I know a number of people really love the ability to bounce spam emails. Maybe this example might make you more cautious about doing so.
The email (below - placed in CODE) was instantly identified as a nasty by MWP. It's not so much that the spam was correctly tagged that's of interest, it's that this is an old (as in years) variation used by criminals to hijack your accounts ... Lads (criminals) are lazy and tend to use the same scripts (or copy from others) with a few minor variations to suit the target. In my case, it was targeted to BIGPOND (my ISP) customers but it's been used for all forms of web mail services (GMAIL, Yahoo, Messenger etc) and other ISPs for years. In the body of the email was a code "VX2G99AAJ" which produced over 6,500 Google results. I don't know how (or if it's possible) to sort Google results by date but I noticed some went back to 2007. The scams are as varied as scams can be - but all have a common purpose: to steal your info. Old scams still work.
Some of the more recent variations might appear very convincing and include links to fake / hijacked websites that tempt people to just take a look - and unless you have strong security, then you risk catching a drive-by download nasty. Yes - just looking at a site can cause major harm to your system - zombie systems, kiddy porn servers etc. It's disgusting and real.
The header is spoofed (so far as I can tell) but if I bounced or replied in any way then this lets the lads know I exist - or I might be sending it to someone who doesn't yet know their account has been hijacked. Better to lie quiet, delete and apart from giving FA a 'heads up' - let MWP do its thing.
My point is (a) bouncing can be counter-productive and (b) it might be useful to look for something unusual in a message (like the 'security code' in mine) and add these to a filter (c) MWP works elegantly - deletes these things before they get to my PC: I'd rather walk around naked than go without this excellent tool.
I admit I am unimpressed that my ISP did not auto-detect this before it hit my inbox on their server, specifically because the email was pretending to be from BIGPOND.
Great job Firetrust!
Return-Path: <[email protected]>
Received: from nskntingx03p.mx.bigpond.com ([123.2.6.238])
by nskntmtas04p.mx.bigpond.com with ESMTP
id <20100904071234.OTVP12733.nskntmtas04p.mx.bigpond.com@nskntingx03p.mx.bigpond.com>;
Sat, 4 Sep 2010 07:12:34 +0000
Received: from relay03.mail-hub.dodo.com.au ([123.2.6.238])
by nskntingx03p.mx.bigpond.com with ESMTP
id <20100904071233.ZVWU4251.nskntingx03p.mx.bigpond.com@relay03.mail-hub.dodo.com.au>;
Sat, 4 Sep 2010 07:12:33 +0000
Received: from mail03.mail-hub.dodo.com.au ([123.2.6.233])
by relay03.mail-hub.dodo.com.au with esmtp (Exim 4.68)
(envelope-from <[email protected]>)
id 1OrmvO-0006BB-LY; Sat, 04 Sep 2010 17:12:30 +1000
Received: from [127.0.0.1] (helo=webmail.dodo.com.au)
by mail03.mail-hub.dodo.com.au with smtp (Exim 4.66)
(envelope-from <[email protected]>)
id 1OrmvO-0004Id-Iv; Sat, 04 Sep 2010 17:12:30 +1000
Recieved: from [87.106.143.132] with HTTP; Sat, 4 Sep 2010 17:12:30 +1000
Message-ID: <[email protected]>
Date: Sat, 4 Sep 2010 17:12:30 +1000
From: "BIGPOND ADMIN" <[email protected]>
Reply-to: "BIGPOND ADMIN" <[email protected]>
Subject: Update Your Bigpond Account(Over Quota)
X-Priority: 3
X-Mailer: Dodo Internet Webmail Server
X-Original-IP: 87.106.143.132
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="iso-8859-1";
MIME-Version: 1.0
X-RPD-ScanID: Class unknown; VirusThreatLevel unknown, RefID str=0001.0A090203.4C81F162.000C,ss=1,fgs=0
--
Dear BIGPOND Account User,
This message is from admin messaging center for all e-mail account BIGPOND
owners.
We are currently upgrading our data base and e-mail/sms account. We are
deleting all unused e-mail account, creating more space for new accounts. To
complete upgrading of your account, you are requested to provide details
below immediately:
Name:
Username:
Password:
Mobile:
Contact address:
You can also check your e-mail address by logging into your account via
http://bigpond.com/, Failure to provide the above details we shall
deactivate your online Account with us. Make sure you use your valid
information requested above, A confirmation code will be sent to you.
Warning! Account holders that their account within seven days of receipt of
the update to this alert is to lose his/her account permanently.
Warning Code: VX2G99AAJ Thank you, Welcome to WebMail /
Email Webmaster.
Webmail Support
BIGPOND (C) 2010
________________________________________________
This message was sent
using Dodo Webmail - www.dodo.com.au
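The two points the post makes about this message (the trace headers contradict the claimed sender, and the odd "Warning Code" string is a handy filter term) can be checked mechanically. The script below is an added example, not code from the post, from Firetrust or from MailWasher Pro. It feeds a trimmed copy of the headers quoted above (mailbox addresses are placeholders, since the post's copy has them redacted) to Python's standard email parser, walks the Received chain oldest-first to find the submission host, compares that host's domain with the From domain, notices that the bottom trace line is spelt "Recieved" (so it is not a real Received header at all), and pulls out the "Warning Code" token. The registrable-domain helper is a deliberately simple heuristic, not a public-suffix lookup.

```python
"""Triage a suspected phish: trace-header origin vs. claimed From domain,
plus the unusual body token the post suggests adding to a filter."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a trimmed copy of the headers and body quoted in the post.
# Mailbox addresses are placeholders; continuation lines are folded with a
# leading space as RFC 5322 requires (the forum copy lost that indentation).
SAMPLE = """\
Received: from nskntingx03p.mx.bigpond.com ([123.2.6.238])
 by nskntmtas04p.mx.bigpond.com with ESMTP; Sat, 4 Sep 2010 07:12:34 +0000
Received: from relay03.mail-hub.dodo.com.au ([123.2.6.238])
 by nskntingx03p.mx.bigpond.com with ESMTP; Sat, 4 Sep 2010 07:12:33 +0000
Received: from mail03.mail-hub.dodo.com.au ([123.2.6.233])
 by relay03.mail-hub.dodo.com.au with esmtp (Exim 4.68); Sat, 04 Sep 2010 17:12:30 +1000
Received: from [127.0.0.1] (helo=webmail.dodo.com.au)
 by mail03.mail-hub.dodo.com.au with smtp (Exim 4.66); Sat, 04 Sep 2010 17:12:30 +1000
Recieved: from [87.106.143.132] with HTTP; Sat, 4 Sep 2010 17:12:30 +1000
From: "BIGPOND ADMIN" <admin@bigpond.com>
Subject: Update Your Bigpond Account(Over Quota)
X-Mailer: Dodo Internet Webmail Server
X-Original-IP: 87.106.143.132
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0

Dear BIGPOND Account User,
To complete upgrading of your account, you are requested to provide details below:
Username:
Password:
Warning Code: VX2G99AAJ Thank you, Welcome to WebMail
"""

# "from <host-or-[ip]> (helo=<name>)" as written by Exim-style relays
HOST_RE = re.compile(r"from\s+\[?([\w.:-]+)\]?(?:\s*\(helo=([\w.-]+)\))?", re.I)
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)
TOKEN_RE = re.compile(r"Warning Code:\s*([A-Z0-9]{6,})")
SECOND_LEVEL = {"com", "net", "org", "co", "edu", "gov", "ac"}


def org_domain(host):
    """Heuristic registrable domain: keeps three labels for com.au-style suffixes."""
    if re.fullmatch(r"[\d.]+", host):
        return host  # bare IP literal, nothing to shorten
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def hops(msg):
    """Received chain oldest-first as (from_host, helo_name, by_host) tuples."""
    out = []
    for value in reversed(msg.get_all("Received", [])):
        m_from = HOST_RE.search(value)
        m_by = BY_RE.search(value)
        out.append((m_from.group(1) if m_from else None,
                    m_from.group(2) if m_from else None,
                    m_by.group(1) if m_by else None))
    return out


def triage(raw):
    """Return the indicators a defender would look at before deciding to filter."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = org_domain(from_addr.split("@")[-1]) if "@" in from_addr else None
    chain = hops(msg)
    # The oldest genuine Received line is the submission point; prefer its HELO name.
    origin_host = (chain[0][1] or chain[0][0]) if chain else None
    origin_domain = org_domain(origin_host) if origin_host else None
    body = msg.get_payload()
    token = TOKEN_RE.search(body)
    return {
        "from_domain": from_domain,
        "origin_domain": origin_domain,
        "domain_mismatch": origin_domain is not None and origin_domain != from_domain,
        # A header that looks like Received but is misspelt never came from a relay.
        "misspelt_trace_header": any(
            re.fullmatch(r"rec[a-z]*ved", k.lower()) and k.lower() != "received"
            for k in msg.keys()),
        "claimed_client_ip": msg.get("X-Original-IP"),
        "asks_for_password": re.search(r"^Password:", body, re.M) is not None,
        "filter_token": token.group(1) if token else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:>22}: {value}")
```

On the quoted message this reports that the From domain is bigpond.com while the message was submitted through webmail.dodo.com.au, that the lowest "trace" line is misspelt and therefore not a real relay stamp, that the body asks for a password, and that VX2G99AAJ is the token worth putting in a filter rule; none of this requires replying or bouncing, which is the post's point.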