Jump to content

A strange response from microsoft...


LeeRyder
 Share

Recommended Posts

I just got this reply from MS about a spam I just reported. Note: there were no attachments in the spam itself. Thoughts?

From: Microsoft Customer Support (WEBCS.WLHM.00.00.EN.MSF.SEA.AU.QRT.SPT.00.EM[at]css.one.microsoft.com)

Sent: Mon 1/20/14 7:05 PM

To: lee ryder (6065030332[at]reports.spamcop.net)

The following attachment(s) could not be processed by the Microsoft support system: . Please be aware of the following restrictions on e-mail the system can accept: 1. File size cannot exceed 5 MB. If you need to send in a larger attachment, please zip it before that. 2. Only the following attachments formats are allowed: accdb, avi, bmp, cab, cap, chls, csv, doc, docx, dotx, eml, err, evt, gif, gz, htm, html, hwl, ico, jpeg, jpg, lic, log, mdb, mht, mp3, mpg, msg, msi, nfo, oft, pcap, pdf, png, potx, ppt, pptx, psf, pst, pub, rar, rtf, saz, stp, swf, text, tiff, tif, txt, uccapilog, uccp, uccplog, vcf, vsd, wdb, wks, wma, wmf, wmv, wps, wpt, xlr, xls, xlsx, xlt, xltx, xml, xps, zip. For file types in any other format, please convert to a .zip format before re-sending. Further information can be found here: http://office.microsoft.com/en-us/help/ha011276901033.aspx .

Edited by LeeRyder
Link to comment
Share on other sites

Have a closer look at that spam via your "past reports" Lee. There may be a clue in the headers, such as a bogus attachment disposition. If you want other eyes to assist, be aware that only SC staff can look up that report when you reveal only the Report ID.. If you wanted to involve others you would need to post the Tracking URL

Link to comment
Share on other sites

Have a closer look at that spam via your "past reports" Lee. There may be a clue in the headers, such as a bogus attachment disposition. If you want other eyes to assist, be aware that only SC staff can look up that report when you reveal only the Report ID.. If you wanted to involve others you would need to post the Tracking URL

Oh sorry, I didn't realize that after all these years lol. OK, just copy/paste here for ease of reading:

x-store-info:sbevkl2QZR7OXo7WID5ZcVBK1Phj2jX/

Authentication-Results: hotmail.com; spf=pass (sender IP is 65.54.190.22; identity alignment result is pass and alignment mode is relaxed) smtp.mailfrom=foxie_kerrie[at]hotmail.com; dkim=none (identity alignment result is pass and alignment mode is relaxed) header.d=hotmail.com; x-hmca=pass header.id=foxie_kerrie[at]hotmail.com

X-SID-PRA: foxie_kerrie[at]hotmail.com

X-AUTH-Result: PASS

X-SID-Result: PASS

X-Message-Status: n:n

X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtHRD0xO1NDTD0w

X-Message-Info: scknhJDMNN61fKm7P68mei22dicamX3jRnZ50VVwCPHvKvCsmDDvCVGlVeqYXcNhicUDELrRjXLVcH0ua036bxi73dI5dap7hmFVVlLyKODnv9nxiUZxmN7Gr+uHFYdOpljtZs3+xbqlU920b1hj3fso6ODz3BBVIUEAjT62eCnqAKpEpHEiBDy0oWQ0v0rP/TbdMLoQXc7iknhMSKz6lZqPuzogfhBg

Received: from bay0-omc1-s11.bay0.hotmail.com ([65.54.190.22]) by SNT0-MC2-F23.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);

Mon, 20 Jan 2014 16:32:46 -0800

Received: from BAY002-M262 ([65.54.190.59]) by bay0-omc1-s11.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);

Mon, 20 Jan 2014 16:32:46 -0800

X-TMN: [dGN/nV4F9OxmS4FSmB0HqXOTQSKWY6KJ]

X-Originating-Email: [foxie_kerrie[at]hotmail.com]

Message-ID: <BAY0____________________________FA40[at]phx.gbl>

Return-Path: foxie_kerrie[at]hotmail.com

Content-Type: multipart/alternative;

boundary="_59fa3c69-6858-4b71-87d9-632aa84c391a_"

From: kerrie elvidge <foxie_kerrie[at]hotmail.com>

To: <x>, <x>,

<x>, <x>,

<x>, <x>, <x>,

<x>, <x>,

<x>, <x>,

<x>

Subject: I DID IT!

Date: Tue, 21 Jan 2014 00:32:44 +0000

Importance: Normal

MIME-Version: 1.0

X-OriginalArrivalTime: 21 Jan 2014 00:32:46.0091 (UTC) FILETIME=[4E176DB0:01CF1640]

--_59fa3c69-6858-4b71-87d9-632aa84c391a_

Content-Type: text/plain; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

I try to help you=3B) http://verena.com.ar/private.59news.php?samycabaqur

=

--_59fa3c69-6858-4b71-87d9-632aa84c391a_

Content-Type: text/html; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

<html>

<head>

<style><!--

.hmmessage P

{

margin:0px=3B

padding:0px

}

body.hmmessage

{

font-size: 12pt=3B

font-family:Calibri

}

--></style></head>

<body class=3D'hmmessage'><div dir=3D'ltr'>I try to help you=3B) =3B&nb=

sp=3Bhttp://verena.com.ar/private.59news.php?samycabaqur<br> </d=

iv></body>

</html>=

--_59fa3c69-6858-4b71-87d9-632aa84c391a_--

Link to comment
Share on other sites

Looks to me like the multi-part boundaries are muffed Lee (being a common problem when mass-mailers are used to emulate "proper" mail apps). That could have fooled the MS robot, finding dispositions AFTER the supposed message end.

And another reason we use trackers is to avoid inadvertently broadcasting the spammers' spamvertized payload which is an ironical sort of thing for a reporter to do :P . I have broken the live link in the above post. Can't have excess irony, can we?

Steve

Link to comment
Share on other sites

Looks to me like the multi-part boundaries are muffed Lee (being a common problem when mass-mailers are used to emulate "proper" mail apps). That could have fooled the MS robot, finding dispositions AFTER the supposed message end.

And another reason we use trackers is to avoid inadvertently broadcasting the spammers' spamvertized payload which is an ironical sort of thing for a reporter to do :P . I have broken the live link in the above post. Can't have excess irony, can we?

Steve

Oh ok, my bad. I figured links would be disabled on here, sorry :)

so basically, it's just a glitch from the spammer "himself" that confused Microsoft then? huh, ok, well that's a curious one. All these years and I've never seen this.

Thanks for your help :)

Link to comment
Share on other sites

Looks to me like the multi-part boundaries are muffed Lee (being a common problem when mass-mailers are used to emulate "proper" mail apps). That could have fooled the MS robot, finding dispositions AFTER the supposed message end.

And another reason we use trackers is to avoid inadvertently broadcasting the spammers' spamvertized payload which is an ironical sort of thing for a reporter to do :P . I have broken the live link in the above post. Can't have excess irony, can we?

Steve

I'll be an SOB.. it just happened again... Is this guy working on an exploit since both times the reports were heading to Hotmail?

http://www.spamcop.net/mcgi?action=gettrac...rtid=6065714601

x-store-info:w5JOV+GpEg16Hd3Liu8PdRxpTf1sPdyeu0ICfye9mP+UXED47ld+rHXTPKQr8zZmkF7yqWwpWtR7cCaLcCeurWbhOGDcZuGUzfsoz/HgOzgv82hBY7iSvBOyfIChDmxh37Fo6TDvOr8=

Authentication-Results: hotmail.com; spf=pass (sender IP is 65.54.190.39; identity alignment result is pass and alignment mode is relaxed) smtp.mailfrom=foxie_kerrie[at]hotmail.com; dkim=none (identity alignment result is pass and alignment mode is relaxed) header.d=hotmail.com; x-hmca=pass header.id=foxie_kerrie[at]hotmail.com

X-SID-PRA: foxie_kerrie[at]hotmail.com

X-AUTH-Result: PASS

X-SID-Result: PASS

X-Message-Status: n:n

X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MjtHRD0xO1NDTD00

X-Message-Info: CAsu/em8dFgdtvC9ZewnW93FG1YDXl42KefjRMPxo1dt5wUDkOCwnD8PHttNW28716ncbYVlSTMk0YX62yHpUGoO5XJXO1//eAy5s3N6axAEhC4YAkY6AZn/ZWWLaJMQ4584eE2N1N+ZEst8GIl7vk9zdGuwktnnYT5gmIhxizmC3XSZ2nPBKcyOygz5DUDPYPWzziOmf5COPK/y1xfS8YFbxkCUvQsc

Received: from bay0-omc1-s28.bay0.hotmail.com ([65.54.190.39]) by SNT0-MC3-F18.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);

Tue, 21 Jan 2014 15:21:31 -0800

Received: from BAY002-M135 ([65.54.190.59]) by bay0-omc1-s28.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);

Tue, 21 Jan 2014 15:21:30 -0800

X-TMN: [rFikfdcv7dv+AbiUy+08IiRYM4tjJ4aC]

X-Originating-Email: [foxie_kerrie[at]hotmail.com]

Message-ID: <BAY0____________________________FA40[at]phx.gbl>

Return-Path: foxie_kerrie[at]hotmail.com

Content-Type: multipart/alternative;

boundary="_00ab8d6e-2e16-4201-8188-c07e6e2f18db_"

From: kerrie elvidge <foxie_kerrie[at]hotmail.com>

To: <x>, <x>,

<x>, <x>,

<x>, <x>, <x>,

<x>, <x>, <x>,

<x>, <x>,

<x>, <x>,

<x>, <x>,

<x>, <x>,

<x>, <x>, <x>,

<x>, <x>,

<x>, <x>,

<x>

Subject: Fw: [6]

Date: Tue, 21 Jan 2014 23:21:27 +0000

Importance: Normal

MIME-Version: 1.0

X-OriginalArrivalTime: 21 Jan 2014 23:21:30.0034 (UTC) FILETIME=[83C6A920:01CF16FF]

--_00ab8d6e-2e16-4201-8188-c07e6e2f18db_

Content-Type: text/plain; charset="utf-8"

Content-Transfer-Encoding: base64

DQpJIHJlY29tbWVuZCBzaXRlDQoNCmh0dHA6Ly93ZWJ0b3ByaW50cy5jb20vX2RvLm5vdC5taXNz

LmltcG9ydGFudC5uZXdzLmh0bWw/YXRpcWV0dXNqbQ0KDQoNCj09PT09PT09PT09PT09PQ0KU2Vu

dDogV2VkLCAyMiBKYW4gMjAxNCAwOjIxOjIzDQoNCkNoZWNrZWQ6IFNlY3VyZSBMaW5rDQpOb3J0

b27vv70gSW50ZXJuZXQgU2VjdXJpdHkNCiAJCSAJICAgCQkgIA==

--_00ab8d6e-2e16-4201-8188-c07e6e2f18db_

Content-Type: text/html; charset="utf-8"

Content-Transfer-Encoding: base64

PGh0bWw+DQo8aGVhZD4NCjxzdHlsZT48IS0tDQouaG1tZXNzYWdlIFANCnsNCm1hcmdpbjowcHg7

DQpwYWRkaW5nOjBweA0KfQ0KYm9keS5obW1lc3NhZ2UNCnsNCmZvbnQtc2l6ZTogMTJwdDsNCmZv

bnQtZmFtaWx5OkNhbGlicmkNCn0NCi0tPjwvc3R5bGU+PC9oZWFkPg0KPGJvZHkgY2xhc3M9J2ht

bWVzc2FnZSc+PGRpdiBkaXI9J2x0cic+PGJyPkkgcmVjb21tZW5kIHNpdGU8YnI+PGJyPmh0dHA6

Ly93ZWJ0b3ByaW50cy5jb20vX2RvLm5vdC5taXNzLmltcG9ydGFudC5uZXdzLmh0bWw/YXRpcWV0

dXNqbTxicj48YnI+PGJyPj09PT09PT09PT09PT09PTxicj5TZW50OiBXZWQsIDIyIEphbiAyMDE0

IDA6MjE6MjM8YnI+PGJyPkNoZWNrZWQ6IFNlY3VyZSBMaW5rPGJyPk5vcnRvbu+/vSBJbnRlcm5l

dCBTZWN1cml0eTxicj4gCQkgCSAgIAkJICA8L2Rpdj48L2JvZHk+DQo8L2h0bWw+

--_00ab8d6e-2e16-4201-8188-c07e6e2f18db_--

Edited by LeeRyder
Link to comment
Share on other sites

Lee, yes, I'm seeing the boundary _00ab8d6e-2e16-4201-8188-c07e6e2f18db_ prematurely closed (by the addition of a pair of " - " characters) which is my guess as to the cause. We sometimes credit spammers with too much knowledge/intelligence - if this is deliberate it was likely just stumbled over but the odds are the spammer doesn't even know the effect of it. Well, unless he reads these pages.

In any event MS might "fix" their parser at any time and, so far as effect on incrementing SC stats against the sending server, it has no effect at all. That at least will help ensure that the "exploit" (if that's what it is) doesn't become a major spam conduit (if MS has any interest in controlling the abuse of its networks it would presumably eventually react to user complaints if outgoing mail started getting blocked or diverted due to IP addresses appearing in the SCbl and other RBLs). Tagging these spams as "spam" within the Hotmail system would probably help too, if you can.

Link to comment
Share on other sites

Lee, yes, I'm seeing the boundary _00ab8d6e-2e16-4201-8188-c07e6e2f18db_ prematurely closed (by the addition of a pair of - characters) which is my guess as to the cause. We sometimes credit spammers with too much knowledge/intelligence - if this is deliberate it was likely just stumbled over and the odds are the spammer doesn't even know the effect of it. Well, unless he reads these pages. In any event MS might "fix" their parser at any time and, so far as effect on incrementing SC stats against the sending server, it has no effect at all. That at least will help ensure that the "exploit" (if that's what it is) doesn't become a major spam conduit (if MS has any interest in controlling the abuse of its networks). Tagging these as "spam" within the Hotmail system would probably help too.

OK I I'll stand by over the coming days and note how many are coming from this guy. And see if a pattern emerges (larger than him using the same email addy twice now).

I appreciate your help on this. I know, to you, it's petty, but to me, it's war :)

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...