Is there any danger in opening spam?

 
 
Matty F
 
      11-05-2010
On Nov 6, 9:55 am, EMB <(E-Mail Removed)> wrote:
> On 6/11/2010 12:49 a.m., Matty F wrote:
>
>
>
> > On Nov 6, 12:28 am, EMB<(E-Mail Removed)> wrote:
> >> On 5/11/2010 5:32 p.m., Matty F wrote:

>
> >>> On Nov 5, 11:40 am, Allistar<(E-Mail Removed)> wrote:
> >>>> Matty F wrote:

>
> >>>>> Why can't XTRA check who was using that IP address at the time the
> >>>>> email was sent, and give them a call?

>
> >>>> They can, but you'd need to bitch to Xtra first.

>
> >>> Of course I have done that and not got a satisfactory result.

>
> >>>> And most likely the person
> >>>> responsible for the computer at the end of that IP address is not the one
> >>>> sending the spam - it's more likely that their computer (which is most likely
> >>>> running a Microsoft operating system) is infected by malicious software.

>
> >>> Again, that is almost certain to be the case. I get one or more spam
> >>> emails from the same IP address each day. That IP address is on many
> >>> blacklists. Anyone unfortunate enough to be allocated that IP address
> >>> will have trouble sending emails to some ISPs.
> >>> Note that it is a dynamic IP address, but the user stays logged on for
> >>> days or weeks at a time.

>
> >>> "The Project Honey Pot system has detected behavior from the IP
> >>> address 210.54.141.252 that is consistent with that of a Mail Server
> >>> and Dictionary Attacker."

>
> >>> "554-mx.mailfilter6.ihug.co.nz 554 BLOCKED: The SenderBase reputation
> >>> of your ISP or corporate mail server is extremely bad.
> >>> Received: from mta03.xtra.co.nz ([210.54.141.252])'"

>
> >>> "210.54.141.252 is listed in cblless.anti-spam.org.cn and four other
> >>> blacklists"

>
> >> Learn to read email headers Matty - that is NOT a user IP address.

>
> > Of course it is. Over the last three years 210.54.141.252 has been
> > assigned to 58 people who have emailed me.

>
> It is still NOT a user IP address. The hint is in the /mta03/ part you
> quote. That is a mail server belonging to Xtra.


In that case Xtra should fix it. But I fear they are technically
incapable of that.
 
Enkidu
 
      11-06-2010
On 05/11/10 21:43, Allistar wrote:
> Matty F wrote:
>
>> On Nov 5, 9:11 pm, Allistar<(E-Mail Removed)> wrote:
>>> Matty F wrote:
>>>> On Nov 5, 11:40 am, Allistar<(E-Mail Removed)> wrote:
>>>>> Matty F wrote:
>>>
>>>>>> Why can't XTRA check who was using that IP address at the time the
>>>>>> email was sent, and give them a call?
>>>
>>>>> They can, but you'd need to bitch to Xtra first.
>>>
>>>> Of course I have done that and not got a satisfactory result.
>>>
>>>>> And most likely the person
>>>>> responsible for the computer at the end of that IP address is not the
>>>>> one sending the spam - it's more likely that their computer (which is
>>>>> most likely running a Microsoft operating system) is infected by
>>>>> malicious software.
>>>
>>>> Again, that is almost certain to be the case. I get one or more spam
>>>> emails from the same IP address each day. That IP address is on many
>>>> blacklists. Anyone unfortunate enough to be allocated that IP address
>>>> will have trouble sending emails to some ISPs.
>>>> Note that it is a dynamic IP address, but the user stays logged on for
>>>> days or weeks at a time.
>>>
>>>> "The Project Honey Pot system has detected behavior from the IP
>>>> address 210.54.141.252 that is consistent with that of a Mail Server
>>>> and Dictionary Attacker."
>>>
>>>> "554-mx.mailfilter6.ihug.co.nz 554 BLOCKED: The SenderBase reputation
>>>> of your ISP or corporate mail server is extremely bad.
>>>> Received: from mta03.xtra.co.nz ([210.54.141.252])'"
>>>
>>>> "210.54.141.252 is listed in cblless.anti-spam.org.cn and four other
>>>> blacklists"
>>>
>>> Do you use client side spam filtering? If not, I recommend it. Mine hides
>>> a lot of spam from me fairly effectively. An issue is that spam still
>>> appears on devices that don't have the ability to filter them out, such
>>> as an iPhone and an iPad.

>>
>> I can easily decide on Yahoo's webmail whether something is spam or
>> not, without opening the email.
>> Recognising spam is not the problem. The problem is that someone using
>> IP address 210.54.141.252 has an infected machine, and Xtra should do
>> something about that because it's one of their customers.
>> That customer gets a new IP address sometimes and thus a bunch of Xtra
>> IP addresses are being blacklisted. Sometimes I am allocated one of
>> them, thus my emails may bounce.

>
> Yes, that stinks. The ISP should do something about it.
>

On the other hand, the whole address range should be blacklisted.

Cheers,

Cliff

--

The ends justifies the means - Niccolò di Bernardo dei Machiavelli.

The end excuses any evil - Sophocles
 
Enkidu
 
      11-06-2010
On 05/11/10 21:55, Matty F wrote:
> On Nov 5, 9:13 pm, Enkidu<(E-Mail Removed)> wrote:
>> On 05/11/10 11:40, Allistar wrote:
>>> Matty F wrote:
>>
>>>> I've been told by a helpdesk that we mustn't open spam emails or
>>>> our machines could be infected by malware etc etc. Surely if I
>>>> don't click on any links in the email I'm safe?

>>
>>> That would depend on your mail client I suppose. But I would say that
>>> simply viewing a spam email is perfectly safe.

>>
>> No, it isn't. Some email clients will run the scripts in some emails
>> when you open them.

>
> So there appears to be no way that I can check the originating IP
> address on Yahoo Webmail without opening the email. There is no option
> to show plain text instead of HTML.
>

If you have SPAM and virus protection and something like AdAware you
should be OK. If you don't the HelpDesk is correct. There is a risk.

Cheers,

Cliff

--

The ends justifies the means - Niccolò di Bernardo dei Machiavelli.

The end excuses any evil - Sophocles
 
Enkidu
 
      11-06-2010
On 06/11/10 00:49, Matty F wrote:
> On Nov 6, 12:28 am, EMB<(E-Mail Removed)> wrote:
>> On 5/11/2010 5:32 p.m., Matty F wrote:
>>
>>
>>
>>> On Nov 5, 11:40 am, Allistar<(E-Mail Removed)> wrote:
>>>> Matty F wrote:

>>
>>>>> Why can't XTRA check who was using that IP address at the time the
>>>>> email was sent, and give them a call?

>>
>>>> They can, but you'd need to bitch to Xtra first.

>>
>>> Of course I have done that and not got a satisfactory result.

>>
>>>> And most likely the person
>>>> responsible for the computer at the end of that IP address is not the one
>>>> sending the spam - it's more likely that their computer (which is most likely
>>>> running a Microsoft operating system) is infected by malicious software.

>>
>>> Again, that is almost certain to be the case. I get one or more spam
>>> emails from the same IP address each day. That IP address is on many
>>> blacklists. Anyone unfortunate enough to be allocated that IP address
>>> will have trouble sending emails to some ISPs.
>>> Note that it is a dynamic IP address, but the user stays logged on for
>>> days or weeks at a time.

>>
>>> "The Project Honey Pot system has detected behavior from the IP
>>> address 210.54.141.252 that is consistent with that of a Mail Server
>>> and Dictionary Attacker."

>>
>>> "554-mx.mailfilter6.ihug.co.nz 554 BLOCKED: The SenderBase reputation
>>> of your ISP or corporate mail server is extremely bad.
>>> Received: from mta03.xtra.co.nz ([210.54.141.252])'"

>>
>>> "210.54.141.252 is listed in cblless.anti-spam.org.cn and four other
>>> blacklists"

>>
>> Learn to read email headers Matty - that is NOT a user IP address.

>
> Of course it is. Over the last three years 210.54.141.252 has been
> assigned to 58 people who have emailed me.
>

No, it is Xtra's mail server (or at least one of them). The Received
header just says that the mail server sent some mail on to another mail
server. The last Received header should show the originating host. Why
not post the whole set of headers?

Cheers,

Cliff

--

The ends justifies the means - Niccolò di Bernardo dei Machiavelli.

The end excuses any evil - Sophocles
 
Enkidu
 
      11-06-2010
On 06/11/10 10:47, Matty F wrote:
> On Nov 6, 9:55 am, EMB<(E-Mail Removed)> wrote:
>> On 6/11/2010 12:49 a.m., Matty F wrote:
>>
>>
>>
>>> On Nov 6, 12:28 am, EMB<(E-Mail Removed)> wrote:
>>>> On 5/11/2010 5:32 p.m., Matty F wrote:

>>
>>>>> On Nov 5, 11:40 am, Allistar<(E-Mail Removed)> wrote:
>>>>>> Matty F wrote:

>>
>>>>>>> Why can't XTRA check who was using that IP address at the time the
>>>>>>> email was sent, and give them a call?

>>
>>>>>> They can, but you'd need to bitch to Xtra first.

>>
>>>>> Of course I have done that and not got a satisfactory result.

>>
>>>>>> And most likely the person
>>>>>> responsible for the computer at the end of that IP address is not the one
>>>>>> sending the spam - it's more likely that their computer (which is most likely
>>>>>> running a Microsoft operating system) is infected by malicious software.

>>
>>>>> Again, that is almost certain to be the case. I get one or more spam
>>>>> emails from the same IP address each day. That IP address is on many
>>>>> blacklists. Anyone unfortunate enough to be allocated that IP address
>>>>> will have trouble sending emails to some ISPs.
>>>>> Note that it is a dynamic IP address, but the user stays logged on for
>>>>> days or weeks at a time.

>>
>>>>> "The Project Honey Pot system has detected behavior from the IP
>>>>> address 210.54.141.252 that is consistent with that of a Mail Server
>>>>> and Dictionary Attacker."

>>
>>>>> "554-mx.mailfilter6.ihug.co.nz 554 BLOCKED: The SenderBase reputation
>>>>> of your ISP or corporate mail server is extremely bad.
>>>>> Received: from mta03.xtra.co.nz ([210.54.141.252])'"

>>
>>>>> "210.54.141.252 is listed in cblless.anti-spam.org.cn and four other
>>>>> blacklists"

>>
>>>> Learn to read email headers Matty - that is NOT a user IP address.

>>
>>> Of course it is. Over the last three years 210.54.141.252 has been
>>> assigned to 58 people who have emailed me.

>>
>> It is still NOT a user IP address. The hint is in the /mta03/ part you
>> quote. That is a mail server belonging to Xtra.

>
> In that case Xtra should fix it. But I fear they are technically
> incapable of that.
>

Fix what? That header just says that the server forwarded email on to
somewhere else. That's normal MTA processing. Every ISP's MTA receives
mail from the ISP's customers and sends it on.

Cheers,

Cliff

--

The ends justifies the means - Niccolò di Bernardo dei Machiavelli.

The end excuses any evil - Sophocles
 
Dave Doe
 
      11-06-2010
In article <4cd3bc4e$(E-Mail Removed)>, (E-Mail Removed)
says...
>
> On 05/11/10 11:36, Dave Doe wrote:
> > In article<5ffabea0-8375-4be6-880b-473ec5b4b288
> > @s12g2000prs.googlegroups.com>, (E-Mail Removed) says...
> >>
> >> I've been told by a helpdesk that we mustn't open spam emails or our
> >> machines could be infected by malware etc etc.
> >> Surely if I don't click on any links in the email I'm safe?
> >> On webmail the images are blocked automatically.
> >> Or I could allow the email spam into my machine and tell my firewall
> >> to stop all traffic before I open the email. But surely that is not
> >> necessary.
> >>
> >> Most of the spam comes from a single Xtra IP address, that is why I
> >> want to look at the headers.
> >> Why can't XTRA check who was using that IP address at the time the
> >> email was sent, and give them a call?

> >
> > I think your helpdesk folk are just trying to play it safe. You can't
> > be infected unless you *run* something - and they don't want you (maybe)
> > seeing emails that look like the real thing, and users being duped into
> > running malicious software from a site (that also looks like the real
> > thing).
> >

> That's not true. Opening some emails in some email client *will* run
> scripts.


Such as? What modern/latest email client will do that?

--
Duncan.
 
Dave Doe
 
      11-06-2010
In article <4cd3cab8$(E-Mail Removed)>, (E-Mail Removed) says...
>
> Matty F wrote:
> > I've been told by a helpdesk that we mustn't open spam emails or our
> > machines could be infected by malware etc etc.
> > Surely if I don't click on any links in the email I'm safe?

>
> not if you are using Microsoft software


What MS software would that be? Something 10 years old. **** off!

--
Duncan.
 
Squiggle
 
      11-06-2010
On 6/11/2010 3:00 p.m., Dave Doe threw some characters down the intarwebs:
> In article <4cd3bc4e$(E-Mail Removed)>, (E-Mail Removed)
> says...
>>
>> On 05/11/10 11:36, Dave Doe wrote:
>>> In article<5ffabea0-8375-4be6-880b-473ec5b4b288
>>> @s12g2000prs.googlegroups.com>, (E-Mail Removed) says...
>>>>
>>>> I've been told by a helpdesk that we mustn't open spam emails or our
>>>> machines could be infected by malware etc etc.
>>>> Surely if I don't click on any links in the email I'm safe?
>>>> On webmail the images are blocked automatically.
>>>> Or I could allow the email spam into my machine and tell my firewall
>>>> to stop all traffic before I open the email. But surely that is not
>>>> necessary.
>>>>
>>>> Most of the spam comes from a single Xtra IP address, that is why I
>>>> want to look at the headers.
>>>> Why can't XTRA check who was using that IP address at the time the
>>>> email was sent, and give them a call?
>>>
>>> I think your helpdesk folk are just trying to play it safe. You can't
>>> be infected unless you *run* something - and they don't want you (maybe)
>>> seeing emails that look like the real thing, and users being duped into
>>> running malicious software from a site (that also looks like the real
>>> thing).
>>>

>> That's not true. Opening some emails in some email client *will* run
>> scripts.

>
> Such as? What modern/latest email client will do that?
>


Probably none, but given Matty F is known to still run win 98 on at
least one machine it is good advice.
 
Dave Doe
 
      11-06-2010
In article <ib2eo1$9ab$(E-Mail Removed)-september.org>,
(E-Mail Removed) says...
>
> On 6/11/2010 3:00 p.m., Dave Doe threw some characters down the intarwebs:
> > In article <4cd3bc4e$(E-Mail Removed)>, (E-Mail Removed)
> > says...
> >>
> >> On 05/11/10 11:36, Dave Doe wrote:
> >>> In article<5ffabea0-8375-4be6-880b-473ec5b4b288
> >>> @s12g2000prs.googlegroups.com>, (E-Mail Removed) says...
> >>>>
> >>>> I've been told by a helpdesk that we mustn't open spam emails or our
> >>>> machines could be infected by malware etc etc.
> >>>> Surely if I don't click on any links in the email I'm safe?
> >>>> On webmail the images are blocked automatically.
> >>>> Or I could allow the email spam into my machine and tell my firewall
> >>>> to stop all traffic before I open the email. But surely that is not
> >>>> necessary.
> >>>>
> >>>> Most of the spam comes from a single Xtra IP address, that is why I
> >>>> want to look at the headers.
> >>>> Why can't XTRA check who was using that IP address at the time the
> >>>> email was sent, and give them a call?
> >>>
> >>> I think your helpdesk folk are just trying to play it safe. You can't
> >>> be infected unless you *run* something - and they don't want you (maybe)
> >>> seeing emails that look like the real thing, and users being duped into
> >>> running malicious software from a site (that also looks like the real
> >>> thing).
> >>>
> >> That's not true. Opening some emails in some email client *will* run
> >> scripts.

> >
> > Such as? What modern/latest email client will do that?
> >

>
> Probably none, but given Matty F is known to still run win 98 on at
> least one machine it is good advice.


I gather this is his work workstation? (helpdesk staff told him not
to...)

--
Duncan.
 
Matty F
 
      11-06-2010
On Nov 6, 2:40 pm, Enkidu <(E-Mail Removed)> wrote:

> No, it is Xtra's mail server (or at least one of them). The Received
> header just says that the mail server sent some mail on to another mail
> server. The last Received header should show the originating host. Why
> not post the whole set of headers?


So, X-Originating-IP doesn't actually mean originating IP?
I would take it to mean the IP address that initially sent the email.
How come that is Xtra's mail server? Does that mean that the chain of
computers that the email has been through is not included in the
header or has been altered or lost or deleted?

Here's the header:

Saturday, 6 November, 2010 8:27 AM
From National Bank of New Zealand Fri Nov 5 19:27:39 2010
X-Apparently-To: (E-Mail Removed) via 124.108.96.103; Thu, 04 Nov
2010 12:39:18 -0700
Return-Path: <(E-Mail Removed)>
Received-SPF: none (mta1000.tnz.mail.aue.yahoo.com: domain of
(E-Mail Removed) does not designate permitted sender hosts)
X-Originating-IP: [210.54.141.252]
Authentication-Results: mta1000.tnz.mail.aue.yahoo.com
from=secure.com; domainkeys=neutral (no sig); from=secure.com;
dkim=neutral (no sig)
Received: from 210.54.141.252 (EHLO mta03.xtra.co.nz)
(210.54.141.252) by mta1000.tnz.mail.aue.yahoo.com with SMTP; Thu, 04
Nov 2010 12:39:17 -0700
Received: from Usasfasb4 ([210.86.29.182]) by mta03.xtra.co.nz with
SMTP id <20101104193916.TDUB11283.mta03.xtra.co.nz@Usasfasb4>; Fri, 5
Nov 2010 08:39:16 +1300
Reply-To: (E-Mail Removed)
From: National Bank of New Zealand<(E-Mail Removed)>
Subject: Your internet banking access has been suspended !
Date: Sat, 6 Nov 2010 08:27:39 +1300
MIME-Version: 1.0
Content-Type: text/html; charset="shift_jis"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <20101104193916.TDUB11283.mta03.xtra.co.nz@Usasfasb4>
Content-Length: 183
 
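Added example (not part of Matty F's post or anyone else's in the thread): the two `Received:` lines from the header above, walked oldest-first in Python to show why `X-Originating-IP` here names Xtra's relay rather than the machine that submitted the message. The function names and the `yahoo.com` trust suffix are assumptions made for this illustration.

```python
import re
from email import message_from_string

# Routing-related fields from the header posted above, re-folded so that
# continuation lines start with a space (the forum dump lost the indentation).
RAW = """\
X-Originating-IP: [210.54.141.252]
Received: from 210.54.141.252 (EHLO mta03.xtra.co.nz)
 (210.54.141.252) by mta1000.tnz.mail.aue.yahoo.com with SMTP; Thu, 04
 Nov 2010 12:39:17 -0700
Received: from Usasfasb4 ([210.86.29.182]) by mta03.xtra.co.nz with
 SMTP id <20101104193916.TDUB11283.mta03.xtra.co.nz@Usasfasb4>; Fri, 5
 Nov 2010 08:39:16 +1300
Subject: Your internet banking access has been suspended !

"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_received(value):
    """Return (helo_name, peer_ip, recording_host) for one Received value."""
    flat = " ".join(value.split())                      # unfold the header
    m = re.match(r"from\s+(\S+)\s*(.*?)\s+by\s+(\S+)", flat)
    if not m:
        return None
    claimed, comments, by_host = m.groups()
    ehlo = re.search(r"\((?:EHLO|HELO)\s+([^)\s]+)\)", comments)
    ips = IPV4.findall(comments) or IPV4.findall(claimed)
    return (ehlo.group(1) if ehlo else claimed,
            ips[-1] if ips else None,
            by_host.rstrip(";"))

def hops_oldest_first(raw):
    """Each server prepends its Received line, so the last one is the oldest."""
    msg = message_from_string(raw)
    parsed = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(parsed) if h]

def analyse(raw, my_mx_suffix):
    """my_mx_suffix: domain of the recipient's own mail servers (assumption)."""
    hops = hops_oldest_first(raw)
    # The only hop the recipient's provider observed itself is the one it wrote.
    border = next(h for h in hops if h[2].endswith(my_mx_suffix))
    upstream = hops[:hops.index(border)]     # written by other parties: claims
    xoip = message_from_string(raw).get("X-Originating-IP", "").strip("[] ")
    return {
        "border_peer_ip": border[1],
        "border_peer_name": border[0],
        "oldest_hop_ip": upstream[0][1] if upstream else border[1],
        "oldest_hop_recorded_by": upstream[0][2] if upstream else border[2],
        # True when X-Originating-IP is just the relay that connected to us
        # and that same relay recorded receiving the message from elsewhere.
        "x_originating_ip_is_relay": bool(upstream) and xoip == border[1]
                                     and upstream[-1][2] == border[0],
    }

if __name__ == "__main__":
    for key, val in analyse(RAW, "yahoo.com").items():
        print(f"{key}: {val}")
```

Only the line written by the recipient's own provider is first-hand evidence; anything recorded further upstream is a claim to be checked against that server's logs, which is what an abuse report to the ISP asks it to do.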
 
 
 