Redirect Joe-job?


Asterix

Either I've annoyed a spammer or it's just my lucky week, but some scammer sending out a range of advance fee fraud emails is using the address Juancforero<at>cable.net.co as the sender.

I've no connection to that address or the ISP in question.

The problem is that it appears they have set the above address to automatically forward email to my account, namely the hundreds of bounces and out-of-office replies.

In a normal misdirected bounce situation, those emails are reportable as spam since the bouncing server should not be sending email to whatever address happens to have been forged in the 'from' field.

However with this apparent forwarding setup, bounces are apparently being legitimately sent but I've been reporting them through SpamCop and apparently annoying abuse desks.

Below is a sample reply to the SpamCop report:

Your address Juancforero[at]cable.net.co has sent us a large amount of mails from the server ironport2.cable.net.co which seems to be your outgoing mailserver.

Please explain to me why you are reporting us for unsolicited bounces to that when you get auto-replies to the mails sent. It looks to me like you should be reported for spamming?

If we cannot resolve what it is you have misunderstood or have been a victim of we will of course speak to spamcop regarding your false reports against our servers instead.

Abuse [at] One.com

5514451308[at]reports.spamcop.net wrote:

> [ SpamCop V4.6.1.007 ]
> This message is brief for your comfort. Please use links below for details.
>
> Unsolicited bounce from: 91.198.169.249
> http://www.spamcop.net/w3m?i=z5514451308z4...9048b6f8aa9754z
> 91.198.169.249 appears to be sending unsolicited bounces, please see:
> http://www.spamcop.net/fom-serve/cache/329.html
>
> [ Offending message ]
> X-Apparently-To: x via 66.163.179.219; Wed, 25 May 2011 05:33:09 -0700
> Received-SPF: none (mta128.mail.sp2.yahoo.com: domain of
> autoresponse[at]mx-r.b-one.net does not designate permitted sender hosts)
> X-YMailISG: 00zzuaIcZApPI7wBZKmGyzpIWsSk2KnjeLZvttigTe5XuK_4
> 0Z8S6DIOdYg.IVfp4poRYWjm6sdUNz5GnUIbma0Ei2lo1Y4ovbF7Rhg8mGS1
> kzHh_JyKQf1cb1oP12wZR6Q.u_u79PNsuFIy4TuMDLNOItpSBso9756Dt8qI
> lVNbVOwya3205RP.FTZbVPyEbQHbgCNwyHAoJnPcj2oaqjhS5BcaXzrmemsw
> l2GC7xzwuSjjCEqtWLoFGaa6aWwPV4PucyecYR_v2gr1LwsuiVbN8AOghqNJ
> IUMXTY3suLkL5_4aM6FTbSrGz5JUW3tw62c.p6PJ78wgMBqigjgEicKSCx.Z
> x4Htz303zqRzSi8Y6ODUHaVdkozWCg5JSM1x9GkMOb21gFNzjHsaWe4yn4VD
> 7Z.sEBELpFdlfkpw3Xvv0.gEBq3KIdOtAmUU2.BwPcsnwqd1iMGok1oxlTjF
> CKFCPLqzn0crFBpJcWzOxsGxV_vRX5tD6HRz4G2n1dmM8Ir8V6d2wjlD1Zk5
> TRcugwJcIdbU32YF.2qcDZwJsmQ3otIWDDu0_L9Uo8fUyYs5nHLnRZsgr3G1
> kJkY7Kmq_ugTamYeuMaPfWOdO3n2aDIE1NugmqPBq_sugBb991IQ.2jI75vd
> d5kTx7DGX6ogoGV5zLByr8VEni5UG3xz7Ion56qRSvtIvt.xOR4uFq8aoQsO
> qX_FCsl89oVqRrUJZOjNYnJdvIwCkwY2sHARacDE8kxL5IUD27WhZFeYX2jE
> OCsWy0nk3pmMExmUkR0kWpQB.nLpnI5UutTi.Vv835OZCtpKYXxfWXMYCCs4
> zWxt1Ez0D3CknU6_tD5vw05IPOdKYnzaILtUj1wCQtKZD0eoZrZVfActJlsT
> czwxNymljYWHConBHYeOKcx5yP9xcvUz1651ZKl1JmB8GzmCHOuPLt2xblby
> HXhVMkRvhO5nXE41k73MNqeODABo0MQvRo79Q6YsR3n4K36nQBydglZqRsI1
> fVDw0S3A28J89YjB9MXtWJMkA3Vu6KC_BHKLUjg2IzODGZYdPrvRVL3iIA_Y
> Pxv8BQPYdd2AKhzzS3KXGYlIW0Nr_kH9d2jpgVjR8UTkwfzoy0hR0306l_FD
> SwMlpKWE6.iUBJT1_Dr7iI0rAb9cm9SLnqC5HGc_EFERTRblEkcg_Ku9TivC
> gM1Ijg_4NJNKyJcs_wSvvh7vs7UBQepIiL_euwNdp.m09nFlKrhQAWg_phvi
> LHP1XPinhh2W8TXFwS.fy9v8jSlCUxHdGTxchd5Bh7DzagnsiM8Fu_.2wptc
> M9_5R2fvWlQHMRKIE.GAflU-
> X-Originating-IP: [200.118.2.78]
> Authentication-Results: mta128.mail.sp2.yahoo.com from=hpvinfo.se;
> domainkeys=neutral (no sig); from=hpvinfo.se; dkim=neutral (no sig)
> Received: from 127.0.0.1 (EHLO ironport2.cable.net.co) (200.118.2.78)
> by mta128.mail.sp2.yahoo.com with SMTP; Wed, 25 May 2011 05:33:09 -0700
> X-IronPort-Anti-spam-Filtered: true
> X-IronPort-Anti-spam-Result:
> Ai4HAB323E2sHwID/2dsb2JhbACEXZNIjgV4iGmdbI4jkHyBK4NqgQcElQIJiiw
> X-IronPort-AV: E=Sophos;i="4.65,266,1304312400";
> d="scan'208";a="246377481"
> Received: from unknown (HELO vulcano.cable.net.co) ([172.31.2.3])
> by ironport2.cable.net.co with ESMTP; 25 May 2011 07:33:04 -0500
> Received: from ironport.cable.net.co ([200.118.2.77])
> by vulcano.cable.net.co (Sun Java System Messaging Server 6.1 HotFix 0.09
> (built Dec 14 2004)) with ESMTP id <0LLR001KM3QDYVI0[at]vulcano.cable.net.co>
> for
> x (ORCPT x); Wed,
> 25 May 2011 07:23:04 -0500 (COT)
> Received: from mx-r.one.com (HELO mx-r.b-one.net) ([91.198.169.249])
> by ironport.cable.net.co with ESMTP; Wed, 25 May 2011 07:33:03 -0500
> Received: by mx-r.b-one.net (Postfix, from userid 102) id F40E677A; Wed,
> 25 May 2011 14:33:05 +0200 (CEST)
> Date: Wed, 25 May 2011 14:33:05 +0200 (CEST)
> From: info[at]hpvinfo.se
> Subject: Auto: E-mail
> To: x
> Reply-to: info[at]hpvinfo.se
> Auto-submitted: auto-replied
> MIME-version: 1.0
> Content-type: text/plain; charset=UTF-8
> Content-transfer-encoding: 8BIT
> X-IronPort-Anti-spam-Filtered: true
> X-IronPort-Anti-spam-Result:
> AuwBAB323E1bxqn5mWdsb2JhbACEXZNIjhkBAQEBAQgLCwcUJohpnWyOI5B8gSuDaoEHBIoylQU
> X-IronPort-AV: E=Sophos;i="4.65,266,1304312400"; d="scan'208";a="578220753"
>
> Tack för ditt E-mail - vi återkommer.
>

New state of this ticket is : new

--

SpamCop reports for these bounces are being sent to abuse<at>cable.net.co (owner of IP 200.118.2.78) as well as the bounce originator. Separate email to that abuse address bounces with the message the mailbox is full.

So my questions:

1) Should reports be canceled for any reporting address other than that for IP address 200.118.2.78 (such as the Abuse [at] one.com complaining above)?

2) Is there anything further I can do to address the problem of the Juancforero<at>cable.net.co account automatically redirecting to my address?

Thanks for any suggestions.


Hi, Asterix,

...Please post the Tracking URL -- it will help us better understand what the SpamCop parser did and why. Thanks!

http://www.spamcop.net/sc?id=z5014916350z4...3156144d457d66z

I believe what is happening is that the spammer has access to the Juancforero[at]cable.net.co account and has it set up to automatically redirect to my Yahoo account.

Whether or not they are sending the spam from that account I think is secondary to the fact that bounces and out-of-office replies are being sent to it and thereby passed on to me.

In the message reported above, it looks like SpamCop is reporting one.com as the original sender and cable.net.co as the intermediary who is redirecting to me.

Is the abuse desk from one.com correct in getting upset at the SpamCop reports?

Should those reports only be going to cable.net.co?

Since abuse<at>cable.net.co is not accepting email, do I have any other recourse to stem this flood?

I can at least set up a Yahoo filter such that anything addressed to Juancforero[at]cable.net.co gets dumped directly to Trash, but that doesn't get to the root of the problem.


...Thanks!
I believe what is happening is that the spammer has access to the Juancforero[at]cable.net.co account and has it set up to automatically redirect to my Yahoo account.

<snip>

In the message reported above, it looks like SpamCop is reporting one.com as the original sender and cable.net.co as the intermediary who is redirecting to me.

Is the abuse desk from one.com correct in getting upset at the SpamCop reports?

<snip>

...Ah, I see. I guess I would err on the side of caution and not report to one.com unless someone else comes up with a really good reason to continue to do so. You might consider seeking feedback from the SpamCop deputies (perhaps pointing them to this Forum "thread" so you can keep the e-mail to them brief) by writing to them at deputies[at]admin.spamcop.net.

...Good luck!


You might consider seeking feedback from the SpamCop deputies (perhaps pointing them to this Forum "thread" so you can keep the e-mail to them brief) by writing to them at deputies[at]admin.spamcop.net.

Thanks. Contacted and got a reply.

It's quite possible Juancforero<at>cable.net.co is actually the one sending out the spam (wouldn't be the first time: http://www.google.com/search?q=Juancforero...ient=firefox-a) and all those bounces are legitimately being sent back to that account.

Only it is currently redirecting everything to me, unbeknownst to any bouncing server.

Doesn't help that abuse[at]cable.net.co is bouncing as well, so it appears no one at that ISP really cares.


FWIW, to see what was happening at the abuse address, I sent a problem note and a link to this thread to abuse[at]cable.net.co. It seems their abuse address aliases to multiple recipient addresses, four of which are bouncing for over-quota. Their alias list might contain other addresses that are not bouncing.


  • 1 year later...

Another similar situation - maybe I've pissed off a spammer and this is how he gets revenge.

I'm being inundated with thousands of advance fee fraud bounce messages.

It appears the scammer is using two email addresses from kku.edu.tr to send out their garbage but has also set those accounts to redirect back to my address. As a result, all the out-of-office or invalid address bounces are being redirected to my account.

Sample tracking URL:

http://www.spamcop.net/sc?id=z5422886939z6...39ae7cba37bfdcz

I'm on Yahoo and the 'To' line is one of the two corrupted kku.edu.tr accounts.

Normally this would be relatively easily addressed by filing as many of these bounces with spamcop as possible such that the administrators of IP address 194.27.51.29 would be notified that one of their users is pumping out unwanted mail.

However, as can be seen from the tracking URL, the reporting address is going to devnull.

I've looked up contacts on the kku.edu.tr website and sent numerous samples of the bounces to their computer support address. When that failed to produce any action (or even any response) after over a week, I added addresses of other administrators, hoping that someone might direct their systems guys to simply disable the offending accounts.

Still no luck getting any sign of life.

Just wondering if there is anything further I can do to try and resolve this issue (and also check that my understanding of what is happening is correct).

I have been able to set up a filter in Yahoo mail such that anything addressed to either of the two offending kku.edu.tr addresses gets dumped to the Trash folder, but the fact that this stuff is now coming in at a rate of hundreds per hour is rather concerning.

I see from Spamcop stats that the IP address in question has a poor rating, so presumably others are reporting the original spam that isn't getting bounced.


<snip>

I'm being inundated with thousands of advance fee fraud bounce messages.

<snip>

as can be seen from the tracking URL, the reporting address is going to devnull.

<snip>

Just wondering if there is anything further I can do to try and resolve this issue

<snip>

...If you can determine an "upstream," you could send a complaint there. Another possibility (not mutually exclusive) would be to ask your e-mail administrator to reject such bounces at the "handshake" stage so that they don't even make it into the e-mail system.

...If you can determine an "upstream," you could send a complaint there. Another possibility (not mutually exclusive) would be to ask your e-mail administrator to reject such bounces at the "handshake" stage so that they don't even make it into the e-mail system.

I'm just a freebie Yahoo user, so I don't know what the hopes are of asking an email administrator to reject things.

But I don't think that is really addressing things anyways since what I think is happening is that the two kku.edu.tr accounts are configured to redirect their email to my address.

It looks like those accounts are actually the ones sending out the spam, so for them to receive the bounces makes sense.

The servers sending the bounces have no way of knowing that the kku.edu.tr accounts are simply redirecting their email on to my Yahoo account. I have tried including those addresses in my previous email complaints and those messages eventually showed up back in my inbox (with me as the original sender), further supporting the theory the accounts are just redirecting mail.

I could be mistaken, so if this understanding is incorrect, feel free to explain where I've gone wrong.

When it comes to an 'upstream' provider, I presume that would be whoever provides kku.edu.tr with their internet connection since ultimately it is a couple of kku.edu.tr accounts that are responsible for this flood. Any suggestions on determining this provider?


I'm just a freebie Yahoo user, so I don't know what the hopes are of asking an email administrator to reject things.
...Oh, there's no problem with asking but getting them to actually do it is, indeed, hopeless! :) <g>
But I don't think that is really addressing things anyways since what I think is happening is that the two kku.edu.tr accounts are configured to redirect their email to my address.

It looks like those accounts are actually the ones sending out the spam, so for them to receive the bounces makes sense.

The servers sending the bounces have no way of knowing that the kku.edu.tr accounts are simply redirecting their email on to my Yahoo account.

<snip>

...True -- which is precisely why they should not be bouncing these to you!!!!!
When it comes to an 'upstream' provider, I presume that would be whoever provides kku.edu.tr with their internet connection since ultimately it is a couple of kku.edu.tr accounts that are responsible for this flood. Any suggestions on determining this provider?
...Sorry, that I can't tell you but hopefully someone more knowledgeable than I will happen by here to provide some guidance. You could also use one of the two search tools on the SpamCop Forum web pages to search for previous posts on the subject of finding upstream providers. Actually, though, I would also suggest that you hit the upstream providers of the hosts that are improperly bouncing the rejects to you, not just kku's upstream.

...Oh, there's no problem with asking but getting them to actually do it is, indeed, hopeless! :)

... please don't get me started on Yahoo! :blink: I pretty much gave up on Yahoo several years ago. The solution I decided on for my own particular set of issues with Yahoo was to set up my own email server, and configure what amounts to a blanket ban on mail arriving from/via Yahoo. (Mail from legitimate sources that happen to come via Yahoo is fairly easily arranged via whitelisting.)


Actually, though, I would also suggest that you hit the upstream providers of the hosts that are improperly bouncing the rejects to you, not just kku's upstream.

But again, I don't think those bounces are improper necessarily. They are being sent to the kku.edu.tr addresses that are apparently the spam originators.

The fact that those two accounts are configured to redirect incoming email to my address is not determinable by any outside server responding to email sent from those two accounts.

My basic problem lies in trying to find someone responsible for those two accounts or the IP address 194.27.51.29 (presumably the same person) who can then disable them, making them unable to redirect anything further to me (to say nothing of being unable to send out the original spam in the first place).

SpamCop parsing of the IP address goes to devnull. Any contact remotely associated with computer support or administration at kku.edu.tr has not responded to multiple complaints over a couple of weeks.


But again, I don't think those bounces are improper necessarily. They are being sent to the kku.edu.tr addresses that are apparently the spam originators.

The fact that those two accounts are configured to redirect incoming email to my address is not determinable by any outside server responding to email sent from those two accounts.

<snip>

...Again, true, and, again, that is why the admins who are bouncing to those addresses should not bounce! Rather, if they are going to take some action that hits someone outside their own network, they should reject the e-mail at handshake time; if they can't do that, they should not reply at all.
My basic problem lies in trying to find someone responsible for those two accounts or the IP address 194.27.51.29 (presumably the same person) who can then disable them, making them unable to redirect anything further to me (to say nothing of being unable to send out the original spam in the first place).

SpamCop parsing of the IP address goes to devnull. Any contact remotely associated with computer support or administration at kku.edu.tr has not responded to multiple complaints over a couple of weeks.

...Other than what you have already done, complaining to an upstream provider or ICANN registrar is all that I am aware you can do. I guess there is one other thing: switch to an e-mail provider who cares enough to allow you to use a blacklist to automatically toss the e-mail somewhere other than your inbox or, even better, reject it at handshake time.

Robtex says

contact information for 194.27.51.29

hostmaster[at]kku.edu.tr (responsible for kku.edu.tr, 51.27.194.in-addr.arpa)

BUT: "hostmaster[at]kku.edu.tr is not a valid deliverable e-mail box address" (http://www.ipaddresslocation.org/email_lookup/check-email.php) - Recipient address rejected in SMTP session: kku.edu.tr

hostmaster[at]ulakbim.gov.tr (responsible for ulakbim.gov.tr, 27.194.in-addr.arpa)

NOTE: "hostmaster[at]ulakbim.gov.tr is a valid deliverable e-mail box address." - meaning MX responds to SMTP requests to send data to the address. Variable results - doesn't always confirm.

"Person" address for [at]ulakbim.gov.tr (RIPE) is

ipadmin[at]ulakbim.gov.tr

NOTE: "ipadmin[at]ulakbim.gov.tr is a valid deliverable e-mail box address." Variable results - doesn't always confirm.

None of those have specific abuse responsibility. Abuse.net says

abuse[at]ulakbim.gov.tr (for ulakbim.gov.tr)

NOTE: "abuse[at]ulakbim.gov.tr is a valid deliverable e-mail box address."

Report history shows a mixture of (mostly) straight spam and misdirected bounces.

Non-mailhosted parse of your spam is at

http://www.spamcop.net/sc?id=z5423041932z9...8dfab02bf1bcd3z

which punches down to helium.singnet.com.sg [165.21.74.7]

SC has no reporting address, APNIC can find only

hostmaster[at]singnet.com.sg (no abuse address)

NOTE: "hostmaster[at]singnet.com.sg is a valid deliverable e-mail box address."

Abuse.net says

abuse[at]magix.com.sg (for singnet.com.sg)

BUT: "abuse[at]magix.com.sg is not a valid deliverable e-mail box address." (Not convinced - no SMTP session offered in evidence, could be a DNS weirdness.) But there IS an MX in there somewhere:

C:\Documents and Settings\Admin>nslookup -type=mx magix.com.sg 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

magix.com.sg
        primary name server = dnspri.singnet.com.sg
        responsible mail addr = hostmaster.singnet.com.sg
        serial  = 2012013001
        refresh = 3600 (1 hour)
        retry   = 900 (15 mins)
        expire  = 604800 (7 days)
        default TTL = 3600 (1 hour)

C:\Documents and Settings\Admin>nslookup dnspri.singnet.com.sg 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    dnspri.singnet.com.sg
Address:  165.21.10.11

C:\Documents and Settings\Admin>


  • 4 weeks later...

As turetzsr said, the mail server should either reject it during the transaction, or accept it. They shouldn't accept the email, then later send a bounce message back to the (claimed) sender. If they're sending out replies to garbage messages that should've been rejected from the start, that qualifies as spam by SpamCop's definition. In this regard, I see no problem with continuing to report the servers sending the misdirected bounce messages.

While it's just ignoring the problem rather than fixing it, the easiest solution may be to simply filter out all mail coming to your account from that mail server (assuming you don't expect to get any valid mail from them). I'm not sure exactly what filtering options Yahoo offers, but it would be best if you could set up a filter on the server in the headers combined with the bad addresses in the To field. This should allow you to discard any mail forwarded from that server for those problematic accounts, while still receiving any other good emails that may happen to come from that server (like if you were to actually get a response from their support team).

The emails that are annoying you should be relatively easy to spot, so it may be easiest for everyone just to discard them wholesale. It's not actually fixing the accounts that are sending spam (and redirecting emails to you) or the servers sending out misdirected bounce messages, other than "taking the high road" and simply ignoring all attempts at harassing you (which will hopefully lead to it stopping eventually, since it's not actually bothering you anymore).

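Two points in this thread can be checked mechanically from the headers: the opening post's distinction between a bounce to a forged sender and an auto-reply that was legitimately sent to an account which then forwards it on, and the last post's suggestion to filter on the relaying server in the headers combined with the hijacked address in the To field. The block below is an added example written for this page, not code from the thread, from SpamCop or from any of the providers named. It builds a constructed auto-reply modelled on the one quoted in the first post (all hosts, addresses and IPs are example.com/example.net/example.org and RFC 5737 placeholders), walks the Received chain in delivery order, reports the hop at which the message was redirected and the outside host that chose to reply rather than reject, and applies the mailbox-side discard rule.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample, modelled on the auto-reply quoted in the thread: an autoresponder
# at example.com answered mail "from" forwarder@example.net (the address the scammer uses),
# and that mailbox forwards everything to the reporter at example.org.
# Hosts and IPs are RFC 2606 / RFC 5737 placeholders, not real systems.
FORWARDED_AUTOREPLY = """\
Received: from 127.0.0.1 (EHLO relay2.example.net) (198.51.100.20)
 by mta-in.example.org with SMTP; Wed, 25 May 2011 05:33:09 -0700
Received: from internal (HELO store.example.net) ([10.0.0.3])
 by relay2.example.net with ESMTP; 25 May 2011 07:33:04 -0500
Received: from relay1.example.net ([198.51.100.19])
 by store.example.net with ESMTP id <20110525123304.A1B2C@store.example.net>
 for <forwarder@example.net>; Wed, 25 May 2011 07:23:04 -0500
Received: from mx-r.example.com (HELO mx-r.example.com) ([203.0.113.7])
 by relay1.example.net with ESMTP; Wed, 25 May 2011 07:33:03 -0500
Received: by mx-r.example.com (Postfix, from userid 102) id F40E677A;
 Wed, 25 May 2011 14:33:05 +0200 (CEST)
From: info@example.com
To: forwarder@example.net
Subject: Auto: E-mail
Auto-Submitted: auto-replied
"""
# Constructed: a human reply from the same relay, sent directly to the reporter.
SUPPORT_REPLY = """\
Received: from 127.0.0.1 (EHLO relay2.example.net) (198.51.100.20)
 by mta-in.example.org with SMTP; Thu, 26 May 2011 09:00:00 -0700
From: support@example.net
To: reporter@example.org
Subject: Re: forwarded bounces
"""
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_received(value):
    """Split one Received: header into from-host, HELO name, peer IP, by-host and for-address."""
    s = re.sub(r"\s+", " ", value).strip()                       # unfold
    by = re.search(r"\bby\s+([^\s;]+)", s)
    from_part = s[: by.start()] if by else s
    frm = re.match(r"from\s+([^\s;]+)", from_part)
    helo = re.search(r"\((?:HELO|EHLO)\s+([^\s)]+)\)", from_part, re.I)
    ips = IPV4.findall(from_part)                                 # last one is the connecting peer
    fr = re.search(r"\bfor\s+<?([^\s<>;,]+)>?", s)
    return {"from_host": frm.group(1) if frm else None,
            "helo": helo.group(1) if helo else None,
            "from_ip": ips[-1] if ips else None,
            "by": by.group(1) if by else None,
            "for": fr.group(1) if fr else None}

def received_chain(msg):
    """Received: headers in delivery order (oldest first); each MTA prepends its own."""
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]

def in_domain(host, domain):
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def is_automatic(msg):
    """True for auto-replies and bounces: RFC 3834 Auto-Submitted, DSN reports, usual subject prefixes."""
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return True
    subject = (msg.get("Subject") or "").strip().lower()
    if re.match(r"(auto:|out of office|undeliver|delivery status|mail delivery|returned mail)", subject):
        return True
    return "mailer-daemon" in (msg.get("From") or "").lower() or msg.get_content_type() == "multipart/report"

def classify(raw, forwarded_addr):
    """Find the hop that redirected the message and the server that replied instead of rejecting."""
    msg = message_from_string(raw)
    chain = received_chain(msg)
    domain = forwarded_addr.rsplit("@", 1)[1].lower()
    redirect = next((h for h in chain if (h["for"] or "").lower() == forwarded_addr.lower()), None)
    # The originator is the first hop that handed the message to the forwarder's own
    # servers from outside: it chose accept-then-reply, and it is what SpamCop names
    # as the bounce source. Hops after it are internal to the forwarder.
    origin = next((h for h in chain if h["from_host"] and in_domain(h["by"], domain)
                   and not in_domain(h["from_host"], domain) and not in_domain(h["helo"], domain)), None)
    return {"auto_reply": is_automatic(msg),
            "redirected_at": redirect["by"] if redirect else None,
            "originator_host": origin["from_host"] if origin else None,
            "originator_ip": origin["from_ip"] if origin else None}

def should_discard(raw, forwarded_addrs):
    """Mailbox-side rule from the thread: handed over by the forwarder's relay AND addressed to a hijacked account."""
    msg = message_from_string(raw)
    chain = received_chain(msg)
    bad = {a.lower() for a in forwarded_addrs}
    domains = {a.rsplit("@", 1)[1] for a in bad}
    last = chain[-1] if chain else {"from_host": None, "helo": None}
    via_forwarder = any(in_domain(last["from_host"], d) or in_domain(last["helo"], d) for d in domains)
    recipients = {a.lower() for _, a in getaddresses(msg.get_all("To", []))}
    return via_forwarder and bool(recipients & bad)
```

On the constructed sample, `classify` reports the redirect at store.example.net (the hop carrying `for <forwarder@example.net>`) and mx-r.example.com / 203.0.113.7 as the originator, which is the same position SpamCop took with "Unsolicited bounce from: 91.198.169.249" in the quoted report; the forwarding hop is the evidence that the forwarder's own abuse desk is the party that can stop the redirect. `should_discard` keeps the support reply because its To does not match, even though it came through the same relay. Note that the HELO name is chosen by the connecting host, so the discard rule only trusts the last Received line, the one written by your own provider, and only in combination with the To check.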
