Welcome to the Second Life Forums Archive

SecondLife Spam (the real thing this time)

Carnildo Greenacre
Flight Engineer
Join date: 15 Nov 2003
Posts: 1,044
05-03-2004 22:46
I just received the weirdest batch of e-mails. Most of them were spam, but some were things like a posting to a Gentoo Linux mailing list, or a church newsletter. The only things they had in common were that they were all sent to the e-mail address I use for SecondLife e-mail, and they all had a "return-path" that was a SecondLife IM reply address.

I've sent an e-mail to support@lindenlabs.com.

Has anyone else experienced this?
_____________________
perl -le '$_ = 1; (1 x $_) !~ /^(11+)\1+$/ && print while $_++;'
Ezhar Fairlight
professional slacker
Join date: 30 Jun 2003
Posts: 310
05-04-2004 08:09
Post the complete headers of one of them please.
_____________________
Carnildo Greenacre
Flight Engineer
Join date: 15 Nov 2003
Posts: 1,044
05-04-2004 23:09
The key in the headers doesn't seem to resolve to a username.

Two example email headers:

From: someone
X-Auth-No:
Return-Path: <1af46bdc-5475-8d66-a643-cbdf7b1e1451@im.secondlife.com>
Received: from mpls-qmqp-04.inet.qwest.net not authenticated [63.231.195.115]
by smtp-send.myrealbox.com with NetMail SMTP Agent $Revision: 3.87 $ on Novell NetWare;
Mon, 03 May 2004 10:50:40 -0600
Received: (qmail 67491 invoked by uid 0); 3 May 2004 15:50:27 -0000
Received: from mpls-pop-04.inet.qwest.net (63.231.195.4)
by mpls-qmqp-04.inet.qwest.net with QMQP; 3 May 2004 15:50:27 -0000
Received: from 63-231-107-164.clsp.qwest.net (HELO covenant-pres.org) (63.231.107.164)
by mpls-pop-04.inet.qwest.net with SMTP; 3 May 2004 15:50:26 -0000
Received: from pop.clsp.qwest.net ([63.231.195.31]) by covenant-pres.org ([127.0.0.1])
with DomainPOP (MDaemon.Standard.v6.0.7.R)
for <skolmetz@covenant-pres.org>; Mon, 03 May 2004 09:49:40 -0600
Delivered-To: covenantpresbyt1@mail-clsp.uswest.net
Received: (qmail 33959 invoked by uid 0); 3 May 2004 15:48:05 -0000
Received: from unknown (HELO mpls-cmx-08.inet.qwest.net) (63.226.138.8)
by mpls-mailin-15.inet.qwest.net with SMTP; 3 May 2004 15:48:05 -0000
Received: (qmail 8550 invoked by uid 0); 3 May 2004 15:48:04 -0000
Received: from redwing.mail.pas.earthlink.net (207.217.120.246)
by mpls-cmx-08.inet.qwest.net with SMTP; 3 May 2004 15:48:04 -0000
Received: from dove-120.pocket ([10.4.120.210] helo=dove)
by redwing.mail.pas.earthlink.net with smtp (Exim 3.36 #1)
id 1BKffo-0004RX-00
for covenantpresbyt1@qwest.net; Mon, 03 May 2004 08:48:04 -0700
Received: from omr2.netsolmail.com ([216.168.230.163])
by dove (EarthLink Mail Service) with ESMTP id 1bkFFNj63NZFmi0
for <skolmetz@covenant-pres.org>; Mon, 3 May 2004 08:48:03 -0700 (PDT)
Received: from ms8.netsolmail.com (IDENT:mirapoint@[216.168.230.180])
by omr2.netsolmail.com (8.12.10/8.12.10) with ESMTP id i43FlLZo004116;
Mon, 3 May 2004 11:47:21 -0400 (EDT)
Received: from Maxmillian (co-co-monumnt-u1-c5c-79.clspco.adelphia.net [68.168.159.79] (may be forged))
by ms8.netsolmail.com (Mirapoint Messaging Server MOS 3.2.2-GA)
with ESMTP id AYN91779;
Mon, 3 May 2004 11:47:59 -0400 (EDT)
Date: Mon, 3 May 2004 09:54:56 -0600
Message-ID: <001f01c43126$fbb5a400$c801a8c0@Maxmillian>
From: "Matthew Monberg" <mmonberg@adelphia.net>
To: "'AlPen Productions'" <alpen@adelphia.net>, skolmetz@covenant-pres.org
X-MindSpring-Loop: postmaster@covenant-pres.org
Subject: RE: Potential Special Session Meeting
MIME-Version: 1.0
Status: U
X-UIDL: 1083599285.33965.18841.mpls-mailin-15.inet.qwest.net
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0020_01C430F4.B11B3400"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.3416
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
In-Reply-To: <4FFE28E8-9D10-11D8-AD35-00039390F224@adelphia.net>
X-DCC-Qwest.net-Metrics: mpls-cmx-08.inet.qwest.net 1211; Body=1 Fuz1=1


From: someone
X-Auth-No:
Return-Path: <1af46bdc-5475-8d66-a643-cbdf7b1e1451@im.secondlife.com>
Received: from nene not authenticated [200.234.36.198]
by smtp-send.myrealbox.com with NetMail SMTP Agent $Revision: 3.87 $ on Novell NetWare;
Mon, 03 May 2004 07:56:32 -0600
Subject: microsoft.


Can you make any sense out of them?
_____________________
perl -le '$_ = 1; (1 x $_) !~ /^(11+)\1+$/ && print while $_++;'
Ezhar Fairlight
professional slacker
Join date: 30 Jun 2003
Posts: 310
05-05-2004 08:42
These mails didn't pass through any Second Life related system.

Your myrealbox.com address is indexed on Google and that's likely where spammers harvested it. The im.secondlife.com address used as fake-sender could be from many sources, it could've been posted somewhere on the web or more likely, sold to spammers by a nasty provider that sells addresses found in their customers' email.

The key in the address is a session-key, not an agent's key. Mark Linden could probably shed some light on who the session this key was used for was with, and if it was a session you were involved in or two entirely unrelated people.

The pairing of your address with a faked sender from im.secondlife.com is indeed a bit puzzling, though some googling hints at relations between your myrealbox.com address, your hotmail.com address and second life. That's a bit far-fetched though, even for today's spammers.

Why you got pastor Kolmetz' email I don't know, but you could just ask him.
_____________________
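The check behind the reply above, as an added example that is not part of the original thread: walk the Received chain and test whether any relay belongs to the domain named in Return-Path, which only records the envelope sender that the sending client supplied. The input is an abridged copy of the first header set quoted above; `analyze` and `org_domain` are hypothetical helper names, and treating the last two labels of a host name as its operator is an assumption that holds for the names here.

```python
import re
from email import message_from_string

# Abridged copy of the first header set quoted in the thread (four of its hops kept).
SAMPLE = """\
Return-Path: <1af46bdc-5475-8d66-a643-cbdf7b1e1451@im.secondlife.com>
Received: from mpls-qmqp-04.inet.qwest.net not authenticated [63.231.195.115]
 by smtp-send.myrealbox.com with NetMail SMTP Agent $Revision: 3.87 $ on Novell NetWare;
 Mon, 03 May 2004 10:50:40 -0600
Received: from mpls-pop-04.inet.qwest.net (63.231.195.4)
 by mpls-qmqp-04.inet.qwest.net with QMQP; 3 May 2004 15:50:27 -0000
Received: from ms8.netsolmail.com (IDENT:mirapoint@[216.168.230.180])
 by omr2.netsolmail.com (8.12.10/8.12.10) with ESMTP id i43FlLZo004116;
 Mon, 3 May 2004 11:47:21 -0400 (EDT)
Received: from Maxmillian (co-co-monumnt-u1-c5c-79.clspco.adelphia.net [68.168.159.79] (may be forged))
 by ms8.netsolmail.com (Mirapoint Messaging Server MOS 3.2.2-GA)
 with ESMTP id AYN91779;
 Mon, 3 May 2004 11:47:59 -0400 (EDT)
Subject: RE: Potential Special Session Meeting

"""

# Host name that follows the "from" or "by" keyword of a Received header.
HOP = re.compile(r"\b(?:from|by)\s+([A-Za-z0-9.-]+)")

def org_domain(host):
    # Assumption: the last two labels identify the operator (true for the .com/.net
    # names here; a general tool would consult the Public Suffix List).
    return ".".join(host.lower().strip(".").split(".")[-2:])

def analyze(raw):
    """Return (envelope sender domain, relay operator domains, sender seen in path)."""
    msg = message_from_string(raw)
    m = re.search(r"@([^>\s]+)", msg.get("Return-Path", ""))
    sender = m.group(1).lower() if m else None
    relays = set()
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # undo header folding
        relays.update(org_domain(h) for h in HOP.findall(flat))
    seen = sender is not None and org_domain(sender) in relays
    return sender, relays, seen

if __name__ == "__main__":
    sender, relays, seen = analyze(SAMPLE)
    print("envelope sender domain:", sender)
    print("relay operators:", sorted(relays))
    print("sender domain appears in relay path:", seen)
```

Received lines written before the first relay you trust can themselves be forged (one hop above is even marked "may be forged" by the server that logged it), so a match in the path would not by itself prove the message came from that domain.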
Mark Linden
Funky Linden Monkey
Join date: 20 Nov 2002
Posts: 179
05-05-2004 09:33
Carnildo:

The im session ID is actually an active one that you were using at some point. Support may contact you with more details, but I won't go into them in the forums (privacy issue).

What has probably happened is that you, or the person you were talking to, has been infected with one of the many Windows worm/trojan horse/viruses that scan the local machine for email addresses, and act as spam relays, using those addresses as sources and/or destinations. There is currently very little we can do about that.

You should probably double check your anti-virus updates, and run a full scan just to be sure it wasn't your computer.
Carnildo Greenacre
Flight Engineer
Join date: 15 Nov 2003
Posts: 1,044
05-05-2004 21:52
From: someone
Originally posted by Ezhar Fairlight
These mails didn't pass through any Second Life related system.

That was pretty obvious from the start. The reason I posted here was that it looked like someone might have been trying to use SecondLife as a reply method for spam.

From: someone
Your myrealbox.com address is indexed on Google and that's likely where spammers harvested it. The im.secondlife.com address used as fake-sender could be from many sources, it could've been posted somewhere on the web or more likely, sold to spammers by a nasty provider that sells addresses found in their customers' email.

These 45 messages represent more unwanted e-mail than I've gotten in the years I've been using the address. I doubt it's on very many spam lists.

Further, I've had a chance to look through the messages. 30 of them are definitely spam, 12 are definitely not spam, and 3 are in foreign languages, but don't look like spam.
_____________________
perl -le '$_ = 1; (1 x $_) !~ /^(11+)\1+$/ && print while $_++;'