Getting Scammers' "Reply to" accounts deleted

[Basil]

Hi Everyone,

I couldn't find a reference to this, but my apologies if I missed a similar discussion.

SpamCop does an excellent job, but it doesn't supply the "Reply to" domain address. This puzzles me, as from the scammer's point of view, that account is vital for the majority of their cons, even if phone numbers are provided.

Phone calls have several disadvantages. A thick Nigerian accent isn't typical of a London Barrister or Merchant Banker! Intonation and hesitation arouse suspicion, which may lead to the scammer being asked what the nearest station is to his chambers or bank. Phone calls also cost money of course.

The first thing I do, is hit "Reply" and then cut the reply address, before cancelling the reply. This provides the *actual* reply addie, whether or not the displayed one was forged.

In the bottom box, I enter:

"Please delete this scammer's "Reply to" account: [paste in stored address]"

I then go to:

http://abuse.net/lookup.phtml

...and paste it in there too. The site only accepts the domain name, so delete "scammer[at]".

This will usually provide at least one abuse or report_spam address to forward my comment to.

All that's left is to copy and paste it into SpamCop's "Re: User Notification" box and send the report.

The abuse.net site has an option to add info when they have none. If anyone knows a complaint addie for "yahoo.gr", I'd be obliged if they'd provide it to them.

I've no idea if I'm simply wasting my time doing this or whether some of these accounts actually do get closed down.

Feedback would be very welcome. Either I'll stop wasting my time or know that I'm not wasting it after all.

[turetzsr]

Hi Everyone,

...Hi, Basil, and welcome!

<snip>

SpamCop does an excellent job, but it doesn't supply the "Reply to" domain address. This puzzles me, as from the scammer's point of view, that account is vital for the majority of their cons, even if phone numbers are provided.

...Depends on the scam, I would say. Yes, if the scammer relies on e-mail contact to benefit, such as so-called "419" scams. But I believe the number of such scams to be becoming a relatively small proportion of all the scams I've been seeing.

The first thing I do, is hit "Reply" and then cut the reply address, before cancelling the reply. This provides the *actual* reply addie, whether or not the displayed one was forged.

<snip>

...IIUC, this is not necessarily the case -- both "From" addresses and "Reply-to" addresses can be forged.

[Wazoo]

I couldn't find a reference to this, but my apologies if I missed a similar discussion.

The art, science, and black magic of "searching" .... in this case, what you'd want to look for is "forged" .. as in addresses used to stuff the From:, Reply-To: header lines. Apparently, you have not yet enjoyed your moment in thr sun when it's your address that's used n these lines. A few places to look, the SpamCop FAQ 'here' has the Why am I getting all these Bounces? .... the Wiki has numerous entries, a fair share of them entered by rconner .... again, the magic word is "forged"

Previous Topics/Discussions here and in the newsgroups tend to start with "I didn't send this e-mail" .... or complaining about all the "Misdirected Bounces" (yet another magic term that's to be found in multiple places)

[Miss Betsy]

There are some scammers who use email addresses as 'drop boxes' and there are some anti spammers who take the time to report them. Most of these addresses are found in the body of the email. Usually, the FROM and the 'return-path' are both forged so I think what you have been doing is probably not reaching any spammers and possibly annoying some innocent victims of having their email address forged.

I once received a fax with a 'drop box' email address at hotmail. That was almost impossible to report!! By the time that I convinced them what I was reporting, they probably had already killed the account.

The advantage of reporting the 'drop boxes' is that it reduces the chances of some gullible/greedy person replying. Spamcop no longer allows reporting of email addresses found within the body of the spam because there were too many innocent email addresses being reported. As someone else said, usually only the 419 scammers use email as a method of contact. Other spammers rely on luring the victim to a website.

Miss Betsy

[rconner]

Looks good, Basil

You can find the Reply-To address (if one exists) by looking at the full header of the message, this means you don't have to "reply" to the message.

If you want to go a level deeper, read the wiki page on reporting e-mail addresses.

I do get some occasional feedback from the major providers that they do close out these addresses. Don't know whether all of them get closed out, or how quickly this is done.

-- rick

[rconner]

Usually, the FROM and the 'return-path' are both forged so I think what you have been doing is probably not reaching any spammers and possibly annoying some innocent victims of having their email address forged.

419 scams may be one class of spam in which the forged-address assumption doesn't always apply. Based on my observations of the modus operandi of the 419 gangs, I believe they tend to provide reply-to-addresses that are genuine. Often the same address is provided in the body of the message as well. I suspect that the from-address is also genuine, but is used only to authenticate with the webmail service to send the message; it is purposely NOT used for replies (meaning that there will be little traffic coming back to this address, and thus little prospect of abuse complaints). In other words, the scammer has to log on with Yahoo (etc.) to send his or her 419 come-ons, and that address gets automatically put in the from-field. Presumably the scammer can fill in a reply-to field with whatever he or she likes.

So, I usually report addresses which I am specifically invited in the body to use, and reply-to addresses if these are given. I usually don't report from-addresses because as you point out these could be forgeries.

-- rick

[Farelf]

... I then go to:

http://abuse.net/lookup.phtml

...and paste it in there too. ...

You can paste an email address (complete) into the parser input box (use another window, ignore the 'unreported spam' link if you still have the main parse live) and get abuse addresses that way. SC doesn't use the functionality any more, as Miss Betsy notes, but it is still there in terms of getting an address for manual reporting or 'user notification'. And, as Rick said, better to get e-mail address from the report headers than by opening the e-mail. One day one of those things (not necessarily a 419) is going to bite you if you get into that habit.

Just beware this is an actual spammer address at a public domain that you're getting - the majority (for 419s) are hotmail, Yahoo, Gmail etc. and it's not so often you would get an unforged one from elsewhere necessitating the look up of an abuse addresses. Some/many ('ordinary' spam) are patently forged because there's a mismatch between the domain and the server but others might be more subtle. If it's the spammer's own/owned domain (as opposed to public) you will be giving away more information than you want to if you send anything to it, even to the abuse address. In just about all other spam except 419s the 'From:'s and 'Reply-to:'s are forged and you don't want to bother their owners.

Nothing to do with SC reporting, but for valuable for the insights into the type see the various pages at 419 eater, particularly the recurrent warnings "Under NO CIRCUMSTANCES give them ANY real private information about yourself."

[dra007]

If your goal is to shut spammers/scammers down that takes a lot of research and work and becomes impractical when you will start getting 1000 or more spam e-mails a day as most of us here have experienced.

Bottom line is that in order to be effective at shutting down criminals often times you have to escalate one level or two above that that protects the spammer's identity. That requires a bit more sophistication and insight than the reporting that SpamCop provides. SpamCop is only effective if your provider uses their information or you use their e-mail service.

[Basil]

...Hi, Basil, and welcome!...Depends on the scam, I would say. Yes, if the scammer relies on e-mail contact to benefit, such as so-called "419" scams. But I believe the number of such scams to be becoming a relatively small proportion of all the scams I've been seeing....IIUC, this is not necessarily the case -- both "From" addresses and "Reply-to" addresses can be forged.

Thank you for the welcome Turetzsr.

I was hoping for a nice simple answer, but you've all shown me that I had a very simplified impression of the subject. I used to report spam back in the Win3.1 days, when getting on the net depended on your ability to set up Trumpet WinSock, spammers didn't forge headers then and reporting was simple and effective.

I get mostly phishes, though the 419s usually have a pseudo-UK 070 number or the traditional +234. Nice to know that Festac Town is still thriving. ;-)

Wazoo, I come across my own addie on quite a few. I'd be well concerned if the source IP addie was one I use!

I've also been a victim of spam-bots. One particular 'friend' doesn't believe in anti-malware progs and puts his trust in Windoze' firewall. His machine is probably a zombie, sending out DOS attacks and harvesting addies. :-( I'm gonna take take your advice and read through everyone's suggested sources. Thanks to all.

Miss Betsy and RConner, Good points. Hitting "Reply" seems to achieve the same, but I'm now following your advice. These are always free, disposable ones like yahoo.com.hk, gmail, windowslive etc. To me, they're the most important ones to shut down. I think the actual source accounts are autogenerated, used for one batch and then abandoned.

Farelf and Dra007, A lot more food for thought! I do avoid reporting to anything that might be a domain name bought by the spammer. The thought of being mailbombed with 1,000 spams a day is pretty scary.

Thanks everyone for your input. I'll check out the links and try to get a better grasp of the technicalities.

At least the 419 mailing lists seem to have a half-life of 6 months or a year, so ignoring them may be a better long-term policy. spam farms like GTT Marketing, LV, Nevada are a bigger nightmare. They ignore the spam-Can Act and spam[at]uce.gov doesn't seem interested in doing anything against against them.

Thanks again!