Hi Simon,

I have noticed this as well; in the last week or so I have seen dozens of these coming in on only a few accounts that I am monitoring. I can only assume that the sender is confirming because they are using some auto-responder. Unfortunately, while a huge majority of spammers will forge addresses so they don't get the challenge, doing it this way and using an auto-responder gets around that.
Of course, if the object of the message is to confirm that it reached a real account, then TMDA already confirmed that by sending the challenge.

----- Original Message ----
From: Simon Fishley <[EMAIL PROTECTED]>
To: tmda-users@tmda.net
Sent: Thursday, July 5, 2007 3:27:04 AM
Subject: Bogus E-Card emails

Greetings All

I wonder if anyone else using TMDA has noticed that there has been a flood of new emails pretending to be E-Cards. The links go nowhere but I suspect if clicked they must be confirming activity on the account if the user is gullible enough to click the link.

The interesting thing about this is that the sender of these messages is actually confirming the TMDA challenge email, something I have not come across before. An example of one of these messages below:

________________________________________________________

Date: Sat, 30 Jun 2007 14:08:17 +0530 [30/06/07 10:38:17 SAST]
From: "E-Cards.Com" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: You've received a greeting ecard from a friend!

Good day.

Your friend has sent you a greeting ecard from E-Cards.Com.

Send free ecards from E-Cards.Com with your choice of colors, words and music.

Your ecard will be available with us for the next 30 days. If you wish to keep the ecard longer, you may save it on your computer or take a print.

To view your ecard, choose from any of the following options:

--------
OPTION 1
--------

Click on the following Internet address or copy & paste it into your browser's address box.

http://86.145.88.66/?97b969c2b1c85da46

--------
OPTION 2
--------

Copy & paste the ecard number in the "View Your Card" box at http://86.145.88.66/

Your ecard number is 97b969c2b1c85da46

Best wishes,
Mailer-Daemon,
E-Cards.Com

____________________________________________________________

Now the Headers (I sanitised a bit):

Received:
* (qmail 4004 invoked by uid 5005); 4 Jul 2007 15:48:56 -0000
* (qmail 27640 invoked by alias); 30 Jun 2007 08:39:46 -0000
* (qmail 27637 invoked by uid 453); 30 Jun 2007 08:39:46 -0000
* from Unknown (HELO myserverhere) (192.168.250.10) by domain.com (qpsmtpd/0.32) with ESMTP; Sat, 30 Jun 2007 10:39:30 +0200
* (qmail 24261 invoked by uid 89); 30 Jun 2007 08:35:16 -0000
* by simscan 1.3.1 ppid: 24254, pid: 24255, t: 2.7150s scanners: attach: 1.3.1 clamav: 0.90.1-exp/m: spam: 3.1.8
* from unknown (HELO myserverhere2) (myiphere) by myserverhere with (DHE-RSA-AES256-SHA encrypted) SMTP; 30 Jun 2007 08:35:14 -0000
* (qmail 28425 invoked by uid 107); 30 Jun 2007 08:46:11 -0000
* from 59.181.116.46 by Myserverhere2 (envelope-from <[EMAIL PROTECTED]>, uid 107) with qmail-scanner-1.24st (clamdscan: 0.88.7/2391. vexira: 6.30.0.2. spamassassin: 3.1.7. perlscan: 1.24st. Clear:RC:0(59.181.116.46):SA:0(3.4/4.0):. Processed in 1.177427 secs); 30 Jun 2007 08:46:11 -0000
* from unknown (HELO static-mum-59.181.116.46.mtnl.net.in) (59.181.116.46) by Myserverhere2 with SMTP; 30 Jun 2007 08:46:10 -0000
* from ezvw.ck ([53.146.136.194]) by static-mum-59.181.116.46.mtnl.net.in with Microsoft SMTPSVC(5.0.2195.6713); Sat, 30 Jun 2007 14:08:17 +0530

Received-SPF:
* softfail (myserverhere: transitioning SPF record at spf01.biglobe.ne.jp does not designate myserverhere as permitted sender)
* softfail (myserverhere: transitioning SPF record at spf01.biglobe.ne.jp does not designate 59.181.116.46 as permitted sender)

Subject: You've received a greeting ecard from a friend!
To: [EMAIL PROTECTED]
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4029.2901
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4029.2901
X-Old-Spam-Status: No, score=-2.4 required=5.0 tests=BAYES_00,NORMAL_HTTP_TO_IP autolearn=ham version=3.1.8
X-Priority: 3
X-Qmail-Scanner: 1.24st (Clear:RC:0(59.181.116.46):SA:0(3.4/4.0):. Processed in 1.177427 secs Process 28414)
X-Qmail-Scanner-Mail-From: [EMAIL PROTECTED] via dylan.o-s-s.co.za
X-Spam-Check-By: hidden.com
X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on myserverhere
X-Spam-Level:
X-Spam-Status: No, hits=2.8 required=5.0 tests=RCVD_IN_BL_SPAMCOP_NET,SPF_SOFTFAIL
X-TMDA-Confirm-Done: 1183192786.27645.520ffe
X-TMDA-Released: Wed Jul 4 17:48:56 SAST 2007

_____________________________________________________________

So TMDA challenged them but someone actually confirmed the challenge message. This means that a) the reply address [EMAIL PROTECTED] is valid and b) someone or something is reading the messages sent back.

Does this signify a shift in Spammers' approach to handling Challenge/Response systems or is it something else completely?

Interested in what u guys think.

Simon

_____________________________________________
tmda-users mailing list (tmda-users@tmda.net)
http://tmda.net/lists/listinfo/tmda-users
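The header combination described in the thread (a message released by a confirmed challenge although SPF returned softfail and a blocklist test fired) can be checked mechanically when reviewing released mail. The following is an added example, not part of the original thread or of TMDA itself; the sample message is constructed, and the function name `review_confirmed` and the reason labels are assumptions.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted in the thread;
# addresses and IPs are documentation placeholders, not real senders.
SAMPLE = """\
From: "E-Cards.Com" <sender@example.com>
To: user@example.org
Subject: You've received a greeting ecard from a friend!
Received-SPF: softfail (mx.example.org: 192.0.2.46 is not a permitted sender)
X-Spam-Status: No, hits=2.8 required=5.0 tests=RCVD_IN_BL_SPAMCOP_NET,SPF_SOFTFAIL
X-TMDA-Confirm-Done: 1183000000.12345.abcdef

To view your ecard, click on the following Internet address:
http://192.0.2.66/?0123456789abcdef
"""

# Blocklist rule name taken from the thread; extend for your own ruleset.
DNSBL_TESTS = {"RCVD_IN_BL_SPAMCOP_NET"}
# URL whose host is a bare IPv4 address rather than a domain name.
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?=[/:?\s]|$)")


def review_confirmed(raw):
    """Return None if the message was not released by a confirmed
    challenge, else a list of reasons the release deserves a second look."""
    msg = message_from_string(raw)
    if msg.get("X-TMDA-Confirm-Done") is None:
        return None
    reasons = []
    # Each Received-SPF value begins with the result keyword.
    results = [v.split()[0].lower()
               for v in msg.get_all("Received-SPF", []) if v.split()]
    if any(r in ("softfail", "fail") for r in results):
        reasons.append("spf-not-pass")
    m = re.search(r"tests=([\w,]+)", msg.get("X-Spam-Status", ""))
    if m and DNSBL_TESTS & set(m.group(1).split(",")):
        reasons.append("dnsbl-listed")
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if not p.is_multipart())
    if IP_URL.search(body):
        reasons.append("ip-literal-url")
    return reasons


if __name__ == "__main__":
    print(review_confirmed(SAMPLE))
```
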