Finding out who...


Caracal

So I'm getting joejobbed by a spammer. Joygasm. It's been going on since February of this year and it's slowly gotten worse and worse, it's starting to piss me off.

Today's spammer pointed to a website of http://www.medz-store.com/s/?html , one of those blasted online pharmacy stores, which I eventually (and possibly inaccurately) traced to hanaro.com, which seems to be one of those problem ISPs.

What I want to find out is WHO is behind it. I can't get the full headers (and use spamcop) because the only reason I know I'm being joejobbed is I'm getting "cannot be delivered" bouncebacks to e-mail addresses that don't exist on my site falling into my catchall (which I can't turn off because then I won't get any regular e-mail for some reason, so I have to deal with it, blasted thing).

I don't know how to find out who my mystery spammer is and take some action (as much action as a poor 22 year old can).

Other spam related to the e-mail, including copies of it (but not with my domain in the return address) can be found here: http://groups.google.com/groups?q=Your%20f...off&sa=N&tab=wg

Unfortunately, I don't know how to get enough info to link the above to someone in The Register of Known spam Operations. Does anyone out there in internet land know/been following/researched this particular spammer?

/snip

Today's spammer pointed to a website of http://www.medz-store.com/s/?html , one of those blasted online pharmacy stores, which I eventually (and possibly inaccurately) traced to hanaro.com, which seems to be one of those problem ISPs.

/snip

Hanaro makes some 90% of the spam I get...some of it in Korean....it is the only source of spam I get that is not stopped or slowed by reporting...Perhaps your hypothesis is right...either they don't deal with the abuse or the whole thing is spoofed..

one of those blasted online pharmacy stores, which I eventually (and possibly inaccurately) traced to hanaro.com, which seems to be one of those problem ISPs.

What an understatement! Virtually every one of my "Quick Reporting" summaries that I've been archiving mentions reports being sent to Hanaro...they are about as bad as they come.

What I want to find out is WHO is behind it. I can't get the full headers (and use spamcop) because the only reason I know I'm being joejobbed is I'm getting "cannot be delivered" bouncebacks to e-mail addresses that don't exist on my site falling into my catchall

Actually the IP sources in the spam headers probably won't do you any good, because I took a look at some of the many reported in "news.admin.net-abuse.sightings" and they resolve to compromised dynamic IPs, probably infected PC's with backdoor spamming trojans on them. You need to go after whoever runs the actual business being spamvertised, but I think they're in China...so....I think you're out of luck.

(which I can't turn off because then I won't get any regular e-mail for some reason, so I have to deal with it, blasted thing).

Oh, I'd recommend that you pursue turning your "catch all" off. I did that recently and I'm much happier now that I'm not getting all the Joe-Job bounces. Of course, I had to reconstruct specific aliases for about 75 different specific addresses I've made up at my domain over the years that I've had it...I'm sure I missed a few, but it was worth it.

dt
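
Added example (not part of any post in this thread): a bounce that follows the RFC 3464 delivery-status layout may include the headers of the message it is returning, so the catch-all bounces described above can be parsed for the forged sender address, the failed recipient, and the IP that handed the spam to the bouncing server. The sample bounce, the `victim.example` domain and the alias set are constructed assumptions.

```python
import email
import re
from email import policy

# Constructed sample bounce (RFC 3464 layout); every host and address is invented.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: qx7zt@victim.example
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1

--b1
Content-Type: text/rfc822-headers

Received: from pc (unknown [192.0.2.45])
 by mx.example.net with SMTP; Wed, 4 Aug 2004 10:00:00 +0000
From: qx7zt@victim.example
To: nobody@example.net

--b1--
"""

def analyze_bounce(raw, real_aliases):
    """Summarise one bounce; real_aliases is the set of addresses that really exist."""
    msg = email.message_from_string(raw, policy=policy.default)
    out = {"is_dsn": msg.get_content_type() == "multipart/report",
           "failed_recipient": None, "injecting_ip": None}
    forged = msg["To"].addresses[0].addr_spec.lower()  # bounce goes to the forged sender
    out["forged_sender"], out["alias_exists"] = forged, forged in real_aliases
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.get("Final-Recipient"):  # per-recipient block of the delivery status
            out["failed_recipient"] = part["Final-Recipient"].split(";", 1)[1].strip()
        elif ctype in ("text/rfc822-headers", "message/rfc822"):
            orig = (part.get_payload(0) if ctype == "message/rfc822" else
                    email.message_from_string(part.get_content(), policy=policy.default))
            # Only the topmost Received line was written by the bouncing host;
            # anything below it could have been forged by the sender.
            top = (orig.get_all("Received") or [""])[0]
            ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", top)
            out["injecting_ip"] = ip.group(1) if ip else None
    return out
```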

Hanaro makes some 90% of the spam I get...some of it in Korean....it is the only source of spam I get that is not stopped or slowed by reporting...Perhaps your hypothesis is right...either they don't deal with the abuse or the whole thing is spoofed..

Hanaro is both the source of a LOT of spam and the host for many spamvertised sites, but I disagree with your comment that it "is the only source of spam I get that is not stopped or slowed by reporting" in that their IP addresses are going into SpamCop's BL and that's why I never saw their messages....they went straight into my Held Mail. If you had a SpamCop email account, you wouldn't be receiving those Hanaro messages, either.

dt

First of all, what you are describing is not a "joe-job" by definition. You are dealing with plain and simple forgery of the included addresses.

Strange that you post your complaint here today, as the same discussion is going on over in the newsgroups ... Merlyn posted this news article link ... though it doesn't say much, it says enough to highlight your point. http://english.chosun.com/w21data/html/new...0408040024.html

First of all, what you are describing is not a "joe-job" by definition.  You are dealing with plain and simple forgery of the included addresses.

I think I disagree...here's a definition:

"A spam run forged to appear as though it came from an innocent party, who is then generally flooded by the bounces; or, the act of performing such a run."

From the mention by the OP that the spams are forged to come from many different addresses at their domain (the reference to their "catch-all"), I think this qualifies as what's currently referred to as a "joe-job" -- or why doesn't it, Wazoo?

dt

Just a guess that you snagged the first Google answer, try going another level down to http://www.everything2.com/index.pl?node=Joe%20Job which does a much better job of explaining what really happened .. and goes on to compare the forged From: line as compared to an actual Joe-job. The first definition (no date seen on the web page) sounds more like it was written by an individual with a much shorter "net" history than the original incident, and more and more folks are trying to slide the definition towards covering simple forgery ... I still see the term Joe-Job as carrying a much more sinister load. For example, the fake SpamCop e-mails that were the rage last year, advising folks that their sites were going to be shut down .. now that was a joe-job.

I defer to the Grand Wazoo, you're right! I was using the term too loosely. What finally convinced me was when I read the definition from this URL:

http://www.spamfaq.net/terminology.shtml

It's Part 3 of the "news.admin.net-abuse.email" FAQ, with the specific reference being:

3.2.22 What's a "Joe Job"?

The act of faking a spam so that it appears to be from an innocent third party, in order to damage their reputation and possibly to trick their provider into revoking their Internet access. Named after Joes.com, which was victimized in this way by a spammer some years ago.

Thanks for the education...I should have known that term better, because I've been fighting spam on and off since at least December of 1995, when I helped to chase "Fred Sterling" (AKA "Willie Newell") of "Moneyworld.com" and the "Zygon Learning Machine" around the Internet, from provider to provider. I was actively reading Usenet groups back when Arizona lawyers Canter and Siegel perpetrated the biggest of the original spam attacks (back when "spam" was posting to zillions of newsgroups - not sending UCE) regarding the "Green Card lottery" -- that should date me. :D

dt

I'm ruling out the likelihood that you were one of my BBS users ....

Probably not, if it was a long-distance call from central California, where I was using local BBS's and eventually CompuServe with a 1200 baud modem on my CPM-based Kaypro II computer with its 8-inch monochrome screen. I've still got that thing around here somewhere...

dt

Archived

This topic is now archived and is closed to further replies.
