weird email stuck somehow? - ORF Forums


1

I am receiving this email from this IP: 64.12.233.222.
Email subject: From Ms. Tina Liang - 31/03/2015

From aol.co.uk.

I have received 846 of these in the last 72 hours.

---
It's already blacklisted by the Sender Blacklist. Filter comment: "*@*.*.uk".
---
Upon reporting this email to SpamCop, it says:

No reporting addresses found for 41.71.216.32, using devnull for tracking.
Sorry, this email is too old to file a spam report. You must report spam within 2 days of receipt. This mail was received on Tue, 31 Mar 2015 03:54:00 -0400

---

So it seems like a spam mail stuck in AOL's outgoing mailbox, replayed for infinity? Or their inability to handle a reject+tarpit error?

---

Received: from oms-m06.mx.aol.com (64.12.233.222) by
Exchange2010.mydomain.com.sg (10.10.11.24) with Microsoft SMTP Server (TLS) id
14.3.224.2; Wed, 8 Apr 2015 11:38:17 +0800
Received: from omr-m4.mx.aol.com (omr-m4.mx.aol.com [64.12.226.25]) (using
TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate
requested) by oms-m06.mx.aol.com (AOL Outbound OMS Interface) with ESMTPS id
3991838000E76 for <>; Tue, 31 Mar 2015 03:54:04 -0400
(EDT)
Received: from mtaout-maa02.mx.aol.com (mtaout-maa02.mx.aol.com
[172.26.222.142]) by omr-m4.mx.aol.com (Outbound Mail Relay) with ESMTP id
2D47C38000042 for <>; Tue, 31 Mar 2015 03:54:02 -0400
(EDT)
Received: from hp-PC (unknown [41.71.216.32]) by mtaout-maa02.mx.aol.com
(MUA/Third Party Client Interface) with ESMTPA id C33473800008C for
<>; Tue, 31 Mar 2015 03:54:00 -0400 (EDT)
From: "Ms. Tina Liang" <>
Subject: From Ms. Tina Liang - 31/03/2015.
To: <>
Content-Type: multipart/alternative;
boundary="PDDvDz=_bKvijl9rVTOduDYW6UpObXiZax0"
MIME-Version: 1.0
Reply-To: <>
Date: Tue, 31 Mar 2015 08:53:59 +0100
X-Antivirus: avast! (VPS 150330-1, 03/30/2015), Outbound message
X-Antivirus-Status: Clean
x-aol-global-disposition: S
X-SPAM-FLAG: YES
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com;
s=20140625; t=1427788442;
bh=ZvR+1zwc2yI896HUhYLZYdTkMG0h0XTFiLN3KV6KE4M=;
h=From:To:Subject:Date:MIME-Version:Content-Type;
b=nLkGYi+4ms6k9bKIUHeqwqhNxQkk4sTWiUylwfC2hR6//bs+2L/hSunnqOu1Q4A6D
1fl/Xk4vd0XC/5k8/6VGHiJJV4mg16Lk0QCzHxb1tIDe6wp+R/j5JZeibn7C4CwMYR
R4FLOvfKxM73F9qZAyh0KMJLZZ6Jecnf9uWhn558=
X-AOL-REROUTE: YES
x-aol-sid: 3039ac1ade8e551a529862df
X-AOL-IP: 41.71.216.32
Message-ID: <>
Return-Path:
X-MS-Exchange-Organization-AuthSource: Exchange2010.mydomain.com.sg
X-MS-Exchange-Organization-AuthAs: Anonymous
X-Text-Classification: spam

by christopher.low 9 years ago
2

In case it's not clear: I'm receiving a fresh mail that is somehow too old for SpamCop to deal with. So it's either very interestingly masquerading its age, or it is a bug.

by christopher.low 9 years ago
3

@christopher.low: Hello,

I agree with your assessment, this looks like something stuck in AOL's systems. Normally, we could only trust the Received: headers added by your own network, but reverse DNS checks out for the next two Received: headers as well, so we can be reasonably sure this is coming from AOL. Based on that data, it was indeed submitted on March 31. As for Spamcop reporting, they probably check the Date: header or the very first Received: header, as opposed to the last one (i.e. they check when the email was sent and not when it was received).

As for how the email is stuck (assuming the AOL's systems are working OK) I can really think of only one thing that may cause this, which is your server taking too long to respond during the email transmission. You mentioned you use tarpitting -- how long is the delay you have configured? A very long delay (exceeding more than 1-2 minutes) may cause the sender to give up and attempt delivery later. If this happens at the On Arrival filtering point, the email will get delivered eventually, along with the re-attempted copies. Also, there is nothing you can do to control the timeout setting used by the sender, so using a conservative delay is your best option. Most servers will wait for a couple of minutes, but administrators are free to configure a lower timeout.

by Péter Karsai (Vamsoft) 9 years ago
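An added example, not from this thread or from ORF/Vamsoft: a small Python script that walks the Received: chain of the message posted above (re-folded here as constructed sample input), computes how long the message sat between its first submission hop and arrival at the Exchange server, and flags it against the two-day window quoted from Spamcop's error. The Date: header skew check follows the guess above about which timestamp Spamcop uses; the two-day limit is taken from the quoted error, not from any Spamcop API.

```python
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the Received: chain from the message posted above,
# re-folded so continuation lines start with whitespace (RFC 5322 folding).
RAW_HEADERS = """\
Received: from oms-m06.mx.aol.com (64.12.233.222) by
 Exchange2010.mydomain.com.sg (10.10.11.24) with Microsoft SMTP Server (TLS) id
 14.3.224.2; Wed, 8 Apr 2015 11:38:17 +0800
Received: from omr-m4.mx.aol.com (omr-m4.mx.aol.com [64.12.226.25]) (using
 TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate
 requested) by oms-m06.mx.aol.com (AOL Outbound OMS Interface) with ESMTPS id
 3991838000E76 for <>; Tue, 31 Mar 2015 03:54:04 -0400 (EDT)
Received: from hp-PC (unknown [41.71.216.32]) by mtaout-maa02.mx.aol.com
 (MUA/Third Party Client Interface) with ESMTPA id C33473800008C for
 <>; Tue, 31 Mar 2015 03:54:00 -0400 (EDT)
Subject: From Ms. Tina Liang - 31/03/2015.
Date: Tue, 31 Mar 2015 08:53:59 +0100
"""

# Spamcop's reporting window, as stated in the error message quoted above.
REPORTING_WINDOW = timedelta(days=2)

def received_timestamps(raw):
    """Timestamps of all Received: headers, newest (our own hop) first."""
    msg = message_from_string(raw)
    stamps = []
    for hdr in msg.get_all("Received", []):
        unfolded = " ".join(hdr.split())  # undo header folding
        stamps.append(parsedate_to_datetime(unfolded.rsplit(";", 1)[1].strip()))
    return stamps

def transit_age(raw):
    """Time the message spent between first submission and our server."""
    stamps = received_timestamps(raw)
    return stamps[0] - stamps[-1]

def date_header_skew(raw):
    """Gap between the sender's Date: header and the first Received: hop."""
    msg = message_from_string(raw)
    return received_timestamps(raw)[-1] - parsedate_to_datetime(msg["Date"])

def is_stale(raw, limit=REPORTING_WINDOW):
    """True when the message was already too old to report on arrival."""
    return transit_age(raw) > limit

if __name__ == "__main__":
    print("transit age:", transit_age(RAW_HEADERS), "stale:", is_stale(RAW_HEADERS))
    print("Date: header skew:", date_header_skew(RAW_HEADERS))
```

For the posted message the transit age comes out at just under eight days, which is exactly why the report was refused even though the copy was freshly delivered.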

4

Can someone help me?
I think my AOL email was hacked, maybe by a friend.
I received an email from a friend with pictures of his artwork.
He did send them; I spoke to him beforehand.
We emailed back and forth a few times within a 2 hour period.
I emailed from my iPad, he emailed from his phone. Below are the view message sources.
The first is his email with the pic:
Return-Path: <>
Received: from [192.168.1.3] (ool-18b80258.dyn.optonline.net [24.184.2.88])
(using TLSv1 with cipher AES128-SHA (128/128 bits))
(No client certificate requested)
by mtaout-mcd01.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 1B87538000091
for <>; Tue, 14 Apr 2015 01:22:59 -0400 (EDT)
Content-Type: multipart/mixed; boundary=Apple-Mail-1B8B6031-E940-4D94-900F-8BE410494D1C
Content-Transfer-Encoding: 7bit
From: Alfonso <>
Message-Id: <>
Date: Tue, 14 Apr 2015 01:22:58 -0400
To:
Mime-Version: 1.0 (1.0)
X-Mailer: iPhone Mail (11D201)
x-aol-global-disposition: G
X-AOL-VSS-INFO: 5600.1067/98281
X-AOL-VSS-CODE: clean
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com;
s=20140625; t=1428988984;
bh=N6m/7Gu2uZoZWNJub4hZ3mHYp9l6CBD0diC3ds3aems=;
h=From:To:Message-Id:Date:Mime-Version:Content-Type;
b=Q0AZt2C64Qqe8j5qPbg4pXibHNTCfFhqUCvQIs/Hs846GhU2lIQJPogIcuKysocjx
gqRv6IY+UkjIMNXNPSs3qjjFoK+YwVMSFb6D2CrYwA2OWuUnMQ/hPxNBC7V02jQMJM
PibE+0elDSK5XbSf9IZzheVGxdcGDkvCP8PtYNhI=
x-aol-sid: 3039ac1adfcd552ca43363ba
X-AOL-IP: 24.184.2.88


--Apple-Mail-1B8B6031-E940-4D94-900F-8BE410494D1C
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: 7bit




--Apple-Mail-1B8B6031-E940-4D94-900F-8BE410494D1C
Content-Type: image/jpeg;
name=photo.JPG

Next is my reply:
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: Re:
References: <>
From: Robert <>
In-Reply-To: <>
Message-Id: <>
Date: Tue, 14 Apr 2015 23:00:45 -0400
To: Alfonso <>
Mime-Version: 1.0 (1.0)

Very nice

Sent from my iPad

> On Apr 14, 2015, at 10:00 PM, Alfonso <> wrote:
>
>
>
> <photo 1.JPG>
>
>
>
> <photo 2.JPG>
>
>
>
> Sent from my iPhone

Then his reply:
Return-Path: <>
Received: from [100.106.24.147] (19.sub-70-199-68.myvzw.com [70.199.68.19])
(using TLSv1 with cipher AES128-SHA (128/128 bits))
(No client certificate requested)
by mtaout-mcd01.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 6883B380000A2
for <>; Tue, 14 Apr 2015 23:16:25 -0400 (EDT)
Subject: Re:
References: <> <>
From: Alfonso <>
Content-Type: text/plain;
charset=us-ascii
X-Mailer: iPhone Mail (11D201)
In-Reply-To: <>
Message-Id: <>
Date: Tue, 14 Apr 2015 23:16:24 -0400
To: Robert <>
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
x-aol-global-disposition: G
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com;
s=20140625; t=1429067786;
bh=82ucVJHs9wYgnQRU7L00eRAjqk3JYAOWEtTy9enfvWw=;
h=From:To:Subject:Message-Id:Date:Mime-Version:Content-Type;
b=i0cWn5B+Ejql14eUit19EmPN6bvmR5NrBsRpv2+f+b/b0i6WIrETEai6Ti16GaO2Y
sFA66Pa7NldtbXPYriyPgX0Ad+uUsnpJDZ0fTIfAlePUaCHhjNRxVuXtC40CKxZvnk
XbYiB4a4Xn+jHKP/GWbBYAU5BYniK29PMP6gInBY=
x-aol-sid: 3039ac1adfcd552dd8094009
X-AOL-IP: 70.199.68.19

Yes I do

Sent from my iPhone

> On Apr 14, 2015, at 11:02 PM, Robert <> wrote:
>
> I like them
> Where do you make everything in your room.
>
> Sent from my iPad
>
>> On Apr 14, 2015, at 10:00 PM, Alfonso <> wrote:
>>
>>
>>
>> <photo 1.JPG>
>>
>>
>>
>> <photo 2.JPG>
>>
>>
>>
>> Sent from my iPhone

If you notice, the IP addresses from the sender are not the same.
Can anyone help me with this and explain?
I have had some phone and computer hacking issues and was wondering where I can go for someone to explain these to me.
Thanks

by Robert h 8 years ago
5

@Robert h: Hello Robert,

The email headers you posted look consistent with the use you described. The first email from Alfonso's iPhone was sent from 24.184.2.88 and the second one from 70.199.68.19. According to Maxmind's GeoIP2 database (https://www.maxmind.com/en/geoip-demo), both IPs are New York-based; the first one is assigned to Verizon Wireless and the second one is assigned to Optimum Online. I guess what happened is that Alfonso used his mobile internet in the first case (Verizon) and then he connected to a WiFi hotspot operated by Optimum Online and sent the second email through that connection.

by Péter Karsai (Vamsoft) 8 years ago
