Recent spam reporting troubles


Lynn

My computer knowledge is very basic (in other words, I'm a computer idiot :) ). I work for a local government and all of a sudden we've been receiving a lot of spam (first time ever). Someone must have gotten a hold of the email list and sold it, because I've never used my work address for anything but work (the same with my co-workers in my office).

All of the subject lines are similar, just a number, e.g. "re:13" (although the body of the messages is anything from drugs to sex [but no rocknroll]), and I have been able to report a few through SpamCop. The problem is, I am having trouble reporting the last couple that I've received because the body of the message is a .gif file.

Any suggestions?

I am having trouble reporting the last couple that I've received because the body of the message is a .gif file

I'm not sure what type of problem it is that you might be trying to describe. The SpamCop parser does not do graphic images, this is true. But just because the body of the spam contains a graphic there isn't an error flag raised.

If it's just that you want to report someone/something inside the graphic, that's a whole different situation. You started with the "computer knowledge is very basic" so I'm actually leaning more towards asking "why are you looking at your spam & pictures within that spam?" Allowing this kind of stuff to show up within your e-mail app leads to other issues .. (and going with office environment, basic knowledge, it seems reasonable to make the assumption that Outlook or Outlook Express is in use there) I would rather suggest that you change settings within your application to "Read as Plain Text Only" and take some of this stuff out of the equation. (Actually, there are a number of security settings and issues I'd normally recommend, but that's not what you asked.)

You could take another look at your "problem" report and copy over the Tracking URL so that "we" could see the spam in question, perhaps even taking a look at the graphic in question (no guarantee there)

All of the subject lines are similar, just a number, e.g. "re:13" (although the body of the messages is anything from drugs to sex [but no rocknroll]), and I have been able to report a few through SpamCop. The problem is, I am having trouble reporting the last couple that I've received because the body of the message is a .gif file.

This is a relatively new type of spam that's been described in both the SpamCop newsgroups and in "news-admin.net-abuse.email" (those are both available by using a Newsreader, and the latter is also available at "groups.google.com"). There has been speculation that they might be coming from infected computers being used as "Zombies" by spammers....here's a link to an article that describes this concept:

http://www.usatoday.com/money/industries/t...ombieuser_x.htm

I contributed to a discussion on this in the main "spamcop" newsgroup (available on the "news.spamcop.net" server) back in late August with the Subject "Spamvertised URLs hidden in GIFs." The original idea of the thread was that the URL was in the GIF itself (and I've seen a few like that), but more common are spams that contain both some HTML code at the top and an embedded GIF image, which will take you to the URL from the HTML code. The URL is usually a ".info" domain. This in itself isn't unusual, but the Subject lines on this particular variant are often only:

re [13]

re[2]

re[23]:

etc.

However, I've also received some with all the same characteristics, but with Subject lines like this:

Subject: warning

Subject: updates

Subject: Re: precsription drgus online - Vecodin lortab oxycontin

Subject: Pick up your order #885139

Here's a description of those characteristics:

They all have "multipart/related" bodies with two parts...the first is an HTML part that contains an anchor link to a ".info" URL that's wrapped around an IMG SRC tag that points to the CID (Content-ID) of the GIF file that comprises the second portion of the MIME message. There's also a little anti-Bayes gibberish (to avoid blocking by SpamAssassin filtering).

I think that all of the sources of the actual emails are in "dynamic IP space," giving credence to the theory that they're coming from PCs that have been "zombified." As in your case, some of the addresses I've received them at weren't published anywhere, but would only appear in the headers of messages sent between members of a particular profession or listserv. The idea is that their computers have been compromised and the spammers are harvesting those addresses out of their inboxes and other mail folders.

In the "spamcop" newsgroup thread, some "spam Hunter" popped up and said that these are coming from the "RSG" (Russian spam Gang).

Anyway, I've given up trying to figure out anything else about these, but if they have the characteristics I've mentioned above, you should be able to report them through the SpamCop system, as long as you select "Full details" as opposed to "Simple output" which will then analyze the URL that's above the GIF in the body of the message.

DT
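
The message layout described in the post above, as an added example that is not part of any post in this thread: a Python sketch using only the standard library that finds an anchor URL wrapped around a `cid:` image which resolves to an image part of the same message. The sample message, its sender address and the `landing.example` host (standing in for the ".info" URL) are constructed.

```python
import email
from email import policy
from html.parser import HTMLParser
# Constructed sample: multipart/related, HTML part first, GIF part second.
SAMPLE = b"""\
From: sender@example.net
Subject: re[13]
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<a href="http://landing.example/"><img src="cid:pic1@example"></a><p>filler gibberish</p>
--b1
Content-Type: image/gif
Content-ID: <pic1@example>

R0lGODlhAQABAAAAACw=
--b1--
"""

class _LinkedCidImages(HTMLParser):
    """Collect (href, cid) pairs where <img src="cid:..."> sits inside <a href>."""
    def __init__(self):
        super().__init__()
        self.href, self.pairs = None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.href = a.get("href")
        elif tag == "img" and self.href and (a.get("src") or "").lower().startswith("cid:"):
            self.pairs.append((self.href, a["src"][4:]))
    def handle_endtag(self, tag):
        if tag == "a": self.href = None

def linked_cid_image_urls(raw_bytes):
    """Return anchor URLs wrapped around an embedded image in a multipart/related mail."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    if "multipart/related" not in [p.get_content_type() for p in msg.walk()]:
        return []
    cids, pairs = set(), []
    for part in msg.walk():
        if part.get_content_maintype() == "image" and part["Content-ID"]:
            cids.add(str(part["Content-ID"]).strip().strip("<>"))
        elif part.get_content_type() == "text/html":
            finder = _LinkedCidImages()
            finder.feed(part.get_content())
            pairs += finder.pairs
    # Keep only links whose image is actually attached to this message.
    return [href for href, cid in pairs if cid in cids]
```

The returned URL lives in the HTML part, not in the GIF, which is why a report that analyzes the HTML above the image can still identify the advertised site.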

The Russian gang hypothesis sounds plausible. I have received a few of those myself. They are more dangerous than plain text spam for security issues raised by Wazoo above.

Lynn, I would also check with the computer guru in your office and request that the computer you use to read e-mail is thoroughly checked for malware, adware, spyware etc. It may also be that some of these spam carry trojans so I would get to it ASAP.

Thank you all for your responses. We use Novell Groupwise and I access it through Citrix ICA.

David, the examples that you cited in your response are indeed unwanted emails that I have been receiving recently. The ones with the subject of "warning" or "here is your order," etc. I delete those without a second glance. I don't even open them. (Those I've been receiving for a long time.) The article about the zombie computers is very interesting - thanks for the link.

The other ones with the numbers in the subject line just started showing up about 2 weeks ago. I created a SpamCop account only recently and forwarded some of the first ones I received and the reporting process worked just fine. The last 2 of those that I tried reporting came back unsuccessful. (Note to Wazoo: I never download anything from an unfamiliar sender, and I'm very careful when the sender is someone I know, but these GIFs are right there when you open the mail.) Perhaps instead of just reporting these, then I should delete them without opening them. I had thought that someone was spamming us directly and that was why I was opening and reporting them. Our IS department said there was nothing they could do about them, because they were addressed correctly, so I decided to try the spam reporting on my own.

Since there are no restrictions on what we can download to our computers I have Spybot Search and Destroy and Ad-aware loaded onto my PC. They haven't detected anything worse than the tracking cookies one gets from surfing the internet. We also have Symantec Anti-Virus Client. It says I'm clean.

dra - we don't have a computer guru anymore -- he retired. IS dept. is well........I'll be nice and not say anything else.

Lynn, the question that seems unanswered is how are you reporting the spam.

The best way is to forward as an attachment. Most other methods seem to alter the original message in various ways based on many different factors including the email client and web browser being used.

All I know about is Outlook Express, but I do know that it isn't a good idea to 'open' any unsolicited email in the regular way. In OE there is a way to view the message without activating any web bugs (it shows the HTML code as well) and I think that it is true in other applications.

Also in OE, you can 'forward as attachment' without opening the email. Forwarding as attachment is different than forwarding in line. Again, it depends on your application how that is done. You can find that information in the FAQ.

Miss Betsy

Lynn, the question that seems unanswered is how are you reporting the spam.

The best way is to forward as an attachment. Most other methods seem to alter the original message in various ways based on many different factors including the email client and web browser being used.

Sorry, I was forwarding the email to the address given on the spam reporting page.

Sorry, I was forwarding the email to the address given on the spam reporting page.

By "forwarding" do you mean clicking on the "forward" button? If so you may want to try the alternate and better method of "forwarding as attachment." It prevents a lot of the problems created when sending as a standard forward.
Archived

This topic is now archived and is closed to further replies.
