Oriolus Posted January 5, 2009 Share Posted January 5, 2009 I received an e-mail that was recognized as spam, but I am in doubt about whether it is spam indeed. Could someone, please, judge whether â€sender“ is in danger because he is not aware of the fact that this might be a dangerous e-mail? I hope it's OK that I wiped out â€sender’s“ real name, and that I flushed the link to the real report and my KnujOn reporting address. Should I flush any more, to be safer, by the way? If this is spam indeed, I'll report it for real, of course. I would be very grateful if someone could tell something about this supposed spam. If more information is needed, I'm glad to write it down, as long as I don't do any harm whatsoever to whoever. Please find hereunder what the SpamCop reporting service would have sent, if I didn’t cancel the sending of this report. SpamCop v 2 Copyright © 1998-2006, IronPort Systems, Inc. All rights reserved. Here is your TRACKING URL - it may be saved for future reference: http://www.spamcop.net/ <flushed> Skip to Reports Return-Path: <x> Received: from mwinf6621.online.nl (mwinf6621.online.nl) by mwinb6006 (SMTP Server) with LMTP; Sun, 04 Jan 2009 12:06:25 +0100 X-Sieve: Server Sieve 2.2 Received: from me-wanadoo.net (localhost [127.0.0.1]) by mwinf6621.online.nl (SMTP Server) with ESMTP id A67792800091 for <x>; Sun, 4 Jan 2009 12:06:25 +0100 (CET) Received: from imo-m22.mail.aol.com (imo-m22.mx.aol.com [64.12.137.3]) by mwinf6621.online.nl (SMTP Server) with ESMTP id 81D03280009D; Sun, 4 Jan 2009 12:06:23 +0100 (CET) X-ME-UUID: 20090104110623531.81D03280009D[at]mwinf6621.online.nl Received: from x by imo-m22.mx.aol.com (mail_out_v39.1.) id h.d33.484c4c19 (37520) for <x>; Sun, 4 Jan 2009 06:04:06 -0500 (EST) Received: from privefd60913cd (3e33a5f7.dslaccess.aol.com [62.51.165.247]) by cia-ma08.mx.aol.com (v121_r5.5) with ESMTP id MAILCIAMA085-92904960977e376; Sun, 04 Jan 2009 06:03:40 -0500 Reply-To: <x> From: "sender" <x> To: "x" <x> Subject: FW: Fw: unbelievable Date: Sun, 4 Jan 2009 12:01:35 +0100 Message-ID: <LPBB________________________________erFH[at]cs.com> MIME-Version: 1.0 X-Content-Type: multipart/related; boundary="----=_NextPart_000_0004_01C96E64.31293960" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.5579 Importance: Normal X-AOL-IP: 62.51.165.247 X-spam-Flag:NO Content-Type: text/html X-SpamCop-note: Converted to text/html by SpamCop (outlook/eudora hack) View entire message Parsing header: 0: Received: from imo-m22.mail.aol.com (imo-m22.mx.aol.com [64.12.137.3]) by mwinf6621.online.nl (SMTP Server) with ESMTP id 81D03280009D; Sun, 4 Jan 2009 12:06:23 +0100 (CET) Hostname verified: imo-m22.mx.aol.com orange.nl received mail from sending system 64.12.137.3 1: Received: from privefd60913cd (3e33a5f7.dslaccess.aol.com [62.51.165.247]) by cia-ma08.mx.aol.com (v121_r5.5) with ESMTP id MAILCIAMA085-92904960977e376; Sun, 04 Jan 2009 06:03:40 -0500 No unique hostname found for source: 62.51.165.247 Trusted site mx.aol.com received mail from 62.51.165.247 Sender relay: 64.12.137.3 Routing details for 64.12.137.3 [refresh/show] Cached whois for 64.12.137.3 : domains[at]aol.net Using abuse net on domains[at]aol.net abuse net aol.net = abuse[at]aol.com Using best contacts abuse[at]aol.com Tracking message source: 62.51.165.247: Routing details for 62.51.165.247 [refresh/show] Cached whois for 62.51.165.247 : domains[at]aol.net Using abuse net on domains[at]aol.net abuse net aol.net = abuse[at]aol.com Using best contacts abuse[at]aol.com Message is 8 hours old 62.51.165.247 not listed in dnsbl.njabl.org 62.51.165.247 not listed in dnsbl.njabl.org 62.51.165.247 not listed in cbl.abuseat.org 62.51.165.247 not listed in dnsbl.sorbs.net 62.51.165.247 not listed in accredit.habeas.com 62.51.165.247 not listed in plus.bondedsender.org 62.51.165.247 not listed in iadb.isipp.com Finding links in message body Parsing HTML part Resolving link obfuscation https://www.invite2messenger.nl/Default.aspx http://www.avg.com/ http://events.live.com/ Host events.live.com (checking ip) = 65.55.103.54 host 65.55.103.54 (getting name) no name http://www.spamfighter.com/lnl Host www.spamfighter.com (checking ip) = 12.190.48.107 host 12.190.48.107 (getting name) no name http://www.nod32.nl/ Host www.nod32.nl (checking ip) = 213.133.34.161 host 213.133.34.161 (getting name) = notused.is.nl. Tracking link: https://www.invite2messenger.nl/Default.aspx [report history] Resolves to 213.199.165.50 Routing details for 213.199.165.50 [refresh/show] Cached whois for 213.199.165.50 : bharatr[at]microsoft.com Using last resort contacts bharatr[at]microsoft.com bharatr[at]microsoft.com bounces (533 sent : 267 bounces) Using bharatr#microsoft.com[at]devnull.spamcop.net for statistical tracking. Tracking link: http://www.spamfighter.com/lnl No recent reports, no history available www.spamfighter.com hosted by akamai - no reports Cannot resolve http://www.spamfighter.com/lnl Tracking link: http://events.live.com/ [report history] Resolves to 65.55.103.54 Routing details for 65.55.103.54 [refresh/show] Cached whois for 65.55.103.54 : abuse[at]hotmail.com Using best contacts report_spam[at]hotmail.com Tracking link: http://www.nod32.nl/ [report history] ISP does not wish to receive report regarding http://www.nod32.nl/ Resolves to 213.133.34.161 Routing details for 213.133.34.161 [refresh/show] Cached whois for 213.133.34.161 : abuse[at]is.nl. Using abuse net on abuse[at]is.nl. abuse net is.nl = postmaster[at]is.nl, abuse[at]is.nl, klantenservice[at]is.nl, helpdesk[at]is.nl, administratie[at]is.nl Using best contacts postmaster[at]is.nl abuse[at]is.nl klantenservice[at]is.nl helpdesk[at]is.nl administratie[at]is.nl ISP does not wish to receive reports regarding http://www.nod32.nl/ - no date available Please make sure this email IS spam: From: "sender" <x> (FW: Fw: unbelievable) [tab][/tab] Who is living in this house. The enormous luxury. View full message Report spam to: Re: 62.51.165.247 (Administrator of network where email originates) To: abuse[at]aol.com (Notes) Re: 62.51.165.247 (User defined recipient) To: <flushed>[at]coldrain.net (Notes) Re: 64.12.137.3 (Administrator interested in intermediary handling of spam) To: abuse[at]aol.com (Notes) Re: http://events.live.com/ (Administrator of network hosting website referenced in spam) To: report_spam[at]hotmail.com (Notes) Re: https://www.invite2messenger.nl/Default.aspx (Administrator of network hosting website referenced in spam) To: bharatr#microsoft.com[at]devnull.spamcop.net (Notes) PS. Would a filled in “Additional notes (optional - max 2000 characters):-box†be a better solution than the way I copy this report with some changes for security matters? I don't know how Additional notes are handled: Are they always be read and will the reader sometimes decide not to pass the report as a spam report to get handled like there were no Additional notes? Thank you in advance for your answer! Link to comment Share on other sites More sharing options...
rconner Posted January 5, 2009 Share Posted January 5, 2009 I received an e-mail that was recognized as spam, but I am in doubt about whether it is spam indeed.If you didn't solicit the mailing (i.e., didn't ask for it and didn't give prior permission for it to be sent), and it was sent to you as part of a bulk delivery, then it is spam according to SpamCop's definition, and you can use SpamCop to report it as such. Rather than simply copy-and-paste the SpamCop parser output as you did, it would have been more helpful to us to for you to have provided the tracking URL (which you apparently rubbed out). See this page to find out why and how. As it is, we can't see the body of the message so we can't see where all the URLs come into play. Since we don't know what you do with your spam already, we can't figure out whether what you propose (with "additional notes") is a better idea. You say that you "copy the message with some changes for security matters." Does this mean that you alter the spam message before reporting it? This is a very bad idea, and in fact is against SpamCop rules. SpamCop will already "munge" out your e-mail addresses from reports (if you have set it up to do so), I don't think any other changes to header info, body contents, etc., would be kosher. -- rick Link to comment Share on other sites More sharing options...
Farelf Posted January 5, 2009 Share Posted January 5, 2009 Not sure if I can help much - the data shown doesn't mean much to me, better for you to have just posted the tracking url for the cancelled report (the data for which you can always resubmit if necessary) though I see your point if you are reluctant to show the sender address. You could still do this this with a cancelled report but with some work to be done to munge the addresses in the headers that SC doesn't handle before submission and so-on. In tems of thorough anonymizing, the message ID usually shows the sender's domain by the way - if you wanted to keep that completely secret you would munge that too - I don't think that is really necessary. Anyway, from what I can see, looks like just a 'social spam' which is (sometimes) not a reportable spam at all. The indications of this ('social') are the multiple forwards and AVG, invite2messenger etc. advertizing apparently from free email applications used. Also it looks like there are no forgeries in the relay/forwarding chain. I can't see what would make it a spam except (evidently) you do not know the sender and something in your delivery chain identified it as spam. Is there anything in the content of the body which makes it look spammy (or 'commercial')? Usually with social spam there is a whole address list in the To: and/or CC: fields and there is someone you know/correspond with in there (which essentially makes it unreportable) and the content is ... well, more social than commercial. This one doesn't fit that pattern with the addressing but I still would not be inclined to report it as spam (without knowing the content) because there could be reasons behind the addressing 'anomaly'. Yes, spam is defined by consent rather than content but if the content is wholly commercial there is no doubt that it is NOT social. Even if it is (apparently) just social but you don't know the sender and it keeps coming and annoys you, some would say to report it, certainly it is apparently permitted. But I think I would take a chance and simply contact the sender, telling them to stop in that circumstance. The only times I have come near to that point the annoyance has stopped by itself (it was probably inadvertent and some other unintended recipient has already complained maybe). In your case you say it is dangerous (to the sender) because you may not always remove such messages from your reporting. So I would still prefer to contact the sender, only sooner rather than later. I would approach it this way with the thought that reporting 'social' spam might reduce the impact of SpamCop with the ISPs (who might see the complaint as fanatical). With some of them that doesn't much matter but only because they don't take any notice anyway (so the 'big stick' of the SCbl is not going to stop the spam anyway, especially with a major webmail service). Notes are intended to be the reporter's way to assist the ISP in dealing with the spam issue by adding information or highlighting data they might otherwise miss. Under usual circumstances I should think no-one in SpamCop would see them (exceptions being flagged cases for appealing 'no reports status', etc., to deputies), there is no assurance that the ISPs would read them and, as far as I can tell, little/no ISP feedback on them. The only changes you should make to the headers or body of spam are to munge your address(s) - SC usually/mostly does that anyway but it is permitted if the 'automatic' process is deficient (but note, reviewing the reports before sending may wipe out any notes you added when you move on to send the reports). Other changes are NOT permitted, especially anything to 'help' the parser find an address or URL. Link to comment Share on other sites More sharing options...
Oriolus Posted January 5, 2009 Author Share Posted January 5, 2009 If you didn't solicit the mailing (i.e., didn't ask for it and didn't give prior permission for it to be sent), and it was sent to you as part of a bulk delivery, then it is spam according to SpamCop's definition, and you can use SpamCop to report it as such. Sorry for being not more clear about the sender. It's a friend who sent it; that's why I am careful with his identity. I would like to know whether this chain letter is more than that: does it contain malicious stuff? Rather than simply copy-and-paste the SpamCop parser output as you did, it would have been more helpful to us to for you to have provided the tracking URL (which you apparently rubbed out). See this page to find out why and how. As it is, we can't see the body of the message so we can't see where all the URLs come into play. I was not sure if it would be wise to publish everything in this forum, but if its safe to do, I will publish the url. Though, in there, my reporting address, and my friend's name will be visible. Won't that be dangerous? Since we don't know what you do with your spam already, we can't figure out whether what you propose (with "additional notes") is a better idea. You say that you "copy the message with some changes for security matters." Does this mean that you alter the spam message before reporting it? This is a very bad idea, and in fact is against SpamCop rules. SpamCop will already "munge" out your e-mail addresses from reports (if you have set it up to do so), I don't think any other changes to header info, body contents, etc., would be kosher. Please, don't misunderstand me: If I were sure that I wouldn't do any harm to my friend (as the sender of the chain letter), I would report the mail, but since he is not the 'primary creator' of the mail, I would only cause damage to him in stead of the original creator of the mail. That's why I wiped out his address: he received this mail without having been triggered of the fact that the mail might be spam. Normally I'm reporting in the proper way, of course, but since I didn't want to report before being sure the mail contains harmful matter, I wanted to ask the forum about this mail. In my PS I tried to ask whether I could have asked the same question as I do in this forum: "Before I report this mail, could you look into the report being offered whether this mail is malicious. If so, would this report harm my friend as the forwarder of a mail that was spam when he received it?" All seems to sound rather stupid, but I don't know how to handle this matter in a correct way. And after all I realize now, that I am stupid, and that the primary sender who sent the mail to my friend via-via-via cannot be retrieved any more: I should find the first victim of this chain mail to recognize the real creator, and I think I'm not able to find him. So, I'm afraid I have to think harder before I try to get help in this case. If you agree to that, we can stop this discussion, and I'm saying sorry for my stupidity... Link to comment Share on other sites More sharing options...
Farelf Posted January 5, 2009 Share Posted January 5, 2009 ... "Before I report this mail, could you look into the report being offered whether this mail is malicious. If so, would this report harm my friend as the forwarder of a mail that was spam when he received it?" All seems to sound rather stupid, but I don't know how to handle this matter in a correct way. And after all I realize now, that I am stupid, and that the primary sender who sent the mail to my friend via-via-via cannot be retrieved any more: I should find the first victim of this chain mail to recognize the real creator, and I think I'm not able to find him. So, I'm afraid I have to think harder before I try to get help in this case. If you agree to that, we can stop this discussion, and I'm saying sorry for my stupidity... Oriolus, if you think that you are stupid you may be the only person to believe that . I don't believe it. If the message comes from a friend, no it should not be reported (On what type of email should I (not) use SpamCop? - similar to "Forwarded/CCed email from "friends and family" regarding signing petitions." which are NOT to be reported, by extension other 'chain mail' from family and friends which might be spam but it is spam within another message and, as you say, there is no surety that you can track back to the actual source besides which it is your friend passing it to you, it is not 'your' spam). What you want is some way to whitelist your friend's mail so it does not end up in your junk/'to be reported' folder. Whitelists take precedence over other processing/filtering. Or, tactfully, point out to your friend the danger of sending this stuff to you. They might stop sending you anything! Some would say that would be no loss. They need to take the Boulder Pledge. Also SC should recognize the advertisements inserted by 'free' mail systems are never 'spamvertizing' (and usually does) but that is another matter, maybe for SC Admin (Don). Link to comment Share on other sites More sharing options...
Oriolus Posted January 5, 2009 Author Share Posted January 5, 2009 In tems of thorough anonymizing, the message ID usually shows the sender's domain by the way - if you wanted to keep that completely secret you would munge that too - I don't think that is really necessary. You are right, and I didn't wipe that out! Anyway, from what I can see, looks like just a 'social spam' which is (sometimes) not a reportable spam at all. The indications of this ('social') are the multiple forwards and AVG, invite2messenger etc. advertizing apparently from free email applications used. Also it looks like there are no forgeries in the relay/forwarding chain. Yes, that's what I was realizing; please see my earlier reply. I can't see what would make it a spam except (evidently) you do not know the sender and something in your delivery chain identified it as spam. Is there anything in the content of the body which makes it look spammy (or 'commercial')? Not commercial. As a matter of fact I have Outlook to block pictures, therefor I forwarded it to my Gmail address, where I can see the pictures, and from the accompanying text I concluded that they were pictures of Mugabe's estate and so on: Shame on him. But forwarding the mail to my Gmail resulted in a block by my ISP, another problem that I'm trying to solve: I cannot forward spams anymore to either Frontbridge or Coldrain because of this blocking by my ISP. They refuse to open more than one (SpamCop!) address to where I can forward spam to... Usually with social spam there is a whole address list in the To: and/or CC: fields and there is someone you know/correspond with in there (which essentially makes it unreportable) and the content is ... well, more social than commercial. This one doesn't fit that pattern with the addressing but I still would not be inclined to report it as spam (without knowing the content) because there could be reasons behind the addressing 'anomaly'. There was only my friend's address as Receiver, typically a mail that uses Bcc. Nothing wrong, but thus there were no other addresses. Yes, spam is defined by consent rather than content but if the content is wholly commercial there is no doubt that it is NOT social. Even if it is (apparently) just social but you don't know the sender and it keeps coming and annoys you, some would say to report it, certainly it is apparently permitted. But I think I would take a chance and simply contact the sender, telling them to stop in that circumstance. The only times I have come near to that point the annoyance has stopped by itself (it was probably inadvertent and some other unintended recipient has already complained maybe). In your case you say it is dangerous (to the sender) because you may not always remove such messages from your reporting. So I would still prefer to contact the sender, only sooner rather than later. I fully agree. Please see my earlier reply. I would approach it this way with the thought that reporting 'social' spam might reduce the impact of SpamCop with the ISPs (who might see the complaint as fanatical). With some of them that doesn't much matter but only because they don't take any notice anyway (so the 'big stick' of the SCbl is not going to stop the spam anyway, especially with a major webmail service). I Think I have to leave things as they are: I was not annoyed by my friends forwarded mail, I only was worried about the fact that it was marked as spam and apparently not by my friend's e-mail program. Notes are intended to be the reporter's way to assist the ISP in dealing with the spam issue by adding information or highlighting data they might otherwise miss. Under usual circumstances I should think no-one in SpamCop would see them (exceptions being flagged cases for appealing 'no reports status', etc., to deputies), there is no assurance that the ISPs would read them and, as far as I can tell, little/no ISP feedback on them. I am very glad to read about how Notes are handled in practice; thank you. So it was of no use if I had done so, apart from my stupidity... The only changes you should make to the headers or body of spam are to munge your address(s) - SC usually/mostly does that anyway but it is permitted if the 'automatic' process is deficient (but note, reviewing the reports before sending may wipe out any notes you added when you move on to send the reports). Other changes are not permitted, especially anything to 'help' the parser find an address or URL. Again thank you for you great explanations! Link to comment Share on other sites More sharing options...
rconner Posted January 5, 2009 Share Posted January 5, 2009 Thanks for the clarifications. Please don't be discouraged; asking basic questions about matters you don't understand is hardly a sign of stupidity, even if you aren't entirely sure about the questions you are asking. If the message came straight from a friend, I would be reluctant to consider it spam as it was presumably not bulk-delivered to strangers. If this is one of the usual MMF chain letters or the like, it is pretty much impossible to trace it any further back than to your friend; the headers from the version he received are long gone (as are those from the version that that person received, and so forth). You are correct that reporting this through SpamCop is going to put the finger right on your friend and his internet service, and it won't do anything about the original perps or their helpers. If you want an opinion here as to whether it contains malign stuff, then the tracking URL is the best route as it allows us to get a look at the body (which is where the bad stuff will generally be). As you can read in the link I gave you, most details of the message (except for some of the e-mail addresses) will be visible to those who examine the tracking URL. The page will not be visible in Google searches etc. because the pages at the tracking URLs cannot be indexed. You can cancel the reporting of the message after getting the tracking URL if you do not want to report right away; you can resubmit the message later on if you change your mind. Posting a tracking URL is certainly less safe than not posting anything at all, but much more safe than pasting e-mail messages or SpamCop parses into the forum verbatim. -- rick Link to comment Share on other sites More sharing options...
Miss Betsy Posted January 5, 2009 Share Posted January 5, 2009 The Boulder Pledge is a better solution in this case, IMHO. Unless you really do like to get FW:FW:'s from your friend, having your system mark it as spam provides you with a good reason to, as tactfully as possible, tell your friend that it is not a good idea to send on these anonymous emails - partly because they may contain web bugs and partly because they may get tagged as spam. However, I have a relative who has been told by numerous people not to forward such items. She has been referred to snopes.com and truthorfiction.com to verify the claims of some of them (such as the virus warnings and the claim that MS is giving people money to forward email and various outrageous details of celebrity lives), but has not listened. I miss some of her real emails because I rarely read anything she sends. Although she renames the subject line so it is not obvious that she has forwarded the email, she includes every one of her over one hundred contacts in the CC. I am sure someone has told her about that also. So your best solution would probably be to whitelist your friend's address so you don't inadvertently report email from your friend. The only stupid people are the people who never learn anything - and how does one learn something except by asking questions? You see you now know about Tracking URLs and the Boulder Pledge!! Miss Betsy Link to comment Share on other sites More sharing options...
Oriolus Posted January 5, 2009 Author Share Posted January 5, 2009 The Boulder Pledge is a better solution in this case, IMHO. I had to look this up, and found the meaning of it. Thank you Miss Betsy! "Under no circumstances will I ever purchase anything offered to me as the result of an unsolicited e-mail message. Nor will I forward chain letters, petitions, mass mailings, or virus warnings to large numbers of others. This is my contribution to the survival of the online community." Link to comment Share on other sites More sharing options...
Oriolus Posted January 5, 2009 Author Share Posted January 5, 2009 I had to look this up, and found the meaning of it. Whah, Farelf offered me a ready-to-use-link to The Boulder Pledge Thank you even more, Farelf! And accept my apologies, please! I think a knot can be made in this end of the thread. Thank you all for your kind help! Oriolus Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.