Help in analyzing a junk email solicited

Posted on 2011-04-24
Last Modified: 2012-06-27
Hello everybody and Happy Easter.

I need to ask for help. A customer of mine (and many people he knows, as well as myself) is getting spam, the "typical" junk with just a link in the email. His email address is always shown as the sender address.

I have tested his machine (XP SP3); MS Security Essentials, MalwareBytes and SuperAntiSpyware say the machine is clean. My machine (W7 SP1) is clean by the same tests as well and naturally we have never clicked on any of the links. We both use the Mozilla Thunderbird email client version 3.1.9.

I am not a networking guy beyond the basics and cannot decipher what IP address (and email account?) the mails are originating from.

So I add the source of the mail in text format following this post hoping for help.

Thank you in advance. Eike
From - Sun Apr 24 17:33:24 2011
X-Account-Key: account1
X-Mozilla-Status: 0011
X-Mozilla-Status2: 00000000
X-Apparently-To: via; Sun, 24 Apr 2011 15:27:07 -0700
Received-SPF: none ( domain of does not designate permitted sender hosts)
X-YMailISG: RdRa0BYcZAqbZj3HW9bLq4Km65VL2O9BWxaNuJ_lIzOODqo2
X-Originating-IP: []
Authentication-Results:; domainkeys=pass (ok);; dkim=pass (ok)
Received: from  (EHLO (
  by with SMTP; Sun, 24 Apr 2011 15:27:07 -0700
Received: from ([])
          by (sccwmxc04) with SMTP
          id <20110424222706s0400io4a9e>; Sun, 24 Apr 2011 22:27:06 +0000
X-Originating-IP: []
Received: (qmail 56903 invoked by uid 60001); 24 Apr 2011 22:27:06 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=s1024; t=1303684026; bh=kttlTHIdys+9glH7u/CJvEoeaz4sdgMOQ7JdchLHNn4=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=5qrRbIa6DnuzEtGxESfeMoJDArJjmXPIj9sH1OoI4cxySd4CnsfBLOLnFzzRU2Qzn045rysa4tvGGH2VSL7Hc1wMkJ4x5GHtRA+TQLwO8KjFfSl/OZrfTEQi/ZXePRSt+6mnhsKywciaQ5gZLCCd15h3zTxt8rXoPYKDbtBtS5E=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
Message-ID: <>
X-YMail-OSG: L5nbghUVM1kiRBeQmswrxy5WDB66KCSXSzrsBLZvYwsNePr
Received: from [] by via HTTP; Sun, 24 Apr 2011 15:27:06 PDT
X-Mailer: YahooMailWebService/
Date: Sun, 24 Apr 2011 15:27:06 -0700 (PDT)
From: Larry Koltz <>
Subject: Re:4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii       --- Do NOT click this link!

Question by: eikelein

Expert Comment by: John Hurst
It is an exceedingly common spam trick to forge the From: so as to be from the sender. I see this all the time in my spam quarantine.

So long as your mail server is not an open relay, and so long as your email clients have not been compromised with malware, then really all you can do is check your spam filtering rules and try to exclude spam based on its characteristics (more of an art than a science). ... Thinkpads_User
Author Comment
    Thank you thinkpads_user.
    I am sorry but I knew all this; I am just trying to help a customer to maybe stop what he perceives almost as a personal assault.
    But again, thanks.
Assisted Solution by: John Hurst
By the way, you can use Smart Whois or a similar tool to trace IP addresses. is Yahoo! is a more likely candidate. It is registered to Kuentos Communications, Inc. in Guam.

    .. Thinkpads_User
Expert Comment by: John Hurst
    My email is by now very well filtered and I see very little spam. Accordingly, I do not trace much spam any more. However, a decent approach (and one you can use here I think) is to look at the IP farthest down. In many cases, this is where the spam is coming from. ... Thinkpads_User
Assisted Solution by: Dave Baldwin
    It looks to me like someone has guessed his Yahoo password and now has access to his account and they are sending spam out as though it were him.  Has his password been changed yet?
Author Comment
@thinkpads_user: Thanks for the comment with the translated IP addresses; that certainly may become helpful. And the tip about the IP furthest down, THAT is the kind of tip I was hoping for.

    @DaveBaldwin: THANK YOU Dave.  I am biting my hinders that I didn't think of that... You are a contender for at least some of the points.
Accepted Solution by: breadtan
Typically the source of the email comes from the "Received: from" line, and in this case it is which is another ISP ( Kuentos Communication in Guam).

It doesn't look so likely that your customer has any dealings in that area (I suppose). Having said that, spam can carry forged "Received:" lines intended to throw you off the trail. But the last one is normally the source.

Some sharing:
    - The "X-Apparently-To:" header line was added by '' to identify the SMTP "RCPT TO:" email address.
    - The "X-YahooFilteredBulk:" header line was added by Yahoo! SpamGuard to tag this email as matching specific tests for spam.
    - The "X-Originating-IP:" immediately below was added by '' to identify the source IP address.

But to make it simple, just paste the header chunk into this link and it will tell you more in an organised fashion.
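The bottom-up walk of the "Received:" chain that Thinkpads_User and breadtan describe, combined with a DKIM/From: alignment check that bears on Dave Baldwin's stolen-password theory, as an added example in Python (not code from the thread or from any of the posters). Because the headers pasted above have their addresses stripped, the two messages embedded in the script are constructed stand-ins using documentation domains and IP ranges; `received_hops`, `probable_origin` and the "compromised-account" / "authenticated" / "forged" labels are names I chose for the example.

```python
"""Find the probable injection point of a spam message from its headers.

Added example, not code from the thread. It implements the heuristics the
answers give: walk the Received: chain from the bottom (earliest hop) upwards,
then use the DKIM result to tell a forged From: from a message genuinely
submitted through the sender's own account. All data below is constructed.
"""
import email
import ipaddress
import re
from email import policy

_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Ranges that cannot be an external origin: RFC 1918, loopback, link-local.
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed stand-in for the thread's address-stripped webmail headers.
WEBMAIL_SAMPLE = """\
X-Apparently-To: victim@example.net via 203.0.113.20; Sun, 24 Apr 2011 15:27:07 -0700
Received-SPF: none (mta1.example.net: domain of customer@example.net does not designate permitted sender hosts)
Authentication-Results: mta1.example.net from=example.net; domainkeys=pass (ok); from=example.net; dkim=pass (ok)
Received: from 198.51.100.4 (EHLO relay.isp-example.com) (198.51.100.4)
  by mta1.example.net with SMTP; Sun, 24 Apr 2011 15:27:07 -0700
Received: from web121.mail.example.net ([198.51.100.25])
          by relay.isp-example.com (relay01) with SMTP
          id <constructed-id>; Sun, 24 Apr 2011 22:27:06 +0000
Received: (qmail 56903 invoked by uid 60001); 24 Apr 2011 22:27:06 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.net; s=s1024;
 h=Message-ID:Date:From:Subject:To; bh=CONSTRUCTED; b=CONSTRUCTED
Received: from [192.0.2.77] by web121.mail.example.net via HTTP; Sun, 24 Apr 2011 15:27:06 PDT
From: Larry Koltz <customer@example.net>
Subject: Re:4
"""

# Constructed forged case: direct SMTP injection, no DKIM signature at all.
FORGED_SAMPLE = """\
Received: from mx.example.org (mx.example.org [198.51.100.9])
  by mta1.example.net with ESMTP; Mon, 25 Apr 2011 03:10:00 -0700
Received: from unknown (HELO customer-pc) (203.0.113.88)
  by mx.example.org with SMTP; Mon, 25 Apr 2011 03:09:58 -0700
From: Larry Koltz <customer@example.net>
Subject: Re:4
"""


def _external_ips(text):
    """Dotted quads in a header value, minus private ranges and non-addresses."""
    found = []
    for candidate in _IPV4.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 300.1.1.1 matches the loose regex
            continue
        if not any(addr in net for net in _INTERNAL):
            found.append(candidate)
    return found


def received_hops(raw):
    """Received: lines in chronological order, i.e. the bottom-most line first."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [{"line": str(v), "ips": _external_ips(str(v)), "webmail": "via HTTP" in str(v)}
            for v in reversed(msg.get_all("Received", []))]


def _dkim_domain(msg):
    """d= tag of the DKIM-Signature header, or '' when the message is unsigned."""
    tags = {}
    for tag in str(msg.get("DKIM-Signature", "")).split(";"):
        if "=" in tag:
            key, val = tag.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags.get("d", "").lower()


def probable_origin(raw):
    """Earliest external hop plus a verdict on whether From: was forged."""
    msg = email.message_from_string(raw, policy=policy.default)
    first = next((h for h in received_hops(raw) if h["ips"]), None)
    from_hdr = msg.get("From")
    from_domain = from_hdr.addresses[0].domain.lower() if from_hdr and from_hdr.addresses else ""
    auth = " ".join(str(v) for v in msg.get_all("Authentication-Results", []))
    # A DKIM pass alone is not enough: the signing domain must match the From: domain.
    dkim_aligned = from_domain != "" and "dkim=pass" in auth and _dkim_domain(msg) == from_domain
    if dkim_aligned and first and first["webmail"]:
        kind = "compromised-account"  # a webmail login from origin_ip sent it
    elif dkim_aligned:
        kind = "authenticated"        # relayed through the From: domain's own MTAs
    else:
        kind = "forged"               # nothing ties the mail to the From: domain
    return {"origin_ip": first["ips"][0] if first else None,
            "webmail": bool(first and first["webmail"]), "dkim_aligned": dkim_aligned, "kind": kind}


if __name__ == "__main__":
    for name, raw in (("webmail", WEBMAIL_SAMPLE), ("forged", FORGED_SAMPLE)):
        print(name, probable_origin(raw))
```

Run it as a script to see both verdicts. The caveat that breadtan's answer also makes applies to the code: only the "Received:" lines added by servers you trust are reliable, and anything below the first hop outside your own provider can be forged, so a bottom-most line naming some random host is a lead, not proof. A DKIM pass whose d= tag matches the From: domain, paired with a "via HTTP" hop from the provider's own webmail, is much harder to fake, and that combination is what makes the stolen-password explanation the likely one for headers shaped like the ones above.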
Author Closing Comment
    Wow breadtan! Thank you! That was the kind of info I was looking for.
