I think someone is impersonating SpamCop emails

[stillwaters]

Hello,

I know this is going to sound strange but for the last 2 weeks I have been receiving very weird emails that say they are from SpamCop. I usually submit my reports via the email system. Sometimes I will get an email back that says "SpamCop encountered errors". These used to contain helpful info concerning a report I made. The last 2 weeks I have been receiving many "SpamCop encountered errors " that contain copies of spam emails I NEVER received and therefore NEVER reported. They all contain advertisements and also MANY links and email addresses to the following domain: dimeandfive5.com

I have tried in so many ways to contact SpamCop and received no response. If these emails are from SpamCop then there really is a serious problem because they involve the reporting of spam messages I never personally received and consequently could not have reported.

PLEASE HELP! I receive VERY MANY each day and it is ironic because it is as though I am receiving spam from SPAMCOP !!!!!!!!!!!!!!

Thank you for your help.

[Merlyn]

They are virus laden email not coming from Spamcop.

Why aren't you using a virus program? If you are it is not a good one because it is not scanning your inbound email and if it is, it is missing the virus.

[stillwaters]

Dear Merlyn,

The email address I receive communications from SpamCop is at YAHOO.

So, as I am sure you know, my virus scanner on my computer can not possibly scan Yahoo's servers. Our PC virus software can only scan the emails we download (automatically or manually) from POP/SMTP servers to our mail clients such as Outlook Express.

I am fairly up to date with current viruses and especially mailing worms. I know of none that are impersonating SpamCop.

If there is a new mailing worm targeting SpamCop than this particular one would be absolutely the most incredibly sophisticated one to date.

Thank you for your help but I do not believe that SpamCOP is infected with a mailing worm. I am sure their security measures are exceptional.

[Wazoo]

I have tried in so many ways to contact SpamCop and received no response

There really aren't that many ways to make contact, a few e-mail addresses, newsgroup postings, and these Forums. I've no knowledge of your e-mail attempts, but I can say for sure that this is the first entry of a problem such as you describe. There was a virus that made the headlines on 25/26 July that hit various search engines hard, and many, many e-mail servers, even SpamCop's own, but that wasn't "two weeks" ago, and the description of the contents was a lot different than what you're describing. A couple of these Topic discussions;

Phishing from "Spamcop Tech Support team"?

Possible forged email? noreply[at]spamcop.net

Without seeing the headers of these items, there's no way to guess from here as to what the story actually is. On one hand, if these really are error returns from the SpamCop system, perhaps there has been some kind of glitch in the user account database and you're getting someone else's stuff ... or your account has been compromised and some one is reporting their stuff for/as you .. again, headers might explain some of this ... an e-mail to service <at> admin.spamcop.net with sufficient data for Don to check out your account particulars might help.

On the other hand, perhaps you are the victim of a really, really crafty spammer, and this is something that might end up needing to be seen by Julian himself ... you'd start with providing copies of the spew to Deputies <at> admin.spamcop.net ....

Again, not that many places to make contact, and without seeing what you're complaining about, this is as far as any analysis can go ....

[StevenUnderwood]

Is it possible that these spam messages are going directly to your submit.*[at]spam.spamcop.net address that may have been compromised?

You would have to look at the content of the spamcop error message, but sending email directly to that address will give you that error message.

The entire first part of the error message should be the entire message as eceived by spamcop. The just the headers of the message as received are listed at the bottom. If you post just the part after the "The email which triggered this auto-response had the following headers:" part, we can help you with this. PLease mung any email addresses, psecifically your submit address wich should be in there as it received the message.

[Merlyn]

Dear Merlyn,

The email address I receive communications from SpamCop is at YAHOO.

14381[/snapback]

Yes I think their virus scanners are good also. (Maybe not exceptional)

Can ya post a set of headers?

[stillwaters]

Thank you everyone for your help. Here is one of the emails that certainly looks like it is from SpamCop but I did NOT receive this particular NIKE spam and therfore did not report it.

I am concerned that by posting this I am compromising my email account code with SpamCop. Should I get a new one?

Also, please note the unsubscribe info at the bottom contains my SpamCop account info as well.

From SpamCop AutoResponder Thu Jul 29 08:42:05 2004

X-Apparently-To: "myemailaddress" [at]yahoo.com via 66.218.78.20; Thu, 29 Jul 2004 08:42:05 -0700

X-Originating-IP: [64.74.133.250]

Return-Path: <spamid.[at]bounces.spamcop.net>

Received: from 64.74.133.250 (EHLO vmx2.spamcop.net) (64.74.133.250) by mta368.mail.scd.yahoo.com with SMTP; Thu, 29 Jul 2004 08:42:05 -0700

Received: from unknown (HELO spamcop.net) (192.168.19.204) by vmx2.spamcop.net with SMTP; 29 Jul 2004 08:51:28 -0700

From: "SpamCop AutoResponder" <spamcop[at]devnull.spamcop.net> Add to Address Book

To: "myemailaddress" [at]yahoo.com

Subject: SpamCop encountered errors

Date: Thu, 29 Jul 2004 15:42:05 GMT

Message-ID: <ss41091acdgd188[at]msgid.spamcop.net>

Content-type: text/plain

In-Reply-To: <388jje$8svlmh[at]vmx2.spamcop.net>

References: <388jje$8svlmh[at]vmx2.spamcop.net>

Content-Length: 2939

SpamCop encountered errors while saving spam for

processing:

SpamCop could not find your spam message in this

email:

Return-Path:

<bounce-5741-submit.KDD7estdYe9gOphe=spam.spamcop.net[at]dimeandfive5.com>

Received: from vmx2.spamcop.net

(sc-smtp2.eq.ironport.com [192.168.18.82])

by sc-app4.eq.ironport.com (Postfix) with ESMTP id

497F35140

for <submit.kdd7estdye9gophe[at]spam.spamcop.net>; Thu,

29 Jul 2004 08:38:43 -0700 (PDT)

Received: from mta2.dimeandfive5.com (69.45.16.55)

by vmx2.spamcop.net with SMTP; 29 Jul 2004 08:48:05

-0700

Message-Id: <388jje$8svlmh[at]vmx2.spamcop.net>

Received: (qmail 2406 invoked by uid 0); 29 Jul 2004

12:00:02 -0000

MIME-Version: 1.0

From: marketing[at]surplusalert.com

<info-5741[at]dimeandfive5.com>

Subject: Nike Blowout

To: submit.KDD7estdYe9gOphe[at]spam.spamcop.net

Content-Type: multipart/alternative;

boundary="=_ba16025c9cb6a761794b1f7f3673b904"

Date: Thu, 29 Jul 2004 08:38:43 -0700 (PDT)

--=_ba16025c9cb6a761794b1f7f3673b904

Content-Type: text/plain; charset="iso-8859-1"

Content-Transfer-Encoding: 7bit

-----------------------------------------------------------------

N I K E P O R T A B L E M P 3 P L A Y

E R

50% OFF!

Go Here: http://www.surplusalert.com/nike_mp3_player

-----------------------------------------------------------------

You can get the HOTTEST product in portable digital

audio today,

for over 50% off! The Nike ACT200 Portable MP3

player's sleek

design gives you 64 MB of your favorite songs for half

the price!

- 64 MB of memory

- 10 hours of continuous play

- Sport headphones included

- Armband and butterfly clip included

- $5 coupon to cover shipping

List Price: $129.99

Amazon.com Price: $99.00

-----------------------------

YOUR PRICE: $64.87 (save 50%)

-----------------------------

FREE SHIPPING FOR A LIMITED

TIME!********************************

If you buy in the next 72 hours, you can use coupon

code

15N4Y7 to get FREE SHIPPING! The FREE SHIPPING Code is

valid through Saturday July 31, 2004

*****************************************************************

Go Here: http://www.surplusalert.com/nike_mp3_player

FREE SHIPPING CODE: 15N4Y7

----

You are receiving this email as a subsciber to Dime

and Five Mail. To unsubscribe you can visit this link,

spam.spamcop.net]http://dimeandfive5.com/unsubscribe/?cid=2...pam.spamcop.net,

or mail us at: WM inc, P.O. Box 483 Midtown Station,

New York, NY 10018.

[stillwaters]

When I cut & pasted the above email it didn't show the full path of the unsubscribe info that has my spamcop info so here it is. Thank you again.

You are receiving this email as a subsciber to Dime

and Five Mail. To unsubscribe you can visit this link,

http://dimeandfive5.com/unsubscribe/?

cid=2417&did=5741&e=submit.KDD7estdYe9gOphe[at]spam.spamcop.net,

or mail us at: WM inc, P.O. Box 483 Midtown Station,

New York, NY 10018.

[Merlyn]

Wow, knock me down, I was way off on this one. Looks like StevenUnderwood hit the nail on the head!

[StevenUnderwood]

I am concerned that by posting this I am compromising my email account code with SpamCop. Should I get a new one?

Looks like it is already comprimised. If this is a reporting-only account, contact deputies<at>spamcop.net. I would start there as well, even if it is an email account as they might be the ones to issue new submit addresses.

Good luck and keep us posted.

[stillwaters]

Oh boy, I misunderstood Steve's instructions. I did NOT mung the submit email address like he said to. I need to get this account cancelled with SpamCop ASAP. Does anyone know how?

Also - I found the part of the e-mail at the bottom after A LOT of HTML source code that Steve was talking about.

Here it is:

The email which triggered this auto-response had the

following headers:

Return-Path:

<bounce-5741-submit.KDD7estdYe9gOphe=spam.spamcop.net[at]dimeandfive5.com>

Received: from vmx2.spamcop.net

(sc-smtp2.eq.ironport.com [192.168.18.82])

by sc-app4.eq.ironport.com (Postfix) with ESMTP id

497F35140

for <submit.kdd7estdye9gophe[at]spam.spamcop.net>; Thu,

29 Jul 2004 08:38:43 -0700 (PDT)

Received: from mta2.dimeandfive5.com (69.45.16.55)

by vmx2.spamcop.net with SMTP; 29 Jul 2004 08:48:05

-0700

Message-Id: <388jje$8svlmh[at]vmx2.spamcop.net>

Received: (qmail 2406 invoked by uid 0); 29 Jul 2004

12:00:02 -0000

MIME-Version: 1.0

From: marketing[at]surplusalert.com

<info-5741[at]dimeandfive5.com>

Subject: Nike Blowout

To: submit.KDD7estdYe9gOphe[at]spam.spamcop.net

Content-Type: multipart/alternative;

boundary="=_ba16025c9cb6a761794b1f7f3673b904"

Date: Thu, 29 Jul 2004 08:38:43 -0700 (PDT)

SORRY ABOUT MY MISTAKE. THanks for the help.

[stillwaters]

Thank you Steve. I emailed them. I look forward to getting this straightened out.

[Merlyn]

It is interesting, the payloaad surplusalert.com is Ref: SBL6725

204.246.128.208/28 is listed on the Spamhaus Block List (SBL)

28-May-2004 05:28 GMT | SR

ebaymyway / secureapprove opt-out spammers

2004-04-28

Hired "Brilliant Marketing" on Richter's Wholesalebandwidth to spam for them.

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL6725

but the Opt out link dimeandfive5.com belongs Ref: SBL13583

209.213.200.0/24 is listed on the Spamhaus Block List (SBL)

24-Jan-2004 19:23 GMT | SR12

joimailertoo.com / Endai Networks

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL13583

--------------------------------------------

So, who is sleeping with whom in this spam mess?

[stillwaters]

Dear Steve & Merlyn,

Thanks for your help. I can't believe how quickly SpamCop responded. I am very relieved. Now I can go back to spam reporting business as usual!

[Merlyn]

Thanks, I am very happy your problem is solved and Steve was great at uncovering it. Wish everyone went this way. Keep up the reporting.