Help in analyzing a junk email solicited
eikelein asked:
Hello everybody and Happy Easter.
I need to ask for help. A customer of mine (and many people he knows, as well as myself) is getting spam, the "typical" junk with just a link in the email. His email address is always shown as the sender address.
I have tested his machine (XP SP3); MS Security Essentials, MalwareBytes and SuperAntiSpyware say the machine is clean. My machine (W7 SP1) is clean by the same tests as well, and naturally we have never clicked on any of the links. We both use the Mozilla Thunderbird email client, version 3.1.9.
I am not a networking guy beyond the basics and cannot decipher what IP address (and email account?) the mails are originating from.
So I add the source of the mail in text format following this post hoping for help.
Thank you in advance. Eike
--------------------
From - Sun Apr 24 17:33:24 2011
X-Account-Key: account1
X-UIDL: AE1Vk0UAALNjTbSjvAciIUDMnwI
X-Mozilla-Status: 0011
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
X-Apparently-To: ejheinze@att.net via 69.147.85.77; Sun, 24 Apr 2011 15:27:07 -0700
X-YahooFilteredBulk: 209.191.85.55
Received-SPF: none (mta1010.sbc.mail.sp1.yahoo.com: domain of larry.koltz@yahoo.com does not designate permitted sender hosts)
X-YMailISG: RdRa0BYcZAqbZj3HW9bLq4Km65VL2O9BWxaNuJ_lIzOODqo2
 kJ7pz8VryVsRT4NWx7lCLMz3ggFNGIgAuM5B59lnJCGiDFPrnReMVSvi5nja
 hFLFXUizkMdb4CCG9vvW28lYeMpGJuIfhYRB5mrF2_xgukFxHmsv.lBP79h7
 dP2rHtPkLs6DKrp8GmZjO.uIPcVNF9i_xbDZDXybkj.w8mXoZFodQ4jEvHGe
 3pNw5nWZzyFd5BsZaJ2HIX3FyIyh9TXqGRzVhmuapeFluhC_T2Sl0Ool32rK
 DKT0Fh033tQB4y8WYQWGuCjAI4Kt0LaUoptu8C8lsdy6_xYvmsl_O0kRpd3u
 Ed72JuDdZhmCxFwAsEx905ln8Z5Q.E3eaAdPDsGI2QMNhZ6Pt9cNTL7t_OI4
 MtK_F2cbmkXoXW4mkyGXuTVaShHPpt_vzx9Z151NpUqwTLKl0qH9Q4YxBRSA
 fe6w2LgYgcoTKC1anr6AAxNYcgD42lU-
X-Originating-IP: [209.191.85.55]
Authentication-Results: mta1010.sbc.mail.sp1.yahoo.com from=yahoo.com; domainkeys=pass (ok); from=yahoo.com; dkim=pass (ok)
Received: from 204.127.208.84 (EHLO sccwmxc04.att.net) (204.127.208.84)
 by mta1010.sbc.mail.sp1.yahoo.com with SMTP; Sun, 24 Apr 2011 15:27:07 -0700
Received: from web36804.mail.mud.yahoo.com ([209.191.85.55])
 by att.net (sccwmxc04) with SMTP
 id <20110424222706s0400io4a9e>; Sun, 24 Apr 2011 22:27:06 +0000
X-Originating-IP: [209.191.85.55]
Received: (qmail 56903 invoked by uid 60001); 24 Apr 2011 22:27:06 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1303684026; bh=kttlTHIdys+9glH7u/CJvEoeaz4sdgMOQ7JdchLHNn4=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=5qrRbIa6DnuzEtGxESfeMoJDArJjmXPIj9sH1OoI4cxySd4CnsfBLOLnFzzRU2Qzn045rysa4tvGGH2VSL7Hc1wMkJ4x5GHtRA+TQLwO8KjFfSl/OZrfTEQi/ZXePRSt+6mnhsKywciaQ5gZLCCd15h3zTxt8rXoPYKDbtBtS5E=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
 s=s1024; d=yahoo.com;
 h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
 b=HCIFby5B4UyMrguPNZHAv01REMXtbHcCyKoYhR09f/JZMjg00O5gn+Xx8R24pMCNmnf/Jt12K73s5XcHWaWuqBHvyEVc3QZNE9AMIVALWDdzeX/aMmNNY0PQbn0iOz0p2MpUTtdcusIgStCQU71sbIhJS35BPybgziuLVM+CQKA=;
Message-ID: <313269.28423.qm@web36804.mail.mud.yahoo.com>
X-YMail-OSG: L5nbghUVM1kiRBeQmswrxy5WDB66KCSXSzrsBLZvYwsNePr
 Wac490KMY2CXbwoD0hUE4zk2v9tm9pIbliwdyLJ_597EOBHtW_Hi64Uju_N2
 9Y_58pyVudFrho1T02_m_BZimFsMGTpY5TXrKIu8iMuk6P7wsPTPPe6JvqSG
 0QKAk0615cOYDcpUVRkZtfeyCmn1e8yLRqBAL8rVAmWHPgOIxXbFTxiXW4ba
 o65AhoiFaLtsnm5UHDQBWvdQz_6OuGIbB2gLtm5FRMgVYfdlFbjmpM3Et_XB
 pcjUEZsDFkFzEEY2dodMNQDt9yn3whdmQCSij4l5pdcIgXfFWw_NPnacUiNf
 E1LF1_ooEf.suyVBL
Received: from [202.128.5.98] by web36804.mail.mud.yahoo.com via HTTP; Sun, 24 Apr 2011 15:27:06 PDT
X-Mailer: YahooMailWebService/0.8.110.299900
Date: Sun, 24 Apr 2011 15:27:06 -0700 (PDT)
From: Larry Koltz <larry.koltz@yahoo.com>
Subject: Re:4
To: dean@outdoornews.com, dirtybob47@gmail.com, editor@lakelandtimes.com,
 ejheinze@att.net, erica.lake@imail.org, jjflickenger@hotmail.com,
 furrie@wi.rr.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
http://lamaisonenchantee.fr/cool01.11.php?SID=326 --- Do NOT click this link!
--------------------------
ASKER
Thank you thinkpads_user.
I am sorry but I knew all this; I am just trying to help a customer to maybe stop what he perceives almost as a personal assault.
But again, thanks.
SOLUTION
My email is by now very well filtered and I see very little spam. Accordingly, I do not trace much spam any more. However, a decent approach (and one you can use here I think) is to look at the IP farthest down. In many cases, this is where the spam is coming from. ... Thinkpads_User
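Thinkpads_User's tip (read the Received chain from the bottom up) can be automated. The script below is an added example written for this thread, not code from the original discussion or from any of the participants. It feeds a trimmed copy of the headers quoted in the question (a constructed sample; the spam link in the body is replaced by a placeholder) through Python's standard `email` parser, lists the hops in transit order, picks out the bottom-most IP, and summarizes the Received-SPF and Authentication-Results verdicts the receiving MTA recorded. The function names and the `RAW_MESSAGE` constant are my own.

```python
"""Walk the Received chain of a raw message bottom-up and summarize the
SPF/DKIM verdicts recorded by the receiving MTA."""
import re
from email import message_from_string

# Constructed sample: a trimmed copy of the headers quoted in the question,
# with the spam link in the body replaced by a placeholder.
RAW_MESSAGE = """\
X-Apparently-To: ejheinze@att.net via 69.147.85.77; Sun, 24 Apr 2011 15:27:07 -0700
Received-SPF: none (mta1010.sbc.mail.sp1.yahoo.com: domain of larry.koltz@yahoo.com does not designate permitted sender hosts)
X-Originating-IP: [209.191.85.55]
Authentication-Results: mta1010.sbc.mail.sp1.yahoo.com from=yahoo.com; domainkeys=pass (ok); from=yahoo.com; dkim=pass (ok)
Received: from 204.127.208.84 (EHLO sccwmxc04.att.net) (204.127.208.84)
  by mta1010.sbc.mail.sp1.yahoo.com with SMTP; Sun, 24 Apr 2011 15:27:07 -0700
Received: from web36804.mail.mud.yahoo.com ([209.191.85.55])
  by att.net (sccwmxc04) with SMTP
  id <20110424222706s0400io4a9e>; Sun, 24 Apr 2011 22:27:06 +0000
Received: (qmail 56903 invoked by uid 60001); 24 Apr 2011 22:27:06 -0000
Received: from [202.128.5.98] by web36804.mail.mud.yahoo.com via HTTP; Sun, 24 Apr 2011 15:27:06 PDT
From: Larry Koltz <larry.koltz@yahoo.com>
Subject: Re:4
To: ejheinze@att.net

http://placeholder.invalid/link-removed
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")
VERDICT_RE = re.compile(r"\b(spf|dkim|domainkeys|dmarc)=(\w+)")


def received_hops(raw):
    """Return the Received headers in transit order (earliest hop first).

    Every MTA prepends its own Received header, so the header at the bottom
    of the message was written first, by the server nearest the sender."""
    msg = message_from_string(raw)
    hops = []
    for header in reversed(msg.get_all("Received") or []):
        text = " ".join(header.split())  # unfold continuation lines
        m_from, m_by = FROM_RE.search(text), BY_RE.search(text)
        hops.append({
            "from": m_from.group(1) if m_from else None,  # None: local injection (qmail)
            "by": m_by.group(1) if m_by else None,
            "ips": IPV4.findall(text),
            "raw": text,
        })
    return hops


def originating_ip(hops):
    """First IP literal in the earliest hop that carries one, or None."""
    for hop in hops:
        if hop["ips"]:
            return hop["ips"][0]
    return None


def auth_summary(raw):
    """Collect the verdicts the receiving MTA recorded (SPF, DomainKeys, DKIM)."""
    msg = message_from_string(raw)
    verdicts = {}
    spf = msg.get("Received-SPF")
    if spf:
        verdicts["spf"] = spf.split()[0].lower()  # first token is the result
    for value in msg.get_all("Authentication-Results") or []:
        for method, result in VERDICT_RE.findall(value):
            verdicts[method] = result.lower()
    return verdicts


if __name__ == "__main__":
    hops = received_hops(RAW_MESSAGE)
    for n, hop in enumerate(hops, 1):
        print(f"hop {n}: from={hop['from']} by={hop['by']} ips={hop['ips']}")
    print("originating IP:", originating_ip(hops))
    print("verdicts:", auth_summary(RAW_MESSAGE))
```

Run on the sample, the bottom-most hop is the "via HTTP" line: the message was submitted to Yahoo's webmail from 202.128.5.98, and the recipient's MTA recorded dkim=pass for yahoo.com, which corroborates that the Yahoo-added hops are genuine. Received headers below the first hop you can vouch for are written by the sender's side and can be forged, so walk down from your own mail server and stop at the first hop you cannot corroborate; here the DKIM pass is what makes the Yahoo hop, and therefore the IP beneath it, worth reporting to the provider.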
SOLUTION
ASKER
@thinkpads_user: Thanks for the comment with the translated IP addresses; that certainly may become helpful. And the tip with the IP furthest down, THAT is the kind of tip I was hoping for.
@DaveBaldwin: THANK YOU Dave. I am biting my hinders that I didn't think of that... You are a contender for at least some of the points.
ASKER CERTIFIED SOLUTION
ASKER
Wow breadtan! Thank you! That was the kind of info I was looking for.
So long as your mail server is not an open relay, and so long as your email clients have not been compromised with malware, then really all you can do is check your spam filtering rules and try to exclude spam based on its characteristics (more of an art than a science). ... Thinkpads_User