IrvSp Posted January 29, 2017

I'm getting 3 to 5 of these a day for 2 months now. They have fake YAHOO.COM e-mail addresses, the subjects are about products. Every one of them when I look at the contents are for images that have many different letter combinations but ALL have .party/ as the last part of the image location. For instance, this one:

http;\\peltbangswiestdaunt,party/up0hlwvwsaae/19915641k140e2002308/t5s0gbrvgx7j

Others inside have other confusing ones to me but do INCLUDE my e-mail address:

<img src="http;\\peltbangswiestdaunt,party/19915644k140e2002308?eb=i******@****r.com" />

I assume that is how they can track me?

A typical SpamCop report always comes back as it is coming from SERVERHUB.COM? Don't know how it made that connection? After the report is sent, I can see this on SPAMCOP:

https://www.spamcop.net/sc?id=z6354566965z58e6e1b554cd81aafb9894c99b1451dcz

The HEADER for that one is:

================
Return-Path: <yunkovalcik8829@yahoo.com>
Authentication-Results: cdptpa-imsmta06 header.DKIM-Signature=@yahoo.com; dkim=pass
Received: from [98.138.207.12] ([98.138.207.12:34600] helo=smtp105.biz.mail.ne1.yahoo.com)
 by cdptpa-imsmta06 (envelope-from <yunkovalcik8829@yahoo.com>)
 (ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ESMTPS (cipher=DHE-RSA-CAMELLIA256-SHA)
 id 0F/76-13528-E3EED885; Sun, 29 Jan 2017 13:29:34 +0000
Received: (qmail 97002 invoked from network); 29 Jan 2017 13:16:18 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1485695778;
 bh=gGfWdN6RC3yXfNbEMYT3J+OEY8eZa0S9LXQ4MtN0QVY=;
 h=Message-ID:Date:From:To:Subject:Content-Type;
 b=MITSLzafvddVfXxZCb7cwA4j2noD18AN7IoQ+1gf8W7p0zo7M1RDln3fMcaPvl9434ALsXOzCMbiMKbygmOouEW5f+TBx1pAsN9s5fRLi81qB5ktGuJO4SyxvhzZ/1gk+AtmiOWWyrUAyua/8aaPVC3lXihvbFsYPe/jBMlChno=
Message-ID: <55380.49272.qm@smtp105.biz.mail.ne1.yahoo.com>
Date: Sun, 29 Jan 2017 13:16:18 +0000 (UTC)
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: tqWQH_YVM1n8jsE2uLp2bRKDjph5McZuBA63MHzD_EY_TtK
 3x5eO5aPw53w8JZO4G4EWoyQYYmxTvWMU1I0uXo4buv4Ee0plV2JYbTIeHnU
 Opt_bzFyw8EK3urTAU2ahvEMaYVs3KkzOwCa4KlHMvev2g2Xt_XfGxNzTpI8
 cCY56Hn3Zd.fWk._MXTMtFtzI5sFSGwrd18ecUW3DbXJEWHEG83gRCePh0.I
 hT0.Ve6YOLTUPWofgYzH.VLTOoDvDuf.oz1cPPWGP5.MSsxoRB1b0wHcQkX.
 Voq6uw.XORME1VS9SwKWNUNuUHrR1Y5CotefCKcSQ8KBTUmwPF_J7Unh5McW
 a2PxjhulT3Wstmj73ULIQyQu4Zdnj4ZK8E6NmegsKYC2ryOwyBFJmdfx1hI6
 YPBvlAa4lsD1RAIo.gzeMHIKKYNAi.lznal7XEAS1XV.hgtxnMFI.if3NONn
 bKPezPEQCGcKTWpj5gXvFFLH8LScx6P96D9I4KzCbxL_DEtmUf2LP_Ux1eIj
 TQdQXLRuEv.y19UAmhqwAYGM1TRt4Tdh23QbD59mUqBAcmxOnj7IkWEjE4DA
 -
X-Yahoo-SMTP: LoI572yswBCSbUI_5YkmxJmLSAqIHsv.SzvTWEeVrl.eSN.23aXFE9aQAQqZOiS5QKhCox0-
From: Senior Living <yunkovalcik8829@yahoo.com>
To: ispalten@cfl.rr.com
Subject: Looking for 55+ living in 2017?
Content-Type: text/html; charset=UTF-8
X-Authority-Analysis: v=2.1 cv=WtfWSorv c=1 sm=1 tr=0 a=IXwzD+xon/F+YVC+ra/VSA==:117 a=L9H7d07YOLsA:10 a=9cW_t1CCXrUA:10 a=s5jvgZ67dGcA:10 a=IkcTkHD0fZMA:10 a=79YnABSCSewA:10 a=IgFoBzBjUZAA:10 a=FD_G_oyTAAAA:8 a=ayC55rCoAAAA:8 a=fhRY4CD02UBmV23WEHMA:9 a=QEXdDO2ut3YA:10 a=-FEs8UIgK8oA:10 a=NWVoK91CQyQA:10 a=jf6ifqx8wrbFtL1ejoTd:22 a=B_RyunTPg8udlmYm5Cu2:22
X-Cloudmark-Score: 0
X-RR-Connecting-IP: 107.14.168.212:25
=================

Body contains:

=============
<center>
<a href="http://robhelzlattmoor.party/cdo8ihcq5gai/19915506a176o1118741/k779tlpvbmwx">
<img src="http://robhelzlattmoor.party/lfyi137qxx3f/mT/g1aa5ie3k95c" border="0" />
</a>
<br />
<a href="http://robhelzlattmoor.party/bge3j39ogj6a/19915507a176o1118741/k0o8j79nl86x">
<img src="http://robhelzlattmoor.party/9fs59t0qbwrv/6l/59neeq17kf67" border="0" />
</a>
<img src="http://robhelzlattmoor.party/415501a176o1118741.gif" />
<img src="http://robhelzlattmoor.party/19915508a176o1118741?eb=i*******@*****.com" />
<img src="http://robhelzlattmoor.party/19915509a176o1118741?eb=i*******@*****.com" />
<img src="http://robhelzlattmoor.party/19915510a176o1118741?eb=i*******@*****.com" />
<img src="http://robhelzlattmoor.party/19915511a176o1118741?eb=i*******@*****.com" />
<img src="http://robhelzlattmoor.party/19915512a176o1118741?eb=i*******@*****.com" />
<img src="http://robhelzlattmoor.party/19915513a176o1118741?eb=i*******@*****.com" />
<img src="http://robhelzlattmoor.party/19915514a176o1118741?eb=i*******@*****.com" />
<img src="http://robhelzlattmoor.party/19915515a176o1118741?eb=i*******@*****.com" />
==============

So basically I have 2 questions?

1) How does this all translate into SERVERHUB.COM as the 'sender' to be reported to?

2) Why are the reports being ignored?

I've even used my ISP's spam REPORTING and it still had not stopped? My ISP does have spam Filters, but only back on FROM and blocking all YAHOO.COM doesn't help me.
Lking Posted January 30, 2017

Welcome to the SpamCop forum.

Please note that I have broken the first link in your post. Not knowing what the spammer now has at the end of this link OR may have in the future, I do not want to follow the link. Nor does SpamCop want to have what may be a poisonous link in this forum that some visitor could follow to disastrous results. We do not want a link on this forum to assist a spammer in getting better SEO ratings by having references to their domain.

Thank you for providing a Tracking URL as an example of the spam you are addressing. By providing the Tracking URL, all of us can see the spam, and how the SpamCop parser processed your submission, without you copying the spam into your post. I notice the spam cut/pasted into your post is not the same as the Tracking URL.

8 hours ago, IrvSp said:
1) How does this all translate into SERVERHUB.COM as the 'sender' to be reported to?

If you will look near the bottom of the results of parsing the spam you will see:

Quote:
Tracking link: http://robhelzlattmoor.party/cdo8ihcq5gai/19915506a176o1118741/k779tlpvbmwx
[report history]
Host robhelzlattmoor.party (checking ip) = 104.140.17.220
Resolves to 104.140.17.220
Routing details for 104.140.17.220
Using smaller IP block (/ 11 vs. / 16 )
Removing 1 larger (> / 11 ) route(s) from cache
[refresh/show] Cached whois for 104.140.17.220 : noc@serverhub.com
Using abuse net on noc@serverhub.com
abuse net serverhub.com = admin@serverhub.com, postmaster@serverhub.com
Using best contacts admin@serverhub.com postmaster@serverhub.com
admin@serverhub.com redirects to spamcop@serverhub.com
postmaster@serverhub.com redirects to spamcop@serverhub.com

Which explains why reports were sent to SERVERHUB.COM, because they host a link included in the body of the spam, not because they sent the spam.
Looking at the bottom of the results you will see:

Quote:
Re: 98.138.207.12 (Administrator of network where email originates)
Internal spamcop handling: (yahoo)

Which tells us that the IP address where the spam originated is controlled by Yahoo, and SpamCop does not send them spam reports.

8 hours ago, IrvSp said:
2) Why are the reports being ignored?

Because they are spammers and they don't care.
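Added example, not part of the thread and not SpamCop's parser: a simplified Python sketch of the two separate things the answer above distinguishes, the IP that handed the message to the recipient's server (from the topmost Received header) and the hosts that serve the links in the body, plus a check for image URLs that carry the recipient's address. The sample message is constructed; its sender, recipient and link host are placeholders, and the DNS and whois lookups SpamCop performs are left out so the code runs offline.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed sample modelled on the quoted spam; sender, recipient and
# link host are placeholders, not values from the thread.
SAMPLE = """\
Return-Path: <sender@yahoo.com>
Received: from [98.138.207.12] ([98.138.207.12:34600] helo=smtp105.biz.mail.ne1.yahoo.com)
 by cdptpa-imsmta06 with ESMTPS; Sun, 29 Jan 2017 13:29:34 +0000
Received: (qmail 97002 invoked from network); 29 Jan 2017 13:16:18 -0000
From: Senior Living <sender@yahoo.com>
To: user@example.com
Content-Type: text/html; charset=UTF-8

<center><a href="http://links.example/aaa/111/bbb">
<img src="http://links.example/ccc/dd/eee" border="0" /></a>
<img src="http://links.example/19915508?eb=user@example.com" /></center>
"""

class LinkCollector(HTMLParser):
    """Collect (tag, url) for every <a href> and <img src> in the body."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        want = {"a": "href", "img": "src"}.get(tag)
        self.urls += [(tag, v) for k, v in attrs if k == want and v]

def analyse(raw):
    msg = message_from_string(raw)
    # The topmost Received line is added by the recipient's own server, so its
    # peer IP is the trustworthy origin; lower Received lines can be forged.
    top = msg.get_all("Received", [""])[0]
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", top)
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    hosts, beacons = set(), []
    for tag, url in collector.urls:
        parts = urlsplit(url)
        if parts.hostname:
            hosts.add(parts.hostname)
        # An <img> URL carrying the recipient address confirms who opened it.
        if tag == "img" and rcpt in (v.lower() for _, v in parse_qsl(parts.query)):
            beacons.append(url)
    return {"source_ip": m.group(1) if m else None,
            "link_hosts": sorted(hosts), "beacons": beacons}
```

The source IP and the link hosts usually belong to different networks, which is why one message can produce reports to more than one abuse contact.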
IrvSp Posted March 1, 2017

Well, something must have got to them? About a week ago it stopped.... 2 weeks ago I started sending them to my ISP's spam Handler... well it was short lived... started up again yesterday.

About all I can tell is they changed the end part of the URL from .party/ to .stream/.

I guess it is hard to stop whomever it is? Shut them down and they come right back... Sigh...

On 1/29/2017 at 7:09 PM, Lking said:
Because they are spammers and they don't care.

Surely there must be a way? Even adding SERVERHUB to a black list maybe?
IrvSp Posted March 1, 2017

I looked at a few of these today. All have the SAME info at the bottom. Yes, I know it is part of the JPG it seems, and it does link off to a slightly different ending on the URL line, but I googled part of it, "8123 Interport Blvd Englewood, CO 80112" and added spam to it.

I was SURPRISED at all the HITS I got... it seems to be the 'home' for many different companies posting. Why can't this information help stop this? Of course that link it does go to might not be them at all either???
petzl Posted March 2, 2017

On 30/01/2017 at 2:12 AM, IrvSp said:
I'm getting 3 to 5 of these a day for 2 months now.
==============
So basically I have 2 questions?
1) How does this all translate into SERVERHUB.COM as the 'sender' to be reported to?
2) Why are the reports being ignored?
I've even used my ISP's spam REPORTING and it still had not stopped? My ISP does have spam Filters, but only back on FROM and blocking all YAHOO.COM doesn't help me.

SpamCop reporting addresses I see often as a legacy issue and are set in mud (ignored/old defunct reporting addresses)

https://www.spamcop.net/sc?id=z6354566965z58e6e1b554cd81aafb9894c99b1451dcz

98.138.207.12 : abuse [at] yahoo-inc.com is sent to yahoo [at] admin.spamcop.net
104.140.17.220 : noc [at] serverhub.com is sent to spamcop [at] serverhub.com

You need to use SpamCop to "clue" one in as to IP source, then check abuse addresses with a "who is" program like "IPNetInfo" and send from the email it was sent to (some have privacy concerns in doing this). Also submit from SpamCop.
This topic is now archived and is closed to further replies.