Author Topic: how do I block this?  (Read 1415 times)

Offline jchuzi

  • TS Addict
  • Posts: 3068
how do I block this?
« on: November 30, 2019, 12:54:49 PM »
My wife and I have been inundated with spam for the last few days (different spurious offers but always from the same source). Oddly, it started with both our email addresses; we rarely got spam before this. I suspect that our ISP has been hacked but I'll never know.

Our ISP (Spectrum, aka Time Warner) has an option in our webmail to block senders, but I don't know what to enter. It has to be an email address and I did enter the one in the Reply To field (see the default headers below). This has not been successful. What should I enter in our webmail preferences? Any other suggestions?

Reply-To: doxanam1@gtin.matarovilla.icu
Sender: marine-embassy-guard-association.promo4u.pro
Content-Type: text/html
X-Cmae-Envelope: ⁨MS4wfPux0ijNv8XlxypW1BFb5sIfOaroRK+6rU2FIH6MzrP0X2nDe4Kh1vYL3+Jy589cgsOJz5LJYhmBdUKOQ8W+gQVbLqKFCco/DXgEeQhfmDBIl/aBUZ32 d/x3COpWhJXe4OF82/ijgJDORc5UTQcoBKQIKM1Z4zshBA5Y+Ye9JZO0yAUmNuH9u3wasrF3aaOKb9wjIEJLR6Xq1Ww28Q0WoD5BIX4cUDb2DKCmqcD31rbP 2kwUaCDY6SzOIQ9YQVoct2yiEjulZZ9gpFZlcaWTNYIyukw0wyNmYcIF7I+23vg0v1LzEJD+qMr+OSROGUQndg==⁩
Received: from dnvrco-cmimta15 ([107.14.174.244]) by cdptpa-fep27.email.rr.com (InterMail vM.8.04.03.24 201-2389-100-172-20151028) with ESMTP id <20191130182805.SZPQ7378.cdptpa-fep27.email.rr.com@dnvrco-cmimta15> for <jonsemailaddy>; Sat, 30 Nov 2019 18:28:05 +0000
Received: from orkxsh.silverbackflow.com ([13.58.63.206]) by esmtp with ESMTP id b7SuiA5Ech1Afb7TQirCjH; Sat, 30 Nov 2019 18:28:05 +0000
Received: from mta2.email.ulta.com () by esmtp with ESMTP id ya22gUsOIqaEdya23gRlsg; Sat, 30 Nov 2019 18:52:51 +0100
Return-Path: <>
Return-Path: <>
Return-Path: <jonsemailaddy>
Return-Path: return@insidtimes.net
Return-Path: <return@kalnearshow.club>
<20191130182805.SZPQ7378.cdptpa-fep27.email.rr.com@dnvrco-cmimta15>
« Last Edit: November 30, 2019, 12:58:59 PM by kimmer »
Jon

macOS 11.7.10, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

Offline kimmer

  • Administrator
  • TS Addict
  • Posts: 9086
Re: how do I block this?
« Reply #1 on: November 30, 2019, 01:00:18 PM »
I don't have an answer for you, but I did go in and remove your email address and replace it with:

jonsemailaddy

No need to add to your spam. ;)

Offline jchuzi

  • TS Addict
  • Posts: 3068
Re: how do I block this?
« Reply #2 on: November 30, 2019, 01:02:46 PM »
As an addendum, I just saw an email address (which I neglected to post) that comes from a specific company. I entered that with my webmail and we'll see what happens.
Jon

Offline Xairbusdriver

  • Administrator
  • TS Addict
  • Posts: 26349
  • 27" iMac (mid-17), Big Sur, Mac mini, Catalina
Re: how do I block this?
« Reply #3 on: November 30, 2019, 02:47:02 PM »
I would assume your ISP would want the "promo4u.pro". Unless you don't want any 'promos 4 U'. :rolleyes: Of course, these addy's can be spoofed, so you may never know where they actually originated.

Even if you are using SpamSieve, you could set up a Rule in Mail to 'Mark as read' and 'Move to someMailbox' (Trash/Junque/Spam/etc.). See image below.

I'd suggest starting with only the first one or two items and add more if needed. Just check the mailbox you send them to for a few days to be sure the Rule is not catching good messages from your good friend, doxanam1. :p
THERE ARE TWO TYPES OF COUNTRIES
Those that use metric = #1 Measurement system
And the United States = The Banana system
CAUTION! Childhood vaccinations cause adults! :yes:

Offline Paddy

  • Administrator
  • TS Addict
  • Posts: 13791
    • https://www.paddyduncan.com
Re: how do I block this?
« Reply #4 on: November 30, 2019, 05:40:43 PM »
Like spoofed phone calls, email spam is almost always spoofed too. The reply to/from fields are rarely, if ever, real. In order to get that info easily, put the email through spamcop.net - that will give you the real from address.

But even if you have that - it's like playing whack-a-mole; they rarely use the same email address twice.

Use the filters in Mail (or whatever you're using) to specify other things - subject lines etc., in order to more effectively dump the spam in the spam folder. You'll have to play around with it to see what will work. The ISP option to block particular email addresses is generally not all that useful against spam of this sort, I'm afraid.
"If computers get too powerful, we can organize them into committees. That'll do them in." ~Author unknown •iMac 5K, 27" 3.6Ghz i9 (2019) • 16" M1 MBP(2021) • 9.7" iPad Pro • iPhone 13

Offline jchuzi

  • TS Addict
  • Posts: 3068
Re: how do I block this?
« Reply #5 on: November 30, 2019, 05:50:42 PM »
I found that the domain name (at least I think that it is the domain name) is marine-embassy-guard-association.promo4u.pro. I entered that into my webmail and also created a rule in Mail. So, time will tell...

I used that marine-(etc.) name as a domain name, and the webmail site accepted it (it had rejected previous attempts that lacked @ something, but I hadn't tried this one). I set up a rule in Mail about this, so time will tell.

In the meantime, I took a look at some more info, but this time in Entourage. I have deleted my wife's email address. Maybe someone can interpret it:

Return-Path: <>
Received: from dnvrco-cmimta11 ([107.14.174.244])
          by cdptpa-fep23.email.rr.com
          (InterMail vM.8.04.03.24 201-2389-100-172-20151028) with ESMTP
          id <20191130192143.QSPY7310.cdptpa-fep23.email.rr.com@dnvrco-cmimta11>
          for <deleted by jchuzi>; Sat, 30 Nov 2019 19:21:43 +0000
Received: from jyimkurj.silverbackflow.com ([18.222.143.115])
   by esmtp with ESMTP
   id b8J2iyByCplz6b8JLiBjj4; Sat, 30 Nov 2019 19:21:43 +0000
Received: from mta2.email.ulta.com ()
    by esmtp with ESMTP
    id ya22gUsOIqaEdya23gRlsg; Sat, 30 Nov 2019 19:02:34 +0100
Reply-to: <doxanam1@gtin.matarovilla.icu>
Return-Path: <>
Return-Path: <deleted by jchuzi>
Return-Path: return@insidtimes.net
Return-Path: <return@kalnearshow.club>
Sender: marine-embassy-guard-association.promo4u.pro
Subject: =?UTF-8?B?SGF2ZSB5b3Ugb3IgYSBsb3ZlZCBvbmUgZGV2ZWxvcGVkIGNhbmNlciBhZnRlciB1c2luZyBSb3VuZHVwIHdlZWQga2lsbGVyID8/?=
To: cchuzi@hvc.rr.com
Date: Mon, 21 Dec 2899 23:59:59 +0000 (EDT)
From: =?UTF-8?B?LSBBRyBBdHRvcm5leXM=?=  <PEytBzf@zabiton.com>
Content-Type: text/html
X-CMAE-Envelope: MS4wfAbD02SfagEgVE4HlOVjT2LeyeSVvWq6QJc0gu/M2qcsi+qUefXGz8UyXkIjidpS91tUsY5lLc3wzaxo5nALkYCQUXjzJl9a7H4q1ArJD+66sIglEwjp
 9+PWLOOOFIruoi0QJ2FRBrtb36rXH/VDKpRpnoihn6xx1E+P/UJuU8Qj
Message-Id: <20191130192143.QSPY7310.cdptpa-fep23.email.rr.com@dnvrco-cmimta11>
« Last Edit: November 30, 2019, 06:01:16 PM by jchuzi »
Jon

Offline Xairbusdriver

  • Administrator
  • TS Addict
  • Posts: 26349
  • 27" iMac (mid-17), Big Sur, Mac mini, Catalina
Re: how do I block this?
« Reply #6 on: November 30, 2019, 07:07:26 PM »
I agree with Paddy, pick something else in the message. My bad.

The advantage of something like SpamSieve is that it can 'remember' what is similar in any two messages that you mark as Spam. They aren't usually the obvious things like domain names or addys.

BTW, "promo4u" could be a domain name. But as Paddy reminds us, it's likely to be spoofed. The whole thing, with the dot separators, cannot be a registered domain according to name rules (you cannot use "_" either).

Offline Paddy

  • Administrator
  • TS Addict
  • Posts: 13791
    • https://www.paddyduncan.com
Re: how do I block this?
« Reply #7 on: December 01, 2019, 10:35:21 AM »
Jon, put the raw source email through spamcop.net - it's MUCH better at figuring out the real source than I've ever been. There are 4 different addresses in the reply to, return to, sent from addresses - it's definitely spoofed.

I did try it (had to put my email address in where you'd taken your wife's out) and added some random text from another email for the body, but all I got back was to submit the report to abuse#amazonaws.com@devnull.spamcop.net - which is just cloud based storage/hosting that boatloads of people use. There are undoubtedly links in the BODY of the email that are in fact, probably more valuable in determining who the spammer is. Again - those may be relayed all over the place, but SpamCop's algorithms are extremely good at ferreting them out.

That said, it won't help a whole lot in the attempt to block the spam; you'll need to come up with some commonalities that can be used for that. Subject lines (although they often garble those to prevent you from using them as blocking mechanisms...how many different silly ways can you spell "viagra"???) sometimes work.

Offline jchuzi

  • TS Addict
  • Posts: 3068
Re: how do I block this?
« Reply #8 on: December 03, 2019, 05:26:33 PM »
I entered marine-embassy-guard-association.promo4u.pro in the Block field with my ISP and haven't received any spam since. Fingers crossed...

I assume that this is a domain name but I don't know how to tell from the list that I posted earlier. BTW, what does "domain name" mean?
Jon

Offline Xairbusdriver

  • Administrator
  • TS Addict
  • Posts: 26349
  • 27" iMac (mid-17), Big Sur, Mac mini, Catalina
Re: how do I block this?
« Reply #9 on: December 03, 2019, 09:53:16 PM »
As I understand it, the "marine.embassy.guard.association." may be a sub-domain of the actual "promo.pro". Top level domains are things like "com" or "org" or "net". But there are much more specialized combos as ICANN finds new ways to divide the web. I'd never heard of the "PRO" top level domain [TLD], but it is listed at this ICANN page. I can see how it could be useful for many companies.... or even a tech help site! :coolio: :p

BTW, like email addy's, no capitals are needed or 'seen'; domain names are case-INsensitive: "PRO" is the same as "Pro" is the same as "pro".

I was looking just a few weeks ago into using periods or hyphens to help make a domain name more human-readable and found several links claiming they could not be used in registering a domain name. I did not pursue that scheme any further but did see that a sub-domain could use those marks.

A site I visit daily has a wiki site connected to the primary site. It's a site that a developer has for a Mac weather-collecting app. The main site's URL is trixology.com. The "wiki" sub-domain is wiki.trixology.com. Theoretically, one could block "trixology.com" and 'kill' both sites with one 'stone'. Adding all those extra words could possibly block only that one peculiar sub-domain. :dntknw:

Offline jchuzi

  • TS Addict
  • Posts: 3068
Re: how do I block this?
« Reply #10 on: December 05, 2019, 05:50:32 AM »
Jon

Offline Paddy

  • Administrator
  • TS Addict
  • Posts: 13791
    • https://www.paddyduncan.com
Re: how do I block this?
« Reply #11 on: December 05, 2019, 01:11:55 PM »
promo4u.pro is the registered domain. The rest is subdomain/subfolders.

When looking at domain URLs, look for the "." AND a TLD extension (top level domain). I.e.: fredswhizbangwebsiteohlookitsabird.what.monkeysontypewriters.com/youthoughtthiswasreal/ - monkeysontypewriters.com is the domain. The first bit is a subdomain, the last bit is the page/file name.

A full list of TLDs can be found here: https://tld-list.com/tlds-from-a-z (there are a whole lot of them - and lots I've never seen before!)

And you can buy monkeysontypewriters.com for a mere $2695. :eek:
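Pulling together jchuzi's header dump from Reply #5 and Paddy's point in Reply #11 about which part of a hostname is the registered domain, here is an added Python triage script (written for this thread, not by any of the posters): it decodes the RFC 2047 Subject and From, walks the Received chain to find the lowest hop that carries a server-recorded IP (the host that really connected to the ISP), reduces each claimed address to its registrable domain, and flags the far-future Date. The headers are copied from Reply #5; the "last two labels" domain rule is a simplification noted in the code.

```python
import re
from datetime import datetime, timezone
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr, parsedate_to_datetime

# Headers copied from jchuzi's Reply #5 (trimmed to the lines the triage uses).
RAW = """\
Received: from dnvrco-cmimta11 ([107.14.174.244]) by cdptpa-fep23.email.rr.com with ESMTP; Sat, 30 Nov 2019 19:21:43 +0000
Received: from jyimkurj.silverbackflow.com ([18.222.143.115]) by esmtp with ESMTP id b8J2iyByCplz6b8JLiBjj4; Sat, 30 Nov 2019 19:21:43 +0000
Received: from mta2.email.ulta.com () by esmtp with ESMTP id ya22gUsOIqaEdya23gRlsg; Sat, 30 Nov 2019 19:02:34 +0100
Reply-to: <doxanam1@gtin.matarovilla.icu>
Return-Path: <return@kalnearshow.club>
Sender: marine-embassy-guard-association.promo4u.pro
Subject: =?UTF-8?B?SGF2ZSB5b3Ugb3IgYSBsb3ZlZCBvbmUgZGV2ZWxvcGVkIGNhbmNlciBhZnRlciB1c2luZyBSb3VuZHVwIHdlZWQga2lsbGVyID8/?=
Date: Mon, 21 Dec 2899 23:59:59 +0000 (EDT)
From: =?UTF-8?B?LSBBRyBBdHRvcm5leXM=?=  <PEytBzf@zabiton.com>
"""
HOP_RE = re.compile(r"from\s+(\S+)\s+\(\[?([0-9.]*)\]?\)")

def registrable_domain(s):
    # Keep the last two labels (promo4u.pro out of marine-...promo4u.pro).
    # Simplification: real tools consult the Public Suffix List so that
    # example.co.uk is not cut down to co.uk.
    host = s.strip("<> ").rsplit("@", 1)[-1].split("/", 1)[0].lower()
    return ".".join(host.split(".")[-2:])

def hops(msg):
    # Received lines, top = nearest to you. The bracketed IP was recorded by
    # the receiving server; a hop with none is text nobody verified.
    found = [HOP_RE.search(" ".join(v.split())) for v in msg.get_all("Received", [])]
    return [(m.group(1), m.group(2) or None) for m in found if m]

def decoded(msg, name):
    return str(make_header(decode_header(msg[name])))  # undo RFC 2047 =?UTF-8?B?...?=

def triage(raw=RAW):
    msg = message_from_string(raw)
    chain = hops(msg)
    # The lowest hop with a recorded IP is the host that actually connected to
    # the provider; everything beneath it (the "ulta.com" line) is unverified.
    handoff = next((h for h in reversed(chain) if h[1]), None)
    claims = {k: registrable_domain(v) for k, v in [
        ("From", parseaddr(decoded(msg, "From"))[1]), ("Reply-To", msg["Reply-to"]),
        ("Return-Path", msg["Return-Path"]), ("Sender", msg["Sender"])]}
    return {"subject": decoded(msg, "Subject"), "chain": chain, "handoff": handoff,
            "claims": claims, "distinct_claims": len(set(claims.values())),  # 4, as Paddy counted
            "date_in_future": parsedate_to_datetime(msg["Date"]) > datetime.now(timezone.utc)}
```

The handoff it reports (silverbackflow.com on 18.222.143.115) is the only hop the ISP itself recorded, which is consistent with the amazonaws result SpamCop gave Paddy; the four distinct claimed domains are why blocking any single address keeps missing.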