Farelf Posted April 12, 2004

> ..in another post whazoo was asking if I try to get in the spammer's mind...maybe I do, I used to think that most actions serve some purpose...I am starting to change my mind.. :angry:

You are just trying to assert some control over what happens to you, as I imagine are all others here. Forgive my impertinence but perhaps you let them "wind you up" overmuch. "They" can only punch your buttons if you let them. I think spamming is essentially a mindless activity, in its execution, if not its intent; it is like a "machine" with the entertaining ability to evolve to meet challenge.
dra007 Posted April 12, 2004

Getting control over this is totally hopeless, I do want to get some insight into the spam business.. if that gives any measure of control, if you feel being stalked, and this is what spam makes me feel like, I want to get some sense of rationale in the phenomenon, and hopefully yes, some sense of control... and I am happy to find people that share my frustration and actually do something about it...

..but as you too noticed, there may be people that are not as patient as I in seeking an answer, or at least a measure of control...
silentlarry Posted April 12, 2004

I'm filing this spam in the "at least the disclaimer is honest" category. The disclaimer (below) was almost the same length as the rest of the spam. Check out the last paragraph after "Furthermore..." Who wouldn't want to sink their money into this?

[various lies deleted] ...

> - China World Trade Corp Signs Letter of Intent to Acquire
> Controlling Stake of Guangdong Huahao Industries Holdings Limited
>
> Information within this email contains "forward looking statements"
> within the meaning of Section 27A of the Securities Act of 1933 and
> Section 21B of the Securities Exchange Act of 1934. Any statements
> that express or involve discussions with respect to predictions,
> goals, expectations, beliefs, plans, projections, objectives,
> assumptions or future events or performance are not statements of
> historical fact and may be "forward looking statements."
> mycpc wdejn xjjbb udwxw imbvq xgnliqotwg pegrk rursd eanbd
> ktdvd whoik idsre ilbjp
> Forward looking statements are based on expectations, estimates
> and projections at the time the statements are made that involve a
> number of risks and uncertainties which could cause actual results
> or events to differ materially from those presently anticipated.
> Forward looking statements in this action may be identified through
> the use of words such as: "projects", "foresee", "expects",
> "estimates," "believes," "understands" "will", "anticipates," or
> that by statements indicating certain actions "may," "could," or
> "might" occur. All information provided within this email
> pertaining to investing, stocks, securities must be understood as
> information provided and not investment advice. WE advise all readers
> and subscribers to seek advice from a registered professional
> securities representative before deciding to trade in stocks
> featured within this email. None of the material within this
> report shall be construed as any kind of investment advice. GS
> Research and/or its officers and employees have been compensated
> 50,000 open trade shares by a third party for work involved in the
> preparation and production of this report
>
> In compliance with Section 17(, we disclose the holding of
> independently purchased shares of the company mentioned prior to
> the publication of this report.. Be aware of an inherent conflict
> of interest resulting from such holdings due to our intent to
> profit from the liquidation of these shares. Shares may be sold at
> any time, even after positive statements have been made regarding the
> above company. Short term trading targets are only guesses on our
> part. Keep in mind that when trading small stocks like the company
> above there is a chance you will lose every penny you invest.
> Furthermore there have been times in the past when the Company
> itself tells lies, gives false information and puts out false
> news. This email is for entertainment purposes only. This is not
> investment advice. We suggest you check with an investment
> professional before investing any stocks or mutual funds.
> hntyr hmgoe ermvs xopvz mglou xmgbetrxdf fcefa xoxlw haxrf
> numqs aqgou ryeng yezbs
Farelf Posted April 12, 2004

> This email is for entertainment purposes only.

Well, it certainly entertained me (even if the statement is yet another lie). I've not actually *read* this stuff before, what a hoot! Much obliged silentlarry. Honesty? Maybe - it's marvellous what the prospect of 15-20 in a Federal penitentiary does to improve the morals (and to think how the "corrective services" experts agonize over "rehabilitation"!). Marvellous to reflect what "life without remission" might do for society ;-)

> hntyr hmgoe ermvs xopvz mglou xmgbetrxdf fcefa xoxlw haxrf

I've got no argument with that!
dra007 Posted April 16, 2004

Now this is funny, this is the message I got with my last virus attachment!

Return-Path: <raffaellof[at]fisiopat.sacco.unimi.it>
Received: from mb1i1.ns.pitt.edu (mb1i1.ns.pitt.edu [136.142.185.161])
     by imap.srv.cis.pitt.edu with ESMTP (8.8.8/8.8.8/cisimap-7.2.2.4)
     ID <GAA17427[at]imap.srv.cis.pitt.edu> for <me [at]imap.pitt.edu>;
     Fri, 16 Apr 2004 06:20:41 -0400 (EDT)
From: raffaellof[at]fisiopat.sacco.unimi.it
Received: from CONVERSION-DAEMON by pitt.edu (PMDF V5.2-32 #41462) id <01L8ZKU7QABK006FEL[at]mb1i1.ns.pitt.edu> for me [at]imap.pitt.edu; Fri, 16 Apr 2004 06:20:40 EDT
Received: from imap.pitt.edu ([202.120.139.35]) by pitt.edu (PMDF V5.2-32 #41462) with ESMTP id <01L8ZKU43IWC005P6J[at]mb1i1.ns.pitt.edu> for ads5[at]imap.pitt.edu; Fri, 16 Apr 2004 06:20:39 -0400 (EDT)
Date: Fri, 16 Apr 2004 18:13:11 +0800
Subject: spam
To: me [at]imap.pitt.edu
Message-id: <01L8ZKU4I79Q005P6J[at]mb1i1.ns.pitt.edu>
MIME-version: 1.0
Content-type: multipart/mixed; boundary="Boundary_(ID_me8xCnJNW5nd/2v1y6UKxQ)"
X-Priority: 3
X-MSMail-priority: Normal

This is a multi-part message in MIME format.

--Boundary_(ID_me8xCnJNW5nd/2v1y6UKxQ)
Content-type: text/plain; charset="Windows-1252"
Content-transfer-encoding: 7bit

I have visited this website and I found you in the spammer list. Is that true?

--Boundary_(ID_me8xCnJNW5nd/2v1y6UKxQ)
dra007 Posted April 16, 2004

This is even funnier, the virus attachment is camouflaged behind a warning that I am spamming, this idiot must really think that I will open that?

Return-Path: <>
Received: from mb1i1.ns.pitt.edu (mb1i1.ns.pitt.edu [136.142.185.161])
     by imap.srv.cis.pitt.edu with ESMTP (8.8.8/8.8.8/cisimap-7.2.2.4)
     ID <EAA77206072[at]imap.srv.cis.pitt.edu> for <me [at]imap.pitt.edu>;
     Fri, 16 Apr 2004 04:26:27 -0400 (EDT)
Received: from CONVERSION-DAEMON by pitt.edu (PMDF V5.2-32 #41462) id <01L8ZGUKENDS00683F[at]mb1i1.ns.pitt.edu> for me [at]imap.pitt.edu; Fri, 16 Apr 2004 04:26:25 EDT
Received: from gwmail.cambridgesoft.com ([198.112.109.6]) by pitt.edu (PMDF V5.2-32 #41462) with ESMTP id <01L8ZGUJATVI001XAQ[at]mb1i1.ns.pitt.edu> for me [at]imap.pitt.edu; Fri, 16 Apr 2004 04:26:24 -0400 (EDT)
Received: by gwmail.cambridgesoft.com with XWall v3.29 ; Fri, 16 Apr 2004 04:28:08 -0400
Content-return: prohibited
Date: Fri, 16 Apr 2004 04:28:08 -0400
From: System Administrator <postmaster2[at]cambridgesoft.com>
Subject: Non delivery report: 5.9.4 (spam warning)
To: "me [at]imap.pitt.edu" <me [at]imap.pitt.edu>
Message-id: <324707288.2721492765.1972[at]gwmail.cambridgesoft.com>
MIME-version: 1.0
X-Mailer: XWall v3.29
Content-type: multipart/report; boundary="Boundary_(ID_S7mtBz5MYeM+VE1OnldOkw)"; report-type=delivery-status

This is a multi part message in MIME format.

--Boundary_(ID_S7mtBz5MYeM+VE1OnldOkw)
Content-type: text/plain; charset="us-ascii"
Content-transfer-encoding: quoted-printable

Your message
=20From: me [at]imap.pitt.edu
=20To: mswartz[at]cambridgesoft.com
=20Subj: Re: Error
=20Sent: 2004-04-16 04:18
has encountered a delivery problem.
Reason: spam warning
The message was received from a host that is currently on a spam list and is=
presumed to be unsolicited email.
If you believe this to be an error, please forward this bounce message to no=
tspam[at]cambridgesoft.com for review including an explanation of who you were trying to contact.
Additional info:
The sending host was: 202.120.139.35 [202.120.139.35]
The SLS service was: bl.spamcop.net

--Boundary_(ID_S7mtBz5MYeM+VE1OnldOkw)
Content-type: message/xdelivery-status ; name="delivery-status.txt"

Reporting-MTA: dns; gwmail.cambridgesoft.com
Received-From-MTA: dns; 202.120.139.35
Arrival-Date: Fri, 16 Apr 2004 04:28:07 -0400
Final-Recipient: rfc822; mswartz[at]cambridgesoft.com
Action: failed
Status: 5.9.4
Diagnostic-Code: X-XWall; 5.9.4 spam warning

--Boundary_(ID_S7mtBz5MYeM+VE1OnldOkw)
Content-type: message/rfc822

Received: from 202.120.139.35 [202.120.139.35] by gwmail.cambridgesoft.com with XWall v3.29 ; Fri, 16 Apr 2004 04:28:04 -0400
Date: Fri, 16 Apr 2004 16:18:53 +0800
From: me [at]imap.pitt.edu
Subject: Re: Error
To: mswartz[at]cambridgesoft.com
MIME-version: 1.0
Content-type: multipart/mixed; boundary="Boundary_(ID_7zNU/sykPBZJ72tj3TbQOA)"
X-Priority: 3
X-MSMail-priority: Normal

This is a multi-part message in MIME format.

--Boundary_(ID_7zNU/sykPBZJ72tj3TbQOA)
Content-type: text/plain; charset="Windows-1252"
Content-transfer-encoding: 7bit

You have received an extended message. Please read the instructions.

--Boundary_(ID_7zNU/sykPBZJ72tj3TbQOA)

Notice the typical missing return path, and forged header, and why does this spammer blame it on spamcop?
StevenUnderwood Posted April 16, 2004

dra007: The original message was sent from a host on the bl and it had your email address as the sender. Cambridgesoft's configuration is "bouncing" the message to the forged sender address rather than rejecting it during the SMTP transaction.

202.120.139.35 listed in bl.spamcop.net (127.0.0.2)
Since SpamCop started counting, this system has been reported about 10 times by less than 10 users. It has been sending mail consistently for at least 37 hours.
In the past 40.1 days, it has been listed 4 times for a total of 13.3 days

The previous message you posted may have been similar but with a humorous rather than helpful error message.

Further explanation:

> Notice the typical missing return path, and forged header, and why does this spammer blame it on spamcop?

Return-Path is often blank for a bounce message because there is no account to receive it. The mail software is generating it. And I can find no forged header anywhere in this message. Please be more specific.

Original email sent to user at cambridgesoft:

Received: from 202.120.139.35 [202.120.139.35] by gwmail.cambridgesoft.com with XWall v3.29; Fri, 16 Apr 2004 04:28:04 -0400
Date: Fri, 16 Apr 2004 16:18:53 +0800
From: x[at]imap.pitt.edu
Subject: Re: Error
To: x[at]cambridgesoft.com

Cambridgesoft finds the IP on the spamcop bl and returns the error message to the forged sender email address:

Received: from gwmail.cambridgesoft.com ([198.112.109.6]) by pitt.edu (PMDF V5.2-32 #41462) with ESMTP id <01L8ZGUJATVI001XAQ[at]mb1i1.ns.pitt.edu> for x[at]imap.pitt.edu;

P.S. You left your email address in the header directly above. You will probably want to edit your post.
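The header walk-through in the post above, as an added Python example that is not part of the original thread: it parses the `Received:` chain of a constructed message modelled on the headers quoted on this page and reports the hop where mail crossed from an outside host into the recipient's own servers. The local domain `pitt.edu`, the internal network `136.142.0.0/16` and the `example.*` addresses are assumptions made for the illustration.

```python
"""Find the hop where a message entered our mail system (added example)."""
import email
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the headers quoted in this thread.
# Mail addresses are placeholders; host names and IPs follow the quoted headers.
SAMPLE = """\
Return-Path: <someone@example.org>
Received: from mb1i1.ns.pitt.edu (mb1i1.ns.pitt.edu [136.142.185.161])
     by imap.srv.cis.pitt.edu with ESMTP (8.8.8/8.8.8/cisimap-7.2.2.4)
     for <recipient@example.edu>; Fri, 16 Apr 2004 06:20:41 -0400 (EDT)
From: someone@example.org
Received: from CONVERSION-DAEMON by pitt.edu (PMDF V5.2-32 #41462)
 for recipient@example.edu; Fri, 16 Apr 2004 06:20:40 EDT
Received: from imap.pitt.edu ([202.120.139.35])
 by pitt.edu (PMDF V5.2-32 #41462) with ESMTP
 for recipient@example.edu; Fri, 16 Apr 2004 06:20:39 -0400 (EDT)
Date: Fri, 16 Apr 2004 18:13:11 +0800
Subject: spam
To: recipient@example.edu

I have visited this website and I found you in the spammer list. Is that true?
"""

LOCAL_DOMAIN = "pitt.edu"                                  # assumption
INTERNAL_NETS = [ipaddress.ip_network("136.142.0.0/16")]   # assumption

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?P<rest>.*?)\sby\s+(?P<by>[\w.-]+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:
    helo: str            # name the sending host claimed for itself
    ip: Optional[str]    # address the receiving server actually saw, if recorded
    by: str              # server that wrote this header


def in_domain(host, domain):
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def parse_hops(raw):
    """Return the Received hops in header order, newest first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if not m:
            continue
        ip = IP_RE.search(m.group("rest"))
        hops.append(Hop(m.group("helo"), ip.group(1) if ip else None, m.group("by")))
    return hops


def entry_hop(raw):
    """First hop, reading downward, that our own server wrote about an outside IP."""
    for hop in parse_hops(raw):
        if not in_domain(hop.by, LOCAL_DOMAIN):
            break    # headers below this were written by hosts we do not control
        if hop.ip and not is_internal(hop.ip):
            return hop
    return None


def helo_claims_local(hop):
    """True when an outside address introduced itself with one of our host names."""
    return (hop.ip is not None and not is_internal(hop.ip)
            and in_domain(hop.helo, LOCAL_DOMAIN))


if __name__ == "__main__":
    hop = entry_hop(SAMPLE)
    print("entered from", hop.ip, "claiming to be", hop.helo, "accepted by", hop.by)
    print("HELO name borrows the local domain:", helo_claims_local(hop))
```

The `From:` and `Return-Path:` values play no part in the result: only the address recorded by the receiving server is used, which is why the forged sender in these messages does not hide 202.120.139.35.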
dra007 Posted April 16, 2004

Thanks for the tips Steve, so tell me

> Cambridgesoft finds the IP on the spamcop bl and returns the error message to the forged sender email address:

are you implying the spammer is forging my IP in their spam and I end up on bl list? Also, if this was a bounce why did it also have a virus attachment?
StevenUnderwood Posted April 16, 2004

> are you implying the spammer is forging my IP in their spam and I end up on bl list?

No, the message has forged your email address, not your IP address. The IP address the original message came from is: 202.120.139.35. There is no rDNS for that IP but spam reports go to: abuse[at]net.edu.cn so that IP is probably in China.

> Also, if this was a bounce why did it also have a virus attachment?

The original message was probably sent by a virus infected machine. Cambridgesoft's systems seem to be configured to check the spamcop bl before performing any virus scanning. Something needs to be checked first. If it never reached their virus scanner, it would not have known to remove the virus.

If I were their administrator (and had authority from management) I would check the receiving IP against the blocklists (specifically open relay and dial-up type addresses and possibly spamcop) before accepting any messages and reject those found during the SMTP process rather than accepting, processing and bouncing as they seem to be doing. After accepting the message you can then do virus scans and SpamAssassin scanning on the content but either drop (not good for business purposes) or quarantine items that fail these tests, not bounce.
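The ordering recommended in the post above, as an added Python example (not from the thread, and not Cambridgesoft's or SpamCop's code): it builds the DNSBL query for the connecting IP and compares rejecting during the SMTP transaction with accepting and bouncing afterwards. The reply texts, the `Session` fields, the stub resolver and the `example.*` addresses are assumptions; the listed IP, the zone and the `127.0.0.2` answer are the ones quoted on this page.

```python
"""DNSBL check at SMTP time versus accept-then-bounce (added example)."""
import ipaddress
import socket
from dataclasses import dataclass

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")   # DNSBL "listed" answers live here


def dnsbl_query_name(ip, zone):
    """202.120.139.35 + bl.spamcop.net -> 35.139.120.202.bl.spamcop.net"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """A records for name, or [] when the name does not exist (needs network)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def dnsbl_codes(ip, zone, resolver=system_resolver):
    """Return the listing codes for ip; an empty list means not listed."""
    answers = resolver(dnsbl_query_name(ip, zone))
    # Answers outside 127/8 come from a resolver that rewrites NXDOMAIN, not the list.
    return [a for a in answers if ipaddress.ip_address(a) in LISTED_RANGE]


@dataclass
class Session:
    client_ip: str   # taken from the TCP connection, not from any header
    mail_from: str   # envelope sender, freely chosen by the client
    rcpt_to: str


def reject_during_smtp(s, zone, resolver=system_resolver):
    """Policy from the post: refuse listed hosts before accepting the message."""
    if dnsbl_codes(s.client_ip, zone, resolver):
        # The connecting host gets the error; this server generates no mail.
        return "554 5.7.1 %s is listed in %s" % (s.client_ip, zone), []
    return "250 2.0.0 queued", []


def accept_then_bounce(s, zone, resolver=system_resolver):
    """Behaviour described in the post: accept, then mail a report to mail_from."""
    if dnsbl_codes(s.client_ip, zone, resolver):
        report = {"envelope_from": "<>",      # bounces carry a null return path
                  "to": s.mail_from,          # whoever the client claimed to be
                  "subject": "Non delivery report (spam warning)"}
        return "250 2.0.0 queued", [report]
    return "250 2.0.0 queued", []


# Constructed stand-in for DNS so the example runs offline.
STUB_ZONE_DATA = {"35.139.120.202.bl.spamcop.net": ["127.0.0.2"]}


def stub_resolver(name):
    return STUB_ZONE_DATA.get(name, [])


# Constructed session: the sending host uses a third party's address as sender.
FORGED = Session("202.120.139.35", "bystander@example.edu", "staff@example.com")

if __name__ == "__main__":
    for policy in (reject_during_smtp, accept_then_bounce):
        reply, outbound = policy(FORGED, "bl.spamcop.net", stub_resolver)
        print(policy.__name__, "->", reply, "| mail sent to:", [m["to"] for m in outbound])
```

With the second policy the only party that receives anything is the address in `mail_from`, which is how the bounce ended up in the inbox of someone who never sent the message.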
dra007 Posted April 16, 2004

> go to: abuse[at]net.edu.cn so that IP is probably in China

Seems 80% of my spams are reported there lately, the spammer has discarded other IPs....
dra007 Posted April 19, 2004

This idiot in China wants me to open his virus file, rather amusing, I parsed it to see where it came from, and it wasn't symantec, besides, I did not submit a virus since the spam and virus attack started, he must be getting really desperate:

Return-Path: <support[at]symantec.com>
Received: from mb2i1.ns.pitt.edu (mb2i1.ns.pitt.edu [136.142.185.162])
     by imap.srv.cis.pitt.edu with ESMTP (8.8.8/8.8.8/cisimap-7.2.2.4)
     ID <GAA13614[at]imap.srv.cis.pitt.edu> for < >;
     Mon, 19 Apr 2004 06:56:08 -0400 (EDT)
From: support[at]symantec.com
Received: from CONVERSION-DAEMON by pitt.edu (PMDF V5.2-32 #41462) id < [at]mb2i1.ns.pitt.edu> for ; Mon, 19 Apr 2004 06:56:06 EDT
Received: from ([202.120.139.35]) by pitt.edu (PMDF V5.2-32 #41462) with ESMTP id <01L93SY2VA38009ESU[at]mb2i1.ns.pitt.edu> for ; Mon, 19 Apr 2004 06:56:05 -0400 (EDT)
Date: Mon, 19 Apr 2004 18:48:35 +0800
Subject: Re: Submit a Virus Sample
To:
Message-id: <01L93SY3A60M009ESU[at]mb2i1.ns.pitt.edu>
MIME-version: 1.0
Content-type: multipart/mixed; boundary="Boundary_(ID_czd0k/0j3B1b7WYLCqXE/g)"
X-Priority: 3
X-MSMail-priority: Normal

This is a multi-part message in MIME format.

--Boundary_(ID_czd0k/0j3B1b7WYLCqXE/g)
Content-type: text/plain; charset="Windows-1252"
Content-transfer-encoding: 7bit

The sample file you sent contains a new virus version of mydoom.j.
Please clean your system with the attached signature.
Sincerly,
Robert Ferrew

--Boundary_(ID_czd0k/0j3B1b7WYLCqXE/g)
dra007 Posted April 19, 2004

Same idiot as the aforementioned post is sending files which automatically open the virus attachment....Now he is really getting desperate, their site bounces spam reports..funny..

Return-Path: <minoue[at]fukuoka-u.ac.jp>
Received: from mb1i1.ns.pitt.edu (mb1i1.ns.pitt.edu [136.142.185.161])
     by imap.srv.cis.pitt.edu with ESMTP (8.8.8/8.8.8/cisimap-7.2.2.4)
     ID < > for < >;
     Mon, 19 Apr 2004 09:13:34 -0400 (EDT)
From: minoue[at]fukuoka-u.ac.jp
Received: from CONVERSION-DAEMON by pitt.edu (PMDF V5.2-32 #41462) id < [at]mb1i1.ns.pitt.edu> for ; Mon, 19 Apr 2004 09:13:33 EDT
Received: from imap.pitt.edu ([202.120.139.35]) by pitt.edu (PMDF V5.2-32 #41462) with ESMTP id <01L93XQ6N5W80189DM[at]mb1i1.ns.pitt.edu> for ; Mon, 19 Apr 2004 09:13:17 -0400 (EDT)
Date: Mon, 19 Apr 2004 21:05:47 +0800
Subject: Mail Delivery (failure )
To:
Message-id: <01L93XQ74VJU0189DM[at]mb1i1.ns.pitt.edu>
MIME-version: 1.0
Content-type: multipart/related; boundary="Boundary_(ID_Qg1l1W8lcc7kcQj1VZttRw)"; type="multipart/alternative"
X-Priority: 3
X-MSMail-priority: Normal

This is a multi-part message in MIME format.

--Boundary_(ID_Qg1l1W8lcc7kcQj1VZttRw)
Content-type: multipart/alternative; boundary="Boundary_(ID_yxXnStlhNmAbfBVx0EmSqg)"

--Boundary_(ID_yxXnStlhNmAbfBVx0EmSqg)
Content-type: text/plain; charset="iso-8859-1"
Content-transfer-encoding: quoted-printable

--Boundary_(ID_yxXnStlhNmAbfBVx0EmSqg)
Content-type: text/html; charset="iso-8859-1"
Content-transfer-encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Diso-8859-1" =
http-equiv=3DContent-Type>
<META content=3D"MSHTML 5.00.2920.0" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>If the message will not displayed automatically,<br>
follow the link to read the delivered message.<br><br>
Received message is available at:<br>
<a href=3Dcid:031401Mfdab4$3f3dL780$73387018[at]57W81fa70Re height=3D0 width=3D0> </a>
<iframe src=3Dcid:031401Mfdab4$3f3dL780$73387018[at]57W81fa70Re height=3D0 width=3D0></iframe>
<DIV> </DIV></BODY></HTML>

--Boundary_(ID_yxXnStlhNmAbfBVx0EmSqg)--

--Boundary_(ID_Qg1l1W8lcc7kcQj1VZttRw)
Content-id: <031401Mfdab4$3f3dL780$73387018[at]57W81fa70Re>
Content-type: text/plain; name=replaced.txt
Content-transfer-encoding: 7BIT

IMPORTANT: An attachment included with this message has been automatically removed by the University's electronic mail systems because such attachments may contain computer viruses, worms, or other potentially malicious software code. If you were expecting to receive a message from this sender including an attached executable file (.exe), batch file (.bat), or others, and you know the identity of the sender, you should contact the sender to make other arrangements to receive the file. Please contact the Technology Help Desk at 412 624-HELP [4357] for additional information or assistance. Further information on message attachment removal is available online at http://technology.pitt.edu/security/index.html. Thank you.

--Boundary_(ID_Qg1l1W8lcc7kcQj1VZttRw)--

good thing my provider removed the damn thing!
dra007 Posted April 27, 2004

days later this idiot is trying once again...same edu.cn domain..I still haven't figured out how he gets the virus to open to a save window automatically...

Return-Path: <jeffrey_j_legos[at]gsk.com>
Received: from mb2i1.ns.pitt.edu (mb2i1.ns.pitt.edu [136.142.185.162])
     by imap.srv.cis.pitt.edu with ESMTP (8.8.8/8.8.8/cisimap-7.2.2.4)
     ID <UAA19850[at]imap.srv.cis.pitt.edu> for < [at]imap.pitt.edu>;
     Mon, 26 Apr 2004 20:11:19 -0400 (EDT)
From: jeffrey_j_legos[at]gsk.com
Received: from CONVERSION-DAEMON by pitt.edu (PMDF V5.2-32 #41462) id <01L9ECRH1CWW00BQ8M[at]mb2i1.ns.pitt.edu> for [at]imap.pitt.edu; Mon, 26 Apr 2004 20:11:17 EDT
Received: from imap.pitt.edu ([202.120.139.35]) by pitt.edu (PMDF V5.2-32 #41462) with ESMTP id <01L9ECRCDW5K00DZHJ[at]mb2i1.ns.pitt.edu> for imap.pitt.edu; Mon, 26 Apr 2004 20:11:13 -0400 (EDT)
Date: Tue, 27 Apr 2004 08:03:42 +0800
Subject: Mail Delivery (failure [at]imap.pitt.edu)
To: [at]imap.pitt.edu
Message-id: <01L9ECRCSP8E00DZHJ[at]mb2i1.ns.pitt.edu>
MIME-version: 1.0
Content-type: multipart/related; boundary="Boundary_(ID_BVoPt7edXgoe6V1UhQbV2Q)"; type="multipart/alternative"
X-Priority: 3
X-MSMail-priority: Normal

This is a multi-part message in MIME format.

--Boundary_(ID_BVoPt7edXgoe6V1UhQbV2Q)
Content-type: multipart/alternative; boundary="Boundary_(ID_lQw1+f9hIGFZBvO94GIOZQ)"

--Boundary_(ID_lQw1+f9hIGFZBvO94GIOZQ)
Content-type: text/plain; charset="iso-8859-1"
Content-transfer-encoding: quoted-printable

--Boundary_(ID_lQw1+f9hIGFZBvO94GIOZQ)
Content-type: text/html; charset="iso-8859-1"
Content-transfer-encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Diso-8859-1" =
http-equiv=3DContent-Type>
<META content=3D"MSHTML 5.00.2920.0" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>If the message will not displayed automatically,<br>
follow the link to read the delivered message.<br><br>
Received message is available at:<br>
<a href=3Dcid:031401Mfdab4$3f3dL780$73387018[at]57W81fa70Re height=3D0 width=3D0>www.imap.pitt.edu/inbox/ /read.php?sessionid-31265</a>
<iframe src=3Dcid:031401Mfdab4$3f3dL780$73387018[at]57W81fa70Re height=3D0 width=3D0></iframe>
<DIV> </DIV></BODY></HTML>

--Boundary_(ID_lQw1+f9hIGFZBvO94GIOZQ)--

--Boundary_(ID_BVoPt7edXgoe6V1UhQbV2Q)
Content-id: <031401Mfdab4$3f3dL780$73387018[at]57W81fa70Re>
Content-type: text/plain; name=replaced.txt
Content-transfer-encoding: 7BIT

IMPORTANT: An attachment included with this message has been automatically removed by the University's electronic mail systems because such attachments may contain computer viruses, worms, or other potentially malicious software code. If you were expecting to receive a message from this sender including an attached executable file (.exe), batch file (.bat), or others, and you know the identity of the sender, you should contact the sender to make other arrangements to receive the file. Please contact the Technology Help Desk at 412 624-HELP [4357] for additional information or assistance. Further information on message attachment removal is available online at http://technology.pitt.edu/security/index.html. Thank you.

--Boundary_(ID_BVoPt7edXgoe6V1UhQbV2Q)--
StevenUnderwood Posted April 27, 2004

> days later this idiot is trying once again...same edu.cn domain.

Probably does not realize he is infected. I have received 10+ virus messages from the same host for over 2 weeks with me reporting to his ISP every day before I remembered the IP block function of our spam prevention solution. Now, if our domain receives 10 or more viruses from the same host in 1 week, they are placed on the local blocklist for 30 days. These are all client type IP addresses so they should not be sending email directly to us anyways.

> I still haven't figured out how he gets the virus to open to a save window automatically...

You have mentioned elsewhere you are using HTML viewing for your email messages. If that is still the case, this is one of the side effects. Have you contacted your CSSD at the link at the bottom of the message with this question? The message you are seeing is not the message as sent by the other end, but a reformatted version which was modified by your university servers.

> IMPORTANT: An attachment included with this message has been automatically removed by the University's electronic mail systems because such attachments may contain computer viruses, worms, or other potentially malicious software code. If you were expecting to receive a message from this sender including an attached executable file (.exe), batch file (.bat), or others, and you know the identity of the sender, you should contact the sender to make other arrangements to receive the file. Please contact the Technology Help Desk at 412 624-HELP [4357] for additional information or assistance. Further information on message attachment removal is available online at http://technology.pitt.edu/security/index.html. Thank you.
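The local blocklist rule described in the post above (10 or more viruses from one host within a week, blocked for 30 days), as an added Python example rather than the poster's actual filter. The class and function names and the sample detections are constructed, and the 192.0.2.x hosts are documentation addresses.

```python
"""Threshold-based local blocklist (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LocalBlocklist:
    def __init__(self, threshold=10, window=timedelta(days=7),
                 block_for=timedelta(days=30)):
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self.hits = defaultdict(deque)   # ip -> detection times inside the window
        self.blocked_until = {}          # ip -> time the listing expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is not None and now >= until:
            del self.blocked_until[ip]   # listing has expired
            until = None
        return until is not None

    def record_virus(self, ip, now):
        """Register one detection (calls must be in time order).

        Returns True when ip is on the blocklist after this detection.
        """
        hits = self.hits[ip]
        hits.append(now)
        while now - hits[0] >= self.window:   # forget detections older than the window
            hits.popleft()
        if len(hits) >= self.threshold:
            self.blocked_until[ip] = now + self.block_for
            hits.clear()
        return self.is_blocked(ip, now)


def replay(events, policy=None):
    """Feed (time, ip) detections in order; return {ip: time its block started}."""
    policy = policy or LocalBlocklist()
    started = {}
    for when, ip in sorted(events):
        if policy.is_blocked(ip, when):
            continue                     # connection refused, nothing reaches the scanner
        if policy.record_virus(ip, when):
            started[ip] = when
    return started


START = datetime(2004, 4, 12)
# Constructed detections. SLOW sends one infected message a day for two weeks;
# BURST sends four a day for three days.
SLOW = [(START + timedelta(days=d), "192.0.2.10") for d in range(14)]
BURST = [(START + timedelta(days=d, hours=h), "192.0.2.20")
         for d in range(3) for h in (1, 7, 13, 19)]

if __name__ == "__main__":
    for ip, when in replay(SLOW + BURST).items():
        print(ip, "blocked from", when, "until", when + timedelta(days=30))
```

The slow sender never has more than seven detections inside any one-week window, so it stays under a threshold of ten even after fourteen infected messages; the window length and the threshold have to be chosen together.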
dra007 Posted April 27, 2004

Thank god for them reformatting...but occasionally real viruses do slip through and I have to rely on Norton for protection. There is only one e-mail address that is not filtered and should not be known to anyone else outside the server. Unfortunately that is also the reason why I cannot forward that to spamcop before I see it ..and somehow it made it on the same spamlist as every other e-mail address. I hope spamcop detects and protects from viruses for my other forwarded e-mails. They are sometimes more annoying than the spam whether sent intentionally or from an infected machine...only because you never know if they are detected in time...
dra007 Posted April 28, 2004

> ticket number {HN645ZT22M} has been received at 2004/4/28 下午 01:36:48 . We would like to take this opportunity to thank you for your time and effort fighting spam activity with us. Please be informed that although we are not able to send you the spam report, the information you have provided in your email will be used to investigate the spam activity. Should the spam source prove to originate from a HiNet user, action will be taken in accordance with HiNet Acceptable Usage Policy and Terms of Service Agreement.

These guys are funny, I get a dozen spams from them and they send me a ticket in an e-mail half of it in Korean characters, with instructions how to filter junk mail in OE. How did they ever get my name? I thought that information was kept confidential in spam reports..
Miss Betsy Posted April 28, 2004

If the entity receiving a spamcop report indicates that s/he is not a robot, then a response can be sent to the spamcop report number which is then forwarded by spamcop to you. It sounds as if you received a fairly standard reply from a Korean ISP (which sends its messages out in both English and Korean). If your name was in the reply, then it is the name you chose to be on every report.

I forget whether getting a reply means that they will be doing anything. However, I received a similar reply from a report to China and I have not received any more spam from that source. I believe that some Chinese and Korean ISPs are interested in cleaning up their IP addresses. It just is not an overwhelming trend as yet.

Miss Betsy
zachariah Posted April 29, 2004

here's one I got today (I especially like the subject)...

Subj: MAYBE I spam for a good cause.... ?

Hi, My name is Mathieu Guitard Today I ask for your attention!!! so <b>please read carefully</b> I guess when teenagers and their parents want to find informative pages on sexuality they are getting lost in an abundance of other dirty pay sites. To improve the situation I brought many new domain names like <b>SexEducated.c0m, ArtAndScienceOfSex.c0m, SexAndSmile.c0...</b> I wish to develop them into free educational websites. I already found Sexologists interested in providing free online consultation on <b>AskSexDoctor.c0m</b> Unfortunately I personally live with a skin problem "psoriasis" witch often ruin any activity or works i`m into, by inflicting itching thus scratching then intense pain that consume all my energies. There is a good web site about the Psoriasis disease <a href="http://www.psoriasisconnect.c0m"> PsoriasisConnect.com </a> It could be solved simply by going to direct sunlight or by receiving massage therapy (I tried way too many sorts of cream and pills). As I live in Quebec, the weather is cold... so I plan to move to the southern region very soon. If you can't help me with any of the above your money can help. I just found an interesting new way to raise funds. An old well established company "Hustler" To boost payouts on its 4 newest sites give 100$ for every 3$ you put into purchasing (below). I know it may be hard for some to go through the online form as it may induce you to consume pornography. thus Thank You Very Much
<center>Thank YOU. That much..
<img src="http://flyntdigital.c0m/images/news/2004_4_20_61.gif"><a href="http://chezpas.c0m/4.html"> The offer end in only 2 day, Larry Flynt*
<img src="http://flyntdigital.c0m/images/news/2004_3_17_54.jpg"> Asian Fever, Amateur Hollywood, Anal Hookers and VCAXXX =96 through the end of April.
</center></a> HERE`s <a href="http://c.fsx.c0m/c?z=40,89740,1,afp_ppj,http://www.asianfever.c0m/index.phtml">ASIAN FEVER</a></b>
Miss Betsy Posted April 29, 2004

I can never remember the acronym for 'Rolling on the floor with laughter'

I know you put it in the right topic, but you should have put an extra C&C warning on it!

Miss Betsy
zachariah Posted May 18, 2004

again with the funny subjects -- this spammer's been watching too much That '70s Show.

To: [xxxxxxxx][at][xxxxxxxx].c0m
From: "Paul Lise" <byc1bmyb[at]norcov.c0m>
Reply-To: "Paul Lise" <byc1bmyb[at]norcov.c0m>
Subject: You Are Stupid Dumbass If U Pay Retail Pricee For Softwares amiably rile bratty
Date: Tue, 18 May 2004 13:54:10 -0500
...
X-SpamCop-Disposition: Blocked bl.spamcop.net

----384897755561644
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit

candescent preempt sppiritual empress chronology sermons unsealed stylites corruptive

----384897755561644
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 8bit

<html>
<head>
<meta http-equiv="Content-Type" content="text; charset=us-ascii">
</head>
<body>
<center>
<dinocerata unshadowed arcadic respice banshee nettle >
<table border=0 cellspacing=0 cellpadding=10 width=640>
<tr><td>
<font color=D90000 size=5 face=arial><b>Your needed soffttwares at Rock Bottom prri ce! </b><br><font size=2 color=000000>- What you bought previously was go to shop & buuyy a WIND0WS XP Pro that c0mes with a BOX & serial number & the manual cosst 299.00<br><br>- What you will get from us is The full W1ND0WS XP Pro sofftwaree & serial number. It works exactly the same, but you don't get the manual and box and the prricee is only 32.00 . That is a savviing of 254.00</font></font><br><br>
<table border=1 cellspacing=1 cellpadding=2 width=550 bordercolor=8080C0>
<tr><td width=400>
<font size=2 face=arial color=FF80C0><b> So0ftware title </b></font>
</td><td width=150>
<font size=2 face=arial color=FF80C0><b> Our L0W Priicce
</td></tr>
</b></font>
<tr><td width=400>
<font size=2 face=arial>
Adobbe Creative Suite (5 cds)<br>
Adobbe PhotooShop CS 8.0 (1 cd)<br>
3D Studio Max 6.0 (3 cds)<br>
Adobbe Premiere Pro 7.0 (1 cd)<br>
Alias Wavefront Maya 5.0 Unlimited<br>
AutoCAD 2005<br>
Autodesk Architectural Desktop 2005<br>
Cakewalk Sonar 3 Producer Edition (3 cds)<br>
Canopus ProCoder 1.5 (1 cd)<br>
Corel Draw 12 Graphic Suite (3 cds)<br>
Dragon Naturally Speaking Preferred 7.0<br>
Macromedia Dreamweaver MX 2004 v7.0<br>
Macromedia Fireworks MX 2004 v7.0<br>
Macromedia Flash MX 2004 v7.0 Professional<br>
Macromedia Studio MX 2004 (1 cd)<br>
Micros0ft Money 2004 Deluxe (1 cd)<br>
Micros0ft Office 2003 System Professional (5 cds)<br>
Micros0ft Office 2003 Multilingual User Interface Pack (2 cds)<br>
Micros0ft Project 2002 Pro<br>
Micros0ft Publisher XP 2002<br>
Micros0ft Visio for Enterprise Architects 2003<br>
Micros0ft Wind0ws XP Corporate Edition with SP1<br>
Micros0ft Wind0ws XP Professional<br>
Nort0n Antivirus 2004 Pro<br>
Nort0n SystemWorks Pro 2004 (1 cd)<br>
OmniPage 14 Office (1 cd)<br>
Pinnacle Impression DVD Pro 2.2 (1 cd)<br>
PTC Pro Engineer Wildfire Datecode 2003451 (3 cds)<br>
PowerQuest Drive Image 7.01 Multilanguage (1 cd)<br>
Ulead DVD Workshop 2.0<br>
Micros0ft Visual Studio .NET 2003 Enterprise Architect (8 cds)<br>
Winfax PRO 10.03<br>
<font color=BF0000>and MORE soft wares - have <b>850 soft ware titles</b> on our site for u</font>
</b></font>
</td><td width=150 align=center valign=top>
<font size=2 face=arial><b>
55.00<br>
32.00<br>
50.00<br>
32.00<br>
40.00<br>
32.00<br>
32.00<br>
36.00<br>
25.00<br>
32.00<br>
25.00<br>
25.00<br>
32.00<br>
30.00<br>
50.00<br>
20.00<br>
40.00<br>
25.00<br>
32.00<br>
20.00<br>
25.00<br>
40.00<br>
32.00<br>
20.00<br>
20.00<br>
25.00<br>
25.00<br>
40.00<br>
20.00<br>
20.00<br>
93.00<br>
20.00<br>
</td></tr>
</b></font>
</td></tr></table>
<font color=000000 size=2 face=arial>
Download your sofftwaares from our Superfast (100mbits connection) site & you will be given your own exclusive registration key to register the sofftwaares you bought from us, and now you have your own registered copy of sofftwaares (will never expired again)<br><br>
It's <b>0EM version</b> of sofftwaares which is an <b>Original/Genuine sofftwaares</b>, strictly no piracy sofftwaares
</font>
<center>
<b><a href=http://drs.yahoo.c0m/discipline/poolroomdionysus/*http://buggerynomology.shopgroup.b!z/0/p/ target=_blank><font color=0000FF size=5 face=arial><u>Over 850 popular titles for you to choose from<br><br>Act quick now before all sold<br><br>Start using your needed sofftwaares now<br>== C L I C K - H E R E ==</b><br><font size=2>(Plz give 2-3 mins to c0mplete the page loading bcos the page has 850 titles on it)</font><br><br></u></a>
<a href=http://drs.yahoo.c0m/siberianpyre./limbedrevising/*http://naturel.shopgroup.b!z/unsub.html target=_blank><font size=1>take me down</font></a>
</font>
</center>
</td></tr></table>
</center>
</body>
</html>

----384897755561644--

(com's c0m'd and b!z's b!z'd for your protection
subject bolded for your entertainment)
dra007 Posted May 24, 2004 Posted May 24, 2004 This spammer hopes to entice you into buying their goods: First he insults then he warns you will lose the money. Now, does he really hope to make some money?

Return-Path: <waleed_louri[at]yahoo.com>
X-Original-To: spam[at]stargate.pitt.edu
Delivered-To: spam[at]stargate.pitt.edu
Received: from localhost (localhost [127.0.0.1]) by smtp-ext-03-priv.mx.pitdc1.expedient.net (Postfix) with ESMTP id 5F7E19259F for <spam[at]stargate.pitt.edu>; Mon, 24 May 2004 15:45:54 -0400 (EDT)
Received: from smtp-ext-03.mx.pitdc1.expedient.net ([127.0.0.1]) by localhost (smtp-ext-03 [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 26344-02-35 for < [at]stargate.pitt.edu>; Mon, 24 May 2004 15:45:53 -0400 (EDT)
Received: from backup1.mx.expedient.net (backup1.mx.cle.expedient.net [66.181.64.18]) by smtp-ext-03.mx.pitdc1.expedient.net (Postfix) with ESMTP id DF6F8924B8 for < [at]stargate.pitt.edu>; Mon, 24 May 2004 15:45:53 -0400 (EDT)
Received: from ip503c9474.speed.planet.nl (ip503c9474.speed.planet.nl [80.60.148.116]) by backup1.mx.expedient.net (Postfix) with SMTP id D80383F0 for < [at]stargate.pitt.edu>; Mon, 24 May 2004 15:46:23 -0400 (EDT)
Received: from 95.49.168.10 by 80.60.148.116; Tue, 25 May 2004 00:38:17 +0400
Message-ID: <KUWHIHOVDUUZUHJVSTBTBEQZ[at]hotmail.com>
From: "Aubrey Gross" <waleed_louri[at]yahoo.com>
Reply-To: "Aubrey Gross" <waleed_louri[at]yahoo.com>
To: [at]stargate.pitt.edu
Subject: *****POSSIBLE spam***** fu** YOU
Date: Mon, 24 May 2004 14:38:17 -0600
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--55658522454627443778"
X-Webmail-Time: Mon, 24 May 2004 16:37:17 -0400
X-Virus-Scanned: by amavisd-new at mail.stargate.net
X-spam-Status: Yes, hits=8.0 tagged_above=-999.0 required=5.5 tests=BAYES_90, DCC_CHECK, FORGED_YAHOO_RCVD, RATWR19_MESSID, SARE_ADLTSUB2
X-spam-Level: *******
X-spam-Flag: YES

----55658522454627443778
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

if YOU WANNA TO LOST UR MONEY ---> INVEST US -->>> http://www.wecareaboutmoney.com/

----55658522454627443778--

if YOU WANNA TO LOST UR MONEY ---> INVEST US -->>> http://www.wecareaboutmoney.com/

Does anyone know their IP?

Tracking message source: 80.60.148.116:
Routing details for 80.60.148.116
[refresh/show] Cached whois for 80.60.148.116 : abuse[at]planet.nl
Using abuse net on abuse[at]planet.nl
abuse net planet.nl = abuse[at]planet.nl
Using best contacts abuse[at]planet.nl
Yum, this spam is fresh!
Message is 1 hours old
80.60.148.116 not listed in dnsbl.njabl.org
80.60.148.116 not listed in dnsbl.njabl.org
80.60.148.116 not listed in cbl.abuseat.org
80.60.148.116 not listed in dnsbl.sorbs.net
80.60.148.116 not listed in relays.ordb.org.
80.60.148.116 not listed in query.bondedsender.org
80.60.148.116 not listed in iadb.isipp.com
Possible open relay: 66.181.64.18
Yum, this spam is fresh!
Message is 1 hours old
66.181.64.18 not listed in relays.ordb.org.
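The "Tracking message source" result in the post above can be reproduced by reading the Received chain from the newest hop down and stopping at the first peer that is not one of the recipient's own relays. This is an added example, not part of the original post and not SpamCop's code; `OWN_RELAYS` is an assumption, and the headers are abridged from the quoted message.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Received chain copied from the message quoted above, newest hop first
# (abridged: "id" and "for" clauses dropped, nothing else changed).
RAW = """\
Received: from localhost (localhost [127.0.0.1])
 by smtp-ext-03-priv.mx.pitdc1.expedient.net (Postfix) with ESMTP;
 Mon, 24 May 2004 15:45:54 -0400 (EDT)
Received: from smtp-ext-03.mx.pitdc1.expedient.net ([127.0.0.1])
 by localhost (smtp-ext-03 [127.0.0.1]) (amavisd-new, port 10024) with LMTP;
 Mon, 24 May 2004 15:45:53 -0400 (EDT)
Received: from backup1.mx.expedient.net (backup1.mx.cle.expedient.net [66.181.64.18])
 by smtp-ext-03.mx.pitdc1.expedient.net (Postfix) with ESMTP;
 Mon, 24 May 2004 15:45:53 -0400 (EDT)
Received: from ip503c9474.speed.planet.nl (ip503c9474.speed.planet.nl [80.60.148.116])
 by backup1.mx.expedient.net (Postfix) with SMTP;
 Mon, 24 May 2004 15:46:23 -0400 (EDT)
Received: from 95.49.168.10 by 80.60.148.116; Tue, 25 May 2004 00:38:17 +0400
"""

# Assumption: the recipient's own relays, listed by address. Loopback covers
# the local amavisd-new hops; 66.181.64.18 is the backup MX seen in the chain.
OWN_RELAYS = [ip_network("127.0.0.0/8"), ip_network("66.181.64.18/32")]
PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def injection_point(raw):
    """Return (source_ip, ignored): the first peer outside OWN_RELAYS, and the
    older Received lines that were written by hosts we do not control."""
    hops = message_from_string(raw).get_all("Received") or []
    for i, hop in enumerate(hops):
        # Only the part before "by" describes the connecting peer.
        peer = PEER_IP.search(re.split(r"\bby\b", hop, maxsplit=1)[0])
        if peer is None:
            return None, hops[i:]          # our server logged no peer address
        ip = ip_address(peer.group(1))
        if not any(ip in net for net in OWN_RELAYS):
            return str(ip), hops[i + 1:]   # everything older is sender-supplied
    return None, []

if __name__ == "__main__":
    source, ignored = injection_point(RAW)
    print("report to the network owning", source)
    print("untrusted lines ignored:", len(ignored))
```

The bottom line of the chain, naming 95.49.168.10, was handed over by the sending host itself, so it is returned in `ignored` and never used for attribution.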
Wazoo Posted May 24, 2004 Posted May 24, 2004 Is this what you mean?

C:\>ping www.wecareaboutmoney.com
Pinging wecareaboutmoney.com [64.202.163.188]

Trying 64.202.163.188 at ARIN
Trying 64.202.163 at ARIN
OrgName: Go Daddy Software, Inc.
OrgID: GDS-31
Address: 14455 N Hayden Road
Address: Suite 226
City: Scottsdale
StateProv: AZ
PostalCode: 85260
Country: US
NetRange: 64.202.160.0 - 64.202.175.255
CIDR: 64.202.160.0/20
NetName: GO-DADDY-SOFTWARE-INC

And from the web-page (HTML removed)

05/24/04 17:08:33 Browsing http://www.wecareaboutmoney.com/
Fetching http://www.wecareaboutmoney.com/ ...
GET / HTTP/1.1
Host: www.wecareaboutmoney.com
Connection: close
User-Agent: Sam Spade 1.14

HTTP/1.1 200 OK
Date: Mon, 24 May 2004 22:08:54 GMT
Server: Apache/1.3.28 (Unix) FrontPage/5.0.2.2634
Last-Modified: Wed, 17 Mar 2004 20:49:13 GMT

In 1998 Gregory Dixon and Willson Marshall, graduate Miami University-Oxford as Master's. They funded the Gregory&Willson Investment Company. In the last two years all their investments has become 200-316% profit per month. Gregory&Willson discovered failures and their potential to make safety business. Gregory&Willson help its customers make better decisions, faster. Gregory&Willson professional team uses a multidisciplinary approach, providing a solid foundation of knowledge and expertise. The union of this knowledge and expertise helps us advise you on strategies to protect your financial future. We have: Over 400 employees. Operations in 23 countries We also have more than 1.2 million information users in the fields of law, tax, accounting, reference information, corporate training and assessment, financial services, scientific research and healthcare. We are planing to build ‘till 2006 a new building with 24th floors for large offices in Barcelona. The building is designed by the Zima Gunwale Fresco Partnership of Portland, Ore., and built by J.E. Dune Construction Co. The exterior is clad in granite from Brazil.
We want to build an office building where we could get work done for clients We are thinking forward!
dra007 Posted May 24, 2004 Posted May 24, 2004 I went to their website (www.wecareaboutmoney.com) and reported the abuse, asked if they were aware of it... I am still waiting for an answer. What puzzles me is what the spammers hope to accomplish with such spam, they are certainly not likely to make any money on it.
StevenUnderwood Posted May 25, 2004 Posted May 25, 2004 I too got this last spam today. I actually did not report it because it had come in over the weekend (work account) and SpamCop was down at the time so it would have expired by the time it was reportable. Oh well, I'll get em next time. Glad you were able to report it.