
Have Spammers found a new way to irritate people?


Baldur2630


We have our own GroupWise Mail servers and a smoothwall Firewall.

We have most of the Blacklist Filters on the server and until yesterday, only the odd spam would get past the Blacklists.

Yesterday we started to get spam from strange people, mainly with hotmail or AOL addresses, but others as well.

Example :

From: deananddean <deananddean[at]comcast.net>
To: me[at]myemail address.com
Message-ID: <569409654.489051.1314118335258.JavaMail.root[at]sz0049a.emeryville.ca.mail.comcast.net>
Subject: Re: Richard, dont let that happen to Matt Hartman
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Auto-Submitted: auto-replied (zimbra; vacation)
Precedence: bulk
X-Mailer: Zimbra 6.0.10_GA_2709

Obviously my mail address is being forged and I'm getting flooded with this crap. I've reported some of them to Spamcop, but it's the same old rubbish over and over and over.

Does anyone out there know what is going on and any way to stop this?


Hi, Baldur2630,

...If you could provide a Tracking URL for one of your parses, it would help us answer. However, don't expect to be able to stop this spam -- if anyone has found that answer, s/he wouldn't be here, s/he would be a billionaire retired to a private island. :) <g> I suppose if you could find a common element to these spam, you could put a rule in your server rules to reject it at handshake time.

...Since your question does not seem to match what seems to me to be the intent of the "Geek/Tech Things" forum, I have taken the liberty of moving it to the SpamCop Lounge Forum.


Hi,

Sorry for putting it into the wrong place and thanks for fixing it!

You said "If you could provide a Tracking URL for one of your parses..." What exactly do you want? I'm not sure what you mean by a Tracking URL. Most of the messages are 'Delivery failure' notices from postmaster[at]hotmail.com, AOL, etc. But I'm also getting AutoReplies ('Out of Office'), so they are definitely forging my email address.

The thread is the same:

"dont let that happen to <a different name every time>", followed by a slightly different message and various URLs which I would be very careful NOT to click on, because they probably lead to malicious code. Some of them are:

http://anyart.info/head-is-shaved

http://alias-632.nl/shaved-and-drunk

http://tabletopshop.nl/gift-of-the-life

http://abait.nl/no-hair

I'm very concerned about this, because it isn't being relayed from my server, but my email address is definitely being forged and I don't want to end up on some Blacklist myself!


Sorry for putting it into the wrong place and thanks for fixing it!

...No problem! It was a reasonable choice.
You said "If you could provide a Tracking URL for one of your parses..." What exactly do you want?
...That's why we have a Glossary (in the drop-down list accessible by clicking "FAQs & Words", to the right of "Other words..." near the top left of almost all SpamCop Forum pages) and the SpamCop Wiki (link at the right of the top of all SpamCop Forum pages)! :) <g> See the Glossary entry "Tracking URL" and/or the SCWiki entry "TrackingURL."
<snip>

I'm very concerned about this, because it isn't being relayed from my server, but my email address is definitely being forged and I don't want to end up on some Blacklist myself!

...But your forged e-mail address appears as the "To" line, right? I don't think anyone with any sense is going to conclude the spam/ malware is coming from you!

The spam itself isn't coming to me. What I am getting is mainly returned mail, and the rest is AutoResponses.

I started out reporting this, but I realised that I'm reporting the wrong thing. I'm not getting the actual spam mail. What I am getting is the backlash because some malicious moron has forged my email address to send out spam. The poor sods who are getting this rubbish will think that I sent it, because when they get it, the From: is obviously ME. So when the user doesn't exist, I get the returned mail; when the mail DOES get through, they will block MY email address in their mail client; and if the person has AutoRespond, I get that as well.

Here is one of many:

A message from <me[at]myemailaddress.com> to:
-> keane[at]keaneloans.com
was considered unsolicited bulk e-mail (UBE).
Our internal reference code for your message is 31322-06/5mbeE11z0UbM

The message carried your return address, so it was either a genuine mail from you, or a sender address was faked and your e-mail address abused by third party, in which case we apologize for undesired notification.

We do try to minimize backscatter for more prominent cases of UBE and for infected mail, but for less obvious cases of UBE some balance between losing genuine mail and sending undesired backscatter is sought, and there can be some collateral damage on both sides.

First upstream SMTP client IP address: [209.5.159.9] server42.dayanadns.com
According to a 'Received:' trace, the message originated at: [2.89.151.14],
[2.89.151.14] port=1528 helo=networkingtechnology.org

Return-Path: <me[at]myemailaddress.com>
From: "Thao Nguyen" <me[at]myemailaddress.com>
Message-ID: <20110823201858.1546C2BC1D7[at]brickhouse.cobaltmortgage.com>
Subject: Keane, dont let that happen to Amy Nishimura

Delivery of the email was stopped!

Here is another:

Please read this entire message prior to sending a response.

A message sent with your From address "me[at]myemailaddress.com" with the subject:
"[AKO Content Violation - spam]steven.l.stites, dont let it happen to Kenichi Tsukagoshi" to the following recipient(s):
steven.l.stites[at]us.army.mil
was marked by the Army Knowledge Online (AKO)/Defense Knowledge Online (DKO) spam checker as spam and was not delivered to the intended recipient(s).

It is possible that you were not the original sender of the message as spammers frequently forge the From address in an effort to get the recipient to read the message. Since they used your From address and we are required to notify the sender if a message is marked as spam, you are getting this message. The easiest way to understand this is to think of a postal letter - if it can't be delivered, the post office will return the message to the address written in the sender address area of the envelope, we are doing the same thing. Note: as with postal mail, the return address information on the inside of the letter may be different than the one on the outside of the letter for many reasons.

If you did not send the above message, AKO recommends that you delete this message and we apologize for the inconvenience.

If after carefully checking the subject and recipient information above, you did send the message and would like us to look into why the message was sent as spam, forward this message to ako.postmaster[at]us.army.mil and add "Please investigate why this was marked as spam" to the beginning of the subject. We will not always be able to determine why the message was marked as spam and may have to forward the message to our vendor - we need your permission to do this so please indicate in your message either "You may send the message to your vendor to determine why the message was marked as spam" or "Do not send my message to the vendor".

AKO/DKO Postmaster (auto)
MessageID: 58455613
Timestamp: 23 Aug 2011 18:58:54 -0000
X-AKO: 44989857:209.5.159.9:23 Aug 2011 18:58:54 +0000:$ACCEPTED:2.9

So the Trace URL will only give us the address of the mailserver of the intended recipient.

The other ones are like this:

WTF.... NO MORE JUNK MAIL PLEASE!!

Fary Ashadi <me[at]myemailaddress.com> wrote:
>Hola!
>
>El, please do something, dont let it happen!
>
>Kha-Tu Ngo wants to shave off, to become bald!
>
>...after Pipit Fitri Hartini did that..
>
>El, look, how awful it looks:
>
>http://andrewennancy.nl/shaved-today
>
>Please, make a call or email, asap!
>
>Fary Ashadi
>

me[at]myemailaddress.com: this is a support site for local government, and we have maximum security. This is why this is so disturbing.

The IP Address in the first returned mail (2.89.151.14) certainly isn't mine!

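The bounces quoted above are backscatter: the reporting MTA accepted the spam, then sent a notification to the forged Return-Path instead of rejecting in-session. The following is an added example (not code from the original thread or from SpamCop) showing how to triage such a mailbox: it classifies each incoming message as a bounce, an auto-reply, a human reply, or a copy of the spam itself, pulls the bracketed client IPs out of a bounce report so they can be compared with one's own outbound MTA addresses, and shows the in-session 550 a receiving server should return for the "dont let that happen" run instead of bouncing later. `OUR_ADDRESS`, `OUR_OUTBOUND_IPS` and all four sample messages are constructed assumptions modelled on the thread; substitute your own values.

```python
import re
from email import message_from_string
from email.message import Message

OUR_ADDRESS = "me@myemailaddress.com"    # assumed: the address the spam run forges
OUR_OUTBOUND_IPS = {"203.0.113.10"}      # assumed: public IPs of our own outbound MTA

# Common element of this spam run, as quoted in the thread.
SPAM_SUBJECT_RE = re.compile(r"don'?t let (?:that|it) happen", re.IGNORECASE)
# Bounce reports and Received: headers show the SMTP client IP in brackets.
BRACKET_IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
DELIVERY_FAILED_RE = re.compile(
    r"not delivered|undeliverable|delivery .*?(?:failed|stopped)", re.IGNORECASE)


def _text(msg: Message) -> str:
    """Concatenate every text/* part; DSNs are often multipart/report."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def classify(raw_message: str) -> dict:
    """Return the message kind, the IPs a bounce report attributes the
    original mail to, and whether this is backscatter from a forgery."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    sender = (msg.get("From") or "").lower()
    return_path = (msg.get("Return-Path") or "").strip()
    auto = (msg.get("Auto-Submitted") or "").lower()
    precedence = (msg.get("Precedence") or "").lower()
    body = _text(msg)

    if (return_path == "<>" or "mailer-daemon" in sender or "postmaster" in sender
            or msg.get_content_type() == "multipart/report"
            or DELIVERY_FAILED_RE.search(body)):
        kind = "bounce"        # DSN or filter notice sent to the forged Return-Path
    elif auto.startswith("auto-replied") or precedence == "auto_reply":
        kind = "auto_reply"    # vacation / out-of-office reply to the forged From
    elif f"<{OUR_ADDRESS}> wrote:".lower() in body.lower():
        kind = "human_reply"   # a recipient answering "us" by hand
    elif SPAM_SUBJECT_RE.search(subject):
        kind = "spam"          # the run itself, arriving directly
    else:
        kind = "other"

    origin_ips = []            # deduplicated, in order of appearance
    for ip in BRACKET_IPV4_RE.findall(body):
        if ip not in origin_ips:
            origin_ips.append(ip)
    mentions_us = OUR_ADDRESS.lower() in (body + " " + (msg.get("To") or "")).lower()
    backscatter = (kind in ("bounce", "auto_reply", "human_reply") and mentions_us
                   and not OUR_OUTBOUND_IPS.intersection(origin_ips))
    return {"kind": kind, "origin_ips": origin_ips, "backscatter": backscatter}


def smtp_data_verdict(raw_message: str) -> str:
    """Reply a receiving MTA should give at end-of-DATA. A 550 here goes to
    the connecting client in-session, so nothing is ever sent to the forged
    Return-Path; accepting and bouncing later is what creates backscatter."""
    if classify(raw_message)["kind"] == "spam":
        return "550 5.7.1 Rejected: matches known spam run"
    return "250 2.0.0 Ok: queued"


# Constructed samples (documentation IP ranges), modelled on the thread.
BOUNCE_SAMPLE = """\
Return-Path: <>
From: MAILER-DAEMON@mx.example.net
To: me@myemailaddress.com
Subject: Undelivered: Keane, dont let that happen to Amy Nishimura
Content-Type: text/plain; charset=utf-8

A message from <me@myemailaddress.com> to: keane@example.org
was considered unsolicited bulk e-mail (UBE).
First upstream SMTP client IP address: [192.0.2.9] relay.example.net
According to a 'Received:' trace, the message originated at: [198.51.100.14],
[198.51.100.14] port=1528 helo=networkingtechnology.example
Delivery of the email was stopped!
"""
AUTOREPLY_SAMPLE = """\
From: deananddean <deananddean@example.com>
To: me@myemailaddress.com
Subject: Re: Richard, dont let that happen to Matt Hartman
Auto-Submitted: auto-replied (zimbra; vacation)
Precedence: bulk
Content-Type: text/plain; charset=utf-8

I am out of the office until Monday.
"""
HUMAN_SAMPLE = """\
From: angry@example.org
To: me@myemailaddress.com
Subject: WTF.... NO MORE JUNK MAIL PLEASE!!
Content-Type: text/plain; charset=utf-8

Fary Ashadi <me@myemailaddress.com> wrote:
>El, please do something, dont let it happen!
"""
SPAM_SAMPLE = """\
From: "Thao Nguyen" <me@myemailaddress.com>
To: keane@example.org
Subject: Keane, dont let that happen to Amy Nishimura
Content-Type: text/plain; charset=utf-8

Keane, look how awful it looks: http://example.invalid/no-hair
"""
```

For the bounce sample `classify` reports `origin_ips` of `192.0.2.9` (the relay the reporting MTA talked to) and `198.51.100.14` (the deepest hop it could see in the Received: trace); neither is ours, so the message is flagged as backscatter and the second address is the one worth putting in a SpamCop report. Note that the subject-only rule is applied after the bounce and auto-reply checks on purpose: a vacation reply quoting the spam's subject would otherwise be rejected too.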

The spam itself isn't coming to me. What I am getting is mainly returned mail, and the rest is AutoResponses.

I started out reporting this, but I realised that I'm reporting the wrong thing. I'm not getting the actual spam mail. What I am getting is the backlash because some malicious moron has forged my email address to send out spam.

...Ah, I see! Besides the malicious moron who forged your e-mail address, you are a victim of irresponsible and/or ignorant ESPs (e-mail service providers) who don't understand how rude it is to bounce e-mail to the "From" address instead of rejecting it at the handshake phase or just filing it in the trash bin.
The poor sods who are getting this rubbish will think that I sent it, because when they get it, the From: is obviously ME,

<snip>

...Only the ignorant ones, who don't realize that a "From" address is trivial to forge. Note that one of your bounces says, correctly:
It is possible that you were not the original sender of the message as spammers frequently forge the From address in an effort to get the recipient to read the message.
But then they show their outrageous ignorance with:
Since they used your From address and we are required to notify the sender if a message is marked as spam, you are getting this message. The easiest way to understand this is to think of a postal letter - if it can't be delivered, the post office will return the message to the address written in the sender address area of the envelope, we are doing the same thing. Note: as with postal mail, the return address information on the inside of the letter may be different than the one on the outside of the letter for many reasons.

<snip>

Stupid, stupid, stupid!!! :angry: Catch a clue, people!

...Oh, and it is acceptable (encouraged) to report these, so please continue, as your time and patience dictates.


Thanks for the info. I gather there is no way to track down these people who forge the email addresses. I guess that anyone who is crazy enough to click on one of those silly URLs will either be added to a bot-net or get some identity-stealing / credit-card-stealing software on their computer.

In the past 15 years we only had one previous spam problem and that was when some moron tried to use my mail-server as a relay and around 200,000 mails were rejected by the server. That was when I put a whole pile of Blacklist Filters on and since then, this is the first problem I've had.

Bottom line seems to be just grin and bear it, whilst these criminals get away scot-free. Time to bring in the death penalty for spammers and hackers, and I don't care what syndrome they claim to have. THEY ARE CRIMINALS.


Thanks for the info. I gather there is no way to track down these people who forge the email addresses. ...

Reporting the bounces, as Steve T suggested, might - in time - achieve something, especially in those cases where it is the MTA doing the bouncing (they have the ability to dig out and blacklist the actual source IP address and, given a prod, might get off their fundaments and do just that - and isn't it disturbing to see the US Army included in that category?). Where it is just individuals hitting the "Reply-to:" or "From:" address, the reports go to their provider, who may (sometimes) or may not (most times) take some effort to educate them. The trouble is, some people are still imagining that spam is only a small proportion of total messages. It is not; it is an overwhelming majority. The sooner they understand that simple fact of life, the better.

Alas, revenge[1] against the original criminal spammers is fairly well out of reach when it comes to the receiver of the bounce. But reporting moves it closer to the source and the possibility of them being winkled out.

[1] ...Time to bring in the death penalty for spammers and hackers and I don't care what syndrome they claim to have.
Ah, criminal justice authorities have long decreed that revenge is an unworthy object - long before these days of "political correctness". Francis Bacon had it "Revenge puts the Law out of office," and he had good reason to know it. But fie on them I say, and you are likely entirely too merciful - I am a long-time advocate of the short sharpened stake.

Death to the hackers?????? I'm not sure about that: I frequent forums where the word "hackers" sometimes refers to the good guys, and where those that the media refer to as "hackers" are sometimes referred to as "crackers", in preference to some colourful name that probably shouldn't be repeated here. :D


NO clemency, NO extenuating circumstances. The guilty have two choices:

1. Banned from ever owning or using a computer again for any reason, AND a life sentence of hard labor with no possibility of parole and NO remuneration; OR

2. Death by either the sharpened greasy pole, the rats and the copper cage, or the good old-fashioned method - hanging, drawing and quartering.

All thoughts of kindness vanished yesterday evening after several hours of deleting bounced messages and auto-replies!
