[SpamCop.net - protecting the internet through technology]

[SC-Help] Re: Here is the Tracking URL

Nigel Featherston spamtrap-02 at ec-magic.com
Tue May 16 19:36:08 EDT 2006


Thanks Mike,

I sure appreciate you looking it over like that.

I suspected it might be an old spam with no longer valid links, perhaps sent 
to probe a new email address.  I say this because to the best of my knowledge 
the address to which it was sent has never before been spammed.  The 
recipient email address also contained both the words "spam" and "abuse".

The copies of my manual lart were sent to the addresses in the spam email as 
well as those found in WHOIS for the domain thestocktongroup.com (as I have 
always done). Since my bottom line is having a clean inbox, listwashing is 
encouraged here.  Chances are they now know it is a reporting address.  So 
far no bounces have been received as yet.

Fortunately, if this is an indication this particular email address has 
gotten "out", it will only take a couple of hours work to replace it with a 
new address.  This address is used for very few specific things.

One of my concerns was whether anything in this email looked (to anyone 
else) like a virus/malware attempt.

Regards,
Nigel

"Mike Easter" <MikeE at ster.invalid> wrote in message 
news:e4dbuh$rud$1 at news.spamcop.net...
> Nigel Featherston wrote:
>
> www.spamcop.net/sc?id=z945557411z13c22d3cfce8e5f033884bc08c04bb9az
>
> Preface:  I don't recommend reading spam subjects receptively, I don't
> recommend opening spam to find out what is inside, I don't recommend
> reading spambodies for 'content', and I don't recommend trying to read
> the mind of the spammer who created the Subject or why /that/ subject,
> or the From and why /that/ From, or the body words and why /those/
> words, or the bogus lines and why /those/ bogus lines.
>
> Chapter 1:  Before I 'dissect' any spambody, I dissect its headers.
> There's something funny about those headers
>
>  Abbreviated Received tracelines *comment
>  from (smtp101.biz.mail.re2.yahoo.com [68.142.229.215]) by
> mx9.pacifier.net
>  from unknown (HELO da168 at ebankerscorus.com)
> (da168 at ebankerscorus.com@65.113.104.154 with login) by
> smtp101.biz.mail.re2.yahoo.com
>
> I believe that the item was relayed by a yahoo server to pacifier, but
> that the yahoo server's headers are noncompliant, so I'm having to guess
> at the IP source for the yahoo server, ie is it 65.113.104.154  no rDNS?
>
> whois -h whois.arin.net 65.113.104.154 ...
> Qwest Comm  65.112.0.0 - 65.127.255.255
> VIPOWERNET  65.113.104.0 - 65.113.111.255
>
> In addition, the item carries a pacifier.net mid
>
> Message-Id: <2006_________________4265 at mx9.pacifier.net>
>
> suggesting that either the item got all the way thru' the yahoo
> mailserver without an mid which was ultimately provided by pacifier, or
> else the source fabricated a pacifier mid before mailing/injection.  So,
> that makes 2 strange situations in the headers already.
>
> In that case, I'll look at the From, which I normally do not, which sez
> monster.com
>
> So far I conclude, "Funky headers.  Unanswered questions."
>
> Chapter 2:  Look at the body.
>
> There's a problem with the body.  It has been mangled thrice, once by OL
> when it was being stored by the MAPI client OL which mapi-izes the html,
> then again a second time by OL when it was removed from storage and
> de-mapi-ized to try to turn it back into an approximation of the
> original html version, and then the 3rd time by SC which is configured
> to do a hack on an html spam when it is submitted by an OL or Eudora
> client.
>
> That is too much mangling by all of those parties to rely on the correct
> structure anymore.  The original spam has been lost.  This is a spam
> 'forged' or manufactured or synthesized to try to look like the original
> might be guessed to have looked.
>
> I can find a mailto for thestocktongroup.com and I can find a link for
> http://www.thestocktongroup.com/jobs.html
>
> which doesn't resolve, either, due to nameserver failure
>
> Searching for www.thestocktongroup.com A record at
> ns1.allhostingsolutions.com. [63.239.178.210]: Server failure! [took 214
> ms].
>
> so the email addies aren't going to go anywhere either.
>
> Chapter 3: Back to Nigel's original question.
>
>> SC says the email addresses
>> 'jobs at thestocktongroup.com'
>> 'adriaan.p at thestocktongroup.com'
>>
>>  and the web URL: http://www.thestocktongroup.com/  are no good.
>
> That is correct.  They do not resolve.  The domain registration at
> wildwestdomains.com  for thestocktongroup.com just shows a domains by
> proxy registration and gives the nameservers which aren't working.
>
>> If so, what possible purpose does this email serve?
>
> None.  It is b0rken.
>
>
>
> -- 
> Mike Easter
> kibitzer, not SC admin
> 
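The header dissection Mike walks through above (walk the Received tracelines from origin to final MTA, note the hop with no reverse DNS, and notice that the Message-Id carries the receiving host's domain rather than the originating server's) can be scripted. The following is an added example written for this thread, not code from SpamCop or from either poster. The Received lines are constructed to approximate the abbreviated tracelines Mike quoted; the Message-Id is a labelled placeholder, since the real one is elided in the thread. Beyond the thread, it also flags a HELO argument that is not a hostname, which is a general compliance check rather than something Mike stated.

```python
import re
from email import message_from_string

# Constructed sample approximating the tracelines quoted in the thread.
# The Message-Id is a placeholder, not the real one.
SAMPLE = """\
Received: from smtp101.biz.mail.re2.yahoo.com (smtp101.biz.mail.re2.yahoo.com [68.142.229.215])
\tby mx9.pacifier.net (Postfix) with ESMTP id CONSTRUCTED
\tfor <recipient@example.invalid>; Tue, 16 May 2006 10:00:00 -0700 (PDT)
Received: from unknown (HELO da168@ebankerscorus.com) (da168@ebankerscorus.com@65.113.104.154 with login)
\tby smtp101.biz.mail.re2.yahoo.com with SMTP; 16 May 2006 17:00:00 -0000
Message-Id: <CONSTRUCTED-placeholder@mx9.pacifier.net>
From: jobs@example.invalid
Subject: constructed sample

body
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(value):
    """Split one Received: value (folded or not) into from/helo/rdns/ip/by fields."""
    v = " ".join(value.split())  # unfold continuation lines
    m = re.match(r"from\s+(.*?)\s+by\s+(\S+)", v, re.I)
    if not m:
        return None
    from_part, by_host = m.group(1), m.group(2)
    first = from_part.split()[0]                      # token right after "from"
    helo = re.search(r"HELO\s+([^\s)]+)", from_part, re.I)
    ip = IPV4.search(from_part)
    rdns = re.search(r"\(([\w.-]+)\s+\[", from_part)  # "(host [ip])" form
    return {
        "from": first,
        "helo": helo.group(1) if helo else first,
        "rdns": rdns.group(1) if rdns else (None if first.lower() == "unknown" else first),
        "ip": ip.group(1) if ip else None,
        "by": by_host,
    }


def analyze(raw):
    """Return the hop chain (origin first), the origin IP and a list of anomalies."""
    msg = message_from_string(raw)
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    hops.reverse()  # Received headers are newest-first; walk oldest (origin) to newest
    findings = []
    for i, hop in enumerate(hops):
        if hop["rdns"] is None:
            findings.append(f"hop {i}: no reverse DNS for {hop['ip']} (HELO {hop['helo']})")
        if "@" in hop["helo"]:
            findings.append(f"hop {i}: HELO '{hop['helo']}' is not a hostname (non-compliant)")
        if i > 0 and hop["from"].lower() != hops[i - 1]["by"].lower():
            findings.append(f"hop {i}: chain break: from {hop['from']} "
                            f"but previous hop was by {hops[i - 1]['by']}")
    mid = msg.get("Message-Id", "")
    mid_domain = mid.rsplit("@", 1)[-1].strip("<> ").lower() if "@" in mid else None
    if hops and mid_domain:
        origin_mta = hops[0]["by"].lower()
        final_mta = hops[-1]["by"].lower()
        if mid_domain == final_mta and mid_domain != origin_mta:
            findings.append(f"Message-Id domain {mid_domain} belongs to the final MTA, "
                            f"not the origin MTA {origin_mta}: id added late or forged")
    return {"hops": hops, "origin_ip": hops[0]["ip"] if hops else None, "findings": findings}


if __name__ == "__main__":
    result = analyze(SAMPLE)
    print("origin IP:", result["origin_ip"])
    for f in result["findings"]:
        print("-", f)
```

Run on the sample, it names 65.113.104.154 as the origin, reports that the origin hop has no reverse DNS and a non-hostname HELO, confirms the chain is continuous (yahoo handed to pacifier), and flags that the Message-Id was stamped with the final MTA's domain. The chain-continuity check is the one to trust least on real mail: relays abbreviate and reorder, so treat a "chain break" as a prompt to read the headers by hand, as Mike did, not as a verdict.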
