Jump to content

sharebuilder.com


dbiel

Recommended Posts

I was wondering if someone could help me understand the headers in the following message.

The problem seems to come down to my lack of understanding about DomainKeys. The Wikipedia article DomainKeys Identified Mail was somewhat helpful.

The from line reads: From: "ShareBuilder" <sharebuilder[at]mailer.sharebuilder.com>

The DomainKey-Signature indicates: d=mailer.sharebuilder.com;

But the received from headers do not show any direct relationship with the only headers related to the sender being:

Received: from sharebuilder.outbound.ed10.com ([64.14.81.245])

Received: from [127.0.0.1] ([127.0.0.1:53516])

by bm1-10.bo3.e-dialog.com

I am unable to make sense of the handoff from bm1-10.bo3.e-dialog.com to sharebuilder.outbound.ed10.com which has the DomainKey information sitting in the middle of the hand off.

ed10.com is a know bulk emailer and the message does have a proper return path so I do feel confident that the message is legit and does represent sharebuilder.com via the third party mailer ed10.com, but I do not see were e-dialog.com fits into the picture.

The other spammy chareristic is the following body copy:

You are receiving this e-mail because you have a ShareBuilder Account. You may unsubscribe, update or change your e-mail preferences by logging in to your account and clicking the Account Profile tab under the Accounts tab. Or you may Opt Out here.
Well I do not have and never had such an account
Received: from sharebuilder.outbound.ed10.com ([64.14.81.245])
	by vipmx-mesquite.atl.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id 1lFY3q5XG3Nl36k0
	for &lt;xxxxxxxx[at]earthlink.net&gt;; Sat, 7 Mar 2009 10:03:08 -0500 (EST)
DomainKey-Signature: q=dns; a=rsa-sha1; c=nofws;
	s=ED2008-09; d=mailer.sharebuilder.com;
	h=Received:Date:Content-Type:Content-Transfer-Encoding:MIME-Version:From:Reply-To:To:Subject:Message-Id:X-Mail-From:X-RCPT-To:X-Mailer:X-Mailing-Name:X-Archive-Key:X-Mailed-Date;
	b=Zl/Oy8FnE+3hqj4RsUlwAqrRfO5Nv67bU3S7NeNNgDT2On4E/fnneZhquEtD9tnP
	4dQYoAdzTeBXnfhI6m+s3DoTP8TLJil4y6D7qzbiV8Iz1GSs9Ls49tvu+DKkbOdw
Received: from [127.0.0.1] ([127.0.0.1:53516])
	by bm1-10.bo3.e-dialog.com (envelope-from &lt;974U49-6M0RMH-HIX6KZ-977RCZ-IS56UR-H-M2-20090306-8f2b5a60c740cc9b83[at]sharebuilder.bounce.ed10.net&gt;)
	(ecelerity 2.2.2.37 r(28805/28809)) with ECSTREAM
	id 72/86-17798-CAC82B94; Sat, 07 Mar 2009 10:03:08 -0500
Date: Sat, 07 Mar 2009 10:03:08 -0500
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
From: "ShareBuilder" &lt;sharebuilder[at]mailer.sharebuilder.com&gt;
Reply-To: "ShareBuilder" &lt;sharebuilder.5VVQ8C.11736821[at]mailer.sharebuilder.com&gt;
To: xxxxxxxxxxxxxx
Subject: Get 7 free investments when you open an IRA
Message-Id: &lt;29823-22165-974U49-6M0RMH-HIX6KZ-977RCZ-IS56UR-H-M2-20090306-8f2b5a60c740cc9b83[at]e-dialog.com&gt;
X-Mail-From: 974U49-6M0RMH-HIX6KZ-977RCZ-IS56UR-H-M2-20090306-8f2b5a60c740cc9b83[at]sharebuilder.bounce.ed10.net
X-RCPT-To: xxxxxxxxxxxxxx
X-Mailer: EDMAIL R6.00.02
X-Mailing-Name: 0903-IRA-NoAcct-Ofr
X-Archive-Key: 0002165806
X-Mailed-Date: Fri, 06 Mar 2009 17:50:17 -0500
X-ELNK-Received-Info: spv=0;
X-ELNK-AV: 0
X-ELNK-Info: sbv=0; sbrc=.0; sbf=0b; sbw=010;
X-SpamCop-Checked: 207.69.195.99 207.69.195.26 207.69.195.100 207.69.195.156 64.14.81.245 2.2.2.37 

Note: To info has been munged

I should state that I have reported this message and added the comment regarding why being the bogus statement mentioned above claiming that I have an account.

Link to comment
Share on other sites

I should state that I have reported this message and added the comment regarding why being the bogus statement mentioned above claiming that I have an account.

Assuming you reported it through SpamCop, can you post a tracking URL to this report? There are enough strange things in this header that I for one would like to rule out the possibility of copy-paste problems, HTML/IPB problems, or selective editing in your post.

At a glance, I'd conjecture that every line starting with "DomainKey Signature" is a forgery, and that it would be pointless to examine any of these data. The tracking URL would tell us whether the SpamCop parser had the same opinion (i.e., that 64.14.81.245 is the spam source).

-- rick

Link to comment
Share on other sites

Looks like the spam source was indeed 64.14.81.245, followed in the header by a bunch of header-like science fiction writing. This kind of forgery certainly does not give me a good feeling about E-Dialog's good faith. Seems like this address is on SpamCop's s..t list since they set up a separate devnull account for E-Dialog. THe website is in another block of E-Dialog's but SpamCop sent a report to the upstream provider (Savvis). I'm guessing it would not be productive to wait up for a response from Savvis.

-- rick

Link to comment
Share on other sites

...The other spammy chareristic is the following body copy:
You are receiving this e-mail because you have a ShareBuilder Account. You may unsubscribe, update or change your e-mail preferences by logging in to your account and clicking the Account Profile tab under the Accounts tab. Or you may Opt Out here.
Well I do not have and never had such an account...
That's enough for me. I don't know enough to try to untangle the headers - surely enough to know they lie in one part, no reason not to lie (forge headers) elsewhere if it might improve their chances of penetration - it is, after all, a 'seduction' attempt. I think Rick has the right view.
I should state that I have reported this message and added the comment regarding why being the bogus statement mentioned above claiming that I have an account.
Quite right, maybe savvis.net needs the ammunition/clue, maybe a waste of time but, if you don't know for sure, it's never a bad idea to play it 'with a straight bat' as we say hereabouts (and in most parts of the Commonwealth with the possible exception of Pakistan where they are now trying to imagine life without cricket, but I digress).
Link to comment
Share on other sites

Since ING Direct/Sharebuilder is reputable, the possibility of a rogue affiliate would have to be considered. Looking at http://content.sharebuilder.com/MgdCon/Cor.../affiliates.htm

How will you know what people came from my site?

All links from your site to our site contain a unique identifier so that every time a user comes to us via your site, we know to credit you when an account is created and funded. This is only possible, though, when you create all of your links with the tag generator on your Linkshare account.

So a possibility exists of a rogue 'gaming' the system by placing 'pre-loaded' referral links in spam. Of course that would be fraud against Sharebuilder and their own defenses might well detect it, anyway ANY form of spam is prohibited - http://content.sharebuilder.com/MgdCon/Cor...about/terms.htm (see "Marketing"). According to http://www.sharebuilder.com/sharebuilder/S...onSecurity.aspx suspected spoofs should be sent to spoof[at]sharebuilder.com - which might be the correct handling in this case, IMO.
Link to comment
Share on other sites

Since ING Direct/Sharebuilder is reputable, the possibility of a rogue affiliate would have to be considered.<snip>

According to http://www.sharebuilder.com/sharebuilder/S...onSecurity.aspx suspected spoofs should be sent to spoof[at]sharebuilder.com - which might be the correct handling in this case, IMO.

Thanks for the suggestion. A copy of my email message is pasted below
I am not sure if the attached email spam was endorsed by your company or not, but I find it totally unacceptable and I have reported it as spam using the SpamCop reporting service. My main complaint relates to the false claims made in the message and I quote:

You are receiving this e-mail because you have a ShareBuilder Account. You may unsubscribe, update or change your e-mail preferences by logging in to your account and clicking the Account Profile tab under the Accounts tab. Or you may Opt Out here.

I have never had a ShareBuilder Account.

There is a discussion regarding this email which I started at http://forum.spamcop.net/forums/index.php?showtopic=10152 Your reply to that topic would be greatly appreciated. Since the site does require you to register to post, you may reply to this email and I will post your reply to the topic on your behalf.

Looking forward to your response.

Now to wait and see if they respond or simply ignore the message.
Link to comment
Share on other sites

Now to wait and see if they respond or simply ignore the message.

Or take internal action to evaluate/correct the opinions/methods of their marketing department (assuming they were involved at all with the spam) and then, on advise of their legal department, not get involved in the quagmire of a public discourse in these economic time when financial institution are already under stress.

Or not.

Link to comment
Share on other sites

Thanks for the suggestion. A copy of my email message is pasted below Now to wait and see if they respond or simply ignore the message.

Hi, I work for the company that sends Sharebuilder emails. I like to comment on the DomainKeys stuff. If the DomainKey signature validates, then the signer is willing to take responsibility for the content below the signature line.

As for the connection between ed10.net and e-dialog.com, a simple whois will show who is responsible for those domains (e-dialog).

If you haven't been given a satisfactory answer to why you were emailed, please feel free to contact me. My role at e-Dialog is working with MTAs, so I won't be able to answer you directly why you were emailed but I should be able to contact the proper group if Sharebuilder hasn't answered you.

Link to comment
Share on other sites

I must admit that I am very suprised by the previous reply post. It does appear that e-dialog is a very responsible third party emailer and is working with the source of the message to address the issues raised. There was enough information provide in previous post that I was able to contact him by phone and had a fairly lengthy discussion on the subject. He is still waiting to receive some feedback from his client (the source of the message data) I will update this topic when more information is available.

Link to comment
Share on other sites

I must admit that I am very suprised by the previous reply post.

I must admit that I to am surprised, as reflected in my earlier, less than optimistic, post.

This thread should be marked as an example of the fact that some times good things happen.

Link to comment
Share on other sites

Followup email received from jmacdonald only hours after talking to him on the phone

I have an initial word from Sharebuilder. I'm not totally satisfied

with it and have asked for some further details. I hope to have more

for you tomorrow

You sure can not ask for more than that.
Link to comment
Share on other sites

And an additional unexpected, but very welcomed, email update

Still no word from the client today. Sorry about that. Hopefully something on Monday.

Have a good weekend.

Link to comment
Share on other sites

Additional email reply

Ok, Sharebuilder is claiming you have an account with them. I believe they may end up reaching out to you. I was expecting a confirmation about that but haven't recieved one yet.
my reply to him is a rather embarising
Thank you for the reply. If they contact me I will forward a copy to you.

PS

Well before sending this I have done a bit more research and discovered a web link to sharebuilder.com on an old file that let me recover account information using only very generic personal information. Which returned a user name and allowed me to change the password.

After logging in I was able to obtain an account number with a zero balance and located a contact phone number which I called and discussed the account will a rep.

So it does appear that I do have an account that was set up partially but never completed

It is a trading account that is not linked to any cash account, has never been funded or used

This would mean that the email would not be spam and should not have been reported. I am sorry about that.

Yet in one sense it is still true that I never had a real account, but it was sent up far enough to make calling email from them spam wrong.

At this point, I would like to thank you for all the time and effort you put into resolving this matter and we should consider this issue closed, unless you need something else from me to close it on your end.

I am sorry for wasting your time.

I am also forwarding the tracking link back to the deputies

It would appear that e-dialog.com is the most responsible third party bulk emailer that I have ever seen. :)

Link to comment
Share on other sites

Additional email reply my reply to him is a rather embarising I am also forwarding the tracking link back to the deputies

It would appear that e-dialog.com is the most responsible third party bulk emailer that I have ever seen. :)

We try very hard to be responsible and to make sure our clients are too. If there are issues with one of our clients and you don't receive a proper resolution or explanation, please feel free to ping me. I try to stay on top of complaints using Google, but there will be times when Google fails me. I've enabled email contact on this forum. Additionally I can be reached outside this forum via email at jmacdonald[at]e-dialog.com.

Link to comment
Share on other sites

Indeed. Now I feel sheepish about the "science fiction" comment (although it was an odd header).

What exactly did you find odd? I only ask because of my personal pride. I had some simple goals.

1) an average consumer should not be aware that e-dialog is sending the message (consumers are easily confused)

2) an average techie should be able to determine that e-dialog sent the message

Link to comment
Share on other sites

What exactly did you find odd? I only ask because of my personal pride. I had some simple goals.

1) an average consumer should not be aware that e-dialog is sending the message (consumers are easily confused)

2) an average techie should be able to determine that e-dialog sent the message

Well, you have me over a barrel, let me reconstruct my thinking (or at least what passed for thought at the time).

What puzzled me in dbiel's excerpt was the single Received line followed by a bunch of DKIM stuff followed by another Received line containing the loopback address and a hostname (bm1-10.bo3.e-dialog.com) that returned NXDOMAIN.

As you are no doubt aware, spammers sometimes forge in extra headers before they send their mail (tho I think not so much now as in the past), and these often contain bogus host names and addresses. So, I leapt to a conclusion based on the fact that I saw an unresolveable host name and an unrouteable IP on the same line.

The DKIM stuff struck me as being misplaced, and containing some odd-looking stuff, although I freely admit that I am not a DKIM expert (this might be a good motivation to bone up). The fact that it appeared just before the odd-looking Received line didn't give me a warm feeling. On reflection, I imagine that the DKIM info is inserted by the host that preps the mail to leave the domain, in which case this location makes sense.

Regardless of what I think, the acid test of the header would be whether it pointed to the correct source IP under a strict parse. dbiel's tracking link shows that SpamCop ended its parse at the top line in the excerpt (from sharebuilder.outbound.ed10.com by vipmx-mesquite.atl.sa.earthlink.net), and therefore got the correct source IP address (sharebuilder.outbound.ed10.com at 64.14.81.245).

As for your goal #1, this is probably met by the From and Reply-To addresses you used. The average recipient is not going to go poking in the headers, so won't see the things that confused me. As for goal #2, that too appears to be met, since SpamCop accurately traced the message back to your server, which seems well and properly identified and configured (with a proper PTR record as well).

I apologize for jumping to conclusions, but after the first 75,000 or so spams, things sometimes start to run together. So, when tracing an e-mail message, you probably ought to check with SpamCop first, and ask me later on.

-- rick

Link to comment
Share on other sites

What exactly did you find odd? I only ask because of my personal pride. I had some simple goals.

1) an average consumer should not be aware that e-dialog is sending the message (consumers are easily confused)

2) an average techie should be able to determine that e-dialog sent the message

To start with I want to thank you for your excellent followup and concern regarding what I had originally consider to be a objectionable spam message. Not being an expert regarding headers and having known nothing about DomainKey-Signature I will try to answer you question as a cross between 1) an average consumer and 2) an average techie.

What bothered me was the lack of a clear handoff from e-dialog.com to ed10.com. I will paste and highlight portions of the headers below:

Received: from sharebuilder.outbound.ed10.com ([64.14.81.245])

by vipmx-mesquite.atl.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id 1lFY3q5XG3Nl36k0

for <xxxxxxxx[at]earthlink.net>; Sat, 7 Mar 2009 10:03:08 -0500 (EST)

DomainKey-Signature: q=dns; a=rsa-sha1; c=nofws;

s=ED2008-09; d=mailer.sharebuilder.com;

h=Received:Date:Content-Type:Content-Transfer-Encoding:MIME-Version:From:Reply-To:To:Subject:Message-Id:X-Mail-From:X-RCPT-To:X-Mailer:X-Mailing-Name:X-Archive-Key:X-Mailed-Date;

b=Zl/Oy8FnE+3hqj4RsUlwAqrRfO5Nv67bU3S7NeNNgDT2On4E/fnneZhquEtD9tnP

4dQYoAdzTeBXnfhI6m+s3DoTP8TLJil4y6D7qzbiV8Iz1GSs9Ls49tvu+DKkbOdw

Received: from [127.0.0.1] ([127.0.0.1:53516])

by bm1-10.bo3.e-dialog.com
(envelope-from <974U49-6M0RMH-HIX6KZ-977RCZ-IS56UR-H-M2-20090306-8f2b5a60c740cc9b83[at]sharebuilder.bounce.ed10.net>)

(ecelerity 2.2.2.37 r(28805/28809)) with ECSTREAM

id 72/86-17798-CAC82B94; Sat, 07 Mar 2009 10:03:08 -0500

Date: Sat, 07 Mar 2009 10:03:08 -0500

Content-Type: text/html; charset=UTF-8

Content-Transfer-Encoding: quoted-printable

MIME-Version: 1.0

From: "ShareBuilder" <sharebuilder[at]mailer.sharebuilder.com>

Reply-To: "ShareBuilder" <sharebuilder.5VVQ8C.11736821[at]mailer.sharebuilder.com>

What I would have like to have seen was one additonal set of headers that would have looked something like the following:

Received: from bm1-10.bo3.e-dialog.com ([iP address])

by sharebuilder.inbound.ed10.com ([iP address])

What I saw as the source of the message was: sharebuilder.outbound.ed10.com ([64.14.81.245])

The following was what the SpamCop parser saw:

6: Received: from sharebuilder.outbound.ed10.com ([64.14.81.245]) by vipmx-mesquite.atl.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id 1lFY3q5XG3Nl36k0 for <x>; Sat, 7 Mar 2009 10:03:08 -0500 (EST)

Hostname verified: sharebuilder.outbound.ed10.com

Earthlink received mail from sending system 64.14.81.245

7: Received: from [127.0.0.1] ([127.0.0.1:53516]) by bm1-10.bo3.e-dialog.com (envelope-from <974U49-6M0RMH-HIX6KZ-977RCZ-IS56UR-H-M2-20090306-8f2b5a60c740cc9b83[at]sharebuilder.bounce.ed10.net>) (ecelerity 2.2.2.37 r(28805/28809)) with ECSTREAM id 72/86-17798-CAC82B94; Sat, 07 Mar 2009 10:03:08 -0500

Internal handoff or trivial forgery

Tracking message source: 64.14.81.245:

Routing details for 64.14.81.245

[refresh/show] Cached whois for 64.14.81.245 : abuse[at]savvis.net

Using abuse net on abuse[at]savvis.net

abuse net savvis.net = abuse[at]savvis.net

Using best contacts abuse[at]savvis.net

I am not saying that there is anything wrong with the headers but a traceable handoff using registered hosts would have made a big difference to me and even to SpamCop which considered the source of the message to be: sharebuilder.outbound.ed10.com ([64.14.81.245]) which was and is a valid source, but I could not see or trust any relationship between ed10.com and e-dialog.com

So that is my simple point of view. But now back to the actual facts related to this specific message which boiled down to the fact that I had forgotten that I had started to set up an account with sharebuilder over a year ago, but never finalized it and the fact that sharebuilder continued to list it as an active trading account for email purposes despite the fact that it had never been funded or used by me.

I did not like the fact that they (sharebuilder) claimed I had an account, displayed a partial account number, suggested that I could log into that account to update data and/or unsubscribe from the mailing list without providing any means for doing so, due to the fact that I was unaware that the account actually existed, with the thrust of the message being that I should open up an additional new IRA account. They were addressing me as an established customer when in fact I had never had a single financial transaction with them other than the creation of a never used account. Not what I would consider an established business relationship, but it is enough that the message should not have been reported as spam my me.

But that degresses from the point of your post here as the third party mailer of the message.

So I will end this lengthy, and hopefully understandable post, by adding my thanks one more time for the way you have personally handled the entire situation. You have gone far above and beyond anything that could have been reasonablely expected from a third party mailer.

PS the following is the copy of your most recent email to me received long before that last few post have been made to this topic

<snip>

>At this point, I would like to thank you for all the time and effort

>you put into resolving this matter and we should consider this issue

>closed, unless you need something else from me to close it on your

>end.

>

>I am sorry for wasting your time.

I would only consider that to be true if neither of us was unable come

to a satisfactory resolution. Thank you for being patient and

reasonable. If you have any other issues with our clients, feel free to

pick up the phone or send an email.

Even though in this case the client wasn't in error, your situation

does illustrate that the client should of reached out to you with an

email saying "Hey, where have you been?" before sending you an IRA

offer. We try very hard to get our clients to understand "relevance"

and this an excellent case study in that.

So, hardly a waste of time IMHO.

Link to comment
Share on other sites

What puzzled me in dbiel's excerpt was the single Received line followed by a bunch of DKIM stuff followed by another Received line containing the loopback address and a hostname (bm1-10.bo3.e-dialog.com) that returned NXDOMAIN.

...

So, I leapt to a conclusion based on the fact that I saw an unresolveable host name and an unrouteable IP on the same line.

I'm not a DNS setup expert, but I don't think it is unreasonable that internal hosts aren't externally resolvable. :)

Some may say we are 'leaking' private information. But having the internal host name in the headers helps with debugging.

I apologize for jumping to conclusions, but after the first 75,000 or so spams...

accepted and understandable.

Moderator Edit: excessive blank vertical whitespace removed.

Link to comment
Share on other sites

Ah, I see the disconnect now, thanks for the details. Our MTA has a feature that allows each client to have their own IP, yet the clients share the same box. In this case the box is bm1-10.bo3.e-dialog.com, but none of our clients email should end up using that IP as the source IP. To clarify, email is injected into bm1-10.bo3.e-dialog.com but leaves that box via an *.outbound.ed10.com IP. The 'hand-off' you are looking for happens internally in the MTA process. There may be an option to add a trace header to show that internal hand-off.

Link to comment
Share on other sites

I'm not a DNS setup expert, but I don't think it is unreasonable that internal hosts aren't externally resolvable. :)

You are of course correct. But, when we are shown a message and asked "hey, is this spam?" and we are already somewhat predisposed to concur, this sort of thing can be invoked as further evidence.

Actually, my ISP used to put 172/8 addresses at the TOP of the header, showing internal handoffs. This was very confusing until I figured out that it was best simply to stop tracing the spam after that point in time.

-- rick

Link to comment
Share on other sites

Ah, I see the disconnect now, thanks for the details. Our MTA has a feature that allows each client to have their own IP, yet the clients share the same box. In this case the box is bm1-10.bo3.e-dialog.com, but none of our clients email should end up using that IP as the source IP. To clarify, email is injected into bm1-10.bo3.e-dialog.com but leaves that box via an *.outbound.ed10.com IP. The 'hand-off' you are looking for happens internally in the MTA process. There may be an option to add a trace header to show that internal hand-off.
As an internal handoff, I see no problems; but It was difficult to see it as being an internal handoff due to the domain name change from bm1-10.bo3.e-dialog.com - to *.outbound.ed10.com which made it look to me as a bunch of forged junk; when in reality is was valid internal routing information.

One additional set of received from/by headers showing the internal hand off from e-dialog to ed10.com would have made things much clearer, or some reference in the message that it was sent from ed10.com as the third party mailer (just my point of view as an average consumer)

Thanks again for your feedback

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...