Spam E-Mails

ChuckR

I have received 3 Spam E-Mails for my 2 bank accounts. I have taken no action so I am not in Security trouble. I am writing this to see if there is any information in the following source code that could be used to stop this kind of Spam. I would love to blast them somehow, but that would be Spam on Spam. Here is the code. Of course, they also had my e-mail account from somewhere.
Return-Path: alert apple.com
Delivered-To: 3 2626628
Received: from imap-director-5.dovecot.iad.rs.oxcs.net
[10.12.2.8]
by imap-backend-29.dovecot.iad.rs.oxcs.net with LMTP id
mDUzCc/Pp1sbeAAAwDIleQ
for 3 2626628 Sun, 23 Sep 2018 17:39:27 0000
Received: from xxx [10.12.2.8]
by imap-director-5.dovecot.iad.rs.oxcs.net with LMTP id
CHTuCM/Pp1vRcAAApzv4 w
Sun, 23 Sep 2018 17:39:27 0000
Received: from eastrmimpo110.cox.net
eastrmimpo110.cox.net [68.230.241.223]
by xxx Postfix with ESMTP id 42JF2R0MWqz5h0G0
for XXXXXX .net Sun, 23 Sep 2018 17:39:27 0000 [Edit Note: email address removed]
UTC
Received: xxx [70.169.134.211]
by eastrmimpo110.cox.net with cox
id f5fF1y00h4ZpiiE015fGCa Sun, 23 Sep 2018 13:39:22
-0400
X-Authority-Analysis: v=2.3 cv=SokkF8G0 c=1
sm=1 tr=0
a=VJe sJK68GOG4JxNUpDFDg==:117 a=VJe
sJK68GOG4JxNUpDFDg==:17
a=O76VCmqbo-wA:10 a=JBFolyDoGHsA:10
a=gaWx0J2o_UkA:10 a=D05rXRyk5x0A:10
a=YA1eSsJxD64A:10 a=BoWFyJiiAAAA:8
a=vquR50HvWIZObfEirfEA:9 a=OehsmYQrzN8A:10
a=stKrwtlwy0UA:10 a=z5t0wjVYXqeXrmZG__-N:22
a=y85AKpeX8sTgZG6YX2Fa:22
a=HH7FIXwXL_sUf1zzYxQd:22
X-CM-Score: 0.00
Authentication-Results: cox.net none
Received: from HELO 1hld2a [185.228.122.94] by Shop01 id
6632878-59688 Sun, 23 Sep 2018 12:30:45 -0600
Message-ID: 36nkeqk2j-xx-030$55w9 xqc.0d8.v2
From: Chase Notification alert apple.com
Reply-To: Chase Notification alert apple.com
To: XXXXXXXXX .net [Edit Note: email address removed]
Subject: Alert: Unusual Sign-in Attempt
Date: Sun, 23 Sep 18 12:30:45 GMT
X-Mailer: eGroups Message Poster
MIME-Version: 1.0
Content-Type: multipart/alternative
boundary=.D0F2AE.55
X-Priority: 1
X-MSMail-Priority: High


--.D0F2AE.55
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

A href=3D https://beweisindia.com/q1w2.html IMG
src=3D https://beweisin=
dia.com/q1w2.png /A .

--.D0F2AE.55--
 
I edited your post to remove what appears to be your email address -- a sure target for more spam since public sites are the most frequent source of spammers' bots searching the web for email addresses. The second address removed was "just in case" it is a real person's name and not to the spammer.

Since the spam gave the appearance of being from your bank, it wouldn't hurt to check your account and consider changing the password as an extra caution, particularly since the email subject line reads "Alert: Unusual Sign-in Attempt". Your email provider has suggestions on how to deal with spam. It would be a good idea to check what they provide as well as their suggestions.
 
I took your advice and changed the password. Were you able to identify the source of these Spams? Is there anything we can do against them? It looks as if they come from what is a valid location, so I am not sure how COX can stop them without me losing legal e-mails from the banks.
Thanks again.

I just looked up 185.228.122.94 and found it is located in Spain. Is this what you found?
 
The header can be examined at Email Header Analyzer - WhatIsMyIP.com®. Just copy/paste the header in the space provided and click "Analyze".

Recognizing email as spam is the best and first solution. Spammers use spoofed email addresses so the unwary/click-happy can get caught, which is the object of the spammers. Since the object of the email was to supposedly warn you about an unusual sign-in attempt on your account, clicking on the link would have resulted in asking for your sign-in credentials. The first thing to keep in mind is to never sign-in to a bank or credit card account from an email link. Always navigate to the site manually or from a saved/legitimate bookmark. You can also forward the email to the bank's abuse address (abuse at Chase dot com).

As to legitimate email being marked as spam, yes, that happens but you may want to consider a program such as MailWasher. The free program can only be used for one email account but the pro version works with multiple email accounts from multiple providers. I'll point Digerati to this thread because I know he has used MailWasher Pro for many years and may wish to add additional information.
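
An added example (not part of the original posts): a Python triage of the header fields discussed in this thread, run against a constructed, cleaned-up subset of the posted header. The restored punctuation, the placeholder recipient and relay name, and the function names are assumptions; chase.com is taken as the claimed sender's domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a subset of the header posted above, with the stripped
# "<", ">", "@", "=" and quotes restored by assumption; recipient is a placeholder.
RAW = (
    'Received: from eastrmimpo110.cox.net (eastrmimpo110.cox.net [68.230.241.223])\n'
    '\tby mx.example.net (Postfix) with ESMTP; Sun, 23 Sep 2018 17:39:27 +0000\n'
    'Authentication-Results: cox.net; none\n'
    'Received: from 1hld2a (HELO 1hld2a) [185.228.122.94] by Shop01;\n'
    '\tSun, 23 Sep 2018 12:30:45 -0600\n'
    'From: "Chase Notification" <alert@apple.com>\n'
    'To: <recipient@example.net>\n'
    'Subject: Alert: Unusual Sign-in Attempt\n'
    'Content-Type: text/html\n'
    'Content-Transfer-Encoding: quoted-printable\n'
    '\n'
    '<A href=3D"https://beweisindia.com/q1w2.html"><IMG src=3D"https://beweisin=\n'
    'dia.com/q1w2.png"></A>\n'
)

def under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def triage(raw, expected_domain):
    """Collect spoofing indicators; expected_domain is the brand's real domain."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg["From"])
    from_domain = addr.rpartition("@")[2].lower()
    # Each relay prepends its Received line, so the last one is the earliest hop.
    # Hops added before the recipient's own provider are unverified and can be forged.
    ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get_all("Received", [""])[-1])
    auth = msg.get("Authentication-Results", "")
    # decode=True undoes quoted-printable, rejoining the URL split by the "=" soft break.
    body = msg.get_payload(decode=True).decode("ascii", "replace")
    links = sorted({h.lower() for h in re.findall(r"https?://([^/\"'\s>]+)", body)})
    findings = []
    if not under(from_domain, expected_domain):
        findings.append("From domain is not the claimed sender's")
    if not re.search(r"\b(spf|dkim|dmarc)=pass\b", auth, re.I):
        findings.append("no passing SPF/DKIM/DMARC result")
    if any(not under(h, expected_domain) for h in links):
        findings.append("link points off the claimed sender's domain")
    return {"display": display, "from_domain": from_domain,
            "origin_ip": ips[0] if ips else None, "links": links, "findings": findings}

if __name__ == "__main__":
    print(triage(RAW, "chase.com"))
```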
 
Is there anything we can do against them?
People have been asking that for decades! In 2018, spam accounts for 48.16% of the email. I'm sure it will soon overtake legitimate email. This despite all the tools we have and sites use to try and filter out the spam.
Stay vigilant. NEVER click a link in a sensitive email, like from a bank.
Close the browser, open a new instance and type the bank url into the browser then go to the bank site and log in. I also never save my log in details to bank sites no matter how many times my browsers offer to save them.
 
Thanks Corrine! :)

Yes, I am a big fan of MailWasher Pro, but I have to confess, that is mostly as a mail handler, rather than a spam blocker - though it is excellent at that too.
I would love to blast them somehow, but that would be Spam on Spam
Wise observation and smart decision on your part. The problem is spammers (and malware distributors) don't use their own email addresses in their emails. They "spoof" another email address in the message (telemarketers and robocallers do the same thing with Caller ID phone numbers). This makes it appear the spam is from a legitimate source, often someone you may know. It is another "social engineering" trick the bad guys use to get us to click on a malicious link.

There are ways to "bounce" the spam back to the sender to make it appear your email address is invalid. The problem is, because they use a spoofed email address, the bounce does not go back to the spammer. And worse, it often goes back to the legitimate email address holder, resulting in that "spam on spam" situation you noted. Be aware that many ISPs frown on bouncing emails and if done too often, they will close your account or blacklist your email address for sending spam! Not a good thing.

The best course of action we can take is exactly what you did - just delete the email.

For the record, I too have been receiving similar emails. Some "appear" to come from my bank. Others appear to come from banks I don't even have accounts with. See where I made a similar complaint about US Bank spam here.

Two days ago, I got this little gem:
WF Spam.JPG

I have a Wells Fargo account so yes, it got my attention, for about 2 seconds. MailWasher had already tagged it as spam, but the give-away was the poor grammar ("This to notify you..."). The non Wells Fargo email address for the sender and the link were clear give-aways too.

Just yesterday, I got the following, supposedly from Chase bank (I don't have any accounts there either):
As a part of our routine se curity manitoring, we noticed suspicious activities on your account on September-25-2018 from an unrecognized device. For your se curity your account require extra verifi cation process to ensure your identity is save and secured in our database.

Click here to update your account http ://0bc.xyz/91f

Sincerely

Chase Secu rity Support .

© 2018 JPMorgan Chase & Co.
Note that all the spaces were in the email, except the one I put after http.

If you don't have a spam blocker, I recommend checking out MailWasher Pro (MWP) - especially if you routinely receive emails through several email accounts. For example, I use 6 email accounts and receive ~50 - 60 emails every day. They are gmail accounts and those provided by my ISP. The vast majority of emails are forum notification emails. MWP, by default, goes to each of my accounts and views the first couple 100 lines. This is normally plenty to look at the entire header and first several lines of the actual email, then analyze that for spam content. It displays all those emails in one inbox. It tags known and suspected spam. It lets me tag (or untag) suspected spam. And it lets me "work" my forum notifications and other emails from there. I can delete, forward or reply to them from the MWP inbox - all without pulling a single email down on to my computer and without even starting my email client (Outlook 2016). Very nice!

So what MWP does is let me process the emails while they are still on the servers. It does not, by default, display any HTML code, nor does it download any attachments that may be attached (it does tell you if there is an attachment, however). This is totally different from most other spam blockers which do download the entire email and any attachments. To me, that is like inviting the potential stranger and bad guy into your home and then asking what he wants.

So when I am done "working" my emails for the day, I am typically left with just a small handful of "keepers" - emails I actually want to keep. So then I use MWP to start my email client so I can pull down on to my local computer what I already know are safe emails.

MWP also lets you help fight spam by letting you tag new spam and reporting it to SpamCop and/or other services.

BTW, "Spam" or "SPAM" is a meat product and considered an Hawaiian delicacy. Unwanted email is "spam" and does not deserve to be capitalized - that is, there is nothing "proper" about it. It is just "spam" with a lower case "s". ;)
 
And then again today:
chase spam.JPG
This one looks pretty good, but there are still several obvious punctuation and capitalization errors.

Other obvious clues:

It was addressed to "Undisclosed-Recipients:"
It came from "no1warrior@comcast.net"
 
