EmailDiscussions.com  

Old 2 Jun 2002, 01:59 PM   #1
Jensen
Junior Member
 
Join Date: May 2002
Posts: 4
Question ???@postino.ch SPAM

Since starting my account about a month ago, I've had about 3 spam emails that slipped into my inbox and a couple that were shunted to trash straight away.

Now it's nothing I am overly concerned about. The emails were not addressed to me or any of my aliases specifically. What I did find strange is that every spam email I have received so far is from some user @postino.ch (about 3-4 aliases in total).

I am debating whether to pursue it with @postino.ch. But I thought I would at least mention it here because it seems from the emails that it has been sent to numerous fastmail addresses (either using the domain name fastmail or one of the others on offer).

Has anyone else come across this postino.ch domain when it comes to spam? It seems to me that maybe some spammer from postino.ch is specifically targeting fastmail accounts.

???

Any thoughts appreciated.

Old 2 Jun 2002, 06:00 PM   #2
nutmeg
Junior Member
 
Join Date: Apr 2002
Posts: 3
Re: ???@postino.ch SPAM

Quote:
Originally posted by Jensen
Now it's nothing I am overly concerned about. The emails were not addressed to me or any of my aliases specifically. What I did find strange is that every spam email I have received so far is from some user @postino.ch (about 3-4 aliases in total).

I am debating whether to pursue it with @postino.ch.

What makes you think the spammer is hosted by postino?
(I have not seen the same spam and I'm only asking because you didn't say... maybe you know all this)

The From: header is where all replies go. This one is usually forged, but might be used to collect valid e-mail addresses. The site is probably innocent though.

The envelope from is where all bounces go. This one is often forged too. It is possible that this site/victim dislikes the spam a lot more than you do.

The most accurate way is to read the Received: headers. A common rule-of-thumb is to look at the last one, but the last one(s) can of course be forged, so be aware. The good thing is that they can't all be forged. Just be careful before you blame anyone.

In case you don't know how to read and interpret all these headers, you could ask SpamCop (http://spamcop.net) to help you out. If you have never tried it before, you will be amazed at how many of the obvious headers contain nonsense and how many of those that make no sense contain real information.
Old 2 Jun 2002, 11:21 PM   #3
Jensen
Junior Member
 
Join Date: May 2002
Posts: 4
Spam

Nutmeg, thanks, you have spurred me on now. You were right in that postino have just been the return paths. My point is, though, that it is the same person spamming fastmail.fm, given the fact that all the return-path addresses go to postino.ch. I think it's more than a coincidence. Anyway, here are the details and my attempts to find him. FYI.

Here is an example of one of the spam messages sent. I have deleted any specific email accounts.

Return-Path: <XXXXXX@postino.ch>
Received: from www.fastmail.fm (server1.internal [10.202.2.132])
    by server3.fastmail.fm (Cyrus v2.1.3) with LMTP; Mon, 20 May 2002 20:13:43 -0500
X-Sieve: CMU Sieve 2.1
Received: from www.fastmail.fm ([unix socket])
    by www.fastmail.fm (Cyrus v2.1.3) with LMTP; Mon, 20 May 2002 20:13:43 -0500
Received: from www.fastmail.fm (localhost [127.0.0.1])
    by localhost.localdomain (Postfix) with ESMTP
    id 4793F6D9CF; Mon, 20 May 2002 20:13:42 -0500 (CDT)
X-Mail-from: XXXXXX@postino.ch
X-Spam-score: 10.3
Received: from sqlexch.freemanfox.com.au (unknown [202.147.65.67])
    by www.fastmail.fm (Postfix) with ESMTP
    id 93A1D6D9AE; Mon, 20 May 2002 20:13:20 -0500 (CDT)
Received: from mail.mailbox.hu ([62.215.249.3]) by sqlexch.freemanfox.com.au with Microsoft SMTPSVC(5.0.2195.4905);
    Tue, 21 May 2002 08:57:28 +1000
Message-ID: <0000348402db$00005079$00000cdd@mail.mailbox.hu>
To: <XXXXXXXX@fastmail.fm>
From: "Jetta Fort" <XXXXXX@postino.ch>
Subject: Instant quote Life insuranceCIVDP
Date: Mon, 20 May 2002 16:04:08 -1900
MIME-Version: 1.0
Content-Type: text/html;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Priority: 1
X-Mailer: Microsoft Outlook, Build 10.0.3416
X-Msmail-Priority: High
X-OriginalArrivalTime: 20 May 2002 22:57:31.0562 (UTC) FILETIME=[B8FB40A0:01C20051]

Now correct me if I am wrong, but the IP I should be concentrating on is the 62.215.249.3 on the first received line.

Which belongs to (thanks to samspade.org):

inetnum: 62.215.0.0 - 62.215.255.255
netname: KW-FAST-TELCO-20001218
descr: Fast Telecommunictions Company
descr: Provider Local Registry
country: KW
admin-c: SAUD1-RIPE
tech-c: AKS8-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
changed: hostmaster@ripe.net 20001218
source: RIPE

person: Saud A. Alghanim
address: P.O.Box 3204 Safat, Kuwait 13033
phone: +965-244-3419
fax-no: +965-241-0473
e-mail: sauda@nawasi.com.kw
nic-hdl: SAUD1-RIPE
remarks: Administrative Contact
notify: sauda@nawasi.com.kw
changed: sauda@nawasi.com.kw 20000609
source: RIPE

person: Ashwani Kumar Sharma
address: P.O.Box 3204 Safat
address: 13033 Kuwait
address: Kuwait
phone: +965 886666 Ext 138
fax-no: +965 2427290
e-mail: asharma@fasttelco.net
nic-hdl: AKS8-RIPE
notify: asharma@fasttelco.net
changed: asharma@nawasi.com.kw 20000919
changed: asharma@fasttelco.net 20020315
source: RIPE

Now I went back and checked the other spam emails listing @postino.ch emails on the reply line.

On the same received line in the next message, it is the following IP, 203.172.3.113, which comes up to the Philippines;
on the next one, 200.49.105.106, which comes up to Peru;
and on the next one, 194.125.228.246, which comes up to the UK.

While the originating IPs are different, all of these messages have the first forwarder as mail.mailbox.hu and they all have postino.ch domain names as replies, indicating to me that they are the one person spamming fastmail.fm.

Thanks.
All times are GMT +9. The time now is 05:07 AM.

 
