[Scspamcop] Re: eh?

jg connyank at cox.net
Wed Aug 1 11:35:56 EDT 2007 

On 7/31/2007 6:22 AM Mike Easter inquired:

> jg wrote:
>> This particular piece of garbage was duly reported:
> 
> This is a data.zip spam which I won't characterize right now, because
> its characteristics aren't 'strictly' germane to the discussion yet.
> 
> Your reporting style is to report to the source/spamvertiser, and also
> to report to some other 3rd parties.  The addresses of who is reported
> to would have to be 'derived' as they aren't immediately apparent from
> your trackers because of standard SC munge.  For now, suffice it to say
> that your report went 'out there' to some number of addresses, where
> your report has the spam attached.  It is not large enough to be
> truncated by SC., but it isn't 'small'.
> 
>> got a strange reject msg
> 
> That mail is from kddi.ne.jp about the kddi server not being successful
> in sending your mail to spaaaaaam at gmail.com because the gmail server
> rejected it.
> 
>> kddi.ne.jp never figured into orig report - did I miss something?
> 
> Your manual report from your own Tbird via cox's mailserver was
> addressed To: cox <x>, FTC <x>,  Phish report <x>,  SC <x>
> and one of those addresses resulted in your/that mail going from cox >
> ikmta.ironkey.com > kddi.ne.jp on its way to gmail's server, which
> rejected it.
> 
> That indicates to me that one of your addressees was configured to
> forward things via that path to the gmail username spaaaaaam.  It isn't
> possible to see which that was from the SC munge.  It might possibly be
> found in one of the header Received tracelines if you look at the
> original.  I suggest you check out the kddi.ne.jp mail in the line which
> starts with:
> 
> Received: from ikmta.ironkey.com
> 
> There is a munged 'for <x>'  deep in the 'by' field that might contain a
> recognizable addy.  Perhaps it is the phish report recipient.
> 

I think it that recipient as well.  I've been sending reports to them
for a while, adding to their database.  I started reporting to them when
I was loking to report phishes for which I could not find a decent abuse
addy.
That address is reportphishing at  antiphishing.org.  Last month, out of
the blue, I got 2 rejects from them, I forget what the reject was but it
was a straight reject.  This appears to be a redirect.  Curious, but
I'll have to wait till the next one - am tied up in other things for the
moment, which is why I took so long to reply.

More information about the SCspamcop mailing list