[nfbwatlk] Spam Message Analysis

Mike Freeman k7uij at panix.com
Tue Jan 24 03:50:52 UTC 2012 

Normally, I'd consider this off-topic. However, there has been a surfeit
lately of messages purporting to come from American Airlines, Fedex, the FBI
and a host of other more-or-less reputable institutions. They're all spam.

 

It's instructive to look at the Internet headers for such a message. I
reproduce those for a message to me purportedly coming from FedEx notifying
me of a shipment which I must verify, of course, by downloading a form in an
attachment which, of course, contains a virus or Trojan that probably turns
my computer into a "zombie" that sends out spam messages for some nefarious
soul.

 

Anyway, here are the Internet headers. I realize it may look and sound like
gobldygook but read carefully.

 

X-Vipre-Scanned: 0015CE37002CB60015CF84

>From rowdyismoi15 at us-cert.gov Mon Jan 23 11:28:54 2012

Lines: 3749

Return-Path: <rowdyismoi15 at us-cert.gov>

X-Original-To: k7uij at panix.com

Delivered-To: k7uij at panix.com

Received: from mail2.panix.com (mail2.panix.com [166.84.1.73])

                by mailbackend.panix.com (Postfix) with ESMTP id 7A5CA2EBE3

                for <k7uij at panix.com>; Mon, 23 Jan 2012 11:22:24 -0500 (EST)

Received: from host172-3-static.90-82-b.business.telecomitalia.it
(host172-3-static.90-82-b.business.telecomitalia.it [82.90.3.172])

                by mail2.panix.com (Postfix) with SMTP id E6D9638E4F

                for <k7uij at panix.com>; Mon, 23 Jan 2012 11:19:41 -0500 (EST)

Received: from [80.195.73.6] (helo=cnfntdkpo.dotsfvsherb.tv)

                by host172-3-static.90-82-b.business.telecomitalia.it with
esmtpa (Exim 4.69)

                (envelope-from )

                id 1MM7FV-6971wr-M0

                for <k7uij at panix.com>

Cc: <kadal at panix.com>,

                <7ku at panix.com>,

                <dwl at panix.com>,

                <epv at panix.com>; Mon, 22 Jan 2012 17:19:57 +0100

From: 'FedEx" <noreply at fedex.com>

To: <<k7uij at panix.com>

Cc: <kadal at panix.com>,

                <7ku at panix.com>,

                <dwl at panix.com>,

                <epv at panix.com>>

Subject: FedEx, Shipment Notification

Date: Mon, 22 Jan 2012 17:19:57 +0100

MIME-Version: 1.0

X-Priority: 3

X-Mailer: htxf 51

Message-ID: <2891133411.GV20DX18658185 at rxiwqvwyvmrfsau.jnwwmtlllcpzva.biz>

Content-Type: multipart/mixed;

  boundary="----=a__xrnwpayyra_55_10_35"

 

Now then: notice that my Internet security didn't necessarily catch this.
However, you see that the email was sent to my Panix account via an ISP in
Italy which was caused to send the email by an ISP with a domain in Tuvalu,
a Pacific island that a lot of spammers like to use. Also notice that while
the email itself doesn't show it was sent to others, in fact, it was sent to
several other people using Panix as their ISp.

 

Bottom line: if you didn't request it, buy it or otherwise solicit it or if
it seems to be too good to be true, it's spam and probably a scam of some
sort to boot.

 

Mike Freeman

More information about the NFBWATlk mailing list