Clydesdale Posted December 22, 2013

Hello,

When cutting and pasting headers from the most recent versions of daily spam emails I've noticed that spamcop is mentioned in the headers of all of these emails. Why would the line "Received: from 127.0.0.1 (EHLO spamcop.net) (81.3.142.201) by mta1445.mail.ne1.yahoo.com with SMTP; Sat, 21 Dec 2013 23:33:04 +0000" be in the header? Why is the spamcop name in the header? The full header of my latest spam email with my email address munged is below. The bold font is mine.

From yadayadayada[at]nortom.com Sat Dec 21 15:33:04 2013
X-Apparently-To: blahblahblah[at]yahoo.com via 98.138.85.21; Sat, 21 Dec 2013 23:33:04 +0000
Return-Path: <yadayadayada[at]nortom.com>
X-YahooFilteredBulk: 81.3.142.201
Received-SPF: permerror (encountered permanent error during SPF processing of domain of nortom.com)
X-YMailISG: wd9iGmYWLDtSt_u0glv6ASZDbf04DgWGG7F_Gs.p8Vnnk0ar EOAP5e5GG8zq5G298QyI0ahKKipYR1T3ERzvGdQb8nKUIQJpszqR5zmA.Udp 2rkwZNk01xqO9H7PBb4aC3g3CvkF3uwAkzvmvSz4dRFIu4vfemgISIGiMCs_ x7INKH.6Jz1iNPECxTIwh6BHOi72Qn3v0u3oznd980EC2cgTvQl5AJnCYz57 keX5d3pNV1lG9ceKo8z3ZNdw4Qv6yu5bszKwfpA_FyX6x5IHXx9Hx2COgos2 LCD2WECMGItqu2GRhj.cWfhoys_n6seIdfC2oXUljch5tfBCFlDLcAkhM6UB 2wNU6za9RZ4ODOCYOMsHeEThvt6kb_Wq.3u53ItO9HQ7d.FdVn3dtlSo4rkR I1NBCaeVkz0SJUeG5ej.Ltuus390HTa.V0ztXnmnt21iVVcenpSf1HyzUvGk E.q2xlGrv0n0JPSHL3.DHAwcPJ_ZfdWaADsa93o3pGs4iLnUul_tRZXGf_sv dE7_OlBj4MVTYnK6_jOQJJgo4E6WxC33gCrhghbaW9v_7PAhL3TsBkwW_H94 ZOfgo1wQ5rzb2lozO6vI4.asldVGU3fRImIMq.JKkkrsjkAKbEoSAvb2txzw UPM1TnqrAmC8GjD3z_ogpSDoZZG41pO4lCHt8OQxrc8B2._j.5P7krCT_5iW mmPAZG0h.HV.KBXd6nFrpKYYTzYlO_vZOPMNwHWYt2OyHGE5FIBBkYLSBg92 8YRV3vz0IWY4mQio4hJLJF1eha31o9tdnh9RNvZU71GvAzYpAraa51jsKlIQ PAuaOg3bhCnSz4vLy7y8Ze.NkJQ3SrJ9KAjXxJuym9peWQapV_mECHyCxS_i BFHRPXzEM_T8gsUdfZRGZUlE_GpHYGJ5sjRDY6hGm6Kk16ekZZYdQKWMEvpB IC1dKYtWig2rf_kOjaYu.zJKEhEtAY.VZ9AQTtjSiPLjYqrS5Ks5CCDRZLwW 4_HLuPMVj1gVyQFS5X0xu_s2ZF3rweTPbqN4bTLC153O5JfU5VzcOjXC3zKg 5MwkpyKvr332NqUsh8mQVDa20lcMiCRjJM4Pnl0STdYgB06nfBi_jmkicLkm 6EJmFIRxDSN4HbSlQxVbL6yCISPjyh_EHixeKgtV35adRuB_a6h8_PThLgWa .snRsKL7Tmsywd2sY9xd2IvGwJXPdMQAkhAe7AIcEbm542JiqrXbs4r5nuyQ uEuNTKWgmrL_cmcGxhqwDD9NbkACOE.zJ7doDb7HxdIriXpRMYz0oPqlcQ_o 5HT.cdv9yKtMrLW08QyGla3tlKIJzgRS8mOpL0fRZXAfi52B7C3dYDa0Xg--
X-Originating-IP: [81.3.142.201]
Authentication-Results: mta1445.mail.ne1.yahoo.com from=nortom.com; domainkeys=neutral (no sig); from=nortom.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO spamcop.net) (81.3.142.201) by mta1445.mail.ne1.yahoo.com with SMTP; Sat, 21 Dec 2013 23:33:04 +0000
Received: by mail.hosting.com (Postfix, from uid 1) id 653DB664470; Sat, Dec 21 2013 23:32:41 +0000 (UTC)
To: blahblahblah[at]yahoo.com
From: yadayadayada[at]nortom.com
Subject: SilkRoad products by credit card
MIME-Version: 1.0
Message-Id: <1387668761.653DB664470[at]mail.hosting.com>
Content-Type: multipart/alternative; boundary="197365567D6-302315864"
Date: Sat, Dec 21 2013 23:32:41 +0000 (UTC)
Content-Length: 601

The email content contains three links with what seems like version decoding in the URL text, but not in the link. Below is the text only. The link doesn't have the www241 value in it. The wwwXXX number is different in each spam email.

Main: www241.approved-pharmacy-cop.net
Mirror: www241.atlantic-drugs.com
Affiliates your spam traffic accepted: www241.rxtitans.com

Would this be a joe-job? They arrive about five times per day and are pretty nonsensical - as if they are begging to have them reported to spamcop.

Thanks in advance.
Clydesdale Posted December 22, 2013

Just received another, similar, spam with spamcop in the header. The header is below. Bold text mine.

From YadaYadaYada[at]copitima.com Sat Dec 21 17:09:18 2013
X-Apparently-To: blahblahblah[at]yahoo.com via 98.138.85.24; Sat, 21 Dec 2013 17:09:18 -0800
Return-Path: <YadaYadaYada[at]copitima.com>
X-YahooFilteredBulk: 218.210.2.92
Received-SPF: softfail (transitioning domain of copitima.com does not designate 218.210.2.92 as permitted sender)
X-YMailISG: MRlFIiwWLDsK9gESvtAgxgPb9S_pBXmeWrNykLenQGbalAKK Mf3bhnZYPEm6ibtY6gm.ZyNOhGmohENj_xAS6QnbTMZG9DP4mqrWWgeLYh0P UKRlqp2zNPwjF0ZAw1S8DjXHSqqkJzcpr15QBP8rSWOcFwPKK3z0zpGcjKu0 rEbFJDduHQFGI8fKsTUJBmnale0tlfieBEbi1v8LWM5RjOvy1GKV.j9tyqnA gjzPCqnVM2aS979ar8WTd_kFQxQxcqVdmG84wH54q4xmOJBMRxaEXihD_feA WqKjOMYlS4Kp0UQ_lcfMZQuILYclIn6WMc87Hqt7HrUUOxFQExqj7hPXVaC8 VdGMymkE2JgT1t1Oyl8HYTW.ouKqPEcG8MelfStWOfaP6cK6AAyMQP9lkt.9 wUYLDUhBOzZ1KY1.7fOHQvIFixL9y3lRAycwR3srJXOXzqKbJg5av9xoD2Gb 3PCChhW2J2AXe8be8ZKQaUcMcGEB9OCYnQUdfjvpGrWsiLF8wluWmFlR27ql N4sZZ6AqOMDtdttpH2lJLJT1RRJpE7D2nMMAeGPfs_aB4VPIygs_JdyVNdCC vRke6HTQ7yWenPvZVTlI2NfpZsGdYD9y2TWLstY21ghp95hmdtjWhNBwMhcw fSveKcenw1hcmqCq8e8UEW3oa3HZJAI2o8r4KCFm81ZO314jYWavEqKT.kcf Jy.do_Kv8Pe8H3auo5d34.nNjD3qXaiyWZJ1UlxeOXHSWsCHqeztwE28bnou AQnbaiZvjTxBG512LLkUE.8cWzTeLOT6.9yGpwvfSFNLi_P7LlifVC5Wpkhl g.gDZi2nUhId9KtbWSpbCoHQyOEV5fULPWcIPpV3c05ckhnvyiaaCWzGIoNF lbGhyTGm9uxR3C53bEBDi32lBcPZTNgieZTleY._aq05SmE_mjA8NdkD0u_C T2WCEKhSx8a42Wc61TENRC4ksnziRtPK1bXKhBoZ8_z3idLZ59h95cEVNSr2 .2KoU8cwPWklT5.40aNXIpaQ1HGMHnMTWbVcN4BTq2Iqga6TLpNGjxK_TRBl hI35C9ptSClUA03NEK8wR1FYIDPfzwi3npa0QyU5Q282MNY7m5eMr8XmPS4z S6JOkfgoX3wOr34yv38nmHmNEvcHYtXJ3l5BSYs4N8n8esE6pmw80qqt7YUw lAlxDiFjTpS6xE259ljZrVl7sNplDdvgtXcfVHpd2b3ekWMVNJ.woF1EKpH8 oJ5JLwg72E0MEaZ5BAG6RUMd6fW6tSkiojsh3nI-
X-Originating-IP: [218.210.2.92]
Authentication-Results: mta1349.mail.gq1.yahoo.com from=copitima.com; domainkeys=neutral (no sig); from=copitima.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO spamcop.net) (218.210.2.92) by mta1349.mail.gq1.yahoo.com with SMTP; Sat, 21 Dec 2013 17:09:15 -0800
Received: by mail.hosting.com (Postfix, from uid 1) id 50A4A1989AE; Sun, Dec 22 2013 01:04:56 +0000 (UTC)
To: blahblahblah[at]yahoo.com
From: YadaYadaYada[at]copitima.com
Subject: Very cheat phentermine for you
MIME-Version: 1.0
Message-Id: <1387674296.50A4A1989AE[at]mail.hosting.com>
Content-Type: multipart/alternative; boundary="4B1F63CFBB4-176502668"
Date: Sun, Dec 22 2013 01:04:56 +0000 (UTC)
Content-Length: 654
petzl Posted December 22, 2013

> Hello, When cutting and pasting headers from the most recent versions of daily spam emails I've noticed that spamcop is mentioned in the headers of all of these emails. Why would the line "Received: from 127.0.0.1 (EHLO spamcop.net) (81.3.142.201) by mta1445.mail.ne1.yahoo.com with SMTP; Sat, 21 Dec 2013 23:33:04 +0000" be in the header? Why is the spamcop name in the header? The full header of my latest spam email with my email address munged is below. The bold font is mine.
>
> Would this be a joe-job? They arrive about five times per day and are pretty nonsensical - as if they are begging to have them reported to spamcop. Thanks in advance.

BOTNET attack host http://cbl.abuseat.org/lookup.cgi?ip=81.3.142.201
Pay to show SpamCop tracking URL makes it easier to work out

> Just received another, similar, spam with spamcop in the header. The header is below. Bold text mine.
>
> From YadaYadaYada[at]copitima.com Sat Dec 21 17:09:18 2013
> X-Apparently-To: blahblahblah[at]yahoo.com via 98.138.85.24; Sat, 21 Dec 2013 17:09:18 -0800
> Return-Path: <YadaYadaYada[at]copitima.com>
> X-YahooFilteredBulk: 218.210.2.92

Botnet attack host http://cbl.abuseat.org/lookup.cgi?ip=218.210.2.92
Abuse notification should go to abuse[at]sparqnet.net
These "providers" need to block Port 25 outbound to stop this type of spam
Clydesdale Posted December 22, 2013

> BOTNET attack host http://cbl.abuseat.org/lookup.cgi?ip=81.3.142.201
> Pay to show SpamCop tracking URL makes it easier to work out

petzl,

Thank you for the response. I'm not as up as I should be on these things. I understand your botnet attack explanation and the link showing it. I still don't understand why, or how, the word "spamcop" is in the spammer's spam email header. This seems to be recent and only in this set of spam emails that are arriving.
petzl Posted December 22, 2013

> petzl, Thank you for the response. I'm not as up as I should be on these things. I understand your botnet attack explanation and the link showing it. I still don't understand why, or how, the word "spamcop" is in the spammer's spam email header. This seems to be recent and only in this set of spam emails that are arriving.

Zombie computer controlled by a spammer. Simply changing the computer's name from "My Computer" to SpamCop will do this. Also, the "spamware" can put any name up.
Clydesdale Posted December 22, 2013

> Zombie computer controlled by a spammer. Simply changing the computer's name from "My Computer" to SpamCop will do this. Also, the "spamware" can put any name up.

Ahh... Now I get it. Thanks! Interesting that they make it spamcop. I guess they don't like spamcop much - a good thing.