Maine Train

I think this spammer got into the one classmate's account, and harvested his address book. That classmate told me he got messages from friends who weren't in our class (and he doesn't use Facebook, at least not for the class group), telling him about the suspicious emails. I don't know if any of them tried replying to his Comcast address and somehow had it diverted to the scammer's Hotmail address. That's what piqued my curiosity. I thought I was replying only to my classmate, but I got replied from him (via Comcast) and the scammer (via Hotmail). From View entire message: Received: from EUR06-AM7-obe.outbound.protection.outlook.com (mail-am7eur06olkn2084.outbound.protection.outlook.com. [40.92.16.84]) by mx.google.com with ESMTPS id eb8si4670623edb.511.2020.12.23.11.30.07 for &lt;X&gt; (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 23 Dec 2020 11:30:08 -0800 (PST) Received: from AM7EUR06FT033.eop-eur06.prod.protection.outlook.com (2a01:111:e400:fc36::53) by AM7EUR06HT254.eop-eur06.prod.protection.outlook.com (2a01:111:e400:fc36::326) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3676.22; Wed, 23 Dec 2020 19:30:07 +0000 Received: from AM7PR04MB6823.eurprd04.prod.outlook.com (2a01:111:e400:fc36::4b) by AM7EUR06FT033.mail.protection.outlook.com (2a01:111:e400:fc36::361) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3700.27 via Frontend Transport; Wed, 23 Dec 2020 19:30:07 +0000 Received: from AM7PR04MB6823.eurprd04.prod.outlook.com ([fe80::4917:f90a:8527:49bf]) by AM7PR04MB6823.eurprd04.prod.outlook.com ([fe80::4917:f90a:8527:49bf%6]) with mapi id 15.20.3700.026; Wed, 23 Dec 2020 19:30:07 +0000 From: [munged] &lt;pbiibaud@outlook.com&gt; To: <X> Subject: Re: Thinking of you fondly Date: Wed, 23 Dec 2020 19:30:07 +0000 Message-ID: &lt;AM7PR04MB6823A19886BDB753EDA17DC7DCDE0@AM7PR04MB6823.eurprd04.prod.outlook.com&gt; References: &lt;1503941567.175629.1608646467954@connect.xfinity.com&gt;,&lt;CAL-d1+vxLO6C2aN1mpMg_toYX6ggngt8yx+jqhjQjAcYY_w9yg@mail.gmail.com&gt; Accept-Language: en-US Content-Language: en-US Good to hear from you [munged], please can you help me get a gift card for my little niece. It&#39;s her birthday but i can&#39;t do this now because I&#39;m out of town on vacation, I tried purchasing online but unfortunately had no luck with that. Can you please help me get it from any store around you or help purchase online? reimbursement is not a problem soon as i get back. ############################################################################################################################# And from Parsing Header: Parsing header: host 2a01:111:e400:fc36:0:0:0:53 (getting name) no name host 2a01:111:e400:fc36:0:0:0:4b (getting name) no name 0: Received: from EUR06-AM7-obe.outbound.protection.outlook.com (mail-am7eur06olkn2084.outbound.protection.outlook.com. [40.92.16.84]) by mx.google.com with ESMTPS id eb8si4670623edb.511.2020.12.23.11.30.07 for <X> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 23 Dec 2020 11:30:08 -0800 (PST) Hostname verified: mail-am7eur06olkn2084.outbound.protection.outlook.com Gmail/Postini received mail from sending system 40.92.16.84 1: Received: from AM7EUR06FT033.eop-eur06.prod.protection.outlook.com (2a01:111:e400:fc36::53) by AM7EUR06HT254.eop-eur06.prod.protection.outlook.com (2a01:111:e400:fc36::326) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3676.22; Wed, 23 Dec 2020 19:30:07 +0000 No unique hostname found for source: 2a01:111:e400:fc36:0:0:0:53 Trusted site protection.outlook.com received mail from 2a01:111:e400:fc36:0:0:0:53 2: Received: from AM7PR04MB6823.eurprd04.prod.outlook.com (2a01:111:e400:fc36::4b) by AM7EUR06FT033.mail.protection.outlook.com (2a01:111:e400:fc36::361) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3700.27 via Frontend Transport; Wed, 23 Dec 2020 19:30:07 +0000 No unique hostname found for source: 2a01:111:e400:fc36:0:0:0:4b Possible forgery. Supposed receiving system not associated with any of your mailhosts Will not trust this Received line. Sender relay: 40.92.16.84 Routing details for 40.92.16.84 [refresh/show] Cached whois for 40.92.16.84 : abuse@microsoft.com Using best contacts abuse@microsoft.com Using rdns to route to correct Microsoft department host 40.92.16.84 = mail-am7eur06olkn2084.outbound.protection.outlook.com (cached) abuse net protection.outlook.com = abuse@messaging.microsoft.com Tracking message source: 2a01:111:e400:fc36:0:0:0:53: Routing details for 2a01:111:e400:fc36:0:0:0:53 Report routing for 2a01:111:e400:fc36:0:0:0:53: danorm@microsoft.com danorm@microsoft.com redirects to report_spam@hotmail.com Sorry, this email is too old to file a spam report. You must report spam within 2 days of receipt. This mail was received on Wed, 23 Dec 2020 19:30:07 +0000 Message is 5.5 days old 2a01:111:e400:fc36:0:0:0:53 not listed in cbl.abuseat.org 2a01:111:e400:fc36:0:0:0:53 not listed in dnsbl.sorbs.net 2a01:111:e400:fc36:0:0:0:53 not listed in accredit.habeas.com 2a01:111:e400:fc36:0:0:0:53 not listed in plus.bondedsender.org 2a01:111:e400:fc36:0:0:0:53 not listed in iadb.isipp.com Finding links in message body Parsing text part no links found Finding IP block owner: Routing details for 2a01:111:e400:fc36:0:0:0:53 Report routing for 2a01:111:e400:fc36:0:0:0:53: danorm@microsoft.com danorm@microsoft.com redirects to report_spam@hotmail.com If reported today, reports would be sent to: Re: 2a01:111:e400:fc36:0:0:0:53 (Administrator of IP block - statistics only) report_spam@hotmail.com Re: 40.92.16.84 (Administrator interested in intermediary handling of spam) abuse@messaging.microsoft.com ############################################################################################################################ Side note: Reports were sent on 12/23, but the "too old" language appears to have been added since.

I'll see if I can get a better track for those reports. They were essentially the same, but one was to Microsoft, the other to Hotmail. Would a copy-and-paste of the headers be of any use for getting a better idea what's going on? I sort of suspect that the spammer has infiltrated my classmate's account to the point where he can read incoming messages as well as using the address to send spam. I think he just uses the Hotmail address to lessen the chance of being found out "squatting" on the victim account, but it's been a couple of years since I've read up on spammer tricks. The Russians are my prime suspects for most spams and scams, but that might he just because so much of the "enhancement meds" garbage that I used to report had ",ru" sources, sometimes by way of other countries that I wouldn't mind seeing heavily if not completely blocklisted.

My high school class has a Facebook group, and on Wednesday, the group organizer posted that the group had apparently been "hacked," because she and some other members of the group had received a strange email from another classmate, who is not a Facebook user. I hadn't received anything at the address I use for Facebook, but did receive (at a different address) a somewhat strange message from the referenced classmate's Comcast address. I ran that through SpamCop, and it did originate at Comcast, so I didn't report it. We were all concerned about the supposed sender's health, so I replied to his email. The best I can tell, my reply went only to his Comcast address. I got a reply from him, saying he didn't send anything, but had had several others who aren't classmates telling him that they had received the same spam. I also received a reply from the spammer/scammer, using a Hotmail address, with my classmate's last name spelled incorrectly. I reported that one, here, with notes to Microsoft and Hotmail that the spam appears to be an attempted scam: https://www.spamcop.net/mcgi?action=gettrack&amp;reportid=7101629398 : https://www.spamcop.net/mcgi?action=gettrack&amp;reportid=7101629397 At this point, I'm pretty sure my classmate's address book has been harvested, but I'm mostly wondering how the scammer knew I had replied to my classmate's address. I couldn't find anything in the headers for my reply to my classmate (via Comcast) that suggests a copy was also sent to the scammer's Hotmail addy. And finally, is it wrong at this time of year for me to want to reach through the Interwebz and choke the scammer? 😡 Thanks again, and Merry Christmas.

I did send a report. I'll get the tracking number later, and fill in the details of the spam and the scammer's reply. (To a message I thought was going only to my classmates's address. That's the part that has me puzzled.) Thanks for the quick response.

I haven't been on the forum for a long time, so I'm trying to get familiar with it again. I'm seeing threads from 2007 and earlier, but assuming that any without a year are 2020, meaning there's still activity here. I hope so, because I've got a weird situation involving a spammer/scammer trying to impersonate one of my high school classmates. In the "old days," most of the people here were way more savvy about the Interwebz in general and spam in particular than I was, so I'm pretty sure someone will have some useful insight on the situation. Would anyone like to hear the whole story?