paul101

Spammer spoofing our Spamcop address


Something odd cropped up this morning. We received 80 bounced message reports regarding messages we didn't send. At first I thought it was a standard joe-job or spoof... that some spammer was using our domain name in forged headers to try getting around spam filters.

They all contain the same original message... all in Russian characters; since I don't read Russian, I have no idea what they say.

I looked over the (original spam) headers and discovered the forged return address is our Spamcop.net address (not our domain mail server). I can post a few samples here if that would help. I'm on a deadline today, so it might not be until later. Almost all of them also involve a domain called artbairdpottery.com and relays from all over the world (mostly Australia). The wave has subsided somewhat in the last hour, so maybe the attack is dying out.

I'm wondering if there's something that can be done on the Spamcop side to kill this stuff before it floods my inbox... or tips on how to blacklist it easily, without having to dig through each spam. I'm also wondering if I should take the time to forward them all to the reporting service -- or if that's just a waste of resources (your and ours).

Thanks,

Paul


Provide a Tracking URL on one or two of them (at least) .... that may allow someone to point to a line that could be filtered on to at least move them out of your InBox .. but of course, that also brings up all those other nitbits on how you've got your account set-up, how you access it, etc., etc., ...


Thanks. Here are four typical example tracking URLs. We've only received one more in the past few hours, so maybe the spammer has moved on to greener pastures. We'll look over our settings and see what we can do. Please let us know if more samples would be useful.

- Paul

http://www.spamcop.net/sc?id=z918270274z40...b8e54ac32be1f2z

http://www.spamcop.net/sc?id=z918271126z0d...9362520e49aa20z

http://www.spamcop.net/sc?id=z918271828z6f...3d9deea6be482ez

http://www.spamcop.net/sc?id=z918272956z73...b76079eee74cf4z


The problem resurfaced this week and was especially bad today. 36 bounced message reports punched through to our 'real' POP email address, and 56 bounced message reports are currently sitting in our SpamCop held mail folder. Spammers are using our SpamCop address as the forged "from" address in their spew and we're receiving bounced mail reports from ISPs all over the planet. Any help from SpamCop admins would be greatly appreciated.

Sorting through the 'real' spam and the bounced message reports is time consuming and frustrating. Obviously, we don't want to report the bounces as spam (got a warning from Don at SpamCop admin when we accidentally reported legit ISP reports).

Questions:

1) Should we just delete the bounce reports in our held mail folder, or would a SpamCop admin like to look at them? If the latter, can a SpamCop admin look over our held mail folder directly? We'll be glad to supply whatever user info SpamCop might need.

2) Is there an address at SpamCop admin where we can forward them... in hopes that SpamCop can use them to refine the filters somehow? Is there a contact phone number at SpamCop where we can discuss this in real time without the need for lots of back and forth emails or posts? That would save us all lots of time.

3) Changing our SpamCop address will be a real hassle. We've been using it for years and many clients, online accounts and acquaintances only know us through that address. Is there some way we can keep our current SpamCop address, or is it so polluted that we'll need to kill it and get a new one?

I don't want to vent here, but my boss is livid... I'm frustrated and in over my head. The purpose of the SpamCop address was to reduce the amount of spam (or at least make it easier to manage). I hope someone at SpamCop can go to bat for us. I could really use some help.

Thanks,

Paul


There's basically nothing you can do about it. All you can do is ride it out and hope the spammer starts forging somebody else's address pretty soon, which they usually do.

If they're mostly all coming from the same source, you can put the MAILER-DAEMON "From" address on your SpamCop blacklist. Or just putting charter.net on the blacklist would do it. Unless you have pals writing from there. Using cluster1.charter.net might work.

Feel free to report the bounces along with your spam. SpamCop will send the host a notice that his server is sending unsolicited email to the innocent victims of spammer forgery.

- Don D'Minion - SpamCop Admin -


PS and update... the latest attack does not appear to be related to the original bounces I talked about in my original post. I'm posting here to continue this thread, rather than start a new one. I should have mentioned that earlier. Sorry. Really slammed with this issue today, plus we're trying to conduct business (read: have a life).

I'll keep checking in here. I see Wazoo stopped by and a few other familiar user names. Note that if you call our phone number and you have caller ID disabled, we won't pick up. Please leave voicemail and we'll call back.

- Paul

Thanks, Don. Further, ever further.

- Paul

I just used 'Quick Reporting' to clear out our held mail folder. Thanks again, Don. My boss just told me his blood pressure went down a notch or two after reading your reply. (grin)

- Paul


I saw Don here also, so went on to other queries elsewhere ... came back .. decided to offer something different ... and address other questions ...

The problem resurfaced this week and was especially bad today. 36 bounced message reports punched through to our 'real' pop email address, and 56 bounced message reports are currently sitting in our SpamCop held mail folder.

First question there would be about trying to figure out what the difference was between the 36 and 56 e-mails. I'll repeat your question there, why did some fly and why did some get Held? And the catch is, only you have the 36 to look at right now .....

Spammers are using our SpamCop address as the forged "from" address in their spew and we're receiving bounced mail reports from ISPs all over the planet. Any help from SpamCop admins would be greatly appreciated.

As noted around the world, this is a continuing issue .. a bit of the "luck of the draw" these days as to when "your" address gets put into use. Ton loads of recommendations to use SPF and DomainKeys records and such, but .. they have their own issues, not everyone is using them, etc., etc., etc.

Two recent such attacks on some web-sites I support were handled by placing a notice on the front page of a temporary e-mail address to use (actually a script file that handled things in the background .. i.e. not exposing that address to the world) .... one 'attack' / spam run went on for three days, the other for almost a week ... then the spammer moved on to someone else's address (hmmm, maybe yours? <g>) ... returned the web-pages back to normal .....

As Don says, and I said in another post elsewhere, the only way to actually (easily?) stop this kind of crap these days is to somehow prevent the spammer from touching a keyboard .... yes, there are tools out there to do filtering, handling, management, but .... spammers also buy these same tools and spend the time figuring out how to 'break' them .... a recent FAQ entry here --> Software Development Life Cycle principles for spam

1) Should we just delete the bounce reports in our held mail folder, or would a SpamCop admin like to look at them?

The "SpamCop Rules" have been changed to allow the reporting of these things, but .... the ultimate answer deals with the specifics of each item .. some bounce with the original spam intact, some with a note, some just manage to screw it all up .... if the headers/content are valid, yes, they can be reported ....

If the latter, can a SpamCop admin look over our held mail folder directly? We'll be glad to supply whatever user info SpamCop might need.

Problem there is that there is only one person with that kind of access to the e-mail servers ....

Getting his time is a challenge <g> ... and from my perspective, the items that hit the Held folder seemed to have had things working as expected/designed .. it's the 36 that made it through the filtering process that would be of the most interest ... analyzing them, looking at your SpamCop.net e-mail account configuration, then trying to come up with a match to change something ... but as you've indicated, those 36 wouldn't still be on JT's servers ....????

I have in the past received account data from other users to climb into their accounts to troubleshoot something (and write-up some FAQ and How To .... entries) .... but that's a comfort issue thing ..

2) Is there an address at SpamCop admin where we can forward them... in hopes that SpamCop can use them to refine the filters some how? Is there a contact phone number at SpamCop where we can discuss this in real time without the need for lots of back and forth emails or posts?

Contact forms/address for Official staff are available in numerous places on this Forum, but again, there is only the one person with that kind of access to these specific servers ... and the primary applications in use have their own support spots/forums .... listed in the SpamCop FAQ here ....

I don't want to vent here, but my boss is livid... I'm frustrated and in over my head. The purpose of the SpamCop address was to reduce the amount of spam (or at least make it easier to manage). I hope someone at SpamCop can go to bat for us. I could really use some help.

To be fair, you have admitted that it is helping, i.e. only 36 made it through as compared to the whole 92 .....

The follow-on question may be on also configuring a few more filtering actions at the receiving end?

For example (and this said with no knowledge of the e-mail involved) .. a filter to move any and all "spamcop account" e-mail to another folder .... kind of going in that you're at the level where "all" e-mail arrives ..??? (working on how "the boss is livid" but you're the one asking for help ..so some assumptions are clouding my vision perhaps ???)

Long-winded, but ....???
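Don's suggestion of filtering on the MAILER-DAEMON sender and Wazoo's follow-on about adding filter actions at the receiving end can be combined into one check that separates backscatter from genuine bounces. The Python below is an added example, not code from this thread or from SpamCop; the forged address paul@spamcop.example, the relay mail.example.net and the sample bounce builder are all constructed placeholders.

```python
"""Added example (not from this thread or SpamCop): tag a bounce as backscatter
when the returned original claims our From address but never passed our relay."""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

OUR_ADDRESS = "paul@spamcop.example"  # assumed: the address spammers forge
OUR_RELAY = "mail.example.net"        # assumed: host our real mail leaves through


def is_bounce(msg: Message) -> bool:
    """DSN: multipart/report;report-type=delivery-status or a MAILER-DAEMON/postmaster sender."""
    dsn = (msg.get_content_type() == "multipart/report"
           and (msg.get_param("report-type") or "").lower() == "delivery-status")
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return dsn or sender.startswith(("mailer-daemon@", "postmaster@"))


def embedded_original(msg: Message):
    """Return the original message a DSN carries back as a message/rfc822 part, if any."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            payload = part.get_payload()  # list holding the embedded Message
            return payload[0] if isinstance(payload, list) and payload else None
    return None


def classify(raw: str) -> str:
    """'other' | 'bounce-genuine' | 'backscatter' | 'bounce-unknown' (needs a human look)."""
    msg = message_from_string(raw)
    if not is_bounce(msg):
        return "other"
    orig = embedded_original(msg)
    if orig is None:
        return "bounce-unknown"  # bounce without the original attached
    forged = OUR_ADDRESS in parseaddr(orig.get("From", ""))[1].lower()
    via_us = any(OUR_RELAY in r for r in orig.get_all("Received", []))
    return "bounce-genuine" if via_us else ("backscatter" if forged else "bounce-unknown")


def sample_bounce(received: str) -> str:
    """Constructed DSN whose returned original carries the given Received line."""
    return (
        "From: Mail Delivery System <MAILER-DAEMON@mx.charter.example>\n"
        "To: paul@spamcop.example\nSubject: Undelivered Mail Returned to Sender\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="B"\n\n'
        "--B\nContent-Type: text/plain\n\nDelivery failed.\n"
        "--B\nContent-Type: message/rfc822\n\n"
        f"Received: {received}\nFrom: paul@spamcop.example\n"
        "To: victim@charter.example\nSubject: hi\n\nbody\n--B--\n"
    )
```

A mail client or procmail-style rule can then route everything tagged "backscatter" to its own folder instead of the inbox, leaving genuine bounces where they belong.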


I saw Don here also, so went on to other queries elsewhere ... came back .. decided to offer something different ... and address other questions ...

Thanks, Wazoo, your reply is much appreciated. Lots to ponder here and I'll work up a better reply tonight or tomorrow (hopefully, something that will be useful to other SpamCop users who find themselves in this situation). It's been a long day and I'm turning off this silly box for a while.

- Paul
