Hidden code in emails.

Discussion in 'Help Desk' started by lilguy43uk, Jul 16, 2014.

  1. lilguy43uk

    lilguy43uk Greylisted

    Joined:
    Jul 16, 2014
    Messages:
    5
    Likes Received:
    0
    I have been receiving emails from a relative who hasn't actually sent them. Embedded in the source is the hidden text set out below. There is a link (not clicked but the IP address is out of Phoenix). Can you tell me the significance of the block of text please? Incidentally I have changed several characters in the text until I know what I'm dealing with. Thanks.

    From - Wed Jul 16 08:02:26 2014
    X-Account-Key: account4
    X-UIDL: AI0JDNkAAA8BU8YJYQAAAB0BWtE
    X-Mozilla-Status: 0001
    X-Mozilla-Status2: 00000000
    X-Mozilla-Keys:
    X-Apparently-To: j-porter@sky.com via 46.228.38.201; Wed, 16 Jul 2014 05:10:57 +0000
    Received-SPF: pass (domain of hotmail.co.uk designates 65.55.111.76 as permitted sender)
    X-YMailISG: sDEsPskWLDunAwtzLYRsv4oKwk8vAgnW8weBBBq2HBqdP7.o
    dUGJyD.aTpy620Y2E6BYdOt0Ky9dwJWAi.AuEGRv4alnbLVRHZMvTh.fmur
    zOmnio2iB7Q8MdmQLrheHk0sutziwV.LzzyYv0KhTUCX38.eWTvemElL1pMP
    e59dkwGut_wFCHDx3hAlKFJ31KXSrLXNOvo4lX9adXRyfFA6YKSmvKu99WzZ
    NpyIvZY4Cqreo_FXLcPEQerMF4mB5tEYL5ZDRPFyy2procN3EexBqk9Z9GB
    iuq0NFexhgFyBxaUQi3ZZQ.DfNO62Rq6V6Lifu824rRMNkBpWLvUl.GDfQAP
    s2nIvEFSEfU_27Anjd5w2Qr79HEVlPEVvkU8lppAlMafsFSSDBI3KPHJVWpm
    dv18tbvhQfFdJF_T_u1sFu.XVcuR9OKzltyHpvqeTNr6ZTAv2nBhFOOHpOn6
    q8qq3oVB3Hh55BNV_CAsUYrgJMgczSpEqWzoGmGBXLMUdjZuZsKIzrSARszw
    zGfY.SPf7Ea5jrb4LmSuwel7nUYg.mWwdTba8MWceUnTGIoUOEAf7EmhC35
    0q2Dc34IZWk2CtSIpXdooZ_FCN26mAzq7xf3IbSaKEzqBO6ZSDew5Y2v_CuQ
    Erg3KSxyDnH9IiN6g31PFi_biGCxw.6bJ48oRCulZ_cRTDc8Hf0THuaH_gbc
    8nAil4M.VaSn9nzm00eyXysxZl.j1pVdmKfxUifkMuaTNCBSSsrPqWrgZa9
    KmSqfVXj6CR2F78wrc3.LL3oZ9aaFSEkCprDRr1ke9tQhws6iwkaUMVK0fg5
    JP3j91tbu4dEG04FJzR_cUsOHSXV8D.uWicLj_iqPCP7oJP.IljXLhgfxC0S
    L2k_FTzSf3itga38Vu8TfR.r3kmuSVnOOckag9n0fF6YhfuMrkfK1rYAdM_8
    BY9QMgln8VcVBNwEsAScRhMkKzMmJ1HsbvYB5t_aozmGGtVR872Fm9ueIYgZ
    t4Nz5H8YyNJA.6UZm6F54hdc5GUjqmCBwUtltbuM69GEas1sOBGC1.tRFL4w
    R0YuHUwkVlBy1yAkT02V9HLCuFBidvE6fJQUy7Dqwa1XQIg.LPfyYyz3DDJT
    neUQRWq2dYOmqgLbaGYoOPxvd2x4QZEoNP.BtSgjVODMeR.CITDj3cftNcsv
    TQSnDnOXCLdjNdpp9SqbMl_LacW0jJNwWxB0VJSrbnp60NVIXuT4vum2UJOt
    qLv5VDRaTLjXjaKjF8a5UWxceODVCvc3PtBe4tDQcstITOViWwyBirILNtji
    KwVmZCi4OcKlYL_I08DjAdqlwR3887mdxHpnOt65DkKJU6660QJokD06mp9J
    lQTxCwOef4lMBINF3eVOmgUFhBxD9igBUWl_js.DjA--
    X-Originating-IP: [65.55.111.76]
    Authentication-Results: mta1190.mail.ir2.yahoo.com from=hotmail.co.uk; domainkeys=neutral (no sig); from=hotmail.co.uk; dkim=neutral (no sig)
    Received: from 127.0.0.1 (EHLO BLU004-OMC2S1.hotmail.com) (65.55.111.76)
    by mta1190.mail.ir2.yahoo.com with SMTPS; Wed, 16 Jul 2014 05:10:56 +0000
    Received: from BLU436-SMTP146 ([65.55.111.72]) by BLU004-OMC2S1.hotmail.com with Microsoft SMTPSVC(7.5.7601.22712);
    Tue, 15 Jul 2014 22:10:56 -0700
    X-TMN: [WOzfh6smDPcwDvN0M34xK/6g40aJJnEZ]
    X-Originating-Email: [sandrabailey@hotmail.co.uk]
    Message-ID: <BLU436-SMTP146D59C638A4BEEE43DF22584F70@phx.gbl>
    Received: from [192.168.1.1] ([92.21.22.17]) by BLU436-SMTP146.smtp.hotmail.com over TLS secured channel with Microsoft SMTPSVC(8.0.9200.16384);
    Tue, 15 Jul 2014 22:10:54 -0700
    From: sandra bailey <sandrabailey@hotmail.co.uk>
    Subject: Slashed
    Date: Tue, 15 Jul 2014 22:15:11 +0000
    To: j-porter@sky.com
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="------------efde9aba86926d57efc997fd"
    X-OriginalArrivalTime: 16 Jul 2014 05:10:54.0498 (UTC) FILETIME=[51DC4020:01CFA0B4]
    X-Antispam: clean, score=3
    X-Antivirus: avast! (VPS 140715-1, 15/07/2014), Inbound message
    X-Antivirus-Status: Clean

    --------------efde9aba86926d57efc997fd
    Content-Type: text/plain; charset="ISO-8859-1"
    Content-Transfer-Encoding: 7bit

    <span style="VISIBILITY:hidden;display:none">columns topped with winged boars Harry saw two more towering hooded
     


  2. popowich

    popowich EQ Forum Admin Staff Member

    Joined:
    Aug 12, 2008
    Messages:
    8,983
    Likes Received:
    120
    Hello,

    The extra text is usually random English words designed to help spam emails get past spam content filtering. I believe that is the case here. Also, I removed the spam link from the post to protect others viewing the discussions.

    :welcome: to Email Questions!
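The `<span style="VISIBILITY:hidden;display:none">` in the first post is the mechanism popowich describes: the filler words are in the message for the content filter to score, but a mail client never renders them. In that post the span also sits in a part declared text/plain, so a client showing the plain-text alternative would print the markup literally; HTML tags inside a text/plain part are therefore worth flagging on their own. The script below is an added example, not code from the thread or from the forum; it feeds each text part of a message through the standard-library HTML parser, separates text that renders from text a hiding style suppresses, and flags markup in text/plain parts. The message it parses is constructed here from the headers and the truncated span quoted above, with a made-up HTML part and a link on example.invalid; the `font-size:0` pattern is an assumption added for a third common hiding style that the post itself does not show.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Inline styles that stop a mail client from rendering an element's text.
# display:none and visibility:hidden are the two from the post; font-size:0
# is a further common trick added here as an assumption.
HIDE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])", re.I)
TAG_RE = re.compile(r"<[a-zA-Z][^>]*>")


class HiddenTextScanner(HTMLParser):
    """Splits the text of an HTML fragment into rendered and suppressed runs."""

    def __init__(self):
        super().__init__()
        self._stack = []        # (tag, opened_hidden_region) for open elements
        self.hidden_depth = 0   # > 0 while inside a hidden element
        self.hidden_tags = 0
        self.hidden_text = []
        self.visible_text = []

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        hides = bool(HIDE_RE.search(style))
        if hides:
            self.hidden_tags += 1
            self.hidden_depth += 1
        self._stack.append((tag, hides))

    def handle_endtag(self, tag):
        if all(t != tag for t, _ in self._stack):
            return                      # stray close tag: ignore it
        while self._stack:              # unwind to the matching open tag
            t, hides = self._stack.pop()
            if hides:
                self.hidden_depth -= 1
            if t == tag:
                break

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            (self.hidden_text if self.hidden_depth else self.visible_text).append(text)


def scan_message(raw):
    """One finding per text part: what renders, what is hidden, and whether
    a text/plain part carries HTML markup at all."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()
        scanner = HiddenTextScanner()
        scanner.feed(body)
        scanner.close()
        ctype = part.get_content_type()
        findings.append({
            "content_type": ctype,
            "markup_in_plain": ctype == "text/plain" and bool(TAG_RE.search(body)),
            "hidden_tags": scanner.hidden_tags,
            "hidden_text": " ".join(scanner.hidden_text),
            "visible_text": " ".join(scanner.visible_text),
        })
    return findings


B = "------------efde9aba86926d57efc997fd"   # boundary value from the post

# Constructed sample: headers from the first post, the truncated hidden span as
# its text/plain part, and a made-up HTML part with a link on example.invalid.
SAMPLE = f"""\
From: sandra bailey <sandrabailey@hotmail.co.uk>
To: j-porter@sky.com
Subject: Slashed
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="{B}"

--{B}
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

<span style="VISIBILITY:hidden;display:none">columns topped with winged boars Harry saw two more towering hooded
--{B}
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

<html><body>
<p>Check this out: <a href="http://example.invalid/">link</a></p>
<div style="display:none">columns topped with winged boars Harry saw two more towering hooded</div>
</body></html>
--{B}--
"""

if __name__ == "__main__":
    for f in scan_message(SAMPLE):
        print(f["content_type"], "| hidden tags:", f["hidden_tags"],
              "| markup in text/plain:", f["markup_in_plain"])
        print("  renders:", f["visible_text"] or "(nothing)")
        print("  hidden :", f["hidden_text"] or "(nothing)")
```

`scan_message` takes the raw message text as saved by a mail client, so it works on a real message the same way; a part whose hidden text is longer than its visible text is the pattern worth alerting on.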
     

  3. lilguy43uk

    lilguy43uk Greylisted

    Joined:
    Jul 16, 2014
    Messages:
    5
    Likes Received:
    0
    Thanks for that, I thought I'd mangled the links but must have forgotten.

    Regards
     
  4. lilguy43uk

    lilguy43uk Greylisted

    Joined:
    Jul 16, 2014
    Messages:
    5
    Likes Received:
    0
    Still getting these "ghost" emails from a relative despite her having changed her webmail password but I'm unable to discover where they are coming from other than North America. This time I've disabled the links but are you able to pinpoint the origin of these emails please?

    From - Sun Jul 20 11:50:20 2014
    X-Account-Key: account4
    X-UIDL: AJ8JDNkAACLHU8ucvQAAAHqTk0E
    X-Mozilla-Status: 0001
    X-Mozilla-Status2: 00000000
    X-Mozilla-Keys:
    X-Apparently-To: j-po@sky.com via 46.228.38.191; Sun, 20 Jul 2014 10:40:59 +0000
    Received-SPF: pass (domain of hotmail.co.uk designates 65.55.111.98 as permitted sender)
    X-YMailISG: sIlsZkwWLDuhN.hRS5SRlYR1OmUx1SOjr.in2OOtM7sxmBEu
    27g6IEHxUiTmgJomqOEclFRtM0T6yGPNsq6S_0B2iy8q6tUnTuy.iNoW_QJS
    srtdjUioBMQvrXI1XiIc3pc6iFJOwlrHe8195.P4MNdpaPN.aooZmfILEb7u
    J7k2POMM5ST7saiiquCOVFcdhMaD4snkkuTKBfKxHa0vex1FzJwXCoSUjg6C
    VcSTrCyuxbKp.AMT.A6TgYUuWIvijeroE3LMXcfieEMsnEAb9_fI_5jOptiy
    nJkHXQMRYZTf9uIHszrEzTWPsxdFQTrpDyIrGv.99yE3i3M9tkMEZF4V1DQc
    v4KAGKiS50nOI5.NYKiBKcmnK97CqGQNxqtD4cT.wqhjob2gyY8.whFgOPUy
    v4PG23uAFtmpXkmtO5hGx9htiO.1xKWiIknx58ZEcTE5gxhjdxrNjUztEOzu
    ilDAqglaz02hgin1c4s7.Tp0BgxeANWP8EGPTsY4lTkZe7MTN9dXSJyIgE1R
    3NLO5l_PqaOxqXtwgb8P6xwZ2QRB2HCe8y6a3z08zksdKZMzhoZ0J8Cz6jZl
    NKywnzE2FBVPLECLmeyN7evJUS.ra.zAz7hcRixtDbEydaUv_gsrlH.4DrHx
    T5bKbO1fo6S1ZTT_KygmPWWhEgDIQv3Ot54_12R3DR3iev3I0VkqQyMflNc5
    5kJVqgihobQi0ZYTsgtkqVf6.W37N.YRzsyNcjkH0y0.NcaWQx7GWKnCkdBO
    z1Ko0ZIcMcHREnrFN6JOST6IAVs3PLAbUtYnbm3zqk.1GXOMdHo8PUDkzyxb
    S_XYLjeihuYgJ0zXbAs3TNEz0sTnF5FbcPRtzM2Q0eQEsfJO74ShHFUR0flw
    JiUN9cE6iNHUqYNGYQl.KvM618u1T2KS0Se26G0SaM_W4fiFr4P39wSOT8u6
    K8d7Hd6RLfk8FHJMKd07NkjEz.53Rf.PHvcqPWw2.OSsKsNhcu8XVsLTJ3WT
    Qi5b2XKUeCxHrbkIKKAKDBvU_djPI2FdTbKnu0ui3bKT2NhdGBQd_5j14X9i
    73ZqNpNIZ19flQ1ORGqs8MYKA..V2X5L.F_YX1HZR8y86w2LZYMB1fzqUMBZ
    i0YpB9d4AgCskWARu4T8ICUCBjrbwXQM9kyJ2XJQs3IIX5t7GfIuYNO__M0h
    _3YIzmD53panpdNuqAAm6auGsgKMO4d54reya7.kNXge12i25_vyWpLBpXAu
    DwyGkAB1jLhRh5XfV1ygr5Z6CGG_883QVulRQCWl9rZgvWoUtLcXDtIOPo9a
    Y3RSOP4I5HbkcKD0kDwgMBgIzsTGvV6wmaSOMD83hb100XJFqyToBH2r_yni
    Vh2RcT0EWLnLiiEYVShLhivsUrr6lpQ-
    X-Originating-IP: [65.55.111.98]
    Authentication-Results: mta1176.mail.ir2.yahoo.com from=hotmail.co.uk; domainkeys=neutral (no sig); from=hotmail.co.uk; dkim=neutral (no sig)
    Received: from 127.0.0.1 (EHLO BLU004-OMC2S23.hotmail.com) (65.55.111.98)
    by mta1176.mail.ir2.yahoo.com with SMTPS; Sun, 20 Jul 2014 10:40:59 +0000
    Received: from BLU436-SMTP11 ([65.55.111.73]) by BLU004-OMC2S23.hotmail.com with Microsoft SMTPSVC(7.5.7601.22712);
    Sun, 20 Jul 2014 03:40:58 -0700
    X-TMN: [Kr7q/nj2qACOTdx94fEQbU3RC5e91Ic+]
    X-Originating-Email: [sandr@hotmail.co.uk]
    Message-ID: <BLU436-SMTP110536AB1DF7220F70999084F30@phx.gbl>
    Received: from [192.168.1.1] ([92.21.44.175]) by BLU436-SMTP11.smtp.hotmail.com over TLS secured channel with Microsoft SMTPSVC(8.0.9200.16384);
    Sun, 20 Jul 2014 03:40:56 -0700
    From: sa<sa@hotmail.co.uk>
    Subject: Pr ofitable?
    Date: Sun, 20 Jul 2014 03:40:56 +0000
    To: j-@sky.com
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="------------b502dc25d4359c9745286a0b"
    X-OriginalArrivalTime: 20 Jul 2014 10:40:56.0905 (UTC) FILETIME=[16AAC390:01CFA407]
    X-Antispam: clean, score=59
    X-Antivirus: avast! (VPS 140719-1, 19/07/2014), Inbound message
    X-Antivirus-Status: Clean

    --------------b502dc25d4359c9745286a0b
    Content-Type: text/plain; charset="ISO-8859-1"
    Content-Transfer-Encoding: 7bit
     
  5. HWA

    HWA New Email

    Joined:
    Sep 18, 2014
    Messages:
    3
    Likes Received:
    0
    Hi. I've received the EXACT same email headers. My email received: I've won / inherited 10 million British pounds.
    It says AT&T as the originating IP - unsure if this is correct or not.
    Same IP as above.
    Shall I do a C&P here so people can see?
    Don't wish to do a wrong entry etc.

    cheers ;-)
     
  6. HWA

    HWA New Email

    Joined:
    Sep 18, 2014
    Messages:
    3
    Likes Received:
    0
    I see a Moderator will check this, so I will do a C&P of the email headers (below) and have *** my email addy. I KNOW this is 100% scammers. I'm hoping to warn others not to get sucked into this sort of rubbish.
    Email & headers below; I believe all links have been disabled (I believe). Hoping the Moderators check this and, if OK, post. Cheers :)



    x-store-info:IwXGHBr6q6UEkAtdj5qSH2GJmjXGt+80
    Authentication-Results: hotmail.com; spf=none (sender IP is 61.9.168.152) smtp.mailfrom=admin@qsls.com; dkim=none header.d=qsls.com; x-hmca=none header.id=admin@qsls.com
    X-SID-PRA: admin@qsls.com
    X-AUTH-Result: NONE
    X-SID-Result: NONE
    X-Message-Status: n:n
    X-Message-Delivery: Vj0xLjE7dXM9MTtsPTE7YT0wO0Q9MDtHRD0wO1NDTD00
    X-Message-Info: SYIGCxALW9OSMtUSASGvhjEGayQvP4qsVDfqDu4Jy0sdZEIg/iFUiS8gqkmZQHdSu8Vfj3V5MPvctRUoV1uy5REL6KCX12OL5x8fQNV/fyykZefUBbVZaagp0QGC+QC1aBF66a9YkIXXuEDSuR0ytTVSnI2j5P/c485O8J5L0HDp6ETyas8gDRn2LaoskqqA4MX2TdF3I/QINiJ4LDHBPuvdDy7w57232tSKE4JSWX8=
    Received: from nskntmtas06p.mx.bigpond.com ([61.9.168.152]) by BAY004-PAMC2F1.hotmail.com with Microsoft SMTPSVC(7.5.7601.22712);
    Wed, 17 Sep 2014 18:23:20 -0700
    Received: from nskntcmgw01p ([61.9.169.161]) by nskntmtas06p.mx.bigpond.com
    with ESMTP
    id <20140918012318.GQLU7536.nskntmtas06p.mx.bigpond.com@nskntcmgw01p>
    for <h*****@bigpond.com>; Thu, 18 Sep 2014 01:23:18 +0000
    Received: from mcu-server.mcu.local ([162.198.249.139])
    by nskntcmgw01p with BigPond Inbound
    id sRPH1o01p31CDyy01RPH7e; Thu, 18 Sep 2014 01:23:18 +0000
    X-Authority-Analysis: v=2.0 cv=RJUx7ve+ c=1 sm=1 p=ANm1GqXM0noA:10
    p=QUbE207oL9n_dtuK:21 a=SqIMgoRVrjkBMJrrzGQvQw==:17 a=Dyoqhi_TatcA:10
    a=Iz5e6Rs4qg0A:10 a=reRN_k78R_QA:10 a=8EU9Q7FnrCoA:10 a=Cfj4BQAnxiAA:10
    a=rsk6PgAwAAAA:8 a=K57tCgj2AAAA:8 a=PjQGnA2mZWO4txIoCWoA:9 a=Ft8UYL4EG9YA:10
    a=-9S2lEYtG7JCMszI:21 a=SqIMgoRVrjkBMJrrzGQvQw==:117
    Received: from User ([192.168.0.1]) by mcu-server.mcu.local with Microsoft SMTPSVC(6.0.3790.4675);
    Wed, 17 Sep 2014 20:21:15 -0500
    Reply-To: <adsallaw@rediffmail.com>
    From: "Admin Staff"<admin@qsls.com>
    To: admin@qsls.com
    Subject: Notice!!
    Date: Thu, 18 Sep 2014 01:26:31 +0100
    MIME-Version: 1.0
    Content-Type: text/plain;
    charset="Windows-1251"
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    Return-Path: admin@qsls.com
    Message-ID: <MCU-SERVERngL6wxvw000000205@mcu-server.mcu.local>
    X-OriginalArrivalTime: 18 Sep 2014 01:21:15.0718 (UTC) FILETIME=[D7814660:01CFD2DE]



    Attn: Please,
    We wish to notify you again that you were listed as a lawful heir/beneficiary to the total sum of Ten Million British Pounds.

    The race is now on for heir locators to track down the often distant relatives in line for a windfall.

    A regular mail was dispatched to you but no response from you. We request you to kindly acknowledge this email to enable us process your inheritance.

    Yours truly,
    Admin Staff.
    QServices Uk. 18/9
    *******************************************Disclaimer******************************************************
    The information contained in this message is Confidential and Proprietary information and is intended only for the use of the recipient(s) above. If the reader of this message is not the intended recipient, he/she is hereby notified that any use, dissemination, distribution, or copying of this communication or any of its content is strictly prohibited. In such case, please advise the sender immediately and delete it from your system. Further acknowledge that any views expressed in this message are those of the individual sender and no binding nature of the message shall be implied or assumed unless the sender does so expressly with due authority of QServices.
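The origin question in posts 4 and 6 is answered by the Received: chain, read from the bottom of the header block upward, because each relay prepends its own line: the earliest hop whose "from" clause carries a public address is where the message entered the mail system. The receiving provider's X-Originating-IP is not that address. In post 4, Yahoo's X-Originating-IP ([65.55.111.98]) is the Hotmail outbound server named in the top Received: line, while the innermost Received: line records the client that submitted the message to Hotmail as [92.21.44.175]. In post 6 the innermost hop is a private address (192.168.0.1) behind mcu-server.mcu.local, so the first public address appears one hop further out, 162.198.249.139. The script below is an added example, not code from the thread or the forum; the two messages it parses are constructed from the headers quoted in those two posts, trimmed to the relevant lines, with the bodies replaced by a placeholder.

```python
import email
import ipaddress
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FROM_RE = re.compile(r"^from\s+(?P<src>.*?)\s+by\s+", re.I)


def public_ips(text):
    """IPv4 addresses in text that are globally routable (drops 192.168/16, 127/8, ...)."""
    found = []
    for cand in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(cand)
        except ValueError:          # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if ip.is_global:
            found.append(str(ip))
    return found


def received_hops(msg):
    """Received: lines earliest-first. Each relay prepends its own line, so the
    bottom of the header block is the first hop."""
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    hops.reverse()
    return hops


def find_origin(raw):
    """Walk the hops from the earliest and report the first public address in a
    'from' clause, plus any purely internal hops that precede it."""
    msg = email.message_from_string(raw)
    internal = []
    result = None
    for idx, hop in enumerate(received_hops(msg)):
        m = FROM_RE.match(hop)
        ips = public_ips(m.group("src")) if m else []
        if ips:
            result = {"origin_ip": ips[0], "hop_index": idx, "hop": hop}
            break
        internal.append(hop)
    if result is None:
        return None
    # The provider's X-Originating-IP records whoever connected to *it*, which
    # for relayed mail is the previous MTA, not the sender's client.
    xoip = public_ips(msg.get("X-Originating-IP", ""))
    result["internal_hops"] = internal
    result["x_originating_ip"] = xoip[0] if xoip else None
    return result


# Constructed from the headers quoted in post 4 (Hotmail -> Yahoo), trimmed.
SAMPLE_HOTMAIL = (
    "Received: from 127.0.0.1 (EHLO BLU004-OMC2S23.hotmail.com) (65.55.111.98)\n"
    "  by mta1176.mail.ir2.yahoo.com with SMTPS; Sun, 20 Jul 2014 10:40:59 +0000\n"
    "Received: from BLU436-SMTP11 ([65.55.111.73]) by BLU004-OMC2S23.hotmail.com"
    " with Microsoft SMTPSVC(7.5.7601.22712);\n"
    "  Sun, 20 Jul 2014 03:40:58 -0700\n"
    "X-Originating-IP: [65.55.111.98]\n"
    "Received: from [192.168.1.1] ([92.21.44.175]) by BLU436-SMTP11.smtp.hotmail.com"
    " over TLS secured channel with Microsoft SMTPSVC(8.0.9200.16384);\n"
    "  Sun, 20 Jul 2014 03:40:56 -0700\n"
    "From: sa <sa@hotmail.co.uk>\n"
    "Subject: Pr ofitable?\n"
    "\n"
    "(body omitted)\n"
)

# Constructed from the headers quoted in post 6 (internal relay, then BigPond -> Hotmail).
SAMPLE_QSLS = (
    "Received: from nskntmtas06p.mx.bigpond.com ([61.9.168.152]) by BAY004-PAMC2F1.hotmail.com"
    " with Microsoft SMTPSVC(7.5.7601.22712);\n"
    "  Wed, 17 Sep 2014 18:23:20 -0700\n"
    "Received: from nskntcmgw01p ([61.9.169.161]) by nskntmtas06p.mx.bigpond.com\n"
    "  with ESMTP id <20140918012318.GQLU7536.nskntmtas06p.mx.bigpond.com@nskntcmgw01p>\n"
    "  for <h*****@bigpond.com>; Thu, 18 Sep 2014 01:23:18 +0000\n"
    "Received: from mcu-server.mcu.local ([162.198.249.139])\n"
    "  by nskntcmgw01p with BigPond Inbound\n"
    "  id sRPH1o01p31CDyy01RPH7e; Thu, 18 Sep 2014 01:23:18 +0000\n"
    "Received: from User ([192.168.0.1]) by mcu-server.mcu.local"
    " with Microsoft SMTPSVC(6.0.3790.4675);\n"
    "  Wed, 17 Sep 2014 20:21:15 -0500\n"
    "Reply-To: <adsallaw@rediffmail.com>\n"
    "From: \"Admin Staff\"<admin@qsls.com>\n"
    "Subject: Notice!!\n"
    "\n"
    "(body omitted)\n"
)

if __name__ == "__main__":
    for label, raw in (("post 4", SAMPLE_HOTMAIL), ("post 6", SAMPLE_QSLS)):
        r = find_origin(raw)
        print(f"{label}: origin {r['origin_ip']} at hop {r['hop_index']}"
              f" after {len(r['internal_hops'])} internal hop(s);"
              f" X-Originating-IP says {r['x_originating_ip']}")
```

One caveat when applying this to real mail: only the Received: lines added by servers you trust are reliable, because a sender can put fabricated Received: lines of their own below them. Read the chain from the top (the receiving provider) downward and stop trusting it at the first line whose "by" host is not one you recognise; in post 4 that still leaves the Hotmail submission server's line, and Received-SPF: pass for hotmail.co.uk confirms the message really did leave Hotmail's servers.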
     
  7. HWA

    HWA New Email

    Joined:
    Sep 18, 2014
    Messages:
    3
    Likes Received:
    0
    Hi. I've been getting them non-stop. I did an unsubscribe with one or two and ended up with BAD spyware. They (whoever) managed to turn off my anti-virus real-time protection. It was a mess. I checked this email and I got this info below; not sure if it helps or not.
    cheers:)
    Traceroute for: 162.246.56.214

    Executing IPv4 traceroute... (this can take up to three minutes)

    HOP | Time (ms) | IP              | Hostname                                    | ISP                                    | Location
    1   | 3         | 213.239.245.221 | core11.hetzner.de                           | AS24940 Hetzner Online AG              | Germany (DE)
    2   | 3         | 213.239.203.138 | juniper4.rz2.hetzner.de                     | AS24940 Hetzner Online AG              | Germany (DE)
    3   | 3         | 77.109.135.101  | r1nue1.core.init7.net                       | AS13030 Init Seven AG                  | Switzerland (CH)
    4   | 17        | 77.109.140.253  | r1lon1.core.init7.net                       | AS13030 Init Seven AG                  | Switzerland (CH)
    5   | 88        | 77.109.140.194  | r1nyc1.core.init7.net                       | AS13030 Init Seven AG                  | Switzerland (CH)
    6   | 85        | 77.109.140.106  | r1nyc2.core.init7.net                       | AS13030 Init Seven AG                  | Switzerland (CH)
    7   | 1219      | 213.239.245.221 | core11.hetzner.de                           | AS24940 Hetzner Online AG              | Germany (DE)
    8   | 5         | 213.239.203.138 | juniper4.rz2.hetzner.de                     | AS24940 Hetzner Online AG              | Germany (DE)
    9   | 3         | 77.109.135.101  | r1nue1.core.init7.net                       | AS13030 Init Seven AG                  | Switzerland (CH)
    10  | 50        | 66.192.245.138  | blt1-ar3-xe-2-0-0-0.us.twtelecom.net        | AS4323 tw telecom holdings, inc.       | United States (US)
    11  | 0         | 77.109.140.253  | r1lon1.core.init7.net                       | AS13030 Init Seven AG                  | Switzerland (CH)
    12  | 0         | 199.227.4.198   | -                                           | AS4323 tw telecom holdings, inc.       | Tampa, Florida, United States (US)
    13  | 0         | 144.202.254.42  | -                                           | AS26094 Baltimore Technology Park, LLC | Baltimore, Maryland, United States (US)
    14  | 0         | 77.109.140.194  | r1nyc1.core.init7.net                       | AS13030 Init Seven AG                  | Switzerland (CH)
    15  | 0         | 144.202.238.253 | 144-202-238-253.baltimoretechnologypark.com | AS26094 Baltimore Technology Park, LLC | Baltimore, Maryland, United States (US)
    16  | 0         | 77.109.140.106  | r1nyc2.core.init7.net                       | AS13030 Init Seven AG                  | Switzerland (CH)
    17  | 0         | 144.202.225.5   | -                                           | AS26094 Baltimore Technology Park, LLC | Baltimore, Maryland, United States (US)
    18  | 0         | 162.246.56.214  | postbox.ausposte.com                        | AS26094 Baltimore Technology Park, LLC | West Chester, Pennsylvania, United States (US)

    Trace completed
     
