lbaty

Spammer using my email address


My topic is similar to a previous topic ("Spoof of my address").

Background ...

I have successfully been using SpamCop to diagnose and send reports to the spammer's hosting ISP and originating mailserver abuse addresses.

Links to the offending website address/es seem to change about once a week and old domains/addresses seem no longer accessible (I'm assuming the SpamCop reports are getting the domain names cut off).

I don't remember the name of the topics about spamvertised sites, but the primary purpose of spamcop is to identify the source of the spam. There is not much energy expended by spamcop on identifying the spamvertised web sites. As Wazoo said, the spammers regularly change websites to keep in business.

Problem ...

Without realising the implications, I updated my account to the "Mailhosts" system.

Now when I try to report, I get the message "Possible forgery. Supposed receiving system not associated with any of your mailhosts" (see here)

Questions ...

Should I revert back to the older system (pre mailhosts)?

How do I do that?

Can anyone suggest anything else?

My topic is similar to a previous topic ("Spoof of my address").

Which of course had me asking "why a new Topic then?" .....

Links to the offending website address/es seem to change about once a week and old domains/addresses seem no longer accessible (I'm assuming the SpamCop reports are getting the domain names cut off).

Or that's how long the spammer decided to run that site/location .... ????

Without realising the implications, I updated my account to the "Mailhosts" system.

Terminology, really. You say 'update' .... as titled in the Forum section set up for this .... it is actually the "MailHost Configuration of your Reporting Account" .....

Now when I try to report, I get the message "Possible forgery. Supposed receiving system not associated with any of your mailhosts" (see here)

First question, as the answer isn't specifically spelled out ... was the MailHost Configuration of your Reporting Account successfully accomplished? Part of that 'verification' is checking the results of a parse .....

The questions that come next are all over the place, due to the above missing factoids ....

Did you ever get a successful parse of the "MailHost Configuration" process?

Is this the 'actual bounce e-mail' ... or are you extracting the spam out of the bounce?

... which would mean that you need to have another good look at the reporting "Rules" ....

Is frontiernet.net your serving ISP?

Should I revert back to the older system (pre mailhosts)?

How do I do that?

Can anyone suggest anything else?

Hard to say, as there are too many unanswered questions about what is actually going on ....

And with this post, moving this to the MailHost Configuration of your Reporting Account Forum section .... plans are to even change the Subject/Title after that move to better reflect the actual subject of the post ....

I have successfully been using SpamCop to diagnose and send reports to the spammer's hosting ISP and originating mailserver abuse addresses.

Links to the offending website address/es seem to change about once a week and old domains/addresses seem no longer accessible (I'm assuming the SpamCop reports are getting the domain names cut off).

I don't remember the name of the topics about spamvertised sites, but the primary purpose of spamcop is to identify the source of the spam. There is not much energy expended by spamcop on identifying the spamvertised web sites. As Wazoo said, the spammers regularly change websites to keep in business.

Problem ...

Without realising the implications, I updated my account to the "Mailhosts" system.

Now when I try to report, I get the message "Possible forgery. Supposed receiving system not associated with any of your mailhosts" (see here)

Questions ...

Should I revert back to the older system (pre mailhosts)?

How do I do that?

Can anyone suggest anything else?

As Wazoo suggested, it sounds as though you haven't completely finished the mailhost configuration. You are not supposed to report spam until the mailhost configuration is complete.

The only way that I know to revert back to the old system is to register with spamcop again with a new email address and don't configure mailhosts. However, since you have started mailhosts, you might as well find out what the problem is. Mailhosts does prevent you from inadvertently reporting your ISP.

Since you do read FAQ, re-read the Mailhosts ones and see if anything helps you either to fix the problem or to ask a question. (if you figure out how to fix the problem, please post so that others who have the same problem will know what they can do.) To find out the problem with Mailhosts, you need to detail what you have done (without publishing any secret codes, etc.) and what the response was. You also need to explain how many mail systems you are using.

Since you haven't listed precisely the 'bounces' you are getting under 'Problem' I am assuming that you understand from reading the FAQ that, even though you have identified the spammer, there is not much you can do about the situation - except to report the bounces which keeps the source IP on the blocklist. And to do that you need to get your mailhosts working.

Miss Betsy


Thanks Wazoo and Miss Betsy.

I see I have made some mistakes in my posting.

Please don't hesitate to let me know if I have missed anything in my followup post ...

Additional information ...

I followed all the instructions for setting up the mailhosts configuration. I received and followed up on the account configuration email including pasting the mail header and special codes etc. into the relevant spamcop page.

The email messages I want to report are attached to bounces from various email servers (mail delivery failures). So the emails I am reporting have not directly been received by me. I.e. I have extracted the spam out of the bounced email. (I have been extremely careful to report only spam email messages.)

Additional Questions ...

Am I correct in assuming that if I report the bounced mail delivery failure itself, I am not reporting the spammer, but the mailserver which has rejected the spam?

I don't see how reporting these mail delivery failures or bounces helps anyone ???

If the "Rules" state that I can't or shouldn't report the extracted spam from the mail bounces, how can I stop or report this spammer for using my email address as the spoofed sender of his spam?

Is it against the spamcop "rules" to use spamcop analysis to find the necessary contact email addresses, etc. Then cancel the spam report in spamcop and send a spam report from my own email server?

Comments ...

I think the spamcop service is fantastic. If I have been breaking the rules by reporting the spam extracted from the bounced mail failures, I will stop doing so.


The email messages I want to report are attached to bounces from various email servers (mail delivery failures). So the emails I am reporting have not directly been received by me. I.e. I have extracted the spam out of the bounced email. (I have been extremely careful to report only spam email messages.)

That is against the rules you agreed to when joining spamcop. Officially, that is someone else's spam. The bounce is your spam.

Additional Questions ...

Am I correct in assuming that if I report the bounced mail delivery failure itself, I am not reporting the spammer, but the mailserver which has rejected the spam?

I don't see how reporting these mail delivery failures or bounces helps anyone ???

Hopefully the poorly setup system will be changed so they will not redistribute the spam to innocent users.

If the "Rules" state that I can't or shouldn't report the extracted spam from the mail bounces, how can I stop or report this spammer for using my email address as the spoofed sender of his spam?

There is no way to do so. Likely reporting is not even getting to the spammer but to the administrator of a network where there are compromised machines.

Is it against the spamcop "rules" to use spamcop analysis to find the necessary contact email addresses, etc. Then cancel the spam report in spamcop and send a spam report from my own email server?

No, that is perfectly legal.


<snip>

I don't see how reporting these mail delivery failures or bounces helps anyone ???

If the "Rules" state that I can't or shouldn't report the extracted spam from the mail bounces, how can I stop or report this spammer for using my email address as the spoofed sender of his spam?

There is little point in reporting spammers to their providers because either they are using hijacked machines or the provider is collaborating with them. Most responsible ISPs do not need reports to take care of hijacked machines; the rest don't care because the hijacked machines are not mail servers.

Reporting the mail delivery failures alerts those who are 'bouncing' email after receiving it that this is as annoying as the original spam. The people who are sending emails stating non-delivery can stop doing it; they are just ignorant of how to run a mail server. If they are so incompetent that they can't stop or if they are helping the spammers by allowing spam to go through their systems, then if they are reported, they will be blocked by those who use the spamcop blocklist and those people will not have to look at them in their inbox.

Miss Betsy


Thanks for your reply StevenUnderwood.

That is against the rules you agreed to when joining spamcop.

A rule I clearly missed or misunderstood when I signed up - I have been blocked from further reporting for this rule violation (and rightly so).

Officially, that is someone else's spam. The bounce is your spam.

Perhaps ... however I fear that others will not report this spam or worse will block my email address as the (falsely) identified source of the spam.

Hopefully the poorly setup system will be changed so they will not redistribute the spam to innocent users.

I agree this is a good long-term solution. However I'm still stuck for a solution that will help in the shorter-term.

There is no way to do so. Likely reporting is not even getting to the spammer but to the administrator of a network where there are compromised machines.

Doesn't it seem worthwhile to assist the administrators of compromised machines to identify holes in their systems?

If these compromised systems are shut down or fixed, there will be less available for spammers to exploit.

No, that is perfectly legal.

Excellent - Thanks.

There is no way to do so. Likely reporting is not even getting to the spammer but to the administrator of a network where there are compromised machines.
Doesn't it seem worthwhile to assist the administrators of compromised machines to identify holes in their systems?

If these compromised systems are shut down or fixed, there will be less available for spammers to exploit.

<snip>

...FWIW, I agree with you. Others do not, for example Miss Betsy (the first paragraph in her reply). Splitting the difference, I would say that there is, at best, diminishing utility in reporting compromised as the admins who do not care, aren't competent or are in cahoots with the spammers are probably becoming a larger and larger proportion of all such admins. But I'm going to continue to do so.


Thanks for your reply Miss Betsy,

There is little point in reporting spammers to their providers because either they are using hijacked machines or the provider is collaborating with them. Most responsible ISPs do not need reports to take care of hijacked machines; the rest don't care because the hijacked machines are not mail servers.

Reporting the mail delivery failures alerts those who are 'bouncing' email after receiving it that this is as annoying as the original spam. The people who are sending emails stating non-delivery can stop doing it; they are just ignorant of how to run a mail server. If they are so incompetent that they can't stop or if they are helping the spammers by allowing spam to go through their systems, then if they are reported, they will be blocked by those who use the spamcop blocklist and those people will not have to look at them in their inbox.

OK, I see your point.

However it seems there would be benefit in emailing an administrator who may not realise that they have a hijacked machine.

I can also see what you mean about reporting the mail delivery failures; this makes sense.

My other main concern is that others may falsely block or identify my email address as the source for this spam.

<snip>

My other main concern is that others may falsely block or identify my email address as the source for this spam.

...No one who is knowledgeable would do that; I don't remember seeing anyone report in the SpamCop forums something like that happening. So I think you're most likely safe. :) <g>


OK, it seems I have all the answers to my problems. (The remaining points seem to be a matter of opinion or personal preference)

If there are no other comments, I am happy for this thread to be closed.

Thanks to all who participated.

Summary ...

I will cease reporting extracted spam messages from email bounces (as per spamcop rules).

I will report only the mail delivery failures or bounces.

I will consider using the spamcop system to locate email appropriate abuse or administrator addresses for spam extracted from bounces (however will report them from my own mailserver, not using spamcop).


Doesn't it seem worthwhile to assist the administrators of compromised machines to identify holes in their systems?

If these compromised systems are shut down or fixed, there will be less available for spammers to exploit.

<snip>...FWIW, I agree with you. Others do not, for example Miss Betsy (the first paragraph in her reply). Splitting the difference, I would say that there is, at best, diminishing utility in reporting compromised as the admins who do not care, aren't competent or are in cahoots with the spammers are probably becoming a larger and larger proportion of all such admins. But I'm going to continue to do so.

To report spam that you get is more and more to report to server admins of compromised systems and I agree it is a good thing to do - both to inform those who care and to block those who don't.

IMHO, it is not worth manually extracting the spam from a bounce to report - particularly if the intent is to stop a spammer from forging your domain name in the return path. You will not ever stop a spammer from forging your name and sending spam, no matter what you do (unless you want to abandon your present way of living and become an underground vigilante who tries to completely eliminate spammers from the earth).

And someone else will either report the actual spam or block that IP address so the server admin will know sooner or later if he cares. In fact, I bet the server admins who care, know exactly who to inform and who to block and will have done it much more quickly than any end user reporter.

If someone does think that your domain in the return path of spam is where the spam really comes from, then it would be much better to be doing something to educate them about spam, spam prevention, good internet use of email, etc.

Miss Betsy
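
An added example (not part of the thread and not SpamCop's code) of the distinction the posts above draw between the bounce and the spam extracted from it: it parses a constructed delivery failure and shows that the bounce itself was received by the reporter's own server, while the spam embedded in it was received by someone else's. The hostnames, the sample message and the function names are made up, and comparing the topmost Received header with a single mailhost name is a simplifying assumption about what a mailhost check looks at.

```python
import email
from email import policy

# Constructed bounce (DSN) as it arrives at the forged sender; all hosts are made up.
SAMPLE_BOUNCE = """\
Return-Path: <>
Received: from mx.bouncer.example ([192.0.2.25])
 by mail.victim.example with ESMTP; Mon, 01 Jan 2024 10:00:05 +0000
From: MAILER-DAEMON@bouncer.example
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.bouncer.example

--b1
Content-Type: message/rfc822

Return-Path: <me@victim.example>
Received: from pc ([203.0.113.77])
 by mx.bouncer.example with SMTP; Mon, 01 Jan 2024 10:00:00 +0000
From: me@victim.example
Subject: Cheap pills

spam body
--b1--
"""

def receiving_host(msg):
    """Host named after 'by' in the topmost (most recent) Received header."""
    top = " ".join(str(msg.get("Received", "")).split())
    return top.split(" by ", 1)[1].split()[0] if " by " in top else None

def analyse_bounce(raw, my_mailhost):
    """Compare the bounce's own headers with those of the spam embedded in it."""
    outer = email.message_from_string(raw, policy=policy.default)
    is_dsn = (outer.get_content_type() == "multipart/report"
              and outer.get_param("report-type") == "delivery-status")
    embedded = next((p.get_content() for p in outer.walk()
                     if p.get_content_type() == "message/rfc822"), None)
    inner_host = receiving_host(embedded) if embedded is not None else None
    return {
        "is_bounce": is_dsn,
        "bounce_received_by_me": receiving_host(outer) == my_mailhost,
        "embedded_received_by": inner_host,
        "embedded_received_by_me": inner_host == my_mailhost,
    }
```

Calling `analyse_bounce(SAMPLE_BOUNCE, "mail.victim.example")` shows the bounce arriving at the reporter's server and the embedded spam arriving at `mx.bouncer.example`, which is why the embedded message counts as someone else's spam.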
