Jump to content

[Resolved] Why is "Received: from... (EHLO spamcop.net)" in my spam headers?


Clydesdale

Recommended Posts

Hello,

When cutting and pasting headers from the most recent versions of daily spam emails I've noticed that spamcop is mentioned in the headers of all of these emails. Why would the line "Received: from 127.0.0.1 (EHLO spamcop.net) (81.3.142.201) by mta1445.mail.ne1.yahoo.com with SMTP; Sat, 21 Dec 2013 23:33:04 +0000" be in the header? Why is the spamcop name in the header? The full header of my latest spam email with my email address munged is below. The bold font is mine.

From yadayadayada[at]nortom.com Sat Dec 21 15:33:04 2013

X-Apparently-To: blahblahblah[at]yahoo.com via 98.138.85.21; Sat, 21 Dec 2013 23:33:04 +0000

Return-Path: <yadayadayada[at]nortom.com>

X-YahooFilteredBulk: 81.3.142.201

Received-SPF: permerror (encountered permanent error during SPF processing of domain of nortom.com)

X-YMailISG: wd9iGmYWLDtSt_u0glv6ASZDbf04DgWGG7F_Gs.p8Vnnk0ar

EOAP5e5GG8zq5G298QyI0ahKKipYR1T3ERzvGdQb8nKUIQJpszqR5zmA.Udp

2rkwZNk01xqO9H7PBb4aC3g3CvkF3uwAkzvmvSz4dRFIu4vfemgISIGiMCs_

x7INKH.6Jz1iNPECxTIwh6BHOi72Qn3v0u3oznd980EC2cgTvQl5AJnCYz57

keX5d3pNV1lG9ceKo8z3ZNdw4Qv6yu5bszKwfpA_FyX6x5IHXx9Hx2COgos2

LCD2WECMGItqu2GRhj.cWfhoys_n6seIdfC2oXUljch5tfBCFlDLcAkhM6UB

2wNU6za9RZ4ODOCYOMsHeEThvt6kb_Wq.3u53ItO9HQ7d.FdVn3dtlSo4rkR

I1NBCaeVkz0SJUeG5ej.Ltuus390HTa.V0ztXnmnt21iVVcenpSf1HyzUvGk

E.q2xlGrv0n0JPSHL3.DHAwcPJ_ZfdWaADsa93o3pGs4iLnUul_tRZXGf_sv

dE7_OlBj4MVTYnK6_jOQJJgo4E6WxC33gCrhghbaW9v_7PAhL3TsBkwW_H94

ZOfgo1wQ5rzb2lozO6vI4.asldVGU3fRImIMq.JKkkrsjkAKbEoSAvb2txzw

UPM1TnqrAmC8GjD3z_ogpSDoZZG41pO4lCHt8OQxrc8B2._j.5P7krCT_5iW

mmPAZG0h.HV.KBXd6nFrpKYYTzYlO_vZOPMNwHWYt2OyHGE5FIBBkYLSBg92

8YRV3vz0IWY4mQio4hJLJF1eha31o9tdnh9RNvZU71GvAzYpAraa51jsKlIQ

PAuaOg3bhCnSz4vLy7y8Ze.NkJQ3SrJ9KAjXxJuym9peWQapV_mECHyCxS_i

BFHRPXzEM_T8gsUdfZRGZUlE_GpHYGJ5sjRDY6hGm6Kk16ekZZYdQKWMEvpB

IC1dKYtWig2rf_kOjaYu.zJKEhEtAY.VZ9AQTtjSiPLjYqrS5Ks5CCDRZLwW

4_HLuPMVj1gVyQFS5X0xu_s2ZF3rweTPbqN4bTLC153O5JfU5VzcOjXC3zKg

5MwkpyKvr332NqUsh8mQVDa20lcMiCRjJM4Pnl0STdYgB06nfBi_jmkicLkm

6EJmFIRxDSN4HbSlQxVbL6yCISPjyh_EHixeKgtV35adRuB_a6h8_PThLgWa

.snRsKL7Tmsywd2sY9xd2IvGwJXPdMQAkhAe7AIcEbm542JiqrXbs4r5nuyQ

uEuNTKWgmrL_cmcGxhqwDD9NbkACOE.zJ7doDb7HxdIriXpRMYz0oPqlcQ_o

5HT.cdv9yKtMrLW08QyGla3tlKIJzgRS8mOpL0fRZXAfi52B7C3dYDa0Xg--

X-Originating-IP: [81.3.142.201]

Authentication-Results: mta1445.mail.ne1.yahoo.com from=nortom.com; domainkeys=neutral (no sig); from=nortom.com; dkim=neutral (no sig)

Received: from 127.0.0.1 (EHLO spamcop.net) (81.3.142.201)

by mta1445.mail.ne1.yahoo.com with SMTP; Sat, 21 Dec 2013 23:33:04 +0000

Received: by mail.hosting.com (Postfix, from uid 1)

id 653DB664470; Sat, Dec 21 2013 23:32:41 +0000 (UTC)

To: blahblahblah[at]yahoo.com

From: yadayadayada[at]nortom.com

Subject: SilkRoad products by credit card

MIME-Version: 1.0

Message-Id: <1387668761.653DB664470[at]mail.hosting.com>

Content-Type: multipart/alternative; boundary="197365567D6-302315864"

Date: Sat, Dec 21 2013 23:32:41 +0000 (UTC)

Content-Length: 601

The email contents contains three links with what seems like version decoding in the URL text, but not in the link. Below is the text only. The link doesn't have the www241 value in it. The wwwXXX number is different in each spam email.

Main: www241.approved-pharmacy-cop.net

Mirror: www241.atlantic-drugs.com

Affiliates your spam traffic accepted: www241.rxtitans.com

Would this be a joe-job? They arrive about five times per day and are pretty nonsensical - as if they are begging to have them reported to spamcop.

Thanks in advance.

Link to comment
Share on other sites

Just received another, similar, spam with spamcop in the header. The header is below. Bold text mine.

From YadaYadaYada[at]copitima.com Sat Dec 21 17:09:18 2013

X-Apparently-To: blahblahblah[at]yahoo.com via 98.138.85.24; Sat, 21 Dec 2013 17:09:18 -0800

Return-Path: <YadaYadaYada[at]copitima.com>

X-YahooFilteredBulk: 218.210.2.92

Received-SPF: softfail (transitioning domain of copitima.com does not designate 218.210.2.92 as permitted sender)

X-YMailISG: MRlFIiwWLDsK9gESvtAgxgPb9S_pBXmeWrNykLenQGbalAKK

Mf3bhnZYPEm6ibtY6gm.ZyNOhGmohENj_xAS6QnbTMZG9DP4mqrWWgeLYh0P

UKRlqp2zNPwjF0ZAw1S8DjXHSqqkJzcpr15QBP8rSWOcFwPKK3z0zpGcjKu0

rEbFJDduHQFGI8fKsTUJBmnale0tlfieBEbi1v8LWM5RjOvy1GKV.j9tyqnA

gjzPCqnVM2aS979ar8WTd_kFQxQxcqVdmG84wH54q4xmOJBMRxaEXihD_feA

WqKjOMYlS4Kp0UQ_lcfMZQuILYclIn6WMc87Hqt7HrUUOxFQExqj7hPXVaC8

VdGMymkE2JgT1t1Oyl8HYTW.ouKqPEcG8MelfStWOfaP6cK6AAyMQP9lkt.9

wUYLDUhBOzZ1KY1.7fOHQvIFixL9y3lRAycwR3srJXOXzqKbJg5av9xoD2Gb

3PCChhW2J2AXe8be8ZKQaUcMcGEB9OCYnQUdfjvpGrWsiLF8wluWmFlR27ql

N4sZZ6AqOMDtdttpH2lJLJT1RRJpE7D2nMMAeGPfs_aB4VPIygs_JdyVNdCC

vRke6HTQ7yWenPvZVTlI2NfpZsGdYD9y2TWLstY21ghp95hmdtjWhNBwMhcw

fSveKcenw1hcmqCq8e8UEW3oa3HZJAI2o8r4KCFm81ZO314jYWavEqKT.kcf

Jy.do_Kv8Pe8H3auo5d34.nNjD3qXaiyWZJ1UlxeOXHSWsCHqeztwE28bnou

AQnbaiZvjTxBG512LLkUE.8cWzTeLOT6.9yGpwvfSFNLi_P7LlifVC5Wpkhl

g.gDZi2nUhId9KtbWSpbCoHQyOEV5fULPWcIPpV3c05ckhnvyiaaCWzGIoNF

lbGhyTGm9uxR3C53bEBDi32lBcPZTNgieZTleY._aq05SmE_mjA8NdkD0u_C

T2WCEKhSx8a42Wc61TENRC4ksnziRtPK1bXKhBoZ8_z3idLZ59h95cEVNSr2

.2KoU8cwPWklT5.40aNXIpaQ1HGMHnMTWbVcN4BTq2Iqga6TLpNGjxK_TRBl

hI35C9ptSClUA03NEK8wR1FYIDPfzwi3npa0QyU5Q282MNY7m5eMr8XmPS4z

S6JOkfgoX3wOr34yv38nmHmNEvcHYtXJ3l5BSYs4N8n8esE6pmw80qqt7YUw

lAlxDiFjTpS6xE259ljZrVl7sNplDdvgtXcfVHpd2b3ekWMVNJ.woF1EKpH8

oJ5JLwg72E0MEaZ5BAG6RUMd6fW6tSkiojsh3nI-

X-Originating-IP: [218.210.2.92]

Authentication-Results: mta1349.mail.gq1.yahoo.com from=copitima.com; domainkeys=neutral (no sig); from=copitima.com; dkim=neutral (no sig)

Received: from 127.0.0.1 (EHLO spamcop.net) (218.210.2.92)

by mta1349.mail.gq1.yahoo.com with SMTP; Sat, 21 Dec 2013 17:09:15 -0800

Received: by mail.hosting.com (Postfix, from uid 1)

id 50A4A1989AE; Sun, Dec 22 2013 01:04:56 +0000 (UTC)

To: blahblahblah[at]yahoo.com

From: YadaYadaYada[at]copitima.com

Subject: Very cheat phentermine for you

MIME-Version: 1.0

Message-Id: <1387674296.50A4A1989AE[at]mail.hosting.com>

Content-Type: multipart/alternative; boundary="4B1F63CFBB4-176502668"

Date: Sun, Dec 22 2013 01:04:56 +0000 (UTC)

Content-Length: 654

Link to comment
Share on other sites

Hello,

When cutting and pasting headers from the most recent versions of daily spam emails I've noticed that spamcop is mentioned in the headers of all of these emails. Why would the line "Received: from 127.0.0.1 (EHLO spamcop.net) (81.3.142.201) by mta1445.mail.ne1.yahoo.com with SMTP; Sat, 21 Dec 2013 23:33:04 +0000" be in the header? Why is the spamcop name in the header? The full header of my latest spam email with my email address munged is below. The bold font is mine.

Would this be a joe-job? They arrive about five times per day and are pretty nonsensical - as if they are begging to have them reported to spamcop.

Thanks in advance.

BOTNET attack host

http://cbl.abuseat.org/lookup.cgi?ip=81.3.142.201

Pay to show SpamCop tracking URL makes it easier to work out

Just received another, similar, spam with spamcop in the header. The header is below. Bold text mine.

From YadaYadaYada[at]copitima.com Sat Dec 21 17:09:18 2013

X-Apparently-To: blahblahblah[at]yahoo.com via 98.138.85.24; Sat, 21 Dec 2013 17:09:18 -0800

Return-Path: <YadaYadaYada[at]copitima.com>

X-YahooFilteredBulk: 218.210.2.92

Botnet attack host

http://cbl.abuseat.org/lookup.cgi?ip=218.210.2.92

Abuse notification should go to abuse[at]sparqnet.net

These "providers" need to block Port 25 outbound to stop this type of spam

Link to comment
Share on other sites

BOTNET attack host

http://cbl.abuseat.org/lookup.cgi?ip=81.3.142.201

Pay to show SpamCop tracking URL makes it easier to work out

petzl,

Thank you for the response. I'm not as up as I should be on these things. I understand your botnet attack explanation and the link showing it. I still don't understand why, or how, the word "spamcop" is in the spammer's spam email header. This seems to be recent and only in this set of spam emails that are arriving.

Link to comment
Share on other sites

petzl,

Thank you for the response. I'm not as up as I should be on these things. I understand your botnet attack explanation and the link showing it. I still don't understand why, or how, the word "spamcop" is in the spammer's spam email header. This seems to be recent and only in this set of spam emails that are arriving.

Zombie computer controlled by a spammer.

Simply changing the computers name from "My Computer" to SpamCop will do this

Also the "spamware" can also put any name up

Link to comment
Share on other sites

Zombie computer controlled by a spammer.

Simply changing the computers name from "My Computer" to SpamCop will do this

Also the "spamware" can also put any name up

Ahh... Now I get it. Thanks!

Interesting that they make it spamcop. I guess they don't like spamcop much - a good thing. :)

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...