Jump to content

Spam from 'infoletter[at]doramail.com' (faked return address?)


99clunk
 Share

Recommended Posts

Been receiving lots of spam from an outfit that purports to be sending from the address:

infoletter[at]doramail.com

Typical header info:

Return-path: <infoletter[at]doramail.com>

Received: from 12-215-248-238.client.mchsi.com (unverified [12.215.248.238]) by webmail.activeisp.com

(Rockliffe SMTPRA 6.1.22) with SMTP id <B0020306614[at]mailengine10.web2000.activeisp.com>;

Mon, 20 Nov 2006 09:35:48 +0100

X-Message-Info: BQCiuDYY205dlGufz/dnTXcQTTannRwgbKijWla95IQV

Received: from lint-xgh5.alcoholic.imail.ru (224.26.190.248) by sus72-rus3.uraniomail.com with Microsoft SMTPSVC(5.0.2195.6824);

Mon, 20 Nov 2006 01:27:08 -0700

From: Grover Stevens <infoletter[at]doramail.com>

To: XXXX[at]XXXXXXX.co.uk

Subject: very nice

Date: Mon, 20 Nov 2006 05:28:08 -0300 EST

Message-ID: <951397437812307.360.91794[at]myosin-tst81.recife.net>

Mime-Version: 1.0

Content-Type: multipart/alternative;

boundary="--9812510016809159"

Now my reading of this is that it obviously spam - duh!, and I will keep reporting it as such, but my curiosity is aroused, and I want to get to know more about who is really generating this. They seem to have caught several legitimate companies within their marketing net with http://www.rookwoodcompany.com being the latest site advertised through their spam. My guess is that some sites advertised have no idea they are being 'marketed' this way. So, how do I find out more? I have the usual Mac OS X tools for doing look-ups etc.

Normally I'd dive right into something like this, but I am aware of a little knowledge being a very dangerous thing, so I thought I'd ask the experts...

Link to comment
Share on other sites

Questions asked and situation described are not directly related to the use of or problems with the SpamCop.net Parsing & Reporting system .... Moved to the Lounge for now.

Technically, nothing there that says it's "definitely spam" .. but agree that the headers are abviously "massaged" which is normal for a spam e-mail ...

12-215-248-238.client.mchsi.com suggests that this is a 'home' computer .. definitely not an mchsi e-mail server

http://spamcop.net/w3m?action=checkblock&a...=12.215.248.238

12.215.248.238 listed in bl.spamcop.net

both spamtrap hits and user complaints

http://www.senderbase.org/search?searchBy=...=12.215.248.238

Date of first message seen from this address 2006-11-14

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ......... 3.9 .. 7963%

Last 30 days ... 2.6 .... 315%

Average ......... 1.9

One can only imagine this computer owner raising hell with someone because this system is "running so slow" ....

Let's see if we can 'fix' that problem ....

From: "WazoO"

To: "Mediacom Security & Abuse"

Subject: compromised computer at 12.215.248.238

Date: Mon, 20 Nov 2006 04:13:13 -0600

As noted in a SpamCop.net support Forum query, evidence indicates

that the computer sitting at 12.215.248.238 is more than likely being

used by spammers to send their garbage.

<snipped included content from this post>

Not specifically what you were asking, but .. one step at a time ...

Link to comment
Share on other sites

Not specifically what you were asking, but .. one step at a time ...

Perfect - it's this structured, step at a time knowledge - with a little common sense thrown in - that I am after acquiring. The idea behind this is to understand in detail the threats that are out there to vulnerable machines, where the attacks come from, how they are used, spamming etc, etc, and who is doing it. If this then means I can do more to alleviate it - so much the better.

Link to comment
Share on other sites

http://www.senderbase.org/search?searchBy=...=12.215.248.238

Date of first message seen from this address 2006-11-14

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ......... 3.9 .. 7963%

Last 30 days ... 2.6 .... 315%

Average ......... 1.9

Luverly, 10 minutes with senderbase.org has taught me more than I learned in the last six months. Thanks. :)

Link to comment
Share on other sites

Gotta love that "instant response" one sometimes sees .... geeze ...

So, we follow-up amd escalate it ...

From: "WazoO"

To: "Mediacom Security & Abuse" <abuse[at]mediacomcc.com>

Cc: <abuse[at]att.net>

Subject: Fw: compromised computer at 12.215.248.238

Date: Tue, 21 Nov 2006 19:35:13 -0600

According to SenderBase data, this machine is on its way to reaching 100,000 e-mails a day ....

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ......... 4.3 .. 17623%

Last 30 days .. 2.7 ..... 319%

Average ........ 2.0

----- Original Message -----

From: "WazoO"

To: "Mediacom Security & Abuse"

Sent: Monday, November 20, 2006 4:13 AM

Subject: compromised computer at 12.215.248.238

> As noted in a SpamCop.net support Forum query, evidence indicates

> that the computer sitting at 12.215.248.238 is more than likely being

> used by spammers to send their garbage.

>

> http://forum.spamcop.net/forums/index.php?showtopic=7528

>

> 12-215-248-238.client.mchsi.com suggests that this is a 'home' computer ..

> definitely not an mchsi e-mail server

>

> http://spamcop.net/w3m?action=checkblock&a...=12.215.248.238

> 12.215.248.238 listed in bl.spamcop.net

> both spamtrap hits and user complaints

>

>

http://www.senderbase.org/search?searchBy=...=12.215.248.238

> Date of first message seen from this address 2006-11-14

> Volume Statistics for this IP

> Magnitude Vol Change vs. Average

> Last day ......... 3.9 .. 7963%

> Last 30 days ... 2.6 .... 315%

> Average ......... 1.9

>

> One can only imagine this computer owner raising hell with someone because

> this system is "running so slow" ....

Link to comment
Share on other sites

Gotta love that "instant response" one sometimes sees .... geeze ...

So, we follow-up amd escalate it ...

It must be costing the ISP in bandwidth to send all this stuff. I can only take it they don't care about costs.

In the meantime, I'm nicely accumulating a series of 'infoletter[at]doramail' spams. The pattern continues, we seem to have a Caribbean holiday company, a gift web site and a browser for kids - Buddy Browser spamvertised*. I've set up a non-identifiable, disposable email, and informed the three companies (they look reasonably legit) that they may have unwittingly hired spammers to do their email marketing, and if they can return any information about who they hired etc, it would be greatly appreciated.

Given trust levels generally with unsolicited emails I don't expect much of a response but you never know.

*The companies are:

http://www.jimbotravel.com/ - this redirects. There is a similar looking 'demo' at the redirect root.

www.gildedgilda.com/

www.buddybrowser.com

Link to comment
Share on other sites

*The companies are:

http://www.jimbotravel.com/ - this redirects. There is a similar looking 'demo' at the redirect root.

Terminology check ..... you say "redirect" .. I don't find any evidence of a 'redirect' ...

11/22/06 08:20:04 Browsing http://www.jimbotravel.com/

Fetching http://www.jimbotravel.com/ ...

GET / HTTP/1.1

Host: www.jimbotravel.com

HTTP/1.1 200 OK

Connection: close

Date: Wed, 22 Nov 2006 14:20:06 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

<title>http://www.ytbnet.com/jimbotrips

<frame src="http://www.ytbnet.com/jimbotrips"

This actually inserts the HTML code from the 'src=' site into the browser page ....

11/22/06 08:34:09 Fetching http://www.ytbnet.com/jimbotrips

Fetching http://www.ytbnet.com/jimbotrips ...

GET /jimbotrips HTTP/1.1

Host: www.ytbnet.com

HTTP/1.1 302 Found

Connection: close

Date: Wed, 22 Nov 2006 14:34:45 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 2.0.50727

Location: /Default.aspx?wa=jimbotrips&AspxAutoDetectCookieSupport=1

Object moved to <a href="/Default.aspx?wa=jimbotrips&AspxAutoDetectCookieSupport=1">here</a>

Not really a 'redirect' .. but the effect is the same

11/22/06 08:37:19 Fetching http://www.ytbnet.com/Default.aspx?wa=jimb...CookieSupport=1

Fetching http://www.ytbnet.com/Default.aspx?wa=jimb...CookieSupport=1 ...

GET /Default.aspx?wa=jimbotrips&AspxAutoDetectCookieSupport=1 HTTP/1.1

Host: www.ytbnet.com

HTTP/1.1 302 Found

Location: /Default.aspx?wa=jimbotrips&AspxAutoDetectCookieSupport=1&AspxAutoDetectCookieSupport=1

Set-Cookie: AspxAutoDetectCookieSupport=1; path=/

Object moved to <a href="/Default.aspx?wa=jimbotrips&amp;AspxAutoDetectCookieSupport=1&AspxAutoDetectCookieSupport=1">here

Obviously has a bit of a scri_pt running lookinh at the 'referrer' data ... u.e., where are 'you' coming from ..

www.gildedgilda.com/

www.buddybrowser.com

In the above, hese targets not 'seen ....???

Link to comment
Share on other sites

Terminology check ..... you say "redirect" .. I don't find any evidence of a 'redirect' ...

OK.. learning quickly here. There's a lot I don't know.

I used to teach the unemployed various graphics packages, and part of the first lesson dwelt on not being scared to say "I don't know - tell me". How else do you progress? Well, that's me now...

www.gildedgilda.com/

www.buddybrowser.com

In the above, hese targets not 'seen ....???

gildedgilda.com

buddybrowser.com

My fault - no proper link code in previous message. (Another part of the lesson said: "Always admit straight away when you are wrong. It saves time.") :rolleyes:

No response as yet from any of the web sites spamvertised.

Link to comment
Share on other sites

So, we follow-up amd escalate it ...

Date: 22 Nov 2006 15:47:09 -0500

To: Wazoo (by way of Abuse <abuse[at]mchsi.com>) (by way of Mediacom Abuse <abuse[at]mchsi.com>)

From: abuse[at]mchsi.com

Subject: Re: Fw: compromised computer at 12.215.248.238

Dear Mediacom Services Member

Thank you for contacting the Mediacom Fraud & Abuse Department.

The Fraud & Abuse Department investigated the abuse that you reported and has taken the

appropriate action. Please continue to let us know when such instances occur.

If you have any other questions or concerns, please E-mail us at:

abuse[at]mchsi.com

Regards,

Mediacom Fraud & Abuse Department

http://www.senderbase.org/search?searchBy=...=12.215.248.238

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day 3.9 6015%

Last 30 days 2.7 318%

Average 2.1

Not zero yet, but definitely reduced from yesterday .....

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...