Is This A Spam Header

[bb28]

I received an email that looks very official but I'm suspicious because I've unsubscribed from them and I'm not sure if it's spam or not. Here are the headers, can someone tell me from looking at this?
Thanks!

Delivered-To: xxxxxx@gmail.com
Received: by 10.114.26.8 with SMTP id 8cs227055waz;
Sat, 9 Jan 2010 17:04:34 -0800 (PST)
Received: by 10.114.237.6 with SMTP id k6mr3103395wah.221.1263085474132;
Sat, 09 Jan 2010 17:04:34 -0800 (PST)
Return-Path: <returns@a.eb02.ebhost9.com>
Received: from a.eb02.ebhost9.com (a.eb02.ebhost9.com [216.240.181.4])
by mx.google.com with ESMTP id 13si39144933pzk.25.2010.01.09.17.04.32;
Sat, 09 Jan 2010 17:04:33 -0800 (PST)
Received-SPF: pass (google.com: domain of returns@a.eb02.ebhost9.com designates 216.240.181.4 as permitted sender) client-ip=216.240.181.4;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of returns@a.eb02.ebhost9.com designates 216.240.181.4 as permitted sender) smtp.mail=returns@a.eb02.ebhost9.com; dkim=pass (test mode) header.i=@eb02.ebhost9.com
Received: by a.eb02.ebhost9.com (Postfix, from userid 0)
id 439FC25838F; Sun, 10 Jan 2010 03:04:32 +0200 (SAST)
To: xxxxxxx@gmail.com
Subject: Your bonus is waiting for you
Message-ID: <1263085472_SectionID-619345_HitID-1263081954000_SiteID-78126_EmailID-73347773_DB-2@eb02.ebhost9.com>
List-Unsubscribe: <http://a.eb02.ebhost9.com//RWCode/subscribe.asp?Mode=unsubscribe&SiteID=78126&SID=1&Email=xxxxxx@gmail.com>
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=eb02.ebhost9.com; i=@eb02.ebhost9.com; q=dns/txt; s=gmmailerd; t=1263085446; h=From; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; l=0; b=ZLbOdFEvU2xxdFyUKlcdvn/vaMU9+7kv4gOwn/9d5APcCvsIpAlDZllCFzd07XE+2/klorsoUGnH1IC7ksMhLzVdbLcGvabNWDD59jCiKOODECR2V4E+BD6kfCg9R7L007Y+onkn0m6Tm5ORUquW6sDYY+ynu+gcbq0jtgChN08=
From: "Support" <support@rockbet.com>
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="e548932d886a3fd0a368913bd0a0c83e"
Date: Sun, 10 Jan 2010 03:04:32 +0200 (SAST)

 

[RobWin]

That's most likely spam BB, usually authentic email from Rockbet comes from
"Message-Id: <20090606082023.2388F96C00D@nu.casinocontroller.com>"
____
____

 

[bb28]

Thanks Rob.

It's the most legit looking spam I think I've ever received. How can I get the aff ID off of it in firefox?

It's strange for another reason also, on the top of the email, it says this email was sent to myemailaddy@gmail by support@rockbet.com and if you click on the support@rockbet that is what comes up in the email address.

 

[AussieDave]

The originating IP is: 216.240.181.4

Which resolves to: ebhost9.com and is hosted at ixpres.com

Whereas

Rob pointed out all mailers from Rockbet are sent via casinocontroller.com

IP: 200.124.131.116

---------

I'd forward the complete headers above attached to the top of the spam you received and forward all that to: abuseATixpres.com


Cheers



Dave

 

[AussieDave]

How can I get the aff ID off of it?

You can't get the affiliate ID from the headers. You need to grab that from the email body.

Unless it's a direct link with the aff code included.

If not then you'll need to right click one of the links. I'd send the link along with a complaint to RockBet Affiliates or to the casino rep here.

He'll be able to suss out who is sending the spam and sort it out.


Cheers



Dave

 

[AussieDave]

It's strange for another reason also, on the top of the email, it says this email was sent to myemailaddy@gmail by support@rockbet.com and if you click on the support@rockbet that is what comes up in the email address.

Anyone can put anything there. Hell I can put cmATcasinomeister.com there if I wanted to but it doesn't mean it came from CM....get it


Cheers



Dave

 

[bb28]

Anyone can put anything there. Hell I can put cmATcasinomeister.com there if I wanted to but it doesn't mean it came from CM....get it


Cheers



Dave

LOL.........yeah I knew that, had a temporary blonde moment.

I've been around the block a few times but this one had me wondering if it was legit or not.

 

[winbig]

I just got one, too.

The page the link xxxhttp://c.eb02.ebhost9.com/sendlink.asp?HitID=1263081954000&StID=78126&SID=1&NID=619345&EmID=37219308&Link=aHR0cDovL3d3dy5yb2NrYmV0LmNvbS9zaWdudXAvc3BlY2lhbC1vZmZlci01MDBtYXRjaC5waHA%3D goes to:


xxxhttp://c.eb02.ebhost9.com/sendlink.asp@HitID=1263081954000&StID=78126&SID=1&NID=619345&EmID=37219308&Link=aHR0cDovL3d3dy5yb2NrYmV0LmNvbS9zaWdudXAvc3BlY2lhbC1vZmZlci01MDBtYXRjaC5waHA=

The content of this page is:

<script>
   document.location.href="xxxhttp://www.rockbet.com/signup/special-offer-500match.php"
</script>

The download link on the above page is xxxhttp://rockbet.com/get/wd/366506


So, there you go. It sure looks like an affiliate to me. Their ID is 366506, right? Do I get a cookie?

 

[RobWin]

The download link on the above page is xxxhttp://rockbet.com/get/wd/366506


So, there you go. It sure looks like an affiliate to me. Their ID is 366506, right? Do I get a cookie?

Yep, that's it and John has built them a special landing page as well!
____
____

 

[bb28]

Yep, that's it and John has built them a special landing page as well!
____
____

A special landing page???

It would be interesting to know who that is uh.

 

[winbig]

Yep, that's it and John has built them a special landing page as well!
____
____

Thanks for the confirmation, Rob. I wasn't sure if that was an internal promotion number, or a regular affiliate ID.

I'm in contact with RockBet via email right now (they answered me within 2 minutes of my sending them an email). They inferred that I actually signed up for such a list, but I let them know that in no certain terms that I had. I also noted that I'm sure RockBet doesn't condone spam, and hoped that they weren't dropping this matter and would look into it.

 

[alabama5150]

there is an area that says "Gmail" permitted

This typically means they are white listed and have not been associated with with spamming and the ip is free of complaints or worse in terms of spam.

Gmail is supposed to be really good as far as the identifying of spammers and spoof attempts.


Since it says approved or permitted, thus far they haven't anyway. Whitelist is only a possibility. It could also be "non blacklisted". i would be not too worried. But it is a good question ,wondering if everything looks good and passes checks , could you still be at risk?