Is This A Spam Header

bb28

Meister Member
Joined
Nov 18, 2006
Location
US
I received an email that looks very official but I'm suspicious because I've unsubscribed from them and I'm not sure if it's spam or not. Here are the headers, can someone tell me from looking at this?
Thanks!

Delivered-To: [email protected]
Received: by 10.114.26.8 with SMTP id 8cs227055waz;
Sat, 9 Jan 2010 17:04:34 -0800 (PST)
Received: by 10.114.237.6 with SMTP id k6mr3103395wah.221.1263085474132;
Sat, 09 Jan 2010 17:04:34 -0800 (PST)
Return-Path: <[email protected]>
Received: from a.eb02.ebhost9.com (a.eb02.ebhost9.com [216.240.181.4])
by mx.google.com with ESMTP id 13si39144933pzk.25.2010.01.09.17.04.32;
Sat, 09 Jan 2010 17:04:33 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates 216.240.181.4 as permitted sender) client-ip=216.240.181.4;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 216.240.181.4 as permitted sender) smtp.mail=[email protected]; dkim=pass (test mode) [email protected]
Received: by a.eb02.ebhost9.com (Postfix, from userid 0)
id 439FC25838F; Sun, 10 Jan 2010 03:04:32 +0200 (SAST)
To: [email protected]
Subject: Your bonus is waiting for you
Message-ID: <1263085472_SectionI[email protected]eb02.ebhost9.com>
List-Unsubscribe: <http://a.eb02.ebhost9.com//RWCode/subscribe.asp?Mode=unsubscribe&SiteID=78126&SID=1&[email protected]>
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=eb02.ebhost9.com; [email protected]; q=dns/txt; s=gmmailerd; t=1263085446; h=From; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; l=0; b=ZLbOdFEvU2xxdFyUKlcdvn/vaMU9+7kv4gOwn/9d5APcCvsIpAlDZllCFzd07XE+2/klorsoUGnH1IC7ksMhLzVdbLcGvabNWDD59jCiKOODECR2V4E+BD6kfCg9R7L007Y+onkn0m6Tm5ORUquW6sDYY+ynu+gcbq0jtgChN08=
From: "Support" <[email protected]>
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="e548932d886a3fd0a368913bd0a0c83e"
Date: Sun, 10 Jan 2010 03:04:32 +0200 (SAST)
 

bb28

Meister Member
Joined
Nov 18, 2006
Location
US
Thanks Rob.

It's the most legit looking spam I think I've ever received. How can I get the aff ID off of it in firefox?

It's strange for another reason also, on the top of the email, it says this email was sent to [email protected] by [email protected] and if you click on the [email protected] that is what comes up in the email address.
 

AussieDave

Banned User
Joined
Dec 24, 2005
Location
Australia
The originating IP is: 216.240.181.4

Which resolves to: ebhost9.com and is hosted at ixpres.com

Whereas

Rob pointed out all mailers from Rockbet are sent via casinocontroller.com

IP: 200.124.131.116

---------

I'd forward the complete headers above attached to the top of the spam you received and forward all that to: abuseATixpres.com


Cheers

:)

Dave
 

AussieDave

Banned User
Joined
Dec 24, 2005
Location
Australia
How can I get the aff ID off of it?

You can't get the affiliate ID from the headers. You need to grab that from the email body.

Unless it's a direct link with the aff code included.

If not then you'll need to right click one of the links. I'd send the link along with a complaint to RockBet Affiliates or to the casino rep here.

He'll be able to suss out who is sending the spam and sort it out.


Cheers

:)

Dave
 

bb28

Meister Member
Joined
Nov 18, 2006
Location
US
Anyone can put anything there. Hell I can put cmATcasinomeister.com there if I wanted to but it doesn't mean it came from CM....get it :cool:


Cheers

:)

Dave

LOL.........yeah I knew that, had a temporary blonde moment.

I've been around the block a few times but this one had me wondering if it was legit or not. :eek2:
 

winbig

Keep winning this amount.
Joined
Mar 10, 2005
Location
Pennsylvania
I just got one, too.

The page the link xxxhttp://c.eb02.ebhost9.com/sendlink.asp?HitID=1263081954000&StID=78126&SID=1&NID=619345&EmID=37219308&Link=aHR0cDovL3d3dy5yb2NrYmV0LmNvbS9zaWdudXAvc3BlY2lhbC1vZmZlci01MDBtYXRjaC5waHA%3D goes to:


xxxhttp://c.eb02.ebhost9.com/[email protected]=1263081954000&StID=78126&SID=1&NID=619345&EmID=37219308&Link=aHR0cDovL3d3dy5yb2NrYmV0LmNvbS9zaWdudXAvc3BlY2lhbC1vZmZlci01MDBtYXRjaC5waHA=

The content of this page is:
Code:
<script>
   document.location.href="xxxhttp://www.rockbet.com/signup/special-offer-500match.php"
</script>


The download link on the above page is xxxhttp://rockbet.com/get/wd/366506


So, there you go. It sure looks like an affiliate to me. Their ID is 366506, right? Do I get a cookie? :D
 

RobWin

closed account
Joined
Apr 24, 2004
Location
A Vault!
The download link on the above page is xxxhttp://rockbet.com/get/wd/366506


So, there you go. It sure looks like an affiliate to me. Their ID is 366506, right? Do I get a cookie? :D

Yep, that's it and John has built them a special landing page as well!
____
____
 

winbig

Keep winning this amount.
Joined
Mar 10, 2005
Location
Pennsylvania
Yep, that's it and John has built them a special landing page as well!
____
____

Thanks for the confirmation, Rob. I wasn't sure if that was an internal promotion number, or a regular affiliate ID. :thumbsup:

I'm in contact with RockBet via email right now (they answered me within 2 minutes of my sending them an email). They inferred that I actually signed up for such a list, but I let them know that in no certain terms that I had. I also noted that I'm sure RockBet doesn't condone spam, and hoped that they weren't dropping this matter and would look into it. :D
 

alabama5150

Dormant account
Joined
Sep 27, 2009
Location
Lake Elsinore, California
there is an area that says "Gmail" permitted

This typically means they are white listed and have not been associated with with spamming and the ip is free of complaints or worse in terms of spam.

Gmail is supposed to be really good as far as the identifying of spammers and spoof attempts.


Since it says approved or permitted, thus far they haven't anyway. Whitelist is only a possibility. It could also be "non blacklisted". i would be not too worried. But it is a good question ,wondering if everything looks good and passes checks , could you still be at risk?
 
Top