New to me, versions of spam


  1. Posts : 5,605
    Originally Win 7 Hm Prem x64 Ver 6.1.7600 Build 7601-SP1 | Upgraded to Windows 10 December 14, 2019
       #1

    New to me, versions of spam


    Has anyone seen this type of email/gmail spam?

    Notice the red rectangles: [attachment: New to me, versions of spam-email.jpg]

    I have tried searching for the email sender (blacked out), but have had no success as of yet.
    The only lead I have is that they both originated from hotmail.com.


  2. Posts : 2,578
    Vista 64 bit and 32 bit (SP2)
       #2

    In many email services you can identify the sender. The exact method is different for every email service though.

    This is what you do in Hotmail:
    Open the email sent by the hacker. Click on the down-arrow next to Reply.
    Select: “View Message Source.” Scroll down to the sender’s (hacker’s) name listed following the text that says: X-SID-PRA:
    The sender’s ISP address will be listed following either (1) X-Originating-IP: or (2) Received From:
    (The ISP address will be a number like this, in brackets: [123.456.78.91]).

    Then go to a utility such as whois which will identify the identity and location of the hacker’s ISP, from which the email was sent.

    Last edited by Imperfect1; 20 Jan 2012 at 11:20.


  3. Posts : 5,605
    Originally Win 7 Hm Prem x64 Ver 6.1.7600 Build 7601-SP1 | Upgraded to Windows 10 December 14, 2019
    Thread Starter
       #3

    A funny thing happened on the way to the Forum....

    I took your advice, and looked at the netwatchman (MNW) link you provided, and saw the forensic scanner tool, so I downloaded, scanned it with MBAM (results okay), and ran it.

    In order to submit the scan I had to register, and MNW sent me a validation email.

    When I opened the email WOT had branded the link with an orange circle. With some elements of the link removed for security/privacy, this is what I saw:
    [attachment: New to me, versions of spam-mnw.jpg]
    sc.mynetwatchman.com | WOT Reputation Scorecard | WOT (Web of Trust), Malware Patrol says it "Appeared on a list of malware distributors".

    I then checked the complete header with Whois.

    To show the complete header in gmail:

    • Once you open the email, go to the upper right where it says Reply.
    • Click on the down arrow to its right.
    • Click on Show Original.

    The results, again with some elements of the link removed for security/privacy:
    Code:
    Delivered-To:
    Received: by  with SMTP id  ; Thu, 19 Jan 2012 10:41:38 -0800 (PST)
    Received: by  with SMTP id  ; Thu, 19 Jan 2012 10:41:36 -0800 (PST)
    Return-Path: <donotreply@mynetwatchman.com>
    Received: from fwhosting01.mynetwatchman.com (host1.mynetwatchman.com. [66.110.201.18]) by  ; Thu, 19 Jan 2012 10:41:36 -0800 (PST)
    Received-SPF: pass ( : domain of donotreply@mynetwatchman.com designates 66.110.201.18 as permitted sender) client-ip=66.110.201.18;
    Authentication-Results:  ; spf=pass (google.com: domain of donotreply@mynetwatchman.com designates 66.110.201.18 as permitted sender) smtp.mail=donotreply@mynetwatchman.com
    Received: from monster ([]) by fwhosting01.mynetwatchman.com (8.14.2/8.14.2) with ESMTP id  for < >; Thu, 19 Jan 2012 13:53:01 -0500
    Date: Thu, 19 Jan 2012 13:41:35 -0500 (EST)
    From: donotreply@mynetwatchman.com
    To:
    Message-ID: < .JavaMail.root@monster>
    Subject: SecCheck Registration Verification (link included)
    MIME-Version: 1.0
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit

    Thank you for registering.  In order to validate your login, please go to the following link in your browser:  http://sc.mynetwatchman.com/seccheck/
    Please do not reply to this message via e-mail. This is an automated message and the address is unattended.
    The full whois report on MNW:
    Code:
    Final results obtained from whois.arin.net. 
    Results:
    #
    # The following results may also be obtained via:
    # http://whois.arin.net/rest/nets;q=66.110.201.18?showDetails=true&showARIN=false&ext=netref2
    #
    
    NetRange:       66.110.192.0 - 66.110.223.255
    CIDR:           66.110.192.0/19
    OriginAS:       
    NetName:        GEORGIA-PUBLIC-WEB
    NetHandle:      NET-66-110-192-0-1
    Parent:         NET-66-0-0-0-0
    NetType:        Direct Allocation
    RegDate:        2002-12-12
    Updated:        2006-03-31
    Ref:            http://whois.arin.net/rest/net/NET-66-110-192-0-1
    
    OrgName:        GEORGIA PUBLIC WEB, INC.
    OrgId:          GPW
    Address:        1470 RIVER EDGE PARKWAY
    City:           ATLANTA
    StateProv:      GA
    PostalCode:     30328
    Country:        US
    RegDate:        2002-01-09
    Updated:        2009-05-18
    Ref:            http://whois.arin.net/rest/org/GPW
    
    ReferralServer: rwhois://rwhois.gapublicweb.net:4321
    
    OrgAbuseHandle: GPWNO-ARIN
    OrgAbuseName:   GPWNOC
    OrgAbusePhone:  +1-888-662-6324 
    OrgAbuseEmail:  telecomnoc@gapublicweb.net
    OrgAbuseRef:    http://whois.arin.net/rest/poc/GPWNO-ARIN
    
    OrgTechHandle: NELSO2-ARIN
    OrgTechName:   Nelson, Frank A
    OrgTechPhone:  +1-770-661-2783 
    OrgTechEmail:  fnelson@gapublicweb.net
    OrgTechRef:    http://whois.arin.net/rest/poc/NELSO2-ARIN
    
    OrgNOCHandle: GPWNO-ARIN
    OrgNOCName:   GPWNOC
    OrgNOCPhone:  +1-888-662-6324 
    OrgNOCEmail:  telecomnoc@gapublicweb.net
    OrgNOCRef:    http://whois.arin.net/rest/poc/GPWNO-ARIN
    
    RAbuseHandle: NELSO2-ARIN
    RAbuseName:   Nelson, Frank A
    RAbusePhone:  +1-770-661-2783 
    RAbuseEmail:  fnelson@gapublicweb.net
    RAbuseRef:    http://whois.arin.net/rest/poc/NELSO2-ARIN
    
    RTechHandle: NELSO2-ARIN
    RTechName:   Nelson, Frank A
    RTechPhone:  +1-770-661-2783 
    RTechEmail:  fnelson@gapublicweb.net
    RTechRef:    http://whois.arin.net/rest/poc/NELSO2-ARIN
    
    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/whois_tou.html
    #
    
    It has been my understanding that IP addresses that start with a 66.xxx.xxx.x.x are generally spam or malware.

    I'm usually not paranoid, but now MNW has my email.
    I'll check back after I do some scans.


  4. Posts : 2,066
    Windows 8 Pro w/MC 32-bit
       #4

    Anak said:
    ...It has been my understanding that IP addresses that start with a 66.xxx.xxx.x.x are generally spam or malware...
    Assuming you mean 66.xxx.xxx.xxx, I doubt that the "66" means anything. My ISP is Covad and all of my internet routable IPs begin "66.134.xxx.xxx".



  6. Posts : 5,605
    Originally Win 7 Hm Prem x64 Ver 6.1.7600 Build 7601-SP1 | Upgraded to Windows 10 December 14, 2019
    Thread Starter
       #6

    Mornin' Ron,

    The operative word here is "generally".
    Whenever I go to check on an IP address the 66 prefix stands out, why? I am not really sure, but somewhere in my observations it has.

    It wasn't Imperfect1 that told me to download anything, all I was trying to do is relate my experience.
    I do realize that ratings can be poisoned by hateful reviewers.

    I was trying to be careful how I worded my last post because I did not want Imperfect1 to feel that I was sore about the advice that s/he offered.

    Obviously, I failed.



    Thank you Dwarf. I now have four more weapons in my arsenal.


  7. Posts : 2,578
    Vista 64 bit and 32 bit (SP2)
       #7

    My apologies if my suggestion to take a look at the mynetwatchman.com article caused any problems. I've deleted the suggestion in my post above.

    The purpose of my post was only to show that we can identify the hacker in some emails.


  8. Posts : 5,605
    Originally Win 7 Hm Prem x64 Ver 6.1.7600 Build 7601-SP1 | Upgraded to Windows 10 December 14, 2019
    Thread Starter
       #8

    No apologies are needed I1, you were only doing what you knew to be okay.

    It has taken a day or so to reply because I wanted to think over how I would.
    My first thought was I need something better than WOT to guard my wife, and me when we are surfing the web.
    Even in Dwarf's links I ran across a WOT warning with the sc.mynetwatchman.com safe site info link.
    It seems that WOT is even more paranoid than I am.

    I did re-run the SecCheck program offered by MNW, and after several runs my machine is okay.


    Since my last contact with you I had another spam email delivered with the blacked out sender, but this time I screwed up my courage, clicked on the link, and opened the Show Original link in my gmail tools.

    I went through every address, and numerical IP address, with some addresses omitted for security:
    Code:
    Delivered-To:
    Received: by  with SMTP id  ; Fri, 20 Jan 2012 21:31:39 -0800 (PST)
    Received: by 10.213.9.65 with SMTP id  ; Fri, 20 Jan 2012 21:31:37 -0800 (PST)
    Return-Path: <dfece@hotmail.com>
    Received: from antyspam.aster.pl ([ ]) by mx.google.com with ESMTPS id  (version=TLSv1/SSLv3 cipher=OTHER); Fri, 20 Jan 2012 21:31:37 -0800 (PST)
    Received-SPF: softfail (google.com: domain of transitioning dfece@hotmail.com does not designate 178. ..as permitted sender) client-ip=178...;
    Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning dfece@hotmail.com does not designate 178...as permitted sender) smtp.mail=dfece@hotmail.com
    Received: from host -static. -b.business.telecomitalia.it ( ) by antyspam.aster.pl with SMTP id  ; Sat, 21 Jan 2012 06:29:53 +0100
    Received: from uqgdkj.yahoogroups.com (c57.yahoogroups.com [240.124.85.156:1080]) by 85.39.204.18 with SMTP id wcy59W64LLSci57441; Wed, 01 Feb 2012 02:20:59 -0300
    From: "�i�i���������z�밪�~��DVD��.����-�g�j����" <dfece@hotmail.com>
    Reply-To: "DVD���j.�M��26��-�槹���� " <dfece@hotmail.com>
    Subject: ��H: ���z����.�U���̧C-��26��
    To: spandle@pchome.com.tw
    Message-ID: <915817155122.8a79t5o65u@yahoo.com>
    X-Mailer: Microsoft Outlook Express 5.00.2615.200
    Date: Wed, 01 Feb 2012 06:24:59 +0100
    Organization: Microsoft Outlook Express 5.00.2615.200
    Mime-Version: 1.0
    Content-Type: multipart/alternative; boundary="=_NextPart_851_4frk_cys4ms53.xfoxxi4n"
    X-FEAS-SBL: 85.39.204.18 score 1
    X-FEAS-SURL: http://ciritag.z7sksg.com

    This is a multi-part message in MIME format.

    --=_NextPart_851_4frk_cys4ms53.xfoxxi4n
    Content-Type: text/plain; charset="big5"
    Content-Transfer-Encoding: quoted-printable
    Content-Disposition: inline

    grain of sand inside football team, from gonad, and beyond customer are what made America great!He called her Tabatha (or was it Tabatha?).living with plaintiff, bonbon beyond, and from defendant are what made America great!

    --=_NextPart_851_4frk_cys4ms53.xfoxxi4n
    Content-Type: text/html; charset="big5"
    Content-Transfer-Encoding: quoted-printable
    Content-Disposition: inline

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> lpupxmjr <p>&nbsp;</p> <p>&nbsp;</p> <a rel=3D"nofollow" target=3D"_blank" href=3D"http://ciritag.z7sksg.com"><= font color=3D"#669933"<font size=3D"6"><b>=A5~=AD=B1=BC=F6=AA=BA=ADn-=A6=BA= =A6b=AEa.=AC=DDA=A4=F9=B3=CC=B2n</b></font></a>

    --=_NextPart_851_4frk_cys4ms53.xfoxxi4n--
    when I came across a link to spandle at pchome.com.tw.
    I punched it in to the Google Safe Browsing Diagnostic, and this is what came out:
    [attachment: New to me, versions of spam-gd.jpg]
    Don't click on that link to spandle. The only way I could defeat the link was to remove the @ sign, and replace it with at.
    Even the remove link feature here in the forum wouldn't do it.

    Now that I am armed with the information I can alert hotmail, and all of the corresponding dependencies of this email to what is happening.
    As I was getting this ready I received another blackie, only this time it was from AOL.
    What's that saying...An alert user's (woman's) work is never done?

    I feel sad that you felt you had to remove that link to MNW because of a reaction that I took.
    If you have been doing anything a certain way, and it has always come out on the plus side then continue to do it.

    There is never any reason to apologize, if you know in your heart the course of action that you take is right.
    Steven Y, 1951 - 20??
    You know, that sounds pretty good. I think I'll add that to my sig....
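    An added example (not code from the thread, nor anything from MNW or Google) that does in Python the bottom-up reading of the Received chain that Imperfect1 described in #2 and that the headers in #3 and #8 illustrate: it unfolds the headers, lists the hops oldest first, reads the Received-SPF result, and flags hops that claim an address no real host on the public internet can connect from (240.0.0.0/4 is reserved, and the bottom Received line of a spam is the one the spammer writes himself). The sample header is constructed from the one above; every value the poster blacked out is replaced by the placeholder REDACTED.

```python
import ipaddress
import re
# Constructed sample modelled on the second header in the thread; whatever the poster blacked out is REDACTED.
SAMPLE_HEADERS = """\
Received: from antyspam.aster.pl ([REDACTED]) by mx.google.com with ESMTPS id REDACTED;
        Fri, 20 Jan 2012 21:31:37 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning dfece@hotmail.com
        does not designate REDACTED as permitted sender) client-ip=REDACTED;
Received: from uqgdkj.yahoogroups.com (c57.yahoogroups.com [240.124.85.156:1080])
        by 85.39.204.18 with SMTP id wcy59W64LLSci57441; Wed, 01 Feb 2012 02:20:59 -0300
"""
RECEIVED_RE = re.compile(r"^Received:\s*from\s+(\S+)\s*(?:\(([^)]*)\))?\s*by\s+(\S+)", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def unfold(headers):
    # Join RFC 5322 folded continuation lines (leading whitespace) back onto their header.
    return re.sub(r"\r?\n[ \t]+", " ", headers).splitlines()

def parse_received(headers):
    """Received hops oldest first: the chain is read from the bottom up."""
    hops = []
    for m in filter(None, map(RECEIVED_RE.match, unfold(headers))):
        # the connecting IP sits in the parenthesised part, e.g. (host [1.2.3.4:1080]); None if blacked out
        ip = IPV4_RE.search(m.group(2) or "")
        hops.append({"from": m.group(1), "by": m.group(3), "ip": ip.group(1) if ip else None})
    return hops[::-1]

def spf_result(headers):
    m = re.search(r"^Received-SPF:\s*(\w+)", "\n".join(unfold(headers)), re.I | re.M)
    return m.group(1).lower() if m else None

def classify_ip(text):
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return "unparseable"
    # 240.0.0.0/4 is reserved: no real host on the public internet can connect from it
    return "reserved" if ip.is_reserved else "global" if ip.is_global else "private"

def suspicious_hops(headers):
    # Reasons a header looks forged; the oldest hops are the ones the spammer writes himself.
    findings = []
    spf = spf_result(headers)
    if spf and spf != "pass":
        findings.append(f"SPF {spf}: sender domain does not authorise the submitting host")
    for hop in parse_received(headers):
        kind = classify_ip(hop["ip"]) if hop["ip"] else "missing"
        if kind in ("reserved", "private"):
            findings.append(f"hop from {hop['from']} claims {kind} address {hop['ip']}")
    return findings
```

    Run `suspicious_hops(SAMPLE_HEADERS)` to get both findings for the constructed sample; feed it the text of "Show Original" for any other message.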


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd