Nostalgic Rumblings
The Ramblings of an Old Man




© 2005 L.O.F. Communications;
All Rights Reserved

Times listed are U.S. Eastern

11/16/2005


Here we go again…

Filed under: General — Charlie Summers @ 2:43 pm

In our on-going saga of spam messages with forged headers making it appear we’re responsible…

For quick background, see this blog entry which explains the fun we went through for the first three months of this year. Go ahead, read that one first…I’ll wait. (Some of the last comments on that entry are about the newest run, but most are about the forgery from the beginning of the year.)

Oh, you’re back; sorry, was doing something else. Anyway, the latest forgery appears to contain within the body of the message (and I say “appears” because to date no one has yet sent me a copy with complete header fields…all of the people who have copied these things have only sent the incomplete ones) a header field similar to:

Received: from megachild (lof@chcgil2-ar3-4-43-971-006.chcgil2.dsl-verizon.net [140.140.54.160])
   by www.lofcom.com (8.4.3/8.8.3) with ESMTP id MAA36217;
   Wed, 16 Nov 2005 13:44:41 -0500

Note the forged IP is different in every one I’ve seen, as is the date. But they all have that Chicago Verizon DSL machine name, as well as the machine name “www.lofcom.com.” The first reported sighting was yesterday afternoon, and they apparently escalated today (I’m receiving bunches of mis-directed complaints, which is of course the scum’s intention).

This appears to have been stolen from a really old message; years ago, Verizon had my south-central Pennsylvania DSL line on a Chicago IP, which later moved to Washington, D.C. and then later to Harrisburg, PA. And a _long_ time ago I had a machine which answered to the name “www.lofcom.com” (the current mail server does not)…so the slime who is doing this clearly stole information from an old email.

So please, folks; if you are going to post a copy of the spam you received (and I urge you to do so), please, please, PLEASE include complete headers! If you don’t know how, check the Help file of your email client. But I’m really curious to know if these, like the earlier ones, are coming from a network of zombies, or from a single location.

And stop yelling at me…I didn’t have anything to do with it. (And to the slug who posted, “Dang, boy,” to me, jump in a lake until you learn some manners.)

Update 16 December, 3:30pm EST: Thanks to George Burnham and Harieta Havarneanu, I have two examples showing where the spam originated; one from Korea and the other from Spain, which tends to suggest this is another attack from a coordinated set of zombied machines around the world.

The mail is basically set up with the “real” header fields (missing To: headers, but that isn’t a problem since the delivery address is always in the out-of-band, or envelope, information), then a blank line which I’m betting is an error (spammers are, by definition, stupid), then the forged header block in the body which is what’s riling everyone up, then the encoded web page (which doesn’t resolve because of the screwup).
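As an added illustration (not code from the post), here is a Python triage routine for a message laid out the way this update describes: it parses the real header block, takes the origin from the bottom-most real Received: field, flags the header-looking lines sitting in the body after the blank line as text no mail server ever processed, lists the hosts named only there, and decodes the base64 payload that follows. The sample message, its hostnames and its addresses are constructed for the example.

```python
import base64
import re
from email import message_from_string
from email.policy import default

# Constructed sample in the shape the post describes: real header fields, a
# blank line, a forged "Received:" block that is really body text, another
# blank line, then a base64 payload. Addresses are from documentation ranges.
SAMPLE = """\
Received: from [203.0.113.45] (helo=192.0.2.9)
\tby mx.example.net with smtp (Exim 4.21)
\tfor victim@example.net; Fri, 18 Nov 2005 02:37:39 -0500
From: sender@example.org

Received: from megachild (lof@host.example.com [198.51.100.7])
   by www.lofcom.com (8.4.3/8.8.3) with ESMTP id MAA36217;
Content-Transfer-Encoding: 7bit

""" + base64.b64encode(b"CONSTRUCTED PAYLOAD http://spamvertised.example/").decode() + "\n"

IPV4 = re.compile(r"\bfrom\s+\[?(\d{1,3}(?:\.\d{1,3}){3})\]?", re.IGNORECASE)
HEADER_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:\s")

def split_message(raw):
    """Parse the real header block; everything after the first blank line is body."""
    msg = message_from_string(raw, policy=default)
    return msg, msg.get_payload(decode=True).decode("ascii", "replace")

def origin_ip(msg):
    """Bottom-most real Received: field; its 'from' host may be [1.2.3.4] or bare."""
    received = msg.get_all("Received") or []
    match = IPV4.search(str(received[-1])) if received else None
    return match.group(1) if match else None

def forged_header_block(body):
    """Header-looking lines at the top of the body: no mail server processed them."""
    block = []
    for line in body.splitlines():
        if not line.strip() or not (HEADER_LINE.match(line) or line[:1] in " \t"):
            break
        block.append(line)
    return block

def blamed_hosts(block):
    """Hosts a naive parser (or an angry recipient) would wrongly blame."""
    return sorted(set(re.findall(r"\bby\s+([A-Za-z0-9.-]+)", " ".join(block))))

def decode_payload(body):
    """Decode the base64 text after the blank line that ends the forged block."""
    blob = body.split("\n\n", 1)[1] if "\n\n" in body else ""
    try:
        return base64.b64decode("".join(blob.split()), validate=True).decode("utf-8", "replace")
    except ValueError:
        return ""
```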

Update 17 December, 11:03am EST: I cannot believe the number of unsubscribe requests coming into the server…people, you all should be really grateful I’m not the spammer, since sending an unsubscribe request simply validates that you have a legitimate email address. To properly report spam, if you don’t know how to read a Received: header field (or even know what one is), please go to http://www.spamcop.net/ and get yourself a free account. SpamCop will properly report the spam, won’t bother innocents, and will keep your address from being harvested by the bad guys by using phony ones on each reported spam. Also, consider doing a Google search on reporting spam, so you can understand how really bad an idea it is to request an unsubscribe from a list onto which you never subscribed in the first place. (An example of an opt-IN list is the OTR Digest, where you subscribe and unsubscribe yourself at will. That’s a wholly different thing from spam, where some scum harvests your email address from somewhere and shoves commercial crap down your throat.)

Update 17 December, 6:35pm EST: Ok, scratch that part about not bothering innocents; because the www.lofcom.com domain is in the body of the message in the forged header block, SpamCop is dutifully reporting it as a spamvertized website. (*shrug*) But the truth is, SpamCop is too valuable for me to be upset about it (I have a paid account, and report every spam I receive through it - probably what ticked this slimeball off in the first place).

Also used a really cool website, http://www.toastedspam.com/decode64 to decode the data inside the spam; turns out it’s advertising some website hosted in China selling some scam nonsense. No, I won’t publish it here (you kidding? I should give this scum exposure?), but if you got this spam, you can easily use the ToastedSpam decoder to find it. (And that decoder gets a high-ranking bookmark from me!)




5 Responses to “Here we go again…”


  1. Michael McGrew Says:

    Here is what was sent to me in my email address and I copied everything in the message. The main header doesn’t have a sender.
    Received: from megachild (lof@chcgil2-ar3-4-18-111-006.chcgil2.dsl-verizon.net [237.75.147.88])
    by www.lofcom.com (8.9.3/8.4.3) with ESMTP id MAA33617;
    Thu, 17 Nov 2005 03:45:27 +0200
    X-Envelope-From: llttpwybmxi@yahoo.com
    X-Sender: llttpwybmxi@yahoo.com
    Message-Id:
    Date: Thu, 17 Nov 2005 06:44:27 +0500
    From: "Lavonne Blanchard" <llttpwybmxi @yahoo.com>
    To: XXXXXXXXXXXX@missvalley.com
    Subject: Feeling loved, wanted and understood again is just what you deserve <3>
    MIME-Version: 1.0
    Content-Type: text/html; charset="us-ascii"
    Content-Transfer-Encoding: 7bit


    This is the body, but doesn’t include complete headers. Note the “headers” you include are actually in the body of the message, with headers external. –cfs3

  2. don't send me anymore Says:

    (*sigh*) Pay attention, person-from-ntl.com; I didn’t send this to you, so I can’t stop sending. Really, read before you post silliness. –cfs3

    Received: from megachild (lof@chcgil2-ar6-4-64-911-006.chcgil2.dsl-verizon.net [172.221.57.248])
    by www.lofcom.com (8.0.3/8.4.3) with ESMTP id MAA34487;
    Thu, 17 Nov 2005 06:14:56 +0600
    X-Envelope-From: ewcdgjiafsyzd@msn.com
    X-Sender: ewcdgjiafsyzd@msn.com
    Message-Id:
    Date: Thu, 17 Nov 2005 03:13:56 +0300
    From: "Erin Law"
    To: XXXXXXXXXXXX@ntlworld.com
    Subject: lost love is not lost forever. you can bring it back <3>
    MIME-Version: 1.0
    Content-Type: text/html; charset="us-ascii"
    Content-Transfer-Encoding: 7bit


  3. Mike Ace Says:

    Here's the real header of the email and it's very strange in itself.
    It originated from 222.137.6.120, which looks to be Chinese in origin, the city of Henan.
    Heh, did you piss off a Romanian? Looks like something they would do.

    Return-path: <gzmfcrxmuy @msn.com>
    Envelope-to: *****@mikeace.com
    Delivery-date: Fri, 18 Nov 2005 02:37:45 -0500
    Received: from [222.137.6.120] (helo=38.113.98.150)
    by mikeace.com with smtp (Exim 4.21)
    id 1Ed0oT-0007Ty-U3
    for *****@mikeace.com; Fri, 18 Nov 2005 02:37:39 -0500
    Message-Id: <e1ed0ot -0007Ty-U3@mikeace.com>
    From: GZMFCRXMUY@msn.com
    Bcc:
    Date: Fri, 18 Nov 2005 02:37:39 -0500

  4. SneakyP Says:

    Good thing I checked the spamvertized website first. Looks like someone is Joe-ing you good. The message appears to have been from a trojaned machine, so it wouldn’t surprise me that it was a zombied network controlled by someone who you would have had some kind of dealings with in the past. Whether it was an effective lart or a TOS violation hosting, it would be a good read. Do follow up in news.admin.net-abuse.email as this is relevant to that group of admins and anti-spammers who deal with this sort of thing daily.

    This spam appears to be a guise to get SpamCop’s parser fooled into reporting the spamvertized website to the wrong party (namely yours). The following is a decode of the encoded text:

    ==============start of decoded spam message=====================

    LOST IN LOVE ? FIND YOUR WAY - THE EASY WAY!
    http://XXXXXXXXXXXXXX

    A year ago, the love of my life was involved in an extramarital affair, and wanted a separation.
    So I have been ‘there’, gone through ‘it’, and lived through what I would call “a living hell”.

    When my relationship failed, I wanted to bring back my lover, as I felt deep in my heart that we should be together.
    But I did not know what went wrong and why things happened the way they did!

    Well meaning friends and associates tried to counsel me and do everything they could to help me.
    They did not answer my most pressing question – WHY?
    They did not tell me how I could stop the separation or how to re-unite with my loved one.
    They did not tell me how to stop all that pain and hurt.
    They did not tell me how I could achieve a harmonious and fulfilling relationship, for as long as I wished and exactly as I wanted it.

    The truth is you don’t have to change a bit. You know all the answers and this book will help you to find them.
    http://XXXXXXXXXXXXXXXXX

    ============end decoded spam message================

    As posted below, the top portion of this spam was left off above the last Received line (my private server’s info and stuff not relevant). The last line of the message header (mine) is the X-Blist-Pattern: 58.0.0.0 - 59.255.255.255. The next line after the blank space is actually part of the body of the message (as already mentioned by another poster).
    This spam will be posted in news.admin.net-abuse.sightings shortly so you may be able to see more details there. However, keep in mind that I do munge a lot of info in the headers.
    One last note, Do NOT email me at the given email address (it’s set up for whitelist only). If you need to contact me, do so in news.admin.net-abuse.email. Reference your post with my handle.

    Received: from 59.35.172.149 (HELO 4.79.181.13) (59.35.172.149)
    by mta160.mail.mud.yahoo.com with SMTP; Sun, 20 Nov 2005 10:03:11 -0800
    Content-Length: 1311
    X-SpamCop-Checked: 192.168.1.105 216.154.195.36 192.168.1.201 59.35.172.149
    X-SpamCop-Disposition: Blocked bl.spamcop.net
    X-SpamCop-Disposition: Blacklist yahoo.com
    X-P2P: SPAM
    X-SpamPal: SPAM BLIST 59.35.172.149
    X-Blist-Pattern: 58.0.0.0 - 59.255.255.255

    Received: from megachild (lof@chcgil2-ar4-4-34-311-006.chcgil2.dsl-verizon.net [36.89.125.72])
    by www.lofcom.com (8.3.3/8.5.3) with ESMTP id MAA35927;
    Sun, 20 Nov 2005 13:01:32 -0500
    X-Envelope-From: YXSCIXHUBGFEKM@yahoo.com
    X-Sender: YXSCIXHUBGFEKM@yahoo.com
    Message-Id: <v0380032258f05c2ebbd @so.uk>
    Date: Sun, 20 Nov 2005 15:57:32 -0200
    From: "Kristen Chavez" <yxscixhubgfekm @yahoo.com>
    To: i79tiger@yahoo.com
    Subject: Feeling loved, wanted and understood again is just what you deserve <3>
    MIME-Version: 1.0
    Content-Type: text/html; charset="us-ascii"
    Content-Transfer-Encoding: 7bit


    The only change I made was to remove the slime’s website URL from your decoded copy. After all the other fun I’ve been having, I’ll be damned if I’ll give the slime advertising…as I mentioned, it’s a site hosted in China (Hong Kong, specifically), and is consistent with the others I’ve decoded.

    The interesting thing is, because of that blank line, most mailers won’t directly decode it (dunno about Microsoft apps). And had the guy not put that blank in there, 99% of the people who are sending me “unsubscribe” messages (*sigh*) wouldn’t even see my domain name. Of course as you note, because it is in the body, SpamCop is dutifully reporting each one sent to it to my provider, who has thankfully been really understanding about the whole thing.

    I used to frequent NANAE a lot, but eventually stopped reading it. Too few hours in a day, and for a while it was hit with so many forged and resent messages it got cumbersome to read. –cfs3

  5. SneakyP Says:

    Upon further review, it appears that you are just a victim of SpamCop’s parser being exploited to report to the wrong party. The responsible people, according to Spamhaus, are a ROKSO group of spammers.
    ROKSO - Register of Known Spammer Operations - is a list of LOSERS who have been kicked off of 3 other providers of internet service.

    unitarybn.info
    [58.177.249.223]
    http://www.spamhaus.org/SBL/sbl.lasso?query=SBL34942 58.177.249.223/32 20-Nov-2005 11:50 GMT | SR04 ROKSO
    Alex Blood / Alexander Mosh / AlekseyB / Alex Polyakov

