

Am I a bot?
June 20, 2012 1:26 PM

Am I spamming the universe right now?

Today I've gotten about a dozen spam emails from various addresses claiming they'd give me a job. Then early this afternoon I got one that has my email address listed as the sender. Now I've gotten another.

I immediately changed my password.

I haven't heard from any friends saying they got spam from me today, but is there any way to know if my email address is just being "spoofed" or if my email was actually hacked?

Here's the extended header. Wherever my actual email address appears, I've replaced it with "****@sbcglobal.net":
From: Felix <>
Subject: [Bulk] Database Management Position
Date: June 20, 2012 1:14:35 PM PDT
To: Felix <>
X-Apparently-To: ****@sbcglobal.net via 69.147.85.72; Wed, 20 Jun 2012 13:14:37 -0700
X-Yahoofilteredbulk: 186.108.160.213
Received-Spf: fail (domain of canaca.com does not designate 186.108.160.213 as permitted sender)
X-Ymailisg: rqZGH.0WLDt36jFvQJbSYEdxPN9lawDAw5wtTnQaSlmXfV5P nsVdQ6z5Rx9ANfopgo.w10GRR7bagpCYiBzn8n42a6wm.fB5zFKKnekA4DJb D3GJKHp8FTduNxwaCqB6CNHalfU5veWhSKvvee4_IUxl8cTZuRpYf5QPRmEW L3xyl5EdrWCYwze7cIYzeTLO6YGurV.R3hn8bjdsXngcMpZejCIhJREbtwke y_p3VO0Pqz1CoFqfaAS2D4_bIVTcAKtvDd5ACO9imRgSb6rtrUf.zX8nvYYv h98aTzSWsdsYtWr9eqhuM71DByQthsKT.Tox4XzPFTE405yQtQxvTb1L4xJR ussFEaOs79I0hiyeRI_cwbhRIqyNZzKSHsZ4ZLtujWzOvTkPcdOxQ9ZZPjbi 8b1ST0QrKTIlTXBuR0gC1VS8a2M.2ZFAzugPFpTu5CZGACj0itkqAV0JnjPi KT5P0ax3SRtD99UQj7JZLav8CQ7awMPuyn4bvgCFtSrd1HIxhTQqqZlwqOu0 xv5LmZ4Fl_LEKU1Uh81C2tH0bGf0wrGuARdK71fimEGa48lcOvGKBoJMkHlG uZZfFlvXAKXNYziFOHRCQCSGJ5g6kVWdH9exTjg6nZe8Y1h8p.tg0DiRzVcS 0CDGvvCtHWafo9Pj8qg2l7T8.CBPefZ7yz9BBWwsCwCtc6vcY_0ncgwY9hO_ IHHSVCPuhv3.3TZTMVwsfLbOh9x948l9m4pxXNVvx6GD7WtE8aeYLGqLYNKQ I3OjMC7F5yseJunQquEvdEd0VlphUwPnOv1Z1ZEBe4h4UJtvxYSdZdRGbTNw pB29zQBAv5IvwCaUGeQYakczp7w7aBzDa1rjzzZ_FYLIFkDiOcq3CPobcXRa AoeQsauGFG8XKKpuHlUZ4dhVrZipUZEtovqQXlIBNnKtmPbwlnQbwm7ToIFr KIcOM8yOrFGQu7tpF4dPN9_rmDmag2B4_shpePdavHqCs1O6mwld6JMhyiFM 8On5DUaJ8fS.GKuMZUWX78e8OkgPLe.mqBgaarat3tD47XAWAiSYqkxzTY8q PDIOCNOsgNGfYcMEuFbaeeqr6PVb2N6sNGJ2aWOgzDA-
X-Originating-Ip: [186.108.160.213]
Authentication-Results: mta1297.sbc.mail.gq1.yahoo.com from=sbcglobal.net; domainkeys=neutral (no sig); from=sbcglobal.net; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO 186.108.160.213) (186.108.160.213) by mta1297.sbc.mail.gq1.yahoo.com with SMTP; Wed, 20 Jun 2012 13:14:37 -0700
Received: from apache by sbcglobal.net with local (Exim 4.63) (envelope-from <>) id RTO020-KALP5C-EA for <>; Wed, 20 Jun 2012 17:14:35 -0300
Message-Id:
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="iso-8859-1"

Here's the text of the spam (just for fun I guess):
I would like to take this time to welcome you to our hiring process
and give you a brief synopsis of the position's benefits and requirements.

If you are taking a career break, are on a maternity leave,
recently retired or simply looking for some part-time job, this position is for you.

Occupation: Flexible schedule 2 to 8 hours per day. We can guarantee a minimum 20 hrs/week occupation
Salary: Starting salary is $2000 per month plus commission, paid every month.
Business hours: 9:00 AM to 5:00 PM, MON-FRI, 9:00 AM to 1:00 PM SAT or part time (US time).

Region: United States.

Please note that there are no startup fees or deposits to start working for us.

To request an application form, schedule your interview and receive more information about this position
please reply to Callie@newusawork.com with your personal identification number for this position IDNO: 8307
posted by latkes to Computers & Internet (11 answers total) 1 user marked this as a favorite
 
Oh, html weirdness I guess: in the places that say, "Felix <>", it should have my email address, which I'm calling ****@sbcglobal.net
posted by latkes at 1:27 PM on June 20, 2012


It's a Joe job. Not your fault.
posted by scruss at 1:42 PM on June 20, 2012


The From: header is so frequently spoofed as to be useless if you have any doubt. You need to look at the Received: headers to follow the trail of where the thing actually came from.

SpamCop can be useful for figuring out the source of these things, even if you don't actually file a report with the host/transport.
posted by FlyingMonkey at 1:44 PM on June 20, 2012 [1 favorite]


The "received" header is a big pile of gobbledygook to my untrained eye. Is there a benefit to my trying to figure out where this came from? Should I take any follow-up action?
posted by latkes at 1:52 PM on June 20, 2012


If your email provider exposes full headers (which yours seems to), you can sign up for Spamcop, which will ask you for the various addresses you receive mail through and send you a couple messages and ask you to enter them (so it knows what your normal received path looks like).

Then you can submit the gobbledygook and let the system figure it out; if Spamcop knows or can find an address to complain to, it will offer that option, as well as adding the offending system to a blocking list.
posted by FlyingMonkey at 1:57 PM on June 20, 2012


OK, sent it to Spamcop, FWIW!
posted by latkes at 2:24 PM on June 20, 2012


The IP that the email is originating from is 186.108.160.213, which is in Argentina. Unless you're in Argentina right now, you're not the one sending it. Judging from the "X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)" line, I'm guessing that someone took over a PHP installation on a server somewhere and started sending out spam through it.
posted by zsazsa at 2:29 PM on June 20, 2012
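
The header reading done in the answers above, as an added example that is not part of the thread: it trusts only Received lines stamped by the recipient's own provider, takes the connecting IP from the first of those, and reads the SPF and DKIM results. The `analyze` function, the `user@sbcglobal.net` placeholder for the redacted address, and the choice of `.yahoo.com` as the trusted suffix (taken from the top Received line in the post) are assumptions of this example.

```python
import re
from email import message_from_string

# Constructed sample: header values copied from the post above, with the
# redacted address written as user@sbcglobal.net (a placeholder).
SAMPLE = """\
From: Felix <user@sbcglobal.net>
To: Felix <user@sbcglobal.net>
Subject: [Bulk] Database Management Position
Received-Spf: fail (domain of canaca.com does not designate 186.108.160.213 as permitted sender)
X-Originating-Ip: [186.108.160.213]
Authentication-Results: mta1297.sbc.mail.gq1.yahoo.com from=sbcglobal.net; domainkeys=neutral (no sig); from=sbcglobal.net; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO 186.108.160.213) (186.108.160.213) by mta1297.sbc.mail.gq1.yahoo.com with SMTP; Wed, 20 Jun 2012 13:14:37 -0700
Received: from apache by sbcglobal.net with local (Exim 4.63) (envelope-from <user@sbcglobal.net>) id RTO020-KALP5C-EA for <user@sbcglobal.net>; Wed, 20 Jun 2012 17:14:35 -0300
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)

body
"""

def analyze(raw, trusted_suffix):
    """Report the observed source IP and auth results; trust only our own MTAs."""
    msg = message_from_string(raw)
    hops = []
    for line in msg.get_all("Received", []):
        by = re.search(r"\bby\s+(\S+)", line)
        ip = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", line)
        host = by.group(1).lower() if by else ""
        hops.append({"by": host, "ip": ip.group(1) if ip else None,
                     "trusted": host.endswith(trusted_suffix)})
    # Each server prepends its own Received line, so the first trusted hop
    # with an IP is the connection the provider actually observed.
    source = next((h["ip"] for h in hops if h["trusted"] and h["ip"]), None)
    spf = (msg.get("Received-SPF", "none").split() or ["none"])[0].lower()
    dkim = re.search(r"\bdkim=(\w+)", msg.get("Authentication-Results", ""))
    dkim = dkim.group(1).lower() if dkim else "none"
    # Hops below the trusted one were written by the sender and may be forged.
    return {"source_ip": source, "spf": spf, "dkim": dkim,
            "unverified_hops": [h["by"] for h in hops if not h["trusted"]],
            "any_auth_pass": spf == "pass" or dkim == "pass"}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE, ".yahoo.com").items():
        print(f"{key}: {value}")
```

On this sample the only hop claiming to be `sbcglobal.net` lands in `unverified_hops`, and neither SPF nor DKIM passes, so nothing in the headers ties the message to the account named in From.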


It's just spam, sent from/via an Argentine IP address on behalf of this guy:
Domain name: newusawork.com

Registrant Contact:
   Bennie C. Anderson
   Bennie Anderson info@newusawork.com
   +1720-313-0364 fax: +1720-313-0364
   4741 Davis Lane
   Centennial CO 80112
   us
That's who is spamming you, if in fact the registration info is not fake. The 720 area code is indeed Denver, CO territory, so it's at least close. At the end of the day, and by the most charitable interpretation, this guy hired the spammers for his lame business that doesn't even have a website at that domain. Spammers aren't going to waste money on something like a website if they're just going to have to pull up stakes in a month. The various From addresses/names are just costumery.
posted by rhizome at 2:35 PM on June 20, 2012 [1 favorite]


I've been reading some Life Pro Tips lately, and one of them this week is that you should put an invalid email address into your email address book. This way, if you ARE (somehow) sending out spammy messages to all your contacts, that one will bounce back with an undeliverable message and you will be made aware of the activity.
posted by CathyG at 8:32 PM on June 20, 2012 [3 favorites]


Thanks all.

This has been a very weird day for spam. I have now received this same message about 15 or more times, with varying subject lines and sent from various email addresses, including my own.
posted by latkes at 9:09 PM on June 20, 2012


It's all just lines of text into a server, so they can just copy your address from the same list they're sending it to. I imagine they vary it so much in a misguided attempt to get around spam filters, if any. You're just getting a shotgun blast.
posted by rhizome at 10:53 PM on June 20, 2012

