Email Spam Filter:
jwSpamSpy
Try it for free!


About spam / "419" / Blog
jwSpamSpy
Recent spam domains
Spam domain blacklist

Software
Links
joewein.de
joewein.net
Contact
Google

 

Xenophobia, Spam and Viruses: The "German Spam"

Last revised: 2005-05-16

It was one year ago that a German Neo-nazi used computers infected by the Sober.G virus that he had created in order to spread nazi propaganda by email.

Now the same person appears to have struck again. Sober.P which infected numerous computers in recent weeks seems to have switched into spamming mode. It downloaded Sober.Q, which includes messages for spam emails. Since about 2005-05-15 00:35 UTC xenophobic, extremist spam is flooding into our mailboxes again (Note: An updated version of jwSpamSpy that stops Sober.Q spam has been available on our website since yesterday, 2005-05-15).

An important fact to remember with Sober.Q is that, like all current viruses, it spoofs sender addresses. Do not use the "Reply" function of your email program to contact the "sender" because you will reach an unrelated person. Most likely that person will also have received another copy of that spam using yet another email address. Even your own address could have been used as a fake spam sender address: You will know once you receive messages about failed deliveries. Read "How to trace senders of viruses" on how to locate and report virus sources. There is no way to prevent such abuse.

The quickest way to deal with the messages is to filter on the subject lines. If you happen to be running SpamAssassin on your mail server, you can use a rule set provided by Prolocation, a Dutch webhosting webhosting company.

Here are some examples of Sober.Q-spams.

Example #1:

Received: from gukca.fr (58.20.97-84.rev.gaoland.net [84.97.20.58])
	by boggle.pobox.com (Postfix) with SMTP id 9C2F410A60C;
	Sat, 14 May 2005 20:27:32 -0400 (EDT)
From: soizic-verstraete@voila.fr
To: joewein@pobox.com
Date: Sun, 15 May 2005 00:23:50 UTC
Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
MIME-Version: 1.0
Message-ID: <4a3a.3e53fc01511aa37@voila.fr>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"

Lese selbst:
http://brandenburg.rz.fhtw-berlin.de/poetschke.html

Example #2:

Received: from gyuyoutce.com (217-162-207-173.dclient.hispeed.ch [217.162.207.173])
	by lime.pobox.com (Postfix) with SMTP id 60D394BAF7B
	for ; Sat, 14 May 2005 20:33:25 -0400 (EDT)
From: support@xengames.com
To: e_smtp@pobox.com
Date: Sun, 15 May 2005 00:31:45 UTC
Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
Importance: Normal
X-Mailer: Outlook 5.12
X-Priority: 3 (Normal)
MIME-Version: 1.0
Message-ID: <df12a5a674d.77fde82@xengames.com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"

Lese selbst:
http://brandenburg.rz.fhtw-berlin.de/poetschke.html

Example #3:

Received: from sbsevced.com (gateway11.ornis.com [194.133.14.20])
	by boggle.pobox.com (Postfix) with SMTP id 4828810BC8E;
	Sat, 14 May 2005 20:42:03 -0400 (EDT)
From: marianne.van.linstee@vopak.com
To: jwspamspy@pobox.com
Date: Sun, 15 May 2005 00:36:33 GMT
Subject: Trotz Stellenabbau
Importance: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Message-ID: <ff94.419708aecd0b@vopak.com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"

Lese selbst:
http://www.spiegel.de/wirtschaft/0,1518,338652,00.html


Example #4:

Received: from avapcudf.com (58.20.97-84.rev.gaoland.net [84.97.20.58])
	by fence.pobox.com (Postfix) with SMTP id 8047438E;
	Sat, 14 May 2005 21:03:09 -0400 (EDT)
From: h_h_abboud@hotmail.com
To: MailBox@pobox.com
Date: Sun, 15 May 2005 00:59:29 GMT
Subject: Deutsche Buerger trauen sich nicht ...
Importance: Normal
X-Mailer: Outlook 2.48
X-Priority: 3 (Normal)
MIME-Version: 1.0
Message-ID: <8de52fbd3ae.fdf17175@pobox.com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"

Auslaenderbanden terrorisieren Wahlkampf - deutsche Buerger trauen 
sich nicht ihre Meinung zu sagen!

Weiter auf:
http://www.npd-nrw.net/aktuelles/03_2005/ak_presse_nrw_1603.htm

Auslaender ueberfallen nationale Aktivisten:
http://www.npd.de/npd_info/meldungen/2005/m0505-13.html

http://www.npd.de/npd_info/meldungen/2005/m0505-14.html


Example #5:

Received: from xqmqfm.com (pcp0010402804pcs.plmthm01.pa.comcast.net [68.45.64.188])
	by boggle.pobox.com (Postfix) with SMTP id C142010A7C0;
	Sat, 14 May 2005 21:04:53 -0400 (EDT)
From: fbianchi@cutpasteandprint.com
To: mail-user@pobox.com
Date: Sun, 15 May 2005 00:49:42 GMT
Subject: Augen auf
Importance: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Message-ID: <ff3ae137cf86579f8dbe@cutpasteandprint.com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"

http://www.rocknord.de
http://www.aktivefrauenfraktion.tk
http://www.kopfmord.de
http://www.das-gibts-doch-nicht.de
http://www.zukunft-europa.info/index.html
http://www.geocities.com/scorpios2602/links.html
http://www.g-d-f.de
http://www.bewaeltigen.de
http://www.wk-institut.de
http://www.jungefreiheit.de
http://www.auslaendergewalt.ch
http://www.pro-koeln-online.de
http://www.leverkusener-aufbruch.com
http://www.buergerbewegungen.de/index.html
http://www.un-nachrichten.de
http://www.radio-freiheit.com


Example #6:

Received: from wflfebki.com (58.20.97-84.rev.gaoland.net [84.97.20.58])
	by icicle.pobox.com (Postfix) with SMTP id 7CB4867662;
	Sat, 14 May 2005 21:35:51 -0400 (EDT)
From: laetitia_tia_tia@msn.com
To: Recipient@pobox.com
Date: Sun, 15 May 2005 01:32:49 UTC
Subject: Trotz Stellenabbau
Importance: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Message-ID: <eae8.20e2bcb73eafad9@msn.com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"


Lese selbst:
http://www.spiegel.de/wirtschaft/0,1518,338652,00.html


Example #7:

Received: from ggtktmobo.org (adsl-33-211-121.lft.bellsouth.net [67.33.211.121])
	by lime.pobox.com (Postfix) with SMTP id 21EF44A3A11;
	Sat, 14 May 2005 21:46:56 -0400 (EDT)
From: jferraro@americanbible.org
To: jwspamspy@pobox.com
Date: Sun, 15 May 2005 01:42:28 GMT
Subject: 60 Jahre Befreiung: Wer feiert mit?
Importance: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Message-ID: <5936ea7d12.bad4abd61@americanbible.org>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"

http://www.unserforum.com/aff/include.php?path=content/content.php&contentid=149

http://www.unserforum.com/aff/include.php?path=content/content.php&contentid=54

http://www.unserforum.com/aff/include.php?path=content/content.php&contentid=55

http://www.unserforum.com/aff/include.php?path=content/content.php&contentid=56


Example #8:

Received: from bbbdorv.ch (217-162-207-173.dclient.hispeed.ch [217.162.207.173])
	by icicle.pobox.com (Postfix) with SMTP id 930C067698
	for <joewein@pobox.com>; Sat, 14 May 2005 22:02:48 -0400 (EDT)
From: p.baettig@freesurf.ch
To: E-Post@pobox.com
Date: Sun, 15 May 2005 02:00:51 UTC
Subject: Auf Streife durch den Berliner Wedding
Importance: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Message-ID: <e54ecb4.4ca4e05ec93f@freesurf.ch>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"

Lese selbst:
http://www.zdf.de/ZDFde/inhalt/7/0,1872,2222503,00.html

http://www.libasoli.de/2004/ethnoclans%20spiegel50_04.html


Example #9:

Received: from ucoocgmb.com (dsl-66-78-69-69.ipns.com [66.78.69.69])
	by kelvin.pobox.com (Postfix) with SMTP id 14AD83C020F;
	Sat, 14 May 2005 22:05:16 -0400 (EDT)
From: anuragchandra@mindspring.com
To: joewein@pobox.com
Date: Sun, 15 May 2005 01:56:52 UTC
Subject: 60 Jahre Befreiung: Wer feiert mit?
Importance: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Message-ID: <ab868ab5ee87.9f0b@mindspring.com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"

http://www.unserforum.com/aff/include.php?path=content/content.php&contentid=149

http://www.unserforum.com/aff/include.php?path=content/content.php&contentid=54

http://www.unserforum.com/aff/include.php?path=content/content.php&contentid=55

http://www.unserforum.com/aff/include.php?path=content/content.php&contentid=56


List of message subjects
These message subject seem relatively safe to filter on, especially if you qualify that by a message size of less than 3 KB (including headers):

  • "4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass"
  • "60 Jahre Befreiung: Wer feiert mit?"
  • "Armenian Genocide Plagues Ankara 90 Years On"
  • "Auf Streife durch den Berliner Wedding"
  • "Augen auf"
  • "Auslaender bevorzugt"
  • "Auslaenderpolitik"
  • "Blutige Selbstjustiz"
  • "Deutsche Buerger trauen sich nicht ..."
  • "Deutsche werden kuenftig beim Arzt abgezockt"
  • "Dresden 1945"
  • "Dresden Bombing Is To Be Regretted Enormously"
  • "Du wirst ausspioniert ....!"
  • "Du wirst zum Sklaven gemacht!!!"
  • "Gegen das Vergessen"
  • "Graeberschaendung auf bundesdeutsche Anordnung"
  • "Hier sind wir Lehrer die einzigen Auslaender"
  • "Massenhafter Steuerbetrug durch auslaendische Arbeitnehmer"
  • "Multi-Kulturell = Multi-Kriminell"
  • "Paranoider Deutschenmoerder kommt in Psychiatrie"
  • "S.O.S. Kiez! Polizei schlaegt Alarm"
  • "Schily ueber Deutschland"
  • "The Whore Lived Like a German"
  • "Transparenz ist das Mindeste"
  • "Trotz Stellenabbau"
  • "Tuerkei in die EU"
  • "Verbrechen der deutschen Frau"


SOBER.H in 2004
From the early hours of the morning of 10-Jun-2004, thousands of extremist emails fllooded into mailboxes in Germany, other European countries and across the world. What appears to have been a cyber-attack by extreme rightists from Germany timed for the elections to the European Parliament reached servers as far as the United States, Brazil and Australia.

What is particularly remarkable about this spam is that it is closely linked to Sober.G, a virus circulating for a number of weeks before the spam attack. In fact, this has led the new spam to be dubbed Sober.H. Coincidentally with the outbreak of Sober.H nearly all mailings by Sober.G stopped. All evidence indicates that Sober.H is an add-on to Sober.G, which created the infrastructure for it. Sober.H carries no virus payload (i.e. infective executable), it relies entire on Sober.G to infect machines and then download an extension that then sends political spam.

Links between the spammer-scene and German neo nazis have been documented by Heise Verlag, a german publisher, before, same for links between virus authors and spammers (see "Aufgedeckt: Trojaner als Spam-Roboter"). Now for the first time all three elements have been combined.

Sober.G vs. Sober.H (Nazi-Spam-Mailer)

  • Both Sober.G and Sober.H use fake qmail-Message-IDs, e.g.
    Message-ID: <8c2f5064c35548.2c3e8.qmail@scooter-attack.com>
    Note: Genuine qmail MIDs do not have any lower case letters to the left of the ".qmail@" string :-)

  • Both Sober.G and Sober.G combine local address parts of known addresses with Domains of other addresses to produce more targets, but also large number of bounces, which go to faked sender addresses. They are normally received in bunches of 40 (see also: Provoking Non-Delivery Notifications (NDN) as a Denial-of-Service (DoS) attack).

  • Some spam-texts even contain a "comment by the author of Sober".

Infected hosts:
Since Sober.H uses existing Sober.G infections to spread its messages, Sober.H has been a worldwide problem.

Here are some examples:

#1:

Received: from p83.129.146.203.tisdip.tiscali.de ([83.129.146.203] helo=quuuwpmp.com)
	by epsilon.mc1.hosteurope.de with smtp (Exim 4.34)
	id 1BYGBM-0008CL-5I; Thu, 10 Jun 2004 05:24:48 +0200
From: name@domain
To: irgendeinname@meinedomain
Date: Thu, 10 Jun 2004 02:23:20 GMT
MIME-Version: 1.0
Subject: Auslaenderkriminalitaet steigt weiter!
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <5a79d076bc4299.61b3a.qmail@domain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
#2:
Received: from p83.129.131.119.tisdip.tiscali.de ([83.129.131.119] helo=wxwykor.de)
	by zeta.mc1.hosteurope.de with smtp (Exim 4.34)
	id 1BYUMu-0002qg-8w; Thu, 10 Jun 2004 20:33:40 +0200
From: name@domain
To: name@meinedomain
Date: Thu, 10 Jun 2004 16:20:22 GMT
MIME-Version: 1.0
Subject: EU gibt Erwerbslosen volle Freizuegigkeit -2237-
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <f209ff7af39553.a7d0e.qmail@domain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
#3:
Received: from p83.129.131.119.tisdip.tiscali.de ([83.129.131.119] helo=wydxnssru.com)
	by eta.mc1.hosteurope.de with smtp (Exim 4.34)
	id 1BYSIC-00062Z-Uw; Thu, 10 Jun 2004 18:20:41 +0200
From: name@domain
To: meinname@meinedomain
Date: Thu, 10 Jun 2004 16:20:22 GMT
MIME-Version: 1.0
Subject: Auslaendergewalt: Herr Rau, wo waren Sie?
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <8c2f5064c35548.2c3e8.qmail@domain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
#4:
Received: from p83.129.131.119.tisdip.tiscali.de ([83.129.131.119] helo=hunvwyuhv.de)
	by epsilon.mc1.hosteurope.de with smtp (Exim 4.34)
	id 1BYTP1-0007ek-L1; Thu, 10 Jun 2004 19:31:47 +0200
From: name@domain
Date: Thu, 10 Jun 2004 16:20:22 GMT
MIME-Version: 1.0
Subject: Augen auf! (So sieht es aus!)
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <ca31f823648452.56c2d.qmail@domain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
#5:
Received: from yhklpcy.de (p548090C6.dip.t-dialin.net [84.128.144.198])
     by mailin.webmailer.de (8.12.10/8.12.10) with SMTP id i5AJf2WV027556;
     Thu, 10 Jun 2004 21:41:03 +0200 (MEST)
From: name@domain
To: anderername@anderedomain
Date: Thu, 10 Jun 2004 19:39:13 GMT
MIME-Version: 1.0
Subject: Was Deutschland braucht, sind deutsche Kinder!
Importance: Normal
X-Mailer: Mail-SMTP V8.69
X-Priority: 3 (Normal)
Message-ID: <9d0cd761bd85b1.50018.qmail@domain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
#6:
Received: from p83.129.131.119.tisdip.tiscali.de ([83.129.131.119] helo=opgjswrh.de)
	by epsilon.mc1.hosteurope.de with smtp (Exim 4.34)
	id 1BYVVe-0005hi-KB; Thu, 10 Jun 2004 21:46:46 +0200
From: name@domain
To: irgendeinname@meinedomain
Date: Thu, 10 Jun 2004 19:38:15 GMT
MIME-Version: 1.0
Subject: Neue Voelkerwanderung droht! -Id:9116-
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <78436bfac175f0.91e9b.qmail@domain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
#7:
Received: from l1030p16.dipool.highway.telekom.at (HELO meuvguw.com) (62.46.192.176)
  by 192.168.43.10 with SMTP; 10 Jun 2004 22:00:13 +0200
From: meinname@meinedomain
To: irgendeinname@meinedomain
Date: Thu, 10 Jun 2004 20:00:04 GMT
MIME-Version: 1.0
Subject: Augen auf! (So sieht es aus!) -Key:2075-
Importance: Normal
X-Mailer: Mail-SMTP V8.8
X-Priority: 3 (Normal)
Message-ID: <b92b6ddf4c2fc5.866e2.qmail@meinedomain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
#8:
Received: from p83.129.131.119.tisdip.tiscali.de ([83.129.131.119] helo=abacnr.de)
	by epsilon.mc1.hosteurope.de with smtp (Exim 4.34)
	id 1BYX4H-0008NT-93; Thu, 10 Jun 2004 23:26:37 +0200
From: name@domain
Date: Thu, 10 Jun 2004 21:12:27 GMT
MIME-Version: 1.0
Subject: Wir haben die Auslaender doch geholt?! #Id:5502#
Importance: Normal
X-Mailer: Mail-SMTP V2.49
X-Priority: 3 (Normal)
Message-ID: <265e0016cf0881.86a24.qmail@domain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
#9:
Received: from tikrw.com ([81.5.252.12])
	by mx3.eunet.at (8.12.8/8.12.8) with SMTP id i5AA0NZh003559;
	Thu, 10 Jun 2004 12:00:23 +0200
From: meinname@meinedomain
Date: Thu, 10 Jun 2004 09:50:07 GMT
MIME-Version: 1.0
Subject: Wir haben die Auslaender doch geholt?! '3662'
Importance: Normal
X-Mailer: Mail-SMTP V2.64
X-Priority: 3 (Normal)
Message-ID: <4accc7b3159751.cc055.qmail@meinedomain>
Content-Type: text/plain; charset="us-ascii"
Apparently-To: <name1@derstandard.at>
Apparently-To: <name2@derstandard.at>
...
Apparently-To: <name40@derstandard.at>
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by
 thewall1.derstandard.at id i5AA0QEV006123
#10:
Received: from p83.129.131.119.tisdip.tiscali.de ([83.129.131.119] helo=gcwejb.de)
	by epsilon.mc1.hosteurope.de with smtp (Exim 4.34)
	id 1BYZAr-0006gB-C7; Fri, 11 Jun 2004 01:41:33 +0200
From: name@domain
To: anderename@meinedomain
Date: Thu, 10 Jun 2004 23:38:18 GMT
MIME-Version: 1.0
Subject: Skandal in Berlin
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <96990f9e0e62a6.9eee3.qmail@01019freenet.de>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
#11:
Received: from a34b2.a.pppool.de(213.6.52.178) by
 neo.nbg.net via csmap (V6.0) id srcAAAX9ayYv; Fri, 11 Jun 04 09:09:03 +0200
From: meinname@meinedomain
Date: Fri, 11 Jun 2004 07:12:28 GMT
MIME-Version: 1.0
Importance: Normal
X-Mailer: Mail-SMTP V1.84
X-Priority: 3 (Normal)
Message-ID: <944d05173b7853.9bd87.qmail@meinedomain>
X-MIMETrack: Itemize by SMTP Server on NS78902/Sparkasse Bautzen(Release 
 5.0.11 |July 24, 2002) at11.06.2004 09:19:44,Serialize
 by Router on NS78902/Sparkasse Bautzen(Release 5.0.11 |July 24, 2002)
 at11.06.2004 09:19:47,Serialize complete at 11.06.2004
	 09:19:47
Subject: Mehr fuer Auslaender als fuer Deutsche tun!
 [=?iso-8859-1?Q?Virengepr=FCft_von_Sparkasse_Bautzen]?=
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
#12:
Received: from awlmd.com ([68.113.84.127]) by fisherman with
 Microsoft SMTPSVC(6.0.3790.0); Thu, 10 Jun 2004 19:56:46 -0700
From: meinname@meinedomain
To: anderername@anderedomain
Date: Fri, 11 Jun 2004 02:01:34 GMT
MIME-Version: 1.0
Subject: Nein zum Zuwanderungsgesetz !
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <1442bc92f5adff.98ce5.qmail@meinedomain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
 charset="us-ascii"

Note: The mail in example #9 is from cable-68-113-84-127.alx.al.charter.com [68.113.84.127], a broadband host in Alabama, USA. #13:

Received: from 217-68-166-217.cable.primacom.net ([217.68.166.217]
helo=vfpywrh.com) by eta.mc1.hosteurope.de with smtp (Exim 4.34) id
1BYpHW-00057z-N4; Fri, 11 Jun 2004 18:53:31 +0200
From: webmaster@einedomain
To: einname@anderedomain
Date: Fri, 11 Jun 2004 14:30:48 GMT
MIME-Version: 1.0
Subject: Mehr fuer Auslaender als fuer Deutsche tun! -5304-
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <1014c1cb47e9c5.7c409.qmail@einedomain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"

Re #13: We received Sober.G-Virusmails from the same IP-adress on 09-Apr-2004 and 17-Apr-2004. This means, the machine was allowed to remain infected for two months even though we notified the provider (primacom.net) on 09-Apr-2004.

#14:

Received: from p83.129.130.28.tisdip.tiscali.de ([83.129.130.28]
helo=edaihsdp.de) by eta.mc1.hosteurope.de with smtp (Exim 4.34) id
1BYnJw-0004RV-Vh; Fri, 11 Jun 2004 16:47:53 +0200
From: name@t-online.de
Date: Fri, 11 Jun 2004 14:08:46 GMT
MIME-Version: 1.0
Subject: DEUTSCHES MAEDCHEN FAST VERGEWALTIGT 
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <5a58c0be4f36d2.50da5.qmail@t-online.de>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
To: undisclosed-recipients: ;
#15:
Received: from [217.185.13.213] (helo=oiboa.de) by mxng05.kundenserver.de
with smtp (Exim 3.35 #1) id 1BYezV-0002lO-00; Fri, 11 Jun 2004 07:54:14
+0200
From: name@domain
To: anderename@meinedomain
Date: Fri, 11 Jun 2004 05:52:25 GMT
MIME-Version: 1.0
Subject: Auslaendergewalt: Herr Rau, wo waren Sie? <3097>
Importance: Normal
X-Mailer: Mail-SMTP V5.64
X-Priority: 3 (Normal)
Message-ID: <1cb809d64a9e86.297e8.qmail@domain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
#16:
Received: from npynpwcmt.de (v208-231.vps.tuwien.ac.at [128.131.208.231])
 by mx2.noc.eunet-ag.at (8.12.10/8.12.10) with SMTP id i5CBitoE011583;
 Sat, 12 Jun 2004 13:44:56 +0200
From: meinname@meinedomain
To: name@domain
Date: Sat, 12 Jun 2004 11:37:21 GMT
MIME-Version: 1.0
Subject: Geschrieben von Margrit am 07. April 2004 #9990#
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <e03502c0b6f9d8.6d629.qmail@meinedomain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Re #16: This spam contains a "comment from the author of Sober", in which he incites to violence.

#17:

Received: from p213.54.28.90.tisdip.tiscali.de ([213.54.28.90]
helo=onvxyuhpl.de) by delta.mc1.hosteurope.de with smtp (Exim 4.34) id
1BZ73w-0006Dq-Iy; Sat, 12 Jun 2004 13:52:42 +0200
From: name@domain
To: irgendeinname@meinedomain
Date: Sat, 12 Jun 2004 08:34:54 GMT
MIME-Version: 1.0
Subject: Die Deform der sozialen Ordnung
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <a0fdb512f73785.2209c.qmail@domain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
#18:
Received: from p213.54.5.134.tisdip.tiscali.de ([213.54.5.134]
helo=dbhpqbc.com) by epsilon.mc1.hosteurope.de with smtp (Exim 4.34) id
1BZ9Zk-0006Lv-Fu; Sat, 12 Jun 2004 16:33:42 +0200
From: name@domain
Date: Sat, 12 Jun 2004 14:13:16 GMT
MIME-Version: 1.0
Subject: Skandal in Berlin [Id:5229]
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <32934d08ddbed9.85de3.qmail@domain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
To: undisclosed-recipients: ;
#19:
Received: from [62.245.141.20] (helo=rsrtmjmci.de) by mxng09.kundenserver.de
 with smtp (Exim 3.35 #1) id 1BZDX2-0006DO-00 for
 webmaster@meinedomain; Sat, 12 Jun 2004 20:47:08 +0200
From: name@domain
Date: Sat, 12 Jun 2004 18:43:16 GMT
MIME-Version: 1.0
Subject: Polizei traute sich nicht, kriminellen Auslaender festzunehmen #Key:8230#
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <785528af962c87.18d96.qmail@domain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
To: undisclosed-recipients: ;
#20:
Received: from p213.54.15.48.tisdip.tiscali.de ([213.54.15.48]
 helo=vqgllkmfc.de) by delta.mc1.hosteurope.de with smtp (Exim 4.34)
 id 1BZE5g-0001BO-Ro; Sat, 12 Jun 2004 21:22:58 +0200
From: name@domain
Date: Sat, 12 Jun 2004 19:09:51 GMT
MIME-Version: 1.0
Subject: Bankrott des Gesundheitswesens durch Auslaender!
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <860be9008b024b.34b48.qmail@domain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
To: undisclosed-recipients: ;
#21:
Received: from dialin-212-144-133-215.arcor-ip.net ([212.144.133.215]
 helo=miucyq.com) by delta.mc1.hosteurope.de with smtp (Exim 4.34) id
 1BZbyj-0006Bj-Ku; Sun, 13 Jun 2004 22:53:23 +0200
From: name@domain
To: irgendeinname@meinedomain
Date: Sun, 13 Jun 2004 20:52:54 GMT
MIME-Version: 1.0
Subject: EU gibt Erwerbslosen volle Freizuegigkeit :4073:
Importance: Normal
X-Mailer: Mail-SMTP V10.60
X-Priority: 3 (Normal)
Message-ID: <14e10765290f60.74ae0.qmail@domain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
#22:
Received: from 172.182.25.106  (HELO sdpljpxfp.de) (172.182.25.106)  by
mta276.mail.scd.yahoo.com with SMTP; Sun, 13 Jun 2004 04:33:38 -0700
From: name@domain
To: anderename@anderedomain
Date: Sun, 13 Jun 2004 11:27:02 GMT
MIME-Version: 1.0
Subject: Bin ich zu weltfremd? Ich glaube wohl kaum 
Importance: Normal
X-Mailer: Mail-SMTP V8.68
X-Priority: 3 (Normal)
Message-ID: <484643cc1ac099.72375.qmail@domain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
#23:
Received: from [217.243.177.247] (port=3123 helo=kbfffh.de)
by mailbackup.inode.at with smtp (Exim 4.30)
id 1BZVO4-0007Yl-2v; Sun, 13 Jun 2004 15:51:04 +0200
From: meinname@meinedomain
To: name@domain
Date: Sun, 13 Jun 2004 13:48:05 GMT
MIME-Version: 1.0
Subject: Skandal in Berlin [Key:4078]
Importance: Normal
X-Mailer: Mail-SMTP V7.59
X-Priority: 3 (Normal)
Message-ID: <92c1e7760deaab.71163.qmail@meinedomain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
#24:
Received: from gqkpbynof.org (a077180.dialin.hansenet.de [213.191.77.180])
by smtp03do.de.uu.net (8.9.3p2/5.5.5) with SMTP id PAA14772;
Sun, 13 Jun 2004 15:32:31 +0200 (MET DST)
From: meinname@meinedomain
To: name@domain
Date: Sun, 13 Jun 2004 12:27:09 GMT
MIME-Version: 1.0
Subject: Das kann unmoeglich sein -Leserbrief-
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <650048ddc58b90.3349e.qmail@meinedomain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
#25:
Received: from unknown (HELO ucvocnm.com) ([80.228.133.211])
          (envelope-sender <joewein@pobox.com>)
          by mx06.ispgateway.de (qmail-ldap-1.03) with SMTP
          for name@domain; 14 Jun 2004 19:53:41 -0000
From: meinname@meinedomain
To: irgendeinname@domain
Date: Mon, 14 Jun 2004 19:34:47 GMT
MIME-Version: 1.0
Subject: Skandal in Berlin [Id:2326]
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <4dcb624e3c2627.51d8b.qmail@meinedomain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
#26:
Received: from p509179ad.dip.t-dialin.net ([80.145.121.173]
helo=nbtcefbnc.de) by epsilon.mc1.hosteurope.de with smtp
 (Exim 4.34) id 1BZq2C-0002f7-7M;
 Mon, 14 Jun 2004 13:53:53 +0200
From: name@domain
Date: Mon, 14 Jun 2004 11:49:07 GMT
MIME-Version: 1.0
Subject: EU gibt Erwerbslosen volle Freizuegigkeit
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <16100813df0405.24f53.qmail@domain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
To: undisclosed-recipients: ;
#27:
Received: from p213.54.1.117.tisdip.tiscali.de ([213.54.1.117] helo=mnjvkay.nl)
 by eta.mc1.hosteurope.de with smtp (Exim 4.34) id 1BZubb-0003bf-UX;
 Mon, 14 Jun 2004 18:46:45 +0200
From: name@domain
Date: Mon, 14 Jun 2004 16:43:35 GMT
MIME-Version: 1.0
Subject: Skandal in Berlin -Id:8112-
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <366590e329d4d2.d002e.qmail@domain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
To: undisclosed-recipients: ;
#28:
Received: from 62-2-125-208.dial-in.hispeed.ch ([62.2.125.208]
 helo=gycfnbbi.ch) by zeta.mc1.hosteurope.de with smtp (Exim 4.34)
 id 1BaHsF-00005x-6g; Tue, 15 Jun 2004 19:37:30 +0200
From: name@domain
To: irgendeinname@meinedomain
Date: Tue, 15 Jun 2004 17:33:11 GMT
MIME-Version: 1.0
Subject: Skandal in Berlin [Id:3933]
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <9093cae0541610.883c0.qmail@domain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
#29:
Received: from [81.5.248.222] (helo=kpsqwfmq.com)
by patricia.utanet.at with smtp (Exim 4.12)
id 1BaUU5-0000Rb-00; Wed, 16 Jun 2004 09:05:21 +0200
From: meinname@meinedomain
To: name@domain
Date: Wed, 16 Jun 2004 07:04:21 GMT
MIME-Version: 1.0
Subject: EU gibt Erwerbslosen volle Freizuegigkeit
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <37992e6db19a0b.92665.qmail@meinedomain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
#30:
Received: from vgimh.de (dialin-80-228-132-137.ewe-ip-backbone.de [80.228.132.137])
 by pop.nmmn.net (Postfix) with SMTP
 id 898BEB8AA7; Wed, 16 Jun 2004 16:17:42 +0200 (CEST)
From: meinname@meinedomain
To: name@domain
Date: Wed, 16 Jun 2004 13:44:54 GMT
MIME-Version: 1.0
Subject: Wer an ein Tabu ruehrt, muss und darf vernichtet werden
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <8e5251fbfe749b.222fb.qmail@meinedomain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
#31:
Received: from otlkexlwd.de (drsd-d9ba6038.pool.mediaWays.net [217.186.96.56])
 by smtp03do.de.uu.net (8.9.3p2/5.5.5) with SMTP id AAA15051;
 Thu, 17 Jun 2004 00:13:06 +0200 (MET DST)
From: meinname@meinedomain
To: name@domain
Date: Wed, 16 Jun 2004 21:56:34 GMT
MIME-Version: 1.0
Subject: Geschrieben von Margrit am 07. April 2004 -Id:1155-
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <382a8d20749f9c.146c0.qmail@meinedomain>
Content-Type: text/plain; charset="us-ascii"
Note about #31: The receiving host sent us 40 individual Non-Delivery-Notifications with a total of 400 KB (each with a full quote of the nazi-spam). See: Provoking Non-Delivery Notifications (NDN) as a Denial-of-Service (DoS) attack.

#32:

Received: from drhywr.com (chello213047075032.14.vie.surfer.at [213.47.75.32])
	by giganetwork.com (8.9.3p2/8.9.3) with SMTP id NAA17224;
	Thu, 17 Jun 2004 13:18:39 +0300
From: meinname@meinedomain
Date: Thu, 17 Jun 2004 09:59:38 GMT
MIME-Version: 1.0
Subject: Auslaender erschleichen sich zunehmend Sozialleistungen
Importance: Normal
X-Mailer: Mail-SMTP V8.42
X-Priority: 3 (Normal)
Message-ID: <44ee431b40899a.e0c75.qmail@meinedomain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
#33:
Received: from hnclbnw.de (dialin-80-228-56-228.ewe-ip-backbone.de [80.228.56.228])
	by pdmailgate.presse-data.de (Postfix) with SMTP
	id 37A8F1B71; Thu, 17 Jun 2004 14:11:51 +0200 (CEST)
From: meinname@meinedomain
To: name@domain
Date: Thu, 17 Jun 2004 12:05:20 GMT
MIME-Version: 1.0
Subject: Libanesen in Berlin -Key:3218-
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <e14d0f584d3f32.66379.qmail@meinedomain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
#34:
Received: from cuyckxwf.de (pD95F0953.dip.t-dialin.net [217.95.9.83])
 by mailin1.informatik.tu-muenchen.de (Postfix) with SMTP id A04CC68;
 Thu, 17 Jun 2004 20:24:05 +0200 (MEST)
From: meinname@meinedomain
Date: Thu, 17 Jun 2004 18:15:57 GMT
MIME-Version: 1.0
Subject: Auslaendergewalt: Herr Rau, wo waren Sie? [Key:2936]
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <c6c84b103979d1.d5355.qmail@meinedomain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
To: undisclosed-recipients:;
#35:
Received: from gsbobheme.de (pD9E4BEA6.dip.t-dialin.net [217.228.190.166])
	by mailin2.informatik.tu-muenchen.de (Postfix) with SMTP id A751C2533;
	Sun, 20 Jun 2004 19:26:52 +0200 (MEST)
From: meinname@meinedomain
Date: Sun, 20 Jun 2004 17:16:16 GMT
MIME-Version: 1.0
Subject: Nein zum Zuwanderungsgesetz ! :5878:
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <ed7f5e2d48ad5e.9ea2d.qmail@meinedomain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
To: undisclosed-recipients:;
#36:
Received: from 123.191-200-80.adsl.skynet.be (HELO wquhe.com) (80.200.191.123)
  by mrelay2-2.pro.proxad.net with SMTP; 19 Jun 2004 10:29:27 -0000
From: meinname@meinedomain
To: name@domain
Date: Sat, 19 Jun 2004 08:42:34 GMT
MIME-Version: 1.0
Subject: Augen auf! (So sieht es aus!)
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <e2e4f48637fc69.a0b77.qmail@meinedomain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
#37:
Received: from uytjoo.com (unknown [203.214.145.105])
 by pico.pico (Efinity) with SMTP
 id E61D5105A3; Sun, 20 Jun 2004 07:34:37 +0200 (CEST)
From: meinname@meinedomain
To: name@domain
Date: Sun, 20 Jun 2004 05:32:53 GMT
MIME-Version: 1.0
Subject: Auslaender erschleichen sich zunehmend Sozialleistungen [9148]
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <59ffa0e64aa5ac.cf044.qmail@meinedomain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"

Note about #37: The infect sender was in Australia, the bouncing recipient in Italy and the bounce was sent to my mailbox in the USA.

#38:

Received: from aukiihjc.de (ACB3F76D.ipt.aol.com [172.179.247.109])
	by mx01 (Postfix) with SMTP
	id 4330A3FE0A5; Mon, 21 Jun 2004 14:07:06 +0200 (CEST)
From: meinname@meinedomain
Date: Mon, 21 Jun 2004 11:35:04 GMT
MIME-Version: 1.0
Subject: Augen auf! (So sieht es aus!)
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <7094335b1563a9.e6c1f.qmail@meinedomain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
To: undisclosed-recipients: ;
#39:
Received: from byrt-d9bb7f1e.pool.mediaways.net ([217.187.127.30] helo=wmqqqslh.com)
 by pam.utanet.at with smtp (Exim 4.12)
 id 1Bcqeq-0003Fc-00; Tue, 22 Jun 2004 21:10:12 +0200
From: meinname@meinedomain
To: name@domain
Date: Tue, 22 Jun 2004 17:25:05 GMT
MIME-Version: 1.0
Subject: Wer an ein Tabu ruehrt, muss und darf vernichtet werden (Key:3103)
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <4b6672d5691e37.b0511.qmail@meinedomain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
#40:
Received: from 217.239.74.134  (HELO dbgpwh.de) (217.239.74.134)
  by mta116.mail.sc5.yahoo.com with SMTP; Tue, 22 Jun 2004 12:32:28 -0700
From: meinname@meinedomain
Date: Tue, 22 Jun 2004 17:43:08 GMT
MIME-Version: 1.0
Subject: Das kann unmoeglich sein -Leserbrief- [7803]
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <a0149813c944f0.4fde0.qmail@meinedomain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
#41:
Received: from hjwjpmut.de (dialin-212-144-147-135.arcor-ip.net [212.144.147.135])
	by mail.uboot.com (Postfix) with SMTP;
	Tue, 22 Jun 2004 00:09:55 +0200 (CEST)
From: meinname@meinedomain
Date: Mon, 21 Jun 2004 22:03:42 GMT
MIME-Version: 1.0
Subject: Wer an ein Tabu ruehrt, muss und darf vernichtet werden (Id:8092)
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <136751a88e545e.e5690.qmail@meinedomain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
To: undisclosed-recipients: ;
#42:
Received: from malrypxq.de (pD9EF4A86.dip0.t-ipconnect.de [217.239.74.134])
	by mail.pgd.at (Postfix) with SMTP
	id A1C941809A; Tue, 22 Jun 2004 13:37:48 +0200 (CEST)
From: meinname@meinedomain
To: name@domain
Date: Tue, 22 Jun 2004 11:24:07 GMT
MIME-Version: 1.0
Subject: Richter unterstuetzt kriminelle Auslaenderin
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <933cd7c7034fb4.45653.qmail@meinedomain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
#43:
Received: from nnmphl.com (chello213047075032.14.vie.surfer.at [213.47.75.32])
 by bak2smtp1.edc.dartmail.net (Postfix) with SMTP
 id 8A8272A852; Wed, 23 Jun 2004 18:51:32 +0100 (IST)
From: meinname@meinedomain
Date: Wed, 23 Jun 2004 17:34:27 GMT
MIME-Version: 1.0
Subject: Neue Voelkerwanderung droht! 
Importance: Normal
X-Mailer: Mail-SMTP V6.48
X-Priority: 3 (Normal)
Message-ID: <4347bf1a017f7c.9ea30.qmailmeinedomain>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
To: undisclosed-recipients:;


Links:
Rassistischer Spam und der Mail-Wurm Sober.G (heise.de, 10.06.2004 16:32)
Spam-Welle mit ausländerfeindlichen Inhalten (heise.de, 10.06.2004 12:52)
Aufgedeckt: Trojaner als Spam-Roboter