
Spammers use my domain name


runderwood


Posted

Hello Spamcop team, I have a problem with some spammers that are using my domain name to send mass emails. I don't know how they do it, because my server is not open for relaying; also, I have the SPF record added in my DNS servers. Here is an email header:

=====================================================

Return-Path: <info[at]pokerhost.com>

Received: from pokerhost.com (62-101-48-157.sheab.net [62.101.48.157] (may be forged)) by mail.pokerhost.com (8.12.10/8.12.10) with SMTP id j5RGQ0GC001520 for <ray[at]pokerhost.com>; Mon, 27 Jun 2005 12:26:00 -0400

Message-Id: <200506271626.j5RGQ0GC001520[at]mail.pokerhost.com>

From: info[at]pokerhost.com

To: ray[at]pokerhost.com

Subject: Your Account is Suspended For Security Reasons

Date: Mon, 27 Jun 2005 18:31:11 +0200

MIME-Version: 1.0

Content-Type: multipart/mixed; boundary="----=_NextPart_000_0001_9BDE0177.958D7408"

X-Priority: 3

X-MSMail-Priority: Normal

=====================================================

The user info doesn't even exist on my server, but the user ray does. It says received from pokerhost.com by mail.pokerhost.com, which is not possible because the server listed at the beginning is not ours. Please, if you can, help me with this problem, because I have tried almost everything; I'm running out of ideas.

Posted

Deleted second/duplicate post. Edited the ton-load of white-space from this existing post. Moved this Topic/Discussion to the Lounge ... calculating that if this was actually a "reporting" issue, the poster would already recognize that the e-mail didn't come from the described e-mail server, would/should have mentioned that a "bounce" was involved, and moreover, would have attempted to "report" this him/her-self. The Subject: line suggests one of the recent Virus output (see the "SpamCop Phishing" entry in the Announcements section ...)

ns2.inovasys.net reports the following MX records:

Preference Host Name IP Address

10 mail.pokerhost.com 196.40.80.236

whois -h whois.ripe.net 62.101.48.157 ...

inetnum: 62.101.48.0 - 62.101.51.255

netname: SHEB-NET

descr: SHE BREDBAND AB

descr: Sweden

country: SE

admin-c: EK565-RIPE

tech-c: NOC78-RIPE

abuse-mailbox: abuse[at]lidnet.net

Posted

Anybody can use your domain name to send out emails. They do not need to use your server at all. There is nothing you can do about it. Setting up SPF will not be of much help at this time.

All the lines that you are confused about are forged:

Return-Path: <info[at]pokerhost.com>
Forged envelope-from.

Received: from pokerhost.com (62-101-48-157.sheab.net [62.101.48.157] (may be forged))
The identification pokerhost.com is forged, but you can see that the sending machine is 62-101-48-157.sheab.net with an IP address of 62.101.48.157. This machine is infected with a virus that sends out these messages.

From: info[at]pokerhost.com
Forged From: address.

The virus forges these elements to match the target email address. For example, if it sends itself to joe[at]example.com, it will use a Return-Path: and From: of info[at]example.com and pretend to come from a machine named example.com.

We all get many of these viruses. The best way of handling them is to delete them with your email virus scanner and not worry about them.

EDIT: Are we helping this online gambling site (in terms of Google ranking, etc.) by having its name all over the place? If yes, could this be the real reason behind the original post?
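The comparison described in the reply above, as an added example that is not part of the original thread: it reads the top `Received:` line (the only one written by the recipient's own server), pulls out the claimed name, the reverse-DNS name and the connecting IP, and flags the message when that IP is not an address allowed to send for the domain being claimed. The `AUTHORIZED` table is an assumption built from the MX address quoted earlier in the thread; `analyze` and `domain_of` are names chosen for this sketch.

```python
import ipaddress
import re
from email import message_from_string

# Header lines from the original post ("[at]" obfuscation kept as posted).
SAMPLE = """\
Return-Path: <info[at]pokerhost.com>
Received: from pokerhost.com (62-101-48-157.sheab.net [62.101.48.157] (may be forged)) by mail.pokerhost.com (8.12.10/8.12.10) with SMTP id j5RGQ0GC001520 for <ray[at]pokerhost.com>; Mon, 27 Jun 2005 12:26:00 -0400
From: info[at]pokerhost.com
To: ray[at]pokerhost.com
Subject: Your Account is Suspended For Security Reasons

"""

# Assumption: the domain's MX address is the only host that sends mail for it.
AUTHORIZED = {"pokerhost.com": [ipaddress.ip_network("196.40.80.236/32")]}

# sendmail-style trace line: from <HELO> (<rDNS> [<IP>] ...) by <receiver>
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]"
    r".*?\)\s+by\s+(?P<by>\S+)", re.S)

def domain_of(addr):
    """Domain part of an address, accepting the forum's '[at]' form."""
    addr = (addr or "").replace("[at]", "@").strip("<> \t")
    return addr.rpartition("@")[2].lower()

def analyze(raw):
    msg = message_from_string(raw)
    # Lower Received lines can be invented by the sender; use only the top one.
    m = RECEIVED_RE.search(msg.get("Received", ""))
    if not m:
        return {"verdict": "unparseable"}
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return {"verdict": "unparseable"}
    # Every place the message claims a domain: HELO, envelope sender, From:.
    claimed = {m["helo"].lower(), domain_of(msg["Return-Path"]),
               domain_of(msg["From"])}
    forged = sorted(d for d in claimed if d in AUTHORIZED
                    and not any(ip in net for net in AUTHORIZED[d]))
    return {"helo": m["helo"], "rdns": m["rdns"], "ip": str(ip),
            "by": m["by"], "forged_for": forged,
            "verdict": "forged" if forged else "ok-or-no-claim"}
```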

Posted
EDIT: Are we helping this online gambling site (in terms of Google ranking, etc.) by having its name all over the place? If yes, could this be the real reason behind the original post?

29733[/snapback]

On principle, I have to trust Mr. Underwood ;)

Posted
On principle, I have to trust Mr. Underwood ;)

29738[/snapback]

SenderBase confirms an unusual activity level on 62.101.48.157 which tends to support (the OP) Mr Underwood's offering. spam is spam is spam, personally I would have no problem helping any victim. Organized "search engine optimizers" (with their cloaked sites, hidden link farms, hidden text etc. - all part of the "risks to business" of search engine operations) are more of a threat of biasing search engine ratings than would be posed by the odd post in assorted forums (remembering that a quick "Google" would unearth any such tactic).

  • 3 weeks later...
Posted
SenderBase confirms an unusual activity level on 62.101.48.157 which tends to support (the OP) Mr Underwood's offering.  spam is spam is spam, personally I would have no problem helping any victim.  Organized "search engine optimizers" (with their cloaked sites, hidden link farms, hidden text etc. - all part of the "risks to business" of search engine operations) are more of a threat of biasing search engine ratings than would be posed by the odd post in assorted forums (remembering that a quick "Google" would unearth any such tactic).

29740[/snapback]

Well, I'm just a Linux newbie. I was wondering if there was a problem with my mail server configuration; it is not my intention to try to put the name of a gaming site on this forum. I'll do it just for the feedback, not for the search engines. As a matter of fact I think you are giving me a lot of help, but I still have a problem with that, but I don't know exactly what the problem is, because I have SMTP auth and I don't allow relaying. Thanks for your post.

Posted
I was wondering if there was a problem with my mail server configuration,

Is this "your" server? Are "you" in charge of the configuration, traffic, and use of this server? Can you explain the following data?

http://www.senderbase.org/?searchBy=ipaddr...g=62.101.48.157

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ......... 0.0 ... -100%

Last 30 days ... 2.5 ... 1364%

Average ......... 1.4

Posted
Magnitude Vol Change vs. Average

Last day ......... 0.0 ... -100%

Last 30 days ... 2.5 ... 1364%

Average ......... 1.4

30432[/snapback]

What exactly do the volume change numbers mean? Is it an absolute or relative scale?

Archived

This topic is now archived and is closed to further replies.
