MyNameHere Posted June 17, 2012

It looks like someone is sending spam using gmail but spoofing my SpamCop address. The bounces are being sent by gmail, but when I look at the headers of the "bounced" message, I see this line:

    Received: from h216-45-119-187.dynamic.matriksdata.com (HELO [192.168.1.188]) (myaccount[at]spamcop.net[at]216.45.119.187) by frontend9.matriksdata.com with SMTP (f3fb9070-6e17-11e1-8f08-001143d827f1); Sat, 16 Jun 2012 09:48:08 -0500

Note that the 216... IP is a Canadian address and 192... is a special reserved private address block:

    "Addresses from this block can be used by anyone without any need to coordinate with IANA or an Internet registry. Addresses from this block are used in multiple, separately operated networks."

Is it reasonable for me to assume that I have nothing to do with these emails and that a spammer is spoofing my address? Is there any point in reporting these bounces to anyone (gmail, for example)?

Thanks!

Farelf Posted June 17, 2012

If you didn't send them, gmail shouldn't be bouncing them to you. They need a heads up to fix that, if they're smart enough/motivated enough. If these are being bounced direct to your SC account you should be able to give them reports through SC (abuse[at]google.com). Bounces are reportable (to gmail), just don't attempt to extract the bounced message to report that to the origin's abuse address - that is gmail's problem.

Have you tried SC reporting one of the bounces?

MyNameHere (Author) Posted June 17, 2012

I just now reported one. I added a note about why I reported it. I'll post if I get any response.

Thanks!

SpamCopAdmin Posted June 17, 2012

Please send me a complete copy of the bounce email so I can see all the details.

service[at]spamcop.net

Thanks!

- Don D'Minion
- SpamCop Admin
- Service[at]Admin.SpamCop.net

petzl Posted June 17, 2012

I just forwarded all six of them.

Bounces are spam and doubt if Gmail would send them?

A link of your spamcop report would be good like this one as example
http://www.spamcop.net/sc?id=z5350763228z4...a05bb4572a7a4dz

MyNameHere (Author) Posted June 17, 2012

The SpamCop parser found that the failure messages came from Google. Here is one of the reports.

None of the recipients of bounced messages is from my contact list, so I don't think these have any connection to me other than a spammer's decision to forge a SpamCop address.

P.S. The failure messages were in my Inbox, not my Held Mail.

petzl Posted June 17, 2012

> The SpamCop parser found that the failure messages came from Google. Here is one of the reports.
>
> None of the recipients of bounced messages is from my contact list, so I don't think these have any connection to me other than a spammer's decision to forge a SpamCop address.
>
> P.S. The failure messages were in my Inbox, not my Held Mail.

You have to copy the www bit (can't access mailsc without your password).

Not that I disbelieve you, just want to see it, could be a compromised account. Not had any Gmail spam for ages. A lot of spammers put a Gmail addy on the From.

Why I blacklist all mail from Gmail.com, Yahoo.com, Hotmail.com, etc.

MyNameHere (Author) Posted June 17, 2012

Sorry for my ignorance, but I submitted those by forwarding them to SpamCop reporting, not quick reporting via webmail, so I don't know how to get the WWW link. ???

Farelf Posted June 18, 2012

You need to log into your reporting member page and pick it up from "Past Reports" - FAQ may help with the process:

FAQ Entry: Getting a Tracking URL from a Report ID

My member page looks like: http://img839.imageshack.us/img839/8061/reporterpage.png

Yell if you have difficulty.

Farelf Posted June 18, 2012

Thanks MyNameHere. I'm no great shakes at analysis but it looks to me like gmail had three possible sources in the original spam (77.52.252.42, 124.40.41.92 = AKAMAI/Spamcop via the munged domain/address - and 216.45.119.187) - and they unerringly picked the least justified and most easily spoofed of the lot when they picked you. Fair to say they had dropped the connection before they realised stevens_rt[at]192.101.80.17 was not a deliverable address and there is no way they should have tried to return the message (to anyone).
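
Added example, not part of any post in this thread: a small Python parser for the Received line quoted in the opening post. It separates the HELO value, the identity string and the peer address, and classifies each address so that only a routable one is treated as evidence of origin. The function names and the regular expressions are assumptions fitted to this one header layout.

```python
import ipaddress
import re

# Received line as quoted in the opening post, addresses munged with [at] as on the page.
RECEIVED = (
    "from h216-45-119-187.dynamic.matriksdata.com (HELO [192.168.1.188]) "
    "(myaccount[at]spamcop.net[at]216.45.119.187) by frontend9.matriksdata.com "
    "with SMTP (f3fb9070-6e17-11e1-8f08-001143d827f1); "
    "Sat, 16 Jun 2012 09:48:08 -0500"
)
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def classify(ip_text):
    """Return 'private', 'public', 'reserved' or 'invalid' for an address string."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    if ip.is_private:
        return "private"      # e.g. 192.168.0.0/16, reused on countless LANs
    return "public" if ip.is_global else "reserved"


def parse_received(line):
    """Split one Received line of this layout into its separate fields."""
    helo = re.search(r"\(HELO\s+\[?([^\]\s)]+)\]?\)", line)
    peer = re.search(r"\((\S+?)(?:\[at\]|@)(" + IPV4 + r")\)", line)
    by = re.search(r"\bby\s+(\S+)", line)
    return {
        # HELO is whatever the sending client announced about itself.
        "helo": helo.group(1) if helo else None,
        # Identity string logged with the peer address; treated as unverified
        # here, since its meaning depends on the receiving MTA (assumption).
        "claimed_identity": peer.group(1) if peer else None,
        # Address of the connecting peer as written by the server named in "by".
        "peer_ip": peer.group(2) if peer else None,
        "recorded_by": by.group(1) if by else None,
    }


def assess(line):
    """Classify both addresses found in the line, or mark them absent."""
    p = parse_received(line)
    return {
        "helo": classify(p["helo"]) if p["helo"] else "absent",
        "peer_ip": classify(p["peer_ip"]) if p["peer_ip"] else "absent",
    }
```

For the quoted header, `assess(RECEIVED)` marks the HELO address as private and the peer address as public, which matches the reading in the opening post: the 192.168 value identifies nobody, and the 216 address is the one worth looking up.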
This topic is now archived and is closed to further replies.