louiscar
Up to speed
Message 1 of 24

How does this spam get to me?

Hi, can someone with a bit more knowledge tell me how to interpret this spam I'm getting on a regular basis ... or more to the point how it ends up coming to me.

For the sake of not revealing any emails:

The "To" address always points to [name I've never heard of]@virginmedia.com.

It then gets sent to me "Delivered-to" [My no spam address]@ntlworld.com

The final address is the autoforward and obviously I don't need to know that: [autoforwarded to my main address]@ntlworld.com

1) So is the [name I've never heard of]@virginmedia.com a real address?

2) How does it end up being sent to my address that doesn't resemble the above in any way shape or form? Is it something to do with a list given via the envelope?

3) Given this header, what is the best rule to catch this kind of spam so I can discard it?
The content, btw, shows nothing, and that's because it appears to be just a graphic (malicious probably, which is suppressed by my emailer) .. something on the lines of (the name has been changed so it can't be accidentally accessed here):

<img src="htt p://rtytrubnerter.diskstation.org/2/21449/84435/ CSdbNPITHgbNP.jpg"

Header follows:

Return-Path: <actisjbbdg@frolves.com>
Delivered-To: [autoforwarded to my main address]@ntlworld.com
Received: from md7.tb.ukmail.iss.local ([212.54.57.72])
	by mc13.tb.ukmail.iss.local with LMTP id WOK3F2BIs17/OgAA1nWJCQ
	for <[autoforwarded to my main address]@ntlworld.com>; Thu, 07 May 2020 01:29:36 +0200
Received: from smtpclienthelo ([212.54.57.72])
	by md7.tb.ukmail.iss.local with LMTP
	id kKWPF2BIs14VBAAAKMCudg
	(envelope-from <actisjbbdg@frolves.com>)
	for <[autoforwarded to my main address]@ntlworld.com>; Thu, 07 May 2020 01:29:36 +0200
Authentication-Results: ukmail.iss.as9143.net;
 spf=fail (212.54.57.96;frolves.com);
 dkim=none (nosigs);
 dmarc=none header.from=frolves.com (dis=no_record);
X-Env-Mailfrom: actisjbbdg@frolves.com
X-Env-Rcptto: [autoforwarded to my main address]@ntlworld.com
X-SourceIP: 212.54.57.96
X-CNFS-Analysis: v=2.3 cv=FYisOK26 c=1 sm=1 tr=0 cx=a_idp_d
 a=rKl3PZ0TtsH76cviVwgYBQ==:117 a=wq2Z/hoWpVKiPtzUGXrq5Q==:17
 a=nQ-YXP8VlB8A:10 a=kj9zAlcOel0A:10 a=sTwFKg_x9MkA:10 a=PrpRM141AAAA:8
 a=tzWKxGkgqY_axSgrHJAA:9 a=CjuIK1q_8ugA:10 a=Qn09J2JM2St7tfps9zDQ:22
 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=QOGEsqRv6VhmHaoFNykA:22
Received: from smtpq1.tb.ukmail.iss.as9143.net ([212.54.57.96])
	by mx5.tb.ukmail.iss.as9143.net with ESMTP
	id WTTsjIIWcVxLrWTTsjKXDv; Thu, 07 May 2020 01:29:36 +0200
Received: from [212.54.57.81] (helo=smtp2.tb.ukmail.iss.as9143.net)
	by smtpq1.tb.ukmail.iss.as9143.net with esmtp (Exim 4.86_2)
	(envelope-from <actisjbbdg@frolves.com>)
	id 1jWTTs-0002S1-8O
	for [autoforwarded to my main address]@ntlworld.com; Thu, 07 May 2020 01:29:36 +0200
Received: from mc23.tb.ukmail.iss.local ([172.25.161.154])
	by smtp2.tb.ukmail.iss.as9143.net with ESMTP
	id WTTsjiIl3MqBUWTTsjYLU0; Thu, 07 May 2020 01:29:36 +0200
X-Env-Mailfrom: actisjbbdg@frolves.com
X-Env-Rcptto: [autoforwarded to my main address]@ntlworld.com
X-SourceIP: 172.25.161.154
X-CNFS-Analysis: v=2.3 cv=FoieA1jq c=1 sm=1 tr=0
 a=Pzx6MAsZ1EY5yFFnCnr3+A==:117 a=wq2Z/hoWpVKiPtzUGXrq5Q==:17
 a=nQ-YXP8VlB8A:10 a=kj9zAlcOel0A:10 a=sTwFKg_x9MkA:10 a=PrpRM141AAAA:8
 a=tzWKxGkgqY_axSgrHJAA:9 a=CjuIK1q_8ugA:10 a=Qn09J2JM2St7tfps9zDQ:22
 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=QOGEsqRv6VhmHaoFNykA:22
X-Sieve: Pigeonhole Sieve 0.4.24.1 (dcfd6d4c)
X-Sieve-Redirected-From: [My no spam address]@ntlworld.com
Delivered-To: [My no spam address]@ntlworld.com
Received: from md4.tb.ukmail.iss.local ([212.54.57.69])
	by mc23.tb.ukmail.iss.local with LMTP id eK9rCGBIs15qJwAAWhTyXg
	for <[My no spam address]@ntlworld.com>; Thu, 07 May 2020 01:29:36 +0200
Received: from smtpclienthelo ([212.54.57.69])
	by md4.tb.ukmail.iss.local with LMTP
	id EG9BCGBIs14ABAAANIUTRA
	(envelope-from <actisjbbdg@frolves.com>)
	for <[My no spam address]@ntlworld.com>; Thu, 07 May 2020 01:29:36 +0200
Authentication-Results: ukmail.iss.as9143.net;
 spf=pass (51.15.159.167;frolves.com);
 dkim=none (nosigs);
 dmarc=none header.from=frolves.com (dis=no_record);
X-Env-Mailfrom: actisjbbdg@frolves.com
X-Env-Rcptto: [My no spam address]@ntlworld.com
X-SourceIP: 51.15.159.167
X-CNFS-Analysis: v=2.3 cv=atUp9RRV c=1 sm=1 tr=0 cx=a_idp_d
 a=wq2Z/hoWpVKiPtzUGXrq5Q==:117 a=wq2Z/hoWpVKiPtzUGXrq5Q==:17
 a=nQ-YXP8VlB8A:10 a=kj9zAlcOel0A:10 a=PrpRM141AAAA:8 a=tzWKxGkgqY_axSgrHJAA:9
 a=CjuIK1q_8ugA:10 a=Qn09J2JM2St7tfps9zDQ:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22
 a=QOGEsqRv6VhmHaoFNykA:22
Received: from frolves.com ([51.15.159.167])
	by mx2.tb.ukmail.iss.as9143.net with ESMTP
	id WTTmjlcg4kDeXWTTrjf4Rk; Thu, 07 May 2020 01:29:36 +0200
Subject: How To Really Get Rich From B!tcoins
From: "B!tcoin_Protocol" <jwISzjZfk@frolves.com>
Reply-to: <FndngmphQV@frolves.com>
To: [NAME I'VE NEVER HEARD  OF]@virginmedia.com
X-Originating-IP:  51.15.159.167
Content-Type: text/html; charset=us-ascii;
Content-Disposition: inline
Date: Wed, 06 May 2020 19:25:46 -0400
Message-ID: <IYpCGvDt@googel.com>
X-CMAE-Envelope: MS4wfEcIhEosm675Ia+SqVc8/slzBWu18NyKIIwmwfSve3FL92c6DqiJFjoTW0snNMQARF6KvS7rVJ9aV9yTuyDsfH5bD5ooZ1FX7G0zfVuJY6jHVi/E1HjX
 dZh18t+WxEKGKovAM/S9zbvu0EvEIhqA6RE0UynDtnQ2+6SJtR+ecey5zSDh0l2Qd2s1kzVGMaEAJTOKjCTwrJ+RmRftOh1b4tw=
用心棒
Very Insightful Person
Message 2 of 24
Helpful Answer

Re: How does this spam get to me?


@louiscar wrote:


1) So is the [name I've never heard of ]@virginmedia.com a real address

If it is a real email address then, like you, they are a victim.


2) How does it end up being sent to my address that doesn't resemble the above in any way shape or form? Is it something to do with a list given via the envelope?

The miscreant is using BCC


3) Given this header, what is the best rule to catch this kind of spam so I can discard it?
The content, btw, shows nothing, and that's because it appears to be just a graphic (malicious probably, which is suppressed by my emailer) .. something on the lines of (the name has been changed so it can't be accidentally accessed here):

AFAICS Virgin Media's spam filters are correctly identifying such email as spam.

To efficiently filter such emails would require matching text patterns within the email's source text, namely the image URL; however, whilst this is easily achieved on the server, it is not something webmail's Filter Rules can achieve (AFAIK).

As a Very Insightful Person, I'm here to share my knowledge. I don't work for Virgin Media.


用心棒
Very Insightful Person
Message 3 of 24

Re: How does this spam get to me?

Correction to my previous post: it seems such image spam is still getting past the spam filters. If the problem persists, please post back here and I will raise it with the forum team.

louiscar
Up to speed
Message 4 of 24

Re: How does this spam get to me?



3) Given this header, what is the best rule to catch this kind of spam so I can discard it?
The content, btw, shows nothing, and that's because it appears to be just a graphic (malicious probably, which is suppressed by my emailer) .. something on the lines of (the name has been changed so it can't be accidentally accessed here):

AFAICS Virgin Media's spam filters are correctly identifying such email as spam.

To efficiently filter such emails would require matching text patterns within the email's source text, namely the image URL; however, whilst this is easily achieved on the server, it is not something webmail's Filter Rules can achieve (AFAIK).

Thanks for the answers .. didn't think of BCC.

The reason I posted, though, is that VM is NOT stopping some of these from coming through.
I did go and look at the spam folder on the Web UI for that account, and indeed it has put some of them there. However, a bunch of these are getting through.

I have set up a filter to look at the to: field which quotes the [name I haven't heard of]@virginmedia.com. This is always the same so I hope this will catch that at least and today nothing came through. I'll see what happens in the next few days.

What is curious is how VM's spam filters are catching some and not others. I sandboxed the graphic links on some of the emails, and indeed they are advert graphics for different things, e.g. Bitcoin investments, porn or medical stuff, all bogus and designed to make you go and sign up to something.

Thanks again for the clarifications
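The two points made above (the reply's "the miscreant is using BCC" explanation and the poster's filter on the To: field) are easier to see with a script that walks the headers the way a mail admin would. The following is an added example written for this thread; it is not code from the forum or from Virgin Media. It uses only the Python standard library. The sample header is a shortened, constructed copy of the one posted in message 1, with the bracketed addresses replaced by the made-up placeholders `main-placeholder@ntlworld.com`, `nospam-placeholder@ntlworld.com` and `unknown-placeholder@virginmedia.com`; the function names are mine. It reads the Received chain oldest hop first, pulls the SPF/DKIM/DMARC verdicts out of Authentication-Results, and compares the envelope recipient (X-Env-Rcptto, Delivered-To and the `for <...>` clauses) with the visible To/Cc addresses: a message delivered to one of your addresses while naming none of them in To/Cc is exactly what a BCC (or a single message with many RCPT TO values) looks like. The last function generalises the poster's To:-based rule to "flag anything where none of my addresses is visible", with an allow-list for mailing lists that legitimately put the list address in To:. The same functions run unchanged on the later header in message 8.

```python
"""Walk a raw email header block: Received chain, authentication verdicts and
envelope-vs-visible recipients.  Added example for this thread, not the forum's
or Virgin Media's code; all addresses below are constructed placeholders."""
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a trimmed copy of the header posted in message 1 with
# placeholder mailboxes.  Header order is as a mail client would show it
# (newest Received line first).
SAMPLE_HEADERS = """\
Return-Path: <actisjbbdg@frolves.com>
Delivered-To: main-placeholder@ntlworld.com
Received: from md7.tb.ukmail.iss.local ([212.54.57.72])
\tby mc13.tb.ukmail.iss.local with LMTP id WOK3F2BIs17/OgAA1nWJCQ
\tfor <main-placeholder@ntlworld.com>; Thu, 07 May 2020 01:29:36 +0200
X-Sieve-Redirected-From: nospam-placeholder@ntlworld.com
Delivered-To: nospam-placeholder@ntlworld.com
Received: from smtpclienthelo ([212.54.57.69])
\tby md4.tb.ukmail.iss.local with LMTP
\t(envelope-from <actisjbbdg@frolves.com>)
\tfor <nospam-placeholder@ntlworld.com>; Thu, 07 May 2020 01:29:36 +0200
Authentication-Results: ukmail.iss.as9143.net;
 spf=pass (51.15.159.167;frolves.com);
 dkim=none (nosigs);
 dmarc=none header.from=frolves.com (dis=no_record);
X-Env-Rcptto: nospam-placeholder@ntlworld.com
Received: from frolves.com ([51.15.159.167])
\tby mx2.tb.ukmail.iss.as9143.net with ESMTP
\tid WTTmjlcg4kDeXWTTrjf4Rk; Thu, 07 May 2020 01:29:36 +0200
Subject: How To Really Get Rich From B!tcoins
From: "B!tcoin_Protocol" <jwISzjZfk@frolves.com>
To: unknown-placeholder@virginmedia.com
Message-ID: <IYpCGvDt@googel.com>

"""


def sample_message():
    """Parse the constructed sample into an email.message.Message."""
    return message_from_string(SAMPLE_HEADERS)


def _flat(value):
    """Unfold a header value: folded continuation lines become single spaces."""
    return re.sub(r"\s+", " ", value).strip()


def received_hops(msg):
    """Return the Received chain oldest hop first as (from, by, for) tuples.
    Each relay prepends its own Received line, so header order is newest
    first; reversing it gives the path the message actually travelled."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        value = _flat(raw)
        src = re.search(r"\bfrom\s+(\S+)", value)          # first 'from' is the relay
        by = re.search(r"\bby\s+(\S+)", value)
        rcpt = re.search(r"\bfor\s+<?([^\s<>;]+)>?", value)  # envelope recipient, if logged
        hops.append((src.group(1) if src else "?",
                     by.group(1) if by else "?",
                     rcpt.group(1).lower() if rcpt else None))
    return hops


def auth_results(msg):
    """Parse every Authentication-Results header into {method: verdict}."""
    results = []
    for raw in msg.get_all("Authentication-Results", []):
        results.append(dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", _flat(raw))))
    return results


def visible_recipients(msg):
    """Addresses the reader can see in the message itself (To and Cc)."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def envelope_recipients(msg):
    """Addresses the mail system actually delivered to: RCPT TO as recorded by
    the receiving server, Delivered-To, and the 'for <...>' clauses."""
    found = {_flat(v).lower() for v in msg.get_all("X-Env-Rcptto", [])}
    found |= {_flat(v).lower() for v in msg.get_all("Delivered-To", [])}
    found |= {rcpt for _, _, rcpt in received_hops(msg) if rcpt}
    return found


def explain(msg, my_addresses):
    """Summarise how the message reached one of my_addresses."""
    mine = {a.lower() for a in my_addresses}
    visible, envelope, hops = visible_recipients(msg), envelope_recipients(msg), received_hops(msg)
    return {
        "origin": hops[0][0] if hops else None,          # host that handed it to the first MX
        "envelope_recipients": sorted(envelope & mine),
        "visible_recipients": sorted(visible),
        # Delivered to me although I am not in To/Cc: the BCC / multi-RCPT pattern.
        "hidden_recipient": bool(envelope & mine) and not (visible & mine),
        "redirected_from": [_flat(v).lower() for v in msg.get_all("X-Sieve-Redirected-From", [])],
        "auth": auth_results(msg),
    }


def to_field_rule(msg, my_addresses, allowed_list_addresses=()):
    """Generalised To:-field rule: True (treat as spam candidate) when none of
    my addresses, nor an allow-listed mailing-list address, appears in To/Cc."""
    keep = {a.lower() for a in my_addresses} | {a.lower() for a in allowed_list_addresses}
    return not (visible_recipients(msg) & keep)


if __name__ == "__main__":
    message = sample_message()
    for hop in received_hops(message):
        print("hop:", hop)
    for key, val in explain(message, ["nospam-placeholder@ntlworld.com",
                                      "main-placeholder@ntlworld.com"]).items():
        print(f"{key}: {val}")
    print("to-field rule fires:", to_field_rule(message, ["nospam-placeholder@ntlworld.com"]))
```

On the sample this reports the origin host as frolves.com, SPF pass with DKIM and DMARC none, and `hidden_recipient` True, because the only visible To: is the virginmedia.com stranger while the envelope carried the ntlworld.com address. The allow-list argument matters in practice: without it the rule also quarantines newsletters and list mail addressed to the list rather than to you.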

louiscar
Up to speed
Message 5 of 24

Re: How does this spam get to me?


@用心棒 wrote:

Correction to my previous post: it seems such image spam is still getting past the spam filters. If the problem persists, please post back here and I will raise it with the forum team.


It has persisted for well over a month.

David_Bn
Forum Team
Message 6 of 24

Re: How does this spam get to me?

Good morning louiscar,

Thanks for your post on our Community Forums and a very warm welcome to you!

Sorry to see you've been having issues with the spam e-mails, with the filter not stopping all spam e-mail from hitting your inbox.

If you check out the purple envelope in the top right hand corner you'll see a PM from me.

Kindest regards,

David

louiscar
Up to speed
Message 7 of 24

Re: How does this spam get to me?

Thanks, I have replied to your PM.

louiscar
Up to speed
Message 8 of 24

Re: How does this spam get to me?

This is really getting frustrating - 2 issues now. Another flurry of obvious spam NOT getting stopped by VM, and several normal legit emails that VM insists on sending to the spam folder. I mean, what is spam about a Greenpeace newsletter!?? Solutions like "VM email learns" are total rubbish, and adding the addresses to the contact list is completely ignored. This is just driving me nuts. We aren't given the tools to do much else, frankly.

This is the latest. They are all from the same people, as it involves the same format with a clickable image, and all addresses are from an .eu address.

What is concerning is that my main email, which to date hasn't been compromised, appears to have got to these people and they are writing to 3 of my addresses.

Return-Path: <ruudstoltenberg@mijnvoordeelkraampje.eu>
Delivered-To: MyAddress@ntlworld.com
Received: from md2.tb.ukmail.iss.local ([212.54.57.75])
	by mc13.tb.ukmail.iss.local with LMTP id KFqODTHL+17GZAAA1nWJCQ
	for <MyAddress@ntlworld.com>; Wed, 01 Jul 2020 01:30:57 +0200
Received: from smtpclienthelo ([212.54.57.75])
	by md2.tb.ukmail.iss.local with LMTP
	id cM5PDTHL+14mBAAAaJkqCg
	(envelope-from <ruudstoltenberg@mijnvoordeelkraampje.eu>)
	for <MyAddress@ntlworld.com>; Wed, 01 Jul 2020 01:30:57 +0200
Authentication-Results: ukmail.iss.as9143.net;
 spf=pass (217.78.252.72;mijnvoordeelkraampje.eu);
 dkim=pass header.d=mijnvoordeelkraampje.eu;
 dmarc=pass header.from=mijnvoordeelkraampje.eu (p=none sp=none dis=pass);
X-Env-Mailfrom: ruudstoltenberg@mijnvoordeelkraampje.eu
X-Env-Rcptto: MyAddress@ntlworld.com
X-SourceIP: 217.78.252.72
X-CNFS-Analysis: v=2.3 cv=ffM2N3YF c=1 sm=1 tr=0 cx=a_idp_d
 a=H9/Bak7EAJrNqq/YIU3wSw==:117 a=H9/Bak7EAJrNqq/YIU3wSw==:17
 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=8p0tEo9xVJgA:10 a=ZZnuYtJkoWoA:10
 a=d6EM4f4BAAAA:8 a=NLZqzBF-AAAA:8 a=A558oEyWCxzRESmyNJgA:9 a=QEXdDO2ut3YA:10
 a=-FEs8UIgK8oA:10 a=NWVoK91CQyQA:10 a=wTlVZgVR_QGSmOSYYlIA:9
 a=IGjGrCNLNkFH0ORmfMlE:22 a=wW_WBVUImv98JQXhvVPZ:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22
 a=SsAZrZ5W_gNWK9tOzrEV:22
Received: from mariage.mijnvoordeelkraampje.eu ([217.78.252.72])
	by mx8.tb.ukmail.iss.as9143.net with ESMTP
	id qPd5jpUhPzUHhqPdVjpfEW; Wed, 01 Jul 2020 01:25:57 +0200
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;
	d=mijnvoordeelkraampje.eu; s=s1024; l=2010; x=1594164356;
	i=@mijnvoordeelkraampje.eu; h=Message-ID:Date:Subject:From:To:
	Content-Type; bh=waUa4EwbMqCHTCmkmbFt9cVW1ZA=; b=hxUWyGc8XhTeYHt
	/8aDYMXTTOI8a3fWaHZdBJb47KN9rCmViXfuMGzHlkw8qa86VVIEb7R5wEtFN3pM
	1b3sKPWfZKse4ErHnqRiawMWvEngeQeM7M80y149ZGUUBJ3i3X7jzdb0llY/MPoM
	qGKgu0ykmnusYi1DqLnsI9IOd+1M=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=mijnvoordeelkraampje.eu;
  b=dXkhMnUbUnadXYu5/qZ4zVIxpK0W+HQ9OF7Fkmy36gM3bSiHE4ETGbYOuFZ8esB37mg+5C35rLDdB8yXvwU7mmiiaiUGvUzjUqLiYw5/tttLNBskFhCW8/Cf1YUlvrjzeMQSjeriuDyPkp0qk5LoyMPn703BOn6Gt6VsBrK8z84=;
Message-ID: <02bj5CZsJ3b3xGduB0YwNXa19GbP@mijnvoordeelkraampje.eu>
Date: Wed, 1 Jul 2020 01:25:28 +0100
Subject: Have you received my message
From: Ruud Stoltenberg <ruudstoltenberg@mijnvoordeelkraampje.eu>
To: MyAddress@ntlworld.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_=_5dca0f50f55b8dcfd41d4719efd02720";
X-CMAE-Envelope: MS4wfOWCnqmbXBCVDmVgeJwWQvu3M130a3psUau46wOuoZWR63FIPabYbHXMPDB05fJ5IKJcrsYo7gbgqJbOpoSe00dtd8zrNSjYhqjVjGebnFYgfKEcMUGT
 QzxyGDuaf1AdI3X7/ZkgdXloqpsF3CVvabmRjzZ23pcglPSSrKgPoYy+0LhE8oqBUKsk8cXegCERuwY4Wq0r/4G2O8GM9BvebjQ8TxTffRnI++KgZOJIkrcb

--_=_5dca0f50f55b8dcfd41d4719efd02720
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: base64

CiAgaHR0cDovL21pam52b29yZGVlbGtyYWFtcGplLmV1L25RQlFVQUVGVE5BSHhnRVFlTmxB
SXRsVmI1MVhUTkFTK3dRS1g5MUQyQVNHMzRGTGJvUUtXMEZEZFJTSDAweVdFd0FYZU4xQ04K
Cmh0dHA6Ly9taWpudm9vcmRlZWxrcmFhbXBqZS5ldS9uUUJRVUFFRlROQUh4Z0VRZU5sQUl0
bFZiNTFYVE5BUyt3UUtYOTFEMkFTRzM0Rkxib1FLVzBGRGRSU0gwMHlXRXdBWGVOMUNOCgpZ
b3UgY2FuIGNhbmNlbCB5b3VyIHN1YnNjcmlwdGlvbiB0byBvdXIgc2VydmljZSBzaW1wbHkg
YnkgY2xpY2tpbmcgaGVyZSBsb3Vpc3BjQG50bHdvcmxkLmNvbSBodHRwOi8vbWlqbnZvb3Jk
ZWVsa3JhYW1wamUuZXUvcmdBWEl3RkNQOWhjdFFGWEQ5a0hVZGtTSEowUVA5QlZpQVJOTE4w
RXF3VEJySUVNSFlSTktFRUVCaFRBb0V6UllBQlFDOTBGSwoK
--_=_5dca0f50f55b8dcfd41d4719efd02720
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: base64
--_=_5dca0f50f55b8dcfd41d4719efd02720--

louij2
Up to speed
Message 9 of 24

Re: How does this spam get to me?

I'm also getting a lot more spam recently that I never used to receive.

Lisa_CC
Moderator
Message 10 of 24

Re: How does this spam get to me?

Hi Louij2,

Sorry to hear that you're still receiving spam. Can I ask whether you've recently added your email address to any sites, and are they from the same sender, for example?

Thanks,

Lisa
