How to figure out a 'forged' SPAM e-mail header????

new

« Prev
1
Next »

irvsp
Guru

Posts: 644

How to figure out a 'forged' SPAM e-mail header???? Jul 4, 2017 12:46:39 GMT

Quote

Post by irvsp on Jul 4, 2017 12:46:39 GMT

I've been FLOODED for the past few months with SPAM, 2 to 4 a day usually. I use SPAMCOP to report it, but of course that doesn't really help and the SPAM does use a few different servers to send the e-mails out. Looks like the real userID gets shutdown, switches to a new e-mail provider and comes back to the old one once that gets shutdown.

This is a TYPICAL header, and I can't read it to figure out where it originated, but SPAMCOP can and tells me SERVERMAINIA.COM?

==================

Return-Path: <The.Wall.Street.Journal@mcmarsbachmcguizeshunt.com>
Received: from cdptpa-pub-iedge-vip.email.rr.com ([107.14.174.245])
by cdptpa-fep15.email.rr.com
(InterMail vM.8.04.03.24 201-2389-100-172-20151028) with ESMTP
id <20170704064441.ZGMV19922.cdptpa-fep15.email.rr.com@cdptpa-pub-iedge-vip.email.rr.com>
for <ispalten@cfl.rr.com>; Tue, 4 Jul 2017 06:44:41 +0000
Return-Path: <The.Wall.Street.Journal@mcmarsbachmcguizeshunt.com>
Authentication-Results: cdptpa-imsmta04 header.DKIM-Signature=@mcmarsbachmcguizeshunt.com; dkim=tempfail (key unavailable)
Received: from [144.168.154.248] ([144.168.154.248:44809] helo=mcmarsbachmcguizeshunt.com)
by cdptpa-imsmta04 (envelope-from <The.Wall.Street.Journal@mcmarsbachmcguizeshunt.com>)
(ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ESMTP
id BF/67-29449-8593B595; Tue, 04 Jul 2017 06:44:40 +0000
DKIM-Signature: v=1;
a=rsa-sha1; c=relaxed/relaxed; d=mcmarsbachmcguizeshunt.com;
s=gamma; t=1499150668; bh=UP+rOQWj/fOQU7LViNyGVH9Mrsw=; h=To:From;
b=gfH5O+EUl0u6dPDt2ZVR2YZILyA1iXW0NbymsWjBKSPrw7yBChiLlW0i+F5pEgJk7
Ud0XhpENTR19xyCHRnJbtQOiIa9Woa5MGkSLMjW/zZrqIpVjCG3v4JUvBp3xunH1Zi
LuKNG4ii4eWCJ7JzxlPMdHjdgnAZ/2VoytiemMs4=
Message-ID: <BF.67.29449.8593B595@cdptpa-imsmta04>
From: "The Wall Street Journal" <The.Wall.Street.Journal@mcmarsbachmcguizeshunt.com>
To: "The Wall Street Journal" <The.Wall.Street.Journal@mcmarsbachmcguizeshunt.com>
Subject: =?UTF-8?Q?Real_News._Real_Journalism._From_America=E2=80=99s_Most_Trusted_Newspaper.?=
Date: 04 Jul 2017 02:44:28 -0400
Content-Type: text/html;
X-Authority-Analysis: v=2.2 cv=PtLjV0E3 c=1 sm=1 tr=0 a=PuE6Mb8OjkD4PKdjJk5baA==:117 a=PuE6Mb8OjkD4PKdjJk5baA==:17 a=Tyvxj6_BAAAA:20 a=Hfvi4NBBAAAA:20 a=lD-iK1zxAAAA:20 a=I794Q0D6AAAA:20 a=5g1Cvp-yFcDSkZToDXUA:9 a=fhsdHeyJ7IUGmGHouAUpkHkRngc=:19 a=3Uu_7gefoNZw26iH:21 a=x96reBz1HwM8RFO3:21 a=OqH0kw6z3GQA:10 a=M5UfAgMftloA:10 a=HFS7LFQXJ0IA:10 a=XzWuT8x7JZkA:10
X-Cloudmark-Score: 0
X-RR-Connecting-IP: 107.14.168.210:25
===================

Obviously sent to me using BCC:.

Contents from the SPAM's vary, most use BITLY to direct one to the desired SPAM...

They will look like this:

=========
bit.ly/2tz985 <= don't bother taking it, I dropped of the last character
ciaosvenfermtouchleidloo.ml/20644758d165e1889948?sf=5839283,2647020,1440318547,1539872&eb=my_email_address
=========

Understand the first one, but NOT the 2nd one?

This is what SPAMCOP figured out from the header:

===============
Submitted: 7/4/2017, 7:17:17 AM -0400:
=?UTF-8?Q?Real_News._Real_Journalism._From_America=E2=80=99s_Most_Trusted_New...

6675754448 ( bit.ly/2tz985A ) To: security@bit.ly
6675754447 ( bit.ly/2tBo5DK ) To: security@bit.ly
6675754446 ( 144.168.154.248 ) To: postmaster#servermania.com@devnull.spamcop.net
6675754445 ( 144.168.154.248 ) To: abuse@servermania.com
=============

I'm so confused, here are other report to SPAMCOP and what they did:

===============

Submitted: 7/2/2017, 9:59:16 AM -0400:
Xarelto Users, Read This! Free Legal Review and Potential Compensation

6674385759 ( dauddustcejclagggrettslandnischhtun.ml/2... ) To: postmaster#servermania.com@devnull.spamcop.net
6674385758 ( dauddustcejclagggrettslandnischhtun.ml/2... ) To: postmaster#servermania.com@devnull.spamcop.net
6674385757 ( 23.250.48.158 ) To: postmaster#servermania.com@devnull.spamcop.net
6674385756 ( dauddustcejclagggrettslandnischhtun.ml/2... ) To: abuse@servermania.com
6674385755 ( dauddustcejclagggrettslandnischhtun.ml/2... ) To: abuse@servermania.com
6674385754 ( 23.250.48.158 ) To: abuse@servermania.com

Submitted: 7/2/2017, 9:59:16 AM -0400:
Money Saving Oil Change Coupons

6674385763 ( dacfelsnoncreelrail.cf/20641073o94k15675... ) To: abuse@neterra.net
6674385762 ( dacfelsnoncreelrail.cf/20641072o94k15675... ) To: abuse@neterra.net
6674385761 ( 85.217.138.125 ) To: nomaster@devnull.spamcop.net

Submitted: 7/1/2017, 7:02:06 AM -0400:
Review your eHarmony Matches for FREE

6674037450 ( chadtherspufzmapithyel.ml/20638311x138r1... ) To: djok@evo.bg
6674037449 ( chadtherspufzmapithyel.ml/20638310x138r1... ) To: djok@evo.bg
6674037448 ( 185.5.119.252 ) To: postmaster@neterra.net
6674037447 ( 185.5.119.252 ) To: abuse@neterra.net

Submitted: 6/30/2017, 10:20:09 AM -0400:
Stay Active While Watching TV - 30-Day Free Trial!

6673505375 ( ratzhholzchisttedtrausottoffquai.tk/2063... ) To: postmaster#servermania.com@devnull.spamcop.net
6673505374 ( ratzhholzchisttedtrausottoffquai.tk/2063... ) To: postmaster#servermania.com@devnull.spamcop.net
6673505373 ( 104.144.122.129 ) To: postmaster#servermania.com@devnull.spamcop.net
6673505372 ( ratzhholzchisttedtrausottoffquai.tk/2063... ) To: abuse@servermania.com
6673505371 ( ratzhholzchisttedtrausottoffquai.tk/2063... ) To: abuse@servermania.com
6673505370 ( 104.144.122.129 ) To: abuse@servermania.com
-------------

Ones that go to @devnull.spamcop.net are basically NOP's... SPAMCOP knows nothing will be done with the report.

One of the above shows why I'm having a problem figuring this all out? The 7/2 report for instance:

=============
SpamCop v 4.8.6 © 2017 Cisco Systems, Inc. All rights reserved.
Parsing input: dauddustcejclagggrettslandnischhtun.ml/20641089h150q1260656?sf=5838559,2646619,402272414,1539502&eb=x
[report history]
Host dauddustcejclagggrettslandnischhtun.ml (checking ip) = 23.250.48.2
Routing details for 23.250.48.2
[refresh/show] Cached whois for 23.250.48.2 : support@servermania.com
Using abuse net on support@servermania.com
abuse net servermania.com = noc@servermania.com, postmaster@servermania.com
Using best contacts noc@servermania.com postmaster@servermania.com
noc@servermania.com redirects to abuse@servermania.com
postmaster@servermania.com bounces (99 sent : 99 bounces)
Using postmaster#servermania.com@devnull.spamcop.net for statistical tracking.
Statistics:
23.250.48.2 not listed in bl.spamcop.net
More Information.
23.250.48.2 not listed in cbl.abuseat.org
23.250.48.2 not listed in dnsbl.sorbs.net

Reporting addresses:
abuse@servermania.com
===============

How did they arrive at this line, "Host dauddustcejclagggrettslandnischhtun.ml (checking ip) = 23.250.48.2"

? Yes, that IP Address is SERVERMANIA. So is the first one I guess (144.168.154.248) and all these appear to be B2 Net Solutions servers. Specifically what is used to come up with 23.250.48.2 from that line? Does this, 20641089h150q1260656?sf=5838559,2646619,402272414,1539502, translate into that IP Address? Can not figure this out.

I can create RULES to dump this junk before it even gets to my inbox but there appears to be so many variations it is almost impossible.

Ones that scare me are the ones that have my email address on the link line.

GuiltySpark Guru Administrator “There isn't a way things should be. There's just what happens, and what we do.” Posts: 1,534	How to figure out a 'forged' SPAM e-mail header???? Jul 4, 2017 21:29:54 GMT Quote Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by GuiltySpark on Jul 4, 2017 21:29:54 GMT 23.250.48.2 = dauddustcejclagggrettslandnischhtun.ml

irvsp
Guru

Posts: 644

How to figure out a 'forged' SPAM e-mail header???? Jul 6, 2017 12:54:53 GMT

Quote

Post by irvsp on Jul 6, 2017 12:54:53 GMT

Jul 4, 2017 21:29:54 GMT GuiltySpark said:

23.250.48.2 = dauddustcejclagggrettslandnischhtun.ml

No, that is what the forgery is. There is no such server or URL. However if you lookup the IP Address, like HERE you'd see it is B2 Net Solutions, and the Comment is servermania.com.

That is my problem, ServerMania has umpteen server IP Addresses. Whoever is sending the crap out either gets a new account and forges everything. MailWasher can only block based what is in the header, sender, or body. It can't resolve the IP Address. SPAMCOP does and locates the ABUSE address, however for SERVERMANIA it sends it to a special holding box, not SERVERMANIA.

Some of the forgeries I've gotten:

Received: from [138.128.73.39] ([138.128.73.39:60440] helo=cystolgrantlamhell.com)
Received: from [144.168.154.248] ([144.168.154.248:44809] helo=mcmarsbachmcguizeshunt.com)
Received: from [85.217.132.83] ([85.217.132.83:36534] helo=rochstaeusstritrelph.com)
Received: from [104.144.114.7] ([104.144.114.7:39204] helo=kraekdorfhmonsgermfeldt.com)
Received: from [23.250.48.158] ([23.250.48.158:33696] helo=chuchtabhywzornfrees.com)
Received: from [85.217.138.125] ([85.217.138.125:41478] helo=moanpeakjezshiftbrook.com
Received: from [185.5.119.252] ([185.5.119.252:55850] helo=lomslncermannlouan.com)
Received: from [104.144.122.129] ([104.144.122.129:55391] helo=labwetchquicjel.com)
Received: from [50.3.123.91] ([50.3.123.91:50110] helo=kraekdorfhmonsgermfeldt.com)
Received: from [188.191.150.163] ([188.191.150.163:38151] helo=skeadungthiefjephiatt.com)

Those are just some of the ones I got this week.

I could create a rule where Received contained [23.250.48, [104.144.1, and [85.217.13 and I'd catch 6 of those. Problem what if REAL email came from there too?

What the root problem is that I don't know what the payload is? I get 2 types, the BITLY and the ones I can't even figure out? BITLY is just a link. The few times I used the iPad to see it it was something to purchase and appeared to be real copied over, but those links on it also appeared to be real? Suspect they are using the 'from' to get a partial cent for referring you to the site. The worrisome on is this, from the last line above:

============
<a href="http://spurtvilsnogdpierdrach.tk/20629772k77f1449977?sf=5836412,2645245,3166672547,1538181&eb=my email address">
<img src="http://spurtvilsnogdpierdrach.tk/images/6633815925.png" border="0" />
</a>
==========

I know from the last line above it translates into 188.191.150.163 where it will go to. However what exactly is the rest of the line, 20629772k77f1449977?sf=5836412,2645245,3166672547,1538181&eb=my email address, and why is my e-mail address on it? I can't find ANY information on that? Since it is in HTML code when Thunderbird sucks it in it well basically execute that code, and I'll see the PNG file. I'm worried about some malware coming it with it.

As for MWP I'd have to write umpteen rules with no guarantee I'd not filter out good mail as well. So I couldn't even set it to auto-delete. Fear one should be missed and I didn't manually delete it and TB would execute it.

I guess if I knew what that line did or translated into I'd feel better?

GuiltySpark
Guru

Administrator

“There isn't a way things should be. There's just what happens, and what we do.”

Posts: 1,534

How to figure out a 'forged' SPAM e-mail header???? Jul 7, 2017 20:47:56 GMT

Quote

Post by GuiltySpark on Jul 7, 2017 20:47:56 GMT

They look like trailheaders. The

20629772k77f1449977?sf=5836412,

is possibly the return address, the clue being

SF=5836412

This suggests SalesForce.

The other numbers could be ticket numbers which refer to email addresses, i.e., yours + two others.

The last part which says "my email address" could be the sender's email receipt or your email (general) as to which it's being viewed by.

SalesForce usually has a email list pickup which will show who or what email has viewed / clicked a or all links.

Last Edit: Jul 7, 2017 20:56:43 GMT by GuiltySpark

irvsp
Guru

Posts: 644

How to figure out a 'forged' SPAM e-mail header???? Jul 8, 2017 16:23:15 GMT

Quote

Post by irvsp on Jul 8, 2017 16:23:15 GMT

Jul 7, 2017 20:47:56 GMT GuiltySpark said:

They look like trailheaders. The

20629772k77f1449977?sf=5836412,

is possibly the return address, the clue being

SF=5836412

I edited my post and took out my e-mail address and replaced it with 'my email address'... I'm sure if I did open the file it would identify me, possibly for more spam.

I'm sort of thinking "20641089h150q1260656?sf=5838559,2646619,402272414,1539502" the part after sf= is an IP Address? Before it actually a PROGRAM to run? With no letters in the 4 numbers after the sf I'd think it would be possibly converted to an IPv4 or 6 address? I just can't figure out the meaning of the numbers and how they were produced?

Here is the complete HTML sent to me on one of these:

===========================
<center>

<a href="http://cruxfindszvermoerk.ml/20649224h96x1778390?sf=5840018,2647580,2323663143,1540408&eb=ispxxx@xxx.com">
<img src="http://cruxfindszvermoerk.ml/images/750bfdd886.png" border="0" />
</a>
<br><br>
<a href="http://cruxfindszvermoerk.ml/20649225h96x1778390?sf=5840018,2647580,2323663143,1540408&eb=ispxxx@xxx.com">
<img src="http://cruxfindszvermoerk.ml/images/a749f9d0b9.png" border="0" />
</a>

<br><br>

<div style="color: #fff">potpourri psychoanalyst. thyratron seelhaft. Alameda hindman bolden lemontier ascription Durer haldmuller tassell row price solicitude amide herein josue cover armorer var rittenberg rickey gelatin Rotarian parlo maclaren zama ash chumming gibbous hullabaloo faustino nahni miscarriage cherd sluky Newfoundland mynah eigenspace howitt
.
.
. loads of lines like this that show if you can't see HTML in your e-mail client
.
.
ayudhaya. connart beckwith duce joadcannotarzan noble salesman. citrate excursion oilmen carol machination profess mcalister pagan anastomotic rudolpho postlethwaite good protege odis tucci prospect transposition bullock Allah hunch burghoff kutvolgyi loyd aldama quasiorder gilman arieh abrahan kimmy petraglia delbridge hackenbush courson boutigny. sal9000.</div>

</center>
================

That would show 2 different images... copies of REAL images from the site that pertained to the Subject.... I assume clicking on either link would go to the spammer's site or worse, infect me?

I just don't know how to read the line with all those numbers and my email address?

GuiltySpark
Guru

Administrator

“There isn't a way things should be. There's just what happens, and what we do.”

Posts: 1,534

How to figure out a 'forged' SPAM e-mail header???? Jul 9, 2017 12:31:38 GMT

Quote

Post by GuiltySpark on Jul 9, 2017 12:31:38 GMT

I tried going to one of those sites only with a throwaway email I use and it redirects to r.aimbl, it could be a IP in the numbers or it may just be a redirect within a webpage not sure.

Alienvault throws up this ; otx.alienvault.com/indicator/domain/r.aimlb.com/

I did play with it a little (can't remember exactly what I did now) but it shows up as a beauty shopping site which I still think is to do with the "sf" in the URL being Sales Force.

Either way it's Phishing and generally not worth clicking.

irvsp
Guru

Posts: 644

How to figure out a 'forged' SPAM e-mail header???? Jul 12, 2017 11:10:31 GMT

Quote

Post by irvsp on Jul 12, 2017 11:10:31 GMT

Well they might have been on vacation? For a few days nada, today, 2 came in. Messages from SERVERMANIA but payload on 2 different places.

My son works for SalesForce, I might ask him, but I doubt it has to do with them.

I did try a few links out on my iPad. Figured that it was less likely to get attacked. From what I could see the subject and the displayed web page are the same. So are all the links within the JPG/PNG file, both legitimate and the same as the legal site. That is why I think this coding somehow directs back to the spammer. My e-mail address is sent along I assume IN CASE I should order something? That said, why can't I figure out the numbers? They are not IPv6 nor a decimal number representation for an IP Address?

I too think it is a form of Phishing, but not one confirmation of this using Google with various inputs. About all I can find is that SERVERMANIA.COM is a haven for spammer's.

As far as NOT clicking, the problem is that TB does load the payload. If there is anything 'bad' it might cause me a problem if it can get past my F/W, A/V, and RansomeFree? Right now a majority of them are stopped by MailWasher which marks them as 'bad'. That is based on the BITLY and my e-mail address in the body. I can't set them to auto-delete though as both of those do come in legitimate e-mail. MailWasher can't find the true sender based on IP Address and SERVERMANIA has a TON of IP Addresses so making a rule for ALL of them would take time and be a pain, as well as SIGNIFICANTLY slow down the e-mail fetch if I had even hundreds of rules to check.

GuiltySpark Guru Administrator “There isn't a way things should be. There's just what happens, and what we do.” Posts: 1,534	How to figure out a 'forged' SPAM e-mail header???? Jul 25, 2017 13:50:55 GMT Quote Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by GuiltySpark on Jul 25, 2017 13:50:55 GMT Did your son find out anything?

irvsp
Guru

Posts: 644

How to figure out a 'forged' SPAM e-mail header???? Aug 2, 2017 11:41:43 GMT

Quote

Post by irvsp on Aug 2, 2017 11:41:43 GMT

Jul 25, 2017 13:50:55 GMT GuiltySpark said:

Did your son find out anything?

Nope. I'm still getting flooded each day. Servers change often as does where the payload sits.

I still don't know what the 'game' is? Suspect it is nothing more that a 'money making' scheme to get a fraction of a cent if one does take the link?

Shoutbox

Shout, but with a whisper!

ru.2000USD: ru.2000USD Feb 3, 2024 10:18:27 GMT

Lighthouse: bubbs, could you please ask these questions on the main forum. Nobody looks in here! Oct 11, 2019 0:47:50 GMT *

bubbatie1: actually win 10 refuses to install on my win 7 comp.help Oct 10, 2019 0:24:38 GMT

bubbatie: if win 7 is becoming obsolete what free upgrade should i do ? Oct 4, 2019 18:47:34 GMT

Lighthouse: Yeah, it does.Could you send me an email please. Look for the address in my profile. Oct 2, 2019 3:25:16 GMT

bubbatie: that sux Oct 1, 2019 15:27:33 GMT

Lighthouse: Not hardly any I'm sad to say Sept 28, 2019 23:31:39 GMT

bubbatie1: is everyone still active ? Sept 27, 2019 17:38:52 GMT

bubbatie1: hi all im back again been a wild ride Sept 27, 2019 17:38:24 GMT

Lighthouse: Hey bubbatie, have a good one:) Jul 29, 2018 12:08:31 GMT

Lighthouse: Happy Birthday to you Irv. Jul 14, 2018 10:14:25 GMT

Lighthouse: Happy Birthday Howard (Straspey), I did send you an email Apr 12, 2018 4:05:20 GMT

Lighthouse: Have a good one Mike:) Mar 26, 2018 5:51:36 GMT

Lighthouse: A very Happy Birthday to you Brian Mar 17, 2018 16:49:48 GMT

Lighthouse: on a wheel on a semi Jan 27, 2018 19:24:12 GMT

Admin_Vistamike: semi flat hedgehog run over by a semi deflated tyre? Jan 27, 2018 1:25:23 GMT

Admin_Vistamike: ah, prices have spiked here............ Jan 27, 2018 0:08:56 GMT

Lighthouse: \thanks Mike, but all I really wanted was a semi flat hedgehog so I could get a good meal. Jan 26, 2018 22:47:33 GMT

Admin_Vistamike: And a link to your prezzie (only 1 left) goo.gl/2HDJgC Jan 26, 2018 19:38:42 GMT

Admin_Vistamike: Many happy returns of the day LH, have a good one, hic Jan 26, 2018 19:11:31 GMT

How to figure out a 'forged' SPAM e-mail header????

Post by irvsp on Jul 4, 2017 12:46:39 GMT

Post by GuiltySpark on Jul 4, 2017 21:29:54 GMT

Post by irvsp on Jul 6, 2017 12:54:53 GMT

Post by GuiltySpark on Jul 7, 2017 20:47:56 GMT

Post by irvsp on Jul 8, 2017 16:23:15 GMT

Post by GuiltySpark on Jul 9, 2017 12:31:38 GMT

Post by irvsp on Jul 12, 2017 11:10:31 GMT

Post by GuiltySpark on Jul 25, 2017 13:50:55 GMT

Post by irvsp on Aug 2, 2017 11:41:43 GMT

Shoutbox