Jump to content

spam spoofing my Yahoo Mail address


matt2000

Recommended Posts

Posted

In the past couple of months I've been getting spam to my Yahoo Mail account every 2-3 hours that is spoofing my own email address. The spam is also spoofing the email domains that appear as the source of the email in the complete email header. And the return address or domain is never the same twice.

I've changed my email password twice in the past month, once just yesterday when while logging on, Yahoo suggested I do so based on what they saw as potential threats to my account.

I'm reasonably sure it wasn't my account that was hacked, as several common friends have been having the same problem. Apparently one of our accounts was hacked, and email addresses harvested. Now my address, and addresses of friends are being used to spread thousands of spam messages every day.

I found this forum thread on the problem with the new Yahoo interface that doesn't allow forwarding email by attaching it anymore. But at the very bottom if the page is this link to information on how to hit CTRL-ALT-F to achived that now.

What I'd like to get some feedback from people here is, can SPAMCOP help actually track this kind of operation and put an end to it? Have people seen this kind of 'double-spoofing' both "To:' and "From" email addresses in spam before where the darned sender email domain changes in every single spam? Are people with Yahoo email accounts seeing SPAMCOP successfully process this new CTRL-ALT-F method of forwarding attached email, and get the problem successfully resolved?

Kind thanks

Matt

PS: These SPAMs are all for penis pills, strong erection, medstore online, and Pharmacy trusted by thousands.

EDIT: It was reported in this forum post that you can, "just use an IMAP email client such as Thunderbird, to access your Yahoo account: this is possible even for a free account." Can anyone confirm that? Everything I see says Yahoo Mail Plus is required for Thunderbird to work.

Posted

Hi Matt,

In the past couple of months I've been getting spam to my Yahoo Mail account every 2-3 hours that is spoofing my own email address. The spam is also spoofing the email domains that appear as the source of the email in the complete email header. And the return address or domain is never the same twice. ...

All standard operating procedure for a particular variety of spam.
...I've changed my email password twice in the past month, once just yesterday when while logging on, Yahoo suggested I do so based on what they saw as potential threats to my account.

I'm reasonably sure it wasn't my account that was hacked, as several common friends have been having the same problem. Apparently one of our accounts was hacked, and email addresses harvested. Now my address, and addresses of friends are being used to spread thousands of spam messages every day. ...

Yes, Yahoo seems to be doing it tough at the moment - I mentioned this in part of my reply in another topic -

http://forum.spamcop.net/forums/index.php?showtopic=13181

Some believe Facebook may be implicated, others think not, there are many theories - too much supposition, not enough facts so far.

...I found this forum thread on the problem with the new Yahoo interface that doesn't allow forwarding email by attaching it anymore. But at the very bottom if the page is this link to information on how to hit CTRL-ALT-F to achived that now.

What I'd like to get some feedback from people here is, can SPAMCOP help actually track this kind of operation and put an end to it? Have people seen this kind of 'double-spoofing' both "To:' and "From" email addresses in spam before where the darned sender email domain changes in every single spam? Are people with Yahoo email accounts seeing SPAMCOP successfully process this new CTRL-ALT-F method of forwarding attached email, and get the problem successfully resolved?...

The ""From:", "Reply-to:"/"Return-path:" addresses don't come into it - they are nearly always spoofed. If they're the same as the "To:" that's either coincidence (ramdom selection from the same list) or a feeble attempt to avoid filtering (some people like to whitelist their own address - even though there is absolutely no need to do so, most of the time). SpamCop actually goes to the server (IP address) that injected the spam into your network (at the "boundary"). If enough SC reporters are seeing spam from the same one it will get listed. If it hits a SC spam trap it will get listed. Regardless of whether or not it is listed, every time a reporter reports it, the abuse address responsible for that network gets a report (unless they have declined them) as a heads-up that there's a spammer loose there. SC's strength is that it gives early warning of a major spam outbreak through a particular server. Constantly changing "From:" and "Reply-to:" addresses just don't affect its functionality. It is less helpful when the servers keep getting shuffled around (snowshoeing or botnets) or where the network is owned by the spammers.

I have used the CTRL-ALT-F method to successfully send and parse a message (at the time it was first revealed here). I promptly cancelled the report because it wasn't a real spam (just a regular e-mail from an unsuspecting correspondent) but it all worked fine. I don't get spam on my Yahoo account (yet). My Hotmail account (just lately) goes some way towards redressing the apparent injustice of that.

...EDIT: It was reported in this forum post that you can, "just use an IMAP email client such as Thunderbird, to access your Yahoo account: this is possible even for a free account." Can anyone confirm that? Everything I see says Yahoo Mail Plus is required for Thunderbird to work.
I will have to leave that to the author or someone else who can confirm or deny it.
Posted
...I've changed my email password twice in the past month, once just yesterday when while logging on, Yahoo suggested I do so based on what they saw as potential threats to my account.
That CAN happen through other parties innocently trying to log in on your account name by mistake. Say you are CoolDude[at] ... Yahoo/Live whatever. Someone who used to be CoolDude[at] another service decides to open an account with Yahoo/Live whatever and use the same name only he can't because the name is in use. So he becomes Cool_Dude[at] ... Yahoo/Live or CoolDude999[at] .... You can be sure he will fairly frequently mistype, omitting the underscore or the 999. Too many failed logins like that on your account and Yahoo/Live whatever will be warning you about potential threats to your account. Naturally you can't trust that might be case (have to assume a hacker has been sniffing as a matter of prudence) but the moral of the story is that "popular" account names aren't necessarily as cool as they might seem.

... It was reported in this forum post that you can, "just use an IMAP email client such as Thunderbird, to access your Yahoo account: this is possible even for a free account." Can anyone confirm that? Everything I see says Yahoo Mail Plus is required for Thunderbird to work.

Can anyone answer this?

Posted

EDIT: It was reported in this forum post that you can, "just use an IMAP email client such as Thunderbird, to access your Yahoo account: this is possible even for a free account." Can anyone confirm that? Everything I see says Yahoo Mail Plus is required for Thunderbird to work.

The server is imap.mail.yahoo.com. Here is the link for the setup: http://www.google.com/url?sa=t&rct=j&a...aWM&cad=rja

Posted

Thanks for all your feedback Farelf.

I just found this information here on the main SpamCop site:

Mailhost configuration

SpamCop is undergoing a major renovation to the underlying logic which it uses to determine spam sources. Soon, all SpamCop users will be required to use this new system, completing additional setup steps. Some "unique" users may not be able to report all the spam they have in the past.

Why?
This is being done because of ongoing problems - spammers have finally begun doing what we have known they could do all along - create really convincing mail header forgeries. These forgeries make SpamCop think spam is being sent from innocent sites where it is actually not. Clearly, this must be stopped. Currently, only a few spam forgeries cause serious problems for SpamCop, but if this problem is not solved, it will become much worse. Even now, a few mis-identified innocent sites are a big problem. This system promises to eliminate the forgery problem forever, while also avoiding problems caused by other less-drastic attempts to mitigate the forgeries. However, it does require more involvement from SpamCop users.

I'm wondering if this is the type of spam I've been receiving. I've submitted 24 spams in the past couple of days, and I don't understand these things enough to figure it from reading the reports. I've had Yahoo Mail for 12 years and have never seen anything like this. I'm wondering if I ought to opt in to the new system.

The server is imap.mail.yahoo.com. Here is the link for the setup: http://www.google.com/url?sa=t&rct=j&a...aWM&cad=rja

Thanks for that gnarlymarley.

EDIT: Looking over reports for 5-6 of my submissions, there's nothing similar between them at all. IP addresses are all over the map.

Posted

For full context, see above.

... I've had Yahoo Mail for 12 years and have never seen anything like this. I'm wondering if I ought to opt in to the new system.

Thanks for that gnarlymarley.

EDIT: Looking over reports for 5-6 of my submissions, there's nothing similar between them at all. IP addresses are all over the map.

Certainly you should set up your mailhosting - it is quite mature now and certainly recommended for all reporting accounts. It will probably not make any difference to what you are presently seeing. Mailhosting is designed to cut the ground from underneath CLEVER forgers - the ones you are describing are a long, long way from clever, trust me.

One of the things mailhosting does is cut out any laborious analysis of the (supposed) full delivery chain, instead (once it has all the detail by way of the hosting setup) laying blame with whoever sent or relayed spam to the border of "your" network. Once you commence setting up mailhosting you can report nothing until it is complete to avoid misreporting (the process usually doesn't take long - the key part being receiving and responding to SC "probe" messages IIRC - and SC works out much of the detail for you from the hosting of other folks' reporting accounts in the same network).

If you want some opinions on the nature of your spam before going any further, you could always extract the Tacking URL from one of your recent parses and post it here. Not really necessary, I should think. I reckon you've described what you're seeing quite well but one cannot be absolutely sure without seeing the full detail, including the comments/notes the parser inserts. As said, so far it seems all straight-forward and familiar, alarming the first time you see it but after a thousand times ... not so much.

Posted
For full context, see above. Certainly you should set up your mailhosting - it is quite mature now and certainly recommended for all reporting accounts.

I'm a bit confused about just what the service is. At 1st I thought it was the service where SC provides an email account on its server for you. But reading over the link I posted above, it seems to be something that enhances what I'm already doing. But I'm not clear on just what it adds, or how it's different.

At this point I'm forwarding attachments of spam to my Yahoo account to SC. Then I get email from SC with a link to complete the process of reporting the spam. SC mailhosting doesn't host an email account for me I don't think. It seems to be something where I register my Yahoo mailhost with SC, and somehow that enhances SC's ability to inspect and report the spam. Is that right? How would that work?

If you want some opinions on the nature of your spam before going any further, you could always extract the Tacking URL from one of your recent parses and post it here.

I'd do that except since the spam is spoofing my own address which is my full name, it's revealed in the report. I'd rather not pass that around. I could edit it out of a report though and paste it here.

Posted
I'm a bit confused about just what the service is. At 1st I thought it was the service where SC provides an email account on its server for you. But reading over the link I posted above, it seems to be something that enhances what I'm already doing. But I'm not clear on just what it adds, or how it's different.
...That's all explained in Steve's (Farelf) immediately preceding reply 84276[/snapback] in his second paragraph after his quote of you. As you have divined, it enhances the SpamCop parser's ability to distinguish internet header lines added by a server of your e-mail provider and those sent to it from outside. The primary benefit is that it reduces the opportunity for the parser to mistakenly identify one of your own e-mail service provider's servers as the source of spam and then sending the complaint to your e-mail provider.
It seems to be something where I register my Yahoo mailhost with SC, and somehow that enhances SC's ability to inspect and report the spam. Is that right? How would that work?
...Correct. Basically, it allows SC to store your e-mail provider's identity so that it trusts e-mail internet header lines placed there by your provider's servers.
I'd do that except since the spam is spoofing my own address which is my full name, it's revealed in the report. I'd rather not pass that around. I could edit it out of a report though and paste it here.
...IMHO, it would be much better to do that editing in the content you submit to the parser itself rather than cutting and pasting to provide here. That way, your e-mail address doesn't go out to what might be a spammer who controls the "abuse" address to which SpamCop sends the reports! Also, it allows us to see what was seen by the parser without any loss of fidelity, such as due to loss of indentation that might occur if you pasted into a reply in the Forum.
Posted
IMHO, it would be much better to do that editing in the content you submit to the parser itself rather than cutting and pasting to provide here.

I read where that can be considered.... had to look up the term 'munging' that causes problems when SC parses the attachment. Maybe some specific degree of altering the email header is considered munging. But anyway, it doesn't seem there's any way to edit the attached email header when I forward it from Yahoo Mail.

I did get Thunderbird set up to access my Yahoo Mail account. But so far SC isn't showing a detailed parsing of the header when I use Tbird to submit the spam from the link in the email SC replies with. This is all SC presents me in its report from the one submission I made from Tbird:

===========================================================

SpamCop v 4.7.0.111 © 1992-2013 Cisco Systems, Inc. All rights reserved.

Here is your TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/(should I hide the remainder of this?)

Please make sure this email IS spam:

From: <MyEmailAddress[at]Yahoo.com SC didn't remove> (Pharmacy online)

Best online pharmacy 24/7...Fast delivery!Perfect quality!

http://doctormilk.com.ua

View full message

Report spam to:

Re: 190.94.211.98 (Administrator of network where email originates)

[✓] To: jcrespo[at]ifxnw.com.ve (Notes)

Re: http://doctormilk.com.ua/ (Administrator of network hosting website referenced in spam)

[✓] To: guwei[at]51iker.com (Notes)

[✓] To: daiqingguo[at]51iker.com (Notes)

===========================================================

Here's what I get clicking on the "View F\full message" link"

===========================================================

CLICK 'BACK' BUTTON TO RETURN TO SPAMCOP

################################################################################

X-Apparently-To: (I'm deleting my address) via 98.137.13.238; Wed, 13 Mar 2013 19:52:24 -0700

Return-Path: <fobbingl6[at]buxrud.se>

X-YahooFilteredBulk: 190.94.211.98

Received-SPF: fail (domain of buxrud.se does not designate 190.94.211.98 as permitted sender)

X-YMailISG: lgvJuBEWLDuf9RkLLK4MC8.QcnxrfJo1NXuvBHFEnOmUBjKi

uYg3Jz6q5XFILn6h.LbiWS52oPskcN5TNYrczvmfD6sicakuhRXAolp4DXff

Tu.JsvIZkalOmneeXU6hNkAs1ZdjkYJ7vF8CgUaLIUyzRGKXxzQwSvhWvnlH

tK5sVAwEe.tBTMI.Gejj6tyfKrB1PVd5.kUihHtDIiNfKS3SnPbmdpHqOpz_

Zk49YImCQh0td9I26.hY3cXN7Rtt_KUmHWv7SSJ_yEb9NZnKhE6NV5jSSMYB

sMJoDfjHe1gbCK8cfDyNNOUUP5RQeeTte2hB6MEHiY__Ip0rjirkzqA_zju.

Jhqa9eN73Db7O3wiocRPlrC1A8R0EPaUbtD1OeHExiKZXrZ7ZPlDrxzttjFX

_P4bxMT5Uumt9DkhvG5OVAHpilBxUYh4xayQJEuHhXhgFUuVS4UP0NR7MsbA

YcEw89S7HwEvT0D1udjmcrJQpVV32m7ZaNxvXMMQA.xKoeRE6NXDcsBGF7Ln

5CiZAXvqBN.YPbs3fu2Pc.fihrpEv3VbynCJOEO9BwFATj1hLIZZPhn.Ybib

BVwC1KM4MalxufB5ckA2q9ZGOF.7HrnRKWsX3izrr4cMXKthdVuumRFZiXFz

ESLeVeh6BEaDtRyLN2H9s6zdHYCE9F8WSakrOgqK2OGji6O6.WW61Cr95Pkj

zX081MIdWIRhq6FaTgctmz.1ebEGCth2Bno9mh_EMcJHn5lAhW0CLk4zyE5Y

aGsuuqn_Pue0J2S3hXakUinYPytSpwKYVSnhvQLGVpv5UDW3y80urLz.aY0k

85BELsxnYqAecUs6hngTqo1OMXwacgQRtgzjsJibX38wZDtG.eNeNHc0zuXO

H4E9H1zbrb2CeYiXC.KquLOrdGtHVeebAAr_vLCREjD0g8TQubIScit4WC4r

mxjJXzU6DrjB_qiawaGmw90DX0nut2LdMBg9Bd9Kf7kgmX_WNTGfknU10DMp

_kaHhZkl_7SMsTOMVA1Ktslsa.6KMqHYZKigHuioGfqyb__wh59hDkQ5nipW

spO5Sp9JSRABHMvYCUzXrWuMo_iks96aMnb7ofDzTrdMbqljUYvV7EawNg0e

PavmtSHOrOHtAFQ293oZIQ--

X-Originating-IP: [190.94.211.98]

Authentication-Results: mta1190.mail.gq1.yahoo.com from=yahoo.com; domainkeys=neutral (no sig); from=yahoo.com; dkim=neutral (no sig)

Received: from 127.0.0.1 (EHLO 190.94.211.98) (190.94.211.98)

by mta1190.mail.gq1.yahoo.com with SMTP; Wed, 13 Mar 2013 19:52:24 -0700

Received: from 190.94.211.98(helo=yahoo.com)

by yahoo.com with esmtpa (Exim 4.69)

(envelope-from )

id 1MMN18-0985mq-HJ

for <(I'm deleting my address) >; Wed, 13 Mar 2013 22:22:22 -0430

From: <(I'm deleting my address) >

To: <(I'm deleting my address) >

Subject: Pharmacy online

Date: Wed, 13 Mar 2013 22:22:22 -0430

MIME-Version: 1.0

Content-Type: text/plain;

charset="windows-1250"

Content-Transfer-Encoding: 7bit

X-Mailer: immylw 54

Message-ID: <1434497436.3Z6LMJ18006594[at]sbbljdqqc.fxkpbdv.ua>

Best online pharmacy 24/7...Fast delivery!Perfect quality!

http://doctormilk.com.ua

===========================================================

This is the SC report of the same spam submission when I send it from Yahoo Mail:

===========================================================

SpamCop v 4.7.0.111 © 1992-2013 Cisco Systems, Inc. All rights reserved.

Here is your TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/(Should I delete the remainder of this?)

Skip to Reports

X-Apparently-To: x via 98.137.13.238; Wed, 13 Mar 2013 19:52:24 -0700

X-YahooFilteredBulk: 190.94.211.98

Received-SPF: fail (domain of buxrud.se does not designate 190.94.211.98 as permitted sender)

X-YMailISG: lgvJuBEWLDuf9RkLLK4MC8.QcnxrfJo1NXuvBHFEnOmUBjKi

uYg3Jz6q5XFILn6h.LbiWS52oPskcN5TNYrczvmfD6sicakuhRXAolp4DXff

Tu.JsvIZkalOmneeXU6hNkAs1ZdjkYJ7vF8CgUaLIUyzRGKXxzQwSvhWvnlH

tK5sVAwEe.tBTMI.Gejj6tyfKrB1PVd5.kUihHtDIiNfKS3SnPbmdpHqOpz_

Zk49YImCQh0td9I26.hY3cXN7Rtt_KUmHWv7SSJ_yEb9NZnKhE6NV5jSSMYB

sMJoDfjHe1gbCK8cfDyNNOUUP5RQeeTte2hB6MEHiY__Ip0rjirkzqA_zju.

Jhqa9eN73Db7O3wiocRPlrC1A8R0EPaUbtD1OeHExiKZXrZ7ZPlDrxzttjFX

_P4bxMT5Uumt9DkhvG5OVAHpilBxUYh4xayQJEuHhXhgFUuVS4UP0NR7MsbA

YcEw89S7HwEvT0D1udjmcrJQpVV32m7ZaNxvXMMQA.xKoeRE6NXDcsBGF7Ln

5CiZAXvqBN.YPbs3fu2Pc.fihrpEv3VbynCJOEO9BwFATj1hLIZZPhn.Ybib

BVwC1KM4MalxufB5ckA2q9ZGOF.7HrnRKWsX3izrr4cMXKthdVuumRFZiXFz

ESLeVeh6BEaDtRyLN2H9s6zdHYCE9F8WSakrOgqK2OGji6O6.WW61Cr95Pkj

zX081MIdWIRhq6FaTgctmz.1ebEGCth2Bno9mh_EMcJHn5lAhW0CLk4zyE5Y

aGsuuqn_Pue0J2S3hXakUinYPytSpwKYVSnhvQLGVpv5UDW3y80urLz.aY0k

85BELsxnYqAecUs6hngTqo1OMXwacgQRtgzjsJibX38wZDtG.eNeNHc0zuXO

H4E9H1zbrb2CeYiXC.KquLOrdGtHVeebAAr_vLCREjD0g8TQubIScit4WC4r

mxjJXzU6DrjB_qiawaGmw90DX0nut2LdMBg9Bd9Kf7kgmX_WNTGfknU10DMp

_kaHhZkl_7SMsTOMVA1Ktslsa.6KMqHYZKigHuioGfqyb__wh59hDkQ5nipW

spO5Sp9JSRABHMvYCUzXrWuMo_iks96aMnb7ofDzTrdMbqljUYvV7EawNg0e

PavmtSHOrOHtAFQ293oZIQ--

X-Originating-IP: [190.94.211.98]

Authentication-Results: mta1190.mail.gq1.yahoo.com from=yahoo.com; domainkeys=neutral (no sig); from=yahoo.com; dkim=neutral (no sig)

Received: from 127.0.0.1 (EHLO 190.94.211.98) (190.94.211.98)

by mta1190.mail.gq1.yahoo.com with SMTP; Wed, 13 Mar 2013 19:52:24 -0700

Received: from 190.94.211.98(helo=yahoo.com)

by yahoo.com with esmtpa (Exim 4.69)

(envelope-from )

id 1MMN18-0985mq-HJ

for <x>; Wed, 13 Mar 2013 22:22:22 -0430

From: <I'M DELETING THIS, NOT SC>

To: <x>

Subject: Pharmacy online

Date: Wed, 13 Mar 2013 22:22:22 -0430

MIME-Version: 1.0

Content-Type: text/plain;

charset="windows-1250"

Content-Transfer-Encoding: 7bit

X-Mailer: immylw 54

View entire message

Parsing header:

Received: from 127.0.0.1 (EHLO 190.94.211.98) (190.94.211.98) by mta1190.mail.gq1.yahoo.com with SMTP; Wed, 13 Mar 2013 19:52:24 -0700

Bogus IP in HELO removed:

Received: from 127.0.0.1 (EHLO [x.x.x.x]) (190.94.211.98) by mta1190.mail.gq1.yahoo.com with SMTP; Wed, 13 Mar 2013 19:52:24 -0700

host 190.94.211.98 (getting name) no name

Possible spammer: 190.94.211.98

Received line accepted

Received: from 190.94.211.98(helo=yahoo.com) by yahoo.com with esmtpa (Exim 4.69) (envelope-from ) id 1MMN18-0985mq-HJ for <x>; Wed, 13 Mar 2013 22:22:22 -0430

Ignored

190.94.211.98 not listed in dnsbl.njabl.org ( 127.0.0.9 )

190.94.211.98 listed in cbl.abuseat.org ( 1 )

Open proxies untrusted as relays

Tracking message source: 190.94.211.98:

Routing details for 190.94.211.98

[refresh/show] Cached whois for 190.94.211.98 : jcrespo[at]ifxnw.com.ve

Using last resort contacts jcrespo[at]ifxnw.com.ve

Yum, this spam is fresh!

Message is 0 hours old

190.94.211.98 not listed in dnsbl.njabl.org ( 127.0.0.8 )

190.94.211.98 not listed in dnsbl.njabl.org ( 127.0.0.9 )

190.94.211.98 listed in cbl.abuseat.org ( 1 )

190.94.211.98 is an open proxy

190.94.211.98 not listed in accredit.habeas.com

190.94.211.98 not listed in plus.bondedsender.org

190.94.211.98 not listed in iadb.isipp.com

Finding links in message body

Parsing text part

Resolving link obfuscation

http://doctormilk.com.ua

Tracking link: http://doctormilk.com.ua/

[report history]

Host doctormilk.com.ua (checking ip) = 122.49.31.49

Resolves to 122.49.31.49

Routing details for 122.49.31.49

[refresh/show] Cached whois for 122.49.31.49 : guwei[at]51iker.com daiqingguo[at]51iker.com

Using last resort contacts guwei[at]51iker.com daiqingguo[at]51iker.com

Please make sure this email IS spam:

From: <I'M DELETING THIS, NOT SC> (Pharmacy online)

Best online pharmacy 24/7...Fast delivery!Perfect quality!

http://doctormilk.com.ua

View full message

Report spam to:

Re: 190.94.211.98 (Administrator of network where email originates)

[✓] To: jcrespo[at]ifxnw.com.ve (Notes)

Re: http://doctormilk.com.ua/ (Administrator of network hosting website referenced in spam)

[✓] To: guwei[at]51iker.com (Notes)

[✓] To: daiqingguo[at]51iker.com (Notes)

Additional notes (optional - max 2000 characters):

===========================================================

Phew... that was labor intensive. Maybe not a technique to employ very often. Get back to me on how much modifying of the attachment I send with Thunderbird is okay if I can get that working like submissions from Yahoo Mail.

BTW: I haven't submitted that one yet.

Thx

Posted
<snip>

But anyway, it doesn't seem there's any way to edit the attached email header when I forward it from Yahoo Mail.

<snip>

...Quite true; in a case like that, you'll need to use the online submission capability.
Here is your TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/(should I hide the remainder of this?)

<snip>

...No, that's the part we need! :) <g> In fact, it's all we need, we would be able to see the rest ourselves from just that and with indentation intact -- web forums don't retain that critical feature. And, as long as you submit or cancel the parse, there's no danger and no risk of a scraper finding your e-mail address posted here. I see you munged when posting here, though -- that was a good idea! :) <g>
Phew... that was labor intensive.<snip>
...That's why giving us just the Tracking URL is better -- no work for you except for posting the tracking URL here!
Posted

I'm still on the steep slope of the learning curve here.

I'm sorry I didn't point out that recreating those 2 reports above was not to have you folks analyze them. What I'd intended by recreating the reports for those two submissions of the exact same spam was to point out that the report SC returned for the one submitted by Thunderbird via my Yahoo account was very short, and the one submitted directly from Yahoo was long and detailed. The report for the Thunderbird submission didn't include the header, or any analysis of what SC had parsed the way SC reported the submission directly from Yahoo. And it seems using Thunderbird to submit spam from a Yahoo Mail account is something new here, and any potential problems with the process may not have been fully addressed yet.

Now I have another issue. When I go back to old emails SC has sent for me to confirm submissions (ones I've already processed), and click the link again to view what I saw when I originally confirmed a submission, I only get a very short report similar to the 1st I recreated above. But that wasn't the case when I followed the same link a few times within a few minutes of originally confirming the submission. When I followed the links within a few minutes, SC would present me with the same long detailed explanation of what it had parsed the 1st time through.

Is there a time limit on how long after you confirm a submission that you will be able to read the full report? Are those truncated reports the same that you folks would see? I'd guess so from following the tracking URLs myself. Do I need to copy, paste and the original reports to be able to save all the original analysis?

...Quite true; in a case like that, you'll need to use the online submission capability..

Well I actually tried that on a spam that had just arrived. But again SC didn't present me with a detailed analysis of what it parsed. I created a forwarded Yahoo email and sent it to myself. I downloaded the attachment, opened it in Notepad++. Then I replaced the one of many my email addresses, the one SC's previous reports had not Xed. That's the one in the From: field of the header. But after I submitted it, again, I got a very short report (similar to the 1st I recreated above), and when I clicked on the 'View full message' link, SC had NOT Xed the other positions of my email address in the header like it has been doing for the many submissions I've made directly from Yahoo.

[sigh] I just got fresh spam as I was completing this. So I processed it directly from Yahoo as I've done successfully for some 30+ submissions. This hoping to have SC return that detailed report I've seen for 99% of the others. But now I'm only getting the brief report using the same method that returned the detailed report.

Over to you folks.

Thx

Posted
And, as long as you submit or cancel the parse, there's no danger and no risk of a scraper finding your e-mail address posted here.

"submit or cancel" ... what other options are there? Thing is, as I pointed out above, SC isn't processing my headers the same way when I paste them into the webform as it does when I submit them via email. The 2 reports are different. Via email, SC Xs my email address at every position in the header but the one in the From: field. If I paste the header obtained as I described above into the webform and process it, SC's report shows my email address and doesn't delete my email address at ANY of the 5 positions where it appears in the header. But either way my email address is revealed in SC's report.

Can I remove all 5 instances of my address in the header, submit that into the webform for processing, and have SC accept it? I really appreciate the service SC is providing, but I'd really rather not have my email address spread all over these forums.

Posted

The parser will not mind if you remove (munge) your address in every instance. Some abuse desks will not accept munged reports - you will be warned when you go to submit in any such instance (that is, when they have signified their requirement and when you have your report preferences set to munge). Touching the headers is taboo generally but anonomyzing your own email address when the parser doesn't is permitted.

You don't have to post a tracking URL and yes, it is known that SC/the parser does not munge the headers for you if it is your address is shown as "From:" or "Reply-to:"/"Return-path:". Since you mentioned the learning curve - the details under the official FAQ http://www.spamcop.net/fom-serve/cache/285.html are, in some cases, "expanded" or updated in the SCWiki and FAQ Under Construction in this forum - also in discussions contained in various topics. Never mind, just continue to ask about anything with which you have difficulty.

Leaving that aside, to get your full technical details in parses, log in to your member page at http://members.spamcop.net/ (in "Report spam" tab by default) and ensure the "Show technical details" box is ticked (under the paste-in submission box(es) - incidentally you should be using the default single box, not the outlook/eudora workaround form) THEN go to your "Preferences" tab, "Report Handling Options" link, and select the "Show technical data" radio button in the "Show Technical Details during reporting" item. You should get the same parse for the same spam regardless of whether submitted by emailed attachment (through the Yahoo account or via Thunderbird) or pasted in to the submission box in the webform.

I think you should (again) be able to review full details in your past reports once you have done the above. No idea why it toggled on you but others, in the past, have said such has happened to them.

"Preview Reports" is the third option after parsing (with "Send Ð…pam Report(s) Now" and "Cancel").

Posted
The parser will not mind if you remove (munge) your address in every instance.
...And, more to the point, neither will SpamCop staff, who are in a position to invoke sanctions against abusers of the rules prohibiting disallowed munging -- see SpamCop FAQ (links to which appear near the top left of each SpamCop Forum page) links labeled "-----> Material changes to spam," "-------> Material changes to spam - Updated!" and "-----> What if I break the rule(s)?"
<snip>

You don't have to post a tracking URL

...But it's far better than the alternative of copying and pasting all the headers and/ or spam content and/ or parse results here if you want us to know what those contain! :) <g>
<snip>

"Preview Reports" is the third option after parsing (with "Send Ð…pam Report(s) Now" and "Cancel").

...Thanks, Steve. Actually, the option of which I was thinking was to do nothing at all, just leave the results in an unprocessed state that someone else could go in and "Send" for you when you don't want the reports to be sent!
<snip>

Well I actually tried that on a spam that had just arrived. But again SC didn't present me with a detailed analysis of what it parsed.

<snip>

...Whoops, sorry, I sent you off on a wild goose chase with my suggestion. It was simply intended to lead you to the idea of using it as a means to submit a fully munged copy of the spam internet headers to the parser.
<snip>

Can I remove all 5 instances of my address in the header, submit that into the webform for processing, and have SC accept it? I really appreciate the service SC is providing, but I'd really rather not have my email address spread all over these forums.

...There ya go! Sorry I didn't make that clearer in my last reply. :blush: <blush>
  • 3 months later...
Posted

That stuff has never left gmail matt - reporting must be handled within the gmail spam system (others may be able to advise with knowledge of that system). The "giveaway" that is that all IP addresses are within 10.0.0.0/8 (0.0.0.0 - 10.255.255.255) defined as "Used for local communications within a private network" as specified by RFC 1918.

"By definitition" those addresses cannot be resolved to any unique server from the outside - Google however should/may track down a specific sender (spammer) from the full headers, if put on the case quickly enough. Incidentally a SC parse (non-mailhosted) of that spam would look like

http://www.spamcop.net/sc?id=z5524720838zb...f91dc775255d04z

- "private network" IPs ignored, there is no alternative, and nothing ventured outside that private network (gmail).

...So here's the question: Is this an example of IP spoofing that's spoofing a non-existing IP address? Are there a lot of examples like this where there's no detectable originating IP address for email? Is it possible that one of the emails links took him to a URL that ran a virus executable? For instance:

All the links are to www.baba-mail.com, so I don't know if someone there has been able to comprise their system....

As above, simple case that the message never left the internal network, hence "unresolvable" IP addresses.

baba-mail.com runs on Microsoft-IIS/6.0 which, supposedly more secure than the former hacker paradise versions, no doubt still receives more than its fair share of attention via unpatched or outstanding vulnerabilities. It is entirely likely that pages on the site were hacked and exploits placed. Being Israeli it is probably frequently attacked. But I have absolutely no evidence.

Posted

That stuff has never left gmail matt - reporting must be handled within the gmail spam system (others may be able to advise with knowledge of that system). The "giveaway" that is that all IP addresses are within 10.0.0.0/8 (0.0.0.0 - 10.255.255.255) defined as "Used for local communications within a private network" as specified by RFC 1918.

Okay... that makes sense now that you explain it. Seems there's always a good explanation behind most of what looks like magic. I've been scratching my head about this since I 1st started trying to make sense out of the email's header.

baba-mail.com runs on Microsoft-IIS/6.0 which, supposedly more secure than the former hacker paradise versions, no doubt still receives more than its fair share of attention via unpatched or outstanding vulnerabilities. It is entirely likely that pages on the site were hacked and exploits placed. Being Israeli it is probably frequently attacked. But I have absolutely no evidence.

Microsoft software huh? Well, Microsoft sure has had a long legacy of being a favorite target for hacking, being as widely used it's been.

Thanks for explaining this Farelf. It makes the whole deal seem a lot less threatening and more commonplace... again (re-reading above) :)

Posted
...I should probably start a new thread for this, or maybe it's fully not on topic here. But my neighbor clicked a link in a Gmail email today, and his whole system locked up from this "Remove FBI - System Failure - virus (REloadit Scam)" scam. I was able to boot Win7 into Safe Mode with Command Prompt, and set his last restore point to solve the problem. Malwarebytes is now running to remove and traces of the virus that may still exist. ...
Yes, off-topic here but my latest post in an appropriate topic - http://forum.spamcop.net/forums/index.php?...amp;#entry85006 - maybe Sandboxie would be equally useful to keep inveterate link chasers somewhat safer (configure for all browser and e-mail sessions with auto delete of the sandbox on exit, configuration options are available to save anything safe that is downloaded before closing a session) or for the more technically inclined (though not necessarily highly knowledgeable) looking for/at malware attack vectors or even legitimate programs, drivers, etc. that might cause system problems, maybe checking that firewalls are catching outgoing ...

By the way, that bad site seems clear now - but don't tell your neighbour :D Seriously, it could still be feral but attacking only certain vulnerable systems, I'm not up to probing it in depth.

Posted

I looked at sandboxing quite a while back, but never really had a reason to set something like that up. With Inet threats seeming to loom larger and larger as the years go by, it may be a wise to set up at some point. I survived 8-10 years though without antivirus or firewalls pretty well just being able to look carefully before I jump into anything. If you don't see the "Warning - Too Hot To Handle" indications, you're going to get burnt. My friend's computer awareness is pretty much limited to sending/receiving email, and printing documents. And there are always plenty of folks out there like that to get suckered into these kinds of traps.

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...