Windows 7: New to me, versions of spam

17 Jan 2012   #1

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1
 
 
Has anyone seen this type of email/gmail spam?

Notice the red rectangles (screenshot attachment: New to me, versions of spam-email.jpg).

I have tried searching for "email sender blacked out", but have had no success as of yet.
The only lead I have is that they both originated from hotmail.com.





19 Jan 2012   #2

 
 

In many email services you can identify the sender. The exact method is different for every email service though.

This is what you do in Hotmail:
Open the email sent by the hacker. Click on the down-arrow next to Reply.
Select "View Message Source." Scroll down to the sender's (hacker's) name, listed following the text that says: X-SID-PRA:
The sender's ISP address will be listed following either (1) X-Originating-IP: or (2) Received: from
(The ISP address will be a number like this, in brackets: [123.456.78.91].)

Then go to a utility such as whois which will identify the identity and location of the hacker’s ISP, from which the email was sent.

19 Jan 2012   #3

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1
 
 

A funny thing happened on the way to the Forum....

I took your advice, and looked at the netwatchman (MNW) link you provided, and saw the forensic scanner tool, so I downloaded, scanned it with MBAM (results okay), and ran it.

In order to submit the scan I had to register, and MNW sent me a validation email.

When I opened the email WOT had branded the link with an orange circle. With some elements of the link removed for security/privacy, this is what I saw:
(screenshot attachment: New to me, versions of spam-mnw.jpg)
sc.mynetwatchman.com | WOT Reputation Scorecard | WOT (Web of Trust), Malware Patrol says it "Appeared on a list of malware distributors".

I then checked the complete header with Whois.

To show the complete header in gmail:
  • Once you open the email go to the upper right where it says reply.
  • Click on the down arrow to its right.
  • Click on Show Original.
The results, again with some elements of the link removed for security/privacy:
Code:
Delivered-To:
Received: by  with SMTP id  ;  Thu, 19 Jan 2012 10:41:38 -0800 (PST)
Received: by  with SMTP id  ;  Thu, 19 Jan 2012 10:41:36 -0800 (PST)
Return-Path: <donotreply@mynetwatchman.com>
Received: from fwhosting01.mynetwatchman.com (host1.mynetwatchman.com. [66.110.201.18])  by  ;  Thu, 19 Jan 2012 10:41:36 -0800 (PST)
Received-SPF: pass ( : domain of donotreply@mynetwatchman.com designates 66.110.201.18 as permitted sender) client-ip=66.110.201.18;
Authentication-Results:  ; spf=pass (google.com: domain of donotreply@mynetwatchman.com designates 66.110.201.18 as permitted sender) smtp.mail=donotreply@mynetwatchman.com
Received: from monster ([])  by fwhosting01.mynetwatchman.com (8.14.2/8.14.2) with ESMTP id  for < >; Thu, 19 Jan 2012 13:53:01 -0500
Date: Thu, 19 Jan 2012 13:41:35 -0500 (EST)
From: donotreply@mynetwatchman.com
To:
Message-ID: < .JavaMail.root@monster>
Subject: SecCheck Registration Verification (link included)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Thank you for registering.  In order to validate your login, please go to the following link in your browser:  http://sc.mynetwatchman.com/seccheck/
Please do not reply to this message via e-mail. This is an automated message and the address is unattended.
The full whois report on MNW:
Code:
Final results obtained from whois.arin.net. 
Results:
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=66.110.201.18?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       66.110.192.0 - 66.110.223.255
CIDR:           66.110.192.0/19
OriginAS:       
NetName:        GEORGIA-PUBLIC-WEB
NetHandle:      NET-66-110-192-0-1
Parent:         NET-66-0-0-0-0
NetType:        Direct Allocation
RegDate:        2002-12-12
Updated:        2006-03-31
Ref:            http://whois.arin.net/rest/net/NET-66-110-192-0-1

OrgName:        GEORGIA PUBLIC WEB, INC.
OrgId:          GPW
Address:        1470 RIVER EDGE PARKWAY
City:           ATLANTA
StateProv:      GA
PostalCode:     30328
Country:        US
RegDate:        2002-01-09
Updated:        2009-05-18
Ref:            http://whois.arin.net/rest/org/GPW

ReferralServer: rwhois://rwhois.gapublicweb.net:4321

OrgAbuseHandle: GPWNO-ARIN
OrgAbuseName:   GPWNOC
OrgAbusePhone:  +1-888-662-6324 
OrgAbuseEmail:  telecomnoc@gapublicweb.net
OrgAbuseRef:    http://whois.arin.net/rest/poc/GPWNO-ARIN

OrgTechHandle: NELSO2-ARIN
OrgTechName:   Nelson, Frank A
OrgTechPhone:  +1-770-661-2783 
OrgTechEmail:  fnelson@gapublicweb.net
OrgTechRef:    http://whois.arin.net/rest/poc/NELSO2-ARIN

OrgNOCHandle: GPWNO-ARIN
OrgNOCName:   GPWNOC
OrgNOCPhone:  +1-888-662-6324 
OrgNOCEmail:  telecomnoc@gapublicweb.net
OrgNOCRef:    http://whois.arin.net/rest/poc/GPWNO-ARIN

RAbuseHandle: NELSO2-ARIN
RAbuseName:   Nelson, Frank A
RAbusePhone:  +1-770-661-2783 
RAbuseEmail:  fnelson@gapublicweb.net
RAbuseRef:    http://whois.arin.net/rest/poc/NELSO2-ARIN

RTechHandle: NELSO2-ARIN
RTechName:   Nelson, Frank A
RTechPhone:  +1-770-661-2783 
RTechEmail:  fnelson@gapublicweb.net
RTechRef:    http://whois.arin.net/rest/poc/NELSO2-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
It has been my understanding that IP addresses that start with a 66.xxx.xxx.x.x are generally spam or malware.

I'm usually not paranoid, but now MNW has my email.
I'll check back after I do some scans.




20 Jan 2012   #4

Windows 8 Pro w/MC 32-bit
 
 

Quote: Originally Posted by Anak
...It has been my understanding that IP addresses that start with a 66.xxx.xxx.x.x are generally spam or malware...
Assuming you mean 66.xxx.xxx.xxx, I doubt that the "66" means anything. My ISP is Covad and all of my internet routable IPs begin "66.134.xxx.xxx".
20 Jan 2012   #5

Windows 8.1 Pro RTM x64
 
 

20 Jan 2012   #6

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1
 
 

Mornin' Ron,

The operative word here is "generally".
Whenever I go to check on an IP address the 66 prefix stands out. Why? I am not really sure, but somewhere in my observations it has.

It wasn't Imperfect1 that told me to download anything; all I was trying to do was relate my experience.
I do realize that ratings can be poisoned by hateful reviewers.

I was trying to be careful how I worded my last post because I did not want Imperfect1 to feel that I was sore about the advice that s/he offered.

Obviously, I failed.



Thank you Dwarf. I now have four more weapons in my arsenal.
20 Jan 2012   #7

 
 

My apologies if my suggestion to take a look at the mynetwatchman.com article caused any problems. I've deleted the suggestion in my post above.

The purpose of my post was only to show that we can identify the hacker in some emails.
21 Jan 2012   #8

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1
 
 

No apologies are needed I1, you were only doing what you knew to be okay.

It has taken a day or so to reply because I wanted to think over how I would.
My first thought was that I need something better than WOT to guard my wife and me when we are surfing the web.
Even in Dwarf's links I ran across a WOT warning with the sc.mynetwatchman.com safe site info link.
It seems that WOT is even more paranoid than I am.

I did re-run the SecCheck program offered by MNW, and after several runs my machine is okay.


Since my last contact with you I had another spam email delivered with the blacked out sender, but this time I screwed up my courage, clicked on the link, and opened the Show Original link in my gmail tools.

I went through every address, and numerical IP address, with some addresses omitted for security:
Code:
Delivered-To:
Received: by  with SMTP id  ;  Fri, 20 Jan 2012 21:31:39 -0800 (PST)
Received: by 10.213.9.65 with SMTP id  ;  Fri, 20 Jan 2012 21:31:37 -0800 (PST)
Return-Path: <dfece@hotmail.com>
Received: from antyspam.aster.pl ([ ])  by mx.google.com with ESMTPS id  (version=TLSv1/SSLv3 cipher=OTHER);  Fri, 20 Jan 2012 21:31:37 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning dfece@hotmail.com does not designate 178. ..as permitted sender) client-ip=178...;
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning dfece@hotmail.com does not designate 178...as permitted sender) smtp.mail=dfece@hotmail.com
Received: from host -static. -b.business.telecomitalia.it ( )  by antyspam.aster.pl  with SMTP id  ;  Sat, 21 Jan 2012 06:29:53 +0100
Received: from uqgdkj.yahoogroups.com (c57.yahoogroups.com [240.124.85.156:1080]) by 85.39.204.18 with SMTP id wcy59W64LLSci57441;  Wed, 01 Feb 2012 02:20:59 -0300
From: "�i�i���������z�밪�~��DVD��.����-�g�j����" <dfece@hotmail.com>
Reply-To: "DVD���j.�M��26��-�槹���� " <dfece@hotmail.com>
Subject: ��H: ���z����.�U���̧C-��26��
To: spandle@pchome.com.tw
Message-ID: <915817155122.8a79t5o65u@yahoo.com>
X-Mailer: Microsoft Outlook Express 5.00.2615.200
Date: Wed, 01 Feb 2012 06:24:59 +0100
Organization: Microsoft Outlook Express 5.00.2615.200
Mime-Version: 1.0
Content-Type: multipart/alternative;  boundary="=_NextPart_851_4frk_cys4ms53.xfoxxi4n"
X-FEAS-SBL: 85.39.204.18 score 1
X-FEAS-SURL: http://ciritag.z7sksg.com

This is a multi-part message in MIME format.

--=_NextPart_851_4frk_cys4ms53.xfoxxi4n
Content-Type: text/plain; charset="big5"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

grain of sand inside football team, from gonad, and beyond customer are what made America great!He called her Tabatha (or was it Tabatha?).living with plaintiff, bonbon beyond, and from defendant are what made America great!

--=_NextPart_851_4frk_cys4ms53.xfoxxi4n
Content-Type: text/html; charset="big5"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> lpupxmjr <p>&nbsp;</p> <p>&nbsp;</p> <a rel=3D"nofollow" target=3D"_blank" href=3D"http://ciritag.z7sksg.com"><= font color=3D"#669933"<font size=3D"6"><b>=A5~=AD=B1=BC=F6=AA=BA=ADn-=A6=BA= =A6b=AEa.=AC=DDA=A4=F9=B3=CC=B2n</b></font></a>

--=_NextPart_851_4frk_cys4ms53.xfoxxi4n--
when I came across a link to spandle at pchome.com.tw.
I punched it into the Google Safe Browsing Diagnostic, and this is what came out:
(screenshot attachment: GD.JPG)
Don't click on that link to spandle. The only way I could defeat the link was to remove the @ sign, and replace it with at.
Even the remove link feature here in the forum wouldn't do it.

Now that I am armed with the information I can alert hotmail, and all of the corresponding dependencies of this email to what is happening.
As I was getting this ready I received another blackie, only this time it was from AOL.
What's that saying...An alert user's (woman's) work is never done?

I feel sad that you felt you had to remove that link to MNW because of a reaction that I took.
If you have been doing anything a certain way, and it has always come out on the plus side then continue to do it.

Quote:
There is never any reason to apologize, if you know in your heart the course of action that you take is right.
Steven Y, 1951 - 20??
You know, that sounds pretty good. I think I'll add that to my sig....


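The header walk that posts #2, #3 and #8 do by hand, as an added example in Python (not code from the thread): it unfolds the Received: chain, reverses it into delivery order, picks out the hop that handed the message to our own mail server, and reads the Received-SPF verdict. The sample header is constructed from the mynetwatchman message in post #3; mx.example.net, 10.0.0.5, 192.0.2.10 and the SMTP ids are placeholders for the fields the poster blanked out.

```python
import re
from email import message_from_string

# Constructed sample modelled on the header in post #3: the mynetwatchman hop, its IP
# and the SPF verdict are from the thread; mx.example.net, 10.0.0.5, 192.0.2.10 and the
# SMTP ids are placeholders for fields the poster blanked out.
SAMPLE = """\
Received: by 10.0.0.5 with SMTP id abc123;
        Thu, 19 Jan 2012 10:41:38 -0800 (PST)
Return-Path: <donotreply@mynetwatchman.com>
Received: from fwhosting01.mynetwatchman.com (host1.mynetwatchman.com. [66.110.201.18])
        by mx.example.net with ESMTP id def456;
        Thu, 19 Jan 2012 10:41:36 -0800 (PST)
Received-SPF: pass (example.net: domain of donotreply@mynetwatchman.com designates 66.110.201.18 as permitted sender) client-ip=66.110.201.18;
Received: from monster ([192.0.2.10])
        by fwhosting01.mynetwatchman.com (8.14.2/8.14.2) with ESMTP id ghi789;
        Thu, 19 Jan 2012 13:53:01 -0500
From: donotreply@mynetwatchman.com
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # bracketed literal: "(name [ip])"

def received_chain(raw):
    """Hops as (from_host, ip, by_host), oldest first: MTAs prepend Received:, so reverse."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        flat = " ".join(hdr.split())  # join folded continuation lines
        m_from = re.search(r"\bfrom (\S+)", flat)
        m_by = re.search(r"\bby (\S+)", flat)
        m_ip = IPV4.search(flat)
        hops.append((m_from.group(1) if m_from else None,
                     m_ip.group(1) if m_ip else None,
                     m_by.group(1) if m_by else None))
    return hops[::-1]

def handoff_ip(raw, my_domain):
    """IP that handed the message to our own MX: first hop whose 'by' host is in my_domain.
    Only this hop was written by a server we trust; earlier hops can be forged by the sender."""
    for _frm, ip, by in received_chain(raw):
        if by and by.endswith(my_domain) and ip:
            return ip
    return None

def spf_result(raw):
    """(verdict, client-ip) from Received-SPF: ('pass', ...) here, 'softfail' in post #8."""
    hdr = message_from_string(raw).get("Received-SPF")
    if not hdr:
        return None, None
    m_ip = re.search(r"client-ip=([\d.]+)", hdr)
    return hdr.split()[0], (m_ip.group(1) if m_ip else None)
```

The handoff IP, not the lowest Received: line, is the one worth looking up with whois: everything below the hop into your own server was written by machines the sender controls.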