Tim P Posted November 24, 2004

http://www.spamcop.net/sc?id=z695881370z45...6a14a38261b625z

I'm getting these "bounce" messages from spammer(/s) who do nothing but taunt SC reporters. They believe that by forging these...(who knows why?) they can hopscotch their bogus crap to the rest of us without impunity.

No... it is not spam sent to someone else. It was deliberately sent to me.

Has anyone run into this stupid spammer trick? Hard to imagine that this is unique at all.

I can, and do, report these to the abuse desks on my own.....but I want to have reports sent directly from SC to these scumbags so they can't hide from their internet access providers (and thus avoid getting kicked offline). Isn't that part of what SC is designed for?

Some of these same 'bouncers' are involved with the criminal fraud on the net. (I will not reveal any proof of that info here)

I'm tired of obtaining:

"message looks like a bounce, will not report. Do not report bounces as spam" :angry:

Please fix this.

http://dnsstuff.com/tools/mail.ch?domain=M...0ns.everzen.com

Getting MX record for ns.everzen.com... Received an NXDOMAIN response. This means that the ns.everzen.com domain does not exist! No mail can be sent to it.

Please fix the parser to detect these forgeries and generate reports as usual. It would add to the statistics and chase the spammer from hiding from his/her provider.

Unless someone has a better idea?......
alien999999999 Posted November 24, 2004

I'm receiving some of these as well, and also I'm receiving spam mails which have 2 links in the body, and nothing else, I'm receiving those constantly and they are reportable...

I also get a lot of hotmail-alike mails, they aren't spam, but I'm getting mails which appear not to be sent to me, but are deliberately sent to me; they are the type of: "you changed your hotmail password successfully, your message can't be delivered by hotmail.com etc..."

spam is really too much, these days...
Merlyn Posted November 24, 2004

Received: from ns.everzen.com ([209.97.207.114])

Looks like:
canonical name everzen.com.
addresses 209.97.207.114

Resolved 209.97.207.114 to everzen.com.
[everzen.com. has 1 MX record mail.everzen.com.(10)]
(209.97.207.114) Last day 3.8 104% Last 30 days 3.8 93%

Either they are bouncing the fake "From" or the "Reply-To" address.

The spamvertised site is http://www.pinkcasefile.com/ref62.html
canonical name www.pinkcasefile.com.
addresses 200.157.21.114

See:
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL20906
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL21097
Pondscum Ibragimov Ruslan / send-safe.com

I would say everzen.com have their mail server set up poorly. They should be contacted. They are as bad as the spammers.
turetzsr Posted November 24, 2004

> http://www.spamcop.net/sc?id=z695881370z45...6a14a38261b625z
>
> I'm getting these "bounce" messages from spammer(/s) who do nothing but taunt SC reporters. They believe that by forging these...(who knows why?) they can hopscotch their bogus crap to the rest of us without impunity.
>
> No... it is not spam sent to someone else. It was deliberately sent to me.
>
> Has anyone run into this stupid spammer trick? Hard to imagine that this is unique at all.
>
> I can, and do, report these to the abuse desks on my own.....but I want to have reports sent directly from SC to these scumbags so they can't hide from their internet access providers (and thus avoid getting kicked offline). Isn't that part of what SC is designed for?
>
> <snip>

...Nope! Please see SpamCop FAQ: On what type of email should I (not) use SpamCop?.
Miss Betsy Posted November 24, 2004

There are a number of people who would like spamcop to be VirusCop and BounceCop also, but so far spamcop admin prefers to stick to one mission. There is a good rationale for that because there would be different ways of handling spam, infected machines, and improper bounces so that if there were blocklists based on those criteria, there should be different algorithms for listing and removal.

Miss Betsy
Tim P Posted November 24, 2004

> There are a number of people who would like spamcop to be VirusCop and BounceCop also, but so far spamcop admin prefers to stick to one mission. There is a good rationale for that because there would be different ways of handling spam, infected machines, and improper bounces so that if there were blocklists based on those criteria, there should be different algorithms for listing and removal.
>
> Miss Betsy

Apparently this link is misleading then:

http://dnsstuff.com/tools/mail.ch?domain=M...0ns.everzen.com

I've seen forged bounces enough to know who and why... missed the ip (209.97.207.114) and didn't follow through when the "looks like a bounce" message came up. I made a mistake.

However, there are others I have pursued, and they are forged bounces:

http://forum.spamcop.net/forums/index.php?showtopic=2976

A response from Richard about another bounce message:

http://www.spamcop.net/sc?id=z690869826z56...000f8264f51b2ez

" It is a fake bounce, but not because of the reasons you cite. Bounces can go to two addresses if the envelope and from are different on the original mail.. However, I would expect a Yahoo bounce to come from a Yahoo server; and, I wouldn't expect to see an obviously forged received line in a bounce (from Yahoo):..." < snip >

I had reasoned that bounces cannot go back to multiple recipients unless the same message was interpreted to come from multiple senders... This reads that two email addresses, one in the "from:" and one in the "reply to:" address, are notified. But this doesn't explain more than two recipients getting the bounce message.

These forged bounce exploits should parse as spam and that has nothing to do with bounces and viruses. I was simply requesting a tweak to the parser to foil this exploit.

Guess more forged bounces will get sent to deputies
Jeff G. Posted November 25, 2004

That appears to be a real bounce of a forged spam relay attempt. Was your address in the Return-Path or From Header Line, or both?
Tim P Posted November 25, 2004

Do you mean in this part in the other forged bounce?:

-------------------------------------------------------------
.
From: "Postmaster" <postmaster[at]yahoo.com>
Reply-To: "Postmaster" <postmaster[at]yahoo.com>
To: x, x, x, x, x, x, x, x, x, x, x
.
-------------------------------------------------------------

Let me dig up the original and see.... Yep....all are to separate recipients. Also, the *bounce* message doesn't have a copy of the original message containing any headers at all.

Or in the bounced email sent back by MAILER-DAEMON[at]ns.everzen.com?:

---------------------------------------------------------------------------------
.
Return-Path: <x>
Received: (qmail 20737 invoked from network); 24 Nov 2004 02:21:13 -0000
Received: from c-24-131-59-34.mw.client2.attbi.com (HELO compuserve.com) (24.131.59.34)
  by aote.net with SMTP; 24 Nov 2004 02:21:12 -0000
Date: Tue, 23 Nov 2004 08:21:55 +0000
From: 1pepper <x>
.
----------------------------------------------------------------------------------

Checking the original now....It does indeed have both fields with my email address. The From field also does not have my real name (the name I use as a From name).

I got a bit hasty to report this one. My mind must've been somewhere else at the time.

BTW Happy Thanksgiving everyone!
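
Added example, not part of any post in this thread: a Python sketch of the checks the posters apply by hand to decide whether a "bounce" is forged (more than one recipient, a delivering host that does not match the claimed bounce domain, no quoted original headers, and whether your own address was the forged sender). The function name, flag names, the example.org/example.net hosts and the assumption about the topmost Received line are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

def bounce_red_flags(raw, my_address):
    """Return reasons a purported bounce looks forged; [] means plausible."""
    msg = message_from_string(raw)
    flags = []
    # A bounce goes back to one envelope sender, not a list of addresses.
    if len(getaddresses(msg.get_all("To", []))) > 1:
        flags.append("multiple-recipients")
    # The delivering relay should belong to the domain the bounce claims.
    # Assumption: the topmost Received line was written by our own server
    # and begins "from <sender host name>".
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    received = msg.get_all("Received", [])
    m = re.match(r"\s*from\s+(\S+)", received[0]) if received else None
    relay = m.group(1).lower().rstrip(".") if m else ""
    if not from_dom or not (relay == from_dom or relay.endswith("." + from_dom)):
        flags.append("relay-domain-mismatch")
    # A genuine bounce quotes the original message or at least its headers.
    body = raw.partition("\n\n")[2]
    quoted = re.findall(r"^(?:Return-Path|From):.*$", body, re.M | re.I)
    if not quoted:
        flags.append("no-original-headers")
    # Our address as sender of the quoted original means backscatter from
    # spam that forged us; anything else has no reason to reach us.
    elif not any(my_address.lower() in q.lower() for q in quoted):
        flags.append("original-not-from-me")
    return flags

# Constructed samples modelled on the two messages discussed in the thread.
FAKE = """\
Received: from host.example.net (HELO yahoo.com) (192.0.2.10) by mx.example.org
From: "Postmaster" <postmaster@yahoo.com>
To: a@example.org, b@example.org, c@example.org
Subject: Delivery failure

Your message could not be delivered.
"""
REAL = """\
Received: from ns.everzen.com ([209.97.207.114]) by mx.example.org
From: MAILER-DAEMON@ns.everzen.com
To: me@example.org
Subject: failure notice

Return-Path: <me@example.org>
From: 1pepper <me@example.org>
"""
print(bounce_red_flags(FAKE, "me@example.org"), bounce_red_flags(REAL, "me@example.org"))
```

An empty list corresponds to what Jeff G. describes: a real bounce of spam that forged your address, which is not reportable as spam.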
Archived
This topic is now archived and is closed to further replies.