of reporting is all about and if they fail to deliver, deputies will re-start the process towards listing .

I got this today, so the ISP must be having trouble blocking these messages or they are just saying that they will have it fixed by "yesterday".

As above, period of grace is about ~24 hours or when a deputy decides, IIUC - check/search previous references in the forum for more detail.

so who do i report this to: abuse[at]softlayer.com or abuse[at]tera-byte.com?

A manual report? I don't think either, under the circumstances (they both know already that there's something passing through their networks that shouldn't so they don't need that 'heads up'.)

[Spamnophobic]

SpamCop admins will not ask for your password via the mail and they definitely wouldn't use tech-support[at]spamcop.net as the e-mail address.

And can we assume said admins have also jumped on any such addresses, which would need to be valid to "land the catch"?

[rconner]

And can we assume said admins have also jumped on any such addresses, which would need to be valid to "land the catch"?

Not sure I know what you mean by "jumped on," but tech-support (at) spamcop.net does not have to be valid in this case. The spammer has included a reply-to address (techsupport (at) info.lt) which is what your mail program will probably use as the target of any reply messages you send. The spamcop address is used mainly to get the mail past mail hosts and to try to convince you that the message is genuine. It is not intended for replies.

-- rick

[Spamnophobic]

By "jumped on" I meant closed, TOSsed, LARTed, disintegrated, abolished, exterminated and generally destroyed all past, present and future instances of any such address and holder thereof. I was going on the "return path", and as you point out and I of course know if I switch my brain on, mail programmes will use the "From" or "Reply to" addresses if you hit Reply. My first reaction to the OP's "No source IP address found" was "Aha, it's an inside job, the phishers are sending from a spamcop.net address to look genuine!" and a superficial scan of the header (the plain text version not the SC parse) seemed to show non-spammy IPs, which I mistakenly saw as confirmation. Perhaps even an intended ploy by the phisherfolk?

Which train of thought lead me to wonder whether SpamCop mail admins are indeed keeping a lookout for subscriptions with suspicious addresses in these times of phishing for SpamCoppers, "use" of SpamCop addresses in lists (something which like Elind over in the currently most active thread in the Reporting Help section, I've thought about a lot recently) and suchlike.

I was though jumping to incorrect conclusions on the basis of superficial examination, my apologies.