My Spam Mails

5th Spam Mail [Subject : P ay Pal Security Notification - Please Read [ref id: XRHEE]]

noreply@blogger.com (eDoDe) — Tue, 27 Apr 2010 07:27:00 +0000

This is quiet a different email, the Mailer wants me to think like the email is sent from PayPal Security. The mail is actually from different domain "@security-mail.com". Probably if anyone doesn't notice this domain on the sender, Will surely accept this as PayPal Security email, though the mailer did not include any authorized image of PayPal. Let me describe this email. The mail is sent from a website hosted to a French based Hosting site. There were two IP addresses in the email.

80.12.242.138	Europe		France		Orange	GMT+1
90.35.77.215	Europe		France		Moulineaux	GMT+1

######################Original Email###################################

                                                                                                                                                                                                                                                                Delivered-To: ***********7@gmail.com Received: by 10.216.185.3 with SMTP id t3cs40544wem;         Mon, 26 Apr 2010 11:51:57 -0700 (PDT) Received: from mr.google.com ([10.143.87.5])         by 10.143.87.5 with SMTP id ************************ (num_hops = 1);         Mon, 26 Apr 2010 11:51:56 -0700 (PDT) Received: by 10.143.87.5 with SMTP id ***************************;         Mon, 26 Apr 2010 11:51:56 -0700 (PDT) X-Forwarded-To: *************@gmail.com X-Forwarded-For: ++++++@gmail.com *************@gmail.com Delivered-To: +++++++gmail.com Received: by 10.142.233.8 with SMTP id f8cs81499wfh;         Mon, 26 Apr 2010 11:51:55 -0700 (PDT) Received: by 10.216.162.149 with SMTP id y21mr2132891wek.196.1272307914507;         Mon, 26 Apr 2010 11:51:54 -0700 (PDT) Return-Path:  Received: from smtp2a.orange.fr (smtp2a.orange.fr [80.12.242.138])         by mx.google.com with ESMTP id p18si5557448wbc.13.2010.04.26.11.51.50;         Mon, 26 Apr 2010 11:51:54 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning gzyqif@security-mail.com does not designate 80.12.242.138 as permitted sender) client-ip=80.12.242.138; Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning gzyqif@security-mail.com does not designate 80.12.242.138 as permitted sender) smtp.mail=gzyqif@security-mail.com Received: from me-wanadoo.net (localhost [127.0.0.1])  by mwinf2a02.orange.fr (SMTP Server) with ESMTP id 95E9480002E9;  Mon, 26 Apr 2010 20:51:50 +0200 (CEST) Received: from me-wanadoo.net (localhost [127.0.0.1])  by mwinf2a02.orange.fr (SMTP Server) with ESMTP id 880B880002E8;  Mon, 26 Apr 2010 20:51:50 +0200 (CEST) Received: from wanadoo.fr (APuteaux-155-1-94-215.w90-35.abo.wanadoo.fr [90.35.77.215])  by mwinf2a02.orange.fr (SMTP Server) with SMTP id 2662880002FC;  Mon, 26 Apr 2010 20:51:48 +0200 (CEST) X-ME-UUID: 20100426185148157.2662880002FC@mwinf2a02.orange.fr Reply-To: gzyqif@security-mail.com From: Support To: ebleich@gmail.com,ebm62980@gmail.com,ebogame@gmail.com,eboku01@gmail.com,ebolax@gmail.com,ebonds22@gmail.com,ebonyblake@gmail.com,ebonyseraphim@gmail.com,ebooks505@gmail.com,eboresow@gmail.com,eborge@gmail.com,ebossche7767@gmail.com,eboucher@gmail.com,eboxgj@gmail.com Subject: P ay Pal Security Notification - Please Read [ref id: XRHEE] Date: Mon, 26 Apr 2010 20:55:22 +0200 MIME-Version: 1.0 Content-Type: multipart/alternative;  boundary="----=_NextPart_000_00C9_01C2A75B.1697F626" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Message-Id: <20100426185148.2662880002fc@mwinf2a02.orange.fr>  This is a multi-part message in MIME format.  ------=_NextPart_000_00C9_01C2A75B.1697F626 Content-Type: text/plain;  charset="Windows-1251" Content-Transfer-Encoding: 7bit  

Dear P ayP al member,

You have a new message concerning your online security.
In order to read it, please login to your account by clicking the link below:

http://www.paypalusa.com.cmd.irolessmass.eu.com/us/webscr/?id=XRHEE

Thank you for your co-operation.  ------=_NextPart_000_00C9_01C2A75B.1697F626 Content-Type: text/html;  charset="Windows-1251" Content-Transfer-Encoding: 7bit  

Dear P ayP al member,

You have a new message concerning your online security.
In order to read it, please login to your account by clicking the link below:

http://www.paypalusa.com.cmd.irolessmass.eu.com/us/webscr/?id=XRHEE

Thank you for your co-operation.   ------=_NextPart_000_00C9_01C2A75B.1697F626-- ####################################################################################

These were the records fetched from IPLIGENCE.COM. Also there is no such domain "security-mail.com" exists. Also the link is the email was blocked by Firefox as forgery site, i ignored that warning and the site leads to nowhere but an empty page. The domain was registered to German based domain provider. This is all i have about this email.

4th Spam Mail [Subject : Get travel gift coupon worth Rs 500 every month]

noreply@blogger.com (eDoDe) — Thu, 11 Jun 2009 10:19:00 +0000

Well, i first thought that this mail isn't a Spam Email even it arrived in my Spam Folder. Then i went on analyzing it. The mail content, says that i got a Travel Gift Coupon for Rs.500/- every month. This mail might have been sent by "Expedia.co.in" as famous Travel Website in India. But all the link in the mail will take me to "http://www.s2d6.com/x/?x=c&z=s&v=#######&k=bsm", a domain belonging to different website. But surprisingly there is no visible page hosting on this domain and the link take me to "Expedia.co.in". The Domain "s2d6.com" is hosted in "theplanet.com", a hosting website. I really don't understand the purpose of this email. May be the Emailer need to generate traffic to "Expedia.co.in" from a different domain. The image in the mail has some image attached from "trassenger.com"

###################################################################

Delivered-To: ###########@gmail.com Received: by 10.216.185.3 with SMTP id t3cs31569wem;         Mon, 26 Apr 2010 06:39:49 -0700 (PDT) Received: by 10.101.177.39 with SMTP id e39mr5164106anp.36.1272289188891;         Mon, 26 Apr 2010 06:39:48 -0700 (PDT) Return-Path:  Received: from ns1.silkflowers.co.in ([207.44.147.60])         by mx.google.com with ESMTP id 9si1788972gxk.1.2010.04.26.06.39.48;         Mon, 26 Apr 2010 06:39:48 -0700 (PDT) Received-SPF: neutral (google.com: 207.44.147.60 is neither permitted nor denied by domain of trassenger@gmail.com) client-ip=207.44.147.60; Authentication-Results: mx.google.com; spf=neutral (google.com: 207.44.147.60 is neither permitted nor denied by domain of trassenger@gmail.com) smtp.mail=trassenger@gmail.com Received: from mail pickup service by ns1.silkflowers.co.in with Microsoft SMTPSVC; 	 Mon, 26 Apr 2010 08:24:03 -0500 thread-index: AcrlQ6HdAAkIUanvQdKPrFM6vu+O1w== Thread-Topic: Get travel gift coupon worth Rs 500 every month From: "Sana Afreen"  To: #############@gmail.com> Subject: Get travel gift coupon worth Rs 500 every month Date: Mon, 26 Apr 2010 08:23:26 -0500 Message-ID: <10a46a156cd84f5f9da8506212020987@silkflowers.co.in> MIME-Version: 1.0 Content-Type: multipart/alternative; 	boundary="----=_NextPart_000_1D4FC_01CAE519.B90731C0" X-Mailer: Microsoft CDO for Windows 2000 Content-Class: urn:content-classes:message Importance: normal Priority: normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4325 X-OriginalArrivalTime: 26 Apr 2010 13:24:03.0890 (UTC) FILETIME=[BD88A920:01CAE543]  This is a multi-part message in MIME format.  ------=_NextPart_000_1D4FC_01CAE519.B90731C0 Content-Type: text/plain; 	charset="iso-8859-1" Content-Transfer-Encoding: 7bit

UNABLE TO VIEW THIS EMAIL CORRECTLY? CLICK HERE      	 Dear Traveller,  Have you checked out Expedia.co.in   yet? For a limited time we're offering you a coupon worth Rs 500* when you sign-up for our email newsletter. Each month we'll bring you the best travel deals straight to your inbox. Be inspired to travel the world today with Expedia.co.in  , part of the world's leading online travel company.  Click Here To Sign Up Now !    Terms and Conditions    You are receiving this mail because you are registered on trassenger.com Or One of its group site. To stop receiving such mails click here       ------=_NextPart_000_1D4FC_01CAE519.B90731C0 Content-Type: text/html Content-Transfer-Encoding: 7bit  
 ------=_NextPart_000_1D4FC_01CAE519.B90731C0--

###################################################################

Be aware, if you get such message in your inbox or Spam folder.

3rd Spam Mail [Subject : This is my cellphone number]

noreply@blogger.com (eDoDe) — Tue, 09 Jun 2009 13:27:00 +0000

2nd Spam Mail [Subject : (no subject)]

noreply@blogger.com (eDoDe) — Sun, 07 Jun 2009 17:27:00 +0000

This is the 2nd Spam i wish to explain about. Like in the previous spam mail, The Spam mail is sent from the same server "NAC.NET". The Header of the original mail is given below:

----------------------------------------------------------------------------

Delivered-To: ##########@gmail.com
Received: by 10.229.91.76 with SMTP id l12cs43351qcm;
Thu, 4 Jun 2009 18:38:58 -0700 (PDT)
Received: by 10.224.11.72 with SMTP id s8mr3051526qas.185.1244165936130;
Thu, 04 Jun 2009 18:38:56 -0700 (PDT)
Return-Path:
Received: from ip48.reprohit.com (ip48.reprohit.com [64.21.165.48])
by mx.google.com with SMTP id 12si3315459qyk.29.2009.06.04.18.38.56;
Thu, 04 Jun 2009 18:38:56 -0700 (PDT)
Received-SPF: pass (google.com: domain of n.267.5901807@reprohit.com designates 64.21.165.48 as permitted sender) client-ip=64.21.165.48;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of n.267.5901807@reprohit.com designates 64.21.165.48 as permitted sender) smtp.mail=n.267.5901807@reprohit.com
Date: Thu, 04 Jun 2009 21:26:06 -0400
From: "healthy legs"
To: ##########@gmail.com
Subject:
MIME-Version: 1.0
X-Mailer: xyf v8.3.4.1000.5901807
Reply-To: r.267.5901807@reprohit.com
Message-Id: <20090604180006.fnatipsdca@reprohit.com>
Content-Type: multipart/alternative;
boundary="=_23657ff2a4c51a224d3eddc716ae9305"
------------------------------------------------------------------------------

As per this Header, this email is sent from "REPROHIT.COM", but From DNSCHART IP Whois Report the IP Address "64.21.165.48" doesn't match with Domain. The actual Domain name of the IP address was "NAC.NET", Like i said in my previous email.

I determined the Location of the server by using DNSCHART.COM and IPLIGENCE.COM, Like i did in my previous post. Also my blog visitors can use the Header of the email to make a try to trace the Spammer location.

My First Spam mail -[Subject : Stop working long hours]

noreply@blogger.com (eDoDe) — Wed, 03 Jun 2009 17:16:00 +0000

The Above picture is the Spam Mail is wish to explain. Basically to trace the IP and location from which the Email has been sent is determined from the "Original Message" of the mail. The Header section of the Original Message of this Email is given Below.

---------------------------------------------------------------------
Delivered-To: #########@gmail.com
Received: by 10.229.91.76 with SMTP id l12cs41945qcm;
Thu, 4 Jun 2009 18:04:45 -0700 (PDT)
Received: by 10.224.74.16 with SMTP id s16mr3025851qaj.320.1244163851087;
Thu, 04 Jun 2009 18:04:11 -0700 (PDT)
Return-Path:
Received: from ip10.waspcom.com (ip10.waspcom.com [64.21.165.10])
by mx.google.com with SMTP id 12si3264373qyk.63.2009.06.04.18.04.10;
Thu, 04 Jun 2009 18:04:11 -0700 (PDT)
Received-SPF: pass (google.com: domain of n.266.5901807@waspcom.com designates 64.21.165.10 as permitted sender) client-ip=64.21.165.10;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of n.266.5901807@waspcom.com designates 64.21.165.10 as permitted sender) smtp.mail=n.266.5901807@waspcom.com
Date: Thu, 04 Jun 2009 20:49:06 -0400
From: "robert allen"
To: ##########@gmail.com
Subject: Stop working long hours
MIME-Version: 1.0
X-Mailer: rws v8.3.4.1000.5901807
Reply-To: r.266.5901807@waspcom.com
Message-Id: <20090604170005.erzuendpwf@waspcom.com>
Content-Type: multipart/alternative;
boundary="=_4c4684c84d04d9efd613a810054472bf"
---------------------------------------------------------------------------

This is quiet difficult to get the IP location from the above Header. With the help of IPLIGENCE.COM, and copying this Header to the Email Tracer Text Box and Clicking on the "Trace" link will trace this email's IP address and Location of the server, which is used by the spammer. Though the Spammer's Location couldn't be determined, We can report about Abuse mail to the server, so that the server Admin can look after the Spammer and control them in accessing the server again.

After Getting the IP and Location of the server, I use the information to Trace the Domain Owner. From the above header "WASPCOM.COM" is the server used to Send this email. But with the help of DNSCHART.COM --> "IP Whois" Option, I found that the IP address and Domain doesn't match. The IP Address determined from the mail was "64.21.165.10", But the email was sent from "NAC.NET". This proves that this is a Spam email.

This Mail consists of Links in it, Which leads to Phishing Sites. Phishing sites were maily used to Steal Information from the Internet user. Due to unawarness among people, Many give out their personal details and get into trouble. To Create awarness among Internet Users, I pubished this Blog. If you have received such email, Be aware and report it to the server admin in Advance.

For More information on Phishing Websites, Visit these links:

http://edode.blogspot.com/2009/04/i-can-help-you-trace-email-spammer.html

http://edode.blogspot.com/2008/11/know-about-phishing-websites.html