One of the nice things about having your own domain
is that you can "invent" email addresses with the company name as the
mailbox.
As a result, when you get spammed from that email address you have a
pretty DAMN GOOD IDEA
where it came from [or who sold it to spammers].
My real domain has, of course, been modified to "mydomain".
Return-Path: <sc6bxew178n@hotmail.com>
Received: from 12-229-248-131.client.attbi.com ([12.229.248.131] verified)
by mail.webhostingprovider.com (CommuniGate Pro SMTP 4.1.1)
with SMTP id 33618504 for cheaptickets@mydomain.com; Tue, 26 Aug 2003 05:03:42 -0700
Received: from 0ty.3px49.net [25.234.130.80] by 12-229-248-131.client.attbi.com id NhB54YM0T1MV for
<cheaptickets@mydomain.com>; Tue, 26 Aug 2003 09:58:43 -0300
Message-ID: <t3d-2z4k73-qt1-8r8z358@4i03n86xo3ut>
From: "Johnathan Douglas" <sc6bxew178n@hotmail.com>
To: cheaptickets@mydomain.com
Subject: Re: Drug Center Now open
Date: Tue, 26 Aug 03 09:58:43 GMT
X-Mailer: MIME-tools 5.503 (Entity 5.501)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="FBD4E4E_B_..F.3D20_0_2"
X-Priority: 3
X-MSMail-Priority: Normal
This is a multi-part message in MIME format.
--FBD4E4E_B_..F.3D20_0_2
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
Best Online Price for Drugs Anywhere!
Overnight Worlwide Shipping!
See how much you can save!
Go here: http://www.pharmacysale.biz/health/
To be taken off our lists, go here:
http://www.pharmacysale.biz/a.html
t ylun
jwewfknsst ajd
--FBD4E4E_B_..F.3D20_0_2--
--------
Here's the analysis:
SpamX analysis report for Return-Path: <sc6bxew178n@hotmail.com>
Start at: Tuesday, August 26, 2003 Time: 1:27:34:749 PM
Open Proxy @ 12.229.248.131
Being sent from an open proxy is the first clue that this is spam!
BTW, you will notice the content has NOTHING to do with "tickets/hotels" or
anything else along those lines! spam - spam - spam - spam...
Any additional 'Received:' lines cannot be trusted
Subject: Re: Drug Center Now open
Date: Tue, 26 Aug 03 09:58:43 GMT
Rejected for Open Proxy
Last source IP checked = 12.229.248.131
Primary Complain to addresses:
abuse@att.net
End at: Tuesday, August 26, 2003 Time: 1:27:34:814 PM
Elapsed time = 0 min 0 sec 65.0 ms
--------
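The "first trusted hop" rule that the analysis above applies can be scripted. This is an added example, not SpamX's code or anything from the original page: it parses the first spam's headers (embedded inline as a constructed sample), treats only the Received line stamped by your own MTA (mail.webhostingprovider.com here) as trustworthy, extracts the tagged mailbox that identifies the leak, and flags any sender-supplied hop whose timestamp is later than the hop that received it, which is a consistency check this page does not itself run. The open-proxy lookup SpamX performed needs a network query and is not part of this example.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the headers of the first spam on this page, as received at
# the tagged address (body omitted). Folded header lines keep their leading space.
RAW = """\
Return-Path: <sc6bxew178n@hotmail.com>
Received: from 12-229-248-131.client.attbi.com ([12.229.248.131] verified)
 by mail.webhostingprovider.com (CommuniGate Pro SMTP 4.1.1)
 with SMTP id 33618504 for cheaptickets@mydomain.com; Tue, 26 Aug 2003 05:03:42 -0700
Received: from 0ty.3px49.net [25.234.130.80] by 12-229-248-131.client.attbi.com id NhB54YM0T1MV for
 <cheaptickets@mydomain.com>; Tue, 26 Aug 2003 09:58:43 -0300
From: "Johnathan Douglas" <sc6bxew178n@hotmail.com>
To: cheaptickets@mydomain.com
Subject: Re: Drug Center Now open

(body omitted)
"""

OUR_MTA = "mail.webhostingprovider.com"   # the one relay whose stamp we trust
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(raw):
    """Return the Received hops newest-first, each with relay name, peer IP and timestamp."""
    msg = email.message_from_string(raw)
    hops = []
    for line in msg.get_all("Received", []):
        line = " ".join(line.split())                    # unfold continuation lines
        by = re.search(r"\bby (\S+)", line)
        ip = IP_RE.search(line)
        when = parsedate_to_datetime(line.rsplit(";", 1)[1].strip())
        hops.append({"by": by.group(1) if by else None,
                     "from_ip": ip.group(1) if ip else None, "time": when})
    return hops

def find_origin(hops):
    """The first hop stamped by OUR_MTA names the real sending IP. Every older hop
    was written by the sender and is untrusted; one that claims a time later than
    the hop that received it is provably forged."""
    for i, hop in enumerate(hops):
        if hop["by"] == OUR_MTA:
            untrusted = hops[i + 1:]
            forged = [h for h in untrusted if h["time"] > hop["time"]]
            return hop["from_ip"], untrusted, forged
    return None, hops, []

def leaked_tag(raw):
    """Mailbox part of the tagged address: which vendor's 'invented' address got spammed."""
    return parseaddr(email.message_from_string(raw)["To"])[1].split("@")[0]

if __name__ == "__main__":
    origin, untrusted, forged = find_origin(parse_received(RAW))
    print("source IP:", origin, "| tag:", leaked_tag(RAW))
    print("untrusted hops:", len(untrusted), "| forged timestamps:", len(forged))
```

On this sample the inner hop claims 09:58:43 -0300 (12:58 UTC), 55 minutes after our MTA accepted the message at 05:03:42 -0700 (12:03 UTC), so it is reported as forged.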
And here's the report
User-Agent: SpamX v1.1
Subject: FW: Re: Drug Center
Date: Tue, 26 Aug 2003 13:28:30 -0800
Message-ID: <288180115931168%donotreply@cox.net>
From: donotreply@cox.net
To: abuse@att.net,
anti-spam@ns.chinanet.cn.net,
Content-Type: text/plain; charset=US-ASCII
ATTN: Postmaster/Sysadmin.
Below is a SPAM I received. It appears to have come directly from
one of your email servers, has been relayed through an Open
Relay/Open Proxy you are operating, contains a link to a website
you host or is using an EMail address on your server as a 'drop
box' to collect responses. Your responsible cooperation would be
greatly appreciated in tracking this user down and applying any
relevant AUP's you have. A copy of the SPAM (possibly edited for
length, decoded from base64 where applicable and cleaned of
extraneous tracings back to my email address inserted by the
perpetrator but including full headers) is appended.
Thank you for your prompt attention to this matter.
--------
12.229.248.131 is an open proxy
see http://www.fr1.documents.cyberabuse.org/docs/fixop.htm for assistance
http://www.pharmacysale.biz/health/ is a website link in the spam body
http://www.pharmacysale.biz/a.html is a website link in the spam body
--------
Return-Path: <sc6bxew178n@hotmail.com>
Received: from 12-229-248-131.client.attbi.com ([12.229.248.131] verified)
by mail.webhostingprovider.com (CommuniGate Pro SMTP 4.1.1)
with SMTP id 33618504 for x; Tue, 26 Aug 2003 05:03:42 -0700
Received: from 0ty.3px49.net [25.234.130.80] by 12-229-248-131.client.attbi.com id NhB54YM0T1MV for <x>; Tue, 26 Aug 2003 09:58:43 -0300
Message-ID: <t3d-2z4k73-qt1-8r8z358@4i03n86xo3ut>
From: "Johnathan Douglas" <sc6bxew178n@hotmail.com>
To: x
Subject: Re: Drug
Date: Tue, 26 Aug 03 09:58:43 GMT
X-Mailer: MIME-tools 5.503 (Entity 5.501)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="FBD4E4E_B_..F.3D20_0_2"
X-Priority: 3
X-MSMail-Priority: Normal
Best Online Price for Drugs Anywhere!
Overnight Worlwide Shipping!
See how much you can save!
Go here: http://www.pharmacysale.biz/health/
To be taken off our lists, go here:
http://www.pharmacysale.biz/a.html
MORE...
Return-Path: <lijewski@cocolee.net>
Received: from [68.235.66.63] (HELO 68-235-66-63.atlsfl.adelphia.net)
by mail.webhostingprovider.com (CommuniGate Pro SMTP 4.1.8)
with SMTP id 46361896 for cheaptickets@mydomain.com; Sun, 30 Nov 2003 08:31:43 -0800
Received: from cocolee.net (cocolee-net.mr.outblaze.com [205.158.62.38])
by 68-235-66-63.atlsfl.adelphia.net (Postfix) with ESMTP id 180822D748
for <cheaptickets@mydomain.com>; Sun, 30 Nov 2003 23:36:16 -0500
From: "Pontiac U. Tailgating" <lijewski@cocolee.net>
To: Cheaptickets <cheaptickets@mydomain.com>
Subject: Cheaptickets, meet horny singles in your area KmLmhUG0jI862jTG
Date: Sun, 30 Nov 2003 23:36:16 -0500
Message-ID: <000001c3b7c4$4a5abf78$c0792552@cocolee.net>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-AntiVirus: checked by AntiVir MailGate (version: 2.0.1.5; AVE: 6.17.0.2; VDF: 6.17.0.5; host: 68-235-66-63.atlsfl.adelphia.net)
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4=2e01 Transitional//EN">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv=3d"Content-Type" content=3d"text/html; charset=3diso-885=
9-1">
</head>
<body>
Notice how the spammers insert this drivel (in white text, color #FFFFFF, so the
reader never sees it) to confuse context-recognition spam filters
<p><font color=3d"#FFFFFF">The Defense Technical Information Center (DTIC=
=ae) is the central facility for the collection and dissemination of scie=
ntific and technical information for the Department of Defense (DoD)=2e M=
uch of this information is made available by DTIC in the form of technica=
l reports about completed research, and research summaries of ongoing res=
earch=2e ygvivkUGlPnytR8xJZGiQ9BQTVccWBwv</font></p>
Notice the ASCII encodings (HTML numeric character references such as &#46; for '.') used to conceal the links from spam filters
<p align=3d"center"><strong><a href=3d"http:/=
/www.easyoff
=
1;rs.biz/alex2.=
;html"><font size=3d"3" face=3d"Verdana, Arial, Helve=
tica, sans-serif">CLICK=20
HE<zymtossl7>RE <zymtossl6>T<zymtossl5>O GE<zymtossl4>T L<zymtossl3>A<z=
ymtossl2>ID=20
N<zymtossl1>OW<br>
<br>
IT<zymtossl4>'S 10<zymtossl4>0% FR<zymtossl4>EE TO J<zymtossl4>OI<zymto=
ssl4>N!!<zymtossl4>!</font></a></strong></p>
<p align=3d"center"><a href=3d"http://=
19;ww.easyoffer=
s.biz/alex2.h&=
#116;ml"><img src=3d"http://=
19;ww.datingoff=
ers.com/fpa12&=
#46;jpg" width=3d"600" height=3d"400" border=3d"0"></a>=20=
</p>
<p align=3d"center"><a href=3d"http://=
19;ww.easyoffer=
s.biz/nothank=
;s/nothanks.p=
04;p"><img src=3d"http://ww=
;w.easyoffers&#=
46;biz/pics/rm.=
03;if" width=3d"385" height=3d"52" border=3d"0"></a>=20
</p>
Notice how the spammers insert MORE drivel to confuse context-recognition
spam filters
<p>
<font color=3d"#FFFFFF">The Handle System allows handles to be both cr=
eated and resolved in a distributed fashion (see the diagram on this page=
for an overview of the Handle System architecture)=2e Both creation and =
resolution can be accomplished using dedicated clients, common clients su=
ch as web browsers using special extensions or plug-ins, or unextended cl=
ients going through various proxies=2e In all cases, communication with t=
he Handle System is carried out using the Handle System protocol which ha=
s a formal specification and some specific impl
ementations, all freely av=
ailable from CNRI=2e The protocol has a corresponding client library avai=
lable in C and Java=2e The C client library has been used by CNRI in the =
creation of a handle-aware extension to the Netscape and Microsoft web br=
owsers=2e The Java client library has been used to create an http-to-hand=
le proxy and caching server=2e Administration clients are used for the cr=
eation and editing of handles=2e Several have been implemented by CNRI in=
Java, which are used in various web servlets, batch input utilities, and=
other custom projects=2e The above diagram shows the basic architecture =
and operation of the Handle System=2e To improve the productivity of thos=
e who use scientific and technical information to accomplish a Defense mi=
ssion objective, DTIC manages 13 Information Analysis Centers staffed by =
experienced information specialists, scientists and engineers who help cu=
stomers locate, analyze and use scientific and technical information in a=
</font></p>
</body>
</html>
Here's the analysis:
Notice how SpamX has decoded the ASCII encodings (the numeric character references) used by the
spammer to conceal the REAL link addresses AND disposed of the 'drivel'...
User-Agent: SpamX v1.2
Subject: FW: x, meet horny
Date: Sun, 30 Nov 2003 11:43:34 -0700
Message-ID: <289180542386550%donotreply@spamx.com>
From: donotreply@spamx.com
To: abuse@xo.com,
abuse@adelphia.net,
arin@adelphiacom.net,
ipadmin@attla.net.ar,
Content-Type: text/plain; charset=US-ASCII
ATTN: Postmaster/Sysadmin.
Below is a SPAM I received. It appears to have come directly from
one of your email servers, has been relayed through an Open
Relay/Open Proxy you are operating, contains a link to a website
you host or is using an EMail address on your server as a 'drop
box' to collect responses. Your responsible cooperation would be
greatly appreciated in tracking this user down and applying any
relevant AUP's you have. A copy of the SPAM (possibly edited for
length, decoded from base64 where applicable and cleaned of
extraneous tracings back to my email address inserted by the
perpetrator but including full headers) is appended.
Thank you for your prompt attention to this matter.
--------
68.235.66.63 is listed as an open relay
href=3d"http://www.easyoffers.biz/alex2.html" is a website link in the spam body
href=3d"http://www.easyoffers.biz/nothanks/nothanks.php" is a website link in the spam body
--------
Return-Path: <lijewski@cocolee.net>
Received: from [68.235.66.63] (HELO 68-235-66-63.atlsfl.adelphia.net)
by mail.webhostingprovider.com (CommuniGate Pro SMTP 4.1.8)
with SMTP id 46361896 for x; Sun, 30 Nov 2003 08:31:43 -0800
Received: from cocolee.net (cocolee-net.mr.outblaze.com [205.158.62.38])
by 68-235-66-63.atlsfl.adelphia.net (Postfix) with ESMTP id 180822D748
for <x>; Sun, 30 Nov 2003 23:36:16 -0500
From: "Pontiac U. Tailgating" <lijewski@cocolee.net>
To: x <x>
Subject: x, meet horny singles in your area
Date: Sun, 30 Nov 2003 23:36:16 -0500
Message-ID: <000001c3b7c4$4a5abf78$c0792552@cocolee.net>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-AntiVirus: checked by AntiVir MailGate (version: 2.0.1.5; AVE: 6.17.0.2; VDF: 6.17.0.5; host: 68-235-66-63.atlsfl.adelphia.net)
<html>
<body>
<p>'drivel' removed</p>
links perfectly visible<strong><a href=3d"http://www.easyoffers.biz/alex2.html">
<font size=3d"3" face=3d"Verdana, Arial, Helvetica, sans-serif">CLICK
HERE TO GET LAID
NOW<br>
<br>
IT'S 100% FREE TO JOIN!!!</font></a></strong></p>
<a href=3d"http://www.easyoffers.biz/alex2.html"><img width=3d"600" height=3d"400" border=3d"0"></a>
</p>
<a href=3d"http://www.easyoffers.biz/nothanks/nothanks.php"
</body>
</html>
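The clean-up SpamX did on the second spam (decoding the quoted-printable layer, resolving the numeric character references in the href, throwing away the white-on-white filler and the junk tags that chop up the link text) can be reproduced in a few lines. This is an added example, not SpamX's code; the input is a constructed snippet modelled on the spam above, with the `&#NNN;` references written out intact since the copy on this page lost them in extraction.

```python
import html
import quopri
import re

# Constructed sample modelled on the second spam above: quoted-printable HTML with
# a white-on-white "drivel" paragraph, numeric character references hiding the real
# URL, and junk tags (<zymtossl7>) chopping up the link text.
QP_HTML = b"""\
<p><font color=3d"#FFFFFF">The Defense Technical Information Center is the ce=
ntral facility for the collection of technical information=2e ygvivkUGlPnyt</font></p>
<p align=3d"center"><a href=3d"http://&#119;ww.easyoffers.biz/&#97;lex2.ht&#109;l">CLICK=20
HE<zymtossl7>RE T<zymtossl5>O J<zymtossl4>OIN</a></p>
<p align=3d"center"><a href=3d"http://www.easyoffers.biz/nothanks/nothanks.p&#104;p">bye</a></p>
"""

WHITE_TEXT = re.compile(r'<font[^>]*color="#ffffff"[^>]*>.*?</font>', re.I | re.S)
ANY_TAG = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)[^>]*>")
REAL_TAGS = {"html", "head", "title", "meta", "body", "p", "a", "font", "strong", "br", "img"}

def decode_qp_html(qp_bytes):
    """Undo the quoted-printable layer (=3d, =2e, soft line breaks) first."""
    return quopri.decodestring(qp_bytes).decode("latin-1")

def strip_drivel(doc):
    """Drop invisible white-on-white filler and any tag a browser would not recognise."""
    doc = WHITE_TEXT.sub("", doc)
    return ANY_TAG.sub(lambda m: m.group(0) if m.group(1).lower() in REAL_TAGS else "", doc)

def real_links(doc):
    """Resolve &#NNN; references so the href reads the way the browser would follow it."""
    return [html.unescape(h) for h in re.findall(r'href="([^"]+)"', doc, re.I)]

def link_texts(doc):
    """Visible anchor text once the junk tags are gone."""
    return [" ".join(re.sub(r"<[^>]+>", "", inner).split())
            for inner in re.findall(r"<a [^>]*>(.*?)</a>", doc, re.I | re.S)]

def analyze(qp_bytes):
    doc = strip_drivel(decode_qp_html(qp_bytes))
    return {"links": real_links(doc), "texts": link_texts(doc), "clean_html": doc}

if __name__ == "__main__":
    report = analyze(QP_HTML)
    for url, text in zip(report["links"], report["texts"]):
        print(f"{text!r} -> {url}")
```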
AND MORE...
Return-Path: <415frznnam@yahoo.com>
Received: from DTG-137.216-16-80.dtgnet.com ([216.16.80.137] verified)
by mail.webhostingprovider.com (CommuniGate Pro SMTP 4.1.8)
with SMTP id 46897738 for cheaptickets@mydomain.com; Thu, 04 Dec 2003 08:35:49 -0800
Received: from [170.98.48.145] by DTG-137.216-16-80.dtgnet.com with ESMTP id 97674788; Thu, 04 Dec 2003 10:24:30 -0600
Message-ID: <52y855$58-f$$38v26-f17-n7y4-b94@0iaa2t>
From: "Gilda Carver" <415frznnam@yahoo.com>
Reply-To: "Gilda Carver" <415frznnam@yahoo.com>
To: cheaptickets@mydomain.com
Subject: RE:Vicodin.n Vicodin.n Valium.m Xanax.x ltyjd rfiayvnl d
Date: Thu, 04 Dec 03 10:24:30 GMT
X-Mailer: eGroups Message Poster
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="3.8.C7D40D_"
X-Priority: 3
X-MSMail-Priority: Normal
--3.8.C7D40D_
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
Many Specials running this week
THE RE.AL THING
not like the other sites that
imitate these products.
No hidd.en char.ges - Fast Delivery
Vic.odin Val.ium Xan.ax
Via.gra Diaz.epam Alpra.zolam
So.ma Fior.icet Amb.ien
Stil.nox Ult.ram Zo.loft
Clon.azepam At.ivan Tr.amadol
Xeni.cal Cele.brex Vi.oxx
Pro.zac Bus.par Much M.ore....
http://www.nowbetterthis.biz/l/105/index.htm
If you have recieved this in error
please use
http://www.nowbetterthis.biz/byee.html
pogf kdlk xludi
zghwe xpuq ibzgdr ioe fp w m p h
--3.8.C7D40D_--
Here's the analysis:
User-Agent: SpamX v1.2
Subject: FW: RE:Vicodin.n Vicodin.n Valium.m
Date: Thu, 04 Dec 2003 11:12:16 -0700
Message-ID: <289194665796981%donotreply@spamx.com>
From: donotreply@spamx.com
To: abuse@iw.net,
root@public1.nc.jx.cn,
hostmaster@public1.nc.jx.cn,
postmaster@public1.nc.jx.cn,
uce@ftc.gov,
Content-Type: text/plain; charset=US-ASCII
ATTN: Postmaster/Sysadmin.
Below is a SPAM I received. It appears to have come directly from
one of your email servers, has been relayed through an Open
Relay/Open Proxy you are operating, contains a link to a website
you host or is using an EMail address on your server as a 'drop
box' to collect responses. Your responsible cooperation would be
greatly appreciated in tracking this user down and applying any
relevant AUP's you have. A copy of the SPAM (possibly edited for
length, decoded from base64 where applicable and cleaned of
extraneous tracings back to my email address inserted by the
perpetrator but including full headers) is appended.
Thank you for your prompt attention to this matter.
--------
216.16.80.137 is listed as an open relay
http://www.nowbetterthis.biz/l/105/index.htm is a website link in the spam body
http://www.nowbetterthis.biz/byee.html is a website link in the spam body
--------
Return-Path: <415frznnam@yahoo.com>
Received: from DTG-137.216-16-80.dtgnet.com ([216.16.80.137] verified)
by mail.webhostingprovider.com (CommuniGate Pro SMTP 4.1.8)
with SMTP id 46897738 for x; Thu, 04 Dec 2003 08:35:49 -0800
Received: from [170.98.48.145] by DTG-137.216-16-80.dtgnet.com with ESMTP id 97674788; Thu, 04 Dec 2003 10:24:30 -0600
Message-ID: <52y855$58-f$$38v26-f17-n7y4-b94@0iaa2t>
From: "Gilda Carver" <415frznnam@yahoo.com>
Reply-To: "Gilda Carver" <415frznnam@yahoo.com>
To: x
Subject: RE:Vicodin.n Vicodin.n
Date: Thu, 04 Dec 03 10:24:30 GMT
X-Mailer: eGroups Message Poster
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="3.8.C7D40D_"
X-Priority: 3
X-MSMail-Priority: Normal
Many Specials running this week
THE RE.AL THING
not like the other sites that
imitate these products.
No hidd.en char.ges - Fast Delivery
Vic.odin Val.ium Xan.ax
Via.gra Diaz.epam Alpra.zolam
So.ma Fior.icet Amb.ien
Stil.nox Ult.ram Zo.loft
Clon.azepam At.ivan Tr.amadol
Xeni.cal Cele.brex Vi.oxx
Pro.zac Bus.par Much M.ore....
http://www.nowbetterthis.biz/l/105/index.htm
If you have recieved this in error
please use
http://www.nowbetterthis.biz/byee.html
pogf kdlk xludi
zghwe xpuq ibzgdr ioe fp w m p h
--
But that's just my opinion - feel free to make up your own
mind...