Nostalgic Rumblings
The Ramblings of an Old Man
© 2005 L.O.F. Communications;
All Rights Reserved

Times listed are U.S. Eastern
11/16/2005


Here we go again…

Filed under: General — Charlie Summers @ 2:43 pm

In our on-going saga of spam messages with forged headers making it appear we’re responsible…

For quick background, see this blog entry which explains the fun we went through for the first three months of this year. Go ahead, read that one first…I’ll wait. (Some of the last comments on that entry are about the newest run, but most are about the forgery from the beginning of the year.)

Oh, you’re back; sorry, was doing something else. Anyway, the latest forgery appears to contain within the body of the message (and I say “appears” because to date no one has yet sent me a copy with complete header fields…all of the people who have copied these things have only sent the incomplete ones) a header field similar to:

Received: from megachild (lof@chcgil2-ar3-4-43-971-006.chcgil2.dsl-verizon.net [140.140.54.160])
   by www.lofcom.com (8.4.3/8.8.3) with ESMTP id MAA36217;
   Wed, 16 Nov 2005 13:44:41 -0500

Note the forged IP is different in every one I’ve seen, as is the date. But they all have that Chicago Verizon DSL machine name, as well as the machine name “www.lofcom.com.” The first reported sighting was yesterday afternoon, and they apparently escalated today (I’m receiving bunches of mis-directed complaints, which is of course the scum’s intention).

This appears to have been stolen from a really old message; years ago, Verizon had my south-central Pennsylvania DSL line on a Chicago IP, which later moved to Washington, D.C. and then later to Harrisburg, PA. And a _long_ time ago I had a machine which answered to the name “www.lofcom.com” (the current mail server does not)…so the slime who is doing this clearly stole information from an old email.

So please, folks; if you are going to post a copy of the spam you received (and I urge you to do so), please, please, PLEASE include complete headers! If you don’t know how, check the Help file of your email client. But I’m really curious to know if these, like the earlier ones, are coming from a network of zombies, or from a single location.

And stop yelling at me…I didn’t have anything to do with it. (And to the slug who posted, “Dang, boy,” to me, jump in a lake until you learn some manners.)

 

 
Update 16 December, 3:30pm EST: Thanks to George Burnham and Harieta Havarneanu, I have two examples showing where the spam originated; one from Korea and the other from Spain, which tends to suggest this is another attack from a coordinated set of zombie machines around the world.

The mail is basically set up with the “real” header fields (missing To: headers, but that isn’t a problem since the delivery address is always in the out-of-band, or envelope, information), then a blank line which I’m betting is an error (spammers are, by definition, stupid), then the forged header block in the body which is what’s riling everyone up, then the base64-encoded web page (which doesn’t decode properly because of that screwup).

 

 
Update 17 December, 11:03am EST: I cannot believe the number of unsubscribe requests coming into the server…people, you all should be really grateful I’m not the spammer, since sending an unsubscribe request simply validates that you have a legitimate email address. To properly report spam, if you don’t know how to read a Received: header field (or even know what one is), please go to http://www.spamcop.net/ and get yourself a free account. SpamCop will properly report the spam, won’t bother innocents, and will keep your address from being harvested by the bad guys by using phony ones on each reported spam. Also, consider doing a Google search on reporting spam, so you can understand how really bad an idea it is to request an unsubscribe from a list onto which you never subscribed in the first place. (An example of an opt-IN list is the OTR Digest, where you subscribe and unsubscribe yourself at will. That’s a wholly different thing from spam, where some scum harvests your email address from somewhere and shoves commercial crap down your throat.)

 

 
Update 17 December, 6:35pm EST: Ok, scratch that part about not bothering innocents; because the www.lofcom.com domain is in the body of the message in the forged header block, SpamCop is dutifully reporting it as a spamvertized website. (*shrug*) But the truth is, SpamCop is too valuable for me to be upset about it (I have a paid account, and report every spam I receive through it - probably what ticked this slimeball off in the first place).

I also used a really cool website, http://www.toastedspam.com/decode64, to decode the data inside the spam; turns out it’s advertising some website hosted in China selling some scam nonsense. No, I won’t publish it here (you kidding? I should give this scum exposure?), but if you got this spam, you can easily use the ToastedSpam decoder to find it. (And that decoder gets a high-ranking bookmark from me!)
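To show the point of the 16 December update (the forged Received: block lives in the body, not the header section, so it carries no routing information) and of the decoding step above, here is an added example script; it is not from the original post. The sample message is constructed: the real connecting IP (192.0.2.77) and receiving host (mx.example.net) are placeholders, the forged block reuses the hostnames from the post, and the base64 blob decodes to a stub page rather than the real one.

```python
import base64
import re
from email import message_from_string

# Constructed sample modelled on the post: real header section (top Received:
# written by the receiving MX, documentation-range IP), blank line, then a forged
# "Received:" block that therefore lands in the BODY, then the base64 page.
SAMPLE = """\
Received: from unknown (HELO mail) ([192.0.2.77])
  by mx.example.net with SMTP; Wed, 16 Nov 2005 13:45:02 -0500
From: lof@lofcom.com
Content-Type: text/html
Content-Transfer-Encoding: base64

Received: from megachild (lof@chcgil2-ar3-4-43-971-006.chcgil2.dsl-verizon.net [140.140.54.160])
   by www.lofcom.com (8.4.3/8.8.3) with ESMTP id MAA36217;
   Wed, 16 Nov 2005 13:44:41 -0500

PGh0bWw+c2NhbTwvaHRtbD4=
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RECEIVED_BLOCK = re.compile(r"^Received:.*(?:\n[ \t]+.*)*", re.M)

def parse_message(raw):
    """Parsed header object plus the raw, undecoded body text."""
    msg = message_from_string(raw)
    return msg, msg.get_payload()

def connecting_ip(msg):
    """Peer that handed the mail to *your* MX: only the topmost Received: is
    trustworthy, because your own server wrote it; everything below is hearsay."""
    m = IP_RE.search(msg.get_all("Received", [""])[0])
    return m.group(1) if m else None

def body_forgeries(body):
    """Received:-looking blocks in the body. No MTA writes headers there; it is
    text the spammer typed and carries no routing information at all."""
    return [m.group(0) for m in RECEIVED_BLOCK.finditer(body)]

def blamed_host(forged_block):
    """The 'by' host in a forged block: the innocent party the complaints go to."""
    m = re.search(r"\bby\s+(\S+)", forged_block)
    return m.group(1) if m else None

def decode_payload(body):
    """Recover the base64 blob behind the forged block so the advertised site gets reported."""
    lines = [l.strip() for l in body.splitlines()]
    blob = "".join(l for l in lines if len(l) >= 16 and re.fullmatch(r"[A-Za-z0-9+/=]+", l))
    return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
```

Running it on a real copy (with complete headers, as the post asks) gives the address to report from `connecting_ip`, while `blamed_host` names only the party being framed.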