
Help needed to stop electronic attackers


cosmos2000


I am receiving unusual SPAMs because electronic attackers use my proper email address, like:

FROM: myName[at]spam.com TO: myName[at]spam.com

They also use it to do mass-emailing and to attack my computer and website.

Once, I deleted it with an attached infected file, but a computer crash followed, so that I was obliged to reformat my hard disk.

If a spammer uses a false email address, is there any way or any trick to eventually retrieve the spam submitter's IP address?

In order to maintain a whitelist of wanted email senders, do you know any blocking tool to tag and divert fake emails?

Thanks for help,

Titus


I am receiving unusual SPAMs because electronic attackers use my proper email address, like:

FROM: myName[at]spam.com TO: myName[at]spam.com

Simple forgery, you're not the first, surely not the last.

Once, I deleted it with an attached infected file, but a computer crash followed, so that I was obliged to reformat my hard disk.

Quite an extreme reaction, but there are a lot of other factors that may have been involved, which you didn't include.

If a spammer uses a false email address, is there any way or any trick to eventually retrieve the spam submitter's IP address?

Learn to read e-mail headers, data is there. Whether it tracks back to a location that can be kicked/fixed/whatever is another issue.

In order to maintain a whitelist of wanted email senders, do you know any blocking tool to tag and divert fake emails?

As with most of the above, there is a FAQ here with lots of answers to what you asked and a whole bunch more ...


Wazoo,

Thanks for reply.

My God, so I am not the first and surely not the last !!!

I think even SpamCop is useless in such situation.

Actually, if electronic attackers use my proper email address to send mass-emailing, what is my protection in the face of SpamCop ?!? It is nonsense to pay for fake emails ...

Titus


I'm not sure I understand your last remarks. Repeating that the FAQ is available, and then pointing out the most obvious detail .. SpamCop's tool-set doesn't revolve around an e-mail address, rather as in your initial query, tracking down the IP address of the source of the spew. Yes, there are still the clueless that may give you some grief over seeing your address as the alleged sender, but ... remember, these folks are clueless .. and could possibly end up being the spammer's next victim ..


Thanks kindly to both Wazoo and StevenUnderwood.

Properly, in my last point, I am not speaking at all about an email I send to myself but rather about the spammer's fake mass-emails FROM: myName[at]spam.com TO: personA[at]spam.com, personB[at]spam.com … and personZ[at]spam.com

By an illegal trick, the spammer just points to me as the alleged sender.


By an illegal trick, the spammer just points to me as the alleged sender.

I don't think there is anything "illegal" about it and it is simple. I amaze the people in my company (when they are interested) by sending them email "from" their home accounts while they look on. The field is easily forged and while the average end user might be confused or upset about it, and you might get some angry letters from people who hit the reply button or bounces that use that field, no ISP will be blaming you for spamming because of these forgeries.


Hello StevenUnderwood,

Your conclusion is that «no ISP will be blaming you for spamming because of these forgeries».

However, it does not conform to today's reality.

For example, after such forgeries, fake mass-emails by annoying electronic attackers and complaints from Spamcops, the domain name http://www.666myth.co.nr has been prematurely suspended by the CO.NR Administration (admin[at]co.nr).

Innocently and gullibly, the CO.NR policy is that forgery cannot exist in any way: they do not investigate spam complaints, do not provide any prior warnings, and just act like an automaton on spam issues.

Full story at these 3 links:

1) Dec 27 2004 = http://www.forums.co.nr/index.php?showtopic=2769

(Urgent Issue, Account co.nr suspended)

2) Jan 08 2005 = http://www.bilderberg.org/pepis05.htm

(An all new 666 calculator machine …has been removed from the web under false pretences)

3) Jan 09 2005 = http://www.freespeechstore.com/Qresults.as...asp?record=2577

(Dirty Tricks take out 666 web Calculator)

Please take a look at them.

Thanks


Third link doesn't go anywhere.

Second link contains flawed data.

First link finally explains that the site termination had nothing to do with a forged e-mail address. And if one were to possibly agree that maybe "spamcops" might be spamcop.net, then it seems as if the complaint(s) were about being a spamvertised site in some spew ....

Google comes back with: Your search - www.666myth.co.nr - did not match any documents .... so apparently nothing in sightings to look at ..

SpamCop reports would have gone to:

Parsing input: www.666myth.co.nr

host 82.146.33.215 (getting name) = russian.com.ru

Cached whois for 82.146.33.215 : abuse[at]ispserver.com inet[at]ispserver.com

Using abuse net on abuse[at]ispserver.com

No abuse net record for ispserver.com

Using best contacts abuse[at]ispserver.com

01/13/05 03:44:22 whois co.nr

.nr is a domain of Nauru

(international dialing code 964)

I don't know of a whois server for nr, sorry

01/13/05 03:45:33 Slow traceroute www.666myth.co.nr

Trace www.666myth.co.nr (82.146.33.215) ...

194.7.46.70 RTT: 139ms TTL:240 (so-7-0-0.HR1.BRU5.ALTER.net ok)

194.7.46.74 RTT: 139ms TTL:240 (so-0-0-0.UR1.BRU5.ALTER.net ok)

194.7.46.134 RTT: 139ms TTL:240 (GW1-0.DS1.BRU5.ALTER.net bogus rDNS: host not found [authoritative])

194.7.27.18 RTT: 141ms TTL:240 (bru5-gw.iserco.org bogus rDNS: host not found [authoritative])

82.146.33.215 RTT: 138ms TTL: 41 (www.666myth.co.nr ok)

01/13/05 03:46:46 Browsing http://www.666myth.co.nr/

Fetching http://www.666myth.co.nr/ ...

GET / HTTP/1.1

Host: www.666myth.co.nr

HTTP/1.1 404 not found

Date: Thu, 13 Jan 2005 09:46:48 GMT

Free .CO.NR Domain Name: 666myth.co.nr - Suspended

<!-- PayPopup.com Advertising Code Begin -->

01/13/05 03:51:03 Fetching http://www.freedomain.co.nr/

Fetching http://www.freedomain.co.nr/ ...

GET / HTTP/1.1

Host: www.freedomain.co.nr

Free URL Redirection, No Ads! Short Free Domain Name (you.co.nr)

Register a free subdomain of .co.nr free domain name! No ads, plus free URL redirection (free URL forwarding), free URL cloaking & masking, path forwarding, META TAG & keywords support. Get your short free url today!

<a href="http://www.freedomain.co.nr/faq_basic.php">path forwarding</a>

and forward this free url (free domain name) to your real web address

Register your free domain name and receive such additional features as url cloaking (url masking), mail forwarding, free subdomains, free redirection, url forwarding, url redirect, free url, short url, no ads at all, free subdomain, subdomain, path forwarding, url forward, free email forwarding, free redirect url, url redirection, free url forwarding, sub domain, free sub domain, subdomains, redirection, redirect, and more.

This is your chance to get a free domain name with no ads at all and redirect this free short url with free url redirection and free email forwarding to your real website address. You can also take advantages of free url cloacking, free path forwarding, and a number of free subdomains

How Fast and Easy is it to signup?

It will take you 5-10 minutes to signup and your domain will be activated immediately. You only need a website to point your domain to it and you can begin using your free domain name!

What is Free Path Forwarding?

It means that e.g. http://www.yoursite.co.nr/subdir/ will be forwarded to http://www.yourhost.com/yoursite/subdir/

What is Free URL Redirection (URL Forwarding)?

You can host your website anywhere you wish and point your free domain name to your website. If you ever decide to change your hosting provider you can fastly and easily modify your free domain name to point it to your new hosting provider. Only 1 minute.

What is Free URL cloaking?

URL cloaking is used to mask your real website address (that might be long and difficult to remember) with your new Domain Name web address. So, your free domain name will always be in location bar of your website visitors.

What is the CATCH? Any hidden fees?

No hidden fees. The catch is that you should actually use your domain name. Domains inactive for more than a month will be deleted without any warning. Plus a link back to CO.NR website is REQUIRED to be placed on the main page of your website.

CO.NR : Basic Free Package Rules

3. CONDUCT

a ) No spam via public email, news, forums.

B ) No advertising by any kind of Newsletters.

4. TARGET URL (Your Real website address)

a ) Must be your web site.

h ) No websites that already have a domain name (what the heck does this mean?)

If you violate a single rule from the list above your account will be terminated without any notice.

It is not a joke - We DO review each and every account manually!

-=-=-=-=-=-=-=

After all of that, I'm not sure where all your anger is coming from. I've not done much but a quick look for a record of spam .. maybe someone else will dig deeper .. it's just that after seeing all the free re-directing stuff, it seems apparent that you do have a web-site somewhere else ... what's wrong with advertising/using that web-site? At this point, there seems to be some missing facts, beyond the yet-to-be-identified spam. I'm kind of stuck now, after seeing the dates involved in your referenced links, discussions that went on weeks before your posting here, then seeing how long it took to go from a question of forged addresses in an e-mail to talking about a termination action by an ISP (?) ....


Hello Wazoo,

Thanks kindly for your reply and nice technical investigation. I am just not able to do what you did.

Sorry for the mistake: the proper Third link is http://www.freespeechstore.com/Qresults.asp?record=2577

I don't understand what you mean by « Second link contains flawed data.»

On the contrary, I think this Second link [http://www.bilderberg.org/pepis05.htm] is flawless. It explains accurately the following:

«An all new 666 calculator machine (where you type in a name and see if it adds up to Revelation 13's number of the beast 666) put together by Canadian Titus Nguiagain has been removed from the web under false pretences. This happened after disinformation was supplied to www.freedomain.co.nr, Titus' service provider, by SpamCop.net . Read all about it here

http://www.forums.co.nr/index.php?showtopic=2769 »

Moreover, Freedomain.co.nr Administration confirms that the domain name http://www.666myth.co.nr has been suspended after complaints from Spamcops. According to the thesis of Conr [http://www.forums.co.nr/index.php?showtopic=2769 ] :

« The complaints were from spamcops, if that was a kind of mistake, I am sorry about that. However, we still can not deal with spam.»

Sorry Wazoo, but it is false to conclude that «First link finally explains that the site termination had nothing to do with a forged e-mail address.». I understand that you need and miss additional information.

Actually, the termination action by CO.NR Administration is indeed linked to forged addresses in mass-email.

Here is a COPY of the fake email sample sent to CO.NR Administration (admin[at]co.nr) on Jan 06 2005. Attaching this fake email was just not possible in the Forum [http://www.forums.co.nr/index.php?showtopic=2769 ]

####################################################

-------Original message-------

From: Cosmos2000

Date: 01/06/05 09:49:09

To: admin[at]co.nr

Subject: Fwd: Fake Email related to spam

NOTE: This Fake Email was pre-scanned before sending and attached virus deleted

Hi,

To confirm the problem of electronic attack explained on CO.NR. Forum [http://www.forums.co.nr/index.php?showtopic=2769 ] , please have a look at this new fake mail [from Cosmos2000[at]iquebec.com to Cosmos2000[at]iquebec.com !?! … rip-off still on].

Actually, I am an “IncrediMail” user so that I don’t know if the flaw for attack is from iquebec.com server or from IncrediMail server. May be my ultimate solution will be to delete my present email.

Thanks and Regards.

HAPPY new Year again.

Titus

-------------------------------------------------------------------------

-------Original message-------

From: cosmos2000[at]iquebec.com

Date: 01/01/05 07:25:28

To: cosmos2000[at]iquebec.com

____________________________________________________________________

Want to chat with your friends for free?

Download Yahoo! Messenger http://yahoo.ifrance.com

##################################################

In your report, among other good stuff, I notice 3 IP addresses:

Parsing input: www.666myth.co.nr

host 82.146.33.215 (getting name) = russian.com.ru

Cached whois for 82.146.33.215 : abuse[at]ispserver.com inet[at]ispserver.com

Trace www.666myth.co.nr (82.146.33.215) ...

194.7.46.70 RTT: 139ms TTL:240 (so-7-0-0.HR1.BRU5.ALTER.net ok)

82.146.33.215 RTT: 138ms TTL: 41 (www.666myth.co.nr ok)

Please, can you tell me how you got them ???

Have a nice day

Titus


I don't understand what you mean by « Second link contains flawed data.»

This happened after disinformation was supplied by to www.freedomain.co.nr, Titus' service provider, by SpamCop.net

Spamcop received a spam complaint that had a link to this web site and sent it to the provider. There was no disinformation.

Free service can not afford to spend money resolving spam issues, even most paid services do not do it nowadays

This is incorrect for most services. There have been a few cases where this has happened, but not very often.

BTW, spam does not refer to your email address, as in that case iquebec.com would get the spam complaint.

The spam refers to www.666myth.co.nr being advertised in some mass emails, so we (CO.NR) got the complaint.

This is describing a spam that went out that had a link to your site in it, not an email with a forgery. This is called spamvertizing, and any spamcop email related to spamvertizing is strictly to inform the ISP of the fact. It is entirely possible that some third party thought this was a cool site and included it in his email message which was sent to a purchased list and was then reported. The provider has the responsibility to do what they want with that information and it appears that the TOS/AUP you agreed to for that service states that any links found in any spam is grounds for termination.

You need to take it up with the provider. In my opinion, they are very quick on the trigger, but if that is their stated policy, you only have yourself to blame. You get what you pay for, in this case, nothing.


Hello StevenUnderwood,

You say «BTW, spam does not refer to your email address».

Sorry to contradict you, but this is incorrect because a simple look at the following copy of the spam complaint, received from CO.NR Tech Support on Jan 07 2005, clearly indicates that someone somewhere, devil-made, uses forgery, with links to my domain name and my email "Cosmos2000" with iquebec.com.

#####################################################

Hello Titus,

We would appreciate it if you let us know the results of your investigation

Best wishes in a New Year!

~Dimon

Here is a copy of the spam complaint that you requested:

Begin =====================================================

[ SpamCop V1.393 ]

This message is brief for your comfort. Please use links below for details.

Spamvertised web site: http://www.666myth.co.nr/

http://www.spamcop.net/w3m[skipped]

http://www.666myth.co.nr/ is 82.146.33.215; Sat, 25 Dec 2004 22:12:08 GMT

From: "Cosmos2000"

To:

Cc:

Subject: 666 Calculator for you

X-FID: 08197FA3-5C88-11D4-AF90-0050DAC67E11

X-Priority: 3

Disposition-Notification-To: "Cosmos2000"

if-filter0: N

TO: dontflameme.com=0D

FROM: Titus=0D

=0D

Hello,=0D

=0D

666 Calculation machine (http://huizen.dds.nl/~glage/666/666check.html)=0D

is out of order.=0D

But you can found a nice 666 calculator on my website at this URL:=0D

=0D

www.666myth.co.nr=0D

=0D

Have fun!=0D

=0D

Merry Christmass=0D

=0D

Titus=0D

=0D

=20

#####################################################

Moreover, I just notice that one of the 3 IP addresses provided before by Wazoo is also contained in ,

«host 82.146.33.215 (getting name) = russian.com.ru

Cached whois for 82.146.33.215 : abuse[at]ispserver.com inet[at]ispserver.com»

Thanks kindly for your reply and time given.


Sorry to contradict you, but this is incorrect because a simple look at the following copy of the spam complaint, received from CO.NR Tech Support on Jan 07 2005, clearly indicates that someone somewhere, devil-made, uses forgery, with links to my domain name and my email "Cosmos2000" with iquebec.com.

The report still has NOTHING to do with your email address. It only has to do with your website being included in a message that was reported as spam.

The reason for the report:

This message is brief for your comfort. Please use links below for details.

Spamvertised web site: http://www.666myth.co.nr/

http://www.spamcop.net/w3m[skipped]

http://www.666myth.co.nr/ is 82.146.33.215; Sat, 25 Dec 2004 22:12:08 GMT

And the reason it is found as a spamvertised web site is your site is referenced within the message:

But you can found a nice 666 calculator on my website at this URL:=0D

=0D

www.666myth.co.nr=0D

Now, spamcop is not saying YOU sent this message. It is simply saying that a message was reported as spam that contained a link to your web site. If you did not send this message, then someone may have been trying (and succeeded) in getting your site closed down by sending spam with your webpage link in it. Again, this has NOTHING to do with the

From: "Cosmos2000"
line. It may have been the person who sent this message or the person who reported this spam who is causing you harm. If you had included the spamcop link, we could have seen the entire message source and helped you determine where the message actually came from. There are spamcop penalties for filing malicious spam reports, if that is what happened.

NOTE: missing words in my former post.

----------------------------------------------------------------------------------------

Please read:

Moreover, I just notice that one of the 3 IP addresses provided before by Wazoo is also contained in official copy of the spam complaint, received from CO.NR Tech Support ;

«host 82.146.33.215 (getting name) = russian.com.ru

Cached whois for 82.146.33.215 : abuse[at]ispserver.com inet[at]ispserver.com»


Here is the FULL copy of the spam complaint, forwarded by CO.NR Tech Support on Jan 07 2005

##################################################

Hello Titus,

We would appreciate it if you let us know the results of your investigation

Best wishes in a New Year!

~Dimon

Here is a copy of the spam complaint that you requested:

=== Begin =====================================================

[ SpamCop V1.393 ]

This message is brief for your comfort. Please use links below for details.

Spamvertised web site: http://www.666myth.co.nr/

http://www.spamcop.net/w3m[skipped]

http://www.666myth.co.nr/ is 82.146.33.215; Sat, 25 Dec 2004 22:12:08 GMT

[ Offending message ]

Return-Path:

Received: from mxsf37.cluster1.charter.net ([10.20.201.162])

by mtai03.charter.net

(InterMail vM.6.01.03.03 201-2131-111-105-20040624) with ESMTP

id <20041225152137.LILU27068.mtai03.charter.net[at]mxsf37.cluster1.charter.net>

for ; Sat, 25 Dec 2004 10:21:37 -0500

Received: from mxip20.cluster1.charter.net (mxip20a.cluster1.charter.net [209.225.28.150])

by mxsf37.cluster1.charter.net (8.12.11/8.12.11) with ESMTP id iBPFI7KG032007

for ; Sat, 25 Dec 2004 10:21:37 -0500

Received: from b0506.ifrance.com (HELO b0506.idoo.com) (82.196.4.74)

by mxip20.cluster1.charter.net with SMTP; 25 Dec 2004 10:21:36 -0500

X-Ironport-AV: i="3.88,87,1102309200";

d="scan'217,208?jpg'217,208?gif'217,208,147"; a="603506850:sNHT33222996"

Received: from 216.239.94.46 [216.239.94.46] by b0506.idoo.com id 0412251503.11122d; Sat, 25 Dec 2004 15:03:20 GMT

MIME-Version: 1.0

Message-Id: <41CD_____________2592[at]YOUR-YB8KFRX4P4>

Date: Sat, 25 Dec 2004 10:20:41 -0500 (Est)

Content-Type: Multipart/related;

type="multipart/alternative";

boundary="------------Boundary-00=_HMAATSM1VA4000000000"

X-Mailer: IncrediMail (3001613)

From: "Cosmos2000"

To:

Cc:

Subject: 666 Calculator for you

X-FID: 08197FA3-5C88-11D4-AF90-0050DAC67E11

X-Priority: 3

Disposition-Notification-To: "Cosmos2000"

if-filter0: N

--------------Boundary-00=_HMAATSM1VA4000000000

Content-Type: Multipart/Alternative;

boundary="------------Boundary-00=_HMAAO2Q1VA4000000000"

--------------Boundary-00=_HMAAO2Q1VA4000000000

Content-Type: Text/Plain;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

TO: dontflameme.com=0D

FROM: Titus=0D

=0D

Hello,=0D

=0D

666 Calculation machine (http://huizen.dds.nl/~glage/666/666check.html)=0D

is out of order.=0D

But you can found a nice 666 calculator on my website at this URL:=0D

=0D

www.666myth.co.nr=0D

=0D

Have fun!=0D

=0D

Merry Christmass=0D

=0D

Titus=0D

=0D

=20

--------------Boundary-00=_HMAAO2Q1VA4000000000

Content-Type: Text/HTML;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

1">

f; FONT-SIZE: 12pt; MARGIN: 0px 10px 10px 30px; SCROLLBAR-HIGHLIGHT-COLOR=

: #ffffff; SCROLLBAR-SHADOW-COLOR: #ffffff; COLOR: #804000; SCROLLBAR-3DL=

IGHT-COLOR: #7b9ed6; SCROLLBAR-ARROW-COLOR: #4a6184; BACKGROUND-REPEAT: r=

epeat; FONT-FAMILY: Comic Sans MS; SCROLLBAR-DARKSHADOW-COLOR: #bebebe" t=

ext=3D#804000 vLink=3D#008080 aLink=3D#008080 link=3D#008080 bgColor=3D#d=

8ccbc background=3Dcid:A4A13DCB-A103-408F-BDA4-E0D0187503D0 scroll=3Dyes =

ORGYPOS=3D"0" SIGCOLOR=3D"0">

%" border=3D0>

; PADDING-BOTTOM: 0px; CURSOR: auto; PADDING-TOP: 0px" width=3D"100%">

TO: dontflameme.com

FROM: Titus

Hello,

http://huizen.dds.nl/~glage/666/666check.html"> c=

olor=3D#000000>666 Calculation machine 00>(

T color=3D#000000>http://huizen.dds.nl/~glage/666/666check.html

>)

is out of order.

But you can found a nice 666 calculator on my website at this URL:DIV>

www.666myth.co.nr

">http://www.666myth.co.nr/">www.666myth.co.nr

Have fun!

Merry Christmass

Titus

ABLE> f=3D"http://www.incredimail.com/index.asp?id=3D412〈=3D12"> al=

t=3D"" hspace=3D0 src=3D"cid:ADB2C5AC-BE8C-4C24-BA02-E624C61E3265" align=3D=

baseline border=3D0>

--------------Boundary-00=_HMAAO2Q1VA4000000000--

--------------Boundary-00=_HMAATSM1VA4000000000

Content-Type: image/gif;

name="IMSTP.gif"

Content-Transfer-Encoding: base64

Content-ID:

R0lGODlhDAJMAMQAAHYdAP/yACLVxP/7nAAo//AHy/7SAPy1AJ5IDPWYAP/93aA0Ad9xAfwMDP/5

eP///7Crm9rQvfejmv3Bav+D7ebh1K1zJv+uNP/6Mc2XAAqDg/tvaNewAL2NPgAAAAAAACH/C05F

VFNDQVBFMi4wAwEAAAAh+QQJHgAfACwAAAAADAJMAAAF/+AnjmRpnmiqrmzrvnAsz3Rt33iu73zv

==== End =====================================================

Thursday, January 6, 2005, 5:40:24 PM, you wrote:

cic> Tech Support Request from: Titus

cic> Domain Name: 666myth.co.nr

cic> Email Address: cosmos2000[at]iquebec.com

cic> The text of the Request:

cic> -----------------------------------------------------

cic> username = 666myth

cic> password = 666999

cic> --------------------------

cic> Hello,

cic> This email is related to a spam issue reported by CO.NR. Forum, in a merged topic entitled «Urgent Issue, Account co.nr suspended» [posted on Dec 27 to 31, 2004], under the following link:

cic> http://www.forums.co.nr/index.php?showtopic=2769

cic> Please, in order to eventually retrieve the spam submitter IP address, I really need the full copy of complaint and a careful follow up of my reply by CO.NR.

cic> To confirm the problem of electronic attack explained on CO.NR. Forum, I have transferred to admin[at]co.nr a new fake mail [from Cosmos2000[at]iquebec.com to Cosmos2000[at]iquebec.com !?! … rip-off

cic> still on].

cic> Actually, I am an “IncrediMail” user so that I don’t know if the flaw for attack is from iquebec.com server or from IncrediMail server. May be my ultimate solution will be to delete my present

cic> email.

cic> Thanks and Regards.

cic> HAPPY new Year again.

cic> Titus

cic> -----------------------------------------------------

--

Best regards,

CO.NR Support

http://www.co.nr - Free .CO.NR Domain Name mailto:support[at]co.nr

_____________________________________________________________________

Want to chat with your friends for free?

Download Yahoo! Messenger http://yahoo.ifrance.com

#################################################


In the official copy of the spam complaint, there are 2 pieces of information helpful to retrieve the person who initiated the saga: charter.net and dontflameme.com.

Clue 1:

«[ Offending message ]

Return-Path:

Received: from mxsf37.cluster1.charter.net ([10.20.201.162])

by mtai03.charter.net

(InterMail vM.6.01.03.03 201-2131-111-105-20040624) with ESMTP

id <20041225152137.LILU27068.mtai03.charter.net[at]mxsf37.cluster1.charter.net>

for ; Sat, 25 Dec 2004 10:21:37 -0500

Received: from mxip20.cluster1.charter.net (mxip20a.cluster1.charter.net [209.225.28.150])

by mxsf37.cluster1.charter.net (8.12.11/8.12.11) with ESMTP id iBPFI7KG032007

for ; Sat, 25 Dec 2004 10:21:37 -0500»

Clue 2:

«TO: dontflameme.com=0D

FROM: Titus=0D»

dontflameme.com points to http://www.dontflameme.com

and it seems that yetso[at]charter.net is the email of the webmaster of this site.


OK, it looks like your provider has not provided YOU with the information I am looking for. The beginning of every spamcop report I have ever seen for a spamvertized site looks like this (from my most recent report):

[ SpamCop V1.401  ]

This message is brief for your comfort.  Please use links below for details.

Spamvertised web site: http://business.vsnl.com/open/ex.htm

http://www.spamcop.net/w3m?i=zpreviewz14ad...d4f3d0b8555992z

[ Additional links on business.vsnl.com: ]

http://business.vsnl.com/open/est.htm

http://business.vsnl.com/open/ex.htm

http://business.vsnl.com/open/sv.htm

http://business.vsnl.com/open/ib.htm

http://business.vsnl.com/open/es.htm

http://business.vsnl.com/open/ex.htm is 202.54.1.81; Thu, 13 Jan 2005 18:38:52 GMT

[ Offending message ]

That last line before the [ Offending message ] is the part I am after and that site would contain a link to the original email and why it parsed the way it did... Anyway, breaking out my rusty manual parsing skills (someone please check this as it was only a simple dns/rdns/helo name matching parse) I come up with the source being "host 216.239.94.46 = ip216-239-94-46.vif.net" and the reporting history for that IP shows only the one spam you posted:

Submitted: Saturday, December 25, 2004 5:12:00 PM -0500:

666 Calculator for you

1323129845 ( http://www.incredimail.com/index.asp?id=412&lan... ) To: ori[at]isdn.net.il

1323129843 ( http://www.666myth.co.nr/ ) To: abuse[at]ispserver.com

1323129842 ( http://www.666myth.co.nr ) To: abuse[at]ispserver.com

1323129838 ( http://huizen.dds.nl/~glage/666/666check.html ) To: sienema[at]io.nl

1323129835 ( http://huizen.dds.nl/~glage/666/666check.html ) To: harry[at]io.nl

1323129834 ( http://huizen.dds.nl/~glage/666/666check.html ) To: postmaster#io.nl[at]devnull.spamcop.net

1323129833 ( 216.239.94.46 ) To: spamcop[at]imaphost.com

1323129828 ( 216.239.94.46 ) To: abuse[at]vif.com

Perhaps the deputies<at>spamcop.net could provide you with a little more information or look into the reporter for you but someone reported that message with your website and your provider is very strict about that not happening.


Thanks very much StevenUnderwood.

But now, beyond the spam complaint and domain suspension, you are frightening me too much with your new information ["host 216.239.94.46 = ip216-239-94-46.vif.net"]: not only does someone somewhere, devil-made, still use my private email address and do fake mass-emails and unwanted spamvertizing with it, MOREOVER, it seems that electronic attackers are also using my computer and my Internet provider [vif.net], by some trick of remote control.

I am really afraid for another computer crash. Because by the end of 2004 I was obliged to reformat my hard disk, after receiving unusual fake spam from electronic attackers, using my proper email address, like: FROM: myName[at]iquebec.com TO: myName[at] iquebec.com.

May be my ultimate solution will be to delete my present email iquebec.com but I have no control of my Internet service provider vif.net.

Thanks and Regards.


This does not mean that someone is using your computer. It means that the person who sent the mail has the same provider as you, vif.net. I assume that vif.net has many customers.

The folks at vif.net can tell who actually sent the mail, but that doesn't mean they will tell you, or do anything about it.

Your website was not removed because the mail came from vif.net. It was removed because it was advertised in spam. I could send a spam from my own machine advertising any website I please. People can and do send spam advertising people they don't like in order to get the recipient in trouble with his internet provider. Because of this most providers will look carefully before taking down a site. Your provider does not look carefully. But they can do anything they want. They are a free provider, and don't have the time and money to look carefully.

The general term for sending spam which claims to be from an enemy of the real sender is "Joe job." You may have been the victim of a "Joe job," or it may be that someone else who uses vif.net doesn't understand why you shouldn't spam.

The "From" line is like a return address on an envelope. You can put anything in it you like. If you got some malicious paper mail you would not assume the return address was correct.

vif.net is like your post office. The long numbers are like post marks, telling which post offices handled the mail. Many people send mail from your post office. Only the postman who took the mail can tell you which house it came from. If the malicious paper mail came from a post office far away from the return address on the envelope, you would doubt the return address. But it is easy enough to go to someone else's post office to post a malicious letter.
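Steven's manual parse and Christine's postmark picture above describe the same procedure: walk the Received: lines from the recipient's server downward, trust each hop only if the server it names after "by" is the one the hop above said it received from, and take the "from" address of the deepest linked hop as the origin. As an added example (not code from this thread), here is that walk in Python over the header chain quoted above, re-folded as constructed sample input; the forged.example / 192.0.2.9 tail is a constructed placeholder showing how a hop that no server above it vouches for is rejected.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the Received: chain from the SpamCop complaint quoted in
# this thread, re-folded the way it appears in a raw message (continuation
# lines start with whitespace). Top line = the hop closest to the recipient.
SAMPLE_HEADERS = """\
Received: from mxsf37.cluster1.charter.net ([10.20.201.162])
    by mtai03.charter.net (InterMail vM.6.01.03.03 201-2131-111-105-20040624) with ESMTP
    id <20041225152137.LILU27068.mtai03.charter.net@mxsf37.cluster1.charter.net>
    for ; Sat, 25 Dec 2004 10:21:37 -0500
Received: from mxip20.cluster1.charter.net (mxip20a.cluster1.charter.net [209.225.28.150])
    by mxsf37.cluster1.charter.net (8.12.11/8.12.11) with ESMTP id iBPFI7KG032007
    for ; Sat, 25 Dec 2004 10:21:37 -0500
Received: from b0506.ifrance.com (HELO b0506.idoo.com) (82.196.4.74)
    by mxip20.cluster1.charter.net with SMTP; 25 Dec 2004 10:21:36 -0500
Received: from 216.239.94.46 [216.239.94.46] by b0506.idoo.com id 0412251503.11122d; Sat, 25 Dec 2004 15:03:20 GMT
From: "Cosmos2000" <cosmos2000@iquebec.com>
Subject: 666 Calculator for you
"""

# Constructed variant: one extra Received: line whose "by" server is not the
# host any hop above it claims to have received from. forged.example and
# 192.0.2.9 are documentation placeholders, not values from the thread.
TAMPERED_HEADERS = SAMPLE_HEADERS + """\
Received: from forged.example [192.0.2.9]
    by somewhere-else.example; Sat, 25 Dec 2004 14:00:00 GMT
"""

IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


@dataclass
class Hop:
    from_name: str        # host name (or bare IP) the receiving server logged
    helo: Optional[str]   # HELO/EHLO name, when the server recorded it separately
    ip: Optional[str]     # connecting IP, when the server recorded it
    by_host: str          # the server that wrote this Received: line


def unfold(raw: str) -> List[str]:
    """Join RFC 5322 folded header lines (continuations start with whitespace)."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw: str) -> List[Hop]:
    """Extract every Received: header, top (recipient side) to bottom (origin side)."""
    hops: List[Hop] = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        value = line.split(":", 1)[1].strip()
        parts = re.split(r"\s+by\s+", value, maxsplit=1)
        if len(parts) != 2:
            continue  # no "by" clause: nothing to chain against
        from_part, by_part = parts
        name_m = re.match(r"from\s+(\S+)", from_part)
        helo_m = re.search(r"\(HELO\s+([^)\s]+)\)", from_part, re.I)
        ip_m = IPV4_RE.search(from_part)
        hops.append(Hop(
            from_name=name_m.group(1) if name_m else "",
            helo=helo_m.group(1) if helo_m else None,
            ip=ip_m.group(0) if ip_m else None,
            by_host=by_part.split()[0].rstrip(";"),
        ))
    return hops


def trace_origin(hops: List[Hop]) -> Dict[str, object]:
    """Walk the chain top-down. Hop i+1 is trusted only if its 'by' host is the
    host (or HELO name) hop i said it received from; the 'from' side of the
    deepest linked hop is the best origin evidence the headers can give."""
    notes: List[str] = []
    verified = 0
    for i, hop in enumerate(hops):
        if i > 0:
            prev = hops[i - 1]
            claimed = {prev.from_name.lower(), (prev.helo or "").lower()}
            if hop.by_host.lower() not in claimed:
                notes.append(f"hop {i + 1}: 'by {hop.by_host}' is not the host hop {i} "
                             f"received from ('{prev.from_name}'); chain breaks here")
                break
        verified += 1
    if verified == 0:
        return {"origin_ip": None, "verified_hops": 0, "private_ips": [], "notes": ["no Received: headers"]}
    deepest = hops[verified - 1]
    origin = deepest.ip or deepest.from_name
    # RFC 1918 addresses are the receiving organisation's internal relays, never the sender.
    private = [h.ip for h in hops[:verified] if h.ip and ipaddress.ip_address(h.ip).is_private]
    if deepest.from_name == deepest.ip:
        notes.append(f"origin {origin} was logged without a reverse-DNS name; "
                     "only its network owner can map it to a customer")
    return {"origin_ip": origin, "verified_hops": verified, "private_ips": private, "notes": notes}


if __name__ == "__main__":
    for label, raw in (("as quoted", SAMPLE_HEADERS), ("with forged hop", TAMPERED_HEADERS)):
        hops = parse_received(raw)
        result = trace_origin(hops)
        print(f"{label}: {len(hops)} Received: lines, {result['verified_hops']} linked, "
              f"origin {result['origin_ip']}")
        for note in result["notes"]:
            print("  -", note)
```

The From: line plays no part in the walk, which is the point Steven and Christine make: it is the return address on the envelope, while the linked Received: chain is the set of postmarks.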


Well, if 216.239.94.46 is (or was) your IP address, then your machine sent the original message. There are many viruses that allow some level of external control of the infected machine. That machine, right now, has the standard FTP port open. I did NOT do an extensive scan, however, just some of the standard ports.

Do you use incredimail? The incredimail footer is in the html version of the submitted spam.

With everything you are saying here, either:

1. You actually sent this message (possibly to only one person) and it was reported as spam.

or

2. Someone went to great lengths to create a fake message to look in every way like it came from you (IP address, return address, etc.) and reported it themselves. This would not be difficult to do if they had another email message from you (copy headers and modify the date/time/body to what they wanted). It would not even need to be sent anywhere, just created in a text editor and pasted into the spamcop webform.

This second item is strictly against SpamCop's rules and the reporter could be fined or banned from SpamCop if it is proved. I would suggest following up to deputies<at>spamcop.net to see what they think of this situation. They have access to more details than you or I have.


Christine and StevenUnderwood, you are both really nice for providing me this useful stuff.

I am just a webmaster who only knows HTML, JavaScript, CSS, etc., but I am useless at IP, at FTP ports and so on.

By warning me that « it is easy enough to go to someone else's post office to post a malicious letter » or « There are many viruses that allow some level of external control of the infected machine », I am learning that the Internet is not safe at all.

In conclusion, because of rifts in Internet traffic, there is easy rip-off by riffraff.

Moreover, on Jan 07 2005, in a previous follow-up, I sent a message to the eventual spam reporter [yetso[at]charter.net, webmaster of dontflameme.com], with a copy to CO.NR Administration (admin[at]co.nr), and a recall email on Jan 10 2005, but we never got any reply from him.

However, CO.NR Staff keep waiting for the results of my investigation (see here Post #12 and Post #15).


Well, a virus is more like some stranger breaking into your house and putting out a letter for the postman. It is very important to secure your computers against these sorts of malicious attacks. The media make them sound very scary, but actually there is very little danger if you follow a few rules.


Today's good news from CO.NR. Administration

The domain name http://www.666myth.co.nr has been re-activated

Anyone must really appreciate the understanding of the CO.NR. Team. Frustrated surfers are now going to be happy! In their name, thanks kindly CO.NR.

Please take note that the domain http://www.666myth.co.nr has been re-activated, after providing full results of my investigation which indicate clearly NO real spam report against 666myth.co.nr.

NOBODY, NO HUMAN BEING makes a spam report to spamcop.net against the domain http://www.666myth.co.nr ... The topic is now closed.

Actually, the so-called “spam complaint” to spamcop.net was just an AUTOMATIC message from mxip02.cluster1.charter.net (mxip02a.cluster1.charter.net [209.225.28.132]), using the filter http://antispam.yahoo.com/domainkeys

Moreover, in order to avoid such problems in future, CO.NR. Administration freely provides us this nice advice: « never publish your email address on your sites (you can use a "contact us" form instead) »

Another alternative is using email encryption before posting on the Web.

Here are 2 links I found containing tips and tricks to encrypt your email before posting on the Web.

1) http://www.dynamicdrive.com/emailriddler/index.htm

2) http://javascript.internet.com/miscellaneo...pam-e-mail.html

The 2 scripts are cross-browser (works fine in MSIE, Netscape, Opera, etc.)

Dynamicdrive's Email Riddler is an online tool that encrypts and transforms your email address into a series of numbers when displaying it, making it virtually impossible for spam harvesters to crawl and add your email to their list.

Email Riddler encrypts only the actual email address, leaving the rest of the HTML used to create the email link open for customization.

The script is extremely lightweight and efficient.

Easy customization of the HTML used to display the email (as it is not encrypted). Quickly change the email text, add a subject, apply CSS styling to the link, etc.

Moreover, the tool supports encryption of multiple emails on the same page (no script conflicts).

Have a nice day.

Thanks and Regards.

Titus

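The "series of numbers" technique Titus describes above, as an added example that is neither Email Riddler's code nor anything from the forum: the address is kept in the page only as character codes, the browser rebuilds the mailto: link when the page loads, and the link text and subject stay editable plain HTML. The address and function names below are mine and are constructed for the example. Note what this does and does not buy you: a crawler that only pattern-matches the page source finds nothing address-shaped, but any encoding a browser can undo, a harvester that runs a JavaScript engine can undo too, so this raises the cost for simple harvesters rather than hiding the address.

```javascript
// Added example (constructed, not Email Riddler's own code): store an e-mail
// address as character codes so the page source never contains it in a
// harvestable form, and let the browser rebuild the mailto: link at load time.

// Encode: "a@b.c" -> [97, 64, 98, 46, 99]
function riddle(email) {
  return Array.from(email, (ch) => ch.charCodeAt(0));
}

// Decode: the inverse of riddle(); this is what the inline decoder does.
function unriddle(codes) {
  return String.fromCharCode(...codes);
}

// Escape text that ends up inside HTML so a subject or link text cannot
// break out of its element.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Each link gets its own element id, so several riddled addresses can live on
// one page without the decoders interfering with each other.
let linkCounter = 0;

// Markup to paste into the page: a normal <a> with readable text, followed by
// a tiny decoder that fills in href. The plain address never appears.
function riddledLinkMarkup(email, linkText, subject) {
  const id = "riddled-" + (++linkCounter);
  const codes = JSON.stringify(riddle(email));
  const query = subject ? "?subject=" + encodeURIComponent(subject) : "";
  return (
    `<a id="${id}" href="#">${escapeHtml(linkText)}</a>` +
    `<script>document.getElementById(${JSON.stringify(id)}).href=` +
    `"mailto:"+String.fromCharCode.apply(null,${codes})+${JSON.stringify(query)};</script>`
  );
}

// A naive harvester's view: does anything address-shaped appear in the text?
// Used here to check that the generated markup leaks nothing.
const ADDRESS_RE = /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/;
function looksLikeAddress(text) {
  return ADDRESS_RE.test(text);
}
```

In a real page you would paste the output of riddledLinkMarkup() where the link should appear; the decoder runs as soon as that script element is parsed, so the element it refers to already exists.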

NOBODY, NO HUMAN BEING makes a spam report to spamcop.net against the domain http://www.666myth.co.nr ... The topic is now closed.

Actually, the so-called “spam complaint” to spamcop.net was just an AUTOMATIC message from mxip02.cluster1.charter.net (mxip02a.cluster1.charter.net [209.225.28.132]), using the filter http://antispam.yahoo.com/domainkeys

Did you report your findings to deputies<at>spamcop.net so they can take action against the PERSON that reported this non-spam message through their account? No matter what you say, a PERSON is responsible for ANY report that spamcop sends out for that PERSON. Automatic reporting is heavily discouraged any time the topic is brought up for this very reason.


Good to hear your site is back up but from the looks of it http://www.666myth.co.nr is just a big frame that holds http://www.chez.com/cosmos2000/Numbers/666.html.

I also thought you would like to see this info and maybe it will help you:

Resolved chez.com to 213.36.127.5

From another list here is some spam reported from 213.36.127.5

Sun Jan 9 21:26:29 2005 Received - Wi|| this MicroCap's Shares Go Higher?

Tue Jan 11 06:16:20 2005 Received - Have YOu Ever PrOfited Fr0m a Smal|cap?

Thu Jan 13 06:00:30 2005 Received - Is it A MicrO Cap Mirac|e?

Thu Jan 13 18:42:33 2005 Received - Half prce M1cr0soft Plus X'P

Thu Jan 13 19:54:00 2005 Received - neuro tests start december 3th

Thu Jan 13 19:54:41 2005 Received - help your husband with his pain

Fri Jan 14 17:38:40 2005 Received - P0werhOuse Gains POssible in Smal|Caps

Mon Jan 17 07:00:34 2005 Received - these Shares are acce|erating

Tue Jan 18 09:21:20 2005 Received - Trading RepOrt FOr MicrOCap

Hope this helps....


Archived

This topic is now archived and is closed to further replies.
