Author Topic: Another Spam Scam?  (Read 3369 times)

Offline Mayo

Another Spam Scam?
« on: February 08, 2004, 02:30:58 PM »
A few days ago I received the following message; the e-mail address has been changed to protect the innocent, if that should turn out to be the case. I have also chopped off the last half of the reply URL just in case clicking it would cause me problems...


Content-Type: text/html;

This is an automatic reply to your email message to nospam@earthlink.net

This email address is protected by EarthLink spamBlocker. Your email message has been redirected to a "suspect email" folder for nospam@earthlink.net. In order for your message to be moved to this recipient's Inbox, he or she must add your email address to a list of allowed senders.

Click the link below to request that nospam@earthlink.net add you to this list.

https://webmail.pas.earthlink.net/wam/addme? blahblahblah


I was suspicious of the e-mail because I was not familiar with the e-mail address.  I did a quick search of my Sent Mail folder in Eudora and the address did not turn up, so I doubt that I ever sent anything to it.

A spam report to Spamcop brought up a message that the e-mail is a "bounce" so no action was taken by Spamcop.

So am I paranoid or what???

Offline Paddy

« Reply #1 on: February 08, 2004, 04:52:26 PM »
My guess - probably generated when an email containing the MyDoom virus was sent to an Earthlink address. The return addresses are always spoofed - and yours was the lucky choice. Someone you know no doubt has a) you in his/her address book and b) is infected with MyDoom and c) the virus sent an email to an Earthlink address.

I've had 10 emails in the past 24 hours containing (blocked) MyDoom virus attachments or notices to the effect that something I tried to send to someone I've never heard of before has been bounced. I even got one email from someone I've never heard of before telling me that due to the number of virus-laden emails he's been receiving, he is de-activating his account. This was an auto-response...no doubt to yet another case of one of my email addresses being spoofed by the darn virus.

I think that Comcast is actually blocking the virus - everything that arrives that clearly started life as one of the virus-containing emails has "BlockedAtt.txt" as the attachment - a 1K (empty) text file, rather than the executable nasty that MyDoom sends out. The file extension is the giveaway here - it's not executable. Some of the virus emails have .txt extensions, but they always have an additional (real) extension for an executable file, like .exe or .pif or .bat.

So, the email you received was probably legit, but the reason it was sent wasn't. At least that's my guess.
"If computers get too powerful, we can organize them into committees. That'll do them in." ~Author unknown
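
The extension check described in the post above, as an added example that is not part of the original thread: it parses a constructed message and classifies each attachment by its last extension, treating an earlier harmless-looking extension as a disguise. The sample message, the function names and the verdict labels are assumptions made for illustration.

```python
# Added example: classify attachments by their real (last) extension.
import os
from email import message_from_string

EXECUTABLE_EXTS = {".exe", ".pif", ".bat"}  # the extensions named in the post above

# Constructed sample message; addresses and filenames are made up.
SAMPLE = """\
From: someone@example.com
To: someone.else@example.net
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

See attached.
--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="readme.txt      .pif"

placeholder
--BOUND
Content-Type: text/plain
Content-Disposition: attachment; filename="BlockedAtt.txt"

(empty)
--BOUND--
"""

def classify(filename):
    """Judge a filename by its last extension, ignoring space padding before it."""
    name = filename.strip().lower()
    stem, last = os.path.splitext(name)
    if last not in EXECUTABLE_EXTS:
        return "not-executable"
    # An extra extension before the real one (.txt.pif) is the disguise.
    inner = os.path.splitext(stem.rstrip())[1]
    return "disguised-executable" if inner else "executable"

def attachment_verdicts(raw_message):
    """Map each attachment filename in a raw message to its verdict."""
    msg = message_from_string(raw_message)
    return {part.get_filename(): classify(part.get_filename())
            for part in msg.walk() if part.get_filename()}

if __name__ == "__main__":
    for name, verdict in attachment_verdicts(SAMPLE).items():
        print(repr(name), verdict)
```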

Offline ()

« Reply #2 on: February 10, 2004, 10:22:54 PM »
I've often wondered why the servers don't scan emails being sent to block these viruses. Comcast, Earthlink, Verizon, AOL and all the others should do this as a service to their valued customers and clients.

Offline sandbox

« Reply #3 on: February 11, 2004, 02:37:56 AM »
Mayo
Earthlink has the option in Webmail to filter everything that is not in the Address Folder on the Web Mail Server Side.

If you choose to select the highest filter rating, only the people that you select can get through. Someone has turned on the HIGH FILTER and didn’t include your address in the webmail address book. If you follow the instructions, the recipient will be contacted and told that s/he has blocked you, at which time they can choose to allow you access or not.

Spamblocker has an option to set LOW, MED, HIGH; high only allows addresses in the address book.

 Check Mail
 Compose Message
 spamBlocker (MED)



If you have Earthlink, open your webmail window and you can see the address book that needs to contain the allowed addy’s for the messages to pass.

 Address Book
 Preferences
 Find Message
 Help
 Sign Out

Give Your Feedback!
 B)

This info is found in a secure file, so I couldn't give you the link.
 
QUOTE
Selecting Your Level of spam Protection

spamBlocker features two levels of spam protection: Known spam Blocking and Suspect Email Blocking. Understanding how each level works will help you determine the best level of protection for your email address.

You can change your level of spam protection (or turn spamBlocker off altogether) through spamBlocker Settings.

Note: Certain email messages will always appear in your Inbox, regardless of your spamBlocker settings. These include Allowed Sender Requests and summaries sent by spamBlocker; most "bounced" email notices generated when you send messages to invalid email addresses; and messages from EarthLink regarding your account, Customer Support, and EarthLink products and services (you can stop receiving messages about products and services by following the unsubscribe instructions in those emails).

Known spam Blocking

Known spam Blocking is spamBlocker's basic level of protection. It is enabled by default on all EarthLink email addresses. (Known spam Blocking essentially works the same way that EarthLink's former anti-spam tool, spaminator, worked.)

spamBlocker is constantly being updated to recognize new spam circulating on the Internet. To identify junk email messages, spamBlocker uses a network of specially created email addresses that attract vast quantities of spam. It then analyzes any messages that appear to be bulk email, i.e., those that are sent to many of spamBlocker's email addresses.

spamBlocker examines these messages for forged headers, invalid unsubscribe information, and other telltale signs that a message is spam. If the message is spam, spamBlocker creates filters to keep it from reaching your Inbox.

Because spamBlocker analyzes messages sent to its own network of email addresses only, it doesn't see personal email sent directly to your email address.

When Known spam Blocking is active, spamBlocker checks each of your incoming messages to determine whether it matches any of the junk email that spamBlocker knows about.

If a message matches, spamBlocker intercepts it and stores it in your Known spam folder (which you can open by clicking the Known spam tab in the spamBlocker interface). If a message does not match, spamBlocker allows the message to reach your Inbox.

Note: Messages in your Known spam folder remain on EarthLink's incoming email server, but they don't count toward your 10MB mailbox storage limit. spamBlocker automatically deletes old Known spam messages periodically.

Known spam Blocking might provide all the protection you need. And because it requires no action on your part, it's the easiest option. However, you might receive messages in your Inbox that you consider to be spam, even though spamBlocker hasn't classified them as junk email. If this occurs, you can activate Suspect Email Blocking.

Suspect Email Blocking

Suspect Email Blocking is disabled by default, and includes Known spam Blocking. You must activate it yourself if you wish to use it.

With Suspect Email Blocking, spamBlocker examines any message that Known spam Blocking has not intercepted. If the sender's email address or Company (Domain) (i.e., the portion of the email address after the @ symbol, such as earthlink.net) appears in your Address Book, spamBlocker allows the message to reach your Inbox normally.

If the sender's address or Company (Domain) does not appear in your Address Book, spamBlocker does three things:

1.   Intercepts the message and stores it online in your Suspect Email folder (which you can open by clicking the Suspect Email tab in the spamBlocker interface).
2.   Automatically replies to the sender with instructions on how to ask to be added to your Address Book
3.   Notifies you about the intercepted message in a summary you'll receive periodically via email (see spamBlocker Settings for more about email summaries)


Note: Messages in your Suspect Email folder remain on EarthLink's incoming email server and count toward your 10MB mailbox storage limit. spamBlocker automatically deletes Suspect Email messages that are more than 14 days old.

Suspect Email Blocking practically ensures that your Inbox will be spam-free. To be effective, however, Suspect Email Blocking requires that you maintain a list of email addresses and Companies (Domains) you want to receive email from in your Address Book.

Suspect Email Blocking works in conjunction with Known spam Blocking. You cannot use Suspect Email Blocking by itself.

« Last Edit: February 11, 2004, 02:46:09 AM by sandbox »
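
The delivery flow in the help text quoted above, as an added example that is not part of the original thread or EarthLink's code: a simplified model showing why a message with a forged sender makes the automatic reply land on a bystander. All names are hypothetical, Known spam matching is reduced to a lookup of known bodies, and the periodic summary (step 3) is left out.

```python
# Added example: simplified model of the quoted spamBlocker flow (names hypothetical).
from dataclasses import dataclass, field

@dataclass
class Mailbox:
    address: str
    address_book: set = field(default_factory=set)  # full addresses and bare domains
    suspect_blocking: bool = False                   # disabled by default, per the help text
    inbox: list = field(default_factory=list)
    known_spam: list = field(default_factory=list)
    suspect: list = field(default_factory=list)

def deliver(box, msg, known_spam_bodies):
    """File msg into a folder; return the automatic reply if one is sent, else None."""
    sender = msg["from"].strip().lower()
    domain = sender.rsplit("@", 1)[-1]
    if msg["body"] in known_spam_bodies:   # Known spam Blocking (stand-in match)
        box.known_spam.append(msg)
        return None
    if not box.suspect_blocking:
        box.inbox.append(msg)
        return None
    if sender in box.address_book or domain in box.address_book:
        box.inbox.append(msg)
        return None
    box.suspect.append(msg)                # step 1: hold in Suspect Email
    # Step 2: the reply goes to whatever the From header claims. Nothing here
    # proves that address wrote the message, so a forged From sends the
    # automatic reply to someone who never mailed this mailbox.
    return {"from": box.address, "to": sender,
            "body": "automatic reply: ask to be added to the allowed senders"}

def demo():
    """Run four constructed messages through a mailbox with Suspect Email Blocking on."""
    box = Mailbox("nospam@earthlink.net", {"friend@example.org", "example.net"},
                  suspect_blocking=True)
    spam = {"BUY NOW"}
    forged = {"from": "bystander@example.com", "body": "worm attachment"}
    known = {"from": "friend@example.org", "body": "lunch?"}
    by_domain = {"from": "anyone@example.net", "body": "hello"}
    junk = {"from": "bulk@example.com", "body": "BUY NOW"}
    replies = [deliver(box, m, spam) for m in (forged, known, by_domain, junk)]
    return box, replies

if __name__ == "__main__":
    box, replies = demo()
    print(len(box.inbox), len(box.suspect), len(box.known_spam), replies[0]["to"])
```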

Offline Mayo

« Reply #4 on: February 11, 2004, 10:33:02 AM »
SB, the URL in the link doesn't look right to me...  Shouldn't earthlink.net be the first part of the address, instead of webmail.pas.earthlink.net?

I have a friend who uses Earthlink and whenever his filters have snagged an e-mail of mine I get an automatic message from Earthlink stating that HE has to tell the filter system to allow my mail through.  I don't recall ever getting a message with a link like that one...

Offline Diana

« Reply #5 on: February 11, 2004, 12:02:35 PM »
Hi Mayo,

Sandbox has explained Earthlink's service very well, but Paddy is most likely correct when it comes to your situation.

You didn't recognize the email address because you truly don't know that person. A virus was sent to that address from someone who has you and that person in their address book somewhere. The problem is that the virus was sent out with your address spoofed as the sender, and the receiver, having opted for Earthlink's blocking service, has returned the request for authentication to you (this is automatically done by Earthlink).

You can safely ignore this. You're also running up against the hard wall we are facing when trying to decide how to handle spam. I hate spam/viruses as much as anyone, but these "challenge/response" systems are a pain...especially if the person challenged doesn't understand how to respond. Mostly I refuse to respond. If I really need to contact someone, I call them on the phone and ask them to add me to their whitelist. My own personal rebellion I guess.

If one is running a business, the challenge/response option may cause one to lose a lot of business. Local filters are probably a better option for people doing business.

see ya
Diana
Sysadmin Rule #14: If it's not on fire, it's a software issue.

Registered Linux user 290473
http://counter.li.org/
http://www.crestcomm.com/diana/gnupg.txt for GnuPG public key  

Offline sandbox

« Reply #6 on: February 12, 2004, 02:04:44 AM »
My mistake Diana, I thought he was unfamiliar with the Earthlink address.

Mayo these are the short versions of Earthlink webmail, past here .JSP is # &more#

login. notice the httpS://
https://webmail.pas.earthlink.net/wam/login.jsp

inside
https://webmail.pas.earthlink.net/wam/index.jsp
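
A way to check where a link like the ones in this thread actually points, as an added example that is not part of the original posts: hostnames are read right to left, so the check compares the end of the host against the expected domain on a label boundary. The function name and the constructed test URLs are assumptions; only the first URL comes from the thread.

```python
# Added example: check that a link's host sits under the expected domain.
from urllib.parse import urlsplit

def link_problems(url, expected_domain):
    """Return a list of reasons to distrust url as a link to expected_domain."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    expected = expected_domain.lower()
    problems = []
    if parts.scheme != "https":
        problems.append("not https")
    # Anything before an "@" in the authority is login info, not the host.
    if "@" in parts.netloc:
        problems.append("userinfo before the host")
    # Compare on a label boundary: the host must equal the domain or end with
    # "." + domain. A bare endswith(domain) would accept look-alike names.
    if not (host == expected or host.endswith("." + expected)):
        problems.append("host is outside " + expected)
    return problems

CASES = [
    "https://webmail.pas.earthlink.net/wam/login.jsp",     # from the thread
    "http://webmail.pas.earthlink.net/wam/login.jsp",      # constructed
    "https://earthlink.net.example.com/wam/login.jsp",     # constructed
    "https://webmail.pas.earthlink.net@example.com/wam/",  # constructed
]

if __name__ == "__main__":
    for url in CASES:
        print(url, link_problems(url, "earthlink.net") or "ok")
```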

Offline Diana

« Reply #7 on: February 12, 2004, 05:43:35 AM »
Hi Sandbox,

I'm sorry if I made you think I thought you made a mistake.. I thought your explanation was great...and useful...

I should have spent my time explaining the "funny" URL that starts with webmail.pas.earthlink.net. But I'm not sure now if Mayo was asking why the webmail.pas came before earthlink.net or if it was the httpS thing...

I'm confused. I'll speak again when I recover.
Diana

Offline sandbox

« Reply #8 on: February 12, 2004, 01:53:32 PM »
O Hi up there, which is like OHiO only different.

Being a Northerner you probably have a different perspective Diana.

As a Buoy from Further South I look at thangs from a warmer climate, blinding light, and only after consulting with my Grouper Cheeks.