Jump to content

spammer spoofing spamcop addresses?


MyNameHere
 Share

Recommended Posts

It looks like someone is sending spam using gmail but spoofing my SpamCop address. The bounces are being sent by gmail, but when I look at the headers of the "bounced" message, I see this line:

Received: from h216-45-119-187.dynamic.matriksdata.com (HELO [192.168.1.188]) (myaccount[at]spamcop.net[at]216.45.119.187)

by frontend9.matriksdata.com with SMTP

(f3fb9070-6e17-11e1-8f08-001143d827f1); Sat, 16 Jun 2012 09:48:08 -0500

Note that the 216... IP is a Canadian address and 192... is a special reserved private address block:

Addresses from this block can be used by

anyone without any need to coordinate with

IANA or an Internet registry. Addresses from

this block are used in multiple, separately

operated networks.

Is it reasonable for me to assume that I have nothing to do with these emails and that a spammer is spoofing my address?

Is there any point in reporting these bounces to anyone (gmail, for example)?

Thanks!

Link to comment
Share on other sites

If you didn't send them, gmail shouldn't be bouncing them to you. They need a heads up to fix that, if they're smart enough/motivated enough. If these are being bounced direct to your SC account you should be able to give them reports through SC (abuse[at]google.com). Bounces are reportable (to gmail), just don't attempt to extract the bounced message to report that to the origin's abuse address - that is gmail's problem. Have you tried SC reporting one of the bounces?

Link to comment
Share on other sites

The SpamCop parser found that the failure messages came from Google.

Here is one of the reports.

None of the recipients of bounced messages is from my contact list, so I don't think these have any connection to me other than a spammer's decision to forge a SpamCop address.

P.S. The failure messages were in my Inbox, not my Held Mail.

Edited by MyNameHere
Link to comment
Share on other sites

The SpamCop parser found that the failure messages came from Google.

Here is one of the reports.

None of the recipients of bounced messages is from my contact list, so I don't think these have any connection to me other than a spammer's decision to forge a SpamCop address.

P.S. The failure messages were in my Inbox, not my Held Mail.

You have to copy the www bit (can't access mailsc without your password)

Not that I disbelieve you just want to see it could be a compromised account.

Not had any Gmail spam for ages. A lot of spammers put a Gmail addy on the from

Why I blacklist all mail from Gmail.com, Yahoo.com, Hotmail.com, etc

Link to comment
Share on other sites

Thanks MyNameHere. I'm no great shakes at analysis but it looks to me like gmail had three possible sources in the original spam (77.52.252.42, 124.40.41.92 = AKAMAI/Spamcop via the munged domain/address - and 216.45.119.187) - and they unerringly picked the least justified and most easily spoofed of the lot when they picked you. Fair to say they had dropped the connection before they realised stevens_rt[at]192.101.80.17 was not a deliverable address and there is no way they should have tried to return the message (to anyone).

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...