Thursday, June 11, 2009

4th Spam Mail [Subject : Get travel gift coupon worth Rs 500 every month]



Well, I first thought that this mail wasn't a spam email even though it arrived in my Spam folder. Then I went on to analyze it. The mail content says that I get a travel gift coupon for Rs.500/- every month. This mail might have been sent by "Expedia.co.in", a famous travel website in India. But all the links in the mail take me to "http://www.s2d6.com/x/?x=c&z=s&v=#######&k=bsm", a domain belonging to a different website. Surprisingly, there is no visible page hosted on this domain, and the link takes me on to "Expedia.co.in". The domain "s2d6.com" is hosted at "theplanet.com", a hosting website. I really don't understand the purpose of this email. Maybe the emailer needs to generate traffic to "Expedia.co.in" from a different domain. The mail also has an image attached from "trassenger.com".

###################################################################
Delivered-To: ###########@gmail.com
Received: by 10.216.185.3 with SMTP id t3cs31569wem;
Mon, 26 Apr 2010 06:39:49 -0700 (PDT)
Received: by 10.101.177.39 with SMTP id e39mr5164106anp.36.1272289188891;
Mon, 26 Apr 2010 06:39:48 -0700 (PDT)
Return-Path:
Received: from ns1.silkflowers.co.in ([207.44.147.60])
by mx.google.com with ESMTP id 9si1788972gxk.1.2010.04.26.06.39.48;
Mon, 26 Apr 2010 06:39:48 -0700 (PDT)
Received-SPF: neutral (google.com: 207.44.147.60 is neither permitted nor denied by domain of trassenger@gmail.com) client-ip=207.44.147.60;
Authentication-Results: mx.google.com; spf=neutral (google.com: 207.44.147.60 is neither permitted nor denied by domain of trassenger@gmail.com) smtp.mail=trassenger@gmail.com
Received: from mail pickup service by ns1.silkflowers.co.in with Microsoft SMTPSVC;
Mon, 26 Apr 2010 08:24:03 -0500
thread-index: AcrlQ6HdAAkIUanvQdKPrFM6vu+O1w==
Thread-Topic: Get travel gift coupon worth Rs 500 every month
From: "Sana Afreen"
To: #############@gmail.com>
Subject: Get travel gift coupon worth Rs 500 every month
Date: Mon, 26 Apr 2010 08:23:26 -0500
Message-ID: <10a46a156cd84f5f9da8506212020987@silkflowers.co.in>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_1D4FC_01CAE519.B90731C0"
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4325
X-OriginalArrivalTime: 26 Apr 2010 13:24:03.0890 (UTC) FILETIME=[BD88A920:01CAE543]

This is a multi-part message in MIME format.

------=_NextPart_000_1D4FC_01CAE519.B90731C0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

UNABLE TO VIEW THIS EMAIL CORRECTLY? CLICK HERE

Dear Traveller,

Have you checked out Expedia.co.in yet? For a limited time we're offering you a coupon worth Rs 500* when you sign-up for our email newsletter. Each month we'll bring you the best travel deals straight to your inbox. Be inspired to travel the world today with Expedia.co.in, part of the world's leading online travel company.

Click Here To Sign Up Now !

Terms and Conditions

You are receiving this mail because you are registered on trassenger.com Or One of its group site. To stop receiving such mails click here

------=_NextPart_000_1D4FC_01CAE519.B90731C0
Content-Type: text/html
Content-Transfer-Encoding: 7bit

------=_NextPart_000_1D4FC_01CAE519.B90731C0--
###################################################################

Be aware if you get such a message in your inbox or Spam folder.

Tuesday, June 9, 2009

3rd Spam Mail [Subject : This is my cellphone number]



This spam mail is quite different. This guy has used my own email ID to send me an email. As I said, he didn't actually hack into my account; this method of fraud is called spoofing. The text between the lines below is the header of the original email as sent by the spammer.

---------------------------------------------------------------------------------------

Delivered-To: ##########@gmail.com
Received: by 10.229.88.19 with SMTP id y19cs182611qcl;
Sun, 7 Jun 2009 14:04:24 -0700 (PDT)
Received: by 10.210.61.8 with SMTP id j8mr5678864eba.22.1244408663519;
Sun, 07 Jun 2009 14:04:23 -0700 (PDT)
Return-Path: <##########@gmail.com>
Received: from pool-70-20-20-56.bstnma.fios.verizon.net (pool-70-20-20-56.bstnma.fios.verizon.net [70.20.20.56])
by mx.google.com with ESMTP id 12si4287938ewy.31.2009.06.07.14.04.20;
Sun, 07 Jun 2009 14:04:21 -0700 (PDT)
Received-SPF: neutral (google.com: 70.20.20.56 is neither permitted nor denied by domain of ##########@gmail.com) client-ip=70.20.20.56;
Authentication-Results: mx.google.com; spf=neutral (google.com: 70.20.20.56 is neither permitted nor denied by domain of ##########@gmail.com) smtp.mail=##########@gmail.com
Date: Sun, 07 Jun 2009 14:04:21 -0700 (PDT)
Message-ID: <587879334564759.advrbmntohacbua@pool-70-20-20-56.bstnma.fios.verizon.net>
From: "Randy" <##########@gmail.com>
To: ##########@gmail.com
Subject: This is my cellphone number
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

----------------------------------------------------------------------------------------------


First I tried to trace the location of the server that the spammer used to send me the email through IPLIGENCE.COM. I got this IP address: 70.20.20.56. This should have been an email from a Google server, but this IP address points to a VERIZON.NET server as per the WHOIS IP report of DNSCHART.COM. So the spammer used spoofing to send me the email, as if I had sent an email to myself. This email consists of various unknown links, which when visited may carry a threat of downloading viruses. So be careful if you receive such emails.

By clicking the above image file, the picture of the email that I received can be viewed clearly.

Sunday, June 7, 2009

2nd Spam Mail [Subject : (no subject)]


This is the 2nd spam I wish to explain. As with the previous spam mail, this spam mail was sent from the same server, "NAC.NET". The header of the original mail is given below:

----------------------------------------------------------------------------

Delivered-To: ##########@gmail.com
Received: by 10.229.91.76 with SMTP id l12cs43351qcm;
Thu, 4 Jun 2009 18:38:58 -0700 (PDT)
Received: by 10.224.11.72 with SMTP id s8mr3051526qas.185.1244165936130;
Thu, 04 Jun 2009 18:38:56 -0700 (PDT)
Return-Path:
Received: from ip48.reprohit.com (ip48.reprohit.com [64.21.165.48])
by mx.google.com with SMTP id 12si3315459qyk.29.2009.06.04.18.38.56;
Thu, 04 Jun 2009 18:38:56 -0700 (PDT)
Received-SPF: pass (google.com: domain of n.267.5901807@reprohit.com designates 64.21.165.48 as permitted sender) client-ip=64.21.165.48;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of n.267.5901807@reprohit.com designates 64.21.165.48 as permitted sender) smtp.mail=n.267.5901807@reprohit.com
Date: Thu, 04 Jun 2009 21:26:06 -0400
From: "healthy legs"
To: ##########@gmail.com
Subject:
MIME-Version: 1.0
X-Mailer: xyf v8.3.4.1000.5901807
Reply-To: r.267.5901807@reprohit.com
Message-Id: <20090604180006.fnatipsdca@reprohit.com>
Content-Type: multipart/alternative;
boundary="=_23657ff2a4c51a224d3eddc716ae9305"
------------------------------------------------------------------------------

As per this header, this email was sent from "REPROHIT.COM", but according to the DNSCHART IP Whois report the IP address "64.21.165.48" doesn't match the domain. The actual domain name of the IP address was "NAC.NET", as I said in my previous email.

I determined the location of the server by using DNSCHART.COM and IPLIGENCE.COM, as I did in my previous post. My blog visitors can also use the header of the email to try to trace the spammer's location.

Wednesday, June 3, 2009

My First Spam mail -[Subject : Stop working long hours]



The above picture is the spam mail I wish to explain. Basically, the IP and location from which the email was sent are determined from the "Original Message" of the mail. The header section of the original message of this email is given below.

---------------------------------------------------------------------
Delivered-To: #########@gmail.com
Received: by 10.229.91.76 with SMTP id l12cs41945qcm;
Thu, 4 Jun 2009 18:04:45 -0700 (PDT)
Received: by 10.224.74.16 with SMTP id s16mr3025851qaj.320.1244163851087;
Thu, 04 Jun 2009 18:04:11 -0700 (PDT)
Return-Path:
Received: from ip10.waspcom.com (ip10.waspcom.com [64.21.165.10])
by mx.google.com with SMTP id 12si3264373qyk.63.2009.06.04.18.04.10;
Thu, 04 Jun 2009 18:04:11 -0700 (PDT)
Received-SPF: pass (google.com: domain of n.266.5901807@waspcom.com designates 64.21.165.10 as permitted sender) client-ip=64.21.165.10;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of n.266.5901807@waspcom.com designates 64.21.165.10 as permitted sender) smtp.mail=n.266.5901807@waspcom.com
Date: Thu, 04 Jun 2009 20:49:06 -0400
From: "robert allen"
To: ##########@gmail.com
Subject: Stop working long hours
MIME-Version: 1.0
X-Mailer: rws v8.3.4.1000.5901807
Reply-To: r.266.5901807@waspcom.com
Message-Id: <20090604170005.erzuendpwf@waspcom.com>
Content-Type: multipart/alternative;
boundary="=_4c4684c84d04d9efd613a810054472bf"
---------------------------------------------------------------------------

It is quite difficult to get the IP location from the above header. With the help of IPLIGENCE.COM, copying this header into the Email Tracer text box and clicking on the "Trace" link will trace this email's IP address and the location of the server used by the spammer. Though the spammer's location couldn't be determined, we can report the abuse mail to the server, so that the server admin can look into the spammer and prevent them from accessing the server again.

After getting the IP and location of the server, I use the information to trace the domain owner. From the above header, "WASPCOM.COM" is the server used to send this email. But with the help of the DNSCHART.COM --> "IP Whois" option, I found that the IP address and domain don't match. The IP address determined from the mail was "64.21.165.10", but the email was sent from "NAC.NET". This proves that this is a spam email.

This mail contains links that lead to phishing sites. Phishing sites are mainly used to steal information from Internet users. Due to unawareness among people, many give out their personal details and get into trouble. To create awareness among Internet users, I published this blog.
If you have received such an email, be aware and report it to the server admin in advance.
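The header-tracing steps described in these posts can also be done offline. The following is an added example, not code from the original blog: it reads the header of the "This is my cellphone number" mail above, takes the sending IP only from the hop recorded by the receiving server (mx.google.com), and checks whether SPF actually vouches for the From domain. The names `trace` and `SPOOFED` and the address `victim@gmail.com` (standing in for the masked ########## address) are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header of the "This is my cellphone number" mail from this page, trimmed to
# the fields used below. "victim" is a constructed stand-in for the masked
# (##########) address.
SPOOFED = """\
Received: by 10.210.61.8 with SMTP id j8mr5678864eba.22.1244408663519;
 Sun, 07 Jun 2009 14:04:23 -0700 (PDT)
Return-Path: <victim@gmail.com>
Received: from pool-70-20-20-56.bstnma.fios.verizon.net (pool-70-20-20-56.bstnma.fios.verizon.net [70.20.20.56])
 by mx.google.com with ESMTP id 12si4287938ewy.31.2009.06.07.14.04.20;
 Sun, 07 Jun 2009 14:04:21 -0700 (PDT)
Authentication-Results: mx.google.com; spf=neutral (google.com: 70.20.20.56 is neither permitted nor denied by domain of victim@gmail.com) smtp.mail=victim@gmail.com
From: "Randy" <victim@gmail.com>
To: victim@gmail.com
Subject: This is my cellphone number

"""

HOP = re.compile(r"from\s+(\S+)\s+\(.*?\[([0-9a-fA-F.:]+)\]\)\s+by\s+(\S+)", re.S)

def trace(raw, trusted_mx="mx.google.com"):
    """Return the hop recorded by our own MX plus its SPF verdict."""
    msg = message_from_string(raw)
    out = {"host": None, "ip": None, "spf": "none", "envelope": None}
    # Only the Received line stamped by the receiving MX is trustworthy;
    # anything below it was supplied by the sender and can be forged.
    for rcvd in msg.get_all("Received", []):
        m = HOP.search(rcvd)
        if m and m.group(3) == trusted_mx:
            out["host"], out["ip"] = m.group(1), m.group(2)
            break
    for ar in msg.get_all("Authentication-Results", []):
        if ar.split(";")[0].strip() != trusted_mx:
            continue  # ignore verdicts not written by our MX
        spf = re.search(r"\bspf=(\w+)", ar)
        env = re.search(r"smtp\.mail=\S+@([\w.-]+)", ar)
        out["spf"] = spf.group(1) if spf else "none"
        out["envelope"] = env.group(1).lower() if env else None
    out["from"] = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # The From domain is only vouched for when SPF passed for that same domain.
    out["from_verified"] = out["spf"] == "pass" and out["envelope"] == out["from"]
    return out
```

The IP returned by `trace(SPOOFED)` is the value to feed into a WHOIS lookup, which is the step the posts carry out by hand.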

For More information on Phishing Websites, Visit these links:

http://edode.blogspot.com/2009/04/i-can-help-you-trace-email-spammer.html

http://edode.blogspot.com/2008/11/know-about-phishing-websites.html