curious e-mails

Archy

I received the following e-mails which say they came from my e-mail
address???? which they have not. I have replaced the real mail address with
"mymail".

It's spamming a loan company

How have they done this?????

Return-Path: <[email protected]>
Delivery-Date: Mon, 11 Aug 2003 06:41:43 +0100
Received: from sbqaj.miudj.lvchzfp.eofqdi.kzt.dfjxcyizgioyogygn (actually
host wbar2.sjo1-4-4-032-087.sjo1.dsl-verizon.net) by dswu26 with SMTP
(XT-PP); Mon, 11 Aug 2003 06:41:30 +0100
X-Priority: 3 (Normal)
From: (e-mail address removed)
To: (e-mail address removed)
X-Sender: (e-mail address removed)
Message-Id: <[email protected]>
Date: Sun, 10 Aug 2003 23:37:27 -0700
Return-Path: (e-mail address removed)
X-MSMail-Priority: Normal
Received: from sbqaj.miudj.lvchzfp.eofqdi.kzt.dfjxcyizgioyogygn by
4b67ke.sbqaj.miudj.lvchzfp.eofqdi.kzt.dfjxcyizgioyogygn with SMTP for
(e-mail address removed); Sun, 10 Aug 2003 23:37:27 -0700
Subject: Extreme consolidation guidance
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: Quoted-Printable
<html>
</:
275:GKIJYNGVGCJXCFVDFBWFBEKDSTNELIBSGCDPAMWPWTDIXJTLPETUTASSLS8CAC5D8F41E019
C6769842E711C648E71EC2608DB563DE0F3CEA>
</:
275:866410840250874674056879128472018161730360719645347897826266113670097664
89888700687016997534969881370961547554152794113985101886646>
<body>
<p align=3D"center"><a href=3D"http://www.oasis.pro.br/det/"><img
border=3D"0" =
src=3D"http://www.oasis.pro.br/det/de0217.jpg" width=3D"400" height=3D385" =
align=3D"middle"></a></p>
</body>


AND ALSO:- this one from a porn site:-

Return-Path: <[email protected]>
Delivery-Date: Sun, 10 Aug 2003 20:07:45 +0100
Received: from 192.168.254.31 (actually host
ip-69-33-65-183.chi.megapath.net) by dswu26 with SMTP (XT-PP); Sun, 10 Aug
2003 20:07:42 +0100
Received: from triad.rr.com ([138.138.138.138]) by triad.rr.com
(8.9.3/8.9.3) with SMTP id 27680 for <[email protected]>; Sun, 10 Aug 2003
15:08:27 -0400
Message-ID: <[email protected]>
Received: from [138.138.138.138] by web27680.mail.yahoo.com via HTTP; Sun,
10 Aug 2003 15:08:27 -0400
From: "Edwyn Ralph" (e-mail address removed) """BUT NOT MY ISP"""
To: "centaurmetals" <[email protected]>
Date: Sun, 10 Aug 2003 15:08:22 -0400
Subject: hey
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_NextPart_000_0000_6C206C20.6C206C20"

------=_NextPart_000_0000_6C206C20.6C206C20
Content-Type: text/html;
Content-Transfer-Encoding: base64
</html>
 
Archy

GSV,

Thanks for that, I thought they had gained access to my computer somehow and
were using it to send spam.

GSV Three Minds in a Can said:
from the wonderful person said:
I received the following e-mails which say they came from my e-mail
address???? which they have not. I have replaced the real mail address with
"mymail".

It's spamming a loan company

How have they done this?????

They faked the from, and reply to, addresses .. not uncommon in Spam.
Obviously you can't do this via a decent ISP's SMTP server, but there
are plenty of ways available to the unscrupulous (i.e. spammers). If you
stick the raw text (headers + email) into spamcop.net you can a) find
out where they really came from, and b) report them.

the first one needs to go to (e-mail address removed):

host wbar2.sjo1-4-4-032-087.sjo1.dsl-verizon.net (checking ip) =
4.4.32.87
host 4.4.32.87 (getting name) =
wbar2.sjo1-4-4-032-087.sjo1.dsl-verizon.net.
DNS checks pass
Possible spammer: 4.4.32.87
4.4.32.87 is not an MX for wbar2.sjo1-4-4-032-087.sjo1.dsl-verizon.net
host wbar2.sjo1-4-4-032-087.sjo1.dsl-verizon.net (checking ip) =
4.4.32.87
Received line accepted

Received: from sbqaj.miudj.lvchzfp.eofqdi.kzt.dfjxcyizgioyogygn by
4b67ke.sbqaj.miudj.lvchzfp.eofqdi.kzt.dfjxcyizgioyogygn with SMTP for x;
Sun, 10 Aug 2003 23:37:27 -0700
no ip found in received line
Checking non-IP received line
host sbqaj.miudj.lvchzfp.eofqdi.kzt.dfjxcyizgioyogygn (checking ip) ip
not found ; sbqaj.miudj.lvchzfp.eofqdi.kzt.dfjxcyizgioyogygn discarded
as fake.
DNS check fails


Tracking message source: 4.4.32.87:
Display data:
"whois (e-mail address removed)" (Getting contact from whois.arin.net )
Found AbuseEmail in whois (e-mail address removed)
4.0.0.0 - 4.255.255.255:[email protected]
Routing details for 4.4.32.87
Using abuse net on (e-mail address removed)
abuse net genuity.com = (e-mail address removed)
Using best contacts (e-mail address removed)
4.4.32.87 listed in dnsbl.njabl.org ( 127.0.0.3 )
4.4.32.87 listed in dnsbl.njabl.org ( 127.0.0.3 )
4.4.32.87 not listed in proxies.blackholes.easynet.nl
4.4.32.87 listed in dnsbl.sorbs.net ( 127.0.0.3 )
4.4.32.87 is an open proxy
4.4.32.87 not listed in query.bondedsender.org

Finding links in message body

Would send message source reports to:

Re:4.4.32.87 (Administrator of network where email originates)

(e-mail address removed)

---------------------------------------------------------------------------------------------------

the second one belongs to (e-mail address removed)

Received: from 192.168.254.31 (actually host
ip-69-33-65-183.chi.megapath.net) by dswu26 with SMTP (XT-PP); Sun, 10
Aug 2003 20:07:42 +0100
Bogus IP in HELO removed: 192.168.254.31
Received: from x (actually host ip-69-33-65-183.chi.megapath.net) by
dswu26 with SMTP (XT-PP); Sun, 10 Aug 2003 20:07:42 +0100
no ip found in received line
Checking non-IP received line
host ip-69-33-65-183.chi.megapath.net (checking ip) = 69.33.65.183
host 69.33.65.183 (getting name) = ip-69-33-65-183.chi.megapath.net.
DNS checks pass
Possible spammer: 69.33.65.183
69.33.65.183 is not an MX for ip-69-33-65-183.chi.megapath.net
host ip-69-33-65-183.chi.megapath.net (checking ip) = 69.33.65.183
Received line accepted

Received: from triad.rr.com ([138.138.138.138]) by triad.rr.com
(8.9.3/8.9.3) with SMTP id 27680 for <[email protected]>; Sun, 10 Aug
2003
host 69.33.65.183 (getting name) = ip-69-33-65-183.chi.megapath.net.
host ip-69-33-65-183.chi.megapath.net (checking ip) = 69.33.65.183
69.33.65.183 not listed in dnsbl.njabl.org
69.33.65.183 not listed in proxies.blackholes.easynet.nl
69.33.65.183 not listed in dnsbl.sorbs.net
69.33.65.183 is not an MX for triad.rr.com
69.33.65.183 not listed in dnsbl.njabl.org
Possible spammer: 138.138.138.138
host triad.rr.com (checking ip) = 24.28.227.96
24.28.227.96 not listed in dnsbl.njabl.org
24.28.227.96 not listed in proxies.blackholes.easynet.nl
24.28.227.96 not listed in dnsbl.sorbs.net
138.138.138.138 is not an MX for triad.rr.com
Looks like a forgery

Tracking message source: 69.33.65.183:
Routing details for 69.33.65.183
[refresh/show] Cached whois for 69.33.65.183 : (e-mail address removed)
Using abuse net on (e-mail address removed)
abuse net megapath.net = (e-mail address removed)
Using best contacts (e-mail address removed)
69.33.65.183 not listed in dnsbl.njabl.org
69.33.65.183 not listed in dnsbl.njabl.org
69.33.65.183 not listed in proxies.blackholes.easynet.nl
69.33.65.183 not listed in dnsbl.sorbs.net
69.33.65.183 not listed in relays.ordb.org.
69.33.65.183 not listed in query.bondedsender.org

Finding links in message body
error: couldn't parse head
Message body parser requires full, accurate copy of message
More information on this error..
no links found


Please make sure this email IS spam:
From: "Edwyn Ralph" (e-mail address removed) """BUT NOT MY ISP""" (hey)
------=_NextPart_000_0000_6C206C20.6C206C20
Content-Type: text/html;
View full message


Report Spam to:


Re:69.33.65.183 (Administrator of network where email originates)
To: (e-mail address removed) (Notes)
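
The core rule behind the header trace quoted above, as an added example that is not part of the original thread and is not SpamCop's code: only the Received line stamped by the recipient's own server is trusted, and every line below it is treated as sender-supplied. Treating dswu26 (the stamping host in both messages) as that trust boundary is an assumption, as are the names HOP, trace and is_private_literal; the redacted recipient is written as x.

```python
import ipaddress
import re

# Received lines from the two messages on this page, unfolded, newest first.
# The redacted recipient address is written as x.
MSG1 = [
    "from sbqaj.miudj.lvchzfp.eofqdi.kzt.dfjxcyizgioyogygn (actually host wbar2.sjo1-4-4-032-087.sjo1.dsl-verizon.net) by dswu26 with SMTP (XT-PP); Mon, 11 Aug 2003 06:41:30 +0100",
    "from sbqaj.miudj.lvchzfp.eofqdi.kzt.dfjxcyizgioyogygn by 4b67ke.sbqaj.miudj.lvchzfp.eofqdi.kzt.dfjxcyizgioyogygn with SMTP for x; Sun, 10 Aug 2003 23:37:27 -0700",
]
MSG2 = [
    "from 192.168.254.31 (actually host ip-69-33-65-183.chi.megapath.net) by dswu26 with SMTP (XT-PP); Sun, 10 Aug 2003 20:07:42 +0100",
    "from triad.rr.com ([138.138.138.138]) by triad.rr.com (8.9.3/8.9.3) with SMTP id 27680 for <x>; Sun, 10 Aug 2003 15:08:27 -0400",
]

# "from <HELO name> [(actually host <name seen by the receiver>)] by <stamping host>"
HOP = re.compile(r"^from\s+(\S+)(?:\s+\((?:actually host\s+)?([^)]+)\))?\s+by\s+(\S+)")

def is_private_literal(name):
    """True if the HELO name is an IP literal in private address space."""
    try:
        return ipaddress.ip_address(name.strip("[]")).is_private
    except ValueError:
        return False

def trace(received, trusted_mta):
    """Find the host that handed the mail to our MTA; list hops we cannot verify."""
    result = {"origin": None, "helo": None, "flags": [], "unverified": []}
    trusted = True  # only the unbroken run of our own stamps at the top counts
    for line in received:
        m = HOP.match(line)
        helo, seen, by = m.groups() if m else (None, None, None)
        if trusted and by == trusted_mta and seen:
            result.update(origin=seen, helo=helo, flags=[])
            if is_private_literal(helo):
                result["flags"].append("HELO is a private IP literal")
            elif helo.lower() != seen.lower():
                result["flags"].append("HELO does not match connecting host")
        else:
            trusted = False  # written by a machine we do not control
            result["unverified"].append(by or "<unparsed>")
    return result

if __name__ == "__main__":
    for msg in (MSG1, MSG2):
        print(trace(msg, "dswu26"))  # dswu26: assumed to be the recipient's own MTA
```
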
 
mzlindyone

They faked the from, and reply to, addresses .. not uncommon in Spam.
Obviously you can't do this via a decent ISP's SMTP server,

Of course you can. Check your e-mail.... :)

Carol
 
