Baldur2630 Posted August 23, 2011

We have our own GroupWise Mail servers and a smoothwall Firewall. We have most of the Blacklist Filters on the server and until yesterday, only the odd spam would get past the Blacklists. Yesterday we started to get spam from strange people, mainly with hotmail or AOL addresses, but others as well. Example:

From: deananddean <deananddean[at]comcast.net>
To: me[at]myemail address.com
Message-ID: <569409654.489051.1314118335258.JavaMail.root[at]sz0049a.emeryville.ca.mail.comcast.net>
Subject: Re: Richard, dont let that happen to Matt Hartman
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Auto-Submitted: auto-replied (zimbra; vacation)
Precedence: bulk
X-Mailer: Zimbra 6.0.10_GA_2709

Obviously my mail address is being forged and I'm getting flooded with this crap. I've reported some of them to Spamcop, but it's the same old rubbish over and over and over. Does anyone out there know what is going on and any way to stop this?
turetzsr Posted August 23, 2011

Hi, Baldur2630,

...If you could provide a Tracking URL for one of your parses, it would help us answer. However, don't expect to be able to stop this spam -- if anyone has found that answer, s/he wouldn't be here, s/he would be a billionaire retired to a private island. <g> I suppose if you could find a common element to these spam, you could put a rule in your server rules to reject it at handshake time.

...Since your question does not seem to match what seems to me to be the intent of the "Geek/Tech Things" forum, I have taken the liberty of moving it to the SpamCop Lounge Forum.
Baldur2630 (Author) Posted August 23, 2011

Hi, Sorry for putting it into the wrong place and thanks for fixing it!

You said "If you could provide a Tracking URL for one of your parses..." What exactly do you want? I'm not sure what you mean by a Tracking URL.

Most of the messages are 'Delivery failure' from postmaster[at]hotmail.com, AOL etc. But I'm also getting AutoReplies 'Out of Office', so they are definitely forging my email address. The thread is the same: "dont let that happen to <a different name every time>", followed by a slightly different message and various URLs which I would be very careful NOT to click on, because it probably has malicious code. Some of them are

http://anyart.info/head-is-shaved
http://alias-632.nl/shaved-and-drunk
http://tabletopshop.nl/gift-of-the-life
http://abait.nl/no-hair

I'm very concerned about this, because it isn't being relayed from my server but my email address is definitely being forged and I don't want to end up on some Blacklist myself!
turetzsr Posted August 23, 2011

> Sorry for putting it into the wrong place and thanks for fixing it!

...No problem! It was a reasonable choice.

> You said "If you could provide a Tracking URL for one of your parses..." what exactly do you want?

...That's why we have a Glossary (in the drop-down list accessible by clicking "FAQs & Words", to the right of "Other words..." near the top left of almost all SpamCop Forum pages) and the SpamCop Wiki (link at the right of the top of all SpamCop Forum pages)! <g> See Glossary entry "Tracking URL" and/ or SCWiki entry "TrackingURL."

<snip>

> I'm very concerned about this, because it isn't being relayed from my server but my email address is definitely being forged and I don't want to end up on some Blacklist myself!

...But your forged e-mail address appears as the "To" line, right? I don't think anyone with any sense is going to conclude the spam/ malware is coming from you!
Baldur2630 (Author) Posted August 23, 2011

The spam itself isn't coming to me. What I am getting is mainly returned mail and the rest is AutoResponses. I started out reporting this but I realised that I'm reporting the wrong thing. I'm not getting the actual spam mail. What I am getting is the backlash because some malicious moron has forged my email address to send out spam. The poor sods who are getting this rubbish will think that I sent it, because when they get it, the From: is obviously ME, so when the user doesn't exist, I get the returned mail and when the mail DOES get through, they will block MY email address in their mail client and if the person has AutoRespond, I get that as well.

Here is one of many:

A message from <me[at]myemailaddress.com> to:
-> keane[at]keaneloans.com
was considered unsolicited bulk e-mail (UBE).

Our internal reference code for your message is 31322-06/5mbeE11z0UbM

The message carried your return address, so it was either a genuine mail from you, or a sender address was faked and your e-mail address abused by third party, in which case we apologize for undesired notification.

We do try to minimize backscatter for more prominent cases of UBE and for infected mail, but for less obvious cases of UBE some balance between losing genuine mail and sending undesired backscatter is sought, and there can be some collateral damage on both sides.

First upstream SMTP client IP address: [209.5.159.9] server42.dayanadns.com
According to a 'Received:' trace, the message originated at: [2.89.151.14], [2.89.151.14] port=1528 helo=networkingtechnology.org

Return-Path: <me[at]myemailaddress.com>
From: "Thao Nguyen" <me[at]myemailaddress.com>
Message-ID: <20110823201858.1546C2BC1D7[at]brickhouse.cobaltmortgage.com>
Subject: Keane, dont let that happen to Amy Nishimura

Delivery of the email was stopped!

Here is another:

Please read this entire message prior to sending a response.

A message sent with your From address "me[at]myemailaddress.com" with the subject: "[AKO Content Violation - spam]steven.l.stites, dont let it happen to Kenichi Tsukagoshi" to the following recipient(s): steven.l.stites[at]us.army.mil was marked by the Army Knowledge Online (AKO)/Defense Knowledge Online (DKO) spam checker as spam and was not delivered to the intended recipient(s).

It is possible that you were not the original sender of the message as spammers frequently forge the From address in an effort to get the recipient to read the message. Since they used your From address and we are required to notify the sender if a message is marked as spam, you are getting this message. The easiest way to understand this is to think of a postal letter - if it can't be delivered, the post office will return the message to the address written in the sender address area of the envelope, we are doing the same thing. Note: as with postal mail, the return address information on the inside of the letter may be different than the one on the outside of the letter for many reasons.

If you did not send the above message, AKO recommends that you delete this message and we apologize for the inconvenience.

If after carefully checking the subject and recipient information above, you did send the message and would like us to look into why the message was sent as spam, forward this message to ako.postmaster[at]us.army.mil and add "Please investigate why this was marked as spam" to the beginning of the subject. We will not always be able to determine why the message was marked as spam and may have to forward the message to our vendor - we need your permission to do this so please indicate in your message either "You may send the message to your vendor to determine why the message was marked as spam" or "Do not send my message to the vendor".

AKO/DKO Postmaster (auto)
MessageID: 58455613
Timestamp: 23 Aug 2011 18:58:54 -0000
X-AKO: 44989857:209.5.159.9:23 Aug 2011 18:58:54 +0000:$ACCEPTED:2.9

So the Trace URL will only give us the address of the mailserver of the intended recipient.

The other ones are like this:

WTF.... NO MORE JUNK MAIL PLEASE!!z

Fary Ashadi <me[at]myemailaddress.com> wrote:
>Hola!
>
>El, please do something, dont let it happen!
>
>Kha-Tu Ngo wants to shave off, to become bald!
>
>...after Pipit Fitri Hartini did that..
>
>El, look, how awful it looks:
>
>http://andrewennancy.nl/shaved-today
>
>Please, make a call or email, asap!
>
>Fary Ashadi
> me[at]myemailaddress.com

This is a support site for local government and we have maximum security. This is why this is so disturbing. The IP Address in the first returned mail (2.89.151.14) certainly isn't mine!
turetzsr Posted August 23, 2011

> The spam itself isn't coming to me, What I am getting is mainly returned mail and the rest is AutoResponses. I started out reporting this but I realised that I'm reporting the wrong thing. I'm not getting the actual spam mail. What I am getting is the backlash because some malicious moron has forged my email address to send out spam.

...Ah, I see! Besides the malicious moron who forged your e-mail address, you are a victim of irresponsible and/ or ignorant ESP (e-mail service providers) who don't understand how rude it is to bounce e-mail to the "From" address instead of rejecting it at the handshake phase or just filing it in the trash bin.

> The poor sods who are getting this rubbish will think that I sent it, because when they get it, the From: is obviously ME, <snip>

...Only the ignorant ones, who don't realize that a "From" address is trivial to forge. Note that one of your bounces says, correctly:

> It is possible that you were not the original sender of the message as spammers frequently forge the From address in an effort to get the recipient to read the message.

But then they show their outrageous ignorance with:

> Since they used your From address and we are required to notify the sender if a message is marked as spam, you are getting this message. The easiest way to understand this is to think of a postal letter - if it can't be delivered, the post office will return the message to the address written in the sender address area of the envelope, we are doing the same thing. Note: as with postal mail, the return address information on the inside of the letter may be different than the one on the outside of the letter for many reasons. <snip>

Stupid, stupid, stupid!!! :angry: Catch a clue, people!

...Oh, and it is acceptable (encouraged) to report these, so please continue, as your time and patience dictates.
Baldur2630 (Author) Posted August 24, 2011

Thanks for the info. I gather there is no way to track down these people who forge the email addresses. I guess that anyone who is crazy enough to click on one of those silly URLs will either add them to a bot-net or put some identity-stealing / credit card stealing software on their computer.

In the past 15 years we only had one previous spam problem and that was when some moron tried to use my mail-server as a relay and around 200,000 mails were rejected by the server. That was when I put a whole pile of Blacklist Filters on and since then, this is the first problem I've had.

Bottom line seems to be just grin and bear it, whilst these criminals just get away scot-free. Time to bring in the death penalty for spammers and hackers and I don't care what syndrome they claim to have. THEY ARE CRIMINALS
Farelf Posted August 24, 2011

> Thanks for the info. I gather there is no way to track down these people who forge the email addresses.

...Reporting the bounces, as Steve T suggested, might - in time - achieve something, especially in those cases where it is the MTA doing the bouncing (they have the ability to dig out and blacklist the actual source IP address and, given a prod, might get off their fundaments and do just that - and isn't it disturbing to see the US army included in that category?). Where it is just individuals hitting the "Reply-to:" or "From:" address the reports go to their provider who may (sometimes) or may not (most times) take some effort to educate them. The trouble is, some people are still imagining that spam is only a small proportion of total messages. It is not, it is an overwhelming majority. The sooner they understand that simple fact of life, the better. Alas, revenge[1] against the original criminal spammers is fairly-well out of reach when it comes to the receiver of the bounce. But reporting moves it closer to the source and the possibility of them being winkled out.

[1] ...
> Time to bring in the death penalty for spammers and hackers and I don't care what syndrome they claim to have.

Ah, criminal justice authorities have long decreed that revenge is an unworthy object - long even before these days of "political correctness". Francis Bacon had it "Revenge puts the Law out of office," and he had good reason to know it. But fie on them I say, and you are likely entirely too merciful - I am a long-time advocate of the short sharpened stake.
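The two technical points in this thread are (a) turetzsr's distinction between a bounce sent to the forged "From" address and a rejection at the SMTP handshake, and (b) Farelf's remark that an MTA which does bounce still holds the original's "Received:" trace and could pull the real source IP out of it. The script below is an added example written for this page; it is not code from SpamCop, GroupWise, smoothwall or any poster. It triages inbound mail into DSN bounce, auto-reply or other, extracts the first-hop IP of the bounced original, and checks it against the site's own outbound relays. OUR_OUTBOUND_IPS and both sample messages are constructed placeholders; the regex-based fallback for text-only bounces is a heuristic, not a standard.

```python
"""Triage backscatter: bounces and auto-replies that answer mail we never sent.

Added example for this thread; not code from SpamCop, GroupWise or smoothwall.
OUR_OUTBOUND_IPS is a constructed placeholder for the site's own relay
addresses, and both sample messages are constructed to mirror the thread.
"""
import email
import ipaddress
import re
from email import policy
from typing import Dict, List, Optional

OUR_OUTBOUND_IPS = {"198.51.100.10"}          # placeholder (RFC 5737 doc range)

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
RECEIVED_RE = re.compile(r"^Received:.*(?:\n[ \t].*)*", re.M)
BOUNCE_SUBJECT_RE = re.compile(
    r"undeliver|delivery (?:status|failure)|returned mail|mail delivery", re.I)


def classify(raw: bytes) -> str:
    """Return 'dsn', 'auto-reply' or 'other' for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # RFC 3834: vacation / out-of-office responders mark themselves here
    auto = ((msg.get("Auto-Submitted") or "no").strip().lower().split() or ["no"])[0]
    if auto != "no":
        return "auto-reply"
    # RFC 3464: a real DSN is multipart/report with report-type=delivery-status
    report = (msg.get_param("report-type", header="Content-Type") or "").lower()
    if msg.get_content_type() == "multipart/report" and report == "delivery-status":
        return "dsn"
    # Looser MTAs send a plain-text bounce from the null envelope sender
    if (msg.get("Return-Path") or "").strip() == "<>" and \
            BOUNCE_SUBJECT_RE.search(msg.get("Subject") or ""):
        return "dsn"
    return "other"


def original_received_lines(raw: bytes) -> List[str]:
    """Received: lines of the bounced original, wherever the bounce carried them."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    structured, textual = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":                 # full original attached
            for inner in part.get_payload():
                structured.extend(str(h) for h in inner.get_all("Received", []))
        elif ctype == "text/rfc822-headers":          # only its headers attached
            hdrs = email.message_from_bytes(part.get_payload(decode=True) or b"",
                                            policy=policy.default)
            structured.extend(str(h) for h in hdrs.get_all("Received", []))
        elif ctype == "text/plain":                   # human-readable bounce quoting the trace
            text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            textual.extend(m.group(0) for m in RECEIVED_RE.finditer(text))
    return structured or textual


def first_client_ip(received_line: str) -> Optional[str]:
    """First valid IPv4 on a Received: line; normally the connecting client."""
    for cand in IPV4_RE.findall(received_line):
        try:
            return str(ipaddress.IPv4Address(cand))
        except ipaddress.AddressValueError:
            continue
    return None


def original_source_ip(raw: bytes) -> Optional[str]:
    """IP that first handed the bounced original to an MTA.

    Each hop prepends its own Received: line, so the last one is the earliest hop.
    Falls back to the 'originated at: [ip]' phrasing some text-only bounces use.
    """
    lines = original_received_lines(raw)
    if lines:
        return first_client_ip(lines[-1])
    m = re.search(r"originated at:\s*\[?(\d{1,3}(?:\.\d{1,3}){3})",
                  raw.decode("utf-8", "replace"))
    return m.group(1) if m else None


def triage(raw: bytes) -> Dict[str, object]:
    """Classify one message and say whether our relays sent the bounced original.

    sent_by_us is None when there is no trace to check (auto-replies, bare bounces);
    a False value with a source_ip is the forged-From backscatter case, and that IP
    is the one worth reporting rather than the bouncing MTA.
    """
    kind = classify(raw)
    ip = original_source_ip(raw) if kind == "dsn" else None
    sent_by_us = None if ip is None else ip in OUR_OUTBOUND_IPS
    return {"kind": kind, "source_ip": ip, "sent_by_us": sent_by_us}


# Constructed sample: an RFC 3464 bounce wrapping a forged-From original.
SAMPLE_DSN = b"""Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: me@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: text/plain

The message could not be delivered.
--B
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; someone@example.net
Action: failed
Status: 5.1.1
--B
Content-Type: message/rfc822

Received: from mx.example.net (mx.example.net [203.0.113.5])
    by inbound.example.net with ESMTP; Tue, 23 Aug 2011 20:18:58 +0000
Received: from networkingtechnology.invalid ([192.0.2.77] helo=networkingtechnology.invalid)
    by mx.example.net with SMTP; Tue, 23 Aug 2011 20:18:57 +0000
From: "Thao Nguyen" <me@example.com>
To: someone@example.net
Subject: Someone, dont let that happen

body text
--B--
"""

# Constructed sample: a vacation responder answering a forged-From message.
SAMPLE_AUTO_REPLY = b"""From: someone <someone@example.org>
To: me@example.com
Subject: Re: Richard, dont let that happen
Auto-Submitted: auto-replied (zimbra; vacation)
Precedence: bulk
Content-Type: text/plain; charset=utf-8

I am out of the office until Monday.
"""

if __name__ == "__main__":
    for name, raw in (("dsn", SAMPLE_DSN), ("auto-reply", SAMPLE_AUTO_REPLY)):
        print(name, triage(raw))
```

Run against a mailbox of these bounces, the DSN branch yields the first-hop IP (192.0.2.77 for the constructed sample) and a sent_by_us of False, which is the evidence a report to the bouncing MTA's provider needs; auto-replies carry no trace of the original, so the script can only count them. The first IPv4 on the earliest Received: line is the connecting client on well-formed traces, but a spammer controls every header below the first honest hop, so treat the result as the last trustworthy hop, not proof of origin.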
lisati Posted August 24, 2011

Death to the hackers?????? I'm not sure about that: I frequent forums where the word "hackers" sometimes refers to the good guys, and where those that the media refers to as "hackers" are sometimes referred to as "crackers" in preference to some colourful name that probably shouldn't be repeated here.
Farelf Posted August 25, 2011

Individual submissions for clemency may be considered. That's the beauty of the short stake - it is slow enough for such.
Baldur2630 (Author) Posted August 25, 2011

NO clemency, NO extenuating circumstances. The guilty have two choices:

1. Banned from ever owning or using a computer again for any reason AND a life sentence of hard labor with no possibility of parole and NO remuneration

OR

2. Death by either the sharpened greasy pole, the rats and the copper cage, or the good old-fashioned method - hanging, drawing and quartering.

All thoughts of kindness vanished yesterday evening after several hours of deleting bounced messages and auto-replies!