Like most casual sex invitations, these contain a risk of infection.
The links in the spams frequently contain the following domains:
- seminar-gos-zakaz3.ru
- derbentmuzei.ru
- seminar-gos-zakaz1.ru
We are blocking mail from those domains, but the emails are actually coming from telco providers.
The sender IP of the example email is 12.89.124.138. That IP address belongs to AT&T Services, Inc.
Response from abuse@att.com
Subject: Re: Russian sex spam from 12.89.124.138 [030119-134823-14979-00]
THIS IS AN AUTO-RESPONSE MESSAGE – PLEASE DO NOT REPLY – AT&T WILL NOT SEE ANY REPLY SENT TO THIS MESSAGE
This message confirms that your report has been received by the AT&T Internet Services Security Center.
The AT&T Internet Services Acceptable Use Policy is located at
http://www.att.com/aup/.
AT&T ABUSE REPORTING
Please note that we can only take action on reports that implicate the AT&T network as a source of abuse. As we are unable to take any action on reports not involving AT&T’s network, we recommend that you send those reports directly to the abuse address of the originating domain or service provider. You can identify the originator by reading the expanded e-mail headers. If you need help with reading headers, visit the following:
http://spamcop.net/fom-serve/cache/19.html
For any abuse report involving e-mail, it is essential that the report include the full original expanded headers containing the source IP address and time stamp, along with the complete unedited subject line and message. A report cannot be investigated without this information. Please send one report at a time, as combining multiple reports only detracts from our ability to address abuse issues.
For abuse reports involving security incidents, please include relevant log excerpts of the incident directly in the body of your message. Logs must be in plain text or ASCII format and include the time zone, source IP address, destination IP, timestamps, and port numbers.
For information on spam related issues please visit http://www.att.com/esupport/index.jsp and use the help search box to search for “spam” to locate Spam FAQs for your service type.
AT&T TARGETED SCAMS/PHISHING
AT&T will take appropriate action on any phishing reports that:
1. Appear to be from AT&T
2. Contain websites or services hosted on AT&T’s network
3. Target AT&T customer identity or personal information
For information on how to protect yourself from Internet scams, identity theft, and for the latest information on phishing & counterfeit AT&T Billing notices, refer to the following AT&T eSupport articles:
http://www.att.com/esupport/article.jsp?sid=KB409746#fbid=mU1ROpf459g
http://www.att.com/esupport/article.jsp?sid=KB415840#fbid=RhxDNBBBMZn
If you are an AT&T customer and you suspect that your AT&T email address(es) has been compromised refer to:
http://www.att.com/HackedID
If you think you have been a victim of potential identity theft, the U.S. Federal Trade Commission offers advice on its web site, which is located at http://www.consumer.gov/idtheft/
AT&T COPYRIGHT
For Copyright, Trademark, or DMCA allegations of Infringement, please visit:
http://www.att.com/aup/
If your report involves a threat, please take steps to protect yourself and your property by reporting the incident to your local law enforcement agency. We will investigate your complaint and cooperate fully with any requests from law enforcement.
You will receive no further contact from us unless there are special circumstances, or we require additional information to complete our investigation.
AT&T Internet Services Security Center
Example email
Subject: get over here and f%ck me
Message: Whazap handsome. I’ve just, only looked through your profile. You’re very attractive. I am so, very tired 2day and I want to offer you chatting. My profile is here
— Headers —
From bitanig@grisfeliz.com Fri Mar 1 06:39:58 2019
Return-Path: <bitanig@grisfeliz.com>
Received: from grisfeliz.com ([12.89.124.138])
by [redacted] your mail provider (8.13.8/8.13.8) with ESMTP id x21EdpZX023794
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
for < [redacted] your email address > ; Fri, 1 Mar 2019 06:39:56 -0800
Message-ID: <CF357873F4200EDD01044DF034FE8E5A@grisfeliz.com>
From: "Terri" <bitanig@grisfeliz.com>
To: < [redacted] your email address >
Subject: get over here and f%ck me
Date: Fri, 1 Mar 2019 06:39:46 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_1375_01D4CFF9.8F99BA90"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 14.0.8117.416
X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8117.416
X-Scanned-By: MIMEDefang 2.67 on [redacted] your mail provider IP
X-UID: 424852
Status: RO
Content-Length: 330573
— End Headers —
NetRange: 12.89.120.0 – 12.89.127.255
CIDR: 12.89.120.0/21
NetName: ATTW-042909163741
NetHandle: NET-12-89-120-0-1
Parent: ATT (NET-12-0-0-0-1)
NetType: Reassigned
OriginAS:
Customer: CFWN Pool ATTCT-NMPL13 (C02215847)
RegDate: 2009-04-29
Updated: 2009-04-29
Ref: https://rdap.arin.net/registry/ip/12.89.120.0
CustName: CFWN Pool ATTCT-NMPL13
Address: 200 S. LAUREL AVE BLDG-A
City: MIDDLETOWN
StateProv: NJ
PostalCode: 07733
Country: US
RegDate: 2009-04-29
Updated: 2011-03-19
Ref: https://rdap.arin.net/registry/entity/C02215847
OrgTechHandle: IPSWI-ARIN
OrgTechName: IP SWIP
OrgTechPhone:
OrgTechEmail:
OrgTechRef: https://rdap.arin.net/registry/entity/IPSWI-ARIN
OrgTechHandle: HKO3-ARIN
OrgTechName: KOSAL, HALUK
OrgTechPhone:
OrgTechEmail:
OrgTechRef: https://rdap.arin.net/registry/entity/HKO3-ARIN
OrgTechHandle: ICC-ARIN
OrgTechName: IP Team
OrgTechPhone:
OrgTechEmail:
OrgTechRef: https://rdap.arin.net/registry/entity/ICC-ARIN
OrgAbuseHandle: ATTAB-ARIN
OrgAbuseName: ATT Abuse
OrgAbusePhone:
OrgAbuseEmail:
OrgAbuseRef: https://rdap.arin.net/registry/entity/ATTAB-ARIN
OrgTechHandle: JB3310-ARIN
OrgTechName: Borkenhagen, Jay C.
OrgTechPhone:
OrgTechEmail:
OrgTechRef: https://rdap.arin.net/registry/entity/JB3310-ARIN
RTechHandle: IAA17-ARIN
RTechName: IP Address Administration
RTechPhone:
RTechEmail:
RTechRef: https://rdap.arin.net/registry/entity/IAA17-ARIN
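The header reading behind this report, as an added example that is not part of the original post: it pulls the source IP and timestamp from the topmost Received header, checks the IP against the WHOIS netblock above, and shows why a sender-domain block misses this mail while a check on body links catches it. The `mx.example.net` and `user@example.net` placeholders, the shortened subject and the body URL are constructed, since the page redacts or omits them.

```python
import email
import ipaddress
import re
from datetime import timezone
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlsplit

# Link domains listed on the page, and the netblock from its WHOIS record.
LINK_DOMAINS = {"seminar-gos-zakaz3.ru", "derbentmuzei.ru", "seminar-gos-zakaz1.ru"}
WHOIS_BLOCK = ipaddress.ip_network("12.89.120.0/21")

# Header values are from the page's example. Constructed for this sketch: the
# mx.example.net / user@example.net placeholders (redacted on the page), the
# shortened subject, and the body URL (the page does not show the actual link).
SAMPLE = """\
Return-Path: <bitanig@grisfeliz.com>
Received: from grisfeliz.com ([12.89.124.138])
\tby mx.example.net (8.13.8/8.13.8) with ESMTP id x21EdpZX023794
\tfor <user@example.net>; Fri, 1 Mar 2019 06:39:56 -0800
From: "Terri" <bitanig@grisfeliz.com>
Subject: constructed sample
Date: Fri, 1 Mar 2019 06:39:46 -0800

My profile is here http://seminar-gos-zakaz3.ru/
"""

def listed(host):
    """True if host is a listed link domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LINK_DOMAINS)

def analyze(raw):
    msg = email.message_from_string(raw)
    # Only the topmost Received header was written by the receiving server;
    # anything below it is supplied by the sender and can be forged.
    received = " ".join(msg.get_all("Received", [""])[0].split())
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)  # IPv4 only
    stamp = received.rpartition(";")[2].strip()
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload()  # assumes a single-part text message
    hosts = {urlsplit(u).hostname or "" for u in re.findall(r"https?://[^\s\"'<>]+", body)}
    return {
        "source_ip": ip.group(1) if ip else None,
        "in_whois_block": bool(ip) and ipaddress.ip_address(ip.group(1)) in WHOIS_BLOCK,
        "received_utc": parsedate_to_datetime(stamp).astimezone(timezone.utc).isoformat()
                        if ";" in received else None,
        "sender_domain": sender,
        "sender_listed": listed(sender),  # False: a sender-domain block misses it
        "link_hits": sorted(h for h in hosts if listed(h)),
    }
```

The source IP and the UTC timestamp from that first Received header are the two values the abuse desk's auto-response says a report must contain.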