Solved

Help in analyzing a junk email solicited

Posted on 2011-04-24
824 Views
Last Modified: 2012-06-27
Hello everybody and Happy Easter.

I need to ask for help. A customer of mine (and many people he knows, as well as myself) is getting spam, the "typical" junk with just a link in the email. His email address is always shown as the sender address.

I have tested his machine (XP SP3); MS Security Essentials, MalwareBytes and SuperAntiSpyware say the machine is clean. My machine (W7 SP1) is clean by the same tests as well and naturally we have never clicked on any of the links. We both use the Mozilla Thunderbird email client version 3.1.9.

I am not a networking guy beyond the basics and cannot decipher what IP address (and email account?) the mails are originating from.

So I add the source of the mail in text format following this post, hoping for help.

Thank you in advance. Eike
--------------------
From - Sun Apr 24 17:33:24 2011
X-Account-Key: account1
X-UIDL: AE1Vk0UAALNjTbSjvAciIUDMnwI
X-Mozilla-Status: 0011
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
X-Apparently-To: ejheinze@att.net via 69.147.85.77; Sun, 24 Apr 2011 15:27:07 -0700
X-YahooFilteredBulk: 209.191.85.55
Received-SPF: none (mta1010.sbc.mail.sp1.yahoo.com: domain of larry.koltz@yahoo.com does not designate permitted sender hosts)
X-YMailISG: RdRa0BYcZAqbZj3HW9bLq4Km65VL2O9BWxaNuJ_lIzOODqo2
 kJ7pz8VryVsRT4NWx7lCLMz3ggFNGIgAuM5B59lnJCGiDFPrnReMVSvi5nja
 hFLFXUizkMdb4CCG9vvW28lYeMpGJuIfhYRB5mrF2_xgukFxHmsv.lBP79h7
 dP2rHtPkLs6DKrp8GmZjO.uIPcVNF9i_xbDZDXybkj.w8mXoZFodQ4jEvHGe
 3pNw5nWZzyFd5BsZaJ2HIX3FyIyh9TXqGRzVhmuapeFluhC_T2Sl0Ool32rK
 DKT0Fh033tQB4y8WYQWGuCjAI4Kt0LaUoptu8C8lsdy6_xYvmsl_O0kRpd3u
 Ed72JuDdZhmCxFwAsEx905ln8Z5Q.E3eaAdPDsGI2QMNhZ6Pt9cNTL7t_OI4
 MtK_F2cbmkXoXW4mkyGXuTVaShHPpt_vzx9Z151NpUqwTLKl0qH9Q4YxBRSA
 fe6w2LgYgcoTKC1anr6AAxNYcgD42lU-
X-Originating-IP: [209.191.85.55]
Authentication-Results: mta1010.sbc.mail.sp1.yahoo.com  from=yahoo.com; domainkeys=pass (ok);  from=yahoo.com; dkim=pass (ok)
Received: from 204.127.208.84  (EHLO sccwmxc04.att.net) (204.127.208.84)
  by mta1010.sbc.mail.sp1.yahoo.com with SMTP; Sun, 24 Apr 2011 15:27:07 -0700
Received: from web36804.mail.mud.yahoo.com ([209.191.85.55])
          by att.net (sccwmxc04) with SMTP
          id <20110424222706s0400io4a9e>; Sun, 24 Apr 2011 22:27:06 +0000
X-Originating-IP: [209.191.85.55]
Received: (qmail 56903 invoked by uid 60001); 24 Apr 2011 22:27:06 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1303684026; bh=kttlTHIdys+9glH7u/CJvEoeaz4sdgMOQ7JdchLHNn4=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=5qrRbIa6DnuzEtGxESfeMoJDArJjmXPIj9sH1OoI4cxySd4CnsfBLOLnFzzRU2Qzn045rysa4tvGGH2VSL7Hc1wMkJ4x5GHtRA+TQLwO8KjFfSl/OZrfTEQi/ZXePRSt+6mnhsKywciaQ5gZLCCd15h3zTxt8rXoPYKDbtBtS5E=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
  b=HCIFby5B4UyMrguPNZHAv01REMXtbHcCyKoYhR09f/JZMjg00O5gn+Xx8R24pMCNmnf/Jt12K73s5XcHWaWuqBHvyEVc3QZNE9AMIVALWDdzeX/aMmNNY0PQbn0iOz0p2MpUTtdcusIgStCQU71sbIhJS35BPybgziuLVM+CQKA=;
Message-ID: <313269.28423.qm@web36804.mail.mud.yahoo.com>
X-YMail-OSG: L5nbghUVM1kiRBeQmswrxy5WDB66KCSXSzrsBLZvYwsNePr
 Wac490KMY2CXbwoD0hUE4zk2v9tm9pIbliwdyLJ_597EOBHtW_Hi64Uju_N2
 9Y_58pyVudFrho1T02_m_BZimFsMGTpY5TXrKIu8iMuk6P7wsPTPPe6JvqSG
 0QKAk0615cOYDcpUVRkZtfeyCmn1e8yLRqBAL8rVAmWHPgOIxXbFTxiXW4ba
 o65AhoiFaLtsnm5UHDQBWvdQz_6OuGIbB2gLtm5FRMgVYfdlFbjmpM3Et_XB
 pcjUEZsDFkFzEEY2dodMNQDt9yn3whdmQCSij4l5pdcIgXfFWw_NPnacUiNf
 E1LF1_ooEf.suyVBL
Received: from [202.128.5.98] by web36804.mail.mud.yahoo.com via HTTP; Sun, 24 Apr 2011 15:27:06 PDT
X-Mailer: YahooMailWebService/0.8.110.299900
Date: Sun, 24 Apr 2011 15:27:06 -0700 (PDT)
From: Larry Koltz <larry.koltz@yahoo.com>
Subject: Re:4
To: dean@outdoornews.com, dirtybob47@gmail.com, editor@lakelandtimes.com,
  ejheinze@att.net, erica.lake@imail.org, jjflickenger@hotmail.com,
  furrie@wi.rr.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

http://lamaisonenchantee.fr/cool01.11.php?SID=326       --- Do NOT click this link!

--------------------------
Question by:eikelein
8 Comments
LVL 99

Expert Comment

by:John Hurst
ID: 35457441
It is an exceedingly common spam trick to forge the from so as to be from the sender. I see this all the time in my spam quarantine.

So long as your mail server is not an open relay, and so long as your email clients have not been compromised with malware, then really all you can do is check your spam filtering rules and try to exclude spam based on its characteristics (more of an art than a science). ... Thinkpads_User
LVL 1

Author Comment

by:eikelein
ID: 35457476
Thank you thinkpads_user.
I am sorry but I knew all this; I am just trying to help a customer to maybe stop what he perceives almost as a personal assault.
But again, thanks.
LVL 99

Assisted Solution

by:John Hurst
John Hurst earned 400 total points
ID: 35457480
By the way, you can use Smart Whois or a similar tool to trace IP addresses.

209.191.85.55 is Yahoo!
202.128.5.98 is a more likely candidate. It is registered to Kuentos Communications, Inc. in Guam.

.. Thinkpads_User
LVL 99

Expert Comment

by:John Hurst
ID: 35457490
My email is by now very well filtered and I see very little spam. Accordingly, I do not trace much spam any more. However, a decent approach (and one you can use here I think) is to look at the IP farthest down. In many cases, this is where the spam is coming from. ... Thinkpads_User
LVL 84

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 600 total points
ID: 35457543
It looks to me like someone has guessed his Yahoo password and now has access to his account and they are sending spam out as though it were him.  Has his password been changed yet?
LVL 1

Author Comment

by:eikelein
ID: 35457555
@thinkpads_user: Thanks for the comment with the translated IP addresses; that certainly may become helpful. And the tip with the IP furthest down, THAT is the kind of tips I was hoping for.

@DaveBaldwin: THANK YOU Dave.  I am biting my hinders that I didn't think of that... You are a contender for at least some of the points.
LVL 65

Accepted Solution

by:btan
btan earned 1000 total points
ID: 35481354
Typically the source of the email comes from the "Received: from" line, and in this case it is 202.128.5.98, which is another ISP (Kuentos Communications in Guam).

http://www.robtex.com/ip/202.128.5.98.html

It doesn't look so likely that your customer has any dealings in that area (I suppose). Having said that, spam would forge "Received:" lines, intended to throw you off the trail. But the last one is normally the source.

Some sharing
- The "X-Apparently-To:" header line was added by 'mta1010.sbc.mail.sp1.yahoo.com' to identify the SMTP "RCPT TO:" email address.
- The "X-YahooFilteredBulk:" header line was added by Yahoo! SpamGuard to tag this email as matching specific tests for spam.
- The "X-Originating-IP:" immediately below was added by 'mta1010.sbc.mail.sp1.yahoo.com' to identify the source IP address.

But to make it simple, just paste the header chunk into this link and it will tell you more in organised fashion
@ http://www.iptrackeronline.com/header.php
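The three pieces of advice in this thread (read the Received: chain from the bottom up, note that the bottom hop says "via HTTP", and check whether the provider's own signature passes) can be applied mechanically. The script below is an added example, not code from the thread or from any tool named in it. It runs offline on the header block posted in the question (the mbox "From -" line, the X-Mozilla-*, X-YMailISG, X-YMail-OSG, DKIM-Signature and DomainKey-Signature headers and the body are left out), using Python's standard email parser and a deliberately simple regular expression for Received: lines that is an assumption of this example and will not cover every MTA's wording.

```python
import email
import re

# Header block taken from the message posted in the question above.  The mbox
# "From -" line, the X-Mozilla-*, X-YMailISG, X-YMail-OSG, DKIM-Signature and
# DomainKey-Signature headers and the body are left out; nothing else is changed.
RAW_HEADERS = """\
X-Apparently-To: ejheinze@att.net via 69.147.85.77; Sun, 24 Apr 2011 15:27:07 -0700
X-YahooFilteredBulk: 209.191.85.55
Received-SPF: none (mta1010.sbc.mail.sp1.yahoo.com: domain of larry.koltz@yahoo.com does not designate permitted sender hosts)
X-Originating-IP: [209.191.85.55]
Authentication-Results: mta1010.sbc.mail.sp1.yahoo.com  from=yahoo.com; domainkeys=pass (ok);  from=yahoo.com; dkim=pass (ok)
Received: from 204.127.208.84  (EHLO sccwmxc04.att.net) (204.127.208.84)
  by mta1010.sbc.mail.sp1.yahoo.com with SMTP; Sun, 24 Apr 2011 15:27:07 -0700
Received: from web36804.mail.mud.yahoo.com ([209.191.85.55])
          by att.net (sccwmxc04) with SMTP
          id <20110424222706s0400io4a9e>; Sun, 24 Apr 2011 22:27:06 +0000
X-Originating-IP: [209.191.85.55]
Received: (qmail 56903 invoked by uid 60001); 24 Apr 2011 22:27:06 -0000
Message-ID: <313269.28423.qm@web36804.mail.mud.yahoo.com>
Received: from [202.128.5.98] by web36804.mail.mud.yahoo.com via HTTP; Sun, 24 Apr 2011 15:27:06 PDT
X-Mailer: YahooMailWebService/0.8.110.299900
Date: Sun, 24 Apr 2011 15:27:06 -0700 (PDT)
From: Larry Koltz <larry.koltz@yahoo.com>
Subject: Re:4
To: dean@outdoornews.com, dirtybob47@gmail.com, editor@lakelandtimes.com,
  ejheinze@att.net, erica.lake@imail.org, jjflickenger@hotmail.com,
  furrie@wi.rr.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(value):
    """Pull the peer IP, the receiving host and any 'via' protocol out of one
    Received: header.  Returns None for a local hand-off such as
    '(qmail ... invoked by uid ...)' that names no 'from ... by ...' pair.
    The regular expression is a simplification for this example."""
    v = " ".join(value.split())          # unfold continuation lines, squeeze spaces
    m = re.search(r"\bfrom\s+(.+?)\s+by\s+(\S+)", v)
    if not m:
        return None
    ip = IPV4.search(m.group(1))
    via = re.search(r"\bvia\s+([^\s;]+)", v)
    return {"from_ip": ip.group(1) if ip else None,
            "by": m.group(2),
            "via": via.group(1) if via else None,
            "raw": v}


def trace_origin(raw_message):
    """Walk the Received: chain bottom-up and summarise where the message
    entered the mail system and what the receiving provider verified."""
    msg = email.message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    if not hops:
        raise ValueError("no usable Received: headers")
    # Every relay prepends its own Received: line, so the LAST one in the
    # message is the FIRST hop: the client that handed the mail to a server.
    hops.reverse()
    origin = hops[0]
    auth = " ".join(msg.get("Authentication-Results", "").split())
    spf = " ".join(msg.get("Received-SPF", "").split())
    return {"origin_ip": origin["from_ip"],
            "origin_via": origin["via"],
            "submitted_to": origin["by"],
            "dkim_pass": "dkim=pass" in auth,
            "spf_result": spf.split(" ", 1)[0] if spf else None,
            "hops": [(h["from_ip"], h["by"]) for h in hops]}


def assess(result):
    """One-line reading of the trace, phrased the way an analyst would."""
    if result["origin_via"] == "HTTP" and result["dkim_pass"]:
        return ("submitted through the webmail interface of %s from %s and "
                "DKIM-signed by the provider: the message really left this "
                "account, so suspect account compromise rather than simple "
                "From: forgery" % (result["submitted_to"], result["origin_ip"]))
    if result["dkim_pass"]:
        return ("DKIM passes for the sending domain; origin %s handed the "
                "message to %s" % (result["origin_ip"], result["submitted_to"]))
    return ("no provider signature: the From: address is unverified and may be "
            "forged; origin IP %s is the only lead" % result["origin_ip"])


if __name__ == "__main__":
    r = trace_origin(RAW_HEADERS)
    for ip, by in r["hops"]:
        print("%-16s -> %s" % (ip or "(local)", by))
    print("origin:", r["origin_ip"], "via", r["origin_via"])
    print("spf:", r["spf_result"], "dkim pass:", r["dkim_pass"])
    print(assess(r))
```

Two caveats when reading the output. First, a sender can write any Received: lines it likes below the lowest one added by a server you trust; here the bottom line was written by Yahoo's own webmail host (web36804.mail.mud.yahoo.com), so 202.128.5.98 is as trustworthy as Yahoo's logging, and "via HTTP" means a browser logged in to the mailbox from that address. Second, X-Originating-IP in this message is 209.191.85.55, which John Hurst already identified as Yahoo's server, so it points at the infrastructure, not the sender; the Received: chain is what gives the real origin.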
LVL 1

Author Closing Comment

by:eikelein
ID: 35481859
Wow breadtan! Thank you! That was the kind of info I was looking for.