
[SC-Help] Re: Here is the Tracking URL

Mike Easter MikeE at ster.invalid
Tue May 16 14:16:21 EDT 2006


Nigel Featherston wrote:

www.spamcop.net/sc?id=z945557411z13c22d3cfce8e5f033884bc08c04bb9az

Preface:  I don't recommend reading spam subjects receptively, I don't
recommend opening spam to find out what is inside, I don't recommend
reading spambodies for 'content', and I don't recommend trying to read
the mind of the spammer who created the Subject or why /that/ subject,
or the From and why /that/ From, or the body words and why /those/
words, or the bogus lines and why /those/ bogus lines.

Chapter 1:  Before I 'dissect' any spambody, I dissect its headers.
There's something funny about those headers

  Abbreviated Received tracelines *comment
  from (smtp101.biz.mail.re2.yahoo.com [68.142.229.215]) by mx9.pacifier.net
  from unknown (HELO da168 at ebankerscorus.com) (da168 at ebankerscorus.com@65.113.104.154 with login) by smtp101.biz.mail.re2.yahoo.com

I believe that the item was relayed by a yahoo server to pacifier, but
that the yahoo server's headers are noncompliant, so I'm having to guess
at the IP source for the yahoo server, ie is it 65.113.104.154  no rDNS?

whois -h whois.arin.net 65.113.104.154 ...
Qwest Comm  65.112.0.0 - 65.127.255.255
VIPOWERNET  65.113.104.0 - 65.113.111.255

In addition, the item carries a pacifier.net mid

Message-Id: <2006_________________4265 at mx9.pacifier.net>

suggesting that either the item got all the way thru' the yahoo
mailserver without an mid which was ultimately provided by pacifier, or
else the source fabricated a pacifier mid before mailing/injection.  So,
that makes 2 strange situations in the headers already.

In that case, I'll look at the From, which I normally do not, which sez
monster.com

So far I conclude, "Funky headers.  Unanswered questions."

Chapter 2:  Look at the body.

There's a problem with the body.  It has been mangled thrice, once by OL
when it was being stored by the MAPI client OL which mapi-izes the html,
then again a second time by OL when it was removed from storage and
de-mapi-ized to try to turn it back into an approximation of the
original html version, and then the 3rd time by SC which is configured
to do a hack on an html spam when it is submitted by an OL or Eudora
client.

That is too much mangling by all of those parties to rely on the correct
structure anymore.  The original spam has been lost.  This is a spam
'forged' or manufactured or synthesized to try to look like the original
might be guessed to have looked.

I can find a mailto for thestocktongroup.com and I can find a link for
http://www.thestocktongroup.com/jobs.html

which doesn't resolve, neither, due to nameserver failure

Searching for www.thestocktongroup.com A record at
ns1.allhostingsolutions.com. [63.239.178.210]: Server failure! [took 214
ms].

so the email addies aren't going to go anywhere either.

Chapter 3: Back to Nigel's original question.

> SC says the email addresses
> 'jobs at thestocktongroup.com'
> 'adriaan.p at thestocktongroup.com'
>
>  and the web URL: http://www.thestocktongroup.com/  are no good.

That is correct.  They do not resolve.  The domain registration at
wildwestdomains.com  for thestocktongroup.com just shows a domains by
proxy registration and gives the nameservers which aren't working.

> If so, what possible purpose does this email serve?

None.  It is b0rken.



-- 
Mike Easter
kibitzer, not SC admin
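The header checks Mike walks through in Chapter 1 (find the oldest Received hop, note the missing rDNS and the odd HELO, and notice that the Message-Id carries the domain of a downstream relay rather than the origin) can be automated. The script below is an added example, not part of Mike's post and not SpamCop's own parser. The SAMPLE_MESSAGE is a constructed reassembly of the abbreviated trace lines above: the dates, the HELO layout and the Message-Id local part are placeholders, and the "at" obfuscation is restored to "@".

```python
import re
from email import message_from_string

# Constructed sample, reassembled from the abbreviated trace lines in the
# post. Timestamps, the folded layout and the Message-Id local part are
# placeholders; only the host names and IPs come from the post.
SAMPLE_MESSAGE = (
    "Received: from smtp101.biz.mail.re2.yahoo.com "
    "(smtp101.biz.mail.re2.yahoo.com [68.142.229.215])\n"
    "\tby mx9.pacifier.net with ESMTP; Tue, 16 May 2006 10:00:00 -0700\n"
    "Received: from unknown (HELO da168@ebankerscorus.com) "
    "(da168@ebankerscorus.com@65.113.104.154 with login)\n"
    "\tby smtp101.biz.mail.re2.yahoo.com with SMTP; "
    "Tue, 16 May 2006 09:59:00 -0700\n"
    "Message-Id: <PLACEHOLDER-MID@mx9.pacifier.net>\n"
    "From: jobs@monster.com\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
HELO_RE = re.compile(r"\(\s*(?:HELO|EHLO)\s+([^)\s]+)\s*\)", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(value):
    """Pull the handoff fields out of one (possibly folded) Received: value."""
    flat = " ".join(value.split())          # unfold continuation lines
    m_from = FROM_RE.match(flat)
    m_by = BY_RE.search(flat)
    m_helo = HELO_RE.search(flat)
    m_ip = IPV4_RE.search(flat)
    from_name = m_from.group(1) if m_from else None
    return {
        "from_name": from_name,             # what the receiving MTA logged
        "helo": m_helo.group(1) if m_helo else from_name,
        "ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group(1) if m_by else None,
        "authenticated": "with login" in flat.lower(),
    }


def received_chain(raw):
    """Hops oldest-first: the bottom Received: header was added first."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def message_id_domain(raw):
    """Domain part of the Message-Id, lower-cased, or None if absent."""
    mid = message_from_string(raw).get("Message-Id", "")
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", mid)
    return m.group(1).lower() if m else None


def analyze(raw):
    """Return the apparent origin IP plus the oddities a reader would flag."""
    hops = received_chain(raw)
    origin = hops[0]
    findings = []
    if origin["from_name"] == "unknown":
        findings.append(
            f"origin {origin['ip']} has no reverse DNS (logged as 'unknown')")
    if origin["helo"] and "@" in origin["helo"]:
        findings.append(f"origin HELO '{origin['helo']}' is not a hostname")
    if origin["authenticated"]:
        findings.append(f"injected via authenticated login at {origin['by']}")
    mid_dom = message_id_domain(raw)
    relays = [h["by"].lower() for h in hops if h["by"]]
    # A Message-Id naming a later relay means either that relay added it
    # because none existed, or the sender forged it before injection.
    if mid_dom and mid_dom in relays[1:]:
        findings.append(
            f"Message-Id domain {mid_dom} belongs to a downstream relay, "
            "not the origin: added late or forged")
    return {"origin_ip": origin["ip"], "findings": findings}


if __name__ == "__main__":
    result = analyze(SAMPLE_MESSAGE)
    print("origin:", result["origin_ip"])
    for f in result["findings"]:
        print(" -", f)
```

The origin IP it reports is the one Mike has to guess at (65.113.104.154), and the last finding is the "pacifier mid" puzzle from Chapter 1. A real deployment would look up the origin IP's rDNS and whois rather than trusting the relay's "unknown" label, but that needs network access and is left out here.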


