spam problem, being spammed by thebat user
 
My apologies to all for bothering anyone, but I've been getting weird, vulgar gibberish spam messages for months, and forwarding each one to my ISP tech dept to block, but they keep coming. I finally used MailWasher to check the full header plus the typically broken message on what seems to be another one today, and it is as follows (I replaced my actual email address prefix by [DELETED] for privacy):

Return-path: <akstcaustraliamnsdgs@australia.edu>
Envelope-to: DELETED@ruraltel.net
Received: from mail3.ruraltel.net ([24.225.0.36])
by atmail with smtp (Exim 4.60)
(envelope-from <akstcaustraliamnsdgs@australia.edu>)
id 1GfZ4S-0007tV-G1
for DELETED@ruraltel.net; Thu, 02 Nov 2006 03:41:12 -0600
X-Spam-Score: 2.4
X-Spam-Flag: NO
X-Spam-Level: **
X-Spam-Status: No, hits=2.4 required=4.0
X-Spam-Processed-By: spamd3.ruraltel.net
X-Spam-Report: 2.4 points, 4.0 required
*  2.4 DATE_IN_FUTURE_96_XX Date: is 96 hours or more after Received: date
*  0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
*      [score: 0.4555]
Received: from amazonas-4642.adsl.datanet.hu (HELO Krissz) (91.120.114.70)
 by mail3.ruraltel.net with SMTP; 2 Nov 2006 09:41:11 -0000
Received-SPF: none (mail3.ruraltel.net: domain at australia.edu does not designate permitted sender hosts)
Received: from 216.15.179.130 (HELO gold.internet-media.net)
    by ruraltel.net with esmtp (S113MYCUH3A BIN2O)
    id 9NBUHG-216973-B2
    for svferg@ruraltel.net; Thu, 2 Dec 2006 09:41:12 -0060
Date: Thu, 2 Dec 2006 09:41:12 -0060
From: "Rachel Newell" <akstcaustraliamnsdgs@australia.edu>
X-Mailer: The Bat! (v2.00.9) Educational
X-Priority: 3 (Normal)
Message-ID: <481698102.91985773155631@thebat.net>
To: svferg@ruraltel.net
Subject: nose-leafed mosaic binding
MIME-Version: 1.0
Content-Type: text/plain;
 charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
X-Spam: Not detected

elizabeth almost stared at her. "can this be mr. darcy?" thought=20=
she."that is to say, you had given your permission. i guessed as much."=20=
and though he exclaimed at

END QUOTE.

Please notice it contains a line that starts:
X-Mailer: The Bat!

which is what brought me here. I've heard of viruses that can hijack innocent users' machines to do stuff like this, even substituting false headers for real ones somehow. I'm seeking responses from anyone who thinks they can help figure out what is going on here. Perhaps someone just needs to be informed their pc has been hijacked? If I get any more, I will see if they also contain a thebat line.

My personal email contact for this forum is through SNEAKEMAIL, which is a legitimate paid anti-spam virtual email service, but the spammer seems to be targeting my actual home email address.

Regards,

'thebatnut'
 
Hi again everyone,

I see there've been a few hits on this post. Active stalking is always an interesting subject. There seems to be no 'thebat' line in this one, but I thought people might like to see the apparent results of my post here, because for the first time in months of daily or bi-daily spam/stalker emails to me, the sender has shown open animosity. I would surmise that it was somehow brought to the attention of the sender that I posted here, possibly by someone at 'thebat' tracing him by the info I posted here, and cutting off his 'thebat' account. Just a guess. Anyways, I've put the usual [DELETED] in my actual home email line, and I will add that the sender has also for the first time indicated that he actually knows I subscribe to musician literature, that I am older, and that I am retired, and has added a thinly veiled threat with the words 'you, an aging amateur musician drawn from retirement to risk his life' (meaning me). Oh, now I am 'risking my life', am I? Apparently, the stalker did not like having his 'thebat' account header info posted here and possibly cut off. Getting a little creepy here.

Notice also his weird, offensive use of a misspelled 'viagra' reference, possibly not spelled right to get past spam filters.

I thank the admin for letting me post this here, as the best treatment for this kind of weirdness seems to be a good public airing.

Regards to all,

'thebatnut'

Full email header and spam/stalker message follows:

Subject: Re: tip 328
From: "Jaswinder Pettiford" <besseylumusi@agsprint.com>
Date: Sat, 4 Nov 2006 03:04:46 -0800
To: DELETED@ruraltel.net
Return-path: <besseylumusi@agsprint.com>
Envelope-to: DELETED@ruraltel.net
Received: from mail2.ruraltel.net ([24.225.0.35]) by atmail with smtp (Exim 4.60) (envelope-from <besseylumusi@agsprint.com>) id 1GgJKy-0007UA-Nw for DELETED@ruraltel.net; Sat, 04 Nov 2006 05:05:20 -0600
X-Spam-Score: 3.9
X-Spam-Flag: NO
X-Spam-Level: ***
X-Spam-Status: No, hits=3.9 required=4.0
X-Spam-Processed-By: spamd2.ruraltel.net
X-Spam-Report: 3.9 points, 4.0 required
*  1.6 URIBL_SBL Contains an URL listed in the SBL blocklist
*      [URIs: kasedunhyuietionde.com]
*  2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
*  0.1 FORGED_RCVD_HELO Received: contains a forged HELO
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
*      [score: 0.4880]
*  0.0 HTML_70_80 BODY: Message is 70% to 80% HTML
Received: from amontpellier-156-1-90-187.w83-205.abo.wanadoo.fr (HELO agsprint.com) (83.205.209.187) by mail2.ruraltel.net with SMTP; 4 Nov 2006 11:05:19 -0000
Received-SPF: none (mail2.ruraltel.net: domain at agsprint.com does not designate permitted sender hosts)
Message-ID: <000001c70001$09b4a730$6b9ea8c0@zwifand>
Reply-To: "Jaswinder Pettiford" <besseylumusi@agsprint.com>
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Antivirus: avast! (VPS 0645-4, 03/11/2006), Outbound message
X-Antivirus-Status: Clean
X-Antivirus: AVG for E-mail 7.1.409 [268.13.27/517]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=======AVGMAIL-454CB0F66FA0======="

Hi,
VljlAGRA $ 3, 35 http://www.kasedunhyuietionde.com


you, an aging amateur musician drawn from retirement to risk his life



No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.409 / Virus Database: 268.13.27/517 - Release Date: 11/3/2006
 
Quote
Date: Thu, 2 Dec 2006 09:41:12 -0060
From: "Rachel Newell" <akstcaustraliamnsdgs@australia.edu>
X-Mailer: The Bat! (v2.00.9) Educational
X-Priority: 3 (Normal)
Message-ID: <481698102.91985773155631@thebat.net>

I see that you'd like a reaction.
The headers of the first spam message are faked; it's clearly not a TB message-id. TB's message-ids are built like this: randomnumber.yyyymmddmmss@domain (with the first double m being the month and the second double m being the minutes of the date/time of message creation). As you can see, the message-id doesn't match that pattern, so you can assume that the message was created by something other than TB.
In case you're interested: yes, there are spam tools that create messages with faked message headers; not only the From address can be faked, but a lot of the other headers can be faked too.

Blaming Ritlabs or TB for the first message is as useless as blaming Microsoft and OE for the second. My guess is that OE isn't used for the second message either, as it's not very suited to real spam, nor do I think it very likely that AVG and avast are using the same custom header in the same message.

The only remotely useful headers for tracking a message to its source are the Received: headers, and you neglected to mention those.

Apart from that, this whole subject is rather off topic here, as this forum is intended for user-to-user support for configuring The Bat!
__________________________________
I'm just a user of The Bat! I don't work for Ritlabs.
 
Got the message, and it was not my intention to cast thebat in an ill-light.

So, the Received: headers are where to look? I didn't show those? I'll see if I can find that, possibly with MailWasher, and figure it out, possibly with the help of DiamondCS Port Explorer, and check into that, and I'll stop posting to this thread.

Thank you.
 
Highlighting the message and pressing F9 gets the headers, which looks like what you did.

Then, from the message body, start reading upward until you come to an IP address:

Received: from 216.15.179.130 (HELO gold.internet-media.net)

...and that IP does belong to intermedia.net. Many spammers will try to hide it, but the IP tells, unless you have someone REALLY good with DNS that can spoof where it is coming from (be nice when you contact them; they may be being abused also). This is not the full story of how to follow headers. Your best bet might be to copy the message from the F9 screen and paste it into the "report spam" area at Spamcop:
http://www.spamcop.net/
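As an added example (not part of the thread), here is a small Python script that applies the advice above to the first header quoted in this thread: it lists the Received: hops bottom-up, checks that each hop's "by" host is the "from" host of the hop above it (so you can see where the lines stamped by your own ISP's servers end and lines supplied by the sender begin), flags timezone offsets no real clock produces, and computes the Date-in-future skew that SpamAssassin scored. The header text is re-folded from the page; the regexes and function names are my own.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the Received:/Date: lines of the first message quoted in the
# thread, re-folded so continuation lines are indented as RFC 5322 requires.
RAW = """\
Received: from mail3.ruraltel.net ([24.225.0.36])
 by atmail with smtp (Exim 4.60) id 1GfZ4S-0007tV-G1
 for DELETED@ruraltel.net; Thu, 02 Nov 2006 03:41:12 -0600
Received: from amazonas-4642.adsl.datanet.hu (HELO Krissz) (91.120.114.70)
 by mail3.ruraltel.net with SMTP; 2 Nov 2006 09:41:11 -0000
Received: from 216.15.179.130 (HELO gold.internet-media.net)
 by ruraltel.net with esmtp (S113MYCUH3A BIN2O) id 9NBUHG-216973-B2
 for svferg@ruraltel.net; Thu, 2 Dec 2006 09:41:12 -0060
Date: Thu, 2 Dec 2006 09:41:12 -0060

"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
TZ_RE = re.compile(r"[+-](\d{2})(\d{2})\s*$")

def received_hops(raw):
    """Received: hops bottom-up, the order the post says to read them in."""
    hops = []
    for h in reversed(message_from_string(raw).get_all("Received", [])):
        h = " ".join(h.split())  # unfold the header onto one line
        frm = re.search(r"(?:^|\s)from\s+(\S+)", h)
        by = re.search(r"\sby\s+(\S+)", h)
        ip = IP_RE.search(h)
        hops.append({"from": frm and frm.group(1).lower(), "by": by and by.group(1).lower(),
                     "ip": ip and ip.group(1), "stamp": h.rsplit(";", 1)[-1].strip()})
    return hops

def chain_breaks(hops):
    """Hop indices whose 'by' host is not the 'from' host of the hop above them;
    everything below a break was written by the sender, not by a relay you trust."""
    return [i for i in range(len(hops) - 1) if hops[i]["by"] != hops[i + 1]["from"]]

def bad_tz(datestr):
    """True for a numeric zone no real clock produces (minutes > 59 or hours > 14)."""
    m = TZ_RE.search(datestr)
    return bool(m) and (int(m.group(2)) > 59 or int(m.group(1)) > 14)

def date_skew_hours(raw):
    """Hours by which Date: leads the timestamp your own server put on the top hop."""
    msg = message_from_string(raw)
    top = " ".join(msg.get_all("Received")[0].split()).rsplit(";", 1)[-1]
    return (parsedate_to_datetime(msg["Date"]) - parsedate_to_datetime(top)).total_seconds() / 3600
```

On this header the chain breaks at the bottom hop (its "by ruraltel.net" is never named as "from" by the hop above), the bottom hop and Date: both carry the impossible "-0060" zone, and Date: runs 721 hours ahead of the top Received:, which is the DATE_IN_FUTURE_96_XX hit in the spam report.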

