salamandir Posted December 23, 2008

i got the following email:

-----
Dear Webmail Subscriber,

This mail is to inform all our webmail users that we will be maintaining and upgrading our website in a couple of days from now.As a Subscriber you are required to send us your Email account details to enable us know if you are still making use of your mailbox. Be informed that we will be deleting all mail account that is not functioning to enable us create more space for new subscribers, You are to send your mail account details which are as follows:

*Username:
*Password:
*Alternate email:

Failure to do this will immediately render your email address deactivated from our database.

Thank you for using our Webmail!
FROM THE SUPPORT TEAM.
-----

i looked at the header and it didn't seem quite right, and when i submitted it, it said

-----
Hostname verified: mx01.csolutions.net
Possible forgery. Supposed receiving system not associated with any of your mailhosts
Will not trust anything beyond this header
No source IP address found, cannot proceed.
-----

but i recognise csolutions.net...

the entire message is here: http://www.spamcop.net/sc?id=z2468886872zd...;action=display

is this for real, or is it just spammers playing games with me?

turetzsr Posted December 23, 2008

> i got the following email: <snip>

...Noting this from the header (thank you for including the tracking URL!):

    <snip>
    From: "Spamcop Support Team" <tech-support[at]spamcop.net>
    <snip>
    Received: from 208.43.68.148
    <snip>

...SpamCop admins will not ask for your password via the mail and they definitely wouldn't use tech-support[at]spamcop.net as the e-mail address. Looking up the IP address:

    SpamCop v 2 Copyright © 1998-2006, IronPort Systems, Inc. All rights reserved.
    Parsing input: 208.43.68.148
    Reporting addresses: abuse[at]softlayer.com

...Not a SpamCop address!

...My conclusion: this is spam.

salamandir Posted December 23, 2008 (Author)

> ...Noting this from the header (thank you for including the tracking URL!):
> ...SpamCop admins will not ask for your password via the mail and they definitely wouldn't use tech-support[at]spamcop.net as the e-mail address. Looking up the IP address:
> ...Not a SpamCop address!
> ...My conclusion: this is spam.

thanks. i was about 95% sure that it was spam... although if you can trace it to softlayer.com, how come spamcop can't?

Farelf Posted December 23, 2008

> ...although if you can trace it to softlayer.com, how come spamcop can't?

Good question to ask! Something to do with your mailhosts setup - SC parser will pick it up 'unhosted' as in http://www.spamcop.net/sc?id=z2469238840z3...ccecd9675a0f8ez

...yet your parse http://www.spamcop.net/sc?id=z2468886872zd...f53950a9483085z says (amongst other things)

    No source IP address found, cannot proceed.
    Add/edit your mailhost configuration

salamandir Posted December 23, 2008 (Author)

> No source IP address found, cannot proceed.
> Add/edit your mailhost configuration

i added another mailhost (somehow my "real" email host got deleted?) and tried it again, and i got a completely different parse, which names "abuse[at]tera-byte.com" as the responsible address, and it says that they acknowledge the spam and that it will end "after Sun 21 Dec 2008"... well this message is dated 22 Dec 2008, so that's wrong, but there's no place for me to report it anyway.

i'm stumped...

turetzsr Posted December 23, 2008

> <snip> and it says that they acknowledge the spam and that it will end "after Sun 21 Dec 2008" <snip>

...Is the phrase "ISP has indicated spam will cease"? If so, type that phrase, with question marks at the beginning and end, into the box near the top center of the page between the "Search for --?" and "GO" buttons, then click one of those buttons. You should get a page of links to SpamCop Forum "threads" that discuss it further.

kae Posted December 23, 2008

> i got the following email ... <snip>

I got one too. I've seen several spamcop news items warning about these types of email messages asking for your spamcop login and password, but this is the first one that I've actually seen land in my Inbox.

Here's the Tracking URL.

I got this today, so the ISP must be having trouble blocking these messages or they are just saying that they will have it fixed by "yesterday".

salamandir Posted December 23, 2008 (Author)

so who do i report this to: abuse[at]softlayer.com or abuse[at]tera-byte.com?

Farelf Posted December 23, 2008

> i added another mailhost (somehow my "real" email host got deleted?) and tried it again, and i got a completely different parse, which names "abuse[at]tera-byte.com" as the responsible address, ...

Yeah, if we look at the two parses (since your original one has now reconfigured itself), yours baulks at

    5: Received: from 208.43.68.148 (SquirrelMail authenticated user acmeafa) by mail.wildroseinternet.ca with HTTP; Mon, 22 Dec 2008 15:15:01 -0700 (MST)
    Hostname verified: odin.fusedhosting.net
    Possible forgery. Supposed receiving system not associated with any of your mailhosts
    Will not trust anything beyond this header

and drops back to

    Tracking message source: 216.194.85.131:

which was step 4:. Mine goes on

    Possible spammer: 208.43.68.148
    Host mail.wildroseinternet.ca (checking ip) = 216.194.85.131
    216.194.85.131 not listed in dnsbl.njabl.org
    216.194.85.131 not listed in cbl.abuseat.org
    216.194.85.131 not listed in dnsbl.sorbs.net
    Chain test:mail.wildroseinternet.ca =? mail.wildroseinternet.ca
    Host mail.wildroseinternet.ca (checking ip) = 216.194.85.131
    216.194.85.131 is not an MX for mail.wildroseinternet.ca
    Host mail.wildroseinternet.ca (checking ip) = 216.194.85.131
    ips are identical
    mail.wildroseinternet.ca and mail.wildroseinternet.ca have close IP addresses - chain verified
    Possible relay: 216.194.85.131
    216.194.85.131 has already been sent to relay testers
    Received line accepted
    Tracking message source: 208.43.68.148:

There's insufficient justification to stop the parse where it does with yours IMO - or rather the justification found to continue mine should (logically) apply equally to yours. Don (SC Admin) or a deputy would need to consider this to assist any change. Ordinarily. But in this case both providers have begged for a moratorium while they fix their networks so it doesn't really matter. Per the lookups suggested by Steve T, you will see there is a 'period of grace' while they do this. That's what the suspension of reporting is all about and if they fail to deliver, deputies will re-start the process towards listing.

> I got this today, so the ISP must be having trouble blocking these messages or they are just saying that they will have it fixed by "yesterday".

As above, period of grace is about ~24 hours or when a deputy decides, IIUC - check/search previous references in the forum for more detail.

> so who do i report this to: abuse[at]softlayer.com or abuse[at]tera-byte.com?

A manual report? I don't think either, under the circumstances (they both know already that there's something passing through their networks that shouldn't so they don't need that 'heads up'.)
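
Added example, not part of any post in this thread and not SpamCop's parser code: a simplified model of why the same Received chain yields three different answers (no source, 216.194.85.131, or 208.43.68.148) depending on the mailhost list and on whether a chain test is applied. The first hop, the name mx.example.net, the function name and the name-only chain test (standing in for the DNS lookups in the parse output above) are assumptions.

```python
import re

# Constructed chain, newest hop first. The second header is the one quoted in
# the post above; the first hop and the name mx.example.net are made up.
RECEIVED = [
    "from mail.wildroseinternet.ca (mail.wildroseinternet.ca [216.194.85.131]) "
    "by mx.example.net with ESMTP; Mon, 22 Dec 2008 15:15:09 -0700",
    "from 208.43.68.148 (SquirrelMail authenticated user acmeafa) "
    "by mail.wildroseinternet.ca with HTTP; Mon, 22 Dec 2008 15:15:01 -0700 (MST)",
]

HOP = re.compile(r"from\s+(?P<src>.+?)\s+by\s+(?P<by>[\w.-]+)", re.S)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def trace_source(received, mailhosts, chain_test=False):
    """Walk hops newest-first; return (source_ip, notes).

    A hop is accepted when its receiving ("by") host is a configured mailhost
    or, with chain_test, when that host is the one named as sender of the hop
    accepted just before it. The walk stops at the first hop that fails, and
    nothing beyond that header is trusted.
    """
    trusted = {h.lower() for h in mailhosts}
    source, prev_src, notes = None, "", []
    for n, line in enumerate(received, 1):
        m = HOP.search(line)
        if not m:
            notes.append(f"{n}: unparsable header, stop")
            break
        by = m["by"].lower()
        # Assumption: compare names only; the real parse resolves and compares IPs.
        chained = chain_test and by in prev_src.lower().split()[:1]
        if by not in trusted and not chained:
            notes.append(f"{n}: {by} not associated with any mailhost, stop")
            break
        ips = IPV4.findall(m["src"])
        if not ips:
            notes.append(f"{n}: no IP in the from-part, stop")
            break
        source, prev_src = ips[-1], m["src"]
        notes.append(f"{n}: accepted, source so far {source}")
    return source, notes

if __name__ == "__main__":
    for hosts, chain in ([], False), (["mx.example.net"], False), (["mx.example.net"], True):
        print(hosts, chain, trace_source(RECEIVED, hosts, chain))
```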

Spamnophobic Posted December 23, 2008

> SpamCop admins will not ask for your password via the mail and they definitely wouldn't use tech-support[at]spamcop.net as the e-mail address.

And can we assume said admins have also jumped on any such addresses, which would need to be valid to "land the catch"?

rconner Posted December 23, 2008

> And can we assume said admins have also jumped on any such addresses, which would need to be valid to "land the catch"?

Not sure I know what you mean by "jumped on," but tech-support (at) spamcop.net does not have to be valid in this case. The spammer has included a reply-to address (techsupport (at) info.lt) which is what your mail program will probably use as the target of any reply messages you send. The spamcop address is used mainly to get the mail past mail hosts and to try to convince you that the message is genuine. It is not intended for replies.

-- rick
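
Added example, not part of any post in this thread: a triage check for the pattern described in the post above, where replies are diverted to a Reply-To domain unrelated to the From domain and the body asks for a password. The sample message is constructed from the header values and body text quoted in this thread; the function names and the `same_org` subdomain rule are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed message: header values as reported in this thread, body abridged.
SAMPLE = """\
From: "Spamcop Support Team" <tech-support@spamcop.net>
Reply-To: techsupport@info.lt

You are to send your mail account details which are as follows:
*Username: *Password: *Alternate email:
"""

def domains(msg, header):
    """Lower-cased domains of every address found in the named header."""
    pairs = getaddresses(msg.get_all(header, []))
    return {addr.rpartition("@")[2].lower() for _, addr in pairs if "@" in addr}

def same_org(a, b):
    """True when the domains are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def triage(raw):
    """Return a list of findings for one raw single-part message."""
    msg = message_from_string(raw)
    sender, reply = domains(msg, "From"), domains(msg, "Reply-To")
    findings = []
    # A Reply-To outside the From organisation means replies never reach
    # the party the message claims to come from.
    stray = sorted(r for r in reply if not any(same_org(r, s) for s in sender))
    if stray:
        findings.append("reply-to diverts to " + ", ".join(stray))
    if re.search(r"\bpassword\b", msg.get_payload(), re.I):
        findings.append("body asks for a password")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```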

Spamnophobic Posted December 23, 2008

By "jumped on" I meant closed, TOSsed, LARTed, disintegrated, abolished, exterminated and generally destroyed all past, present and future instances of any such address and holder thereof. I was going on the "return path", and as you point out and I of course know if I switch my brain on, mail programmes will use the "From" or "Reply to" addresses if you hit Reply.

My first reaction to the OP's "No source IP address found" was "Aha, it's an inside job, the phishers are sending from a spamcop.net address to look genuine!" and a superficial scan of the header (the plain text version not the SC parse) seemed to show non-spammy IPs, which I mistakenly saw as confirmation. Perhaps even an intended ploy by the phisherfolk?

Which train of thought led me to wonder whether SpamCop mail admins are indeed keeping a lookout for subscriptions with suspicious addresses in these times of phishing for SpamCoppers, "use" of SpamCop addresses in lists (something which like Elind over in the currently most active thread in the Reporting Help section, I've thought about a lot recently) and suchlike. I was though jumping to incorrect conclusions on the basis of superficial examination, my apologies.
This topic is now archived and is closed to further replies.