Cox cable E-mail spam (is it a sting operation)?

yellowvespa

Senior member
Oct 9, 2001
216
0
0
OK .. here's the scenario. I started getting stupid cable filter spam that drove me nuts. Since I use the extra e-mail addresses to make use of the web space and not the address itself I deleted 5 names and put 5 new ones into place 10 days ago. I HAVE NEVER SENT OR RECEIVED any e-mail on these addresses. Out of the blue last night I get spammed with THE SAME Pay per view cable filter spam as before on TWO of the new addresses, pushing something that allows you to steal PPV. Now I can understand that one address would be a fluke guess but I can't buy that the spammers guessed two of my new addresses in a single shot. I could hit a Lotto number easier.

I think that Cox Cable is running a sting operation to catch PPV program theft which is fine by me but before I go to the AG's office with the spam complaint I need to pose this question .... IS THERE ANY OTHER WAY FOR A SPAMMER TO GET TWO OF MY UNUSED ADDRESSES?? I am up to date weekly with XP security and Nortons, Security settings are medium or higher always. I just have a feeling that Cox is behind the spam (through a third party maybe) as all the recipients are cox addresses also.

What are your thoughts? Has my computer been compromised? Or are all the Cox addresses coming from the Cox database in a sting operation? Or has Cox been compromised?
 

Saltin

Platinum Member
Jul 21, 2001
2,175
0
0
Spammers use scripts now that just generate random prefixes for an email addy and go.

You can verify this easily by doing what you've done. Set up a random email addy like ahjdhjsdu@hotmail.com and don't use it at all. It won't be long before the spam starts coming.

 

Megatomic

Lifer
Nov 9, 2000
20,128
6
81
I've been getting these spams also. Very annoying. Here's my story: I have had cox digital telephone and cable internet but I was only getting basic non-digital cable. They called ME up one evening and offered me free digital cable. They said I was entitled to it since I had 2 of the 3 digital services. Wife says go for it, the kids will like some of the channels we would get. And they (cox) assured me that it was going to be free, even the converter is rent-free. That sounds good so I accept the offer.

And not much more than a month later I start getting these spams. Hmmm, very interesting eh? Up until I accepted their offer I was incapable of getting PPV and never received a spam. Now that I can get PPV the spams start. I'm definitely inclined to believe that this is a sting op of some kind. Soon I'll take this to Cox personally. This is bullsh!t.
 

yellowvespa

Senior member
Oct 9, 2001
216
0
0
A couple more tidbits. I don't have anything stored on either of the spammed accounts so they didn't grab the address from a picture URL. I have zone alarm also.

to Megatomic, I complained to Cox, both at the regular technical level and also to the special abuse telephone number and I know that they thought I was a CIA wannabe or something when I suggested that the spammed addresses were in fact from their own database or an operation on their part. They probably laughed and said to themselves "wow, what a nut" when the call ended but I think that if we get enough input on this from other users with Cox that there may in fact be something to Cox being the spammer.
 

bsobel

Moderator Emeritus
Elite Member
Dec 9, 2001
13,346
0
0
Originally posted by: yellowvespa
to Megatomic, I complained to Cox, both at the regular technical level and also to the special abuse telephone number and I know that they thought I was a CIA wannabe or something when I suggested that the spammed addresses were in fact from their own database or an operation on their part. They probably laughed and said to themselves "wow, what a nut" when the call ended but I think that if we get enough input on this from other users with Cox that there may in fact be something to Cox being the spammer.

You are a nut. Many spammers use dictionary attacks. If the email address you used is in their dictionary (regardless of what domain it might be on), they'll try it at the domain they are attacking. As an example, I use bsobel@ my work address. That name has been harvested by spammers who I know try bsobel@ many domains they attack. So unless your two email addresses were so random as to have not been likely ever used before (by anyone, not just you), this explains why the two now valid addresses immediately got used.

Bill


 

yellowvespa

Senior member
Oct 9, 2001
216
0
0
Bill, the addresses were obscure combinations that I picked for just this reason. Example: ca160red180 and us240blue700

There is no flippin way a spammer picked two of these out of the blue or from a numeric or alphabetic run; they were too different.

 

bsobel

Moderator Emeritus
Elite Member
Dec 9, 2001
13,346
0
0
Originally posted by: yellowvespa
Bill, the addresses were obscure combinations that I picked for just this reason. Example: ca160red180 and us240blue700
There is no flippin way a spammer picked two of these out of the blue or from a numeric or alphabetic run; they were too different.

Hmmmmmm. I have to admit, they do seem more random than not. And you've never used them anywhere else? Can you post the headers from one of the messages?
Bill


 

yellowvespa

Senior member
Oct 9, 2001
216
0
0
Bill, the addresses have never been used by me before. Following are two of the headers. I have x'd out or removed some of the actual addresses that it was sent to as I believe that they are good addresses, not random generations.

(note the return address on the top one ... "bone" as if to "throw a bone")

Titles are always different, actual message is always identical.

Header #1

Return-Path: <bone@telek.ru>
Received: from [68.6.19.3] ([61.150.98.35]) by fed1mtai09.cox.net
(InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP
id <20030620195012.OLFP7397.fed1mtai09.cox.net@[68.6.19.3]>;
Fri, 20 Jun 2003 15:50:12 -0400
Received: from lf.kzfeupl.com [80.180.186.14] by 68.6.19.3 id <4997721-12534>; Tue, 01 Jul 2003 20:26:31 +0200
Message-ID: <z4j9l5v40ed68@a3cwy6xt.lyp>
From: "Harry Dickerson" <bone@telek.ru>
Reply-To: "Harry Dickerson" <bone@telek.ru>
To: <bar@cox.net>, <asc@cox.net>, <mdu@cox.net>, <abe@cox.net>, <330@cox.net>, <sma@cox.net>, <abe@cox.net>, <mdu@cox.net>
Subject: Inexpensive Digital Cable Filter cllus xf eys
Date: Tue, 01 Jul 03 20:26:31 GMT
X-Mailer: Internet Mail Service (5.5.2650.21)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="B0_0E.91A7_0986_"
X-Priority: 3
X-MSMail-Priority: Normal

*******************************************

Header #2

Return-Path: <gu0ysh@wanadoo.fr>
Received: from [65.57.210.94] ([81.31.175.109]) by lakemtai08.cox.net
(InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP
id <20030713001411.RMDG3265.lakemtai08.cox.net@[65.57.210.94]>;
Sat, 12 Jul 2003 20:14:11 -0400
Received: from [188.206.203.102]
by 65.57.210.94 id <2139218-35200>;
Thu, 24 Jul 2003 08:20:14 +0600
Message-ID: <m76kj43-61r$idu-3@8p1kcfxv156>
From: "Noemi Mahoney" <gu0ysh@wanadoo.fr>
Reply-To: "Noemi Mahoney" <gu0ysh@wanadoo.fr>
To: <61XXXXXX@cox.net>, <61XXa@cox.net>, <tereXXXX@cox.net>, <lzmXXXX@cox.net>, <tereXXXX@cox.net>, <clouXXX@cox.net>, <tereXXXXXX@cox.net>
Subject: Gadgets for the entire household grmytswudw uwq epx
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_02E6_81E3B.8EC8.60EAD"
Date: Sat, 12 Jul 2003 20:14:15 -0400
 

Barnaby W. Füi

Elite Member
Aug 14, 2001
12,343
0
0
Received: from [68.6.19.3] ([61.150.98.35]) by fed1mtai09.cox.net

68.6.19.3 is mx.west.cox.net, and that seems to be the originating mail server -- so as far as I can tell (I am not an email-headerologist), cox sent the first one. Probably the second one too, but that IP doesn't resolve to anything.

Based on your story, I would agree that there is no way in hell that spammers would get those addresses so quickly. I had a short, non-whacky, visible email address (one in my profile) for half a year and NEVER got spam, even lately I only get perhaps a few per week. Getting spam at a new address that is unpublished in any way definitely supports the idea that cox is doing it.

The Reply-To addresses mean that cox people would have had to register those email addresses (bone@telek.ru and gu0ysh@wanadoo.fr), so it's quite a little scheme they have. edit: Actually, that's not necessarily true, they could just have something on their mail servers that checks for mail to those addresses and collects them.

Check out your service agreement and see if it mentions anything relevant to this situation.
 

bsobel

Moderator Emeritus
Elite Member
Dec 9, 2001
13,346
0
0
Originally posted by: Barnaby W. Füi
68.6.19.3 is mx.west.cox.net, and that seems to be the originating mail server -- so as far as I can tell (I am not an email-headerologist), cox sent the first one. Probably the second one too, but that IP doesn't resolve to anything.

No, it's just being made to look that way. The received header is:

Received: from [68.6.19.3] ([61.150.98.35])

So 68.6.19.3 is the 'name' given to the helo command. The actual IP address of the remote connection is the second IP listed. From one message the actual address looks like it's in China, another in Iran. That's not to say it couldn't be forged if it was Cox, but having the mx.west.cox.net address in there means nothing since many spammers use the remote IP as 'there' name.

Bill
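An added example, not code from this thread, that automates the reading Bill gives above: it parses the Received chain of Header #1 as posted earlier, separates the name the client claimed in HELO from the peer IP the Cox MTA actually observed, and flags the mismatch. Treating hosts under `.cox.net` as the trusted boundary is an assumption for this sample.

```python
import re
from typing import List, NamedTuple, Optional

# Header #1 from the thread above; the folded Received lines are re-indented
# the way RFC 2822 folding requires (constructed sample, not a live capture).
HEADER_1 = """\
Received: from [68.6.19.3] ([61.150.98.35]) by fed1mtai09.cox.net
    (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP
    id <20030620195012.OLFP7397.fed1mtai09.cox.net@[68.6.19.3]>;
    Fri, 20 Jun 2003 15:50:12 -0400
Received: from lf.kzfeupl.com [80.180.186.14] by 68.6.19.3 id <4997721-12534>;
    Tue, 01 Jul 2003 20:26:31 +0200
"""

class Hop(NamedTuple):
    helo: str               # what the sending client *claimed* in HELO/EHLO
    peer_ip: Optional[str]  # what the receiving server *observed* on the socket
    by: str                 # the server that wrote this Received line

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "from HELO ([peer]) by host", "from HELO (rdns [peer]) by host" or "from HELO [peer] by host"
RECEIVED_RE = re.compile(
    rf"^from\s+(\S+)(?:\s+\(?(?:[\w.-]+\s+)?\[({IPV4})\]\)?)?\s+by\s+(\S+)", re.I)

def unfold(raw: str) -> List[str]:
    """Join folded header lines (a continuation line starts with whitespace)."""
    return re.sub(r"\n[ \t]+", " ", raw).splitlines()

def received_hops(raw: str) -> List[Hop]:
    """Received lines top-down: the topmost was added last, by the recipient's MTA."""
    hops = []
    for line in unfold(raw):
        name, _, value = line.partition(":")
        m = RECEIVED_RE.match(value.strip()) if name.lower() == "received" else None
        if m:
            hops.append(Hop(m.group(1), m.group(2), m.group(3)))
    return hops

def originating_ip(raw: str, trusted_suffix: str) -> Optional[str]:
    """Peer IP seen by the first trusted MTA; every hop below it is sender-supplied text."""
    for hop in received_hops(raw):
        if hop.by.lower().endswith(trusted_suffix):
            return hop.peer_ip
    return None

def helo_is_spoofed(hop: Hop) -> bool:
    """An IP-literal HELO that differs from the observed peer is a forgery indicator."""
    return hop.helo.startswith("[") and hop.peer_ip is not None and hop.helo != f"[{hop.peer_ip}]"
```

For Header #1 the first trusted hop yields the peer 61.150.98.35 while the HELO claims [68.6.19.3], which is exactly the mismatch Bill points out.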



 

Barnaby W. Füi

Elite Member
Aug 14, 2001
12,343
0
0
Originally posted by: bsobel
68.6.19.3 is mx.west.cox.net, and that seems to be the originating mail server -- so as far as I can tell (I am not an email-headerologist ), cox sent the first one. Probably the second one too, but that IP doesn't resolve to anything.

No, it's just being made to look that way. The received header is:

Received: from [68.6.19.3] ([61.150.98.35])

So 68.6.19.3 is the 'name' given to the helo command. The actual IP address of the remote connection is the second IP listed. From one message the actual address looks like it's in China, another in Iran. That's not to say it couldn't be forged if it was Cox, but having the mx.west.cox.net address in there means nothing since many spammers use the remote IP as 'there' name.

Bill
Ah. I'm not sure why I only looked up one address and not the other.

And you mean "their" name.
 