From g.hyde at bigNOSPAMpond.net.au Fri Feb 5 20:59:35 2010
From: g.hyde at bigNOSPAMpond.net.au (Geoffrey Hyde)
Date: Fri Feb 5 21:00:07 2010
Subject: [Scspamcop] Beware of scammers phishing for information by pretending to be from disaster relief.
Message-ID:

How low will the scammers go? Wonder no more:

http://www.spamcop.net/sc?id=z3713126835ze359d6c73d16147a1df46e4b43786227z

I'm pretty sure that the websites listed in this scam email are IB's as
SpamCop did not pick them up as actually being websites.


Cheers ...

Geoffrey Hyde

From nobody at spamcop.net Fri Feb 5 21:48:21 2010
From: nobody at spamcop.net (bar0)
Date: Fri Feb 5 21:50:09 2010
Subject: [Scspamcop] Re: Beware of scammers phishing for information by pretending to be from disaster relief.
References:
Message-ID:

"Geoffrey Hyde" wrote in message
news:hkiif5$53i$1@news.spamcop.net...
> How low will the scammers go? Wonder no more:

Wherever they can smell money. No Sh*t!

From user at domain.invalid Fri Feb 5 21:55:14 2010
From: user at domain.invalid (Farelf)
Date: Fri Feb 5 22:00:08 2010
Subject: [Scspamcop] Re: Beware of scammers phishing for information by pretending to be from disaster relief.
In-Reply-To:
References:
Message-ID:

Geoffrey Hyde wrote:
> How low will the scammers go? Wonder no more:
>
> http://www.spamcop.net/sc?id=z3713126835ze359d6c73d16147a1df46e4b43786227z
>
> I'm pretty sure that the websites listed in this scam email are IB's as
> SpamCop did not pick them up as actually being websites.
>
>
> Cheers ...
>
> Geoffrey Hyde
>
>
>

Possibly - it's the "Web:" in front of the domain/page that baulks the
parser, the author evidently wants that site left out of any report
generation and you have to wonder why a phisher (already established as
the lowest of the low, lower-than-a-python's-belly class) would be so
considerate of somebody else's website if it was just there for
camouflage - and not very convincing camo unless someone's obliging mail
client somehow renders that text as clickable links.

The e-mail address will be far from innocent. The parser doesn't
volunteer e-mail address resolution (hasn't for a long time, not even in
the body) but will do it as a separate paste-in operation:

Parsing input: helphaiti[at]in.com
123.108.40.1 is an MX ( 10 ) for in.com
Routing details for 123.108.40.1
[refresh/show] Cached whois for 123.108.40.1 : network[at]netmagicsolutions.com
Using abuse net on network[at]netmagicsolutions.com
abuse net netmagicsolutions.com = abuse[at]netmagicsolutions.com
Using best contacts abuse[at]netmagicsolutions.com

And we can see from DNS lookup elsewhere
route: 123.108.32.0/19
descr: Netmagic Datacenter Mumbai

From DLipman~nospam~ at Verizon.Net Fri Feb 5 22:12:07 2010
From: DLipman~nospam~ at Verizon.Net (David H. Lipman)
Date: Fri Feb 5 22:15:08 2010
Subject: [Scspamcop] Re: Beware of scammers phishing for information by pretending to be from disaster relief.
References:
Message-ID:

From: "Geoffrey Hyde"

| How low will the scammers go? Wonder no more:
| http://www.spamcop.net/sc?id=z3713126835ze359d6c73d16147a1df46e4b43786227z
| I'm pretty sure that the websites listed in this scam email are IB's as
| SpamCop did not pick them up as actually being websites.
| Cheers ...
| Geoffrey Hyde

How about scammers pretending to offer you a job.
Watch out for Michael Garcia pretending to offer a position at Bechtel Corp.

It is called Social Engineering and it is *very* effective as it is the human exploit.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

From joegill at removethis Sat Feb 6 11:13:47 2010
From: joegill at removethis (Joe Gill)
Date: Sat Feb 6 11:15:08 2010
Subject: [Scspamcop] Re: Beware of scammers phishing for information by pretending to be from disaster relief.
In-Reply-To:
References:
Message-ID:

"Geoffrey Hyde" wrote in message
news:hkiif5$53i$1@news.spamcop.net...
> How low will the scammers go? Wonder no more:
>
> http://www.spamcop.net/sc?id=z3713126835ze359d6c73d16147a1df46e4b43786227z
>
> I'm pretty sure that the websites listed in this scam email are IB's as
> SpamCop did not pick them up as actually being websites.
>
>
> Cheers ...
>
> Geoffrey Hyde
>
>

My 'modus operandi' on most emails that solicit information is as follows:

A) Parse it and see if it looks legitimate. Report it if genuine spam.
B) Usually if it is outside the US or Canada, I delete it...
B) Look at what they are asking.
C) Find the REAL site via Google and go there.
D) I hardly ever click on an email link unless
   -1- It contains certain info that I know is not general knowledge about me
   -2- AND the link is clear
   -3- AND it is someplace I have a genuine relationship with

As for scam sites related to Haiti, people should pick charities they
know and TRUST.... and go directly to their site.

Also if giving to Haiti relief, I would research on the organizations
that were MOST effective during Katrina, and it's not necessarily the big
one that comes to mind!

From nobody at spamcop.net Sun Feb 7 18:42:58 2010
From: nobody at spamcop.net (Twayne)
Date: Sun Feb 7 18:45:08 2010
Subject: [Scspamcop] FYI Virus; 3rd time I've received it
Message-ID:

FYI, this French PayPal notice arrived three times so far here by e-mail.
Norton fortunately catches and removes the attachment; Insight shows it as
Level III (dangerous/malicious) and one that invites other trojans in.
XP SP3, OE6 IE8

STRANGE THING: NO TRACKER WAS GIVEN!

-------
Parsing input: 41.248.213.106
Routing details for 41.248.213.106
[refresh/show] Cached whois for 41.248.213.106 : elasri@menara.ma oumlil@iam.net.ma
Using last resort contacts elasri@menara.ma oumlil@iam.net.ma

Statistics:
41.248.213.106 not listed in bl.spamcop.net
More Information..
41.248.213.106 not listed in dnsbl.njabl.org ( 127.0.0.8 )
41.248.213.106 not listed in dnsbl.njabl.org ( 127.0.0.9 )
41.248.213.106 not listed in cbl.abuseat.org
41.248.213.106 not listed in dnsbl.sorbs.net

Reporting addresses:
elasri@menara.ma
oumlil@iam.net.ma
--------
Parsing input: 147.202.32.97
Routing details for 147.202.32.97
[refresh/show] Cached whois for 147.202.32.97 : abuse@layeredtech.com
Using abuse net on abuse@layeredtech.com
abuse net layeredtech.com = abuse@layeredtech.com
Using best contacts abuse@layeredtech.com

Statistics:
147.202.32.97 not listed in bl.spamcop.net
More Information..
147.202.32.97 not listed in dnsbl.njabl.org ( 127.0.0.8 )
147.202.32.97 not listed in dnsbl.njabl.org ( 127.0.0.9 )
147.202.32.97 not listed in cbl.abuseat.org
147.202.32.97 not listed in dnsbl.sorbs.net

Reporting addresses:
abuse@layeredtech.com
------------
Source Code:

Return-Path:
Delivered-To: X
Received: (qmail 3869 invoked from network); 7 Feb 2010 -0000
Received: from ns7.nameway.com (HELO host7.nameway.com) (memberids:?247569376@147.202.32.97)
  by q5-in-norm.netfirms.com with SMTP; 7 Feb 2010
X-Remote-Host: ns7.nameway.com
X-RBL-Msg: none
Received: from nobody by host7.nameway.com with local (Exim 4.69)
  (envelope-from ) id X for X Sun, 07 Feb 2010
To:X
Subject: [Norton AntiSpam]L'acc?s ? votre c?mpte est restreint!
X-PHP-Script: support.worldnet.nl/euro).php for
From: PaypaI?2010
Reply-To: PaypaI@Contact.fr
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: base64
Message-Id:
Date: Sun, 07 Feb 2010 22:35:54 +0100
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - host7.nameway.com
X-AntiAbuse: Original Domain - X
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - host7.nameway.com
X-Brightmail-Tracker: ==

PHNwYW4gaWQ9ej4NCjx4aHRtbD4NCjxoZWFkPjx0aXRsZT5QYXlQYWw8L3RpdGxlPjwvaGVh
...
-----------------

Sorry about the missing tracker: There just wasn't one, for whatever reason.

Regards,

Twayne`

From DLipman~nospam~ at Verizon.Net Sun Feb 7 19:02:50 2010
From: DLipman~nospam~ at Verizon.Net (David H. Lipman)
Date: Sun Feb 7 19:05:08 2010
Subject: [Scspamcop] Re: FYI Virus; 3rd time I've received it
References:
Message-ID:

From: "Twayne"

| FYI, this French PayPal notice arrived three times so far here by e-mail.
| Norton fortunately catches and removes the attachment; Insight shows it as
| Level III (dangerous/malicious) and one that invites other trojans in.
| XP SP3, OE6 IE8

< snip >

What does/did Symantec declare the malware to be ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

From nobody at spamcop.net Mon Feb 8 13:21:46 2010
From: nobody at spamcop.net (Twayne)
Date: Mon Feb 8 13:25:07 2010
Subject: [Scspamcop] Re: FYI Virus; 3rd time I've received it
References:
Message-ID:

In news:hknkbb$te4$1@news.spamcop.net,
David H. Lipman typed:
> From: "Twayne"
>
>
>> FYI, this French PayPal notice arrived three times so far here by
>> e-mail. Norton fortunately catches and removes the attachment;
>> Insight shows it as Level III (dangerous/malicious) and one that
>> invites other trojans in. XP SP3, OE6 IE8
>
> < snip >
>
> What does/did Symantec declare the malware to be ?

Hmm, sorry about that! I should have thought of that myself.
============
From the Insight log:
Risk: High
Details: unknown00000000.data contained thr...
W32.Chir.B@mm(html) (inside e-mail attachment).

[ NO, I did NOT open or otherwise look at the e-mail in any way! ]

Detected by: E-mail scanner
Origin: not available
1 action performed
Email: all French language Subject, etc.,
Sender:PaypalA`(c) 2010
< Paypal@Contact.fr >
Programs that infect other programs, files, or areas of a computer by
inserting themselves or attaching themselves to that medium.
Status: Quarantined. UNKNOWN in the Norton Community.
File Release: unknown Risk: High
Final Disposition: Sent to Symantec
Deleted from Quarantine.
===========

That's about all the info I have on the business. It did apparently
partially begin to work because it damaged NIS (Norton Internet Security) so
it refused to run, at the same time killing the Firewall and AntiVirus
protection.

The information is from the last time it hit. No hits/blocks etc today but
several preceding it, and I DID experience the unexplained destruction of
NIS twice before this, days apart so it's apparently been drilling away at
me (and others) with some sort of "plan".
I threw every AV and malware scanner I owned at the machine yesterday and
discovered: XP's Security Center had been turned off. So it's a good thing
Norton Insight alerted me!
AV found nothing. Spybot S&D stopped a HOSTS file entry change. Adaware
found something else I forget now, and MalwareBytes was trashed and won't
run. I've redownloaded it but not reinstalled it yet.
So, even though everything appeared to continue to work just fine, there
was some rather substantial damage done that a newbie possibly wouldn't have
discovered until they had quite a mess built up if it wasn't stopped.

BTW, Norton claims to have known about this virus since 2002 from the look
of it, so it's not new and Norton did do most of its job (some damage was
still done) by removing it.

Sorry to be so verbose; just wanted to advise as much as I know. I've tried
to be accurate, but cannot take any responsibility for misinformation in the
above.

Regards,

Twayne`
--
Life is the only real counselor; wisdom unfiltered
through personal experience does not become a
part of the moral tissue.

From nobody at spamcop.net Mon Feb 8 14:31:35 2010
From: nobody at spamcop.net (bar0)
Date: Mon Feb 8 14:35:08 2010
Subject: [Scspamcop] Re: FYI Virus; 3rd time I've received it
In-Reply-To:
References:
Message-ID:

"Twayne" wrote in message news:hkpknm$j72$1@news.spamcop.net...
> In news:hknkbb$te4$1@news.spamcop.net,
> David H. Lipman typed:
>> From: "Twayne"
>>
>>
>>> FYI, this French PayPal notice arrived three times so far here by
>>> e-mail. Norton fortunately catches and removes the attachment;
>>> Insight shows it as Level III (dangerous/malicious) and one that
>>> invites other trojans in. XP SP3, OE6 IE8
>>
>> < snip >
>>
>> What does/did Symantec declare the malware to be ?
>
> Hmm, sorry about that! I should have thought of that myself.
> ============
> From the Insight log:
> Risk: High
> Details: unknown00000000.data contained thr...
> W32.Chir.B@mm(html) (inside e-mail attachment).
>
> [ NO, I did NOT open or otherwise look at the e-mail in any way! ]
> ........................

I don't get it, how can a malware attachment sitting in your mail store,
PST, OST, or attachments directory have trashed anything before SNorton
removed it? I've had lots (large lots) of malware arriving in mails, none of
it's ever done anything to me.

Even WetlookExpress 5 (or was it 6 already?) never did anything with the
malware that came its way. It's not harmful until something opens it and
does something with it. Now I never permitted OE to auto open attachments
either and never use a preview pane.

From DLipman~nospam~ at Verizon.Net Mon Feb 8 16:50:20 2010
From: DLipman~nospam~ at Verizon.Net (David H. Lipman)
Date: Mon Feb 8 16:55:08 2010
Subject: [Scspamcop] Re: FYI Virus; 3rd time I've received it
References:
Message-ID:

From: "Twayne"

| In news:hknkbb$te4$1@news.spamcop.net,
| David H. Lipman typed:
>> From: "Twayne"
>>> FYI, this French PayPal notice arrived three times so far here by
>>> e-mail. Norton fortunately catches and removes the attachment;
>>> Insight shows it as Level III (dangerous/malicious) and one that
>>> invites other trojans in. XP SP3, OE6 IE8
>> < snip >
>> What does/did Symantec declare the malware to be ?
| Hmm, sorry about that! I should have thought of that myself.
| ============
| From the Insight log:
| Risk: High
| Details: unknown00000000.data contained thr...
| W32.Chir.B@mm(html) (inside e-mail attachment).
| [ NO, I did NOT open or otherwise look at the e-mail in any way! ]
| Detected by: E-mail scanner
| Origin: not available
| 1 action performed
| Email: all French language Subject, etc.,
| Sender:PaypalA`(c) 2010
| < Paypal@Contact.fr >
| Programs that infect other programs, files, or areas of a computer by
| inserting themselves or attaching themselves to that medium.
| Status: Quarantined. UNKNOWN in the Norton Community.
| File Release: unknown Risk: High
| Final Disposition: Sent to Symantec
| Deleted from Quarantine.
| ===========
| That's about all the info I have on the business. It did apparently
| partially begin to work because it damaged NIS (Norton Internet Security) so
| it refused to run, at the same time killing the Firewall and AntiVirus
| protection.
| The information is from the last time it hit. No hits/blocks etc today but
| several preceding it, and I DID experience the unexplained destruction of
| NIS twice before this, days apart so it's apparently been drilling away at
| me (and others) with some sort of "plan".
| I threw every AV and malware scanner I owned at the machine yesterday and
| discovered: XP's Security Center had been turned off. So it's a good thing
| Norton Insight alerted me!
| AV found nothing. Spybot S&D stopped a HOSTS file entry change. Adaware
| found something else I forget now, and MalwareBytes was trashed and won't
| run. I've redownloaded it but not reinstalled it yet.
| So, even though everything appeared to continue to work just fine, there
| was some rather substantial damage done that a newbie possibly wouldn't have
| discovered until they had quite a mess built up if it wasn't stopped.
| BTW, Norton claims to have known about this virus since 2002 from the look
| of it, so it's not new and Norton did do most of its job (some damage was
| still done) by removing it.
| Sorry to be so verbose; just wanted to advise as much as I know. I've tried
| to be accurate, but cannot take any responsibility for misinformation in the
| above.
| Regards,
| Twayne`
| --
| Life is the only real counselor; wisdom unfiltered
| through personal experience does not become a
| part of the moral tissue.

Yes, this is an 8 yr old Mass Mailer worm (@MM suffix in the name means Mass Mailer)
http://www.symantec.com/security_response/writeup.jsp?docid=2002-072920-3942-99
Note: Risk Level 2

What ISP are you receiving this email through ?
I ask because most ISP's use an anti virus application at the email server
and thus you shouldn't be getting the email or at least the email stripped
of the attachment.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

From DLipman~nospam~ at Verizon.Net Mon Feb 8 16:51:50 2010
From: DLipman~nospam~ at Verizon.Net (David H. Lipman)
Date: Mon Feb 8 16:55:08 2010
Subject: [Scspamcop] Re: FYI Virus; 3rd time I've received it
References:
Message-ID:

From: "bar0"

| I don't get it, how can a malware attachment sitting in your mail store,
| PST, OST, or attachments directory have trashed anything before SNorton
| removed it? I've had lots (large lots) of malware arriving in mails, none of
| it's ever done anything to me.
| Even WetlookExpress 5 (or was it 6 already?) never did anything with the
| malware that came its way. It's not harmful until something opens it and
| does something with it. Now I never permitted OE to auto open attachments
| either and never use a preview pane.

It can't UNLESS the email body used HTML exploit code that can cause the
attachment to be auto-executed.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

From nobody at spamcop.net Mon Feb 8 17:21:09 2010
From: nobody at spamcop.net (Twayne)
Date: Mon Feb 8 17:25:07 2010
Subject: [Scspamcop] Re: FYI Virus; 3rd time I've received it
References:
Message-ID:

In news:hkpoqn$kld$1@news.spamcop.net,
bar0 typed:
> "Twayne" wrote in message
> news:hkpknm$j72$1@news.spamcop.net...
>> In news:hknkbb$te4$1@news.spamcop.net,
>> David H. Lipman typed:
>>> From: "Twayne"
>>>
>>>
>>>> FYI, this French PayPal notice arrived three times so far here by
>>>> e-mail. Norton fortunately catches and removes the attachment;
>>>> Insight shows it as Level III (dangerous/malicious) and one that
>>>> invites other trojans in. XP SP3, OE6 IE8
>>>
>>> < snip >
>>>
>>> What does/did Symantec declare the malware to be ?
>>
>> Hmm, sorry about that! I should have thought of that myself.
>> ============
>> From the Insight log:
>> Risk: High
>> Details: unknown00000000.data contained thr...
>> W32.Chir.B@mm(html) (inside e-mail attachment).
>>
>> [ NO, I did NOT open or otherwise look at the e-mail in any way! ]
>> ........................
>
> I don't get it, how can a malware attachment sitting in your mail
> store, PST, OST, or attachments directory have trashed anything
> before SNorton removed it? I've had lots (large lots) of malware
> arriving in mails, none of it's ever done anything to me.
>
> Even WetlookExpress 5 (or was it 6 already?) never did anything with
> the malware that came its way. It's not harmful until something opens
> it and does something with it. Now I never permitted OE to auto open
> attachments either and never use a preview pane.

Afraid I'm just the intended victim here; no idea. I do know I've read
several times in reputable places that malware can be triggered without
opening/viewing/etc. it but that's as far as my knowledge goes.
It's also possible I suppose that I may have had multiple things get by
somehow, although I haven't downloaded anything in a long, long time, nor
visited unknown websites, but those can all end up being "famous last
words" too.
Perhaps someone more knowledgeable will chime in.

Regards,

Twayne`

--
--
Life is the only real counselor; wisdom unfiltered
through personal experience does not become a
part of the moral tissue.

From nobody at spamcop.net Mon Feb 8 17:28:29 2010
From: nobody at spamcop.net (Twayne)
Date: Mon Feb 8 17:30:07 2010
Subject: [Scspamcop] Re: FYI Virus; 3rd time I've received it
References:
Message-ID:

In news:hkq0uu$nce$1@news.spamcop.net,
David H. Lipman typed:
> From: "Twayne"
>
>> In news:hknkbb$te4$1@news.spamcop.net,
>> David H. Lipman typed:
>>> From: "Twayne"
>
>
>>>> FYI, this French PayPal notice arrived three times so far here by
>>>> e-mail. Norton fortunately catches and removes the attachment;
>>>> Insight shows it as Level III (dangerous/malicious) and one that
>>>> invites other trojans in. XP SP3, OE6 IE8
>
>>> < snip >
>
>>> What does/did Symantec declare the malware to be ?
>
>> Hmm, sorry about that! I should have thought of that myself.
>> ============
>> From the Insight log:
>> Risk: High
>> Details: unknown00000000.data contained thr...
>> W32.Chir.B@mm(html) (inside e-mail attachment).
>
>> [ NO, I did NOT open or otherwise look at the e-mail in any way! ]
>
>> Detected by: E-mail scanner
>> Origin: not available
>> 1 action performed
>> Email: all French language Subject, etc.,
>> Sender:PaypalA`(c) 2010
>> < Paypal@Contact.fr >
>> Programs that infect other programs, files, or areas of a
>> computer by inserting themselves or attaching themselves to that
>> medium.
>> Status: Quarantined. UNKNOWN in the Norton Community.
>> File Release: unknown Risk: High
>> Final Disposition: Sent to Symantec
>> Deleted from Quarantine.
>> ===========
>
>> That's about all the info I have on the business. It did apparently
>> partially begin to work because it damaged NIS (Norton Internet
>> Security) so it refused to run, at the same time killing the
>> Firewall and AntiVirus protection.
>
>> The information is from the last time it hit. No hits/blocks etc
>> today but several preceding it, and I DID experience the unexplained
>> destruction of NIS twice before this, days apart so it's apparently
>> been drilling away at me (and others) with some sort of "plan".
>> I threw every AV and malware scanner I owned at the machine
>> yesterday and discovered: XP's Security Center had been turned off.
>> So it's a good thing Norton Insight alerted me!
>> AV found nothing. Spybot S&D stopped a HOSTS file entry change.
>> Adaware found something else I forget now, and MalwareBytes was
>> trashed and won't run. I've redownloaded it but not reinstalled it
>> yet. So, even though everything appeared to continue to work just
>> fine, there was some rather substantial damage done that a newbie
>> possibly wouldn't have discovered until they had quite a mess built
>> up if it wasn't stopped.
>
>> BTW, Norton claims to have known about this virus since 2002 from
>> the look of it, so it's not new and Norton did do most of its job
>> (some damage was still done) by removing it.
>
>> Sorry to be so verbose; just wanted to advise as much as I know.
>> I've tried to be accurate, but cannot take any responsibility for
>> misinformation in the above.
>
>> Regards,
>
>> Twayne`
>> --
>> Life is the only real counselor; wisdom unfiltered
>> through personal experience does not become a
>> part of the moral tissue.
>
>
> Yes, this is an 8 yr old Mass Mailer worm (@MM suffix in the name
> means Mass Mailer)
> http://www.symantec.com/security_response/writeup.jsp?docid=2002-072920-3942-99
> Note: Risk Level 2
>
> What ISP are you receiving this email through ?
> I ask because most ISP's use an anti virus application at the email
> server and thus you shouldn't be getting the email or at least the
> email stripped of the attachment.

Say, that's a good point! It came thru my web site's web mail which is
popped to my OE mail and so traverses Verizon/Yahoo servers to get to me.
Which also means it's likely still sitting there on the server! And YES, I
have spam and AV protection turned on, on the server.
I'll look into that and get rid of it; guess I'll let them know too.
I'll definitely mark it as spam if nothing else!

Thanks for the catch! Sometimes I get forgetful.

Regards,

Twayne`

--
--
Life is the only real counselor; wisdom unfiltered
through personal experience does not become a
part of the moral tissue.

From nobody at spamcop.net Mon Feb 8 17:36:29 2010
From: nobody at spamcop.net (bar0)
Date: Mon Feb 8 17:40:08 2010
Subject: [Scspamcop] Re: FYI Virus; 3rd time I've received it
In-Reply-To:
References:
Message-ID:

"Twayne" wrote in message news:hkq2oh$o5h$1@news.spamcop.net...
> In news:hkpoqn$kld$1@news.spamcop.net,
> bar0 typed:
>> "Twayne" wrote in message
>> news:hkpknm$j72$1@news.spamcop.net...
>>> In news:hknkbb$te4$1@news.spamcop.net,
>>> David H. Lipman typed:
>>>> From: "Twayne"
>>>>
>>>>
>>>>> FYI, this French PayPal notice arrived three times so far here by
>>>>> e-mail. Norton fortunately catches and removes the attachment;
>>>>> Insight shows it as Level III (dangerous/malicious) and one that
>>>>> invites other trojans in. XP SP3, OE6 IE8
>>>>
>>>> < snip >
>>>>
>>>> What does/did Symantec declare the malware to be ?
>>>
>>> Hmm, sorry about that! I should have thought of that myself.
>>> ============
>>> From the Insight log:
>>> Risk: High
>>> Details: unknown00000000.data contained thr...
>>> W32.Chir.B@mm(html) (inside e-mail attachment).
>>>
>>> [ NO, I did NOT open or otherwise look at the e-mail in any way! ]
>>> ........................
>>
>> I don't get it, how can a malware attachment sitting in your mail
>> store, PST, OST, or attachments directory have trashed anything
>> before SNorton removed it? I've had lots (large lots) of malware
>> arriving in mails, none of it's ever done anything to me.
>>
>> Even WetlookExpress 5 (or was it 6 already?) never did anything with
>> the malware that came its way. It's not harmful until something opens
>> it and does something with it. Now I never permitted OE to auto open
>> attachments either and never use a preview pane.
>
> Afraid I'm just the intended victim here; no idea. I do know I've read
> several times in reputable places that malware can be triggered without
> opening/viewing/etc. it but that's as far as my knowledge goes.
> It's also possible I suppose that I may have had multiple things get by
> somehow, although I haven't downloaded anything in a long, long time, nor
> visited unknown websites, but those can all end up being "famous last
> words" too.
> Perhaps someone more knowledgeable will chime in.

So you've been experiencing something like Heidi then?

From nobody at spamcop.net Mon Feb 8 17:43:19 2010
From: nobody at spamcop.net (Twayne)
Date: Mon Feb 8 17:45:08 2010
Subject: [Scspamcop] PS Re: FYI Virus; 3rd time I've received it
References:
Message-ID:

Just noticed the Level 2 from Symantec; didn't notice it my first time there
today: However, Norton (Symantec) NIS 2010 clearly listed it as "HIGH" risk
which I think is Level III IIRC here, not Level II.
That's interesting.
I know it asked to send the file to Symantec, so I let
it do so. Insight mentioned in one sentence that it also downloads other
malware, which Symantec doesn't seem to mention and there was no mention of
the mass mailing end of things. I keep two of my own e-mail addresses in my
address book just in case it gets mass mailed; no sign of anything yet.
I wonder if it's been reworked or something? I don't have a good handle
on this sort of thing so I can't really make much of a judgement except to
point out the discrepancies.

Nothing substantial has changed on this machine in quite a while except for
win updates, so I think I'll re-image this sucker back about a month and
rerun the scanners tonite, just for GPs. If I've got some botched images
that far back I'll literally scream loud enough for the whole neighborhood
to hear me!

I checked my webmail; the subject e-mail wasn't there. I forgot, I delete
them the day after they're forwarded to me, so I just missed it. A mind is a
terrible thing to lose! lol

Regards,

Twayne`

In news:hkq0uu$nce$1@news.spamcop.net,
David H. Lipman typed:
> From: "Twayne"
>
>> In news:hknkbb$te4$1@news.spamcop.net,
>> David H. Lipman typed:
>>> From: "Twayne"
>
>
>>>> FYI, this French PayPal notice arrived three times so far here by
>>>> e-mail. Norton fortunately catches and removes the attachment;
>>>> Insight shows it as Level III (dangerous/malicious) and one that
>>>> invites other trojans in. XP SP3, OE6 IE8
>
>>> < snip >
>
>>> What does/did Symantec declare the malware to be ?
>
>> Hmm, sorry about that! I should have thought of that myself.
>> ============
>> From the Insight log:
>> Risk: High
>> Details: unknown00000000.data contained thr...
>> W32.Chir.B@mm(html) (inside e-mail attachment).
>
>> [ NO, I did NOT open or otherwise look at the e-mail in any way! ]
>
>> Detected by: E-mail scanner
>> Origin: not available
>> 1 action performed
>> Email: all French language Subject, etc.,
>> Sender:PaypalA`(c) 2010
>> < Paypal@Contact.fr >
>> Programs that infect other programs, files, or areas of a
>> computer by inserting themselves or attaching themselves to that
>> medium.
>> Status: Quarantined. UNKNOWN in the Norton Community.
>> File Release: unknown Risk: High
>> Final Disposition: Sent to Symantec
>> Deleted from Quarantine.
>> ===========
>
>> That's about all the info I have on the business. It did apparently
>> partially begin to work because it damaged NIS (Norton Internet
>> Security) so it refused to run, at the same time killing the
>> Firewall and AntiVirus protection.
>
>> The information is from the last time it hit. No hits/blocks etc
>> today but several preceding it, and I DID experience the unexplained
>> destruction of NIS twice before this, days apart so it's apparently
>> been drilling away at me (and others) with some sort of "plan".
>> I threw every AV and malware scanner I owned at the machine
>> yesterday and discovered: XP's Security Center had been turned off.
>> So it's a good thing Norton Insight alerted me!
>> AV found nothing. Spybot S&D stopped a HOSTS file entry change.
>> Adaware found something else I forget now, and MalwareBytes was
>> trashed and won't run. I've redownloaded it but not reinstalled it
>> yet. So, even though everything appeared to continue to work just
>> fine, there was some rather substantial damage done that a newbie
>> possibly wouldn't have discovered until they had quite a mess built
>> up if it wasn't stopped.
>
>> BTW, Norton claims to have known about this virus since 2002 from
>> the look of it, so it's not new and Norton did do most of its job
>> (some damage was still done) by removing it.
>
>> Sorry to be so verbose; just wanted to advise as much as I know.
>> I've tried to be accurate, but cannot take any responsibility for
>> misinformation in the above.
> >> Regards, > >> Twayne` >> -- >> Life is the only real counselor; wisdom unfiltered >> through personal experience does not become a >> part of the moral tissue. > > > Yes, this is an 8 yr old Mass Mailer worm (@MM suffix in the name > means Mass Mailer) > http://www.symantec.com/security_response/writeup.jsp?docid=2002-072920-3942-99 > Note: Risk Level 2 > > What ISP are you receiving this email through ? > I ask because most ISP's use an anti virus application at the email > server and thus you shouldn't be getting the email or at least the > email stripped of the attachment. -- -- Life is the only real counselor; wisdom unfiltered through personal experience does not become a part of the moral tissue. From DLipman~nospam~ at Verizon.Net Mon Feb 8 19:48:41 2010 From: DLipman~nospam~ at Verizon.Net (David H. Lipman) Date: Mon Feb 8 19:50:08 2010 Subject: [Scspamcop] Re: PS Re: FYI Virus; 3rd time I've received it References: Message-ID: From: "Twayne" | Just noticed the Level 2 from Symantec; didn't notice it my first time there | today: However, Norton (Symantec) NIS 2010 clearly listed it as "HIGH" risk | which I think is Level III IIRC here, not Level II. | That's interesting. I know it asked to send the file to Symantec, so I let | it do so. Insight mentioned in one sentence that it also downloads other | malware, which Symantec doesn't seem to mention and there was no mention of | the mass mailing end of things. I keep two of my own e-mail addresses in my | address book just in case it gets mass mailed; no sign of anything yet. | I wonder if it's been reworked or something? I don't have a good handle | on this sort of thing so I can't really make much of a judgement except to | point out the discrepencies. | Nothing substantial has changed on this machine in quite awhile except for | win updates, so I think I'll re-image this sucker back about a month and | rerun the scanners tonite, just for GPs. 
| If I've got some botched images
| that far back I'll literally scream loud enough for the whole neighborhood
| to hear me!
| I checked my webmail; the subject e-mail wasn't there. I forgot, I delete
| them the day after they're forwarded to me, so I just missed it. A mind is a
| terrible thing to lose! lol
| Regards,
| Twayne`

Symantec is so inconsistent. :-(

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

From nobody at spamcop.net Mon Feb 8 20:39:09 2010
From: nobody at spamcop.net (Twayne)
Date: Mon Feb 8 20:40:07 2010
Subject: [Scspamcop] Re: FYI Virus; 3rd time I've received it
References:
Message-ID:

In news:hkq3le$oda$1@news.spamcop.net,
bar0 typed:
> "Twayne" wrote in message
> news:hkq2oh$o5h$1@news.spamcop.net...
>> In news:hkpoqn$kld$1@news.spamcop.net,
>> bar0 typed:
>>> "Twayne" wrote in message
>>> news:hkpknm$j72$1@news.spamcop.net...
>>>> In news:hknkbb$te4$1@news.spamcop.net,
>>>> David H. Lipman typed:
>>>>> From: "Twayne"
>>>>>
>>>>>
>>>>>> FYI, this French PayPal notice arrived three times so far here by
>>>>>> e-mail. Norton fortunately catches and removes the attachment;
>>>>>> Insight shows it as Level III (dangerous/malicious) and one that
>>>>>> invites other trojans in. XP SP3, OE6 IE8
>>>>>
>>>>> < snip >
>>>>>
>>>>> What does/did Symantec declare the malware to be ?
>>>>
>>>> Hmm, sorry about that! I should have thought of that myself.
>>>> ============
>>>> From the Insight log:
>>>> Risk: High
>>>> Details: unknown00000000.data contained thr...
>>>> W32.Chir.B@mm(html) (inside e-mail attachment).
>>>>
>>>> [ NO, I did NOT open or otherwise look at the e-mail in any way! ]
>>>> ........................
>>>
>>> I don't get it , how can a malware attachment sitting in your mail
>>> store, PST, OST, or attachments directory have trashed anything
>>> before SNorton removed it? I've had lots (large lots) of malware
>>> arriving in mails, none of it's ever done anything to me.
>>>
>>> Even WetlookExpress 5 (or was it 6 already?) never did anything with
>>> the malware that came its way. It's not harmful until something
>>> opens it and does something with it. Now I never permitted OE to
>>> auto open attachments either and never use a preview pane.
>>
>> Afraid I'm just the intended victim here; no idea. I do know I've
>> read several times in reputable places that malware can be triggered
>> without opening/viewing/etc. it but that's as far as my knowledge
>> goes. It's also possible I suppose that I may have had multiple
>> things get by somehow, although I haven't downloaded anything in a
>> long, long time, nor visited unknown websites, but those can all end
>> up being "famous last words" too.
>> Perhaps someone more knowledgeable will chime in.
>
> So you've been experiencing something like Heidi then?

Well, I probably would be except Norton caught it before it got more than
one "action" in, which seems to have been to kill my firewall and AV before
Norton successfully shut everything down e-mail wise. Since it was caught
during the incoming e-mail scan, I -think- it was deleted before much of it
got to hit the hard drive or get stored in any buffers anywhere.

I've run every diagnostic and scanner I can now, and found nothing plus
everything is working to "spec" so to speak, so I seem to be clean. I've
cleaned out quarantine, killed/restarted restore points, deep-scanned my
disk images, etc. etc. so I'm reasonably confident I'm OK. The piece I'm
really not sure of is whether it was just this one incident, or whether
some past incidents may have snuck in somehow without being detected. I
probably would be in the same boat though if this one had managed to get
in, I don't know. If nothing else it's been interesting.

Interesting of course is relative: My logs are showing about 5 attempts per
minute to log in, re-occurring about every 2 to 4 minutes. It started
yesterday morning, continued all day and night and all day today.
I'm guessing that I've now been "identified" as a possibility so it's
pounding on me over & over to get in. Unfortunately though, so far there's
nothing I can get hold of to completely block it; it's coming from all over
the world if the data collection can be believed.

At any rate, I've begun to minimize its chances of success by keeping the
modem power switch off except for long enough to download/upload e-mails
and surf with FF 3.6. I refuse to let bottom feeding bass turds scare me
off the 'net but at the same time I'm not stupid enough to give them all
the time in the world. Plus, since I use Netflix, once I turn the computer
off, the modem goes back on so I can watch the video-on-demand from Netflix
on TV. It took me awhile to be able to separate the Netflix traffic from
the "real" malicious attempts; it makes a mess of the log files. I've also
changed my gateway password, just in case.

Like I said, if nothing else it's interesting. I took a few minutes and
burned my latest image set to DVDs though, just in case I need to use it.
Fortunately I've nothing of any value on the computer that's not in an
encrypted state.

Cheers,

Twayne
--
Newsgroups are great places to get assistance. But always verify important
information with other sources to be certain you have a clear
understanding of it and that it is accurate.

From MikeE at ster.invalid Tue Feb 9 10:34:26 2010
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 9 10:35:08 2010
Subject: [Scspamcop] Re: FYI Virus; 3rd time I've received it
In-Reply-To:
References:
Message-ID:

Twayne wrote:
> Interesting of course is relative: My logs are showing about 5 attempts
> per minute to log in, re-occurring about every 2 to 4 minutes. It
> started yesterday morning, continued all day and night and all day
> today. I'm guessing that I've now been "identified" as a possibility so
> it's pounding on me over & over to get in.
> Unfortunately though, so far
> there's nothing I can get hold of to completely block it; it's coming
> from all over the world if the data collection can be believed.

Are we talking about router logs or what?

> At any rate, I've begun to minimize its chances of success by keeping
> the modem power switch off except for long enough to download/upload
> e-mails and surf with FF 3.6.

My cable modem has a standby function. That performs the equivalent of
disengaging my side of the modem while allowing the modem to be in
communication with its parent network.

--
Mike Easter

From nobody at spamcop.net Tue Feb 9 13:11:44 2010
From: nobody at spamcop.net (Twayne)
Date: Tue Feb 9 13:15:08 2010
Subject: [Scspamcop] Re: FYI Virus; 3rd time I've received it
References:
Message-ID:

In news:hkrva2$d9a$1@news.spamcop.net,
Mike Easter typed:
> Twayne wrote:
>
>> Interesting of course is relative: My logs are showing about 5
>> attempts per minute to log in, re-occurring about every 2 to 4
>> minutes. It started yesterday morning, continued all day and night
>> and all day today. I'm guessing that I've now been "identified" as a
>> possibility so it's pounding on me over & over to get in. Unfortunately
>> though, so far there's nothing I can get hold of to
>> completely block it; it's coming from all over the world if the data
>> collection can be believed.
>
> Are we talking about router logs or what?

A combo of logs actually; NIS's Recent History and the Westell router logs
for the more detailed stuff w/r to times/periods. NIS is too slow & uses
too much screen real estate to get volume information from it; there's
three screens of data per entry. But, NIS of course gives a lot more than
the router logs too since it's "calling home" to get details I imagine.
The wordings in the NIS log errors & counts are almost exactly verbatim of
what router shows, almost as though the two are communicating somehow.
I don't know how they'd communicate though since I haven't given the router
access password anywhere and don't even have it stored on the PC.

>
>> At any rate, I've begun to minimize its chances of success by
>> keeping the modem power switch off except for long enough to
>> download/upload e-mails and surf with FF 3.6.
>
> My cable modem has a standby function. That performs the equivalent
> of disengaging my side of the modem while allowing the modem to be in
> communication with its parent network.

Hmm, that would be handy; wonder if I have anything like it? Don't think
so but I'll have to look. As it is right now, it's just a power switch on
my power center to kill the modem. Of course there is the requisite
re-syncing delay when you turn it back on.

Interestingly enough, I left the modem on overnight last night and killed
power to the PC and there were a lot fewer hits last night. They're still
too many to count, but the list was a lot shorter from last night than from
the previous two nights. I wish now I'd thought to save the logs before I
cleared them. I seem to have gotten more curious about this crap than I
intended to get.

Finally got a chance to check the remaining limited accounts this AM;
nothing untoward that I could find in any of them. NOT gonna let that lull
me into a sense of possibly false security yet though.

Cheers,

Twayne`
--
Life is the only real counselor; wisdom unfiltered
through personal experience does not become a
part of the moral tissue.

From MikeE at ster.invalid Tue Feb 9 13:42:28 2010
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 9 13:45:09 2010
Subject: [Scspamcop] Re: FYI Virus; 3rd time I've received it
In-Reply-To:
References:
Message-ID:

Twayne wrote:
> Mike Easter
>> Are we talking about router logs or what?
> A combo of logs actually; NIS's Recent History and the Westell router
> logs for the more detailed stuff w/r to times/periods.
I don't know which Westell you have, but WallWatcher supports these
Westells and more I think:

Westell - Versalink 327W, 7500 (Verizon)

I really like the type of log analysis and graphic portrayal it does.
http://www.wallwatcher1.com/ collects, displays, and analyzes log
information from more than 135 Routers and firewalls

>> My cable modem has a standby function.
> Hmm, that would be handy; wonder if I have anything like it?

Mine is Motorola SB5101

--
Mike Easter

From nobody at spamcop.net Tue Feb 9 15:15:51 2010
From: nobody at spamcop.net (Twayne)
Date: Tue Feb 9 15:20:07 2010
Subject: [Scspamcop] Re: FYI Virus; 3rd time I've received it
References:
Message-ID:

In news:hksaal$h1p$1@news.spamcop.net,
Mike Easter typed:
> Twayne wrote:
>> Mike Easter
>
>>> Are we talking about router logs or what?
>
>> A combo of logs actually; NIS's Recent History and the Westell router
>> logs for the more detailed stuff w/r to times/periods.
>
> I don't know which Westell you have, but WallWatcher supports these
> Westells and more I think:
>
> Westell - Versalink 327W, 7500 (Verizon)
>
> I really like the type of log analysis and graphic portrayal it does.
> http://www.wallwatcher1.com/ collects, displays, and analyzes log
> information from more than 135 Routers and firewalls
>
>>> My cable modem has a standby function.
>
>> Hmm, that would be handy; wonder if I have anything like it?
>
> Mine is Motorola SB5101

Hmm, thanks, Mike. I'll check out wallwatcher1 and see what it looks like.
I do have a Westell 327W. I've never had much luck with sniffers et al but
this time I have a reason so maybe it'll make a difference.

Twayne
--
Life is the only real counselor; wisdom unfiltered
through personal experience does not become a
part of the moral tissue.
From nobody at spamcop.net Tue Feb 9 16:53:10 2010
From: nobody at spamcop.net (bar0)
Date: Tue Feb 9 16:55:07 2010
Subject: [Scspamcop] Re: FYI Virus; 3rd time I've received it
In-Reply-To:
References:
Message-ID:

"Twayne" wrote in message news:hksfpi$it1$1@news.spamcop.net...
> In news:hksaal$h1p$1@news.spamcop.net,
> Mike Easter typed:
>> Twayne wrote:
>>> Mike Easter
>>
>>>> Are we talking about router logs or what?
>>
>>> A combo of logs actually; NIS's Recent History and the Westell router
>>> logs for the more detailed stuff w/r to times/periods.
>>
>> I don't know which Westell you have, but WallWatcher supports these
>> Westells and more I think:
>>
>> Westell - Versalink 327W, 7500 (Verizon)
>>
>> I really like the type of log analysis and graphic portrayal it does.
>> http://www.wallwatcher1.com/ collects, displays, and analyzes log
>> information from more than 135 Routers and firewalls
>>
>>>> My cable modem has a standby function.
>>
>>> Hmm, that would be handy; wonder if I have anything like it?
>>
>> Mine is Motorola SB5101
>
> Hmm, thanks, Mike. I'll check out wallwatcher1 and see what it looks like.
> I do have a Westell 327W. I've never had much luck with sniffers et al but
> this time I have a reason so maybe it'll make a difference.
>

I'm still curious as to how getting an emailed trojan can infect you unless
you open or run the attachment.

From DLipman~nospam~ at Verizon.Net Tue Feb 9 18:27:34 2010
From: DLipman~nospam~ at Verizon.Net (David H. Lipman)
Date: Tue Feb 9 18:30:08 2010
Subject: [Scspamcop] Re: FYI Virus; 3rd time I've received it
References:
Message-ID:

From: "bar0"

| "Twayne" wrote in message
| news:hksfpi$it1$1@news.spamcop.net...
>> In news:hksaal$h1p$1@news.spamcop.net,
>> Mike Easter typed:
>>> Twayne wrote:
>>>> Mike Easter
>>>>> Are we talking about router logs or what?
>>>> A combo of logs actually; NIS's Recent History and the Westell router
>>>> logs for the more detailed stuff w/r to times/periods.
>>> I don't know which Westell you have, but WallWatcher supports these
>>> Westells and more I think:
>>> Westell - Versalink 327W, 7500 (Verizon)
>>> I really like the type of log analysis and graphic portrayal it does.
>>> http://www.wallwatcher1.com/ collects, displays, and analyzes log
>>> information from more than 135 Routers and firewalls
>>>>> My cable modem has a standby function.
>>>> Hmm, that would be handy; wonder if I have anything like it?
>>> Mine is Motorola SB5101
>> Hmm, thanks, Mike. I'll check out wallwatcher1 and see what it looks like.
>> I do have a Westell 327W. I've never had much luck with sniffers et al but
>> this time I have a reason so maybe it'll make a difference.

| I'm still curious as to how getting an emailed trojan can infect you unless
| you open or run the attachment.

You mean besides using HTML exploit code :-)

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

From nobody at spamcop.net Tue Feb 9 18:44:58 2010
From: nobody at spamcop.net (bar0)
Date: Tue Feb 9 18:45:07 2010
Subject: [Scspamcop] Re: FYI Virus; 3rd time I've received it
In-Reply-To:
References:
Message-ID:

"David H. Lipman" wrote in message news:hksr18$mpv$1@news.spamcop.net...
> From: "bar0"
>
>
> | "Twayne" wrote in message
> | news:hksfpi$it1$1@news.spamcop.net...
>>> In news:hksaal$h1p$1@news.spamcop.net,
>>> Mike Easter typed:
>>>> Twayne wrote:
>>>>> Mike Easter
>
>>>>>> Are we talking about router logs or what?
>
>>>>> A combo of logs actually; NIS's Recent History and the Westell router
>>>>> logs for the more detailed stuff w/r to times/periods.
>
>>>> I don't know which Westell you have, but WallWatcher supports these
>>>> Westells and more I think:
>
>>>> Westell - Versalink 327W, 7500 (Verizon)
>
>>>> I really like the type of log analysis and graphic portrayal it does.
>>>> http://www.wallwatcher1.com/ collects, displays, and analyzes log
>>>> information from more than 135 Routers and firewalls
>
>>>>>> My cable modem has a standby function.
>
>>>>> Hmm, that would be handy; wonder if I have anything like it?
>
>>>> Mine is Motorola SB5101
>
>>> Hmm, thanks, Mike. I'll check out wallwatcher1 and see what it looks
>>> like.
>>> I do have a Westell 327W. I've never had much luck with sniffers et al
>>> but
>>> this time I have a reason so maybe it'll make a difference.
>
>
> | I'm still curious as to how getting an emailed trojan can infect you
> unless
> | you open or run the attachment.
>
>
> You mean besides using HTML exploit code :-)

I haven't seen any mailers that allow that to run for years, not without
some kind of dialogue.

From DLipman~nospam~ at Verizon.Net Tue Feb 9 19:04:17 2010
From: DLipman~nospam~ at Verizon.Net (David H. Lipman)
Date: Tue Feb 9 19:05:09 2010
Subject: [Scspamcop] Re: FYI Virus; 3rd time I've received it
References:
Message-ID:

From: "bar0"

>> You mean besides using HTML exploit code :-)

| I haven't seen any mailers that allow that to run for years, not without
| some kind of dialogue.

You don't "run" HTML, you interpret it. Even my favourite, Pegasus Mail
interprets HTML. However it uses the Bear HTML interpreter.

If the email client interprets HTML then it may be possible to exploit a
vulnerability in the interpreter and cause an attachment execution or a
file download and execution.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

From nobody at spamcop.net Tue Feb 9 19:52:52 2010
From: nobody at spamcop.net (Twayne)
Date: Tue Feb 9 19:55:08 2010
Subject: [Scspamcop] Re: FYI Virus; 3rd time I've received it
References:
Message-ID:

In news:hkslg6$ktq$1@news.spamcop.net,
bar0 typed:
> "Twayne" wrote in message
> news:hksfpi$it1$1@news.spamcop.net...
>> In news:hksaal$h1p$1@news.spamcop.net,
>> Mike Easter typed:
>>> Twayne wrote:
>>>> Mike Easter
>>>
>>>>> Are we talking about router logs or what?
>>>
>>>> A combo of logs actually; NIS's Recent History and the Westell
>>>> router logs for the more detailed stuff w/r to times/periods.
>>>
>>> I don't know which Westell you have, but WallWatcher supports these
>>> Westells and more I think:
>>>
>>> Westell - Versalink 327W, 7500 (Verizon)
>>>
>>> I really like the type of log analysis and graphic portrayal it
>>> does. http://www.wallwatcher1.com/ collects, displays, and
>>> analyzes log information from more than 135 Routers and firewalls
>>>
>>>>> My cable modem has a standby function.
>>>
>>>> Hmm, that would be handy; wonder if I have anything like it?
>>>
>>> Mine is Motorola SB5101
>>
>> Hmm, thanks, Mike. I'll check out wallwatcher1 and see what it looks
>> like. I do have a Westell 327W. I've never had much luck with
>> sniffers et al but this time I have a reason so maybe it'll make a
>> difference.
>
> I'm still curious as to how getting an emailed trojan can infect you
> unless you open or run the attachment.

Like I said earlier, I dunno. I've read but not experienced that they can
even use non-printing code in the Subject lines to execute starter scripts
and the like. But I don't keep up with those kinds of details anymore.
Things got to changing so fast I figured those better than me were welcome
to it.

One thing I think one shouldn't rule out, is that only HTML code will be
used. There are a lot of code injection methods around, javascript being
one favorite I've heard about. All I know for sure is to never say
"never"! Given sufficient time, it makes for interesting research.

Twayne
--
--
Life is the only real counselor; wisdom unfiltered
through personal experience does not become a
part of the moral tissue.
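Added example, not part of any poster's message and not code from any mail client or scanner: a gateway-style check, in Python, for the situation David H. Lipman describes above, where HTML that a client interprets reaches an attachment or a remote file without the user opening anything. The sample message, the class and function names, and the tag and extension lists are constructed assumptions.

```python
import os
from email import message_from_string, policy
from html.parser import HTMLParser

# Assumed policy lists; tune them for the gateway in question.
ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed", "applet"}
URL_ATTRS = {"src", "href", "data", "background"}
RISKY_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Constructed sample: the HTML body frames one attachment by Content-ID and
# shows one ordinary inline image. Both "attachments" are placeholder text.
SAMPLE = """\
From: sender@constructed.example
Subject: constructed sample
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body onload="init()"><img src="cid:logo@constructed.example">
<iframe src="cid:att1@constructed.example" width="0" height="0"></iframe>
</body></html>
--b1
Content-Type: image/gif; name="logo.gif"
Content-ID: <logo@constructed.example>

(image bytes omitted)
--b1
Content-Type: audio/x-wav; name="notice.exe"
Content-ID: <att1@constructed.example>

(placeholder text, not a program)
--b1--
"""


class ActiveContentFinder(HTMLParser):
    """Collect (reason, detail) findings from one HTML part."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-tag", tag))
        for name, value in attrs:
            value = (value or "").strip()
            low = value.lower()
            if name.startswith("on"):      # onload=, onerror=, ...
                self.findings.append(("event-handler", f"{tag}.{name}"))
            elif name not in URL_ATTRS:
                continue
            elif low.startswith("cid:"):   # points at a part of this mail
                self.findings.append(("cid-ref", value[4:]))
            elif tag != "a" and low.startswith(("http:", "https:", "//")):
                self.findings.append(("remote-load", value))


def scan_message(raw):
    """Return a sorted list of (finding, detail) tuples for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    attachments, html_bodies = {}, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype, filename = part.get_content_type(), part.get_filename()
        if ctype == "text/html" and not filename:
            html_bodies.append(part.get_content())
        cid = part.get("Content-ID")
        if cid:
            attachments[str(cid).strip("<> ")] = (filename or "", ctype)
    report = set()
    for html in html_bodies:
        finder = ActiveContentFinder()
        finder.feed(html)
        for reason, detail in finder.findings:
            if reason != "cid-ref":
                report.add((reason, detail))
                continue
            filename, ctype = attachments.get(detail, ("", "missing"))
            if ctype.startswith("image/"):
                continue                   # ordinary inline image
            report.add(("html-references-attachment", filename or detail))
            ext = os.path.splitext(filename)[1].lower()
            if ext in RISKY_EXTS and not ctype.startswith("application/"):
                report.add(("type-extension-mismatch",
                            f"{filename} declared {ctype}"))
    return sorted(report)
```

Calling `scan_message(SAMPLE)` reports the frame, the event handler, the framed attachment and its type/extension mismatch; a message whose HTML only shows an inline image returns an empty list.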
From nobody at spamcop.net Tue Feb 9 21:10:13 2010
From: nobody at spamcop.net (bar0)
Date: Tue Feb 9 21:15:08 2010
Subject: [Scspamcop] lottomugu spammer screwup
Message-ID:

mugu seems to have put all of his dropboxes instead of one on my Lotto win
notification:

From: "BMW Automobiles"
Reply-To: [...]

From nobody at spamcop.net Wed Feb 10 10:05:19 2010
From: nobody at spamcop.net (Twayne)
Date: Wed Feb 10 10:10:08 2010
Subject: [Scspamcop] Re: lottomugu spammer
 screwup
References:
Message-ID:

In news:hkt4ia$q9i$1@news.spamcop.net,
bar0 typed:
> mugu seems to have put all of his dropboxes instead of one on my
> Lotto win notification:
>
> From: "BMW Automobiles"
> Reply-To: sytpg@hotmail.com, umzyqo@hotmail.com, lixgwtq@hotmail.com, ...

Wow, that's funny! Did you send anything to hotmail?

Twayne
--
--
Life is the only real counselor; wisdom unfiltered
through personal experience does not become a
part of the moral tissue.

From tmcgraw at spamcop.net Wed Feb 10 16:10:53 2010
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Wed Feb 10 16:15:08 2010
Subject: [Scspamcop] Re: lottomugu spammer screwup
In-Reply-To:
References:
Message-ID:

bar0 wrote:
> mugu seems to have put all of his dropboxes instead of one on my Lotto win
> notification:

So let's just add to all those poor b*stards' spam load, eh?

From jespersen.thomas at gmail.com Sat Feb 27 12:56:16 2010
From: jespersen.thomas at gmail.com (Thomas Jespersen)
Date: Sat Feb 27 13:00:09 2010
Subject: [Scspamcop] Question about emails I get
Message-ID: <30nio5dvuakeh6qcdj81nf8otjb45ghmij@4ax.com>

Hi, I have a question about strange email I get.

-They usually have no subject line
-The body text is a long string of numbers

Does anybody know what the purpose of such emails could be? I would have
posted one here if I had one right now.

And do I report them? They are not spam in the sense that they advertise
anything. Would you people report it?

From nobody at spamcop.net Sat Feb 27 13:15:01 2010
From: nobody at spamcop.net (Twayne)
Date: Sat Feb 27 13:20:09 2010
Subject: [Scspamcop] Re: Question about emails I get
References: <30nio5dvuakeh6qcdj81nf8otjb45ghmij@4ax.com>
Message-ID:

In news:30nio5dvuakeh6qcdj81nf8otjb45ghmij@4ax.com,
Thomas Jespersen typed:
> Hi, I have a question about strange email I get.
>
> -They usually have no subject line
> -The body text is a long string of numbers
>
> Does anybody know what the purpose of such emails could be?
> I would have
> posted one here if I had one right now.
>
> And do I report them? They are not spam in the sense that they
> advertise anything. Would you people report it?

I would. The spamcop parse should also give you a pretty good idea whether
it might be legit or not, but the way I look at it, if I can't suspect it's
from some friend of mine I can check with, I never asked for it, it's not
an address (in the parse) I ever dealt with, I report.
Especially if you're getting the same mail multiple times but from
different sources, report it.
And of course, never click on ANYTHING within the spam or open any
attachments; great way to invite malware in.

HTH,

Twayne
--
--
Life is the only real counselor; wisdom unfiltered
through personal experience does not become a
part of the moral tissue.