Reported a Hotmail "Hot Stock" spam (1) yesterday. Got this little note back in return this a.m.
Hello Clinfoot,
Thank you for writing to MSN Hotmail.
This is [name removed] and I'm writing in response to your complaint about the unsolicited e-mail that you have received.
The Hotmail account you reported is an active account. However, we did not find enough evidence (2) to prove that the said email originated from this account. If you have other documentation to prove that this account is indeed sending unsolicited e-mail, please send us a copy with the full message header (3) so we can re-evaluate your report.
From time to time, individuals may forge message headers in order to suggest that the message originated with MSN Hotmail. In addition, these "spammers" may use similar fake reply-to accounts, "remove me" accounts, and other types of drop boxes either in the headers or in the body of messages, on web pages, in web-forms or in postings such as newsgroups. (4)
If you receive unsolicited e-mail, don't respond with "Remove" to a Hotmail address. This only tells the sender that your e-mail address is valid and active and will result in your receiving even more spam. (4)
You may sometimes find that the spammer has added your e-mail address or account name, perhaps with another domain name, into the header to try and make it appear more authentic. (4)
To help you identify a forged header, note that Hotmail e-mail addresses which begin with numbers or which have additional information in the domain name ([at]hotmail.com) are not valid. (5)
If you see a posting on a newsgroup with a Hotmail address, it is most likely based on a forged account. Hotmail members cannot post directly to newsgroups but must go through an independent news-posting service or use another e-mail program. (4)
To learn more about reading message headers, please check this site: http://www.stopspam.org/email/headers/headers.html. This site provides clear instructions on how to track down the real sender of a message. (6)
If you have other concern, please e-mail us again and we will be glad to help you. (7)
Sincerely,
[name removed]
MSN Hotmail Technical Support
1. The full headers and start of the body of the email are below.
2. Did you look?
3. My original complaint, copied back to me in full at the end of this little gem includes complete headers and body.
4. No s**t Sherlock!
5. If you had bothered to examine the email source I sent you, you would have found that it has neither of these characteristics.
6. Paging Grandma - Grandma to the white courtesy telephone. The institute for elementary egg sucking is holding for you.
7. Well, yes. I do have one or two concerns (see 1-6 above and the complete and compelling evidence of your spammer, which you have already received below). Just not sure it's worth my time bothering to point them out.
[Internet Explorer users - the quoted text below uses the <pre> tag. If it renders oddly, consider using a compliant browser.]
Here's the spam.
Received: from hotmail.com ([65.54.187.84])
        by our.domino.host (Lotus Domino Release 6.5.2)
        with ESMTP id 2004090815260030-33411 ;
        Wed, 8 Sep 2004 15:26:00 +0100
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
        Wed, 8 Sep 2004 07:00:04 -0700
Received: from 211.250.200.62 by by18fd.bay18.hotmail.msn.com with HTTP;
        Wed, 08 Sep 2004 14:00:04 GMT
X-Originating-IP: [211.250.200.62]
X-Originating-Email: [shannonmdjnz76923[at]hotmail.com]
X-Sender: shannonmdjnz76923[at]hotmail.com
From: "SHANNON MELLAGE"
To: [snipped long list of victims including our "Nadine" spam trap]
Subject: All Star Stocks
Date: Wed, 08 Sep 2004 14:00:04 +0000
Mime-Version: 1.0
Message-ID:
X-OriginalArrivalTime: 08 Sep 2004 14:00:04.0546 (UTC)
        FILETIME=[24149A20:01C495AC]
Content-Type: text/html
**News was released after the market close Friday**
Aquagen International to Attend the Natural Products Expo East Trade Show
Friday September 3, 4:35 pm ET close
"This is an important milestone for us at
Aquagen as we have never attended this show before. It is an important
show for us this year as we now have brokers traversing the entire
company, representing our products and anxious to place them in new retail
locations. Attending this show exhibits our commitment to support our
brokers and attract new customers," said Joanne Clinger, Aquagen's
CEO.(Partial clip, go to yahoo or any financial site to read the entire
news release)
[snipped long and boring "hot stock" spiel.]
... and here's who sent it.
09/11/04 09:15:57 whois 65.54.187.84[at]whois.arin.net
whois -h whois.arin.net 65.54.187.84 ...
OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US
NetRange: 65.52.0.0 - 65.55.255.255
CIDR: 65.52.0.0/14
NetName: MICROSOFT-1BLK
NetHandle: NET-65-52-0-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Assignment
NameServer: DNS1.CP.MSFT.NET
NameServer: DNS2.CP.MSFT.NET
NameServer: DNS1.TK.MSFT.NET
NameServer: DNS1.DC.MSFT.NET
NameServer: DNS1.SJ.MSFT.NET
Comment:
RegDate: 2001-02-14
Updated: 2002-12-05
TechHandle: ZM23-ARIN
TechName: Microsoft Corporation
TechPhone: +1-425-882-8080
TechEmail: noc[at]microsoft.com
OrgAbuseHandle: HOTMA-ARIN
OrgAbuseName: Hotmail Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: abuse[at]hotmail.com
OrgAbuseHandle: MSNAB-ARIN
OrgAbuseName: MSN ABUSE
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: abuse[at]msn.com
OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: abuse[at]microsoft.com
OrgNOCHandle: ZM23-ARIN
OrgNOCName: Microsoft Corporation
OrgNOCPhone: +1-425-882-8080
OrgNOCEmail: noc[at]microsoft.com
OrgTechHandle: MSFTP-ARIN
OrgTechName: MSFT-POC
OrgTechPhone: +1-425-882-8080
OrgTechEmail: iprrms[at]microsoft.com
# ARIN WHOIS database, last updated 2004-09-10 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
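Added example (not part of the original post): the check that the headers and whois output above support, written as a small Python script. It assumes our.domino.host is the recipient's own server, so the address that server logged is the one trusted hop, and it adds a constructed forgery using the documentation address 192.0.2.10 for contrast.

```python
import email
import ipaddress
import re

# Headers from the post, trimmed to the lines this check reads.
POSTED = """\
Received: from hotmail.com ([65.54.187.84])
\tby our.domino.host (Lotus Domino Release 6.5.2)
\twith ESMTP id 2004090815260030-33411 ;
\tWed, 8 Sep 2004 15:26:00 +0100
Received: from 211.250.200.62 by by18fd.bay18.hotmail.msn.com with HTTP;
\tWed, 08 Sep 2004 14:00:04 GMT
X-Originating-IP: [211.250.200.62]
"""
# Constructed forgery: same lower headers, but the hop our own server logged
# is a documentation address (192.0.2.10), not a Microsoft one.
FORGED = POSTED.replace("65.54.187.84", "192.0.2.10")

# CIDR from the ARIN whois output in the post (NetName MICROSOFT-1BLK).
PROVIDER_NET = ipaddress.ip_network("65.52.0.0/14")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def handoff_ip(msg, our_host):
    """Peer IP from the Received line written by our own server (the only trusted hop)."""
    for received in msg.get_all("Received", []):
        flat = " ".join(received.split())  # unfold continuation lines
        if f" by {our_host} " in flat:
            found = IPV4.search(flat)
            return ipaddress.ip_address(found.group(0)) if found else None
    return None


def assess(raw, our_host="our.domino.host", provider_net=PROVIDER_NET):
    msg = email.message_from_string(raw)
    hop = handoff_ip(msg, our_host)
    relayed = hop is not None and hop in provider_net
    found = IPV4.search(msg.get("X-Originating-IP", ""))
    return {
        "handoff_ip": str(hop) if hop else None,
        # True means the provider really relayed it, so the abuse report is theirs.
        "relayed_by_provider": relayed,
        # The submitting client's address is provider-written, so it is only
        # believable when the provider hop above checks out.
        "client_ip": found.group(0) if (found and relayed) else None,
    }


if __name__ == "__main__":
    print(assess(POSTED))
    print(assess(FORGED))
```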
Category: Dumb and Dumber
1. Chris LeRoy 13/09/2004 13:17:37
Homepage: http://www.brainbent.com
This sure looks like a canned response to me.
2. Chris Linfoot 13/09/2004 13:21:01
Yup. Abuse droid pressed the wrong button and sent the wrong boilerplate.
Sadly, while this seemed to have been improving recently with some actual confirmed kills coming back from Hotmail, the improvement has not been sustained.
3. Mark 13/09/2004 16:15:06
Homepage: http://www.gsw.com
Thanks - good post. Ever feel like no one is listening?
This makes me think twice when I recommend accepting IP validated hotmail.
4. Jerry Carter 14/09/2004 20:23:05
Homepage: http://datatribesoftwerks.com
So, Clinfoot, what was your first hint they were asleep at the wheel? 
This line is nice, call it the second clue. Makes you think, for a fraction of a second, a real person, somewhere in Redmond, gives a rip.
"This is [name removed] and I'm writing [right now, right this minute!] in response to your complaint about the unsolicited e-mail that you have received. "
Somebody went to Spammer School for writing compelling and personable text for form letters. How often do you write, in an email, "I'm writing you an email."
5. Mateo 29/07/2005 02:42:11
Just stumbled into this thread -- nice post! GJ on that, how do they expect things to get any better if even informed people's input isn't accepted? How will the teeming masses have a chance??
6. Nicko 05/02/2007 20:55:36
Too bad you did not even recognize that the actual sending ISP was NOT Microsuck. If anything, that would be under the x-originating field, which in this case is 211.250.200.62 and resolves to
inetnum: 211.232.0.0 - 211.255.255.255
netname: KRNIC-KR
descr: KRNIC
descr: Korea Network Information Center
The ISP you are looking at is actually the last stop of the message route, where Macroscam picked up the message.
I hope that in the few years since this, we have all learned a bit more!
Cheers!
7. Chris Linfoot 05/02/2007 21:21:07
You are a moron.
This was a complaint to Microsoft about a Hotmail account being abused, which it was. Of course the originating IP isn't Microsoft, but Microsoft relayed it having allowed the abuser to register a Hotmail account, probably via a stolen proxy server and with bogus credentials.
They failed to spot it and now you barge in here attempting to educate me in the correct way to read received headers.
You really should look more closely before making a fool of yourself.
8. Don 23/02/2007 03:12:31
Homepage: http://comcast.com
[Removed] is harassing me and accusing my son of inappropriate behavior with sheep. How do I get him axxed off of the web? Email me back at [removed]. Thank you
9. abused female 14/02/2008 23:39:01
Homepage: http://hhttp://www...hotmail.com
I spent 6 days trying to find out where to file a simple complaint to hotmail about abuse by a crazy dangerous man. F*** fotmail's circle of confusion that tells you everything but what you need to know. I had to use regular internet resources!