Windows 7 Forums

Windows 7: New to me, versions of spam

17 Jan 2012   #1

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1
New to me, versions of spam

Has anyone seen this type of email/gmail spam?

Notice the red rectangles: New to me, versions of spam-email.jpg

I have tried searching for email sender blacked out, but have had no success as of yet.
The only lead I have is that they both originated from

19 Jan 2012   #2


In many email services you can identify the sender. The exact method is different for every email service though.

This is what you do in Hotmail:
Open the email sent by the hacker. Click on the down-arrow next to Reply.
Select: “View Message Source.” Scroll down to the sender’s (hacker’s) name, listed following the text that says: X-SID-PRA:
The sender’s ISP address will be listed following either (1) X-Originating-IP: or (2) Received From:
(The ISP address will be a number like this, in brackets: [123.456.78.91]).

Then go to a utility such as whois which will identify the identity and location of the hacker’s ISP, from which the email was sent.

19 Jan 2012   #3

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1

A funny thing happened on the way to the Forum....

I took your advice, and looked at the netwatchman (MNW) link you provided, and saw the forensic scanner tool, so I downloaded, scanned it with MBAM (results okay), and ran it.

In order to submit the scan I had to register, and MNW sent me a validation email.

When I opened the email WOT had branded the link with an orange circle. With some elements of the link removed for security/privacy, this is what I saw:
New to me, versions of spam-mnw.jpg | WOT Reputation Scorecard | WOT (Web of Trust), Malware Patrol says it "Appeared on a list of malware distributors".

I then checked the complete header with Whois.

To show the complete header in gmail:
  • Once you open the email go to the upper right where it says reply.
  • Click on the down arrow to its right.
  • Click on Show Original.
The results, again with some elements of the link removed for security/privacy:

Received: by  with SMTP id  ;         Thu, 19 Jan 2012 10:41:38 -0800 (PST) 

Received: by   with SMTP id  ;         Thu, 19 Jan 2012 10:41:36 -0800 (PST) 

Return-Path: <> 

Received: from ( [])         by  ;         Thu, 19 Jan 2012 10:41:36 -0800 (PST)

Received-SPF: pass ( : domain of designates as permitted sender) client-ip=; 

Authentication-Results:  ; spf=pass ( domain of designates as permitted sender) 

Received: from monster ([])
        by (8.14.2/8.14.2) with ESMTP id          for < >; Thu, 19 Jan 2012 13:53:01 -0500
Date: Thu, 19 Jan 2012 13:41:35 -0500 (EST)
From:
To:
Message-ID: < .JavaMail.root@monster>
Subject: SecCheck Registration Verification (link included)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Thank you for registering.  In order to validate your login, please go to the following link in your browser:
Please do not reply to this message via e-mail. This is an automated message and the address is unattended.
The full whois report on MNW:
Final results obtained from 
# The following results may also be obtained via:

NetRange: -
NetHandle:      NET-66-110-192-0-1
Parent:         NET-66-0-0-0-0
NetType:        Direct Allocation
RegDate:        2002-12-12
Updated:        2006-03-31

OrgId:          GPW
Address:        1470 RIVER EDGE PARKWAY
City:           ATLANTA
StateProv:      GA
PostalCode:     30328
Country:        US
RegDate:        2002-01-09
Updated:        2009-05-18

ReferralServer: rwhois://

OrgAbuseHandle: GPWNO-ARIN
OrgAbuseName:   GPWNOC
OrgAbusePhone:  +1-888-662-6324 

OrgTechHandle: NELSO2-ARIN
OrgTechName:   Nelson, Frank A
OrgTechPhone:  +1-770-661-2783 

OrgNOCPhone:  +1-888-662-6324 

RAbuseHandle: NELSO2-ARIN
RAbuseName:   Nelson, Frank A
RAbusePhone:  +1-770-661-2783 

RTechHandle: NELSO2-ARIN
RTechName:   Nelson, Frank A
RTechPhone:  +1-770-661-2783 

# ARIN WHOIS data and services are subject to the Terms of Use
# available at:
It has been my understanding that IP addresses that start with a are generally spam or malware.

I'm usually not paranoid, but now MNW has my email.
I'll check back after I do some scans.


20 Jan 2012   #4

Windows 8 Pro w/MC 32-bit

Quote: Originally Posted by Anak
...It has been my understanding that IP addresses that start with a are generally spam or malware...
Assuming you mean, I doubt that the "66" means anything. My ISP is Covad and all of my internet routable IPs begin ""
20 Jan 2012   #5

Windows 8.1 Pro RTM x64

20 Jan 2012   #6

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1

Mornin' Ron,

The operative word here is "generally".
Whenever I go to check on an IP address the 66 prefix stands out, why? I am not really sure, but somewhere in my observations it has.

It wasn't Imperfect1 that told me to download anything, all I was trying to do is relate my experience.
I do realize that ratings can be poisoned by hateful reviewers.

I was trying to be careful how I worded my last post because I did not want Imperfect1 to feel that I was sore about the advice that s/he offered.

Obviously, I failed.

Thank you Dwarf. I now have four more weapons in my arsenal.
20 Jan 2012   #7


My apologies if my suggestion to take a look at the article caused any problems. I've deleted the suggestion in my post above.

The purpose of my post was only to show that we can identify the hacker in some emails.
21 Jan 2012   #8

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1

No apologies are needed I1, you were only doing what you knew to be okay.

It has taken a day or so to reply because I wanted to think over how I would.
My first thought was I need something better than WOT to guard my wife, and me when we are surfing the web.
Even in Dwarf's links I ran across a WOT warning with the safe site info link.
It seems that WOT is even more paranoid than I am.

I did re-run the SecCheck program offered by MNW, and after several runs my machine is okay.

Since my last contact with you I had another spam email delivered with the blacked out sender, but this time I screwed up my courage, clicked on the link, and opened the Show Original link in my gmail tools.

I went through every address, and numerical IP address, with some addresses omitted for security:
Delivered-To:
Received: by   with SMTP id  ;
        Fri, 20 Jan 2012 21:31:39 -0800 (PST)
Received: by with SMTP id  ;
        Fri, 20 Jan 2012 21:31:37 -0800 (PST)
Return-Path: <>
Received: from ([ ])
        by with ESMTPS id
        (version=TLSv1/SSLv3 cipher=OTHER);
        Fri, 20 Jan 2012 21:31:37 -0800 (PST)
Received-SPF: softfail ( domain of transitioning does not designate 178. permitted sender) client-ip=178...;
Authentication-Results:; spf=softfail ( domain of transitioning does not designate permitted sender)
Received: from host -static. ( )
        by  with SMTP id  ;
        Sat, 21 Jan 2012 06:29:53 +0100
Received: from ( []) by with SMTP id wcy59W64LLSci57441;
        Wed, 01 Feb 2012 02:20:59 -0300
From: "�i�i���������z�밪�~��DVD��.����-�g�j����" <>
Reply-To: "DVD���j.�M��26��-�槹���� " <>
Subject: ��H: ���z����.�U���̧C-��26��
To:
Message-ID: <>
X-Mailer: Microsoft Outlook Express 5.00.2615.200
Date: Wed, 01 Feb 2012 06:24:59 +0100
Organization: Microsoft Outlook Express 5.00.2615.200
Mime-Version: 1.0
Content-Type: multipart/alternative;
        boundary="=_NextPart_851_4frk_cys4ms53.xfoxxi4n"
X-FEAS-SBL: score 1
X-FEAS-SURL:

This is a multi-part message in MIME format.

--=_NextPart_851_4frk_cys4ms53.xfoxxi4n
Content-Type: text/plain; charset="big5"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

grain of sand inside football team, from gonad, and beyond customer are what made America great!He called her Tabatha (or was it Tabatha?).living with plaintiff, bonbon beyond, and from defendant are what made America great!

--=_NextPart_851_4frk_cys4ms53.xfoxxi4n
Content-Type: text/html; charset="big5"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
lpupxmjr
<p>&nbsp;</p>
<p>&nbsp;</p>
<a rel=3D"nofollow" target=3D"_blank" href=3D""><=
font color=3D"#669933"<font size=3D"6"><b>=A5~=AD=B1=BC=F6=AA=BA=ADn-=A6=BA=
=A6b=AEa.=AC=DDA=A4=F9=B3=CC=B2n</b></font></a>

--=_NextPart_851_4frk_cys4ms53.xfoxxi4n--
when I came across a link to spandle at .
I punched it into the Google Safe Browsing Diagnostic, and this is what came out:
New to me, versions of spam-gd.jpg
Don't click on that link to spandle. The only way I could defeat the link was to remove the @ sign, and replace it with at.
Even the remove link feature here in the forum wouldn't do it.

Now that I am armed with the information I can alert hotmail, and all of the corresponding dependencies of this email to what is happening.
As I was getting this ready I received another blackie, only this time it was from AOL.
What's that saying...An alert user's (woman's) work is never done?

I feel sad that you felt you had to remove that link to MNW because of a reaction that I took.
If you have been doing anything a certain way, and it has always come out on the plus side then continue to do it.

There is never any reason to apologize, if you know in your heart the course of action that you take is right.
Steven Y, 1951 - 20??
You know, that sounds pretty good. I think I'll add that to my sig....
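
Added example, not written by any poster in this thread: a short Python script that does the header reading described in posts #2, #3 and #8 on a raw message saved from "Show Original" or "View Message Source". It lists the bracketed IP of each Received hop, reads the Received-SPF verdict, and compares the Date header with the topmost Received timestamp, which is written by the recipient's own mail server while the Date header and lower Received lines are supplied by the sending side. The sample message is constructed (documentation-range IPs, example domains), and the name `analyze` is hypothetical.

```python
import email
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed sample: documentation-range IPs and example domains only.
SAMPLE = """\
Delivered-To: user@receiver.example
Received: from relay.example.net (relay.example.net [203.0.113.7])
        by mx.receiver.example with ESMTPS id abc123;
        Fri, 20 Jan 2012 21:31:37 -0800 (PST)
Received-SPF: softfail (mx.receiver.example: domain of transitioning sender@example.org does not designate 203.0.113.7 as permitted sender) client-ip=203.0.113.7;
Received: from host (unknown [198.51.100.23])
        by relay.example.net with SMTP id def456;
        Sat, 21 Jan 2012 06:29:53 +0100
From: "Sender" <sender@example.org>
Date: Wed, 01 Feb 2012 06:24:59 +0100
Subject: constructed test message

body
"""

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def analyze(raw):
    """Summarise the relay chain, SPF verdict and Date skew of a raw message."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):  # top-most (newest) hop first
        ips = BRACKETED_IPV4.findall(value)
        stamp = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
        hops.append({"ip": ips[0] if ips else None, "time": stamp})
    spf = (msg.get("Received-SPF") or "none").split()[0].lower()
    findings = []
    if spf != "pass":
        findings.append(f"SPF result is {spf}")
    skew_hours = None
    if hops and msg["Date"]:
        # hops[0] was stamped by the recipient's server; Date is sender-supplied.
        skew = parsedate_to_datetime(msg["Date"]) - hops[0]["time"]
        skew_hours = round(skew.total_seconds() / 3600)
        if abs(skew) > timedelta(days=1):
            findings.append(f"Date header is {skew_hours} h off the receiving hop")
    return {"spf": spf, "hops": hops, "skew_hours": skew_hours, "findings": findings}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```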
