IrvSp
Posted July 6, 2017

I keep getting stuff 2 or 3 a day. SPAMCOP reports go into DEVNULL so it probably is worthless reporting it? Spammer does use other ISP occasionally.

The header IS forged like this from a few from last week:

Received: from [220.127.116.11] ([18.104.22.168:60440] helo=cystolgrantlamhell.com)
Received: from [22.214.171.124] ([126.96.36.199:44809] helo=mcmarsbachmcguizeshunt.com)
Received: from [188.8.131.52] ([184.108.40.206:36534] helo=rochstaeusstritrelph.com)
Received: from [220.127.116.11] ([18.104.22.168:39204] helo=kraekdorfhmonsgermfeldt.com)
Received: from [22.214.171.124] ([126.96.36.199:33696] helo=chuchtabhywzornfrees.com)
Received: from [188.8.131.52] ([184.108.40.206:41478] helo=moanpeakjezshiftbrook.com
Received: from [220.127.116.11] ([18.104.22.168:55850] helo=lomslncermannlouan.com)
Received: from [22.214.171.124] ([126.96.36.199:55391] helo=labwetchquicjel.com)
Received: from [188.8.131.52] ([184.108.40.206:50110] helo=kraekdorfhmonsgermfeldt.com)
Received: from [220.127.116.11] ([18.104.22.168:38151] helo=skeadungthiefjephiatt.com)

The root problem is that I don't know what the payload is? I get 2 types, the BITLY and the ones I can't even figure out? BITLY is just a link. The few times I used the iPad to see it, it was something to purchase and appeared to be a real PNG copied over, but those links using the PNG links on it also appeared to be real? Couldn't really tell as I never took any. Suspect they are using the 'from' to get a partial cent for referring you to the site.

The worrisome one is this, from the last line email above in RED:

============
<a href="http://spurtvilsnogdpierdrach.tk/20629772k77f1449977?sf=5836412,2645245,3166672547,1538181&eb=my email address">
<img src="http://spurtvilsnogdpierdrach.tk/images/6633815925.png" border="0" />
</a>
==========

I know from the last line above it translates into 22.214.171.124 where it will go to.

However what exactly is the rest of the line, 20629772k77f1449977?sf=5836412,2645245,3166672547,1538181&eb=my email address, and why is my e-mail address on it? I can't find ANY information on that? Since it is in HTML code, when Thunderbird sucks it in it will basically execute that code, and I'll see the PNG file. I'm worried about some malware coming in with it due to the href?
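An added example, not part of the original post: one way to inspect an HTML body like the one quoted above without rendering it, listing every URL it references and flagging query parameters that carry the recipient's address. The host `tracker.example`, the address `user@example.com` and the names `RemoteRefs` and `audit` are assumptions made for illustration; the path and `sf`/`eb` parameters follow the shape of the quoted snippet.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample shaped like the snippet in the post (placeholder host and address).
RECIPIENT = "user@example.com"
SAMPLE_HTML = (
    '<a href="http://tracker.example/20629772k77f1449977'
    '?sf=5836412,2645245,3166672547,1538181&eb=user@example.com">'
    '<img src="http://tracker.example/images/6633815925.png" border="0" /></a>'
)


class RemoteRefs(HTMLParser):
    """Collect link targets (a href) and remote images (img src) without fetching them."""

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (kind, url)

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "a" and attr.get("href"):
            self.refs.append(("link", attr["href"]))
        elif tag == "img" and attr.get("src"):
            self.refs.append(("image", attr["src"]))


def audit(html, recipient):
    """Return one finding per referenced URL, parsed into host, path and parameters."""
    parser = RemoteRefs()
    parser.feed(html)
    findings = []
    for kind, url in parser.refs:
        parts = urlsplit(url)
        params = parse_qsl(parts.query, keep_blank_values=True)
        findings.append({
            "kind": kind,
            "host": parts.hostname,
            "path": parts.path,
            "params": params,
            # Parameters whose value contains the recipient's own address.
            "recipient_in": [k for k, v in params if recipient.lower() in v.lower()],
            # An image is requested when the client loads remote content;
            # a link is requested only when it is clicked.
            "fetched_on_render": kind == "image",
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HTML, RECIPIENT):
        print(finding)
```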
This topic is now archived and is closed to further replies.