Clydesdale Posted December 22, 2013 Share Posted December 22, 2013 Hello, When cutting and pasting headers from the most recent versions of daily spam emails I've noticed that spamcop is mentioned in the headers of all of these emails. Why would the line "Received: from 127.0.0.1 (EHLO spamcop.net) (22.214.171.124) by mta1445.mail.ne1.yahoo.com with SMTP; Sat, 21 Dec 2013 23:33:04 +0000" be in the header? Why is the spamcop name in the header? The full header of my latest spam email with my email address munged is below. The bold font is mine. From yadayadayada[at]nortom.com Sat Dec 21 15:33:04 2013 X-Apparently-To: blahblahblah[at]yahoo.com via 126.96.36.199; Sat, 21 Dec 2013 23:33:04 +0000 Return-Path: <yadayadayada[at]nortom.com> X-YahooFilteredBulk: 188.8.131.52 Received-SPF: permerror (encountered permanent error during SPF processing of domain of nortom.com) X-YMailISG: wd9iGmYWLDtSt_u0glv6ASZDbf04DgWGG7F_Gs.p8Vnnk0ar EOAP5e5GG8zq5G298QyI0ahKKipYR1T3ERzvGdQb8nKUIQJpszqR5zmA.Udp 2rkwZNk01xqO9H7PBb4aC3g3CvkF3uwAkzvmvSz4dRFIu4vfemgISIGiMCs_ x7INKH.6Jz1iNPECxTIwh6BHOi72Qn3v0u3oznd980EC2cgTvQl5AJnCYz57 keX5d3pNV1lG9ceKo8z3ZNdw4Qv6yu5bszKwfpA_FyX6x5IHXx9Hx2COgos2 LCD2WECMGItqu2GRhj.cWfhoys_n6seIdfC2oXUljch5tfBCFlDLcAkhM6UB 2wNU6za9RZ4ODOCYOMsHeEThvt6kb_Wq.3u53ItO9HQ7d.FdVn3dtlSo4rkR I1NBCaeVkz0SJUeG5ej.Ltuus390HTa.V0ztXnmnt21iVVcenpSf1HyzUvGk E.q2xlGrv0n0JPSHL3.DHAwcPJ_ZfdWaADsa93o3pGs4iLnUul_tRZXGf_sv dE7_OlBj4MVTYnK6_jOQJJgo4E6WxC33gCrhghbaW9v_7PAhL3TsBkwW_H94 ZOfgo1wQ5rzb2lozO6vI4.asldVGU3fRImIMq.JKkkrsjkAKbEoSAvb2txzw UPM1TnqrAmC8GjD3z_ogpSDoZZG41pO4lCHt8OQxrc8B2._j.5P7krCT_5iW mmPAZG0h.HV.KBXd6nFrpKYYTzYlO_vZOPMNwHWYt2OyHGE5FIBBkYLSBg92 8YRV3vz0IWY4mQio4hJLJF1eha31o9tdnh9RNvZU71GvAzYpAraa51jsKlIQ PAuaOg3bhCnSz4vLy7y8Ze.NkJQ3SrJ9KAjXxJuym9peWQapV_mECHyCxS_i BFHRPXzEM_T8gsUdfZRGZUlE_GpHYGJ5sjRDY6hGm6Kk16ekZZYdQKWMEvpB IC1dKYtWig2rf_kOjaYu.zJKEhEtAY.VZ9AQTtjSiPLjYqrS5Ks5CCDRZLwW 4_HLuPMVj1gVyQFS5X0xu_s2ZF3rweTPbqN4bTLC153O5JfU5VzcOjXC3zKg 5MwkpyKvr332NqUsh8mQVDa20lcMiCRjJM4Pnl0STdYgB06nfBi_jmkicLkm 6EJmFIRxDSN4HbSlQxVbL6yCISPjyh_EHixeKgtV35adRuB_a6h8_PThLgWa .snRsKL7Tmsywd2sY9xd2IvGwJXPdMQAkhAe7AIcEbm542JiqrXbs4r5nuyQ uEuNTKWgmrL_cmcGxhqwDD9NbkACOE.zJ7doDb7HxdIriXpRMYz0oPqlcQ_o 5HT.cdv9yKtMrLW08QyGla3tlKIJzgRS8mOpL0fRZXAfi52B7C3dYDa0Xg-- X-Originating-IP: [184.108.40.206] Authentication-Results: mta1445.mail.ne1.yahoo.com from=nortom.com; domainkeys=neutral (no sig); from=nortom.com; dkim=neutral (no sig) Received: from 127.0.0.1 (EHLO spamcop.net) (220.127.116.11) by mta1445.mail.ne1.yahoo.com with SMTP; Sat, 21 Dec 2013 23:33:04 +0000 Received: by mail.hosting.com (Postfix, from uid 1) id 653DB664470; Sat, Dec 21 2013 23:32:41 +0000 (UTC) To: blahblahblah[at]yahoo.com From: yadayadayada[at]nortom.com Subject: SilkRoad products by credit card MIME-Version: 1.0 Message-Id: <1387668761.653DB664470[at]mail.hosting.com> Content-Type: multipart/alternative; boundary="197365567D6-302315864" Date: Sat, Dec 21 2013 23:32:41 +0000 (UTC) Content-Length: 601 The email contents contains three links with what seems like version decoding in the URL text, but not in the link. Below is the text only. The link doesn't have the www241 value in it. The wwwXXX number is different in each spam email. Main: www241.approved-pharmacy-cop.net Mirror: www241.atlantic-drugs.com Affiliates your spam traffic accepted: www241.rxtitans.com Would this be a joe-job? They arrive about five times per day and are pretty nonsensical - as if they are begging to have them reported to spamcop. Thanks in advance. Link to comment Share on other sites More sharing options...
This topic is now archived and is closed to further replies.