How do I report spam being forged to my email address???

[Elzar]

Starting about 4 months ago, I started receiving hundreds of NDRs daily from mail servers etc rejecting emails "from" my address for various reasons (like target email account addresses not existing on that server etc etc).

I found this odd since I had not sent any of the originating emails to those addresses in the first place. Digging further it appears that spammers (from India?) were sending out mucho spam forging my main yahoo email address as the "reply-to" field, thus that caused me to get their $*&ing NDRs.

This has been going on in spurts now every couple weeks. I'll get hundreds of NDRs in about a 48 hour period then it'll stop. Then a few weeks (or days) later it will all start up again.

What is the procedure for me to even begin to report this kind of thing? This Spamcop service seems designed to report on spam RECEIVED by you, not for reporting spam that is forging your email address.

Any help greatly appreciated. I really don't want to just give up and abandon that yahoo address, I use it for very many things that would be difficult to change & let people know etc. Besides, I would like to see these jerkoff spammers get shutdown.

[SpamCopAdmin]

>- What is the procedure for me to even begin to

>- report this kind of thing?

Just report it like you would any other spam. By "it" I mean the delivery failure notices.

>- This Spamcop service seems designed to report on spam

>- RECEIVED by you, not for reporting spam that is forging

>- your email address.

That is right. You may NOT cut the spam out of the delivery failure notices and try to report it. That is not your spam. You have no way to verify that the headers of the original spam are either complete or accurate.

- Don D'Minion - SpamCop Admin -

- service[at]admin.spamcop.net -

.

[turetzsr]

Hi, Elzar,

...Just so you, and anyone else perusing this SpamCop Forum "thread" in future, know, this topic is included in the SpamCop FAQ (see link near top left of every SpamCop Forum page) -- see the link labeled "Why am I getting all these bounces? Updated!" (be sure to read all the way to the end, changes were made after the early posts).

[Elzar]

Hi, Elzar,

...Just so you, and anyone else perusing this SpamCop Forum "thread" in future, know, this topic is included in the SpamCop FAQ (see link near top left of every SpamCop Forum page) -- see the link labeled "Why am I getting all these bounces? Updated!" (be sure to read all the way to the end, changes were made after the early posts).

Thanks (to both of you). I read that FAQ, am a bit confused as to how to do this but will try to muddle through. Most of the bounces sent to me include 2 msgs in them, one sent by the spammers to the unfortunate mail server on the other end and another one that looks like some kind of header status thing.

Just got like another 100 of these effin' bounces emails today. It is driving me crazy. Sigh. I have many important emails now getting obscured amongst all the noise.

[btw, I have the forum option set to "email me notification of replies" to my forum email ID (not the same as the one getting all this dreadful spam bounces) but I've received no notification of your folks replies. I only came back up here now to spend more time trying to figure out what to do & saw to my surprise that someone had replied!]

[Elzar]

Wow. I figured it out! Am happily reporting many of the spams now via the spamcop web interface. I have to feed it the full attachment part that is the spam from each msg. I see now that this is even far worse than I thought a few months ago. Back then they all looked like they were coming from one IP in India. These new ones are all over the world though. It is unbelievable. I am going to spend the next hour (& continue doing this every day for as long as I can stand it) to try to get these bastards stopped, reporting each and every message.

Also - forgot to say - in any case anyone else reads this - I was very confused at first by this - but the spamcop reporting page requires registering again, you need a DIFFERENT logon for that than this forum ID. I was thinking both were the same thing but found I could not login no matter what I tried. Eventually I decided to just try registering again and then I realized that the IDs are two different things.

Thanks again for the info & help up here!

[agsteele]

I am going to spend the next hour (& continue doing this every day for as long as I can stand it) to try to get these bastards stopped, reporting each and every message.

Hi Elzar,

Your reporting efforts are much appreciated but please remember that the main impact of reporting is that the sending mail server may get entered onto the SpamCop block-list. This allows users of the SCBL to filter spam so that it doesn't reach their mailboxes.

I'm not sure that there is such great evidence these days that reporting gets the spammers 'stopped'. Rather, if you use the SCBL, you will just not see their junk once the IP is on the SCBL.

In your case, you are reporting the bounce messages (correctly) and this reports the ISP sending the non-delivery report as a bounce. It does not affect the spammer.

So you may want to manage your reporting efforts to a less demanding amount of time.

Andrew

[Wazoo]

[btw, I have the forum option set to "email me notification of replies" to my forum email ID (not the same as the one getting all this dreadful spam bounces) but I've received no notification of your folks replies. I only came back up here now to spend more time trying to figure out what to do & saw to my surprise that someone had replied!]

You subscribed to this Topic using the "Delayed" mode. This Forum has the apparently unusual problem of folks responding too quickly at times. In this case, Don replied within a few minutes after you made your initial Post. The Forum/system saw you as 'still on-line' so no notification was sent. As this 'new (Reply) Post' went without a notification, the next Posts were also 'ignored' as the code 'assumed' that you already knew that there was at least one response. Changing the mode to "Immediate" will change the scenario to send you a notice when there is any new Post made into this Topic.

Of course, this is all moot if in fact you do find that your e-mail Host is actually moving these notifications into the spam/Bulk Folder and you haven't looked there to see them (noting that some folks took the extra step and set their spam/Bulk folders to automatically delete those e-mails, so it took some effort to convince those folks that an e-mail was really sent.)

Hmmmm .... one e-mail sent Nov 10 17:10:47 (assume Registration e-mail?), the next Nov 12 05:27:06. (server time GMT -5) looks like notification of agsteele's Reply.

Also - forgot to say - in any case anyone else reads this - I was very confused at first by this - but the spamcop reporting page requires registering again, you need a DIFFERENT logon for that than this forum ID. I was thinking both were the same thing but found I could not login no matter what I tried. Eventually I decided to just try registering again and then I realized that the IDs are two different things.

This situation is described at Why are there so many different account names/passwords needed?

[Elzar]

Your reporting efforts are much appreciated but please remember that the main impact of reporting is that the sending mail server may get entered onto the SpamCop block-list. This allows users of the SCBL to filter spam so that it doesn't reach their mailboxes.

I'm not sure that there is such great evidence these days that reporting gets the spammers 'stopped'. Rather, if you use the SCBL, you will just not see their junk once the IP is on the SCBL.

In your case, you are reporting the bounce messages (correctly) and this reports the ISP sending the non-delivery report as a bounce. It does not affect the spammer.

So you may want to manage your reporting efforts to a less demanding amount of time.

Ah, man. I am totally disappointed. I thought that with Spamcop something was being sent to the ISP contact admins to alert them that someone using their service was sending spam - to hopefully have them cut off that offender's access or terminate their account, if they were diligent and cared to do so.

If all this Spamcop reporting does is send some kind of report to Spamcop's blocklist (for users of that to benefit from it), then I am wasting my time. Yeah it is a worthy thing to do, but not worth me spending hours and hours on (like I've been doing).

What led me to Spamcop in the first place was asking on another forum if anyone knew of any way to "report" the spammers spoofing my email address to their ISP etc and someone there pointed me here. Sigh. My immediate goal is to get this crap STOPPED as best I can, cut off these jerks' internet access, at least temporarily.

[Elzar]

You subscribed to this Topic using the "Delayed" mode. This Forum has the apparently unusual problem of folks responding too quickly at times. In this case, Don replied within a few minutes after you made your initial Post. The Forum/system saw you as 'still on-line' so no notification was sent. As this 'new (Reply) Post' went without a notification, the next Posts were also 'ignored' as the code 'assumed' that you already knew that there was at least one response. Changing the mode to "Immediate" will change the scenario to send you a notice when there is any new Post made into this Topic.

Thanks! I just changed my setting for that (I think).

I did get that notice overnight (which led me back here now)...

Anyways, thanks for the efforts up here in general, and for answering my questions.

Interesting to note, from investigating the offending spams being sent out with my reply-to address, the msgs are considered to be "degree mill" spam. The modus operandi of these spammers is to spoof reply-to addresses (like mine) & I've found other people complaining about the same thing as is happening to me. Misery loves company I guess.

[Wazoo]

Ah, man. I am totally disappointed. I thought that with Spamcop something was being sent to the ISP contact admins to alert them that someone using their service was sending spam - to hopefully have them cut off that offender's access or terminate their account, if they were diligent and cared to do so.

Yes, notification is sent to the 'identified contact address' of the ISP concerned, but your own words (hi-lited) are the key. Not all ISPs/Hosts are of the 'have the need to maintain a good reputatuion' type.

[agsteele]

I thought that with Spamcop something was being sent to the ISP contact admins to alert them that someone using their service was sending spam - to hopefully have them cut off that offender's access or terminate their account, if they were diligent and cared to do so.

And you are correct in your thinking. But, sadly, the responses of ISPs vary immensely and, in my experience, many (most) spammers use unresponsive ISPs. The reports may get so-called botnets shutdown but that doesn't seem to have much impact on the general spam load.

In your case this is even more discouraging for you since you are reporting the bounce reports (not the original spam) so you may get the bouncing (sic) mail host to take action (so that the NDRs no longer reach you) but the real culprits (the spammers) are one step removed.

Andrew

[Elzar]

Thanks - good to know that Spamcop is FWDing those spam notices like I thought. It appeared to be doing that in the web interface so I was confused by what was said above, like that wasn't happening.

It is most likely for naught, but at least it feels like I am doing something, even if just ONE of the ISPs will take action against these jerks that is better than nothing. Most of the msgs seem to be coming from an ISP in brazil, about 30% from what I see. Maybe their admins will get tired of getting all these reports (if they even check their registered contact accounts that is). Just reported about another 50 of these damn things today....

(Btw, I did not receive any notifications of either of you guys' recent replying to the thread - I came up here to check for replies just in case and saw that there were two).

[Wazoo]

Thanks! I just changed my setting for that (I think).

(Btw, I did not receive any notifications of either of you guys' recent replying to the thread - I came up here to check for replies just in case and saw that there were two).

Database still shows you as subscribed to this Topic in a "delayed" mode.

[Elzar]

Database still shows you as subscribed to this Topic in a "delayed" mode.

I guess I can't change it then.

My "control options" are set to:

Enable 'Email Notification' by default?

If ticked, choose default type: Immediate Email Notification

Maybe since when I created this thread I was not set to "immediate", thus this particular thread is "delayed", regardless of my new default setting? I can't find a way to change the setting for the thread, only my account in general.

No biggie, but confusing.

[Farelf]

...I can't find a way to change the setting for the thread, only my account in general....

It's under the "Options" button at the top of the first post for the topic. Choose the first item "Track this topic". You can then select the "Immediate Email Notification" radio button. I'm not sure how it plays with the "My Controls" settings (I don't use notifications).

Ah, I see You are already subscribed to this topic or forum. if you try to use the topic "Options" "Track this topic" selection.

The default subscription notification is "Delayed" but that can be altered after subscription from the "My Controls" page, "Subscriptions" section "View Topics" item. Check the topic (checkbox) , use the drop-down menu to select "Immediate Email Notification" (default is "Unsubscribe") and hit the "with selected" button. At the bottom of the entry for the topic on that screen the confirmation will change from "Type: Delayed Emailed Notification " to "Type: Immediate Email Notification" Emphasising - the checkbox has to be set for the topic first.

The "Email Settings" "Board Preferences" setting you were looking at is over-arching for your whole account. If "Immediate" was your only option, that is probably indicating an offer to switch all your current subscription to that value - that is, it is confirming you presently have "Delayed" selected for all (the only) subscription(s) you have. I think.

Confusing? Well, since there are maybe several ways to change it within an adaptive suite of options it admittedly does give a fair imitation of "confusing" on first acquaintance.

[Elzar]

The default subscription notification is "Delayed" but that can be altered after subscription from the "My Controls" page, "Subscriptions" section "View Topics" item. Check the topic (checkbox) , use the drop-down menu to select "Immediate Email Notification" (default is "Unsubscribe") and hit the "with selected" button. At the bottom of the entry for the topic on that screen the confirmation will change from "Type: Delayed Emailed Notification " to "Type: Immediate Email Notification" Emphasising - the checkbox has to be set for the topic first.

Thanks! Was able to follow that and change the subscription for this topic.

[Farelf]

Thanks! Was able to follow that and change the subscription for this topic.

Darn, I must have just missed your post as you made it - we could have given the instant notification a try-out.

Back to the topic - you are disappointed that the misplaced bounces don't offer an opportunity to further hoe into the spammers who started the whole thing.

1. Well, standard SC reporting of the bounces then offers the chance to update ignorant mail administrators - in terms of sheer volume, misplaced bounces can be worse all but the most vicious mail DDoS/'denial attack' while there are so many clueless, so that's a worthy aim, as you have noted.
   
2. Usually the forged "From:" and "Reply-to:" addresses are just impartial picks from the spammer's 'mailing list' and used for maybe a single spam-run before being replaced. So, with most kinds of spam you do have the opportunity to report it when it is addressed to you rather than bounced to you (and other SC reporters are reporting it too*).
   • But you will be on many lists.
     

*It is common to receive spam addressed to you with your name as sender too - some spammers may even do that deliberately to try slipping through your filters on your whitelists.

• Whitelisting yourself is almost always a bad idea.
  

[*]Unless you are being deliberately targetted - Joe-jobbed or mail attacked - which is more a matter requiring legal redress.

Yes, mail DDoS still happens - http://www.itnews.com.au/News/239436,wa-ma...-on-police.aspx. Why are dumb Australian criminals so comprehensively stupid? It's embarrassing.

[Sandra]

>- What is the procedure for me to even begin to

>- report this kind of thing?

Just report it like you would any other spam. By "it" I mean the delivery failure notices.

>- This Spamcop service seems designed to report on spam

>- RECEIVED by you, not for reporting spam that is forging

>- your email address.

That is right. You may NOT cut the spam out of the delivery failure notices and try to report it. That is not your spam. You have no way to verify that the headers of the original spam are either complete or accurate.

- Don D'Minion - SpamCop Admin -

- service[at]admin.spamcop.net -

.

Hello,

I would like to know how to report spam sent to myself by my own forged email address. So no bounced forged email spam bouncing back to me, but an original spam sent with my forged email address to my own email addresses.

Should I just copy and paste all of the header and body, including my own forged sender email address or should I take away this information of the header and body because I might get reported myself?

Many thanks!

[turetzsr]

Hi, Sandra,

...Sorry to hear of your problem!

...Do I understand correctly that someone has sent to you spam that appears to be "From" you and you are concerned that SpamCop might report your e-mail provider if you use it? There are three reasons that it is unlikely to be a problem:

1. If you didn't actually send the spam, the spam internet headers, which is what SpamCop uses to determine the source of the spam, will probably not point to your e-mail provider.
   
2. If somehow the spam was actually sent from your account, it is likely to appear to SpamCop to never have gone through the internet and SpamCop will tell you that it can find no source of the spam.
   
3. If somehow SpamCop still finds that your e-mail provider is the appropriate party to whom to send a complaint, you can always "uncheck" the box so that when you press "Send" the report is not sent. This will still result in your contributing to the statistics used by SpamCop to decide whether to place the spam source on the SpamCop blacklist.
   

...So I'd say give it a try and just be a bit careful to ensure that SpamCop does not try to send a complaint to your e-mail provider unless you are pretty certain that a different user of your e-mail provider can be clearly identified as the spammer.

...Note: if you edit the header of the spam you submit, please be sure you are complying with SpamCop's rules -- see the SpamCop FAQ articles labeled:

• Rules - everybody read! (recent changes made ... you may need to re-look)
  
• -----> Material changes to spam
  
• -------> Material changes to spam - Updated!
  
• -----> What if I break the rule(s)?