runderwood
Posted June 28, 2005

Hello Spamcop team,

I have a problem with some spammers that are using my domain name to send mass emails. I don't know how they do it, because my server is not open for relaying; also, I have the SPF record added in my DNS servers. Here is an email header:

=====================================================
Return-Path: <info[at]pokerhost.com>
Received: from pokerhost.com (62-101-48-157.sheab.net [62.101.48.157] (may be forged))
    by mail.pokerhost.com (8.12.10/8.12.10) with SMTP id j5RGQ0GC001520
    for <ray[at]pokerhost.com>; Mon, 27 Jun 2005 12:26:00 -0400
Message-Id: <200506271626.j5RGQ0GC001520[at]mail.pokerhost.com>
From: info[at]pokerhost.com
To: ray[at]pokerhost.com
Subject: Your Account is Suspended For Security Reasons
Date: Mon, 27 Jun 2005 18:31:11 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0001_9BDE0177.958D7408"
X-Priority: 3
X-MSMail-Priority: Normal
=====================================================

The user info doesn't even exist on my server, but the user ray does. It says received from pokerhost.com by mail.pokerhost.com, which is not possible because the server listed at the beginning is not ours. Please, if you can, help me with this problem, because I have tried almost everything and I'm running out of ideas.

Wazoo
Posted June 28, 2005

Deleted second/duplicate post. Edited the ton-load of white-space from this existing post. Moved this Topic/Discussion to the Lounge ... calculating that if this was actually a "reporting" issue, the poster would already recognize that the e-mail didn't come from the described e-mail server, would/should have mentioned that a "bounce" was involved, and moreover, would have attempted to "report" this him/her-self.

The Subject: line suggests one of the recent Virus output (see the "SpamCop Phishing entry in the Announcements section ...)

ns2.inovasys.net reports the following MX records:

Preference   Host Name            IP Address
10           mail.pokerhost.com   196.40.80.236

whois -h whois.ripe.net 62.101.48.157 ...
inetnum: 62.101.48.0 - 62.101.51.255
netname: SHEB-NET
descr: SHE BREDBAND AB
descr: Sweden
country: SE
admin-c: EK565-RIPE
tech-c: NOC78-RIPE
abuse-mailbox: abuse[at]lidnet.net

swingspacers
Posted June 29, 2005

Anybody can use your domain name to send out emails. They do not need to use your server at all. There is nothing you can do about it. Setting up SPF will not be of much help at this time.

All the lines that you are confused about are forged:

Return-Path: <info[at]pokerhost.com>
Forged envelope-from.

Received: from pokerhost.com (62-101-48-157.sheab.net [62.101.48.157] (may be forged))
The identification pokerhost.com is forged, but you can see that the sending machine is 62-101-48-157.sheab.net with an IP address of 62.101.48.157. This machine is infected with a virus that sends out these messages.

From: info[at]pokerhost.com
Forged From: address.

The virus forges these elements to match the target email address. For example, if it sends itself to joe[at]example.com, it will use a Return-Path: and From: of info[at]example.com and pretend to come from a machine named example.com.

We all get many of these viruses. The best way of handling them is to delete them with your email virus scanner and not worry about them.

EDIT: Are we helping this online gambling site (in terms of Google ranking, etc.) by having its name all over the place? If yes, could this be the real reason behind the original post?
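
Added example, not written by any poster in this thread: a Python check that separates what the client claimed in the Received: line above (the HELO name) from what the receiving server recorded (reverse DNS name and IP), and reports identities that claim the local domain from a foreign address. The function names are hypothetical, and treating the MX address quoted earlier in the thread as the complete list of the domain's own servers is an assumption.

```python
import ipaddress
import re

# Sendmail-style hop: "from HELO (RDNS [IP] optional-note) by HOST"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]"
    r"(?P<note>.*?)\)\s+by\s+(?P<by>\S+)"
)

def parse_received(line):
    """Separate what the client claimed (HELO) from what the server observed."""
    m = RECEIVED_RE.search(" ".join(line.split()))
    if m is None:
        return None
    hop = m.groupdict()
    hop["ip"] = ipaddress.ip_address(hop["ip"])
    return hop

def in_domain(name, domain):
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def audit_hop(received, return_path, own_domain, own_ips):
    """List the identities in a hop that claim own_domain from a foreign IP."""
    hop = parse_received(received)
    if hop is None or hop["ip"] in own_ips:
        return []
    findings = []
    if in_domain(hop["helo"], own_domain):
        findings.append("HELO %s forged; real client %s [%s]"
                        % (hop["helo"], hop["rdns"], hop["ip"]))
    # "[at]" is the forum's address obfuscation; undo it before comparing.
    sender = return_path.strip("<> ").replace("[at]", "@")
    if in_domain(sender.rpartition("@")[2], own_domain):
        findings.append("envelope sender %s forged" % sender)
    if "may be forged" in hop["note"]:
        findings.append("receiving server flagged the client name")
    return findings

# Constructed inputs: header lines as posted in the thread, and the MX address
# from the thread used as an assumed list of the domain's own servers.
OWN_IPS = {ipaddress.ip_address("196.40.80.236")}
RECEIVED = ("from pokerhost.com (62-101-48-157.sheab.net [62.101.48.157] "
            "(may be forged)) by mail.pokerhost.com (8.12.10/8.12.10) with SMTP")
RETURN_PATH = "<info[at]pokerhost.com>"

if __name__ == "__main__":
    for finding in audit_hop(RECEIVED, RETURN_PATH, "pokerhost.com", OWN_IPS):
        print(finding)
```

Only the hop written by your own server is trustworthy input for this check; Received: lines below it were supplied by the sender.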

StevenUnderwood
Posted June 29, 2005

> EDIT: Are we helping this online gambling site (in terms of Google ranking, etc.) by having its name all over the place? If yes, could this be the real reason behind the original post?

On principle, I have to trust Mr. Underwood

Farelf
Posted June 29, 2005

> On principle, I have to trust Mr. Underwood

SenderBase confirms an unusual activity level on 62.101.48.157 which tends to support (the OP) Mr Underwood's offering. spam is spam is spam, personally I would have no problem helping any victim. Organized "search engine optimizers" (with their cloaked sites, hidden link farms, hidden text etc. - all part of the "risks to business" of search engine operations) are more of a threat of biasing search engine ratings than would be posed by the odd post in assorted forums (remembering that a quick "Google" would unearth any such tactic).

runderwood
Posted July 19, 2005

> SenderBase confirms an unusual activity level on 62.101.48.157 which tends to support (the OP) Mr Underwood's offering. spam is spam is spam, personally I would have no problem helping any victim. Organized "search engine optimizers" (with their cloaked sites, hidden link farms, hidden text etc. - all part of the "risks to business" of search engine operations) are more of a threat of biasing search engine ratings than would be posed by the odd post in assorted forums (remembering that a quick "Google" would unearth any such tactic).

Well, I'm just a Linux newbie. I was wondering if there was a problem with my mail server configuration. It is not my intention to try to put the name of a gaming site on this forum; I'll do it just for the feedback, not for the search engines. As a matter of fact, I think you are giving me a lot of help, but I still have a problem with that, but I don't know exactly what the problem is, because I have SMTP auth and I don't allow relaying. Thanks for your post.

Wazoo
Posted July 19, 2005

> I was wondering if there was a problem with my mail server configuration,

Is this "your" server? Are "you" in charge of the configuration, traffic, and use of this server? Can you explain the following data?

http://www.senderbase.org/?searchBy=ipaddr...g=62.101.48.157

Volume Statistics for this IP

               Magnitude   Vol Change vs. Average
Last day       0.0         -100%
Last 30 days   2.5         1364%
Average        1.4

Jank1887
Posted July 20, 2005

>                Magnitude   Vol Change vs. Average
> Last day       0.0         -100%
> Last 30 days   2.5         1364%
> Average        1.4

What exactly do the volume change numbers mean? Is it an absolute or relative scale?

Jeff G.
Posted July 20, 2005

They appear to mean approximately:

Last day       0.0   1.34/day   -100%
Last 30 days   2.5   424/day    1364%
Average        1.4   34/day

Reference: FAQ Entry: SenderBase's "Magnitude" Explained

This topic is now archived and is closed to further replies.