Like most casual sex invitations these contain a risk of infection.
The links in the spams frequently contain the following domains:

  • seminar-gos-zakaz3.ru
  • derbentmuzei.ru
  • seminar-gos-zakaz1.ru

We are blocking mail from those domains but the emails are actually coming from telco providers

The sender IP of the example on the right is 12.89.124.138 That IP address belongs to AT&T Services, Inc.

|

Response from abuse@att.com

Subject: Re: Russian sex spam from 12.89.124.138 [030119-134823-14979-00] All headers

THIS IS AN AUTO-RESPONSE MESSAGE – PLEASE DO NOT REPLY – AT&T WILL NOT SEE ANY REPLY SENT TO THIS MESSAGE

This message confirms that your report has been received by the AT&T Internet Services Security Center.

The AT&T Internet Services Acceptable Use Policy is located at
http://www.att.com/aup/.

AT&T ABUSE REPORTING

Please note that we can only take action on reports that implicate the AT&T network as a source of abuse. As we are unable to take
any action on reports not involving AT&T’s network, we recommend that you send those reports directly to the abuse address of the originating domain or service provider. You can identify the originator by reading the expanded e-mail headers. If you need help with reading headers, visit the following:

http://spamcop.net/fom-serve/cache/19.html

For any abuse report involving e-mail, it is essential that the report include the full original expanded headers containing the source IP address and time stamp, along with the complete unedited subject line and message. A report cannot be investigated without this information. Please send one report at a time, as combining multiple reports only detracts from our ability to address abuse issues.

For abuse reports involving security incidents, please include relevant log excerpts of the incident directly in the body of your message. Logs must be in plain text or ASCII format and include the time zone, source IP address, destination IP, timestamps, and port numbers.

For information on spam related issues please visit http://www.att.com/esupport/index.jsp and use the help search box to search for “spam” to locate Spam FAQs for your service type.

AT&T TARGETED SCAMS/PHISHING

AT&T will take appropriate action on any phishing reports that:

1. Appear to be from AT&T
2. Contain websites or services hosted on AT&T’s network
3. Target AT&T customer identity or personal information

For information on how to protect yourself from Internet scams, identity theft, and for the latest information on phishing & counterfeit AT&T Billing notices, refer to the following AT&T eSupport articles:

http://www.att.com/esupport/article.jsp?sid=KB409746#fbid=mU1ROpf459g
http://www.att.com/esupport/article.jsp?sid=KB415840#fbid=RhxDNBBBMZn

If you are an AT&T customer and you suspect that your AT&T email address(es) has been compromised refer to:

http://www.att.com/HackedID

If you think you have been a victim of potential identity theft, the U.S. Federal Trade Commission offers advice on its web site, which is located at http://www.consumer.gov/idtheft/

AT&T COPYRIGHT

For Copyright, Trademark, or DMCA allegations of Infringement,
please visit:

http://www.att.com/aup/

If your report involves a threat, please take steps to protect yourself and your property by reporting the incident to your local law enforcement agency. We will investigate your complaint and cooperate fully with any requests from law enforcement.

You will receive no further contact from us unless there are special circumstances, or we require additional information to complete our investigation.

AT&T Internet Services Security Center

Example email

Subject: get over here and f%ck me
Message: Whazap handsome. I’ve just, only looked through your profile. You’re very attractive. I am so, very tired 2day and I want to offer you chatting. My profile is here
 

— Headers —

From bitanig@grisfeliz.com  Fri Mar  1 06:39:58 2019
Return-Path: <bitanig@grisfeliz.com>
Received: from grisfeliz.com ([12.89.124.138])
by [redacted] your mail provider (8.13.8/8.13.8) with ESMTP id x21EdpZX023794
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
for < [redacted] your email address > ; Fri, 1 Mar 2019 06:39:56 -0800
Message-ID: <CF357873F4200EDD01044DF034FE8E5A@grisfeliz.com>
From: “Terri” <bitanig@grisfeliz.com>
To: < [redacted] your email address >
Subject: get over here and f%ck me
Date: Fri, 1 Mar 2019 06:39:46 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=”—-=_NextPart_000_1375_01D4CFF9.8F99BA90″
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 14.0.8117.416
X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8117.416
X-Scanned-By: MIMEDefang 2.67 on [redacted] your mail provider IP
X-UID: 424852
Status: RO
Content-Length: 330573

 

— End Headers —

NetRange: 12.89.120.0 – 12.89.127.255
CIDR: 12.89.120.0/21
NetName: ATTW-042909163741
NetHandle: NET-12-89-120-0-1
Parent: ATT (NET-12-0-0-0-1)
NetType: Reassigned
OriginAS:
Customer: CFWN Pool ATTCT-NMPL13 (C02215847)
RegDate: 2009-04-29
Updated: 2009-04-29
Ref: https://rdap.arin.net/registry/ip/12.89.120.0

CustName: CFWN Pool ATTCT-NMPL13
Address: 200 S. LAUREL AVE BLDG-A
City: MIDDLETOWN
StateProv: NJ
PostalCode: 07733
Country: US
RegDate: 2009-04-29
Updated: 2011-03-19
Ref: https://rdap.arin.net/registry/entity/C02215847

OrgTechHandle: IPSWI-ARIN
OrgTechName: IP SWIP
OrgTechPhone: removed phone number
OrgTechEmail: removed email address
OrgTechRef: https://rdap.arin.net/registry/entity/IPSWI-ARIN

OrgTechHandle: HKO3-ARIN
OrgTechName: KOSAL, HALUK
OrgTechPhone: removed phone number
OrgTechEmail: removed email address
OrgTechRef: https://rdap.arin.net/registry/entity/HKO3-ARIN

OrgTechHandle: ICC-ARIN
OrgTechName: IP Team
OrgTechPhone: removed phone number
OrgTechEmail: removed email address
OrgTechRef: https://rdap.arin.net/registry/entity/ICC-ARIN

OrgAbuseHandle: ATTAB-ARIN
OrgAbuseName: ATT Abuse
OrgAbusePhone: removed phone number
OrgAbuseEmail: removed email address
OrgAbuseRef: https://rdap.arin.net/registry/entity/ATTAB-ARIN

OrgTechHandle: JB3310-ARIN
OrgTechName: Borkenhagen, Jay C.
OrgTechPhone: removed phone number
OrgTechEmail: removed email address
OrgTechRef: https://rdap.arin.net/registry/entity/JB3310-ARIN

RTechHandle: IAA17-ARIN
RTechName: IP Address Administration
RTechPhone: removed phone number
RTechEmail: removed email address
RTechRef: https://rdap.arin.net/registry/entity/IAA17-ARIN