
Possible forgery


mrmaxx


I'm a SpamCop mail-system user and I've got a bunch of what appear to be bounces in my held mail, but looking at them, it appears that there is spam in them... but the subject doesn't make sense as a legitimate bounce, so it almost looks to me like the spammers have gotten smarter and realized that we can't report bounces here.... Wondering if it's a legit bounce, and if not, can we report it? Here's a sample message:

Return-Path: <mailer[at]hotmail.com>
Delivered-To: spamcop-net-mrmaxx[at]spamcop.net
Received: (qmail 14040 invoked from network); 9 May 2004 12:57:41 -0000
Received: from unknown (HELO c60.cesmail.net) (192.168.1.105)
by blade1.cesmail.net with SMTP; 9 May 2004 12:57:41 -0000
Received: from mailgate.cesmail.net (216.154.195.36)
by c60.cesmail.net with SMTP; 09 May 2004 08:57:41 -0400
X-Ironport-AV: i="3.80,98,1081137600";
d="scan'217,208?gif'217,208,147"; a="59143976:sNHT52405404"
Received: (qmail 26795 invoked from network); 9 May 2004 12:57:40 -0000
Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101)
by mailgate.cesmail.net with SMTP; 9 May 2004 12:57:40 -0000
Received: from mail.chattanooga.net [66.129.1.5]
by mailgate.cesmail.net with POP3 (fetchmail-6.2.1)
for mrmaxx[at]spamcop.net (single-drop); Sun, 09 May 2004 08:57:40 -0400 (EDT)
Received: from psmtp.com (exprod7mx11.postini.com [12.158.38.151])
by mail.chattanooga.net (8.12.8/8.12.8) with SMTP id i49CsMfX023479;
Sun, 9 May 2004 08:54:22 -0400
Received: from source ([69.40.67.169]) by exprod7mx11.postini.com ([12.158.38.251]) with SMTP;
Sun, 09 May 2004 05:54:05 PDT
X-McAfeeVS-TimeoutProtection: 0
Received: from 160.156.124.146
X-eGroups-Return: sentto-6006413-12636-7863170432-coxeagle[at]chattanooga.net[at]returns.groups.yahoo.com
Received: from syndicalisms (75-ANV.yahoo.com [208.218.48.64)
by mta326.mail.scd.yahoo.com (Postfix) with ESMTP id C6562347A
for <coxeagle[at]chattanooga.net>; Sun, 09 May 2004 10:53:01 -0200
X-Sender: mailer[at]hotmail.com
X-Apparently-To: cyclization[at]yahoogroups.com
From: "Norton E-mail Gateway" <mailer[at]hotmail.com>
To: <coxeagle[at]chattanooga.net>
Subject: MSN Status: Error connecting to host yahoo.com
Date: Sun, 09 May 2004 07:53:01 -0500
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_NextPart_000_00JM_06B7610YZ_02X.928X83P0"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: AcQwQjF9bDLVYxsoS6yH1aKBtjW/3w==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
X-Yahoo-Profile: coordinators
Mailing-List: list electrofishing[at]yahoogroups.com; contact shed-owner[at]yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:tussucks-unsubscribe[at]yahoogroups.com>
Message-Id: <20040508125126.C9141347A[at]mta326.mail.scd.yahoo.com>
In-Reply-To: <20040330185343.5456B3965[at]sitemail.everyone.net>
X-pstn-levels: (S: 8.17002/99.40117 R:95.9108 P:95.7665 M:100.0000 C:87.1170 )
X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade1
X-spam-Level: *
X-spam-Status: hits=1.1 tests=BIZ_TLD,HTML_70_80,HTML_MESSAGE,
MIME_BOUND_NEXTPART version=2.63
X-SpamCop-Checked: 192.168.1.105 216.154.195.36 192.168.1.101 66.129.1.5 12.158.38.151 69.40.67.169
X-SpamCop-Disposition: Blocked bl.spamcop.net

This is a multi-part message in MIME format.

------=_NextPart_000_00JM_06B7610YZ_02X.928X83P0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_00YF_04H3140FP_01H.982H41E0"

------=_NextPart_000_00YF_04H3140FP_01H.982H41E0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit

Your mailer do not support HTML messages. Switch to a better mailer.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)

iD8DBQFAk9uTqH6NtwbH1FARAuaTAJ0erO4hUhVjiwosDk7dLvy7s4VTeQCeJuQF
YrgfFpQBmN2lfLXxxcZosIw=
=d5JJ
-----END PGP SIGNATURE-----

------=_NextPart_000_00YF_04H3140FP_01H.982H41E0
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-mic=
rosoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word=
" xmlns=3D"http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3DContent-Type content=3D"text/html; charset=3Dus-ascii">=
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
span.EstiloDeEmail17
{mso-style-type:personal-compose;
font-family:Arial;
color:windowtext;}
[at]page Section1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=3DPT-BR link=3Dblue vlink=3Dpurple>
<div class=3DSection1>
<p class=3DMsoNormal><font size=3D2 face=3DArial><span style=3D'font-size:=
10.0pt;
font-family:Arial'>Hello,<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3DArial><span style=3D'font-size:=
10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3DArial><span style=3D'font-size:=
10.0pt;
font-family:Arial'><img width=3D449 height=3D219 id=3D"_x0000_i1025"
src=3D"cid:image001.gif[at]01C431CF.EDE0F1F0"><o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 face=3DArial><span style=3D'font-size:=
10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><b><font size=3D2 face=3DArial><span lang=3DEN-US
style=3D'font-size:10.0pt;font-family:Arial;font-weight:bold'><a
href=3D"http://genericpharmacies.biz/?affiliate_id=3D233778&campaign_i=
d=3D21001"
title=3D"http://genericpharmacies.biz/?affiliate_id=3D233778&campaign_=
id=3D21001">Go
there</a><o:p></o:p></span></font></b></p>
<p class=3DMsoNormal><b><font size=3D2 face=3DArial><span lang=3DEN-US
style=3D'font-size:10.0pt;font-family:Arial;font-weight:bold'><o:p> <=
/o:p></span></font></b></p>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span lang=3D=
EN-US
style=3D'font-size:12.0pt'>preassigns recappable emf q
televisesdomiciliating scarierswallowtailruggeder treeless repristination =
remints<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span lang=3D=
EN-US
style=3D'font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span lang=3D=
EN-US
style=3D'font-size:12.0pt'>Best regards,<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span lang=3D=
EN-US
style=3D'font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span lang=3D=
EN-US
style=3D'font-size:12.0pt'>Madeline<o:p></o:p></span></font></p>
</div>
</body>
</html>

------=_NextPart_000_00YF_04H3140FP_01H.982H41E0--

------=_NextPart_000_00JM_06B7610YZ_02X.928X83P0
Content-Type: image/gif;
name="image001.gif"
Content-Transfer-Encoding: base64
Content-ID: <image001.gif[at]01C431CF.EDE0F1F0>

R0lGODlhwQHbALMAAP///wAA//8AAAAAADMz/5mZ/2Zm/8zM/////wAAAAAAAAAAAAAAAAAAAAAA
AAAAACH5BAUUAAgALAAAAADBAdsAAAT/EMhJq7046827/2AojmRpnmiqrmzrvnAsz3Rt33iu73zv
/8CgcEgsGo/IpHLJbDqf0Kh0Sq1ar9isdsvteqeGgdggEU/MALF6QAmPy2z44bKew8/s9ZqiV6fj
f3B7Em5idn0WiIJ+dxOFZH+DAIUDdl+XmDVoBWZogZ8Vm51xhnSkgJ6eoKZ8qKcWYXMHaKqJcZyv
ALO5n7irhJW6tZnExSiclnjKvwDIts0DBRexErOQqYDMrduNw8Pay5/Yjc6h2Y3G6eon3+PM7dHf
q7Su3Biq7t76Gvn14ufo8ACUt65gQXh6FtEzxejZMncBHSqkN2hXqYkOOV27tVCbIovB/yIaHLkO
3sOBACOFgWSOG0RwAftdACkNZqSGiv6xskCTpE+fJruhNDUnqNBwNvH5I2hRpL1tu07unNnwp9V0
5ex1pJD1ZM020SRoRKeUXzaZZp0iXcappqhkatdenYtJVJ6lKe2CCuqpLbSvSc/itTVnbOCpW/Xq
KzxgI93HXwq5xStpkprJcgUZSPaoZYayQiWtYZkzc99RYMVMFq2GdErIsGPLnk27tu3buHPr3s27
t+/fwIMLH068uPHjyJMrX868ufPn0KNLn069uvXr2LNr3869u/fv4MOLH0++vPnz6NOrX8++vfv3
8OPLn0+/vv37+H0YCMCfJf//AUjAX/9N/AkIYIAAHEjABAU6wh8BLElAQACWHBDAgg0aiGAb//kH
4IIU/DfCfgFE6CCEDAI4wQEgpqgFiSWmqGKCARCI4IE3fuiigxeayCOKNIaYYZAVZAjjZiCw2N80

[mega-snip]

------=_NextPart_000_00JM_06B7610YZ_02X.928X83P0--


I'm a SpamCop mail-system user and I've got a bunch of what appear to be bounces in my held mail, but looking at them, it appears that there is spam in them... but the subject doesn't make sense as a legitimate bounce, so it almost looks to me like the spammers have gotten smarter and realized that we can't report bounces here.... Wondering if it's a legit bounce, and if not, can we report it? [snip]

No, according to SpamCop's TOS bounces (even bogus bounces) can't be reported through SpamCop.

I'm seeing a lot of fake bounces at addresses that aren't reported to anyone except for the FTC. I suspect that the bogus bounces aren't coming because they can't be reported through SpamCop, rather they're coming because people have a tendency to open undelivered email notices to see what bounced and this allows spammy's garbage to be seen when it would otherwise be deleted unread.


No, according to SpamCop's TOS bounces (even bogus bounces) can't be reported through SpamCop.

I'm seeing a lot of fake bounces at addresses that aren't reported to anyone except for the FTC. I suspect that the bogus bounces aren't coming because they can't be reported through SpamCop, rather they're coming because people have a tendency to open undelivered email notices to see what bounced and this allows spammy's garbage to be seen when it would otherwise be deleted unread.

I think that's just wrong... I think fake bounces (at least obviously fake bounces) should be reportable.


The attachment looks suspicious too...could be a hidden virus.

Well, it's possible, but I doubt it... typically a virus isn't going to be labeled as JUST a GIF file, it's going to be named something like "image01.gif.pif" or something like that... :)


I'm a SpamCop mail-system user and I've got a bunch of what appear to be bounces in my held mail, but looking at them, it appears that there is spam in them... but the subject doesn't make sense as a legitimate bounce, so it almost looks to me like the spammers have gotten smarter and realized that we can't report bounces here.... Wondering if it's a legit bounce, and if not, can we report it? Here's a sample message:

I got 14 of those things. The ones I got are obviously not real bounces, because the bounces are addressed to somebody else, BCC'd to me.

The attachment looks suspicious too...could be a hidden virus.

No, it's just the GIF containing the advertisement. (Generic Viagra, yada yada yada.)


I think that's just wrong... I think fake bounces (at least obviously fake bounces) should be reportable.

I don't disagree, but a couple of factors should be considered.

  • SpamCop, or any other online service, has every right to determine what they will or will not process.
  • Bounces can, and often do, contain two sets of headers; how would you suggest the parser determine which set of headers to analyze?
    A spammer could be sending fake bounces direct-to-MX (with forged headers in the bounce body), or they could be using a legitimate server to bounce spams which includes the true source's headers in the message body.


I think that's just wrong... I think fake bounces (at least obviously fake bounces) should be reportable.

A spammer could be sending fake bounces direct-to-MX (with forged headers in the bounce body), or they could be using a legitimate server to bounce spams which includes the true source's headers in the message body.

This is the most important reason of all! The only reason that SpamCop reports have any credibility is that the analysis ignores the SMTP headers which are easily and routinely faked. Anything in the body of the email, specifically the supposed headers of the email which supposedly bounced, are easily faked and cannot be trusted. It's another way to "Joe-Job" someone using the faked headers in the bounced message.

So a fake bounce is a wonderful way for the spammer to double his pleasure, double his fun:

  • 1) any SpamCop reports using the headers of the "bounced" message are likely to report an innocent party, poor Joe
  • 2) the credibility of SpamCop reports suffers

And, as has been pointed out already:

  • 3) users who would never open an email with a subject containing "V1[at]GRA" are more likely to open a NDN to see if one of their messages bounced, thereby triggering web bugs and other such. No more practicing Safe Email.

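The two points made above (a bounce can carry two sets of headers, and only the headers written by relays you control can be trusted) can be made concrete in code. What follows is an added example, not code from anyone in this thread and not SpamCop's parser. It treats a constructed list of relay networks (taken from the hosts in mrmaxx's sample) as trusted, walks the Received: chain newest-first until the first peer outside those networks, and never reads header-like text in the body; it also checks whether a message whose Subject claims a delivery problem actually has the structure of a real DSN (multipart/report with report-type=delivery-status). Both sample messages are constructed: one is the thread's fake bounce condensed to its headers and MIME skeleton, the other a made-up genuine DSN using RFC 5737 documentation addresses.

```python
# Added example (not code from this thread or from SpamCop): walk the Received:
# chain through relays we trust, stop at the first outside peer, and never read
# header-like text carried in the body of a "bounce".
import re
from email import message_from_bytes, policy
from ipaddress import ip_address, ip_network

# Relays whose Received: lines we trust: cesmail.net internal hops, mailgate.cesmail.net,
# mail.chattanooga.net, postini. Constructed from the thread's sample; a real
# deployment lists its own MXs and relays.
TRUSTED_NETS = [ip_network(n) for n in (
    "192.168.0.0/16", "216.154.195.36/32", "66.129.1.5/32", "12.158.38.0/24")]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def peer_ip(received):
    """Sending peer's address in one Received: value, or None if it names none."""
    # Only the 'from ...' clause describes the peer; ' by ...' names the receiver.
    from_clause = re.split(r"\s+by\s+", str(received), maxsplit=1)[0]
    m = IPV4.search(from_clause)
    try:
        return ip_address(m.group(1)) if m else None
    except ValueError:            # e.g. an octet above 255
        return None


def find_injection_point(raw):
    """Newest Received: first: pass through our own relays and stop at the first
    peer that is not ours. Lines below it were written by the sender and are as
    unverifiable as headers quoted inside the body."""
    msg = message_from_bytes(raw, policy=policy.default)
    checked = []
    for hdr in msg.get_all("Received", []):   # top-level headers only
        ip = peer_ip(hdr)
        if ip is None:                         # e.g. '(qmail ... invoked from network)'
            continue
        checked.append(str(ip))
        if not any(ip in net for net in TRUSTED_NETS):
            return str(ip), checked
    return None, checked                       # message never left our own relays


def is_real_dsn(raw):
    """A genuine bounce (RFC 3464) is multipart/report with report-type=delivery-status."""
    msg = message_from_bytes(raw, policy=policy.default)
    return (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type") or "").lower() == "delivery-status")


def looks_like_fake_bounce(raw):
    """Subject advertises a delivery problem but the structure is not a DSN."""
    subject = str(message_from_bytes(raw, policy=policy.default)["Subject"] or "").lower()
    claims = any(w in subject for w in ("undeliver", "delivery", "returned mail", "error connecting"))
    return claims and not is_real_dsn(raw)


# Constructed sample 1: the thread's fake bounce, condensed to its Received: chain
# and MIME skeleton. The three Received: lines after 69.40.67.169 were added by the sender.
FAKE_BOUNCE = b"""\
Received: (qmail 14040 invoked from network); 9 May 2004 12:57:41 -0000
Received: from unknown (HELO c60.cesmail.net) (192.168.1.105)
  by blade1.cesmail.net with SMTP; 9 May 2004 12:57:41 -0000
Received: from mailgate.cesmail.net (216.154.195.36) by c60.cesmail.net with SMTP
Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101) by mailgate.cesmail.net with SMTP
Received: from mail.chattanooga.net [66.129.1.5] by mailgate.cesmail.net with POP3 (fetchmail-6.2.1)
Received: from psmtp.com (exprod7mx11.postini.com [12.158.38.151])
  by mail.chattanooga.net (8.12.8/8.12.8) with SMTP id i49CsMfX023479
Received: from source ([69.40.67.169]) by exprod7mx11.postini.com ([12.158.38.251]) with SMTP
Received: from 160.156.124.146
Received: from syndicalisms (75-ANV.yahoo.com [208.218.48.64) by mta326.mail.scd.yahoo.com
From: "Norton E-mail Gateway" <mailer@hotmail.com>
Subject: MSN Status: Error connecting to host yahoo.com
MIME-Version: 1.0
Content-Type: multipart/related; boundary="B1"

--B1
Content-Type: text/plain; charset="us-ascii"

Your mailer do not support HTML messages. Switch to a better mailer.
--B1--
"""

# Constructed sample 2: a genuine DSN from a remote MTA (RFC 5737 test addresses)
# that quotes the original message, with its own Received: line, in the body.
REAL_DSN = b"""\
Received: from mx.example.net ([203.0.113.7]) by blade1.cesmail.net with SMTP
From: Mail Delivery System <MAILER-DAEMON@example.net>
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="R1"

--R1
Content-Type: message/delivery-status

Final-Recipient: rfc822; nobody@example.org
Action: failed
--R1
Content-Type: message/rfc822

Received: from [198.51.100.9] by mx.example.net with SMTP
Subject: original message

hello
--R1--
"""
```

Run against the condensed sample, the walk stops at 69.40.67.169, the same last address SpamCop listed in X-SpamCop-Checked; the 160.156.124.146 and yahoo.com lines below it are never consulted. For the genuine DSN the result is the bouncing MTA (203.0.113.7), and the 198.51.100.9 quoted inside the body is likewise ignored, which is exactly why a report built from body headers would hit the wrong party.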

Sample of forged bounce

This was not bounced to my email address. (To download, right-click and save to a folder. File name is "MSN ServerMessage Delivery Failure.eml".) :angry: To view, you will need to right-click the mouse, save as file and use Outlook Express to view the drugs spam.

SpamCop reporting diagnoses this as a bounce (it was blocked by the SCBL).

This email is as I saved it; it is in HTML (it has been scanned by the mail server and Norton's latest definitions).

So it shows that SpamCop is doing some good and pays to report this spammer even if it is a personal report
