
Spam to comcast.net accounts only


HankG

Oct 2, 2012, 3:22:44 PM
Got an apparent spam today from a Sabrina Toleson to multiple Comcast
accounts. No subject. Body consisted of one line (link). Can't get a
valid whois on the name.

Wonder how widespread the spam is.

HankG



VanguardLH

Oct 2, 2012, 6:01:31 PM
Here's one way to tell:

http://www.rhyolite.com/dcc/
http://en.wikipedia.org/wiki/Distributed_Checksum_Clearinghouse

But you'll need an e-mail client, add-on, or proxy that supports
reporting and retrieving stats from the DCC list. Their database is
updated by users of DCC capable clients. A hash of each e-mail is
reported to their database. This allows tallying how many of the same
e-mails (or nearly the same e-mails using fuzzy logic) have been
received by how many users. DCC capable clients can then set a
threshold, like if you don't want an e-mail that has been reported 100
times, or more, then you can tag or filter it out.

Be aware that a LOT of non-spam messages will look [nearly] identical to
each other. For example, all those confirmation e-mails you get back to
register an account at some site will all look the same as sent by that
same site except for maybe the URL on which you click to complete the
registration process. As such, you'll find confirmation, newsletter, or
other subscribed e-mails will usually run afoul of DCC filtering.

By the way, I've not received any spam in my Comcast e-mail accounts for
so long that I don't remember when I last got spam through those
accounts.

WhoIs doesn't work on people's names. It works on domain names.
Obviously no one here knows what is the domain name because you didn't
mention it. You also never gave an exhibit of the spam (with your
username only munged out in the headers and body) to see from just where
that spam was sourced.
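
The reporting-and-threshold scheme described in the post above, as an added sketch that is not part of the original thread and is not DCC's own code. The normalization in `fuzzy_checksum`, the in-memory `Clearinghouse`, and all addresses and domains are assumptions made for illustration; it also shows the false positive on solicited bulk mail that the post warns about, with a sender whitelist as the remedy.

```python
import hashlib
import re
from collections import defaultdict

URL_RE = re.compile(r"(https?://[^/\s]+)\S*")


def fuzzy_checksum(body):
    """Hash the body after removing the parts that vary between copies.

    Toy stand-in for DCC's fuzzy checksums (the real algorithms differ):
    URL paths, digit runs, case and whitespace are normalized away.
    """
    text = URL_RE.sub(r"\1", body.lower())   # keep scheme and host only
    text = re.sub(r"\d+", "<n>", text)
    text = " ".join(text.split())
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class Clearinghouse:
    """In-memory tally of how many distinct users reported each checksum."""

    def __init__(self):
        self._reporters = defaultdict(set)

    def report(self, user, body):
        self._reporters[fuzzy_checksum(body)].add(user)

    def count(self, body):
        return len(self._reporters.get(fuzzy_checksum(body), ()))


def classify(clearinghouse, body, sender_domain, threshold, bulk_whitelist):
    """Return 'deliver' or 'tag-bulk' for one incoming message."""
    if sender_domain in bulk_whitelist:
        return "deliver"                     # solicited bulk mail is exempt
    if clearinghouse.count(body) >= threshold:
        return "tag-bulk"
    return "deliver"


def demo(threshold=100):
    ch = Clearinghouse()
    for i in range(120):   # constructed: link-only spam, path differs per copy
        ch.report(f"user{i}", f"http://spam.example/landing/{i}/\n")
    for i in range(150):   # constructed: signup confirmation, token differs
        ch.report(f"user{i}",
                  f"Confirm your account:\nhttps://shop.example/confirm?t={i}\n")
    spam = "http://spam.example/landing/9999/"
    confirm = "Confirm your account: https://shop.example/confirm?t=abc"
    none, listed = set(), {"shop.example"}
    return {
        "spam": classify(ch, spam, "webmail.example", threshold, none),
        "confirm_unlisted": classify(ch, confirm, "shop.example", threshold, none),
        "confirm_whitelisted": classify(ch, confirm, "shop.example", threshold, listed),
        "personal": classify(ch, "Lunch on Friday at noon?", "friend.example",
                             threshold, none),
    }
```

The count says only that a message is bulk, not that it is unsolicited, which is why the unlisted confirmation e-mail is tagged exactly like the spam.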

Frank

Oct 2, 2012, 6:51:01 PM
Got me to checking spam folder and similar one was there.
No big deal as others point out. I quit messing with them and just
delete and never ever open their URLs.

VanguardLH

Oct 2, 2012, 10:45:20 PM
"VanguardLH" wrote:

> "HankG" wrote:
>
>> Got an apparent spam today from a Sabrina Toleson to multiple Comcast
>> accounts. No subject. Body consisted of one line (link). Can't get a
>> valid whois on the name.
>>
>> Wonder how widespread the spam is.
>
> By the way, I've not received any spam in my Comcast e-mail accounts for
> so long that I don't remember when I last got spam through those
> accounts.

Qualification: I access my Comcast e-mail accounts via POP3 (Post Office
Protocol v3). POP has no concept of folders, just of one mailbox. That
means POP can only access the Inbox folder as seen in the webmail
client. Anything Comcast's anti-spam filtering puts into my account's
Spam folder will never reach my POP e-mail client.

You never mention HOW you access your Comcast e-mail account(s).

Allodoxaphobia

Oct 2, 2012, 11:59:39 PM
On Tue, 02 Oct 2012 18:51:01 -0400, Frank wrote:
> On 10/2/2012 3:22 PM, HankG wrote:
>> Got an apparent spam today from a Sabrina Toleson to multiple Comcast
>> accounts. No subject. Body consisted of one line (link). Can't get a
>> valid whois on the name.
>>
>> Wonder how widespread the spam is.
>
> Got me to checking spam folder and similar one was there.
> No big deal as others point out. I quit messing with them and just
> delete and never ever open their URLs.

Probably VERY widespread for Comcast customers.

I got a copy today and the Cc: had 28 (!) @comcast.net email addy's --
no others. Also no Subject: here either.

The X-Mailer: YahooMailWebService/0.8.122.442
No doubt another cracked Yahoo email account -- all too frequent.

But, it is too much of a coincidence that ALL the parties spammed were
@comcast.net. Like Gibbs, I don't believe in coincidences.

My Comcast email addy is RARELY used and is composed of a convoluted
dotted userid. -- this is the FIRST spam I've seen in the 7+ years I've
had the Comcast account.

I don't believe in coincidences.

OBTW, I checked the URL with lynx and it was a 404 a couple of hours
ago.

Jonesy

Ken Whiton

Oct 3, 2012, 3:50:59 PM
*-* On Wed, 3 Oct 2012, at 02:45:13 +0000 (UTC),
*-* In Article <k4g8ro$iu5$1...@news.albasani.net>,
*-* VanguardLH wrote
*-* About Re: Spam to comcast.net accounts only

> "VanguardLH" wrote:

>> "HankG" wrote:

>>> Got an apparent spam today from a Sabrina Toleson to multiple
>>> Comcast accounts. No subject. Body consisted of one line (link).

I received a similar one, from a different sender. Comcast had
flagged it as spam and moved it to the Spam folder.

>>> Can't get a valid whois on the name.

>>> Wonder how widespread the spam is.

>> By the way, I've not received any spam in my Comcast e-mail
>> accounts for so long that I don't remember when I last got spam
>> through those accounts.

> Qualification: I access my Comcast e-mail accounts via POP3 (Post
> Office Protocol v3). POP has no concept of folders, just of one
> mailbox. That means POP can only access the Inbox folder as seen in
> the webmail client. Anything Comcast's anti-spam filtering puts
> into my account's Spam folder will never reach my POP e-mail client.

> You never mention HOW you access your Comcast e-mail account(s).

I'm not the OP, but I access my e-mail accounts via both webmail
and POP3. I use webmail as a "screening tool", including marking any
spam that Comcast misses. Anything that passes the screening gets
downloaded via POP3.

Ken Whiton
--
FIDO: 1:132/152
InterNet: kenw...@surfglobal.net.INVAL (remove the obvious to reply)

Ken Whiton

Oct 3, 2012, 4:25:45 PM
*-* On 3 Oct 2012, at 03:59:39 GMT,
*-* In Article <slrnk6ne1b.2j6g.k...@vps.jonz.net>,
*-* Allodoxaphobia wrote
*-* About Re: Spam to comcast.net accounts only

> On Tue, 02 Oct 2012 18:51:01 -0400, Frank wrote:
>> On 10/2/2012 3:22 PM, HankG wrote:
>>> Got an apparent spam today from a Sabrina Toleson to multiple
>>> Comcast accounts. No subject. Body consisted of one line (link).
>>> Can't get a valid whois on the name.

>>> Wonder how widespread the spam is.

>> Got me to checking spam folder and similar one was there.
>> No big deal as others point out. I quit messing with them and just
>> delete and never ever open their URLs.

> Probably VERY widespread for Comcast customers.

> I got a copy today and the Cc: had 28 (!) @comcast.net email addy's
> -- no others. Also no Subject: here either.

The one I received had 29 "To:" names, no "CC:"s.

> The X-Mailer: YahooMailWebService/0.8.122.442

YahooMailWebService/0.8.121.434 here

> No doubt another cracked Yahoo email account -- all too frequent.

The originating IP address of the one I received resolves to a
location in Mexico. It was sent through Yahoo Singapore, apparently
with a mobile device.

I leave items in the Spam folder alone, letting Comcast and the
passage of time expire them, so the one I received is still there, and
I'm pasting the source below (after deleting the intended recipients'
addresses for privacy).

- - - Begin source of spam e-mail - - -

Return-Path: bryans...@yahoo.com
Received: from imta28.emeryville.ca.mail.comcast.net (LHLO
imta28.emeryville.ca.mail.comcast.net) (76.96.30.25) by
sz0084.wc.mail.comcast.net with LMTP; Tue, 2 Oct 2012 21:02:29 +0000
(UTC)
Received: from nm3-vm8.bullet.mail.sg3.yahoo.com ([106.10.148.119])
by imta28.emeryville.ca.mail.comcast.net with comcast
id 6M2N1k01Q2anvBe0UM2NgR; Tue, 02 Oct 2012 21:02:23 +0000
X-CAA-SPAM: F00001
X-Authority-Analysis: v=2.1 cv=HJd7oedv c=1 sm=1 tr=0 p=0HxWJWb54vEA:10
a=iDjJc0nU6ER3OH0oel9Pww==:117 a=ueJ1ztgYh6H+WVPHFagm6Q==:17
a=CjxXgO3LAAAA:8
a=C_IRinGWAAAA:8 a=f8_S3n9t2uQA:10 a=63vWRBJqAAAA:8
a=5alLsyucyTbWuNejMzIA:9
a=QEXdDO2ut3YA:10 a=8WJ8H5Xm4Ui6HOExR94A:9
Received: from [106.10.166.112] by nm3.bullet.mail.sg3.yahoo.com with
NNFMP; 02 Oct 2012 21:02:13 -0000
Received: from [106.10.151.171] by tm1.bullet.mail.sg3.yahoo.com with
NNFMP; 02 Oct 2012 21:02:13 -0000
Received: from [127.0.0.1] by omp1011.mail.sg3.yahoo.com with NNFMP;
02 Oct 2012 21:02:13 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 712923....@omp1011.mail.sg3.yahoo.com
Received: (qmail 62400 invoked by uid 60001); 2 Oct 2012 21:02:13 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com;
s=s1024; t=1349211733;
bh=kPQ5AOP+3fOrgzSbL+N66yqqjRwMa67povBEAJR2O+E=;
h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:To:MIME-Version:Content-Type;
b=w+V+VzDMdySdlWXo18AxfZfuP59xaIdy5FUSV0toMIM1T9qqQ5xHXrD8PIfn5WB2rihjtGrQRYNm61N7z82oEef99YiA2D5c/XtmZpbpcSnIsks607WqgBK9de3VHKslhFJ/f+J/4wZFv6sZInkYisfUZNdJU4E8ia+uYr+7HjE=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;

h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:To:MIME-Version:Content-Type;

b=S8o7DSq9oOmwaiFZP96rjcQDyz7W6uDChlmVUdKodUkKs5Ans+7NIqTkpQZzTmJurj4GyGGmNGz5fuSxuFiNGHFpS/gJK+e9/3yNpXJ5G059nLebKcObvkqoN6he+6g5CFZ1xqg2Dqgg7bOuBc4/E5M1hB2VbcDqBhVfl7JCojk=;
X-YMail-OSG: 8HZ7.5AVM1lq1Ztq0nj.cKHvtnTcM.TTvCOf3.TM7hEXhDC
2LIO7XEQUrDKKTTtV7yeAGWa2ub5oQ5JPb63xNg6gXa9fi54DF8mTXhnCpAm
uA2WRTVISwgx7o5IvwC6Szm5XsVhTibnEXesHmC8YI8tdH6w4pYPS10EGkC9
R8CLbDXLSauJ5Npc6RKaDCdFmr8CCcBdD7I3.4Ccu78Xk1MwAEMCtphFwmJA
4C6YlfQ_nBvm.35lfMJUuswDbulNHNoNcxRCn7PoxU.Jv5DWfaOOSf.ARjz6
98wvJCDoufCeTUoHqGZAjof58BwK9Jyl36ZdkGKjTzFiIPTqaM6_VBwf8MA4
7HIe_0qJ3LBgZtQ9OwWdqv1Kct8xfWHWhpBEeRl3P.eofdVaEtoID00IlpMy
grjRwCyleJNXsQm5XCElSH_c4uL6RPEj6PeTGoS26idBLDHVNdmqhHXaqBZs
go70Hqs1yH9rzS28eqOKIUnktWWX4Tx5xqlXp1HF1l19uh7JFhKSDbkbBWSz
2HxzLkchsRQn_s6YqS0yL
Received: from [201.157.4.234] by web190205.mail.sg3.yahoo.com via
HTTP; Wed, 03 Oct 2012 05:02:13 SGT
X-Mailer: YahooMailWebService/0.8.121.434
Message-ID: <1349211733.4109...@web190205.mail.sg3.yahoo.com>
Date: Wed, 3 Oct 2012 05:02:13 +0800 (SGT)
From: Bryan Siew <bryans...@yahoo.com>
To: [29 @comcast.net e-mail addresses deleted for privacy]
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="-1337416751-1273365839-1349211733=:41099"

---1337416751-1273365839-1349211733=:41099
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<p><a
href=3D"http://greenstreetproduce.com/dancingdownward/neilwalker26/">=
http://greenstreetproduce.com/dancingdownward/neilwalker26/</a></p>=0A
---1337416751-1273365839-1349211733=:41099
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<table cellspacing=3D"0" cellpadding=3D"0" border=3D"0"><tr><td
valign=3D"t=
op" style=3D"font: inherit;"><p><a
href=3D"http://greenstreetproduce.com/da=
ncingdownward/neilwalker26/">http://greenstreetproduce.com/dancingdownward/=
neilwalker26/</a></p>=0A</td></tr></table>
---1337416751-1273365839-1349211733=:41099--

- - - End source of spam e-mail - - -

I find it interesting that the plain text version includes HTML
tags.
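
Reading the posted source programmatically, as an added example that is not part of the original post: it walks the Received chain from the oldest hop to find the address the message was submitted from, and checks whether the text/plain part still contains markup. The header values are copied from the post in abridged form; the link is replaced with a placeholder, and the function names are this example's own.

```python
import email
import ipaddress
import re
from email import policy

# Abridged from the headers posted above: To: list omitted as in the post,
# signature headers dropped, and the link replaced with a placeholder.
RAW = """\
Received: from nm3-vm8.bullet.mail.sg3.yahoo.com ([106.10.148.119])
 by imta28.emeryville.ca.mail.comcast.net with comcast
 id 6M2N1k01Q2anvBe0UM2NgR; Tue, 02 Oct 2012 21:02:23 +0000
Received: from [106.10.166.112] by nm3.bullet.mail.sg3.yahoo.com with
 NNFMP; 02 Oct 2012 21:02:13 -0000
Received: from [127.0.0.1] by omp1011.mail.sg3.yahoo.com with NNFMP;
 02 Oct 2012 21:02:13 -0000
Received: from [201.157.4.234] by web190205.mail.sg3.yahoo.com via
 HTTP; Wed, 03 Oct 2012 05:02:13 SGT
X-Mailer: YahooMailWebService/0.8.121.434
Content-Type: multipart/alternative;
 boundary="-1337416751-1273365839-1349211733=:41099"

---1337416751-1273365839-1349211733=:41099
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<p><a href=3D"http://link.example/placeholder/">=
http://link.example/placeholder/</a></p>=0A
---1337416751-1273365839-1349211733=:41099
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<table><tr><td><p><a href=3D"http://link.example/placeholder/">=
http://link.example/placeholder/</a></p>=0A</td></tr></table>
---1337416751-1273365839-1349211733=:41099--
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")
TAG_RE = re.compile(r"</?(?:a|p|br|div|table|tr|td|html|body)\b[^>]*>", re.I)


def hops(msg):
    """Return (ip, by_host) per Received header, oldest hop first."""
    out = []
    for value in reversed(msg.get_all("Received", [])):
        text = str(value)
        ip, by = IP_RE.search(text), BY_RE.search(text)
        out.append((ip.group(1) if ip else None, by.group(1) if by else None))
    return out


def submitting_client(msg):
    """First globally routable address, walking from the oldest hop up."""
    for ip, by_host in hops(msg):
        if ip and ipaddress.ip_address(ip).is_global:
            return ip, by_host
    return None


def plain_part_has_html(msg):
    """True if a text/plain part still contains markup after decoding."""
    return any(
        TAG_RE.search(part.get_content())
        for part in msg.walk()
        if part.get_content_type() == "text/plain"
    )


MSG = email.message_from_string(RAW, policy=policy.default)
```

Received lines written before the message reached a server you trust can be forged, so the oldest hop is only as reliable as the host named after `by`.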

Allodoxaphobia

Oct 3, 2012, 4:49:32 PM
On Wed, 03 Oct 2012 16:25:45 -0400, Ken Whiton wrote:
> *-* Allodoxaphobia wrote
>
>> I got a copy today and the Cc: had 28 (!) @comcast.net email addy's
>> -- no others. Also no Subject: here either.
>
> The one I received had 29 "To:" names, no "CC:"s.

My bad!! I don't know why I typed "Cc:". Like yours, it was a "To:".

> I find it interesting that the plain text version includes HTML tags.

heh... You expect slime-ball spammers to write well-planned,
well-developed, bug-free code? Hell, if Microsoft can't do it, why
should anyone else try. :-)

Have yet to see a subsequent related spam.

Jonesy

VanguardLH

Oct 3, 2012, 4:55:38 PM
If I get spam to my local e-mail client via POP, it got into my
webmail's Inbox folder since that's the only one that my POP client can
see. So, like you, I then use the webmail client to log into my account
and report that spam to Comcast to get their anti-spam filter updated.
Been so long since I got a spam into my webmail Inbox to get into my
local POP e-mail client that I can't remember when I had to do this last
time. I used to report spam to Spamcop, too, but now I only get about 1
a month, if that. I like not getting spam but it was actually fun to
report the crap.

However, I have added a few server-side rules (i.e., rules in the
webmail client), like:

- "discard - blacklist", action = discard (disappears from all folders)
These are repeat offenders from whom I don't want their e-mails.
Often they are from businesses I deal with that send me their spam,
like Tracfone who sends me offers, @news.efax.com who sends me offers
because I have a free eFax account, and @comcast.delivery.net which
are offers from Comcast (but the boobs don't even source it from their
domain and instead contract with delivery.net to send this crap). In
total, I have just 4 blacklisted senders which has stayed consistent for
a couple years.

- "keep - passcode in Subject", action = e-mail stays in Inbox
If a special string (passcode) is in the Subject header, keep that
e-mail. This is a unique string that is very unlikely to ever appear
in any e-mail that I will receive. It is something I tell very
trusted senders to add into the Subject header to ensure they get past
my spam filters (server- and client-side). It's like giving those
senders a skeleton key. If anyone abuses that trust, I change this
rule to use a different password. The abuser can't use the old one
anymore, has to run the gauntlet of spam filters (assuming they get
past the blacklist rule since it's likely their abuse means e-mail
communications get cut off from them).

- "keep - safe sender", action = leave in Inbox
Unlike many local e-mail clients that let you maintain a list of known
good (safe) senders, Comcast's webmail doesn't have that. So I have
to use a rule to list my safe senders.

- "trash - no @ in From", action = delete the e-mail
If the sender doesn't provide an e-mail address in the From header, I
don't want their e-mail. While RFC standards require an e-mail
address, rare few SMTP servers bother to check syntax.

- "trash - me in From", action = delete e-mail
My account's e-mail address is in the From header. I don't send
myself any e-mails. Those are from spammers pretending to be me sending
e-mails to myself.

I used to have the following server-side filter:

- "Subject is blank", action = move to Spam folder
Test for Subject header NOT to have any characters A-Z, 0-9. That was
an old spam trick to make you read the body of an e-mail since you
might have the Preview pane disabled. Too often the Subject divulged
it was spam even when they tried to use one that wasn't spammy.

However, it's been so long that spammers used that trick that I removed
this filter. More often I have good senders that wrote the body of
their e-mail and forgot to add a subject.

I don't want to add too many server-side filters as this becomes too
aggressive. I'd end up having to revisit the webmail client too often
checking for false positives. I have more rules in my local e-mail
client but those move suspect e-mails into the Junk or Deleted Items
folders. Basically I take a subset of the rules in my local e-mail
client to use server-side in the webmail service. By letting the server
do the work, I can disable those rules (instead of delete them since I
may want them later) so my local e-mail client runs faster because there
is a reduced number of rules to exercise against every received e-mail.

When possible, I let the e-mail server do as much filtering as possible
but not get so aggressive that I end up having to use the webmail client
to check for false positives. If I have to check for those, I need to
reduce or modify my server-side rules.

Of course, the best means to keep spam from hitting your Inbox is to NOT
dole out your e-mail address to every joker that asks for it. Use
aliases instead (e.g., Spamgourmet). I don't even have to log into
Spamgourmet to dole out an alias. I can make them up on-the-fly using
no software, just some basic syntax rules on how to compose an alias
that you give to an untrusted, unknown, or temporary sender. Use a
*unique* alias with each sender. Then if that alias gets abused with
spam, you know exactly who betrayed you. My aunt doles her Hotmail
address out to everyone that asks for an e-mail address. She gets lots
of spam. I rarely give out my true e-mail address (maybe a dozen people
have it) and almost always give out an alias. If the alias hasn't been
abused in 6-8 months then I'll consider updating my account or contact
info with the sender to give them my true e-mail address; however, I
have aliases that have been defined for years with the same senders
although they are known but not fully trustworthy. If an alias gets
abused or was only temporary, I just log in to Spamgourmet to delete it
(well, you cannot delete aliases there but you can zero out how many
more e-mails get through an alias - if the receive count is zero, any
further e-mails to that alias go to the bit bucket).

Brian

Oct 3, 2012, 10:12:04 PM
On Wed, 03 Oct 2012 15:21:50 -0500, Bill <no...@none.invalid> wrote:


>What's the point of "screening" via the web interface? In what
>meaningful way is that different from downloading and deleting
>locally? Besides being much slower and much less convenient, I mean.

Because that way it gets reported to Comcast.

Steve Baker

Oct 3, 2012, 10:45:27 PM
On Wed, 03 Oct 2012 22:12:04 -0400, Brian <drmorri...@comcast.net>
wrote:
Forwarding spam to misse...@comcast.net is supposed to have the
same effect as clicking on the Spam button. And you can send one email
which includes a bunch of spams as attachments.

--
Steve Baker

Adam H. Kerman

Oct 4, 2012, 12:49:25 AM
I wonder what Comcast does with it.

Barry Margolin

Oct 4, 2012, 4:13:20 AM
In article <k4j4gl$b0s$1...@news.albasani.net>,
It's added to the spam corpus used by the Bayesian filtering algorithm.

--
Barry Margolin
Arlington, MA

HankG

Oct 4, 2012, 2:11:00 PM

"VanguardLH" <V...@nguard.LH> wrote in message
news:k4g8ro$iu5$1...@news.albasani.net...
I believe it is a POP 3 account.

BTW, I didn't mean to imply that Comcast was responsible for
creating/managing the SPAM; just thought it strange that the 'TO' list
consisted of all CC accounts.



Adam H. Kerman

Oct 4, 2012, 3:47:27 PM
HankG <hg...@yahoo.com> wrote:
There is a wrapper around an email message called, appropriately, the
envelope, that contains the actual mailbox of the intended recipient.
Because of this, it's possible to receive a message with irrelevant
mailboxes on To and Cc headers. In an individual message, if you put
a mailbox on Bcc, it's required to be stripped out and would only
appear in ENVELOPE TO.

When large numbers of identical messages are sent between hosts, only
one actual message is sent, then expanded with the separate list of
intended recipients on that host who, again, may appear only on ENVELOPE TO.
Some expansions manage to put the intended recipient on the To header of
the message itself, as if it's been personalized for the recipient.

This bulk message technique has been in use since LISTSERV days, an
application written for large mailing lists and communication among mainframe
computers. Messages had to be bulked in this manner because trans-Atlantic
data communication was hideously expensive.

It's partly coincidence that you saw the other recipients on To or Cc,
but they didn't necessarily receive the same bulk message you received and,
quite frankly, could have been on other hosts or in another network.
Those are often random mailboxes, and can sometimes be fictional.
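
The envelope/header split described in the post above, as an added example that is not part of the original thread: it parses a constructed SMTP session, separates the envelope (MAIL FROM / RCPT TO) from the To and Cc headers carried after DATA, and reports which mailboxes appear in only one of the two. Every host name and address in the transcript is invented for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses

# Constructed session between a sending relay (C) and a receiving MX (S).
SESSION = """\
S: 220 mx.isp.example ESMTP
C: EHLO relay.webmail.example
S: 250 mx.isp.example
C: MAIL FROM:<sender@webmail.example>
S: 250 OK
C: RCPT TO:<alice@isp.example>
S: 250 OK
C: RCPT TO:<bob@isp.example>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: Sender <sender@webmail.example>
C: To: alice@isp.example, carol@other.example
C: MIME-Version: 1.0
C:
C: http://link.example/placeholder/
C: .
S: 250 queued
C: QUIT
S: 221 bye
"""

PATH_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)


def parse_session(transcript):
    """Split a transcript into envelope sender, envelope recipients, message."""
    mail_from, rcpts, data, in_data = None, [], [], False
    for line in transcript.splitlines():
        if not line.startswith("C:"):
            continue                      # server replies carry no addressing
        text = line[3:]
        if in_data:
            if text == ".":
                in_data = False           # lone dot ends the message
            else:                         # undo SMTP dot-stuffing
                data.append(text[1:] if text.startswith(".") else text)
            continue
        m = PATH_RE.match(text)
        if m and m.group(1).upper() == "MAIL FROM":
            mail_from = m.group(2)
        elif m:
            rcpts.append(m.group(2).lower())
        elif text.upper() == "DATA":
            in_data = True                # assumes the server answered 354
    msg = message_from_string("\n".join(data) + "\n", policy=policy.default)
    return mail_from, rcpts, msg


def compare(transcript):
    """Mailboxes present only in the envelope or only in To/Cc."""
    _, rcpts, msg = parse_session(transcript)
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    in_headers = {addr.lower() for _, addr in getaddresses(headers) if addr}
    envelope = set(rcpts)
    return {
        "envelope_only": sorted(envelope - in_headers),
        "header_only": sorted(in_headers - envelope),
    }
```

A recipient that is only in the envelope is what Bcc and mailing-list delivery look like, so on its own it is a weak spam signal; a mailbox that is only in the headers was not delivered by this transaction at all.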

Brian

Oct 4, 2012, 11:50:23 PM

>I place zero value on that, but thanks. Obviously, some people are
>willing to spend far more time with spam than I am.

I report it and it goes away. Takes very little time.

Norman Miller

Oct 5, 2012, 4:50:24 AM
On Thu, 4 Oct 2012 14:11:00 -0400, HankG wrote:

> BTW, I didn't mean to imply that Comcast was responsible for
> creating/managing the SPAM; just thought it strange that the 'TO' list
> consisted of all CC accounts.

Back in the early days I would get spam to a galaxy of email domains. At
some point the spammers switched to all the same domain.

Multiple domain spam was usually sent via promiscuous SMTP relay; a
holdover from the early days of Arpanet, when it was "good manners" to
allow your SMTP server to relay for other entities. As the spam problem
grew, spammers' ISPs started adding "no spamming" to their ToSes; and
canceling spammer accounts. So spammers learned to abuse open SMTP relays
to deflect complaints, and avoid getting shut down. So email service
providers started closing the open relays.

Spammers needed a new method to spew their spam. And they found it in the
open proxy. A bit of social engineering and they could induce users to run
dubious installers which 'bot'd' their computers. But there was another
issue. Where an open relay would run an 'MX' lookup for each email domain,
and send the spam on, open proxies were sending directly to the target MX
servers, which would reject any recipient not in the MX server's email
domain. So to send through an open proxy to 'mx.comcast.com', all
recipients in the Cc: list must be in the 'comcast.net' domain. The Comcast
MX server will never accept email in the 'aol.net', 'pacbell.net', or
'hotmail.com' domains. It has been this way for around ten years, if not
more.

Now that more ISPs are blocking their users from outbound port 25 access,
spammers are using a new trick: "Phishing" for users' email account
details. If the spammer can't reach 'mx.comcast.net:25' from a compromised
AT&T DSL user's bot'd computer, he can relay through 'outbound.att.net' if
he can induce a hapless AT&T DSL user to submit his account login details.

Despite the spamfighters' mantra that, "spammers are stupid", many are
actually very clever. They spend an inordinate amount of time trying to
develop the next spamfilter busting technique.

--
Norman
~Oh, Lord, why have You come
~To Konnyu, with the Lion and the Drum

Norman Miller

Oct 5, 2012, 4:57:50 AM
On Wed, 03 Oct 2012 16:25:45 -0400, Ken Whiton wrote:

Broken "spamware", or spammer doesn't know how to use his tools.

Norman Miller

Oct 5, 2012, 4:58:27 AM
On 3 Oct 2012 03:59:39 GMT, Allodoxaphobia wrote:

> But, it is too much of a coincidence that ALL the parties spammed were
> @comcast.net. Like Gibbs, I don't believe in coincidences.

What do you think it means?