Strange piece of spam


Zijyfe Duufop

May 10, 2011, 1:59:38 PM
to iscds...@googlegroups.com
I got the following letter from the email address of a friend, who later told me that he hadn't used that address in years. This led me to believe that he had been hacked. However, when I looked at the headers, it showed this:
Received: by 10.220.40.71 with SMTP id j7cs40051vce;
        Mon, 9 May 2011 04:01:21 -0700 (PDT)
Received: by 10.224.186.5 with SMTP id cq5mr5706629qab.373.1304938881526;
        Mon, 09 May 2011 04:01:21 -0700 (PDT)
Return-Path: <hartley...@hotmail.com>
Received: from blu0-omc3-s32.blu0.hotmail.com (blu0-omc3-s32.blu0.hotmail.com [65.55.116.107])
        by mx.google.com with ESMTP id j3si12926560qcu.49.2011.05.09.04.01.21;
        Mon, 09 May 2011 04:01:21 -0700 (PDT)
Received-SPF: pass (google.com: domain of hartley...@hotmail.com designates 65.55.116.107 as permitted sender) client-ip=65.55.116.107;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of hartley...@hotmail.com designates 65.55.116.107 as permitted sender) smtp.mail=hartley...@hotmail.com
Received: from BLU159-W7 ([65.55.116.73]) by blu0-omc3-s32.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
	 Mon, 9 May 2011 04:01:18 -0700



I believe that this means that it was sent from another IP address and was messing with SPF records. Am I right, and if so, what can my friend do to fix it?
---------- Forwarded message ----------
From: Hartley Melamed <hartley...@hotmail.com>
Date: Mon, May 9, 2011 at 7:01 AM
Subject: yo,
To: bzth...@gmail.com


I was writing a comment on MSNBC's newsite last sunday and saw this work from home job where you income $3542per wk andd I didnt believe it though still had to give it a shot andd thank god I did since I earned $418 my very 1st day. I've already been paid it is the most amazing thing thats happend to me, seriously. Heres the page  here http://t.co/mif2iHz Everyone can do the job so I'm telling all my close friends andd family. I'd like you to start and make some income your self at the sametime send this webpage with everyone you know so that we can all get out of this economy night mare. If I can do it, you can too. It's incredibly simple. Do it now since they are discussing charging fees for it as soon as next week. let me know how it goes

Freek de Kruijf

May 10, 2011, 3:52:40 PM
to iscds...@googlegroups.com
On Tuesday 10 May 2011 19:59:38 Zijyfe Duufop wrote:

From the header I can only draw the conclusion that it has been sent from the
hotmail.com server. So it looks like the Hotmail password has been hacked. So
maybe it is enough to change that password.

--
Kind regards,

Freek de Kruijf

Zijyfe Duufop

May 11, 2011, 11:35:57 AM
to iscds...@googlegroups.com
Now my mother's Hotmail account is doing the same thing! Headers:

Received: by 10.220.40.71 with SMTP id j7cs100564vce;
        Wed, 11 May 2011 08:14:47 -0700 (PDT)
Received: by 10.101.152.32 with SMTP id e32mr5681142ano.45.1305126886319;
        Wed, 11 May 2011 08:14:46 -0700 (PDT)
Return-Path: <rut...@hotmail.com>
Received: from bay0-omc3-s7.bay0.hotmail.com (bay0-omc3-s7.bay0.hotmail.com [65.54.190.145])
        by mx.google.com with ESMTP id f40si187582ani.154.2011.05.11.08.14.43;
        Wed, 11 May 2011 08:14:46 -0700 (PDT)
Received-SPF: pass (google.com: domain of rut...@hotmail.com designates 65.54.190.145 as permitted sender) client-ip=65.54.190.145;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of rut...@hotmail.com designates 65.54.190.145 as permitted sender) smtp.mail=rut...@hotmail.com
Received: from BAY151-W40 ([65.54.190.189]) by bay0-omc3-s7.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
	 Wed, 11 May 2011 08:13:19 -0700
Message-ID: <BAY151-w40A6A5EFE...@phx.gbl>
Return-Path: rut...@hotmail.com

Is it just me, or is there some sort of connection?


--
Need IPv6 Training? See http://www.ipv6securitytraining.com . IPv6 Security Training

To unsubscribe from this group, send email to
iscdshield+...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/iscdshield?hl=en

Brad Morgan

May 11, 2011, 1:40:01 PM
to iscds...@googlegroups.com
> Return-Path: <rut...@hotmail.com>
> Received: from bay0-omc3-s7.bay0.hotmail.com (bay0-omc3-s7.bay0.hotmail.com [65.54.190.145])
>         by mx.google.com with ESMTP id f40si187582ani.154.2011.05.11.08.14.43;
>         Wed, 11 May 2011 08:14:46 -0700 (PDT)
> Received-SPF: pass (google.com: domain of rut...@hotmail.com designates 65.54.190.145 as permitted sender) client-ip=65.54.190.145;
> Authentication-Results: mx.google.com; spf=pass (google.com: domain of rut...@hotmail.com designates 65.54.190.145 as permitted sender) smtp.mail=rut...@hotmail.com
> Received: from BAY151-W40 ([65.54.190.189]) by bay0-omc3-s7.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
>         Wed, 11 May 2011 08:13:19 -0700
> Message-ID: <BAY151-w40A6A5EFE...@phx.gbl>
> Return-Path: rut...@hotmail.com

All this header indicates is that the SMTP server which sent the email is
authorized (by SPF) to send messages from @hotmail.com. The relevant SPF
TXT entries are:

hotmail.com. 3600 IN TXT "v=spf1
include:spf-a.hotmail.com include:spf-b.hotmail.com
include:spf-c.hotmail.com include:spf-d.hotmail.com ~all"

spf-a.hotmail.com. 1912 IN TXT "v=spf1 ip4:209.240.192.0/19
ip4:65.52.0.0/14 ip4:131.107.0.0/16 ip4:157.54.0.0/15 ip4:157.56.0.0/14
ip4:157.60.0.0/16 ip4:167.220.0.0/16 ip4:204.79.135.0/24 ip4:204.79.188.0/24
ip4:204.79.252.0/24 ip4:207.46.0.0/16 ip4:199.2.137.0/24 ~all"

The match is ip4:65.52.0.0/14.

In my opinion, there are an awful lot of SMTP servers authorized to send
@hotmail.com email and the likelihood of all of them being secured is
probably pretty low, even if they are within Microsoft's allocated IP
address space.

The machine that sent the message to this SMTP server is 65.54.190.189 (also
within the SPF range). It has probably been compromised, or the account
itself has been compromised.

Regards,

Brad
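Brad's SPF walk-through, as an added example that is not part of the thread: a minimal SPF evaluator (ip4 and include mechanisms only, built on Python's standard ipaddress module) run against the two records he quoted; the spf-b/c/d.hotmail.com records are not shown on the page, so they are assumed absent here. It reproduces the 65.52.0.0/14 match for both Hotmail relays seen in this thread, and shows why a pass only says the relay is authorized, nothing about who was logged into the account.

```python
import ipaddress

# Offline stand-in for DNS TXT lookups. Both records are the ones quoted in the
# post above; spf-b/c/d.hotmail.com are not shown on the page, so lookups of
# them return "none" here (an assumption, not their real content).
SPF_RECORDS = {
    "hotmail.com": "v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com "
                   "include:spf-c.hotmail.com include:spf-d.hotmail.com ~all",
    "spf-a.hotmail.com": "v=spf1 ip4:209.240.192.0/19 ip4:65.52.0.0/14 "
                         "ip4:131.107.0.0/16 ip4:157.54.0.0/15 ip4:157.56.0.0/14 "
                         "ip4:157.60.0.0/16 ip4:167.220.0.0/16 ip4:204.79.135.0/24 "
                         "ip4:204.79.188.0/24 ip4:204.79.252.0/24 ip4:207.46.0.0/16 "
                         "ip4:199.2.137.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records=SPF_RECORDS, depth=0):
    """Evaluate sender_ip against domain's SPF record.

    Returns (result, matched_term). Only the ip4 and include mechanisms and the
    'all' terminator are implemented, which is all the quoted records use.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms; stop runaway includes
        return "permerror", None
    record = records.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none", None
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier], f"{domain}: {qualifier}all"
        mech, _, value = term.partition(":")
        if mech == "ip4" and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier], f"{domain}: ip4:{value}"
        if mech == "include":
            sub_result, matched = check_spf(value, sender_ip, records, depth + 1)
            if sub_result == "pass":  # an include matches only on a pass result
                return QUALIFIERS[qualifier], matched
    return "neutral", None  # no terminating 'all': RFC 7208 default result
```

Both relays from the thread (65.54.190.145 from the second header set and 65.55.116.107 from the first) land in the same ip4:65.52.0.0/14 block, while an address outside Microsoft's ranges falls through to the ~all softfail.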

Valdis.K...@vt.edu

May 11, 2011, 2:30:52 PM
to iscds...@googlegroups.com
On Tue, 10 May 2011 13:59:38 EDT, Zijyfe Duufop said:

> Received: from BLU159-W7 ([65.55.116.73]) by
> blu0-omc3-s32.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
> Mon, 9 May 2011 04:01:18 -0700

ZOMG. Spammers abuse Hotmail's webmail servers to send spam. News at 11.

(The fact that Hotmail credentials are stored on a *lot* of Windows boxes means
that if a computer gets zombied for whatever reason, the spammer has access to
the credentials to send out spam via Hotmail's servers. Happens *all* *the*
*time*. Remember - Vint Cerf said "140M compromised systems" and nobody argued
with it.)

resistance...@gmail.com

Jan 22, 2013, 1:43:02 AM
to iscds...@googlegroups.com
Recently I've been chatting with someone claiming to be such and such. When I got curious as to where this person might be coming from, I decided to examine the source of the email using Thunderbird, and found something that freaked me out and made me feel that my trust had been violated and that I had been majorly duped. This person claimed to be a high school dropout and various other things that made them seem like a dirt-poor person who didn't know much. I stupidly did not get to know them better before drawing the conclusion that she, if it is a she, was telling the truth. But so, this is what the header says:

From - Mon Jan 21 20:41:58 2013
X-Account-Key: account15
X-UIDL: A5F82531-644C-11E2-AE15-00237DE3F118
X-Mozilla-Status: 0011
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
x-store-info:SmXCjkY1Un5L3qlTmewTw3fvY0mBhNx7iaajE9F6MV2n+qehcPfCV0RE/1kEju9SgD791eA7P7XEq0aZR/ohTmN7atP5EiCD8tV1XILlW01NOeHanGbJa87PrbQ2TyGx4/dDwFfwBL0=
Authentication-Results: hotmail.com; spf=pass (sender IP is 65.55.116.107; identity alignment result is pass and alignment mode is relaxed) smtp.mailfrom=x...@hotmail.com; dkim=none (identity alignment result is pass and alignment mode is relaxed) header.d=hotmail.com; x-hmca=pass
X-SID-PRA: x...@hotmail.com
X-AUTH-Result: PASS
X-SID-Result: PASS
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0xO0Q9MDtHRD0wO1NDTD0w
X-Message-Info: AuEzbeVr9u6ITJ84TuOjIpg6xkAjKSPt2G8pGc9QGK82bNiEJXeYJfGF7/VIzLgilsuef9TcVAeU9zFREjwfWLDNSIa52CFUG8E7YtTCfgY87oB9jFaEG/Gfw/+wc9qK/wPqChlyxsCVddcg7ElGQtevhjUQTtBV
Received: from blu0-omc3-s32.blu0.hotmail.com ([65.55.116.107]) by BAY0-MC1-F39.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
	 Mon, 21 Jan 2013 20:31:59 -0800
Received: from BLU158-W58 ([65.55.116.74]) by blu0-omc3-s32.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
	 Mon, 21 Jan 2013 20:31:58 -0800
X-EIP: [qXF7o7CFH55CiGeyQsm/d3dFnnc46IZ3]
X-Originating-Email: [x...@hotmail.com]
Message-ID: <BLU158-W582364BFF...@phx.gbl>
Return-Path: x...@hotmail.com
Content-Type: multipart/alternative;
	boundary="_3c8487b5-b02f-4a4c-bf5e-0df9180ca235_"
From: <x...@hotmail.com>

I x'ed out "her" email and removed her name. So, shouldn't this show a personal address if she's just some poor nobody? Instead, all I see are IPs that go to Redmond. Do you think this person is an impostor rather than someone living at a private residence?

Andy Patrick

Jan 22, 2013, 9:17:59 AM
to iscds...@googlegroups.com
Those headers look absolutely identical to all the ones I have received recently from Hotmail accounts (and yes, I just now double-checked some very recent ones)....

I don't think Hotmail reveals the sender's actual PC source IP address these days; I think you have to ask MS if you want to get that info now...
(and good luck with that!!)
-andinator-




--
sent from my own Alternate Gmail Reality[tm]

Carrots

Jan 22, 2013, 2:08:20 PM
to iscds...@googlegroups.com

The X-EIP header is an encoded version of the X-Origin header; I don't actually know what the encoding or hash function is yet.