Hidden code in emails.

lilguy43uk

Greylisted
I have been receiving emails from a relative who hasn't actually sent them. Embedded in the source is the hidden text set out below. There is a link (not clicked but the IP address is out of Phoenix). Can you tell me the significance of the block of text please? Incidentally I have changed several characters in the text until I know what I'm dealing with. Thanks.

From - Wed Jul 16 08:02:26 2014
X-Account-Key: account4
X-UIDL: AI0JDNkAAA8BU8YJYQAAAB0BWtE
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
X-Apparently-To: j-porter@sky.com via 46.228.38.201; Wed, 16 Jul 2014 05:10:57 +0000
Received-SPF: pass (domain of hotmail.co.uk designates 65.55.111.76 as permitted sender)
X-Originating-IP: [65.55.111.76]
Authentication-Results: mta1190.mail.ir2.yahoo.com from=hotmail.co.uk; domainkeys=neutral (no sig); from=hotmail.co.uk; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO BLU004-OMC2S1.hotmail.com) (65.55.111.76)
by mta1190.mail.ir2.yahoo.com with SMTPS; Wed, 16 Jul 2014 05:10:56 +0000
Received: from BLU436-SMTP146 ([65.55.111.72]) by BLU004-OMC2S1.hotmail.com with Microsoft SMTPSVC(7.5.7601.22712);
Tue, 15 Jul 2014 22:10:56 -0700
X-TMN: [WOzfh6smDPcwDvN0M34xK/6g40aJJnEZ]
X-Originating-Email: [sandrabailey@hotmail.co.uk]
Message-ID: <BLU436-SMTP146D59C638A4BEEE43DF22584F70@phx.gbl>
Received: from [192.168.1.1] ([92.21.22.17]) by BLU436-SMTP146.smtp.hotmail.com over TLS secured channel with Microsoft SMTPSVC(8.0.9200.16384);
Tue, 15 Jul 2014 22:10:54 -0700
From: sandra bailey <sandrabailey@hotmail.co.uk>
Subject: Slashed
Date: Tue, 15 Jul 2014 22:15:11 +0000
To: j-porter@sky.com
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="------------efde9aba86926d57efc997fd"
X-OriginalArrivalTime: 16 Jul 2014 05:10:54.0498 (UTC) FILETIME=[51DC4020:01CFA0B4]
X-Antispam: clean, score=3
X-Antivirus: avast! (VPS 140715-1, 15/07/2014), Inbound message
X-Antivirus-Status: Clean

--------------efde9aba86926d57efc997fd
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

<span style="VISIBILITY:hidden;display:none">columns topped with winged boars Harry saw two more towering hooded
 

EQ Admin

EQ Forum Admin
Staff member
Hello,

The extra text is usually random English words designed to help spam emails get past spam content filtering. I believe that is the case here. Also, I removed the spam link from the post to protect others viewing the discussions.

:welcome: to Email Questions!
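
The hidden filler described in the reply above can be separated from the text a reader actually sees. The scanner below is an added example, not part of the original thread; the `scan` function, its word threshold and the visible part of the sample are assumptions, and only inline `style` attributes are checked.

```python
import re
from html.parser import HTMLParser

# Inline-style declarations that hide an element from the reader (the two the
# quoted span uses); stylesheet rules and other hiding tricks are out of scope.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID_TAGS = {"area", "base", "br", "col", "hr", "img", "input", "link", "meta", "wbr"}

class HiddenTextScanner(HTMLParser):
    """Split an HTML mail body into words the reader sees and words CSS hides."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []                  # (tag, hidden?) for each open element
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:             # void elements never enclose text
            return
        style = dict(attrs).get("style") or ""
        inherited = bool(self.stack) and self.stack[-1][1]
        self.stack.append((tag, inherited or bool(HIDDEN_STYLE.search(style))))

    def handle_endtag(self, tag):
        # Close the nearest matching element, dropping unclosed children with it.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        in_hidden = bool(self.stack) and self.stack[-1][1]
        (self.hidden if in_hidden else self.visible).extend(data.split())

def scan(html_body, min_hidden_words=8):
    """Return (hidden_words, visible_words, suspicious) for one HTML body."""
    scanner = HiddenTextScanner()
    scanner.feed(html_body)
    scanner.close()                      # flush text after the last tag
    hidden, visible = scanner.hidden, scanner.visible
    # Assumed heuristic: enough hidden words, and more of them than visible ones.
    suspicious = len(hidden) >= min_hidden_words and len(hidden) > len(visible)
    return hidden, visible, suspicious

# Constructed sample: a visible lure plus the hidden span quoted in the post,
# left unclosed as it is there.
SAMPLE = ('<html><body><p>Have a look at <a href="http://example.invalid/">this</a></p>'
          '<span style="VISIBILITY:hidden;display:none">columns topped with winged '
          'boars Harry saw two more towering hooded')

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Legitimate newsletters also hide a short preheader line this way, which is why the flag depends on the amount of hidden text relative to visible text rather than on the style alone.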
 

lilguy43uk

Greylisted
Still getting these "ghost" emails from a relative despite her having changed her webmail password but I'm unable to discover where they are coming from other than North America. This time I've disabled the links but are you able to pinpoint the origin of these emails please?

From - Sun Jul 20 11:50:20 2014
X-Account-Key: account4
X-UIDL: AJ8JDNkAACLHU8ucvQAAAHqTk0E
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
X-Apparently-To: j-po@sky.com via 46.228.38.191; Sun, 20 Jul 2014 10:40:59 +0000
Received-SPF: pass (domain of hotmail.co.uk designates 65.55.111.98 as permitted sender)
X-Originating-IP: [65.55.111.98]
Authentication-Results: mta1176.mail.ir2.yahoo.com from=hotmail.co.uk; domainkeys=neutral (no sig); from=hotmail.co.uk; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO BLU004-OMC2S23.hotmail.com) (65.55.111.98)
by mta1176.mail.ir2.yahoo.com with SMTPS; Sun, 20 Jul 2014 10:40:59 +0000
Received: from BLU436-SMTP11 ([65.55.111.73]) by BLU004-OMC2S23.hotmail.com with Microsoft SMTPSVC(7.5.7601.22712);
Sun, 20 Jul 2014 03:40:58 -0700
X-TMN: [Kr7q/nj2qACOTdx94fEQbU3RC5e91Ic+]
X-Originating-Email: [sandr@hotmail.co.uk]
Message-ID: <BLU436-SMTP110536AB1DF7220F70999084F30@phx.gbl>
Received: from [192.168.1.1] ([92.21.44.175]) by BLU436-SMTP11.smtp.hotmail.com over TLS secured channel with Microsoft SMTPSVC(8.0.9200.16384);
Sun, 20 Jul 2014 03:40:56 -0700
From: sa<sa@hotmail.co.uk>
Subject: Pr ofitable?
Date: Sun, 20 Jul 2014 03:40:56 +0000
To: j-@sky.com
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="------------b502dc25d4359c9745286a0b"
X-OriginalArrivalTime: 20 Jul 2014 10:40:56.0905 (UTC) FILETIME=[16AAC390:01CFA407]
X-Antispam: clean, score=59
X-Antivirus: avast! (VPS 140719-1, 19/07/2014), Inbound message
X-Antivirus-Status: Clean

--------------b502dc25d4359c9745286a0b
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
 

HWA

New Email
Hi. I've received the EXACT same email headers. My email received - I've won / inherited 10 million British pounds.
It says AT&T as the originating IP - unsure if this is correct or not.
Same IP as above.
Will I do a C&P here so people can see?
Don't wish to do wrong entry etc.

cheers ;-)
 

HWA

New Email
I see a Moderator will check this - so will do a C&P of the email headers (below) and have *** my email addy. I KNOW this is 100% scammers. I'm hoping to warn others to not get sucked into this sort of rubbish.
Email & headers below - I believe all links have been disabled (I believe). Hoping the Moderators check this and if OK - post. Cheers :)



x-store-info:IwXGHBr6q6UEkAtdj5qSH2GJmjXGt+80
Authentication-Results: hotmail.com; spf=none (sender IP is 61.9.168.152) smtp.mailfrom=admin@qsls.com; dkim=none header.d=qsls.com; x-hmca=none header.id=admin@qsls.com
X-SID-PRA: admin@qsls.com
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MTtsPTE7YT0wO0Q9MDtHRD0wO1NDTD00
X-Message-Info: SYIGCxALW9OSMtUSASGvhjEGayQvP4qsVDfqDu4Jy0sdZEIg/iFUiS8gqkmZQHdSu8Vfj3V5MPvctRUoV1uy5REL6KCX12OL5x8fQNV/fyykZefUBbVZaagp0QGC+QC1aBF66a9YkIXXuEDSuR0ytTVSnI2j5P/c485O8J5L0HDp6ETyas8gDRn2LaoskqqA4MX2TdF3I/QINiJ4LDHBPuvdDy7w57232tSKE4JSWX8=
Received: from nskntmtas06p.mx.bigpond.com ([61.9.168.152]) by BAY004-PAMC2F1.hotmail.com with Microsoft SMTPSVC(7.5.7601.22712);
Wed, 17 Sep 2014 18:23:20 -0700
Received: from nskntcmgw01p ([61.9.169.161]) by nskntmtas06p.mx.bigpond.com
with ESMTP
id <20140918012318.GQLU7536.nskntmtas06p.mx.bigpond.com@nskntcmgw01p>
for <h*****@bigpond.com>; Thu, 18 Sep 2014 01:23:18 +0000
Received: from mcu-server.mcu.local ([162.198.249.139])
by nskntcmgw01p with BigPond Inbound
id sRPH1o01p31CDyy01RPH7e; Thu, 18 Sep 2014 01:23:18 +0000
X-Authority-Analysis: v=2.0 cv=RJUx7ve+ c=1 sm=1 p=ANm1GqXM0noA:10
p=QUbE207oL9n_dtuK:21 a=SqIMgoRVrjkBMJrrzGQvQw==:17 a=Dyoqhi_TatcA:10
a=Iz5e6Rs4qg0A:10 a=reRN_k78R_QA:10 a=8EU9Q7FnrCoA:10 a=Cfj4BQAnxiAA:10
a=rsk6PgAwAAAA:8 a=K57tCgj2AAAA:8 a=PjQGnA2mZWO4txIoCWoA:9 a=Ft8UYL4EG9YA:10
a=-9S2lEYtG7JCMszI:21 a=SqIMgoRVrjkBMJrrzGQvQw==:117
Received: from User ([192.168.0.1]) by mcu-server.mcu.local with Microsoft SMTPSVC(6.0.3790.4675);
Wed, 17 Sep 2014 20:21:15 -0500
Reply-To: <adsallaw@rediffmail.com>
From: "Admin Staff"<admin@qsls.com>
To: admin@qsls.com
Subject: Notice!!
Date: Thu, 18 Sep 2014 01:26:31 +0100
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Return-Path: admin@qsls.com
Message-ID: <MCU-SERVERngL6wxvw000000205@mcu-server.mcu.local>
X-OriginalArrivalTime: 18 Sep 2014 01:21:15.0718 (UTC) FILETIME=[D7814660:01CFD2DE]



Attn: Please,
We wish to notify you again that you were listed as a lawful heir/beneficiary to the total sum of Ten Million British Pounds.

The race is now on for heir locators to track down the often distant relatives in line for a windfall.

A regular mail was dispatched to you but no response from you. We request you to kindly acknowledge this email to enable us process your inheritance.

Yours truly,
Admin Staff.
QServices Uk. 18/9
*******************************************Disclaimer******************************************************
The information contained in this message is Confidential and Proprietary information and is intended only for the use of the recipient(s) above. If the reader of this message is not the intended recipient, he/she is hereby notified that any use, dissemination, distribution, or copying of this communication or any of its content is strictly prohibited. In such case, please advise the sender immediately and delete it from your system. Further acknowledge that any views expressed in this message are those of the individual sender and no binding nature of the message shall be implied or assumed unless the sender does so expressly with due authority of QServices.
 

HWA

New Email
Hi. I've been getting them non-stop - I did an unsubscribe with one or 2 and ended up with BAD spyware. They (whoever) managed to turn off my anti-virus real time - it was a mess. I checked this email and I got this info below - not sure if it helps or not.
Cheers :)
Traceroute for : 162.246.56.214

Executing IPv4 traceroute... (this can take up to three minutes)
HOP  Time (ms)  IP               Hostname                                     ISP                                     Location
1    3          213.239.245.221  core11.hetzner.de                            AS24940 Hetzner Online AG               Germany (DE)
2    3          213.239.203.138  juniper4.rz2.hetzner.de                      AS24940 Hetzner Online AG               Germany (DE)
3    3          77.109.135.101   r1nue1.core.init7.net                        AS13030 Init Seven AG                   Switzerland (CH)
4    17         77.109.140.253   r1lon1.core.init7.net                        AS13030 Init Seven AG                   Switzerland (CH)
5    88         77.109.140.194   r1nyc1.core.init7.net                        AS13030 Init Seven AG                   Switzerland (CH)
6    85         77.109.140.106   r1nyc2.core.init7.net                        AS13030 Init Seven AG                   Switzerland (CH)
7    1219       213.239.245.221  core11.hetzner.de                            AS24940 Hetzner Online AG               Germany (DE)
8    5          213.239.203.138  juniper4.rz2.hetzner.de                      AS24940 Hetzner Online AG               Germany (DE)
9    3          77.109.135.101   r1nue1.core.init7.net                        AS13030 Init Seven AG                   Switzerland (CH)
10   50         66.192.245.138   blt1-ar3-xe-2-0-0-0.us.twtelecom.net         AS4323 tw telecom holdings, inc.        United States (US)
11   0          77.109.140.253   r1lon1.core.init7.net                        AS13030 Init Seven AG                   Switzerland (CH)
12   0          199.227.4.198                                                 AS4323 tw telecom holdings, inc.        Tampa, Florida, United States (US)
13   0          144.202.254.42                                                AS26094 Baltimore Technology Park, LLC  Baltimore, Maryland, United States (US)
14   0          77.109.140.194   r1nyc1.core.init7.net                        AS13030 Init Seven AG                   Switzerland (CH)
15   0          144.202.238.253  144-202-238-253.baltimoretechnologypark.com  AS26094 Baltimore Technology Park, LLC  Baltimore, Maryland, United States (US)
16   0          77.109.140.106   r1nyc2.core.init7.net                        AS13030 Init Seven AG                   Switzerland (CH)
17   0          144.202.225.5                                                 AS26094 Baltimore Technology Park, LLC  Baltimore, Maryland, United States (US)
18   0          162.246.56.214   postbox.ausposte.com                         AS26094 Baltimore Technology Park, LLC  West Chester, Pennsylvania, United States (US)

Trace completed
 