mrmaxx Posted May 9, 2004

I'm a SpamCop mail-system user and I've got a bunch of what appear to be bounces in my held mail, but looking at them, it appears that there is spam in them... but the subject doesn't make sense as a legitimate bounce, so it almost looks to me like the spammers have gotten smarter and realized that we can't report bounces here.... Wondering if it's a legit bounce, and if not, can we report it?

Here's a sample message:

Return-Path: <mailer[at]hotmail.com>
Delivered-To: spamcop-net-mrmaxx[at]spamcop.net
Received: (qmail 14040 invoked from network); 9 May 2004 12:57:41 -0000
Received: from unknown (HELO c60.cesmail.net) (192.168.1.105) by blade1.cesmail.net with SMTP; 9 May 2004 12:57:41 -0000
Received: from mailgate.cesmail.net (216.154.195.36) by c60.cesmail.net with SMTP; 09 May 2004 08:57:41 -0400
X-Ironport-AV: i="3.80,98,1081137600"; d="scan'217,208?gif'217,208,147"; a="59143976:sNHT52405404"
Received: (qmail 26795 invoked from network); 9 May 2004 12:57:40 -0000
Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101) by mailgate.cesmail.net with SMTP; 9 May 2004 12:57:40 -0000
Received: from mail.chattanooga.net [66.129.1.5] by mailgate.cesmail.net with POP3 (fetchmail-6.2.1) for mrmaxx[at]spamcop.net (single-drop); Sun, 09 May 2004 08:57:40 -0400 (EDT)
Received: from psmtp.com (exprod7mx11.postini.com [12.158.38.151]) by mail.chattanooga.net (8.12.8/8.12.8) with SMTP id i49CsMfX023479; Sun, 9 May 2004 08:54:22 -0400
Received: from source ([69.40.67.169]) by exprod7mx11.postini.com ([12.158.38.251]) with SMTP; Sun, 09 May 2004 05:54:05 PDT
X-McAfeeVS-TimeoutProtection: 0
Received: from 160.156.124.146
X-eGroups-Return: sentto-6006413-12636-7863170432-coxeagle[at]chattanooga.net[at]returns.groups.yahoo.com
Received: from syndicalisms (75-ANV.yahoo.com [208.218.48.64) by mta326.mail.scd.yahoo.com (Postfix) with ESMTP id C6562347A for <coxeagle[at]chattanooga.net>; Sun, 09 May 2004 10:53:01 -0200
X-Sender: mailer[at]hotmail.com
X-Apparently-To: cyclization[at]yahoogroups.com
From: "Norton E-mail Gateway" <mailer[at]hotmail.com>
To: <coxeagle[at]chattanooga.net>
Subject: MSN Status: Error connecting to host yahoo.com
Date: Sun, 09 May 2004 07:53:01 -0500
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000_00JM_06B7610YZ_02X.928X83P0"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: AcQwQjF9bDLVYxsoS6yH1aKBtjW/3w==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
X-Yahoo-Profile: coordinators
Mailing-List: list electrofishing[at]yahoogroups.com; contact shed-owner[at]yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:tussucks-unsubscribe[at]yahoogroups.com>
Message-Id: <20040508125126.C9141347A[at]mta326.mail.scd.yahoo.com>
In-Reply-To: <20040330185343.5456B3965[at]sitemail.everyone.net>
X-pstn-levels: (S: 8.17002/99.40117 R:95.9108 P:95.7665 M:100.0000 C:87.1170 )
X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade1
X-spam-Level: *
X-spam-Status: hits=1.1 tests=BIZ_TLD,HTML_70_80,HTML_MESSAGE, MIME_BOUND_NEXTPART version=2.63
X-SpamCop-Checked: 192.168.1.105 216.154.195.36 192.168.1.101 66.129.1.5 12.158.38.151 69.40.67.169
X-SpamCop-Disposition: Blocked bl.spamcop.net

This is a multi-part message in MIME format.

------=_NextPart_000_00JM_06B7610YZ_02X.928X83P0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_00YF_04H3140FP_01H.982H41E0"

------=_NextPart_000_00YF_04H3140FP_01H.982H41E0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Your mailer do not support HTML messages. Switch to a better mailer.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)
[snip]
-----END PGP SIGNATURE-----

------=_NextPart_000_00YF_04H3140FP_01H.982H41E0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

[snip]

------=_NextPart_000_00YF_04H3140FP_01H.982H41E0--

------=_NextPart_000_00JM_06B7610YZ_02X.928X83P0
Content-Type: image/gif; name="image001.gif"
Content-Transfer-Encoding: base64
Content-ID: <image001.gif[at]01C431CF.EDE0F1F0>

[mega-snip]

------=_NextPart_000_00JM_06B7610YZ_02X.928X83P0--
Spambo Posted May 9, 2004

> I'm a SpamCop mail-system user and I've got a bunch of what appear to be bounces in my held mail, but looking at them, it appears that there is spam in them... but the subject doesn't make sense as a legitimate bounce, so it almost looks to me like the spammers have gotten smarter and realized that we can't report bounces here.... Wondering if it's a legit bounce, and if not, can we report it? [snip]

No, according to SpamCop's TOS bounces (even bogus bounces) can't be reported through SpamCop. I'm seeing a lot of fake bounces at addresses that aren't reported to anyone except for the FTC. I suspect that the bogus bounces aren't coming because they can't be reported through SpamCop; rather, they're coming because people have a tendency to open undelivered email notices to see what bounced, and this allows spammy's garbage to be seen when it would otherwise be deleted unread.
dra007 Posted May 9, 2004

The attachment looks suspicious too...could be a hidden virus.
mrmaxx Posted May 9, 2004

> No, according to SpamCop's TOS bounces (even bogus bounces) can't be reported through SpamCop. I'm seeing a lot of fake bounces at addresses that aren't reported to anyone except for the FTC. I suspect that the bogus bounces aren't coming because they can't be reported through SpamCop; rather, they're coming because people have a tendency to open undelivered email notices to see what bounced, and this allows spammy's garbage to be seen when it would otherwise be deleted unread.

I think that's just wrong... I think fake bounces (at least obviously fake bounces) should be reportable.
mrmaxx Posted May 9, 2004

> The attachment looks suspicious too...could be a hidden virus.

Well, it's possible, but I doubt it... typically a virus isn't going to be labeled as JUST a GIF file; it's going to be named something like "image01.gif.pif" or something like that...
ortonmc Posted May 9, 2004

> I'm a SpamCop mail-system user and I've got a bunch of what appear to be bounces in my held mail, but looking at them, it appears that there is spam in them... but the subject doesn't make sense as a legitimate bounce, so it almost looks to me like the spammers have gotten smarter and realized that we can't report bounces here.... Wondering if it's a legit bounce, and if not, can we report it? Here's a sample message:

I got 14 of those things. The ones I got are obviously not real bounces, because the bounces are addressed to somebody else, BCC'd to me.

> The attachment looks suspicious too...could be a hidden virus.

No, it's just the GIF containing the advertisement. (Generic Viagra, yada yada yada.)
Spambo Posted May 9, 2004

> I think that's just wrong... I think fake bounces (at least obviously fake bounces) should be reportable.

I don't disagree, but a couple of factors should be considered. SpamCop, or any other online service, has every right to determine what they will or will not process. Bounces can, and often do, contain two sets of headers; how would you suggest the parser determine which set of headers to analyze? A spammer could be sending fake bounces direct-to-MX (with forged headers in the bounce body), or they could be using a legitimate server to bounce spams, which includes the true source's headers in the message body.
eric Posted May 9, 2004

> I think that's just wrong... I think fake bounces (at least obviously fake bounces) should be reportable.

> A spammer could be sending fake bounces direct-to-MX (with forged headers in the bounce body), or they could be using a legitimate server to bounce spams which includes the true source's headers in the message body.

This is the most important reason of all! The only reason that SpamCop reports have any credibility is that the analysis ignores the SMTP headers which are easily and routinely faked. Anything in the body of the email, specifically the supposed headers of the email which supposedly bounced, is easily faked and cannot be trusted. It's another way to "Joe-Job" someone using the faked headers in the bounced message. So a fake bounce is a wonderful way for the spammer to double his pleasure, double his fun:

1) any SpamCop reports using the headers of the "bounced" message are likely to report an innocent party, poor Joe
2) the credibility of SpamCop reports suffers

And, as has been pointed out already:

3) users who would never open an email with a subject containing "V1[at]GRA" are more likely to open a NDN to see if one of their messages bounced, thereby triggering web bugs and other such. No more practicing Safe Email.
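To make the two-header-set problem from the last two posts concrete, here is an added example that is neither SpamCop's parser nor code from this thread. It judges a suspected bounce from its outer headers only, never from headers quoted in the body, and flags the tells raised above (no proper delivery-status report, and addressed to someone other than the Delivered-To recipient). The trusted-relay set, addresses and IPs are constructed placeholders.

```python
# Added example (not SpamCop's code): classify a suspected bounce using only
# the outer headers, ignoring the second set of headers carried in the body.
import email
import re
from email import policy

# Constructed sample modelled on the message quoted in this thread; all
# addresses and IPs are placeholders. A forged "original" header sits in the body.
FAKE_BOUNCE = """\
Return-Path: <mailer@example.invalid>
Delivered-To: victim@example.invalid
Received: from mailgate.example.invalid (192.0.2.5) by mx.example.invalid with SMTP; Sun, 09 May 2004 08:57:41 -0400
Received: from source ([203.0.113.7]) by mailgate.example.invalid with SMTP; Sun, 09 May 2004 05:54:05 PDT
From: "Norton E-mail Gateway" <mailer@example.invalid>
To: <someone-else@example.invalid>
Subject: MSN Status: Error connecting to host yahoo.com
Content-Type: text/plain

Your message could not be delivered. The original headers were:
Received: from innocent-host.example.invalid ([198.51.100.9]) by relay.example.invalid
"""

TRUSTED_RELAYS = {"192.0.2.5"}  # assumed: our own relay, walked past
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

def first_untrusted_hop(msg):
    """Newest Received first; the first IP that is not our own relay is the source."""
    for hop in msg.get_all("Received", []):
        for ip in IP_RE.findall(hop):
            if ip not in TRUSTED_RELAYS:
                return ip
    return None

def is_real_dsn(msg):
    """A genuine delivery status notification (RFC 3464) is multipart/report."""
    return (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "delivery-status")

def delivered_to_mismatch(msg):
    """Real bounces return to the sender; the fakes here reach the victim via Bcc."""
    delivered = (msg["Delivered-To"] or "").strip().lower()
    visible = " ".join(str(h) for h in (msg["To"], msg["Cc"]) if h).lower()
    return bool(delivered) and delivered not in visible

def classify(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    real = is_real_dsn(msg)
    mismatch = delivered_to_mismatch(msg)
    return {"source_ip": first_untrusted_hop(msg), "real_dsn": real,
            "to_mismatch": mismatch, "fake_bounce": not real and mismatch}
```

Note that the body's 198.51.100.9 never surfaces as the source; only the outer chain is walked.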
Stan_qaz Posted May 9, 2004

Some mail checking programs also send fake bounces to the forged return addresses on spam, which makes this problem worse.
petzl Posted May 9, 2004

Sample of forged bounce; this was not bounced to my email address. (To download, right-click and save to folder. File name is "MSN ServerMessage Delivery Failure.eml".) :angry: To view you will need to "Right Click" mouse, save as file and use Outlook Express to view (drugs spam). SpamCop reporting diagnoses this as a bounce (it was blocked by SCBL). This email is as I saved it; it is in HTML (has been scanned by Mail server and Norton latest definitions). So it shows that SpamCop is doing some good and pays to report this spammer even if it is a personal report.