[Resolved] spam mail question


jcbradley


Hi there,

Not sure where to post this general question, so thought I would do it here.

I have been receiving 3-4 emails per day with an attachment, and it states it's coming from ... admin[at]mydomain.com or support[at]mydomain.com

I checked the headers and it also states that from the return and to paths it shows the same from admin or support. I'm not sure if spammer is actually able to block this or has access to our email account since it shows this way. Just curious to see if I should be concerned or not.

Thanks,

Chris


Hi Jeff,

I wasn't saying SpamCop was sending attachments, I meant it was coming from my own domain. So it looks like I am sending these emails from our admin or support email account to my personal one. Just curious if someone could have actual access to my email accounts or if they are able to spoof the actual headers in the return and "to path".

Chris



Hi, Chris,

...Taking a leap by "speaking" for Jeff G (and I'm sure he'll correct me if I'm wrong :) <g>), I don't think he was saying that you were saying that SpamCop is sending these e-mails. I think he was saying that you seem to be in the same position as SpamCop was at the time -- that is, a worm or virus (like bagle/beagle/bagel) is sending e-mails masquerading as coming from you. Apparently, it is possible to spoof the header fields you are viewing. You can only trust headers from reliable servers.


Chris,

One way to check out which part of the header is spoofed and what is real is to report one of these emails "from: you To: you" to SpamCop. After the parsing, look at the results. You should be able to tell if the email really came from your domain OR if all the header parts you're looking at are spoofed. If you are the source, cancel the reports (You don't want to report yourself!) and then go after the worm.


I'm not exactly sure if I am looking at the right spot in the report to determine this. Is there anyone I can copy and paste and message the report to so you can take a look at it before I report it? Last thing I want to do is report myself again. lol

thanks,

chris



If you would cancel the report (so nobody else can report it) and post the tracking URL here, we could look at it and be more specific; then you could make your decision. If you wish to report, you could always resubmit it.


here is the tracking url...


If reported today, reports would be sent to:

Re: 70.118.116.7 (Administrator of network where email originates)

abuse[at]rr.com

This message came from a computer on the rr.com network (RoadRunner Cable customer). That machine seems to be sending large numbers of message to the internet right now (~7000% above their daily average).

It was received by the server:

Parsing input: web30.thehostingnet.com

host web30.thehostingnet.com (checking ip) = 216.31.178.6

host 216.31.178.6 (getting name) = web30.thehostingnet.com.

Report routing for 216.31.178.6: spamcop[at]pajo.com

I assume this is your server/ISP/MSP.

I hope this helps. Let us know of any additional questions you may have.


I agree with StevenUnderwood, but I am concerned that the referenced attachment didn't make it into the Report. Was the attachment in the information you pasted into the submit form or forwarded? Was it attached to the original message? Did the spammer forget to include it? Thanks!


Thanks, that's what I needed to know. I'm sure getting quite a bit of these this week with attachments.

chris


I'm not sure what is contained in the attachments, but it appears virbl.dnsbl.bit.nl has identified: "6 x Worm.Mytob.GH", and responded to the problem.

[OTHER (rbl.completewhois.com) whois information for 70.118.116.7 ]

Listed in country-rirdata: US - United States

Listed in xbl.spamhaus.org: http://www.spamhaus.org/query/bl?ip=70.118.116.7

Listed in dnsbl.sorbs.net: Dynamic IP Addresses See: http://www.dnsbl.sorbs.net/lookup.shtml?70.118.116.7

Listed in cbl.abuseseat.org: Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=70.118.116.7

Listed in virbl.dnsbl.bit.nl: 70.118.116.7 --> 6 x Worm.Mytob.GH. Last seen 2005-09-11 08:18:02.017696 CET. Virus infected host, see http://virbl.bit.nl/
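The check the replies above walk through, as an added example that is not part of any post in this thread: trust only the Received lines stamped by your own receiving server, take the IP that connected to it, compare it with your own servers, and build the DNSBL query names for it. The message is a constructed sample (only 70.118.116.7, 216.31.178.6 and web30.thehostingnet.com come from the thread); the function names, the trusted-host set and the own-network list are assumptions of the example.

```python
import email
import ipaddress
import re

# Constructed sample message; only the IP and server name come from the thread.
SAMPLE = (
    "Return-Path: <admin@mydomain.example>\n"
    "Received: from mydomain.example (host.isp.example [70.118.116.7])\n"
    "\tby web30.thehostingnet.com with ESMTP id CONSTRUCTED1;\n"
    "\tSun, 11 Sep 2005 02:10:00 -0400\n"
    "Received: from mail.mydomain.example ([192.0.2.25])\n"
    "\tby mydomain.example with SMTP id CONSTRUCTED0;\n"
    "\tSun, 11 Sep 2005 02:09:58 -0400\n"
    "From: admin@mydomain.example\n"
    "To: chris@mydomain.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

BY_RE = re.compile(r"\bby\s+([^\s;]+)", re.I)
IP_RE = re.compile(r"\[([0-9.]+)\]")


def handoff_ip(raw, trusted_hosts):
    """IP that connected to the outermost trusted server, or None."""
    found = None
    for hop in email.message_from_string(raw).get_all("Received", []):
        hop = " ".join(hop.split())  # unfold continuation lines
        by = BY_RE.search(hop)
        if not by or by.group(1).lower() not in trusted_hosts:
            break  # everything from here down is sender-supplied
        ip = IP_RE.search(hop[:by.start()])
        if ip:
            found = ip.group(1)
    return found


def sent_by_own_servers(raw, trusted_hosts, own_networks):
    """True only if the hand-off IP is inside one of our own networks."""
    ip = handoff_ip(raw, trusted_hosts)
    if ip is None:
        return False  # no trusted hop found, so origin cannot be confirmed
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in own_networks)


def dnsbl_names(ip, zones):
    """DNSBL query names: reversed IPv4 octets prepended to each zone."""
    rev = ".".join(reversed(ip.split(".")))
    return [f"{rev}.{z}" for z in zones]
```
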


Archived

This topic is now archived and is closed to further replies.
