Thanks for all the good advice. In this case there was no problem
recognizing the messages as spam, with subject of "Re:" and only a
shortened link in the body. My main concern was determining whether the
friend's computer had malware vs. the from address being spoofed. The
friend is in TN, and Comcast is the provider. The
whatismyemailaddress.com/trace-email analysis shows this:
Source:
The source host name is "resmail-po-385v.sys.comcast.net" and the source
IP address is 162.150.177.140.
Geo-Location Information
Country United States
State/Region TX
Should the different state source location indicate that the source is
not my friend's computer?
Should the friend contact Comcast support about this?
I already recommended that the friend do malware scans of the computer,
using multiple applications.
NFN Smith wrote:
Cecil Bankston wrote:
I am receiving spam or scam messages, consisting of only a shortened
link, from the e-mail address of a friend. If the messages actually
originate in the friend's computer, should they always be found in the
friend's sent folder? If the from address is being spoofed, is there an
easy way to distinguish that?
As noted separately, if your friend is in the habit of sending links,
encourage him to include text that will positively identify himself. And
if there's no identification, he should know that you will assume that
they're spam (even if legitimate).
I suppose you could go the route of replying to the message, quoting
verbatim (although munging the URL slightly, so that it can't be clicked
on, if it's malicious), with a query of "is this from you?"
It's not impossible that your friend could be malware-infected, but when
that kind of thing happens, malware normally uses its own infrastructure
to send. Unless it's something like the LoveBug worm of years ago,
where Outlook was automatically executing scripts (and replicating by
scanning the victim's address book and sending to all those addresses),
malware is very unlikely to actually touch the victim's mail client.
One of the things that I see a lot is where a message has a distribution
list of about 10-12 addresses, in alphabetic order. Often, several of
the addresses may be ones that I recognize, and may even have some in my
address book. When that happens, it's likely that either the purported
sender (or somebody that that person knows) has gotten malware-infected,
and that the malware has harvested the victim's contact lists. From
there, the sending mechanism segments the harvested list into batches of
about 10 addresses each. Not using Bcc: addressing helps with
delivery in several ways: recipients who work from servers where an
address in an address book is whitelisted, recipients who recognize
other addresses in the distribution list, and getting around servers
that may stall or reject messages that have no distribution lists (i.e.,
all the addresses are Bcc:). For actual sending, use of botnets is
common, where there are multiple victims. The mailing is sent to the
first victim's contacts, but where the actual point of injection to the
Internet begins with additional victims, whose computers are in botnets
that include rogue mail servers.
It's generally pretty easy to identify a spoof -- all you have to do is
to use CTRL-U to look at the message headers, and see Received: lines
from domains that don't match the domain in the From: line. For the
major freemail providers, Gmail, Yahoo and AOL all have DKIM signatures.
Hotmail/Outlook/MSN isn't currently using DKIM, but a message that shows
an Outlook.com return address will have Received: headers that show
hotmail.com.
In this layout, you may see a message that purports to show your
friend's email address in a From: line (say, at Yahoo), and where
the distribution list may include several people or addresses you recognize.
However, a check of the message headers shows no indication of Yahoo
servers (especially Yahoo's DKIM signature), and that the message
traveled through a server in Poland or South Korea.
If you're really into digging, it's not hard to find the IP address of
where the message was injected, and if you know how to run a Whois check
or a traceroute, you can identify the ISP where the message originated.
For the messages that are junk (or you suspect are junk), mark them as
Junk, and let SeaMonkey put them into the Junk folder.
For junk handling, it's important to understand that the filtering
system is based on Bayesian logic (where, if something is designated as
junk, other stuff that's sufficiently similar is also designated as junk
-- and the same way for not junk). The Mozilla implementation of
Bayesian is not nearly as elaborate as with SpamAssassin, but it's
generally workable.
The other thing to know is that if a message has been designated as junk
or not junk, that's based on the entire message, the combination of
headers, body and attachments, not just the From: line. Thus, if you
designate a forged message that has your friend's email address as junk,
a legitimate message will be sufficiently different that it's unlikely
to get tagged as junk.
From there, you do have to pay attention to the Junk folder. Bayesian
filters get better if they have more examples of knowing what's junk and
what's not. Therefore, if you find a legitimate message in the junk
folder, make sure you tag it as not junk, rather than just moving it
back to your inbox. That will help the filters learn how to
differentiate between what you consider to be junk and what you consider
to be legitimate.
Smith
--
C. Bankston
_______________________________________________
support-seamonkey mailing list
[email protected]
https://lists.mozilla.org/listinfo/support-seamonkey
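The header check described in the reply above (Received: lines whose domains don't match the From: domain, presence of a freemail provider's DKIM signature, and the IP of the hop where the message was injected), done in a short script. This is an added example and not code from this thread or from SeaMonkey; the two sample messages, and every hostname and IP in them, are constructed for illustration and use documentation address ranges.

```python
# Added example, not code from this thread: check a message's From: domain
# against its Received: chain and DKIM-Signature, as the reply describes doing
# by hand with Ctrl-U. The two sample messages, hostnames and IPs are constructed.
import email
import re
from email.utils import parseaddr

# Constructed forgery: From: claims yahoo.com, but no hop is a Yahoo host, there is
# no DKIM-Signature, and the oldest hop is a bare IP handed to a relay in .pl.
SPOOFED = b"""\
Received: from mx.example.org (mx.example.org [192.0.2.10])
 by mail.recipient.example with ESMTP id abc123;
 Sat, 1 Jan 2022 10:00:02 +0000
Received: from relay.example.pl (relay.example.pl [198.51.100.7])
 by mx.example.org with ESMTP; Sat, 1 Jan 2022 10:00:01 +0000
Received: from [203.0.113.55] (unknown [203.0.113.55])
 by relay.example.pl with SMTP; Sat, 1 Jan 2022 10:00:00 +0000
From: Friend <friend@yahoo.com>
To: me@example.net
Subject: Re:

http://short.example/abc
"""

# Constructed genuine message: handed over by a yahoo.com host and carrying a
# DKIM-Signature whose d= tag aligns with the From: domain (signature value is a dummy).
LEGIT = b"""\
Received: from sonic.mail.yahoo.com (sonic.mail.yahoo.com [192.0.2.77])
 by mail.recipient.example with ESMTPS id def456;
 Sat, 1 Jan 2022 11:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;
 h=From:To:Subject; bh=DUMMYBODYHASH=; b=DUMMYSIGNATURE=
From: Friend <friend@yahoo.com>
To: me@example.net
Subject: photos from the trip

Album link, and yes this is really me: http://short.example/xyz
"""

RECEIVED_FROM = re.compile(r"\bfrom\s+(\S+)(?:\s*\(([^)]*)\))?", re.I)
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def base_domain(host):
    """Rough registrable domain: the last two labels (fine for the big freemail domains)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def received_hops(msg):
    """(name, ip) for each Received: header, oldest first, so hops[0] is the injection point."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = RECEIVED_FROM.search(flat)
        if m:
            ip = IPV4.search(m.group(2) or m.group(1))
            hops.append((m.group(1), ip.group(1) if ip else None))
    hops.reverse()  # every MTA prepends its header, so the last one is the first hop
    return hops


def dkim_domain(msg):
    """Signing domain (d=) of the first DKIM-Signature header, or None if unsigned."""
    sig = msg.get("DKIM-Signature")
    if not sig:
        return None
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", " ".join(sig.split()))
    return m.group(1).lower() if m else None


def analyze(raw):
    """Return the From: domain, the injection IP, the domains seen in the path and a verdict."""
    msg = email.message_from_bytes(raw)
    addr = parseaddr(msg.get("From", ""))[1]
    from_domain = base_domain(addr.rsplit("@", 1)[1]) if "@" in addr else None
    hops = received_hops(msg)
    signer = dkim_domain(msg)
    # bracketed IP literals carry no domain, so leave them out of the domain set
    path_domains = {base_domain(n) for n, _ in hops if not IPV4.fullmatch(n.strip("[]"))}
    aligned = from_domain in path_domains or (signer is not None and base_domain(signer) == from_domain)
    return {
        "from_domain": from_domain,
        "injection_ip": hops[0][1] if hops else None,
        "path_domains": sorted(path_domains),
        "dkim_domain": signer,
        "verdict": "consistent" if aligned else "suspect",
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, analyze(raw))
```

Two caveats when reading the output. Only the topmost Received: header, the one added by your own mail server, is trustworthy; the sender controls everything beneath it and can also paste in a fake DKIM-Signature, so the script's d= alignment is a hint, not proof. Real verification means fetching the selector's public key from DNS and checking the signature (the dkimpy package does this), or simply reading the Authentication-Results header your provider adds. And the geolocation of a hop tells you where that mail server is, not where the person is: a hostname like resmail-po-385v.sys.comcast.net is the provider's outbound relay, so its state says nothing about the submitting client, whose own IP, if the provider records it, is in the hop beneath it.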
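The junk-filter behaviour the reply describes (a Bayesian classifier scoring the whole message, headers and body together, so that marking a forged message as junk does not drag down genuine mail from the same From: address) can be seen in a toy classifier. This is an added example, not SeaMonkey's own filter code; it follows Paul Graham's "A Plan for Spam" scheme, and the six training messages and two test messages are constructed.

```python
# Added example, not SeaMonkey's own filter: a small Graham-style Bayesian junk
# classifier over header and body tokens. Training messages are constructed.
import re

TOKEN = re.compile(r"[a-z0-9](?:[a-z0-9.@]*[a-z0-9])?")


def features(msg):
    """Token set from the From:, Subject: and body, each prefixed with its field,
    so the whole message (not just the sender) is the evidence."""
    feats = set()
    for field in ("from", "subject", "body"):
        for tok in TOKEN.findall(msg.get(field, "").lower()):
            feats.add(field + ":" + tok)
    return feats


class JunkFilter:
    """Per-token message counts for junk and not-junk, combined as in Graham's
    'A Plan for Spam': ham counts are doubled, each token probability is clamped
    to [0.01, 0.99], and only the most decisive known tokens are multiplied."""

    def __init__(self):
        self.junk, self.ham = {}, {}
        self.njunk = self.nham = 0

    def train(self, msg, is_junk):
        table = self.junk if is_junk else self.ham
        for f in features(msg):
            table[f] = table.get(f, 0) + 1
        if is_junk:
            self.njunk += 1
        else:
            self.nham += 1

    def token_prob(self, f):
        """P(junk | token present), or None if the token was never seen in training."""
        b = self.junk.get(f, 0)
        g = 2 * self.ham.get(f, 0)
        if b + g == 0:
            return None
        bad = min(1.0, b / self.njunk) if self.njunk else 0.0
        good = min(1.0, g / self.nham) if self.nham else 0.0
        return max(0.01, min(0.99, bad / (bad + good)))

    def decisive(self, msg, top=15):
        """The `top` known tokens furthest from 0.5, as (token, probability)."""
        scored = []
        for f in features(msg):
            p = self.token_prob(f)
            if p is not None:
                scored.append((f, p))
        scored.sort(key=lambda fp: abs(fp[1] - 0.5), reverse=True)
        return scored[:top]

    def score(self, msg):
        """P(junk) for the message; 0.5 if nothing in it was ever seen before."""
        probs = [p for _, p in self.decisive(msg)]
        if not probs:
            return 0.5
        prod_p = prod_q = 1.0
        for p in probs:
            prod_p *= p
            prod_q *= 1.0 - p
        return prod_p / (prod_p + prod_q)


def msg(from_, subject, body):
    return {"from": from_, "subject": subject, "body": body}


# Constructed training set: forged "Re:" + shortened-link messages, two of them
# carrying the friend's address, and genuine messages, two of them from the friend.
TRAINING = [
    (msg("friend@yahoo.com", "Re:", "http://bit.ly/2xQz"), True),
    (msg("other@example.com", "Re:", "http://tinyurl.com/abc"), True),
    (msg("friend@yahoo.com", "Re:", "http://bit.ly/7kLm"), True),
    (msg("friend@yahoo.com", "Dinner on Friday?",
         "Are we still on for dinner Friday? Call me if not."), False),
    (msg("friend@yahoo.com", "Re: photos",
         "Thanks for the photos, the one of the lake is great."), False),
    (msg("sister@example.net", "Birthday plans",
         "We will meet at the park, bring the cake."), False),
]

# Constructed test messages: a genuine reply from the friend, and another forgery.
LEGIT_REPLY = msg("friend@yahoo.com", "Re: dinner",
                  "Dinner works, see you Friday. Call me if anything changes.")
FORGED = msg("friend@yahoo.com", "Re:", "http://bit.ly/9pQr")


def build_filter():
    f = JunkFilter()
    for m, is_junk in TRAINING:
        f.train(m, is_junk)
    return f


if __name__ == "__main__":
    f = build_filter()
    for name, m in (("legit reply", LEGIT_REPLY), ("forged", FORGED)):
        print(name, round(f.score(m), 4), f.decisive(m, top=4))
```

Because the friend's address appears in both the junk and the not-junk training messages, its token lands near 0.5 (0.4 here) and carries little weight; the verdict comes from the body and subject tokens, which is why the genuine reply scores as not junk and the bare "Re:" plus shortened link scores as junk. Training a message as not junk adds to the ham counts, which is exactly why the reply recommends tagging a misfiled message rather than just dragging it back to the inbox. With six training messages this is a demonstration only; a real filter needs hundreds of examples before its token probabilities mean much.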