Tuesday, June 26, 2012

Progressives Spamming

Almost daily I get progressive political spam that is essentially just leftist talking points.  It is well enough written that I suspect that it is put out by one of the big organizations, but there is no way to unsubscribe, and it is always sent from a false email address.  Here's an example:


Subject:  What will happen if the Affordable Care Act is Ruled Unconstitutional?
From:  "Noreen Kimmons"
Date:  Tue, June 26, 2012 3:04 pm
To:  "clayton"
Priority:  Normal

What will happen if the Affordable Care Act ("Obamacare") is ruled unconstitutional or repealed by Congress? The ruling would have a negative impact on nearly every American.
Two hundred million Americans with private health insurance will again have to worry that their insurance may be canceled if they have a serious and expensive-to-treat illness, or that their benefits will be cut off if they exceed an annual or lifetime limit.
They once again will have copays and deductibles for preventive measures such as mammograms and colonoscopies, and many will not be able to afford the copays. Americans covered by insurance from their employer will know that if they lose their job they and their family will lose their insurance. If they are among the 50 percent of adults with a chronic condition, it may prevent their qualifying for new health insurance and they will be wary of changing jobs.
The 52 million Americans without health insurance will know they have lost their chance to purchase discounted insurance or to be covered by Medicaid if they have a very limited income.
It mostly goes into my spam folder, but not always, and I resent them wasting my bandwidth and disk space with this.  Can someone tell me how you determine the actual sender?  Here is the full header:

Return-Path: <briarley@msn.com>
Delivered-To: clayton@claytoncramer.com
Received: (qmail 8902 invoked by uid 89); 26 Jun 2012 19:04:35 -0000
Received: from unknown (HELO mx5.hrnoc.net) (216.120.237.53)
    by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 26 Jun 2012 19:04:35 -0000
Received-SPF: softfail (0: transitioning SPF record at _spf-ssg-c.microsoft.com does not designate 216.120.237.53 as permitted sender)
Received: (qmail 5904 invoked by uid 89); 26 Jun 2012 19:04:35 -0000
Received: by simscan 1.2.0 ppid: 5864, pid: 5879, t: 2.7193s
    scanners: spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on spamd1.hrnoc.net
X-Spam-Level: *****
X-Spam-Status: No, score=5.2 required=8.0 tests=FB_SAVE_PERSC,
    FH_HELO_EQ_D_D_D_D,FREEMAIL_FROM,HELO_DYNAMIC_IPADDR,HTML_MESSAGE,MISSING_MID,
    RDNS_DYNAMIC autolearn=disabled version=3.3.2
Received: from ip-64-134-230-181.public.wayport.net (HELO ip-64-134-229-149.public.wayport.net) (64.134.230.181)
    by 0 with SMTP; 26 Jun 2012 19:04:42 -0000
Received-SPF: softfail (0: transitioning SPF record at msn.com does not designate 64.134.230.181 as permitted sender)
From: "Noreen Kimmons" <briarley@msn.com>
Subject: What will happen if the Affordable Care Act is Ruled
    Unconstitutional?
To: "clayton" <clayton@claytoncramer.com>
Content-Type: multipart/alternative; boundary="uHn29Svoq38QuBEHAfCkJHHy5koO=_SNTF"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Date: Tue, 26 Jun 2012 12:04:29 -0700

The IP address 64.134.230.181 is in Austin, Texas, but this is probably not the actual sender.

4 comments:

Steve said...

I'm just winging this.

It looks like the email was sent from a WiFi connection at 64.134.230.181 (Received: from ip-64-134-230-181.public.wayport.net). I think the mail server may have been at 64.134.229.149 (HELO ip-64-134-229-149.public.wayport.net).

The 64.134.x.x addresses belong to ATT, apparently for WiFi.

http://whois.arin.net/rest/net/NET-64-134-0-0-1/pft

There are a couple SPF checks, but they both result in softfails. They may just be for informational purposes. Mail servers can check the IP an email is coming from and hit the mail server for the associated domain in the email (msn.com in this case) to see if that IP is authorized to deliver mail for that domain.

A user on that network could have been compromised and the machine just blasting out spam. There's a good chance the email originated on that machine, but it could have been requested from anywhere.

hga said...

Based on your ISP (whose header lines we can trust), it came from an AT&T supplied Wi-Fi, www.wayport.net redirects to this page.

It could be as simple as someone going to an unsecured Wi-Fi hotspot where outgoing port 25 is not blocked and the sender's laptop spamming it out.

The SPF mumbling is about a facility to disallow this sort of thing, or at least to signal good sources of email. Don't know what's up with your ISP and Microsoft there, SPF is not something I ever seriously studied and my memory is fuzzy on the details.

Sean said...

Based on what I can see of the mangled-by-web-browser mail headers, the actual source of this email was:

216.120.237.53

an address owned by HostRocket Web Services. The IP address doesn't have a reverse DNS entry, so it's probably part of a block used for dynamic addresses (such as by a cable provider) or a co-location service. HostRocket's web site indicates that web hosting is their main business, so I'd vote for the latter.

If you want to pursue this, your best bet is to contact HostRocket.
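An added example, not code from the post or from any commenter, of the header walk Steve and Sean did by hand: it unfolds the Received chain quoted above, lists the hops oldest-first, flags hops whose reverse-DNS name disagrees with the HELO name, and pulls out the SPF verdicts. It assumes only that the topmost Received lines were added by your own ISP's mail server and are the ones you can trust; everything below them could have been forged by the sender.

```python
import re

# Received/Received-SPF lines copied from the header quoted in the post.
# Headers are prepended as mail travels, so the top line is the newest hop.
RAW_HEADERS = """\
Received: (qmail 8902 invoked by uid 89); 26 Jun 2012 19:04:35 -0000
Received: from unknown (HELO mx5.hrnoc.net) (216.120.237.53)
    by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 26 Jun 2012 19:04:35 -0000
Received-SPF: softfail (0: transitioning SPF record at _spf-ssg-c.microsoft.com does not designate 216.120.237.53 as permitted sender)
Received: (qmail 5904 invoked by uid 89); 26 Jun 2012 19:04:35 -0000
Received: from ip-64-134-230-181.public.wayport.net (HELO ip-64-134-229-149.public.wayport.net) (64.134.230.181)
    by 0 with SMTP; 26 Jun 2012 19:04:42 -0000
Received-SPF: softfail (0: transitioning SPF record at msn.com does not designate 64.134.230.181 as permitted sender)
"""

HOP_RE = re.compile(r"Received: from (\S+) \(HELO (\S+)\) \((\d{1,3}(?:\.\d{1,3}){3})\)")
SPF_RE = re.compile(r"Received-SPF: (\w+) .*?SPF record at (\S+) does not designate (\S+) as permitted")

def unfold(raw):
    """Join folded continuation lines (leading whitespace) back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def received_hops(raw):
    """(reverse-DNS name, HELO name, IP) per relaying hop, oldest hop first.
    Local 'qmail ... invoked by uid' lines carry no remote peer and are skipped."""
    hops = [m.groups() for line in unfold(raw) if (m := HOP_RE.match(line))]
    return list(reversed(hops))

def originating_ip(raw):
    """The earliest IP in the chain: the best the headers alone can say about the origin."""
    return received_hops(raw)[0][2]

def helo_mismatches(raw):
    """Hops where the peer resolved to a name but announced a different one in HELO.
    'unknown' means no reverse DNS at all, which is a separate signal (see Sean's comment)."""
    return [h for h in received_hops(raw) if h[0] != "unknown" and h[0] != h[1]]

def spf_results(raw):
    """(verdict, domain whose SPF record was consulted, client IP) per SPF check."""
    return [m.groups() for line in unfold(raw) if (m := SPF_RE.match(line))]

if __name__ == "__main__":
    for rdns, helo, ip in received_hops(RAW_HEADERS):
        print(f"hop {ip:16} rdns={rdns} helo={helo}")
    print("origin:", originating_ip(RAW_HEADERS))
    print("helo mismatches:", helo_mismatches(RAW_HEADERS))
    print("spf:", spf_results(RAW_HEADERS))
```

A softfail only says the sending IP is not one the domain's SPF record lists; it identifies a forged From address, not the true sender, which is why the commenters fall back on whois for the IP.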

Sean said...

Also you can get some good information if you submit the email (including all the mailer audit trails) to spamcop.net. Their software is pretty good at picking out forged From addresses, and they can match it with spam received by other people.