LeeRyder Posted January 21, 2014
I just got this reply from MS about a spam I just reported. Note: there were no attachments in the spam itself. Thoughts?

From: Microsoft Customer Support (WEBCS.WLHM.00.00.EN.MSF.SEA.AU.QRT.SPT.00.EM[at]css.one.microsoft.com)
Sent: Mon 1/20/14 7:05 PM
To: lee ryder (6065030332[at]reports.spamcop.net)

The following attachment(s) could not be processed by the Microsoft support system: .
Please be aware of the following restrictions on e-mail the system can accept:
1. File size cannot exceed 5 MB. If you need to send in a larger attachment, please zip it before that.
2. Only the following attachment formats are allowed: accdb, avi, bmp, cab, cap, chls, csv, doc, docx, dotx, eml, err, evt, gif, gz, htm, html, hwl, ico, jpeg, jpg, lic, log, mdb, mht, mp3, mpg, msg, msi, nfo, oft, pcap, pdf, png, potx, ppt, pptx, psf, pst, pub, rar, rtf, saz, stp, swf, text, tiff, tif, txt, uccapilog, uccp, uccplog, vcf, vsd, wdb, wks, wma, wmf, wmv, wps, wpt, xlr, xls, xlsx, xlt, xltx, xml, xps, zip. For file types in any other format, please convert to a .zip format before re-sending.
Further information can be found here: http://office.microsoft.com/en-us/help/ha011276901033.aspx
Farelf Posted January 21, 2014
Have a closer look at that spam via your "past reports", Lee. There may be a clue in the headers, such as a bogus attachment disposition. If you want other eyes to assist, be aware that only SC staff can look up that report when you reveal only the Report ID. If you wanted to involve others you would need to post the Tracking URL.
LeeRyder Posted January 21, 2014
Oh sorry, I didn't realize that after all these years, lol. OK, I'll just copy/paste here for ease of reading:

x-store-info:sbevkl2QZR7OXo7WID5ZcVBK1Phj2jX/
Authentication-Results: hotmail.com; spf=pass (sender IP is 65.54.190.22; identity alignment result is pass and alignment mode is relaxed) smtp.mailfrom=foxie_kerrie[at]hotmail.com; dkim=none (identity alignment result is pass and alignment mode is relaxed) header.d=hotmail.com; x-hmca=pass header.id=foxie_kerrie[at]hotmail.com
X-SID-PRA: foxie_kerrie[at]hotmail.com
X-AUTH-Result: PASS
X-SID-Result: PASS
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtHRD0xO1NDTD0w
X-Message-Info: scknhJDMNN61fKm7P68mei22dicamX3jRnZ50VVwCPHvKvCsmDDvCVGlVeqYXcNhicUDELrRjXLVcH0ua036bxi73dI5dap7hmFVVlLyKODnv9nxiUZxmN7Gr+uHFYdOpljtZs3+xbqlU920b1hj3fso6ODz3BBVIUEAjT62eCnqAKpEpHEiBDy0oWQ0v0rP/TbdMLoQXc7iknhMSKz6lZqPuzogfhBg
Received: from bay0-omc1-s11.bay0.hotmail.com ([65.54.190.22]) by SNT0-MC2-F23.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900); Mon, 20 Jan 2014 16:32:46 -0800
Received: from BAY002-M262 ([65.54.190.59]) by bay0-omc1-s11.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Mon, 20 Jan 2014 16:32:46 -0800
X-TMN: [dGN/nV4F9OxmS4FSmB0HqXOTQSKWY6KJ]
X-Originating-Email: [foxie_kerrie[at]hotmail.com]
Message-ID: <BAY0____________________________FA40[at]phx.gbl>
Return-Path: foxie_kerrie[at]hotmail.com
Content-Type: multipart/alternative; boundary="_59fa3c69-6858-4b71-87d9-632aa84c391a_"
From: kerrie elvidge <foxie_kerrie[at]hotmail.com>
To: <x>, <x>, <x>, <x>, <x>, <x>, <x>, <x>, <x>, <x>, <x>, <x>
Subject: I DID IT!
Date: Tue, 21 Jan 2014 00:32:44 +0000
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 21 Jan 2014 00:32:46.0091 (UTC) FILETIME=[4E176DB0:01CF1640]

--_59fa3c69-6858-4b71-87d9-632aa84c391a_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

I try to help you=3B) http://verena.com.ar/private.59news.php?samycabaqur =

--_59fa3c69-6858-4b71-87d9-632aa84c391a_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html> <head> <style><!-- .hmmessage P { margin:0px=3B padding:0px } body.hmmessage { font-size: 12pt=3B font-family:Calibri } --></style></head> <body class=3D'hmmessage'><div dir=3D'ltr'>I try to help you=3B) =3B&nb= sp=3Bhttp://verena.com.ar/private.59news.php?samycabaqur<br> </d= iv></body> </html>=

--_59fa3c69-6858-4b71-87d9-632aa84c391a_--
Farelf Posted January 21, 2014
Looks to me like the multi-part boundaries are muffed, Lee (being a common problem when mass-mailers are used to emulate "proper" mail apps). That could have fooled the MS robot, finding dispositions AFTER the supposed message end. And another reason we use trackers is to avoid inadvertently broadcasting the spammers' spamvertized payload, which is an ironical sort of thing for a reporter to do. I have broken the live link in the above post. Can't have excess irony, can we?
Steve
LeeRyder Posted January 21, 2014
Oh ok, my bad. I figured links would be disabled on here, sorry. So basically, it's just a glitch from the spammer "himself" that confused Microsoft then? Huh, ok, well that's a curious one. All these years and I've never seen this. Thanks for your help.
LeeRyder Posted January 22, 2014
I'll be an SOB.. it just happened again... Is this guy working on an exploit, since both times the reports were heading to Hotmail?
http://www.spamcop.net/mcgi?action=gettrac...rtid=6065714601

x-store-info:w5JOV+GpEg16Hd3Liu8PdRxpTf1sPdyeu0ICfye9mP+UXED47ld+rHXTPKQr8zZmkF7yqWwpWtR7cCaLcCeurWbhOGDcZuGUzfsoz/HgOzgv82hBY7iSvBOyfIChDmxh37Fo6TDvOr8=
Authentication-Results: hotmail.com; spf=pass (sender IP is 65.54.190.39; identity alignment result is pass and alignment mode is relaxed) smtp.mailfrom=foxie_kerrie[at]hotmail.com; dkim=none (identity alignment result is pass and alignment mode is relaxed) header.d=hotmail.com; x-hmca=pass header.id=foxie_kerrie[at]hotmail.com
X-SID-PRA: foxie_kerrie[at]hotmail.com
X-AUTH-Result: PASS
X-SID-Result: PASS
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MjtHRD0xO1NDTD00
X-Message-Info: CAsu/em8dFgdtvC9ZewnW93FG1YDXl42KefjRMPxo1dt5wUDkOCwnD8PHttNW28716ncbYVlSTMk0YX62yHpUGoO5XJXO1//eAy5s3N6axAEhC4YAkY6AZn/ZWWLaJMQ4584eE2N1N+ZEst8GIl7vk9zdGuwktnnYT5gmIhxizmC3XSZ2nPBKcyOygz5DUDPYPWzziOmf5COPK/y1xfS8YFbxkCUvQsc
Received: from bay0-omc1-s28.bay0.hotmail.com ([65.54.190.39]) by SNT0-MC3-F18.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900); Tue, 21 Jan 2014 15:21:31 -0800
Received: from BAY002-M135 ([65.54.190.59]) by bay0-omc1-s28.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Tue, 21 Jan 2014 15:21:30 -0800
X-TMN: [rFikfdcv7dv+AbiUy+08IiRYM4tjJ4aC]
X-Originating-Email: [foxie_kerrie[at]hotmail.com]
Message-ID: <BAY0____________________________FA40[at]phx.gbl>
Return-Path: foxie_kerrie[at]hotmail.com
Content-Type: multipart/alternative; boundary="_00ab8d6e-2e16-4201-8188-c07e6e2f18db_"
From: kerrie elvidge <foxie_kerrie[at]hotmail.com>
To: <x>, <x>, <x>, <x>, <x>, <x>, <x>, <x>, <x>, <x>, <x>, <x>, <x>, <x>, <x>, <x>, <x>, <x>, <x>, <x>, <x>, <x>, <x>, <x>, <x>, <x>
Subject: Fw: [6]
Date: Tue, 21 Jan 2014 23:21:27 +0000
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 21 Jan 2014 23:21:30.0034 (UTC) FILETIME=[83C6A920:01CF16FF]

--_00ab8d6e-2e16-4201-8188-c07e6e2f18db_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

--_00ab8d6e-2e16-4201-8188-c07e6e2f18db_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

--_00ab8d6e-2e16-4201-8188-c07e6e2f18db_--
Farelf Posted January 22, 2014
Lee, yes, I'm seeing the boundary _00ab8d6e-2e16-4201-8188-c07e6e2f18db_ prematurely closed (by the addition of a pair of "-" characters), which is my guess as to the cause. We sometimes credit spammers with too much knowledge/intelligence - if this is deliberate it was likely just stumbled over, but the odds are the spammer doesn't even know the effect of it. Well, unless he reads these pages. In any event MS might "fix" their parser at any time and, so far as effect on incrementing SC stats against the sending server, it has no effect at all. That at least will help ensure that the "exploit" (if that's what it is) doesn't become a major spam conduit (if MS has any interest in controlling the abuse of its networks it would presumably eventually react to user complaints if outgoing mail started getting blocked or diverted due to IP addresses appearing in the SCbl and other RBLs). Tagging these spams as "spam" within the Hotmail system would probably help too, if you can.
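The defect Farelf describes in the two posts above (a close delimiter appearing before the last part, so that MIME headers follow the supposed end of the message) can be checked mechanically. The Python below is an added example, not code from this thread or from SpamCop or Microsoft; the message it audits is a constructed stand-in with placeholder addresses, not the spam posted above.

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed sample (placeholder addresses, not the spam from the thread): the close
# delimiter "--_b1_--" appears after the FIRST part. RFC 2046 makes everything after a
# close delimiter an epilogue, so a strict parser sees one part, while a scanner that
# keeps reading "finds" a Content-Disposition: attachment that is not a part at all.
BAD_MSG = b"""\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_b1_"

--_b1_
Content-Type: text/plain; charset="utf-8"

placeholder text part
--_b1_--
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="phantom.html"

<html><body>placeholder html part</body></html>
--_b1_--
"""

def audit_multipart(raw: bytes) -> dict:
    """Report boundary-structure defects that a lenient MIME parser could trip on."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    boundary = msg.get_boundary()
    findings = {"boundary": boundary, "stdlib_parts": 0, "delimiters": 0,
                "close_delimiters": 0, "premature_close": False,
                "epilogue_has_headers": False,
                "stdlib_defects": [type(d).__name__ for d in msg.defects]}
    if boundary is None:
        return findings
    findings["stdlib_parts"] = len(list(msg.iter_parts()))
    # Delimiters sit at line start; the close delimiter carries a trailing "--".
    delim_re = re.compile(rb"(?m)^--" + re.escape(boundary).encode() + rb"(--)?[ \t]*$")
    hits = list(delim_re.finditer(raw))
    closes = [h for h in hits if h.group(1)]
    findings["delimiters"], findings["close_delimiters"] = len(hits), len(closes)
    if closes:
        # A close delimiter that is not the last delimiter ends the message early;
        # MIME headers after it are epilogue, not parts, and are a red flag.
        findings["premature_close"] = closes[0] is not hits[-1]
        epilogue = raw[closes[0].end():]
        findings["epilogue_has_headers"] = bool(
            re.search(rb"(?mi)^Content-(Type|Disposition):", epilogue))
    return findings
```

On the constructed message the standard-library parser reports a single part, while the raw scan flags the early close and the orphaned attachment headers behind it.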
LeeRyder Posted January 22, 2014
OK, I'll stand by over the coming days and note how many are coming from this guy, and see if a pattern emerges (larger than him using the same email addy twice now). I appreciate your help on this. I know, to you, it's petty, but to me, it's war.
Farelf Posted January 22, 2014
That's pretty much how very nearly all of us started in as reporters, Lee.