
New Spam email message that disgusts me..


btech


I've received this a few times and I HOPE someone, somewhere recognizes this as illegal.

X-SpamCop-Disposition: Blocked bl.spamcop.net

Welcome to our web site www.shadowcrew.com/phpBB2/index.php

Please use http://63.240.81.5 in case of our domain outage.

You're invited to shop for large selection of bombs and different

kinds of rockets such as surface-to-air,

surface-to-surface and weaponry available at reduced price. With the

following types of rockets you will be

able to commit terrorist attacks, destroy buildings, electric power

stations, bridges, factories and anything

else that comes your mind. Most items are in stock and available for

next day freight delivery in the USA.

Worldwide delivery is available at additional cost. Prices are

negotiable.

Please feel free to inquire by ICQ # 176928755 or contacting us

directly:

+1-305-592-2222

+1-919-319-8249

+1-314-770-3395

Today special:

******* AIR BOMBS *******

OFAB-500U HE fragmentation air bomb

Fuel-air explosive air bombs -Not in stock

BETAB-500U concrete-piercing air bomb

ZB-500RT incendiary tank

500-KG SIZE RBK-500U unified cluster bomb

RBK-500U OAB-2.5PT loaded with fragmentation submunitions

RBK-500U BETAB-M loaded with concrete-piercing submunitions-Not in

stock

RBK-500U OFAB-50UD loaded with HE fragmentation submunitions

******* UNGUIDED AIRCRAFT ROCKETS  *******

Main-purpose unguided aircraft rockets

S-8 unguided aircraft rockets

S-8KOM

S-8BM-Not in stock

S-13 unguided aircraft rockets

S-13, S-13T, S-13-OF, S-13D, S-13DF

S-25-0

S-25-OFM

S-24B -Not in stock

RS-82

RS-132-Not in stock

******* ROCKET PODS *******

B-8M pod for S-8 rockets

B-8V20-A pod for S-8 rockets

B-13L pod for S-13 rockets

Recently received *NEW*

Hydra 70 2.75 inch Rockets

Air-Launched 2.75-Inch Rockets

FIM-92A Stinger Weapons System

Stinger 101: Anti-Air

Our clients are well known Al-Qaida, Hizballah, Al-Jihad, HAMAS, Abu

Sayyaf Group and many other terrorist groups. We are well known

supplier in the market and looking forward to expand our clientage

with assistance of Internet.

Do not hesitate to contact us via ICQ # 176928755

Impatiently awaiting for your orders,

ShadowCrew

I'm sure this is a phishing scam, but if it's not... WHY has the host of the spamvertised site not done something, since I'm pretty sure this is illegal.

Link to comment
Share on other sites

Seems phishers were on the rise today, I got more of them than actual spam. Some even advertising spam lists and spam programs, this one I had a reply for almost as soon as I reported a few minutes ago:

Hello,

Thank you for writing to eBay regarding the email you received.

Emails such as this, commonly referred to as "spoof" or "phished"

messages, are sent in an attempt to collect sensitive personal or

financial information from the recipients.

The email you reported was not sent by eBay. We have reported this email

to the appropriate authorities.

In the future, be very cautious of any email that asks you to submit

information such as your credit card number or your email password. eBay

will never ask you for sensitive personal information such as passwords,

bank account or credit card numbers, Personal Identification Numbers

(PINs), or Social Security Numbers in an email. If you ever need to

provide sensitive information to us, please open a new Web browser, type

www.ebay.com into your browser address field, and click on the "site

map" link located at the top of the page to access the eBay page you need.

Link to comment
Share on other sites

Seems phishers were on the rise today, I got more of them than actual spam. Some even advertising spam lists and spam programs, this one I had a reply for almost as soon as I reported a few minutes ago:

17512[/snapback]

I've found some phishers/spammers sending fake Admin emails, making it seem as if an email I sent was bounced back, which is funny, because the email address they say I sent from is not one of mine.

Link to comment
Share on other sites

My current pet peeve is mail admins that send virus complaints to postmaster. Just because the originating email address pretends to be from our system, they do not bother to include the originating headers. They do, however, send the original virus.

Can anyone suggest a good boiler plate to reply with?

Link to comment
Share on other sites

The one I use was originally "stolen" from this forum somewhere and slightly modified.

Attention Postmaster,

The most recent batch of computer viruses and worms released upon the internet almost invariably forge the sender information.  Any alert notice to the address indicated in the "from" header usually is sent to an innocent party who has nothing to do with the original message.

We request that you reconfigure your mail gateway to not generate notifications sent by email to the from address within the message.  Rejecting the message during the initial SMTP transaction is the best way to accomplish this.

If you examine the headers of the message that you received you'll see, by researching the IP address in question, that the virus came from some other network.  Please contact *their* administrator if you wish to notify someone.

Thank you for taking the time to read this response. If you need assistance in configuring the mail gateway, please consult the software developer.

This is a form-letter response.

------------------------- BEGIN HEADERS -----------------------------

-------------------------- END HEADERS ------------------------------

Link to comment
Share on other sites

In reference to the OP's e-mail, this is not a phish, but a joe job.

Definition (courtesy of searchcio):

A Joe job is an e-mail spoofing exploit in which someone sends out huge volumes of spam that appear to be from someone other than the actual source. A Joe job is sometimes conducted as an act of revenge on someone who reports a spammer to their Internet service provider (ISP) or publicly advocates anti-spam legislation. The perpetrator is said to be Joeing the legitimate owner of the e-mail address they use. The Joe job is one of the oldest spamming operations in existence, and one of the simplest ones to carry out: the spammer may not have to do anything more than change the "Reply To" address in their e-mail program.

The term originated from an attack on Joe Doll, proprietor of Joe's CyberPost (joes.com). Doll's Web site, online since 1994, offers free Web pages to anyone who agrees to his stipulated rules, which include "good netiquette when publicizing your page." In 1996, one of his free page users sent bulk, unsolicited messages to a number of newsgroups. When questioned, the user claimed to have been unaware that this behavior contravened Doll's rules. Soon afterwards, the same person started promoting their Web page through an e-mail spam campaign and Doll terminated the user's account. One of the recipients-turned-spammer retaliated with threats, mail bombs, and forged messages to spam lists that made the messages appear to come from Doll. The recipients of the forged e-mail messages, believing Doll had sent the spam, retaliated by attacking joes.com and disabling Joe's CyberPost for over 10 days.

No company in their right mind would advertise that they are terrorist friendly. The sites that are.... well, they're usually unknown to the general public.

The spam should be reported as such... spam. It's 99% likely that it is nothing more than that.

Link to comment
Share on other sites

Forgot to mention...

Phishing definition:

In computing, phishing is luring sensitive information, such as passwords and financial data, from a victim by masquerading as someone trustworthy with a real need for such information.

The term was coined in the mid nineties by crackers attempting to steal AOL accounts.

The initial communication with the victim is usually in the form of an e-mail message. Typically this will provide a link to a fake webpage (which may link to other fake pages) which looks like one of a trustworthy company, in order to fraudulently take personal information - for example a website appearing exactly like one of PayPal's in order to obtain credit card details.

Checking the URL in the address bar of the browser may not be sufficient, as, in some browsers, that can be faked too. The file properties feature of the browser may disclose the real URL of the fake webpage.

Link to comment
Share on other sites

I've received this a few times and I HOPE someone, somewhere recognizes this as illegal.

I'm sure this is a phishing scam, but if it's not... WHY has the host of the spamvertised site not done something, since I'm pretty sure this is illegal.

17509[/snapback]

It's a joe-job: pay no attention. (Someone at ShadowCrew must have annoyed a spammer a while back, as this has been going on for years: Google for shadowcrew joe-job for details).

Cheers, Nick

Link to comment
Share on other sites

A Joe job is an e-mail spoofing exploit in which someone sends out huge volumes of spam that appear to be from someone other than the actual source. A Joe job is sometimes conducted as an act of revenge on someone who reports a spammer to their Internet service provider (ISP) or publicly advocates anti-spam legislation. The perpetrator is said to be Joeing the legitimate owner of the e-mail address they use. The Joe job is one of the oldest spamming operations in existence, and one of the simplest ones to carry out: the spammer may not have to do anything more than change the "Reply To" address in their e-mail program.

My brother just received a virus-containing e-mail with my e-mail address forged in the header, (so have some of my friends) would that be considered a Joe Job? (why is that it makes me think of a B Job, it is extremely annoying nevertheless)

Link to comment
Share on other sites

My brother just received a virus-containing e-mail with my e-mail address forged in the header, (so have some of my friends) would that be considered a Joe Job?

No...go back up the thread and read the definition that Bumpkin posted.

However, if I were you, I'd try to get one of the recipients to provide you with the headers from one of those infected messages. You may be able to determine which one of your friends and/or colleagues has the infection, because that's the likely scenario.

DT

Link to comment
Share on other sites

No, it was the same IP that keeps sending me viruses since last year (5-10/day), and yes I contacted their abuse desk and upstream providers, no results so far.

What do you mean by "No"? The most likely source would be anyone with whom you have corresponded....or anyone who might have received your address in forwarded mail. That's where these worms get the addresses that they spoof and the addresses that they attack.

DT

Link to comment
Share on other sites

What do you mean by "No"? The most likely source would be anyone with whom you have corresponded....or anyone who might have received your address in forwarded mail. That's where these worms get the addresses that they spoof and the addresses that they attack.

DT

17706[/snapback]

The only reason I ever corresponded with their abuse desk was to request that they stop the abuse. I received an e-mail from them today with mydoom attachment defanged (by postini) and postmaster[at]my.domain spoofed in the <<from:>> of the header, they are presently listed in sorbs:

Received: from source ([207.194.18.89]) by exprod7mx28.postini.com ([64.18.6.10]) with SMTP;

Fri, 24 Sep 2004 01:42:38 EDT

From: "Returned mail" <postmaster[at]my domain>

To: myself

Subject: Test

Date: Thu, 23 Sep 2004 22:54:17 -0700

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="----=_NextPart_000_0001_68027079.4A47FFB7"

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2600.0000

X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

X-pstn-levels:     (S:13.03352/99.64271 R:95.9108 P:95.9108 M:98.9607 C:80.1007 )

X-pstnvirus: W32/Mydoom.o[at]MM

X-pstn-settings: 1 (0.1500:0.4500) gt3 gt2 gt1 r p m C

X-pstn-addresses: from <postmaster[at]my.domain> forward (good recip) [1804/59]

boundary="

I exchanged personal messages with their abuse desk on a few occasions:

host 207.194.18.89 = vanc06m02-89.bctel.ca (cached)

No recent reports, no history available

Routing details for 207.194.18.89

[refresh/show] Cached whois for 207.194.18.89 : ted_murray[at]bctel.net

Using last resort contacts ted_murray[at]bctel.net

Statistics:

207.194.18.89 not listed in bl.spamcop.net

More Information..

207.194.18.89 not listed in dnsbl.njabl.org

207.194.18.89 not listed in dnsbl.njabl.org

207.194.18.89 not listed in cbl.abuseat.org

207.194.18.89 listed in dnsbl.sorbs.net ( 127.0.0.10 )

207.194.18.89 not listed in relays.ordb.org.

Reporting addresses:

ted_murray[at]bctel.net

Link to comment
Share on other sites

they are presently listed in sorbs

The reason that IP is listed at SORBS is that it's dynamic....used by an end-user, and not a mail server. It's not there due to any specific abuse issues. In other words, someone in British Columbia, CA, has a computer that has "seen" your address, either by corresponding with you or by receiving a message containing your address (as in a forward from a family member or friend). That computer is infected and therefore can send messages either To you or From you, or both.

Keep after the ISP...have you tried telephoning Mr. Murray at 604-454-5151? That's what I usually do (although in many cases with these numbers, it's an Abuse Desk recording, with no operator).

DT

Link to comment
Share on other sites
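The header check discussed in the posts above, as an added example that is not part of the original thread: it pulls the connecting IP out of the topmost Received line (the only part recorded by the recipient's own relay, unlike the forgeable From) and builds the DNSBL query names for it. The sample reuses the headers posted above; the function names and zone list are assumptions chosen for illustration, and the reading of 127.0.0.10 follows the explanation given in the thread.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: a subset of the headers posted in the thread.
SAMPLE = """\
Received: from source ([207.194.18.89]) by exprod7mx28.postini.com ([64.18.6.10]) with SMTP;
 Fri, 24 Sep 2004 01:42:38 EDT
From: "Returned mail" <postmaster[at]my.domain>
Subject: Test
X-pstnvirus: W32/Mydoom.o[at]MM

"""

ZONES = ("bl.spamcop.net", "cbl.abuseat.org", "dnsbl.sorbs.net")
SORBS_DYNAMIC = "127.0.0.10"  # per the thread: dynamic end-user range

def handoff_ip(raw):
    """Return the IP that connected to the topmost (recipient-side) relay."""
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    # Keep only the 'from' clause; the part after ' by ' names the relay itself.
    from_part = received[0].split(" by ", 1)[0]
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", from_part)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1)))
    except ValueError:
        return None  # bracketed text was not a valid IPv4 address

def dnsbl_names(ip, zones=ZONES):
    """DNSBL lookups use the octets reversed, prefixed to the list's zone."""
    rev = ".".join(reversed(ip.split(".")))
    return [f"{rev}.{zone}" for zone in zones]

def listing_kind(zone, answer):
    """Interpret an A-record answer; None means NXDOMAIN (not listed)."""
    if answer is None:
        return "not listed"
    if zone == "dnsbl.sorbs.net" and answer == SORBS_DYNAMIC:
        return "dynamic range, not an abuse listing"
    return "listed"

def claimed_sender(raw):
    """The From header is supplied by the sender and proves nothing."""
    return message_from_string(raw)["From"]
```

Resolving each name from `dnsbl_names` with any DNS client gives the answer to pass to `listing_kind`; the report then goes to the abuse contact for the IP from `handoff_ip`, not to the address in From.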

My brother just received a virus-containing e-mail with my e-mail address forged in the header, (so have some of my friends) would that be considered a Joe Job? (why is that it makes me think of a B Job, it is extremely annoying nevertheless)

17647[/snapback]

I receive viral e-mails that appear to be from myself sometimes. Instead of playing "who's got a virus?", I contact the technical contact for the originating IP address. I usually forward the original header information with the originating IP highlighted, letting them know that a virus is originating from their server.

In the case of one I'm dealing with this week, I just called our ISP and asked them to put a block on an IP that's been spewing viral mails for over two weeks and the administrator/postmaster/techie is non-responsive.

Link to comment
Share on other sites

I receive viral e-mails that appear to be from myself sometimes.  Instead of playing "who's got a virus?", I contact the technical contact for the originating IP address.  I usually forward the original header information with the originating IP highlighted, letting them know that a virus is originating from their server.

In the case of one I'm dealing with this week, I just called our ISP and asked them to put a block on an IP that's been spewing viral mails for over two weeks and the administrator/postmaster/techie is non-responsive.

17720[/snapback]

Thank you Bumpkin, indeed I follow the same procedure and also cc a copy to my own ISP since these e-mails often spoof postmaster or mailer-demon[at]my.domain.name. Unfortunately, some of these IPs have been sending viruses since last year, and almost on a daily basis. You would think they had ample time to correct a temporary problem. I have a large collection of e-mails exchanged with administrators, even went to upstream ISPs and government agencies, had whole ranges of IPs blocked and removed. That only worked briefly, the pattern repeats itself over and over. And guess what, same admins that were responsible with past IPs re-emerge for these new e-mails. Needless to say it reminds me of THIS STORY!

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
