
Spammed


maz


Good morning campers  :D

Does this help?

36950[/snapback]

[How-to] Post a Question

The Details

If it's a spam in question, do not post the spam here. Use a Tracking URL to offer a link to both the spam and the parse results. That way we're all talking about the same data.

If it's a bounce/rejection notification, provide the critical lines of data. The IP address being rejected will be at the root of any research.

One created with just the snippet provided (thus having no idea what the actual e-mail body looked like) is seen at http://www.spamcop.net/sc?id=z834385364z25...6b00b6572bf381z

reported via a non-MailHosted account .. not showing any resemblance to a "self-reported" parse result in this sample. But yes, this would have been much more helpful at the start of this Topic.

Link to comment
Share on other sites


I post this too?

Your message

  To:      herbertn[at]ulm.de

  Subject: [*spam-TAG*] 3: ALL MAJOR DESIGNER REPLICA //ATCHES!    Save $38

  Sent:    Wed, 30 Nov 2005 15:27:33 +0100

did not reach the following recipient(s):

herbertn[at]ulm.de on Wed, 30 Nov 2005 15:28:20 +0100

    Der Name des Empfängers wurde nicht erkannt.

Die MTS-ID der ursprünglichen Nachricht ist:

c=de;a=dbp;p=bwl;l=SUS000180511301428X7RB9QLW

    MSEXCH:IMS:Stadt Ulm:STADTULM:SUS00018 0 (000C05A6) Unbekannter

Empfänger

From: jpocas[at]mercuryexposure.org

Date: November 30, 2005 6:27:33 AM PST

To: herbertn[at]ulm.de

Subject: [*spam-TAG*] 3: ALL MAJOR DESIGNER REPLICA //ATCHES!    Save $38

Get the  <http://ctqvim.opcxcfbybwc1hoo4toomt666.slipbandbf.com/?owyu>

Finest Rolex Watch Replica!

We only sell premium watches. There's no battery in these replicas just like

the real ones since they get recharged as you move. The second hand moves

JUST like the real ones, too. These original watches are sold in stores for

thousands of dollars. We sell them for a fraction of a price.

- Replicated to the Smallest Detail

- 98% Perfectly Accurate Markings

- Signature Green Sticker with Serial Number on Watch Back

- Magnified Quickset Date

- Includes all Proper Markings 

Make your  <http://qqnw.m5avav9w9cshx4m2rmm2944m.sawdernb.com/?yrsi> order

before the prices go up.

Order Rolex  <http://ctqvim.opcxcfbybwc1hoo4toomt666.slipbandbf.com/?owyu>

or other Swiss watches online

To unsubscribe click here!

<http://ctqvim.opcxcfbybwc1hoo4toomt666.slipbandbf.com/Qot?ucs>

Link to comment
Share on other sites

Good morning campers  :D

Thank you for understanding.

Does this help?

36950[/snapback]

I will give it a shot. A tracking URL would help, though.

My lookup of the word Unzustellbar: roughly translates to undelivered, i.e. the host 195.243.22.149 bounced this message to the forged email address jpocas.

1) You can report this bounce using spamcop.

2) As stated elsewhere, there is nothing you can do to stop the original machine from using your email address forged in the headers.

3) Spamcop will not see you as a spammer because of the forged name.

4) If you were listed, it was for another reason.

Please continue to ask questions about spam related things you are still uncertain about. Your issues with Mercury dumping, while I am sympathetic, nothing can be done here.

Link to comment
Share on other sites

So a misconfigured Microsoft Exchange Internet Mail Service Version 5.5.2657.72 configured to use the German Language, three levels deep in a German network, and calling itself postmaster[at]ulm.de bounced the spam without revealing any of the Received Header Lines, so we can't track the source of that particular message without asking postmaster[at]ulm.de, who probably does not prefer English. However, we do have the payload URLs, all of which point to IP Address 218.65.209.27, listed twice by the SBL as SBL34434 (218.65.209.27/32) and SBL34688 218.65.209.0/24; see also the ROKSO records for Ukrainians Alex Blood / Alexander Mosh / AlekseyB / Alex Polyakov (compsoagg.com ; syzygialjc.info ; sa.akekicb.com). SpamCop's parser recommends reporting abuse by that IP Address to hostmaster[at]gx163.net, anti-spam[at]chinanet.cn.net, ct-abuse[at]abuse.sprint.net, and postmaster[at]gx163.net. I'd suggest adding abuse[at]gx163.net (because it should work) and abuse[at]savvis.net (which provides connectivity from chinanet directly to the US (LA, Dallas, Atlanta, Washington, and New York) per my traceroute). Would you care to post another bounce message, this time with the Received Header Lines in the bounced message it contains? Thanks!

Link to comment
Share on other sites

http://www.spamcop.net/sc?id=z834560796z76...fe00dd4be07f5cz

From postmaster[at]planalfa.es Wed Nov 30 15:29:46 2005

Received: from me3 by server012.kionic.com with local-bsmtp (Exim 4.54 (FreeBSD))

id 1Ehafa-0000l3-2D

for help[at]mercuryexposure.org; Wed, 30 Nov 2005 16:43:22 -0600

X-spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on

server012.kionic.com

X-spam-Level:

X-spam-Status: No, score=1.0 required=3.0 tests=FUZZY_ROLEX autolearn=no

version=3.1.0

Received: from [217.75.236.253] (helo=onesmtp.planalfa.es)

by server012.kionic.com with esmtp (Exim 4.54 (FreeBSD))

id 1EhafZ-0000kf-OI

for otakut[at]mercuryexposure.org; Wed, 30 Nov 2005 16:43:21 -0600

Received: from correo.planalfa.es ([172.16.0.10]) by onesmtp.planalfa.es with Microsoft SMTPSVC(6.0.3790.1830);

  Wed, 30 Nov 2005 23:43:14 +0100

Received: by CORREO with Internet Mail Service (5.5.2656.59)

id <W75G3LYQ>; Wed, 30 Nov 2005 23:44:46 +0100

Message-ID: <B39D3314D88D524B95F545ECC797AD140763B4E5[at]CORREO>

From: System Administrator <postmaster[at]planalfa.es>

To: otakut[at]mercuryexposure.org

Subject: Undeliverable: [Probable spam] - 2: What to look for when purchas

ing a replica watch!    Save $33

Date: Wed, 30 Nov 2005 23:44:46 +0100

MIME-Version: 1.0

X-Mailer: Internet Mail Service (5.5.2656.59)

X-MS-Embedded-Report:

Content-Type: multipart/mixed;

boundary="----_=_NextPart_000_01C5F5FF.A99F07E0"

X-OriginalArrivalTime: 30 Nov 2005 22:43:14.0978 (UTC) FILETIME=[734C6820:01C5F5FF]

This message is in MIME format. Since your mail reader does not understand

this format, some or all of this message may not be legible.

------_=_NextPart_000_01C5F5FF.A99F07E0

Content-Type: text/plain;

charset="iso-8859-1"

Your message

  To:      ocdav[at]planalfa.es

  Subject: [Probable spam] - 2: What to look for when purchasing a replica

watch!    Save $33

  Sent:    Wed, 30 Nov 2005 22:48:22 +0100

did not reach the following recipient(s):

OCDAV[at]PLANALFA.ES on Wed, 30 Nov 2005 23:44:33 +0100

    The recipient name is not recognized

The MTS-ID of the original message is: c=es;a= ;p=plan alfa

s.l.;l=CORREO0511302244W75G3LYJ

    MSEXCH:IMS:Plan Alfa S.L.:DOM_CORREOPA:CORREO 0 (000C05A6) Unknown

Recipient

------_=_NextPart_000_01C5F5FF.A99F07E0

Content-Type: message/rfc822

Message-ID: <001f01c5f600$2a87d9ca$0100a8c0[at]your-3hcef8q6j0>

From: otakut[at]mercuryexposure.org

To: ocdav[at]planalfa.es

Subject: [Probable spam] - 2: What to look for when purchasing a replica w

atch!    Save $33

Date: Wed, 30 Nov 2005 22:48:22 +0100

MIME-Version: 1.0

X-Mailer: Internet Mail Service (5.5.2656.59)

X-MS-Embedded-Report:

Content-Type: text/plain;

charset="iso-8859-1"

<http://rmev.stgjy1f2xign3as8xsa8fsaa.basebredcl.com/?srue> VIP REPLICA

//ATCHES!

We offer a free gift box with every VIP watch ordered. You can use it as a

lovely gift for your friends or

relatives or keep your gorgeous watch there. No matter what you do with your

watch, you will enjoy it.

-All Time Classics

-Exquisite R0lex Replica

-Superb Quality //atch

and others!#

<http://rmev.stgjy1f2xign3as8xsa8fsaa.basebredcl.com/?srue> Check out our

gift boxes that will make the present even more glamorous.

To unsubscribe click here!

<http://uyvg.wfknkn16jmk97wecjeecjeew.lowlandmf.com/Frc?hJz>

------_=_NextPart_000_01C5F5FF.A99F07E0--

Like this? Raw source instead of headers.

This one is the latest and collects in a different folder.

This said yum this is fresh spam, nothing to do.

http://www.spamcop.net/sc?id=z834561519z60...32317adae675f6z

From MAILER-DAEMON[at]me.freeserve.com Wed Nov 30 15:38:51 2005

Received: from me3 by server012.kionic.com with local-bsmtp (Exim 4.54 (FreeBSD))

id 1EhbV5-0006lK-N2

for help[at]mercuryexposure.org; Wed, 30 Nov 2005 17:36:35 -0600

X-spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on

server012.kionic.com

X-spam-Level: **

X-spam-Status: No, score=2.1 required=3.0 tests=FUZZY_ROLEX,HTML_FONT_BIG,

HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF autolearn=no

version=3.1.0

Received: from [193.252.22.158] (helo=smtp1.freeserve.com)

by server012.kionic.com with esmtp (Exim 4.54 (FreeBSD))

id 1EhbV4-0006l6-R0

for ekyfw[at]mercuryexposure.org; Wed, 30 Nov 2005 17:36:35 -0600

Received: by mwinf3010.me.freeserve.com (SMTP Server)

id 6F9485C21ED1; Thu,  1 Dec 2005 00:17:21 +0100 (CET)

Date: Thu,  1 Dec 2005 00:17:21 +0100 (CET)

X-ME-UUID: 20051130224332358.577B688004DD[at]mwinf3014.me.freeserve.com

From: MAILER-DAEMON[at]me.freeserve.com (Mail Delivery System)

Subject: Undelivered Mail Returned to Sender

To: ekyfw[at]mercuryexposure.org

MIME-Version: 1.0

Content-Type: multipart/report; report-type=delivery-status;

boundary="3D0075C883EB.1133392641/me.freeserve.com"

Message-Id: <20051130231721.6F9485C21ED1[at]mwinf3010.me.freeserve.com>

This is a MIME-encapsulated message.

--3D0075C883EB.1133392641/me.freeserve.com

Content-Description: Notification

Content-Type: text/plain

This is the SMTP Server program at host me.freeserve.com.

I'm sorry to have to inform you that your message could not be

be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can

delete your own text from the attached returned message.

   The SMTP Server program

<gabinetto.presidenza[at]consiglioregionale.piemonte>: Host or domain name not

    found. Name service error for name=consiglioregionale.piemonte type=A: Host

    not found

--3D0075C883EB.1133392641/me.freeserve.com

Content-Description: Delivery report

Content-Type: message/delivery-status

Reporting-MTA: dns; me.freeserve.com

X-SMTP-Server-Queue-ID: 3D0075C883EB

X-SMTP-Server-Sender: rfc822; ekyfw[at]mercuryexposure.org

Arrival-Date: Wed, 30 Nov 2005 23:43:33 +0100 (CET)

Final-Recipient: rfc822; gabinetto.presidenza[at]consiglioregionale.piemonte

Action: failed

Status: 5.0.0

Diagnostic-Code: X-SMTP-Server; Host or domain name not found. Name service

    error for name=consiglioregionale.piemonte type=A: Host not found

--3D0075C883EB.1133392641/me.freeserve.com

Content-Description: Undelivered Message

Content-Type: message/rfc822

Received: from smtp1.freeserve.com (mwinf3014 [172.22.159.42])

by mwinf3010.me.freeserve.com (SMTP Server) with ESMTP id 3D0075C883EB

for <gabinetto.presidenza[at]consiglioregionale.piemonte>; Wed, 30 Nov 2005 23:43:33 +0100 (CET)

Received: from me-wanadoo.net (localhost [127.0.0.1])

by mwinf3014.me.freeserve.com (SMTP Server) with ESMTP id 2D85388004EA

for <gabinetto.presidenza[at]consiglioregionale.piemonte>; Wed, 30 Nov 2005 23:43:33 +0100 (CET)

Received: from your-3hcef8q6j0 (user-1938.l1.c1.dsl.pol.co.uk [81.77.71.146])

by mwinf3014.me.freeserve.com (SMTP Server) with SMTP id 577B688004DD

for <gabinetto.presidenza[at]consiglioregionale.piemonte.>; Wed, 30 Nov 2005 23:43:32 +0100 (CET)

X-ME-UUID: 20051130224332358.577B688004DD[at]mwinf3014.me.freeserve.com

Message-ID: <002101c5f600$4421fa3c$0100a8c0[at]your-3hcef8q6j0>

From: <ekyfw[at]mercuryexposure.org>

To: <gabinetto.presidenza[at]consiglioregionale.piemonte>

Subject: 9: replica //atches! rolex, patek philippe, vacheron constantin and others!    Ref:333

Date: Wed, 30 Nov 2005  22:49:05 +0100

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="----=_NextPart_000_001E_01C5F600.441F9300"

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2900.2180

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

This is a multi-part message in MIME format.

------=_NextPart_000_001E_01C5F600.441F9300

Content-Type: text/plain;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

------=_NextPart_000_001E_01C5F600.441F9300

Content-Type: text/html;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<HTML><HEAD>

<META http-equiv=3DContent-Type content=3D"text/html; charset=3Diso-8859-1">

<META content=3D"MSHTML 6.00.2900.2722" name=3DGENERATOR>

<STYLE></STYLE>

</HEAD>

<BODY bgcolor=3D"#FFFFFF">

<div align=3D"center">

  <p align=3D"left"><font size=3D"+1"><b><a href=3D"http://rmev.stgjy1f2xign3as8xsa8fsaa.basebredcl.com/?srue"><i><font color=3D"#FF0000">VIP</font>

    REPLICA //ATCHES!</i></a></b></font></p>

  <p align=3D"left"><font size=3D"+1">We offer a free gift box with every VIP watch

    ordered. You can use it as a lovely gift for your friends or<br>

    relatives or keep your gorgeous watch there. No matter what you do with your

    watch, you will enjoy it. </font></p>

  <p align=3D"left">-All Time Classics<br>

    -Exquisite R0lex Replica<br>

    -Superb Quality //atch </p>

  <p align=3D"left">and others!#</p>

  <p align=3D"left"><a href=3D"http://rmev.stgjy1f2xign3as8xsa8fsaa.basebredcl.com/?srue"><font size=3D"+1"><i><b>Check

    out our gift boxes that will make the present even more glamorous.</b></i></font></a><br>

  </p>

  </div>

<DIV align=3D"center"><FONT face=3DArial size=3D2>To unsubscribe <A href=3D"http://uyvg.wfknkn16jmk97wecjeecjeew.lowlandmf.com/Frc?hJz">click here!</FONT></DIV>

</BODY>

</HTML>

------=_NextPart_000_001E_01C5F600.441F9300--

--3D0075C883EB.1133392641/me.freeserve.com--

http://www.spamcop.net/sc?id=z834564085zee...dda60a8880c7cfz

Link to comment
Share on other sites
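
Earlier in the thread an Exchange 5.5 bounce is described as carrying no Received lines, so its source could not be traced, while the raw-source bounces posted just above do carry them. As an added example (not part of any post; the sample bounce, its hostnames and the function names are constructed), this Python sketch pulls the embedded message out of a bounce and returns the oldest non-internal relay address, a simplification of what a full header parser does.

```python
import email
import ipaddress
import re
from email import policy

# Constructed bounce shaped like the freeserve one in the thread; hostnames
# and the public address are placeholders, not the values posted above.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mx.example.net
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="BND"

--BND
Content-Type: text/plain

Host or domain name not found.
--BND
Content-Type: message/rfc822

Received: from relay.example.net (relay [172.22.159.42])
    by mx.example.net with ESMTP id AAA; Wed, 30 Nov 2005 23:43:33 +0100
Received: from localhost (localhost [127.0.0.1])
    by relay.example.net with ESMTP id BBB; Wed, 30 Nov 2005 23:43:33 +0100
Received: from your-pc (dsl.example.com [203.0.113.146])
    by relay.example.net with SMTP id CCC; Wed, 30 Nov 2005 23:43:32 +0100
From: <forged@victim.example>
Subject: constructed spam subject

body
--BND--
"""
# The same bounce as an Exchange 5.5 style report: Received lines stripped.
NO_TRACE_DSN = re.sub(r"(?m)^Received:.*\n +.*\n", "", SAMPLE_DSN)

INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def embedded_original(raw):
    """Return the message/rfc822 part carried by a bounce, or None."""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def injection_ip(raw):
    """Oldest non-internal relay IP in the bounced message's Received chain."""
    original = embedded_original(raw)
    hops = original.get_all("Received", []) if original is not None else []
    for hop in reversed(hops):  # headers are prepended, so the oldest is last
        for text in BRACKETED_IP.findall(str(hop)):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:
                continue  # bracketed text that is not a valid IPv4 address
            if not any(addr in net for net in INTERNAL):
                return str(addr)
    return None
```

Received lines below the first relay you trust can be forged by the sender, so treat the returned address as a lead to confirm against that relay's own line.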

Yes, those are tracking URLs; pasting of all the data simply duplicates the tracking URL and is not necessary

BUT!!!!!!

What is your question?

This topic has gone in too many circles to guess at what your current question is.

The tracking URL will help to answer the question (if the question relates to it)

Link to comment
Share on other sites

<snip examples>

36968[/snapback]

...The ones I looked at definitely look like bounce messages to the forged "From" address (various[at]mercuryexposure.org). As mentioned earlier, these tend to go on for a few days and then the spammer starts forging someone else's e-mail address in the "From" line. In the meantime, the clueless admins who are bouncing the spam over to you need to be smacked on the head by being reported, so I hope you'll continue to do that as time permits. Thanks!

This said yum this is fresh spam, nothing to do.

http://www.spamcop.net/sc?id=z834561519z60...32317adae675f6z

36968[/snapback]

...That's just saying that none of the abuse addresses SpamCop knows of will work, so it can not report. However, it will include your submission in its decision as to whether to include in the SpamCop blocklist the IP address from which the bounce came so, again, I hope you'll report as many of these as you have time to do. Thanks!

Link to comment
Share on other sites

I have tried to get through to outblaze because they are rejecting good emails from forum.

I don't know if they can add an option to allow one to pass through that does not spam.

If I have a number of returns with the same relevant info only different to and from usernames, are they considered duplicates? Or do they add to the validity of the spamming?

Thank you

Link to comment
Share on other sites

They are all separate individual bounces which can be reported as separate "spam" messages under the new rules.

If they were true duplicates, same message ID, that your system happened to forward duplicate copies of, then only one should be reported, but in that case all information would be identical.

Link to comment
Share on other sites

I have tried to get through to outblaze because they are rejecting good emails from forum.

I don't know if they can add an option to allow one to pass through that does not spam.

36977[/snapback]

Please try using a different email address to contact postmaster[at]outblaze.com, explain the situation (referencing this Topic as appropriate), and tell Suresh Ramasubramanian you admire his work. Suresh is a long-time anti-spammer. If you still can't reach him, try him at ops.lists[at]gmail.com.

If I have a number of returns with the same relevant info only different to and from usernames, are they considered duplicates? Or do they add to the validity of the spamming?

36977[/snapback]

They add to the volume of Reports. Please feel free to save them for last in your Reporting, as Reporting of them provides the lowest marginal value.

Link to comment
Share on other sites

Gateway Timeout

36981[/snapback]

Sorry, you were unlucky enough to hit the Parsing and Reporting System during a performance dip. I hate it when that happens! Please try again. :)

Link to comment
Share on other sites

spamcop to google goes into the spam folder :huh:

37000[/snapback]

When I send a SpamCop Report to an address that is forwarded to my Gmail account (because its address is shorter than my Gmail address and I need the real estate in "Public standard report recipients"), the Report generally ends up in my Gmail spam Folder. I think this is what is also happening to maz. I have already suggested to Gmail that they allow whitelisting and that they allow whitelisting of everything (bypassing their anti-spam feature), but they have not acted on those suggestions. :( The more of you fellow Gmail users that make similar suggestions, the more weight they should give those suggestions.

Link to comment
Share on other sites

Now I'm getting this as returned spam, and a zip file.

  Transaction Denied by Bank.

  Order details:

  Date: 11/21/05

  Order number is: 003725

  You have ordered the following:

  Price

  RING 1 147.20

  RING 2 125.80

  Setup fee 3.00

  +VAT 93.50

  _____________________________

  Total in USD: 276.90

  Please see attached file.

  GOLDNOW SHOP Billing Team.

  Thank you for choosing CCBill as the eMerchant for your subscription!

Also getting returned mime files.

Is it possible that with so much spam rerouting that it's picking up viruses along the way before being returned under the fraudulent reply header?

More blacklisting :o

Link to comment
Share on other sites

Is it possible that with so much spam rerouting that it's picking up viruses along the way before being returned under the fraudulent reply header?

37187[/snapback]

What is more likely is the following scenario:
  • Person A had some interest in maz and/or her cause, domain, or website/forum.
  • maz's domain name ended up on Person A's computer because Person A browsed to her website/forum, sent her email, or got email from her.
  • Person A's computer (Computer A) was infected with a worm that sent email with maz's domain as the from or envelope from. This was the primary source.
  • maz started getting bounces from misconfigured servers that received the primary source's messages. There may not have been many of these.
  • Spammer A got one of those infected email messages (or possibly scraped maz's domain name or email address from somewhere), and started sending spam with maz's domain as the from or envelope from. This was the secondary source.
  • maz started getting bounces from misconfigured servers that received the secondary source's messages.
  • Person B opened one of the infected email messages, infected Person B's computer (Computer B), and Computer B started spewing infected email messages with maz's domain in the from or envelope from. This was the tertiary source.
  • maz started getting bounces from misconfigured servers that received the tertiary source's messages.
  • More people opened more infected messages, causing more computers to become infected and spew infected messages, causing maz to get more bounces.
  • Eventually, the people responsible for those computers or their connectivity to the net will stop the madness. We hope. :)

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

