99clunk Posted November 20, 2006

Been receiving lots of spam from an outfit that purports to be sending from the address: infoletter[at]doramail.com

Typical header info:

Return-path: <infoletter[at]doramail.com>
Received: from 12-215-248-238.client.mchsi.com (unverified [12.215.248.238]) by webmail.activeisp.com (Rockliffe SMTPRA 6.1.22) with SMTP id <B0020306614[at]mailengine10.web2000.activeisp.com>; Mon, 20 Nov 2006 09:35:48 +0100
X-Message-Info: BQCiuDYY205dlGufz/dnTXcQTTannRwgbKijWla95IQV
Received: from lint-xgh5.alcoholic.imail.ru (224.26.190.248) by sus72-rus3.uraniomail.com with Microsoft SMTPSVC(5.0.2195.6824); Mon, 20 Nov 2006 01:27:08 -0700
From: Grover Stevens <infoletter[at]doramail.com>
To: XXXX[at]XXXXXXX.co.uk
Subject: very nice
Date: Mon, 20 Nov 2006 05:28:08 -0300 EST
Message-ID: <951397437812307.360.91794[at]myosin-tst81.recife.net>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--9812510016809159"

Now my reading of this is that it's obviously spam - duh! - and I will keep reporting it as such, but my curiosity is aroused, and I want to get to know more about who is really generating this. They seem to have caught several legitimate companies within their marketing net, with http://www.rookwoodcompany.com being the latest site advertised through their spam. My guess is that some sites advertised have no idea they are being 'marketed' this way.

So, how do I find out more? I have the usual Mac OS X tools for doing look-ups etc. Normally I'd dive right into something like this, but I am aware of a little knowledge being a very dangerous thing, so I thought I'd ask the experts...
Wazoo Posted November 20, 2006

Questions asked and situation described are not directly related to the use of or problems with the SpamCop.net Parsing & Reporting system .... Moved to the Lounge for now.

Technically, nothing there that says it's "definitely spam" .. but agree that the headers are obviously "massaged", which is normal for a spam e-mail ...

12-215-248-238.client.mchsi.com suggests that this is a 'home' computer .. definitely not an mchsi e-mail server

http://spamcop.net/w3m?action=checkblock&a...=12.215.248.238
12.215.248.238 listed in bl.spamcop.net
both spamtrap hits and user complaints

http://www.senderbase.org/search?searchBy=...=12.215.248.238
Date of first message seen from this address 2006-11-14
Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day ......... 3.9 .. 7963%
Last 30 days ... 2.6 .... 315%
Average ......... 1.9

One can only imagine this computer owner raising hell with someone because this system is "running so slow" .... Let's see if we can 'fix' that problem ....

From: "WazoO"
To: "Mediacom Security & Abuse"
Subject: compromised computer at 12.215.248.238
Date: Mon, 20 Nov 2006 04:13:13 -0600

As noted in a SpamCop.net support Forum query, evidence indicates that the computer sitting at 12.215.248.238 is more than likely being used by spammers to send their garbage.

<snipped included content from this post>

Not specifically what you were asking, but .. one step at a time ...
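An added example (not code from this thread or from any SpamCop tool) that does mechanically what the post above does by hand: walk the Received chain top-down, take the IP that handed the message to the recipient's own server (the trusted boundary) as the one worth looking up, turn it into the bl.spamcop.net query name, and flag hops below the boundary whose address cannot be a real client. The header sample is a constructed copy of the headers quoted in the first post with "[at]" restored to "@"; the trusted server name is passed in and assumed to be the recipient's.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the Received chain quoted in the first post, "[at]" restored to "@".
RAW_HEADERS = """Return-path: <infoletter@doramail.com>
Received: from 12-215-248-238.client.mchsi.com (unverified [12.215.248.238])
 by webmail.activeisp.com (Rockliffe SMTPRA 6.1.22) with SMTP
 id <B0020306614@mailengine10.web2000.activeisp.com>; Mon, 20 Nov 2006 09:35:48 +0100
Received: from lint-xgh5.alcoholic.imail.ru (224.26.190.248)
 by sus72-rus3.uraniomail.com with Microsoft SMTPSVC(5.0.2195.6824); Mon, 20 Nov 2006 01:27:08 -0700
From: Grover Stevens <infoletter@doramail.com>

"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<paren>[^)]*)\)\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def received_hops(raw):
    """Received hops top-down: the first was written by the server nearest the recipient."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        ip = IP_RE.search(m.group("paren")) if m else None
        if m and ip:
            hops.append({"helo": m.group("helo"), "ip": ip.group(0), "by": m.group("by")})
    return hops

def handoff_ip(raw, trusted_by):
    """The IP that connected to our own server; everything below that hop is unverifiable."""
    for hop in received_hops(raw):
        if hop["by"].lower() == trusted_by.lower():
            return hop["ip"]
    return None

def _unroutable(ip):
    a = ipaddress.ip_address(ip)
    return a.is_multicast or a.is_private or a.is_reserved or a.is_loopback

def bogus_hops(raw):
    """Hop IPs that cannot be a real SMTP client; 224.26.190.248 in the sample is multicast."""
    return [h["ip"] for h in received_hops(raw) if _unroutable(h["ip"])]

def dnsbl_name(ip, zone):
    """Octets reversed under the zone: the name a DNSBL such as bl.spamcop.net is queried with."""
    return ".".join(reversed(ip.split("."))) + "." + zone

if __name__ == "__main__":
    print(handoff_ip(RAW_HEADERS, "webmail.activeisp.com"), bogus_hops(RAW_HEADERS))
```

Resolving the name that dnsbl_name() returns (an A record under bl.spamcop.net) is the lookup the checkblock link in the post performs; the lower Received line is forged-looking because a multicast address can never open a TCP connection.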
99clunk (Author) Posted November 20, 2006

> Not specifically what you were asking, but .. one step at a time ...

Perfect - it's this structured, step at a time knowledge - with a little common sense thrown in - that I am after acquiring. The idea behind this is to understand in detail the threats that are out there to vulnerable machines, where the attacks come from, how they are used, spamming etc., etc., and who is doing it. If this then means I can do more to alleviate it - so much the better.
99clunk (Author) Posted November 20, 2006

> http://www.senderbase.org/search?searchBy=...=12.215.248.238
> Date of first message seen from this address 2006-11-14
> Volume Statistics for this IP
> Magnitude Vol Change vs. Average
> Last day ......... 3.9 .. 7963%
> Last 30 days ... 2.6 .... 315%
> Average ......... 1.9

Luverly, 10 minutes with senderbase.org has taught me more than I learned in the last six months. Thanks.
Wazoo Posted November 22, 2006

Gotta love that "instant response" one sometimes sees .... geeze ... So, we follow up and escalate it ...

From: "WazoO"
To: "Mediacom Security & Abuse" <abuse[at]mediacomcc.com>
Cc: <abuse[at]att.net>
Subject: Fw: compromised computer at 12.215.248.238
Date: Tue, 21 Nov 2006 19:35:13 -0600

According to SenderBase data, this machine is on its way to reaching 100,000 e-mails a day ....

Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day ......... 4.3 .. 17623%
Last 30 days .. 2.7 ..... 319%
Average ........ 2.0

----- Original Message -----
From: "WazoO"
To: "Mediacom Security & Abuse"
Sent: Monday, November 20, 2006 4:13 AM
Subject: compromised computer at 12.215.248.238

> As noted in a SpamCop.net support Forum query, evidence indicates
> that the computer sitting at 12.215.248.238 is more than likely being
> used by spammers to send their garbage.
>
> http://forum.spamcop.net/forums/index.php?showtopic=7528
>
> 12-215-248-238.client.mchsi.com suggests that this is a 'home' computer ..
> definitely not an mchsi e-mail server
>
> http://spamcop.net/w3m?action=checkblock&a...=12.215.248.238
> 12.215.248.238 listed in bl.spamcop.net
> both spamtrap hits and user complaints
>
> http://www.senderbase.org/search?searchBy=...=12.215.248.238
> Date of first message seen from this address 2006-11-14
> Volume Statistics for this IP
> Magnitude Vol Change vs. Average
> Last day ......... 3.9 .. 7963%
> Last 30 days ... 2.6 .... 315%
> Average ......... 1.9
>
> One can only imagine this computer owner raising hell with someone because
> this system is "running so slow" ....
99clunk (Author) Posted November 22, 2006

> Gotta love that "instant response" one sometimes sees .... geeze ... So, we follow up and escalate it ...

It must be costing the ISP in bandwidth to send all this stuff. I can only take it they don't care about costs.

In the meantime, I'm nicely accumulating a series of 'infoletter[at]doramail' spams. The pattern continues; we seem to have a Caribbean holiday company, a gift web site and a browser for kids - Buddy Browser - spamvertised*. I've set up a non-identifiable, disposable email, and informed the three companies (they look reasonably legit) that they may have unwittingly hired spammers to do their email marketing, and if they can return any information about who they hired etc., it would be greatly appreciated. Given trust levels generally with unsolicited emails I don't expect much of a response, but you never know.

*The companies are:
http://www.jimbotravel.com/ - this redirects. There is a similar looking 'demo' at the redirect root.
www.gildedgilda.com/
www.buddybrowser.com
Wazoo Posted November 22, 2006

> *The companies are:
> http://www.jimbotravel.com/ - this redirects. There is a similar looking 'demo' at the redirect root.

Terminology check ..... you say "redirect" .. I don't find any evidence of a 'redirect' ...

11/22/06 08:20:04 Browsing http://www.jimbotravel.com/
Fetching http://www.jimbotravel.com/ ...
GET / HTTP/1.1
Host: www.jimbotravel.com

HTTP/1.1 200 OK
Connection: close
Date: Wed, 22 Nov 2006 14:20:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET

<title>http://www.ytbnet.com/jimbotrips
<frame src="http://www.ytbnet.com/jimbotrips"

This actually inserts the HTML code from the 'src=' site into the browser page ....

11/22/06 08:34:09 Fetching http://www.ytbnet.com/jimbotrips
Fetching http://www.ytbnet.com/jimbotrips ...
GET /jimbotrips HTTP/1.1
Host: www.ytbnet.com

HTTP/1.1 302 Found
Connection: close
Date: Wed, 22 Nov 2006 14:34:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: /Default.aspx?wa=jimbotrips&AspxAutoDetectCookieSupport=1

Object moved to <a href="/Default.aspx?wa=jimbotrips&AspxAutoDetectCookieSupport=1">here</a>

Not really a 'redirect' .. but the effect is the same

11/22/06 08:37:19 Fetching http://www.ytbnet.com/Default.aspx?wa=jimb...CookieSupport=1
Fetching http://www.ytbnet.com/Default.aspx?wa=jimb...CookieSupport=1 ...
GET /Default.aspx?wa=jimbotrips&AspxAutoDetectCookieSupport=1 HTTP/1.1
Host: www.ytbnet.com

HTTP/1.1 302 Found
Location: /Default.aspx?wa=jimbotrips&AspxAutoDetectCookieSupport=1&AspxAutoDetectCookieSupport=1
Set-Cookie: AspxAutoDetectCookieSupport=1; path=/

Object moved to <a href="/Default.aspx?wa=jimbotrips&AspxAutoDetectCookieSupport=1&AspxAutoDetectCookieSupport=1">here

Obviously has a bit of a script running looking at the 'referrer' data ... i.e., where are 'you' coming from ..

> www.gildedgilda.com/
> www.buddybrowser.com

In the above, these targets not 'seen' ....???
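An added example, not code from the thread or from the fetch tool used above: an offline reconstruction of the three fetches in the post that labels each hop as a frame embed (page content pulled in, address bar unchanged), an HTTP 302 Location redirect, or a meta refresh, so the distinction the post draws is applied mechanically and the chain stops at the first URL that was not captured. The RESPONSES table is constructed from the captured output shown above; the function names are my own.

```python
import re
from urllib.parse import urljoin

# Constructed offline stand-in for the three fetches shown in the post: URL -> (status, headers, body).
RESPONSES = {
    "http://www.jimbotravel.com/": (200, {},
        '<title>http://www.ytbnet.com/jimbotrips</title>'
        '<frameset><frame src="http://www.ytbnet.com/jimbotrips"></frameset>'),
    "http://www.ytbnet.com/jimbotrips": (302,
        {"Location": "/Default.aspx?wa=jimbotrips&AspxAutoDetectCookieSupport=1"}, "Object moved"),
    "http://www.ytbnet.com/Default.aspx?wa=jimbotrips&AspxAutoDetectCookieSupport=1": (302,
        {"Location": "/Default.aspx?wa=jimbotrips&AspxAutoDetectCookieSupport=1"
                     "&AspxAutoDetectCookieSupport=1",
         "Set-Cookie": "AspxAutoDetectCookieSupport=1; path=/"}, "Object moved"),
}

FRAME_RE = re.compile(r'<i?frame\b[^>]*\bsrc="([^"]+)"', re.I)
META_RE = re.compile(r'<meta\b[^>]*http-equiv="refresh"[^>]*\burl=([^"\s;]+)', re.I)

def classify(url, status, headers, body):
    """Name the kind of hop a response produces and where it leads (None when it is the final page)."""
    location = headers.get("Location")
    if 300 <= status < 400 and location:      # a real HTTP redirect: the browser's address changes
        return "http-redirect", urljoin(url, location)
    m = FRAME_RE.search(body)                 # a frame: the other site's HTML is pulled into this page
    if m:
        return "frame-embed", urljoin(url, m.group(1))
    m = META_RE.search(body)                  # client-side refresh: not an HTTP redirect either
    if m:
        return "meta-refresh", urljoin(url, m.group(1))
    return "final", None

def trace(start, fetch, max_hops=10):
    """Walk the chain with fetch(url) -> (status, headers, body) or None; stop on loops/unknown URLs."""
    url, seen, path = start, set(), []
    while url and url not in seen and len(path) < max_hops:
        seen.add(url)
        resp = fetch(url)
        if resp is None:                      # not captured (the post's capture stops here too)
            path.append(("unfetched", url))
            break
        kind, nxt = classify(url, *resp)
        path.append((kind, url))
        url = nxt
    return path

if __name__ == "__main__":
    for kind, url in trace("http://www.jimbotravel.com/", RESPONSES.get):
        print(f"{kind:14} {url}")
```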
99clunk (Author) Posted November 22, 2006

> Terminology check ..... you say "redirect" .. I don't find any evidence of a 'redirect' ...

OK.. learning quickly here. There's a lot I don't know. I used to teach the unemployed various graphics packages, and part of the first lesson dwelt on not being scared to say "I don't know - tell me". How else do you progress? Well, that's me now...

> www.gildedgilda.com/
> www.buddybrowser.com
>
> In the above, these targets not 'seen' ....???

gildedgilda.com
buddybrowser.com

My fault - no proper link code in previous message. (Another part of the lesson said: "Always admit straight away when you are wrong. It saves time.")

No response as yet from any of the web sites spamvertised.
Wazoo Posted November 22, 2006

> So, we follow up and escalate it ...

Date: 22 Nov 2006 15:47:09 -0500
To: Wazoo (by way of Abuse <abuse[at]mchsi.com>) (by way of Mediacom Abuse <abuse[at]mchsi.com>)
From: abuse[at]mchsi.com
Subject: Re: Fw: compromised computer at 12.215.248.238

Dear Mediacom Services Member

Thank you for contacting the Mediacom Fraud & Abuse Department. The Fraud & Abuse Department investigated the abuse that you reported and has taken the appropriate action. Please continue to let us know when such instances occur.

If you have any other questions or concerns, please E-mail us at: abuse[at]mchsi.com

Regards,
Mediacom Fraud & Abuse Department

http://www.senderbase.org/search?searchBy=...=12.215.248.238
Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day 3.9 6015%
Last 30 days 2.7 318%
Average 2.1

Not zero yet, but definitely reduced from yesterday .....