Reporting spam from my spoofed email address

[clivel]

Hello,
I have been experiencing a rather difficult problem over the last week or so and it is steadily getting worse. A spammer is sending out spam using my email address in the from field. As a result, all bounced emails come back to me.
Many of the bounced emails return the original email as an attachment which advertises an adult site http://veronyka.co.ua (always via one of the many domain shortening services).

As I seem powerless to put a stop to the flood of bounced emails I receive, at the very least I thought that I would report the attached emails to SpamCop Unfortunately these reports are rejected by SpamCop, presumably because my email address is in the from field, I get the following errror:

SpamCop v 4.8.2.018 © 2014 Cisco Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6027951760zfb7bdddfabbcac98282c6e14fe134696z
Mailhost configuration problem, identified internal IP as source
Mailhost:
Please correct this situation - register every email address where you receive spam
No source IP address found, cannot proceed.
Add/edit your mailhost configuration
Finding full email headers
Submitting spam via email (may work better)
Example: What spam headers should look like
Nothing to do.

How do I work around this? And if anyone has any ideas for shutting down the spammers or at the very least get them to remove my email address as the source, I would really appreciate it.
Thanks,
Clive

[turetzsr]

Hi, Clive,
&nbsp &nbsp&nbsp&nbsp&nbsp Sorry to hear of your problem.
&nbsp &nbsp&nbsp&nbsp&nbsp "Mailhost configuration problem, identified internal IP as source" generally indicates that the spam is not going out over the internet but rather directly from a fellow subscriber of your e-mail provider. There is also the chance that the spammer is not merely spoofing your account but has actually found a way to send e-mail from your account (this happened to my Yahoo!Mail account once). In either case, you should report the spam to your e-mail provider; in the latter case, you should also try to change your password and, if you can't, ask your provider to terminate that account and create a new one for you. Please consider using a "strong" password that includes upper case characters, lower case characters, digits and special characters if allowed by your e-mail provider. You can search the internet for more information about what constitutes a "strong" password and how to avoid the problem of their being easy for you to forget.
&nbsp &nbsp&nbsp&nbsp&nbsp There is no way for us "common" victims to shut down spammers or to stop them from spoofing whatever e-mail address they wish; only the e-mail providers can do that. The best we victims can do is to report spam and to promote education about spam and encourage e-mail providers to block or (better) filter suspected spam into a separate location than users' Inboxes so that we can review it, correct any "false positives" (non-spam that gets stored in the "suspected spam" folder) and report the spam.

[Lking]

Clive,

Although the original email returned to you in the misdirected bounce email is "spam" it is not "your spam", it is not spam originally sent to you and can not be reported by you. However, the bounce email incorrectly sent to you because your email was forged in the original email, is spam sent to you. See https://www.spamcop.net/fom-serve/cache/14.html scroll down to Messages which may be reported: where you will find "Misdirected bounces" listed.

I have also broken the link to the adult site. We wouldn't want to help their location in a search engine.

[clivel]

Lou and Steve T thanks very much for the responses.

For some fortuitous reason the bounces have almost completely dried up today. Only a few "Delayed Mail (still being retried)" coming through. I expect that I will continue to receive these for the next few days, but they will be reported to SpamCop.

Thanks,

Clive

[clivel]

Unfortunately I spoke to soon after a day or so the bounced spam started up again.

I am at my wits end, every day I receive dozens of bounced emails all spamvertising the site veronyka.co.ua via URL shortening services. This has been carrying on for over a month now and I seem powerless to stop it. I can only guess at just how many of these emails are going out in my name on a daily basis.

Reporting the bounced spam to SpamCop has a negligable effect, because the source of the spam is not reported only the server that bounced the message, nor is the URL of the domain shortening service reported. I was hoping that at the very least SpamCop would pick that up.

Actually, even if it was picked up by SpamCop, the shortening services would seem to be the weak link effectively insulating the spammer from any repercussions.

I really don't know what to do anymore, I have even considered writing to the criminals behind veronyka.co.ua to ask them to please stop using my email address, but unsurprisingly their registration information is not public

Any suggestions as how to put an end to this mess would be very much appreciated.

Thanks,

Clive

[Lking]

Clive,

I hate to say "welcome to the modern world."

I have been using one of my email addresses for over 20 years. Yes that email and domain are on lots of spam list. Every so often a spammer picks a mailbox in my domain to forge into the FROM: or Reply-To: for their spam barrage. For example last weekend I received an uncounted number (3-400) bounces all in Chinese. My email address was the FROM in the original spam.

The only answer is good filtering. I don't know how you get/handle your email, I use Thunderbird. With that I can direct all "Failed delivery" and other standard subjects, to their own folder. If you are confident, you could send them straight to the trash.

Your analysis is correct, reporting the bounces will not stop them. If your look like mine, most of the bounces are all from different ISPs. Besides you really don't want to block the ISP, you (we) really want to educate them to correctly send the bounce message to the real sender, by looking at the header in the same way as SC does.

On the other hand you don't want to, or have your ISP, block all bounce messages. In that way you will not know if one of the emails you sent are misaddressed.

[Farelf]

Hi Clive,

Bad news indeed. But the spambots seldom retain any particular spoofed sender address for long (unless you have REALLY upset someone) - that is counter-productive for them. Being a spoofed sender is usually fairly rare and truly random. But even random rare occurrences can (even more rarely) recur in close succession - or maybe there have been inbuilt delays for retry attempts as used by some networks.

The idea of reporting misdirected bounces is to educate the errant postmasters doing that bouncing. One way or another the situation does seem to have actually improved over the years. E-mail providers, depending on their resources, are able to filter out incoming misdirected non-delivery notices - perhaps that is the real reason for the general improvement, but education may have something to do with it as well. People with the bandwidth (and lack of flood control) used to get thousands of bounces an hour to the spoofed sender/return address for a few days. That doesn't happen any more.

If you use e-mail submissions for reporting, you can send whole batches of them in each submission which streamlines the process. Since analysis of the bounce message body is pointless, "Quick" reporting might be a useful further streamlining option - but note there are risks of reporting your own provider if your network configuration changes unexpectedly.

I see veronyka.co.ua is listed in the SURBL (real-time URI blacklists), which is probably one of the reasons for the reliance on "shortening" services. It will surely appear on other lists and reputation alerts as well (but not on the URIBL, the shortening services are working well in protecting that "spamvertized" website). Anyway, you can contribute to some of those lists and alerts since you possess evidence, even if it is not "your" spam directly. Also, some of those shortening services are amenable to complaints and will block attempts to abuse their services, Unfortunately bounce reporting doesn't involve content analysis of the original spam, that is something to be addressed, if at, outside of the SC reporting system.

Those are some things to consider if it persists unreasonably - but for most it does not last long (it just SEEMS like an outrageously long time while it is happening).

[lartingyou]

Wikipedia has some info about filtering misdirected bounces (aka backscatter): http://en.wikipedia.org/wiki/Backscatter_%28email%29#Filtering_backscatter

If it's Russian spam, you may be experiencing a kind of backscatter that seems to be a feature of a spammer's software, perhaps to improve chances of passing a filter (that checks to see if the "from:" field is a real address) or to make sure that bounced spam ends up in a real mailbox. See the discussion/analysis here: http://profs.etsmtl.ca/cfuhrman/backscatter/ -- As others have said, there's probably not anything you can do about it.

[clivel]

Thanks for the advice Lou, Farelf and lartingyou,

Fortunately the bounces seem to be slowing down again, only a half dozen or so in in the last day, so at the moment they are more of an irritation than anything. Yet for some irrational reason I still get so incensed by them, perhaps because I feel so powerless to put an end to it.

I have been forwarding many of the emails to the respective domain shortening services, most have been very helpful, unfortunately the two services most frequently used by this spammer mow.so & link.vpn.by have completely ignored all attempts to communicate with them.

Thanks again,

Clive

[Lking]

... unfortunately the two services most frequently used by this spammer mow.so & link.vpn.by have completely ignored all attempts to communicate with them.

There may be a direct cause and effect here. The spammer may know which domain shortening services "just don't care" or won't take any action.

[lartingyou]

There may be a direct cause and effect here. The spammer may know which domain shortening services "just don't care" or won't take any action.

Does anyone know if SURBL takes this phenomenon into consideration? That is, mow.so (or whatever lax shortener) will start to show up on block lists. That's how it's supposed to work, right?

EDIT: I just checked SURBL, and mow.so is on SURBL lists: JP SC

[Farelf]

Ah, good. Can't rely on SC reports adding to the SURBL (difficulty parsing URIs in the body sometimes, as we know, also "Quick" reports don't contribute) but it obviously does sort of work. More leverage, FWIW, on the lackadaisical/complicit shortening services and a tool to help divert/drop the mailbox spam load.

CleanTalk (https://cleantalk.org/blacklists) currently lists mow.so too - CleanTalk lists are mostly for comment spam IIUC.

[HzM]

I've been hit by the same problem.  My mail host reports nicely back on each undeliverable mail - in the thousands now.  As described above, the original mails (including the original headers) are appended to the "Mail delivery failed: returning message to sender" mails I get.  And, of course, it doesn't make sense to report my own mail host as spammer...

Using Thunderbird as mail client, I have developed a scri_pt which parses the Thunderbird INBOX file and extracts the original "Received: from" lines. Seems like there are to kinds:  

1. "Received: from mail.xxxx.com ([123.456.789.123]:<port number> helo=exploited.site.com)" 
2. "Received: from [123.456.789.123] (port=34176 helo=exploited.site)"

(mail.xxx.com would be the name of the mail server sending on behalf of the exploited site.)

It seems like - in my case - that they come in groups of up to 5, and then the source changes.  In a sample of 2070 there were a total of 782 unique IP sender addresses.

The text included in the original mail (spoofing my mail ID) varies sligthly - I've seen French, English, Polish, Italian texts, but more or less to the same adult point.  

Now, this is all very interesting, because now I have a view of the bot net used.

But then what to do next?  Since it's not doable to copy/paste each individual original header into some reporting tool - and since, in principle, the exploited domain owner should report the spam - can I then take this extracted information (mail server ID + IP address + exploited domain name) and report this on SpamCop or somewhere else?

Ideas?

/Per

[lisati]

Forwarding the offending emails as attachments to your Spamcop reporting account should be fine most of the time. One advantage is that you can send them in batches, and, depending on your settings, Spamcop will mung (disguise) your email address in any reports it sends out.

[Lking]

To be clear, the bounce email sent to you is spam sent to you. Although the email included in the bounce email is spam it is not your spam, and should not be reported by you (except as part of the bounce email).  If the original spam were to be separately sent to SpamCop by you, your mailhost settings would cause the submission to be rejected.   Unfortunately, that does not do what you intend. The SpamCop blocklist is a dynamic list of offending IP addresses that reflects resent/continuing spam from those IPs.  Historical, older evidence, is not used.  For example spam more than two days old is rejected by the parser.

See my earlier post in this thread.

[HzM]

I have a scheduled job going through the impacted mail file each hour, extracting the original sending server names, their IP address, their port and on behalf of whom they are sending.

So it's by no means "old data" - it's filtered out while the thing is happening.

It's pretty frustrating to have this detailled knowledge and not being able to put it to proper usage.  If each of the targets were to report, we should have maybe 10.000 real end users activated, which will not happen.  Instead, the spreadsheet with all the info collected in one spot is frawned upon.

True, I could forward the reponses (in bunches of, say 1000).  Maybe I should do so and then let the utility come to the same result as "my" list.

/Per

[lisati]

Am I to understand that you have a cron job on your server which you use to process unwanted email, and you then forward the processed data to Spamcop?