Many years ago, I created both a 'hotmail' and 'gmail' account. Over time, the hotmail account seemed to attract more and more SPAM but gmail seemed to trim out more and more. So over time, progress was made. When email headers had to be validated, it got better. When hotmail forced everyone to go to outlook, well, I never made that transition. But lately, about once a month, the gmail filters failed and a SPAM-turd showed up in my mailbox. So I took some time to see what is going on.

Now e-mail has two text parts, the header and the body. Here is the header:

Delivered-To: [email protected]
Received: by 10.182.144.38 with SMTP id sj6csp857144obb; Fri, 13 Mar 2015 15:12:32 -0700 (PDT)
X-Received: by 10.194.190.10 with SMTP id gm10mr101723305wjc.91.1426284751019; Fri, 13 Mar 2015 15:12:31 -0700 (PDT)
Return-Path: <[email protected]>
Received: from BAY004-OMC1S21.hotmail.com (bay004-omc1s21.hotmail.com. [65.54.190.32])
        by mx.google.com with ESMTPS id u20si2388831wib.59.2015.03.13.15.12.29
        for <[email protected]> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
        Fri, 13 Mar 2015 15:12:31 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 65.54.190.32 as permitted sender) client-ip=65.54.190.32;
Authentication-Results: mx.google.com;
        spf=pass (google.com: domain of [email protected] designates 65.54.190.32 as permitted sender) smtp.mail=[email protected];
        dmarc=pass (p=NONE dis=NONE) header.from=outlook.com
Received: from BAY167-W132 ([65.54.190.61]) by BAY004-OMC1S21.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.22751); Fri, 13 Mar 2015 15:12:17 -0700
X-TMN: [pAensVTtI3Ub0i8f5aFSBkVhmJXmSXfV]
X-Originating-Email: [[email protected]]
Message-ID: <[email protected]>
Return-Path: [email protected]
Content-Type: multipart/alternative; boundary="_67971f19-0055-41fd-8657-f9641364fb40_"
From: Jin Guilbault <[email protected]>
To: <[email protected]>
Subject: Bob
Date: Fri, 13 Mar 2015 17:12:17 -0500
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 13 Mar 2015 22:12:17.0562 (UTC) FILETIME=[C48DB7A0:01D05DDA]

Well, I was surprised to see 'hotmail.com' in the header of this bogus e-mail. Apparently the SPAMers have a hook into 'hotmail.com' and continue to use it. That will be an easy filter ... no more hotmail.com sourced. But that is not enough. Making a private email server is easy, as many politicians have found out.

Now the body of the message was more interesting:

--_67971f19-0055-41fd-8657-f9641364fb40_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Bob=2C

Are you ready to pay down high-rate balances on your credit cards? Or is no=
w the time to kick-start that small business or home improvement project yo=
u've been dreaming about? Make the smarter debt choice with a no-collateral=
=2C fixed-rate loan that beats the competition.

With a Prosper Loan you can borrow up to $35=2C000 with no teaser rates or =
hidden fees=2C and it takes just minutes to get started. Start now...anima=
lhide.com/s%69te/%72edirps%2ehtm?va%72s=3D%7C%7C%2f/J%2em%50./1H2Qoc8?0sxgf=
gfoj

The "=2C" is a ","; the "=" is a silent join; and the poison payload is:

animalhide.com/s%69te/%72edirps%2ehtm?va%72s=3D%7C%7C%2f/J%2em%50./1H2Qoc8?0sxgfgfoj

animalhide.com - this is the current, poison site. If used as a URL with the following qualifiers, it looks like a sales site with a bogus, 'available' domain. I only visit the site using a browser with cleared cache as I don't want them pulling up cookies or other info.

"/s%69te ...." - this is the hex-encoded direction to the redirection site. The "%69" is "i" so it starts "/site". This is what the browser sees:

At one time, there was a group that created a list of poison sites to filter. It has been over 10 years since I was last spending time fighting the SPAMers but I'll see if I can pass this on to them ... if they are still in the business.

One of the most effective techniques in the past was to stop routing IP networks that host SPAM sites. You don't whack the SPAMer but the ones who turned a blind eye to the abuse. So it looks like two filter strings:

"hotmail.com" is compromised. Nothing of value comes from there.
"animalhide.com" is the poison site but domain names and IP addresses are trivial and cheap.

Playing 'whack a mole' is a pain so we'll see what shows up next.

Bob Wilson

ps. An excellent report on anti-SPAM technology: Stopping Spam
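The decoding done by hand in the post above (quoted-printable "=2C" and soft "=" breaks, then the "%69"-style percent-encoding of the link) together with reading the SPF/DMARC verdicts and the hand-off hop out of the headers, as an added Python example that is not part of the original post. The message is a constructed sample modelled on the one quoted: the addresses and the redirect host are placeholders, and the header values are shortened.

```python
import re
from email import message_from_bytes, policy
from urllib.parse import unquote

# Constructed sample modelled on the message quoted in the post; addresses and
# the redirect host are placeholders and the header values are shortened.
RAW_MESSAGE = b"""\
Received: from BAY004-OMC1S21.hotmail.com (bay004-omc1s21.hotmail.com. [65.54.190.32])
        by mx.google.com with ESMTPS id u20si2388831wib.59
        for <victim@gmail.example>; Fri, 13 Mar 2015 15:12:31 -0700 (PDT)
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of sender@outlook.example designates 65.54.190.32 as permitted sender) smtp.mail=sender@outlook.example;
       dmarc=pass (p=NONE dis=NONE) header.from=outlook.com
From: Jin Guilbault <sender@outlook.example>
To: <victim@gmail.example>
Subject: Bob
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Bob=2C
Make the smarter debt choice with a no-collateral=2C fixed-rate loan.
Start now...redirect.example.invalid/s%69te/%72edirps%2ehtm?va%72s=3D%7C%7C%2f/J%2em%50./1H2Qoc8?0sxgf=
gfoj
"""

HOP_RE = re.compile(r'from\s+(\S+)\s+\(.*?\[([\d.]+)\]')   # "from host (rdns. [ip])"
AUTH_RE = re.compile(r'\b(spf|dkim|dmarc)=(\w+)')
LINK_RE = re.compile(r'([a-z0-9-]+(?:\.[a-z0-9-]+)+)/(\S+)', re.I)  # host/path, scheme optional

def parse(raw=RAW_MESSAGE):
    return message_from_bytes(raw, policy=policy.default)

def received_hops(msg):
    # (host, ip) per Received header, nearest our MX first. Only the hop our
    # own MX stamped can be trusted; anything below it was supplied by the sender.
    hits = (HOP_RE.search(str(h)) for h in msg.get_all('Received', []))
    return [(m.group(1).lower(), m.group(2)) for m in hits if m]

def auth_results(msg):
    # spf/dkim/dmarc verdicts. "pass" only proves the mail really left the
    # named infrastructure, not that the account behind it is legitimate.
    return dict(AUTH_RE.findall(str(msg.get('Authentication-Results', ''))))

def decode_links(msg):
    # get_content() undoes quoted-printable (=2C -> ",", =3D -> "=", trailing "="
    # soft breaks); unquote() then undoes the %xx obfuscation of host and path.
    body = msg.get_content()
    return [(host.lower(), unquote(path)) for host, path in LINK_RE.findall(body)]
```

Decoding offline like this gives the real host and path for a filter list without loading the page, which is the step the post does by hand before visiting the site.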
I appreciate your efforts. Alas, the last time I was involved in that kind of work it turned out that you could "fake" just about anything in an email header and you had to be VERY careful not to block traffic from a "victim" site. Don't know if or how much that still applies.
The April issue of Consumer Reports magazine suggests enrolling in Unroll.me. It is free and it helps to eliminate spam email. I have it and it works pretty well.
If that is anything like the National Do Not Call Registry ... that is a joke. I think some telemarketers use it as a DO call list instead. These are crooks and criminals for the most part. You actually expect them to abide by the rules? If you are getting marketing solicitations from legitimate companies, ONE email or web visit should put a stop to that. One for each company, that is. And in those cases, YOU did something to start the messages in the first place and that is not considered SPAM.
To make the hotmail account usable, I adopted a 'white list' approach. Everything else went to the junk folder. Bob Wilson
After 10+ years of Exchange, I used to get hundreds of junk mails a day. Since I switched to Gmail, I haven't gotten a dozen since 10/01/14. Is time against me?
No. The old mail servers just passed along EVERYTHING they got. Google and others now actively "spam test" and are able to filter out a HUGE part of it. Just pray that their spam filtering never breaks.
Well, this little fecal matter showed up on my work cell phone as an SMS message alert:

You have been listed for an inheritance worth $6.6m, this is my second message to you, if this is your cellphone number please send your full names to this email only : royreimann####@outlook.com

The first thing was to discover no 'traceback' or header. Apparently this has to be configured in an iPhone's "Notifications". However, the text "if this is your cellphone number" suggests a robot hitting any and/or all SMS phone numbers. So I'll share it with the carrier. It is sad to see Microsoft's outlook being complicit in SPAM, again. <SIGH> Bob Wilson
The e-mail account was and is already being hit on by the SPAMMers: Sorry, I forgot to mention this is the 'SPAM' folder that is automatically filled and deleted. I have to look inside to see the SPAM flow. My regular 'inbox' and supporting mailboxes are fairly clean. The SPAMMers sell lists and pretty much treat all e-mail as a 'free fire zone.' They are sociopaths who lie to themselves as much as anyone else. That is why I advocate the use of 'white-lists.' It isn't perfect but it is good enough. In the original SPAM, they spoofed themselves as coming from a Microsoft hotmail server. The verification handshake let it through. So I'm OK with putting hotmail messages in a SPAM folder that automatically deletes them after a while. Bob Wilson