
IP not found IP: [127.0.0.1]


bobster


Once in a while, I'll get spam with the X-Originating-IP: [127.0.0.1]. If I report the spam to SpamCop (email or web process) I get no IP found. I can understand this, with IP 127.0.0.1. The question is, what is it (zombie, inside job, what)?

I did report it to my ISP abuse.

Received: from pinsky (localhost[127.0.0.1]) by sccrmxc19.comcast.net (sccrmxc19) with SMTP id <20050502194856s1900gtliee>; Mon, 2 May 2005 19:48:56 +0000

X-Originating-IP: [127.0.0.1]

From: "groe" <ioxnerwdfezvmsmusec[at]lyceum.com>

Reply-To: "groe" <ioxnerwdfezvmsmusec[at]lyceum.com>

To: x

BCC: x

Subject: we offer the best compensation package

Content-Type: text/plain;charset="iso-8859-1"

Date: Mon, 2 May 2005 15:47:34 -0400

x[at]comcast.net

Hello,

Would you like at least $1500.00 to $3500.00 per day just for returning phone calls? I do!

If you have a telephone and can return calls you are fully qualified for this program.

EDIT: wazoo deleted remainder of spam body ....


This is yet another symptom of incompetence at Comcast (please feel free to search this site for other mentions of Comcast). As a paying customer, you probably can get more done by complaining via customer-only web, email, and phone channels like support and sales, or even in person if you are near a local office.


Just to step outside the box a bit ... is "pinsky" familiar to you? Is it possible that you've got an anti-virus tool in use that also scans e-mail? Are these actually the complete headers?

Your description (and sample) reminds me of ancient (haven't been there in a while) issues raised over in the Microsoft newsgroups ... Norton anti-virus (NAV) et al would be installed, with e-mail scanning activated. This worked by NAV setting up a bit of a proxy, it would actually go out and get the e-mail, do the scan, then put the 'good' e-mail 'over there' ... The existing e-mail app would have had its pointers reset to go look 'over there' to pull in the new e-mail. Worked fine until the user decided to remove NAV .. the e-mail app pointers weren't reset, so "we'd" see the query posted in the Microsoft newsgroup as "OE just quit/broken" ... eventually finding out that OE was trying to connect to (localhost) 127.0.0.1 instead of the actual POP server ....


Hi

What I posted is the exact header from the Message Source detail window.

No, I am NOT familiar with "pinsky", but I am running Norton anti-virus with it set to check email.

If I'm reading your reply correctly, this could be related to my Norton anti-virus app.

Below is another example that I just happened to save (dated 4/28/05); this too was copied completely from the Message Source Detail Window but is a little different.

Received: from sitedesign (localhost[127.0.0.1]) by rwcrmxc22.comcast.net (rwcrmxc22) with SMTP id <20050428220905r2200qq0nce>; Thu, 28 Apr 2005 22:09:06 +0000

X-Originating-IP: [127.0.0.1]

From: "michelleburke" <oczskmkei[at]yahoo.com>

Reply-To: "michelleburke" <oczskmkei[at]yahoo.com>

To: x[at]comcast.net

BCC: x

Content-Type: text/plain;charset="iso-8859-1"

Date: Thu, 28 Apr 2005 18:07:20 -0400

x[at]comcast.net

Hello,

Would you like at least $1500.00 to $3500.00 per day just for returning phone calls? I do!

EDIT: wazoo deleted the rest of the spam body ... nothing to do with the query


This came up once before over in the newsgroups .. only good link found thus far ... http://news.spamcop.net/pipermail/spamcop-...ber/063761.html (sort/select Thread to 'easily' see the rest of this conversation)

Though http://news.spamcop.net/pipermail/spamcop-...ber/043435.html includes a spam sample with these same comcast lines in use, but noting the additional header lines above and below ...????

Search made difficult due to the "popularity" of comcast and that so many folks used a posting address of somename <at> 127.0.0.1 instead of the recommended dead address ....


Hi Wazoo,

I checked out the links and they do make some sense why this IP (non IP) would be used. I reported it to my ISP and it will be interesting to see the response, if I get one.

If I get any more info on this issue I will post it.

Thanks


Interesting ... not just Comcast, I've been getting the odd 127.0.0.1 originated mail through my attglobal account for years, both simple spam and as supposed returned undeliverables of spam messages which of course I never sent. The cruelly misnamed ATT "Help Center" has been totally unhelpful in all that time, despite my best efforts to coax some vestige or hint of competence out of them. I conclude they know more than they care to admit; they're too consistently blockheaded for simple incompetence to seem believable. Occasional server glitches perhaps? They never admit fault. Occurrences, for me, are sporadic and low-volume, mostly just irritating because there's no spammer to report.


WOW!

I'm glad you responded, I thought it was only Comcast. I have found other reports dating back to 2002 with the 127.0.0.1 and believe it goes back even further in time.

I'm thinking now it may be an inside job from someone who has access to the system (intranet) or someone who figured out a way to cut the header from what I've read.

Thank you for the response.


  • 1 month later...

The end of the story "Originating-IP: [127.0.0.1]". Basically, spam that is not leaving your ISP (network) and is intranet spam. Only your ISP can correct it or find the source.

Thanks to all the Deputies that helped with a solution!


... Only your ISP can correct it or find the source.

....


Thanks for the feedback bobster!

I mentioned elsewhere I have finally crumbled and installed filters to get free of most of the spam coming my way. I included this one:

IF the RECEIVED field contains "(localhost[127.0.0.1]) by prserv.net" THEN forward the message to "postmaster[at]attglobal.net" THEN stop processing filters

After AT&T/attglobal being utterly unhelpful for years, pretending not to understand or accept that there was anything untoward in these messages (invariably spam) I figured maybe they would benefit by being a little closer to the occurrences. If all AT&T users did the same ...


Archived

This topic is now archived and is closed to further replies.
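
The header check discussed in this thread, as an added example that is not part of any post: it parses `Received` lines of the shape quoted above, trusts only the hop written by the recipient's own provider, and reports when that hop records a loopback or private address, which is why a reporting service finds no IP and only the provider can trace the message from its queue id. The function names, the verdict strings, and the second sample (`EXTERNAL_SAMPLE`, with a documentation address, made-up host name and id) are assumptions made for the example.

```python
import ipaddress
import re
from email import message_from_string

# Ranges that never identify a sender an outside party could report.
NON_REPORTABLE = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "::1/128")]

# Shape seen in this thread: from HELO (rdns[ip]) by HOST ... id <QUEUE-ID>
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]*)\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)(?:.*?\bid\s+<(?P<id>[^>]+)>)?")

def received_hops(raw_headers):
    """Return one dict per parseable Received header, newest hop first."""
    values = message_from_string(raw_headers).get_all("Received", [])
    return [m.groupdict() for v in values if (m := RECEIVED_RE.search(" ".join(v.split())))]

def classify(raw_headers, provider_domain):
    """Judge the hop written by the recipient's own provider (the trusted one)."""
    for hop in received_hops(raw_headers):
        if not hop["by"].lower().endswith("." + provider_domain):
            continue  # written by a server we have no reason to trust
        try:
            ip = ipaddress.ip_address(hop["ip"])
        except ValueError:
            return "unparseable-ip", hop
        if any(ip in net for net in NON_REPORTABLE):
            return "no-reportable-source", hop  # only the provider's logs can trace it
        return "reportable", hop
    return "no-trusted-hop", None

# First header block quoted in the thread, Received folded onto continuation lines.
THREAD_SAMPLE = """\
Received: from pinsky (localhost[127.0.0.1])
 by sccrmxc19.comcast.net (sccrmxc19) with SMTP
 id <20050502194856s1900gtliee>; Mon, 2 May 2005 19:48:56 +0000
X-Originating-IP: [127.0.0.1]
"""
# Constructed sample: 203.0.113.7 is a documentation address standing in for a public one.
EXTERNAL_SAMPLE = """\
Received: from mail.example.net (mail.example.net[203.0.113.7])
 by sccrmxc19.comcast.net (sccrmxc19) with SMTP
 id <constructed-id>; Mon, 2 May 2005 19:48:56 +0000
"""

if __name__ == "__main__":
    for sample in (THREAD_SAMPLE, EXTERNAL_SAMPLE):
        print(classify(sample, "comcast.net"))
```

For a `no-reportable-source` verdict, the `by` host and `id` fields of the returned hop are the details the provider's abuse desk needs to look the message up in its own logs.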
