spoof of my address


mattlamb

If I report it I am reporting myself (already accidentally done that, hope I don't get blocked)

(quoted from post 40286)

Not to worry Matt - they are using your email address, not the quad IP address of the server you use which is the bit that goes in the block list. They spoof heaps of email addresses every second - just a matter of time before they pick on yours. They will move on in time, they continually need fresh addresses. Dig up the one you accidentally reported in your "Past Reports" - look at the ISP the report is going to. Not yours, is it? (Send yourself an email and look at the full headers if you're not sure how your real headers look). Report away, you are not reporting yourself/your service provider.
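The check described above (look at the full headers and see which server the report is going to, not the forged address) can be done mechanically. The following is an added example, not SpamCop's own parser: it walks the Received: chain of a constructed bounced spam from the top, trusting only the hops written by the victim's own mail servers, and takes the connecting IP recorded by the last trusted hop as the injection point. Every host and address in it is a constructed placeholder from the documentation ranges (example.org as the forged domain, 198.51.100.7 as "your" server, 203.0.113.45 as the spammer's relay), and it assumes the receiving servers record the peer IP in square brackets, which most do but not all.

```python
"""Find the injection IP in a bounced spam by walking its Received: chain.

Added example, not SpamCop's parser. All hosts and addresses below are
constructed placeholders from the documentation ranges (RFC 5737):
198.51.100.7 stands for "your" outgoing server, 203.0.113.45 for the
spammer's relay, and example.org for the forged sender domain.
"""
import re
from typing import List, Optional, Set

# Hosts whose Received: lines we trust, i.e. our own inbound mail path.
# Walking the chain from the top, every line "by" a trusted host was written
# by us; the "from [ip]" of the last such line is where the mail entered.
TRUSTED_HOSTS = {"inbound.example.org", "mx.example.net"}

# Our own sending server, to confirm a report would not point at ourselves.
OWN_SERVER_IPS = {"198.51.100.7"}

# Constructed sample: the spam as returned inside a bounce. Headers are
# newest-first. The bottom Received: line was forged by the spammer (it
# claims the mail came from "victim-pc"); the real source is the IP that
# the first trusted relay, mx.example.net, actually accepted it from.
SAMPLE_BOUNCED_SPAM = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbound.example.org with ESMTP id abc123
\tfor <fred@example.org>; Mon, 01 Jan 2007 10:00:02 +0000
Received: from mail.fake-isp.example (unknown [203.0.113.45])
\tby mx.example.net with SMTP id xyz789; Mon, 01 Jan 2007 10:00:00 +0000
Received: from victim-pc (victim-pc [10.0.0.5])
\tby mail.fake-isp.example; Mon, 01 Jan 2007 09:59:58 +0000
From: fred <fred@example.org>
To: someone@example.net
Subject: cheap stuff

buy now
"""

# "from <host> (... [<ip>]) ... by <host>": the bracketed IP is what the
# receiving server saw on the TCP connection, so only a server we trust
# can vouch for it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r".*?\bby\s+(?P<by_host>[^\s;]+)",
    re.IGNORECASE | re.DOTALL,
)


def unfold_headers(raw_message: str) -> List[str]:
    """Return the header lines with RFC 5322 folding (newline + blank) undone."""
    head = raw_message.split("\n\n", 1)[0]
    return re.sub(r"\r?\n[ \t]+", " ", head).split("\n")


def received_chain(raw_message: str) -> List[str]:
    """The Received: header values in the order they appear (newest first)."""
    return [
        line[len("Received:"):].strip()
        for line in unfold_headers(raw_message)
        if line.lower().startswith("received:")
    ]


def find_injection_ip(raw_message: str, trusted_hosts: Set[str]) -> Optional[str]:
    """Walk trusted hops from the top; the last trusted hop's peer IP is the source.

    Stops at the first Received: line that was not written by a trusted host,
    because everything below it may have been forged by the sender.
    """
    injection_ip = None
    for hop in received_chain(raw_message):
        match = RECEIVED_RE.search(hop)
        if not match or match.group("by_host").lower() not in trusted_hosts:
            break
        injection_ip = match.group("ip")
    return injection_ip


def report_would_name_own_server(raw_message: str) -> bool:
    """True only if the injection point is one of our own servers."""
    return find_injection_ip(raw_message, TRUSTED_HOSTS) in OWN_SERVER_IPS


if __name__ == "__main__":
    source = find_injection_ip(SAMPLE_BOUNCED_SPAM, TRUSTED_HOSTS)
    print("injection point:", source)
    print("points at our own server:", report_would_name_own_server(SAMPLE_BOUNCED_SPAM))
```

Note that the forged bottom hop ("victim-pc", a private 10.x address) is never consulted, because the walk stops as soon as a hop was written by a host we do not operate; that is the same reason the reported ISP is the spammer's, not the victim's.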

If I report it I am reporting myself (already accidentally done that, hope I don't get blocked)

(quoted from post 40286)

Taking your words at face value... SpamCop pays no attention to the email addresses inside of reported messages. If you indeed reported yourself, it is because the messages came from your machine, meaning you might be infected by a virus which is also sending to your email address.

Taking your words at face value... SpamCop pays no attention to the email addresses inside of reported messages. If you indeed reported yourself, it is because the messages came from your machine, meaning you might be infected by a virus which is also sending to your email address.

(quoted from post 40289)

I am on a Mac so it's unlikely to be a virus (never had one on my machine in the 11 years of surfing the web).

Checked the IP on a Test E-Mail and does not appear to match the reported IP... phew

Why does the "held mail" show from "fred" rather than fred[at]nodomain.com?


Why does the "held mail" show from "fred" rather than fred[at]nodomain.com?

(quoted from post 40295)

That is probably because the "From" field says "fred <fred[at]nodomain.com>" and Webmail is trying to be "friendly". One would have to look at the raw headers to be sure.

What should I do, someone has figured out how to send me spam mail using my own E-Mail address as the return address?

If I report it I am reporting myself (already accidentally done that, hope I don't get blocked)

(quoted from post 40286)

Every now and then I'll see this in my held folder. From what I understand, it's not the spammer using your address, it only appears that way in a very ingenious spam message. More than likely, these messages are deleted by many users, rather than deleted, because they think reporting will report them... even when the message didn't come from their IP.


Every now and then I'll see this in my held folder. From what I understand, it's not the spammer using your address, it only appears that way in a very ingenious spam message. More than likely, these messages are deleted by many users, rather than deleted, because they think reporting will report them... even when the message didn't come from their IP.

(quoted from post 40403)

Don't know whether it helps, but I do try to give a clue to the sender of the DNS. Below is an example of the standard format I use (some details munged) in an email to the DAEMON that "returned" "my" spam email. I address this email to whichever ISP sent me the DSN.

Thank you for your email, returned below, it has not really helped.

My domain name (xxx.co.uk) has obviously been forged by a Spammer.

I KNOW the Spammer was not ME

I CAN SEE from the headers that the spam was sent from a machine at 200.104.117.22, why can't you?

"Whois" confirms that 200.104.117.22 is a client of VTR BANDA ANCHA S.A. based in Santiago, Chile.

On receiving the spam, you could have;

1) Refused to accept it - the true sender would have seen a non-delivery status message. The spam would have died instantly.

or

2) Contacted the REAL sender's ISP; abuse[at]vtr.cl They may have been able to trace the Trojan sending machine or compromised account and have it blocked until fixed.

You should absolutely NOT send ME, an innocent third party, a failed-delivery notice. That does NOTHING to stop future repeat abuse, but simply adds to the tide of spam that the Internet must carry.

Here is a useful link that your postmaster might find enlightening; http://members.spamcop.net/fom-serve/cache/329.html#bounces

Thank you for your continued help in fighting spam,

Regards

This is the DSN you sent to me;

=============================================

Who knows whether this helps, but at least I feel I've done something....

C2H5OH


Don't know whether it helps, but I do try to give a clue to the sender of the DNS. Below is an example of the standard format I use (some details munged) in an email to the DAEMON that "returned" "my" spam email. I address this email to whichever ISP sent me the DSN.

.....

You should absolutely NOT send ME, an innocent third party, a failed-delivery notice. That does NOTHING to stop future repeat abuse, but simply adds to the tide of spam that the Internet must carry.

Here is a useful link that your postmaster might find enlightening; http://members.spamcop.net/fom-serve/cache/329.html#bounces

.......

This is the DSN you sent to me;

=============================================

(quoted from post 40603)

More than a bit confusing ....

start with DNS .... no explanation / definition

change to DSN ... no explanation / definition

change to 'failed-delivery notice' ... is that DNS or DSN?

Then you offer a link to a "members" URL, which means that most will get a nice screen asking them to login ....?????

Not sure if you're 'helping the cause' as much as you think you are ...????


My domain name (xxx.co.uk) has obviously been forged by a Spammer.

I KNOW the Spammer was not ME

I CAN SEE from the headers that the spam was sent from a machine at 200.104.117.22, why can't you?

"Whois" confirms that 200.104.117.22 is a client of VTR BANDA ANCHA S.A. based in Santiago, Chile.

On receiving the spam, you could have;

1) Refused to accept it - the true sender would have seen a non-delivery status message. The spam would have died instantly.

or

2) Contacted the REAL sender's ISP; abuse[at]vtr.cl They may have been able to trace the Trojan sending machine or compromised account and have it blocked until fixed.

You should absolutely NOT send ME, an innocent third party, a failed-delivery notice. That does NOTHING to stop future repeat abuse, but simply adds to the tide of spam that the Internet must carry.

Here is a useful link that your postmaster might find enlightening; http://members.spamcop.net/fom-serve/cache/329.html#bounces

Short and sweet is much more likely to be read:

You have sent me a spam because my email address was forged by a spammer in the return path. Please do not send me spam. I report all spam to spamcop.

Here is a useful link that your postmaster might find enlightening; http://members.spamcop.net/fom-serve/cache/329.html#bounces

Miss Betsy


10 months later...

Alright gang,

I have enjoyed reading all of the messages related to the forging of domain names in message headers. I understand the "put up with it and it will eventually go away" argument, but this problem is costing me time, and my time is not free.

So the burning question is... Now that spammers are forging my domain name into the headers of messages, what recourse do I have against the spammers or the companies they seem to be representing?

To explain my situation; I am currently being inundated with undeliverable messages that fill up my mail box at a rate of ten to one hundred messages per day. Many of these undelivered messages include the original spam messages and attached files. I am also fielding calls from individuals who are upset because they have received spam messages, from their perspective, originating from my domain. This all constitutes man hours on my part to deal with the fallout from the unauthorized use of my domain.

If anyone has any experience with hunting down the true source of these spam messages, or better yet a legal contact that has worked in spam related disputes, please let me know. While I don't believe I can shut any of these spammers down, I would like to be compensated for my time, and for the use of my domain.

Trey S.


You can start some of that research on your own. The SpamCop parser identifies the IP at the injection point of the spam e-mail from its headers, which you can extract from the spam e-mail in the bounce. Keep in mind that nowadays a lot of spammers use hijacked computers and/or disreputable ISPs who are happy to get their money. It is very hard to track them. Many are spam gangs in the former Soviet republics or who knows where.... spam is international and goes beyond borders. Finally, depending where you are, the laws against this type of spam business fallout are nonexistent or inadequate. Not to discourage you; most of us who have experienced such bounce "attacks" have seen them go away in time.


hunting down the true source of these spam messages, or better yet a legal contact that has worked in spam related disputes

There's nothing you can do about spammer forgery but ride it out and hope he starts forging somebody else's domain pretty soon, which they usually do.

It would take months and big bucks to track down the spammer using private detectives, lawyers, and court orders to force the host to reveal his user, and even then you would probably find that the spammer used a fake name and address and a stolen credit card to set up the account. And that assumes that the spammer is sending the traffic himself, and that the spam isn't coming from trojan compromised zombied user machines all over the world.

- Don -


So the burning question is... Now that spammers are forging my domain name into the headers of messages, what recourse do I have against the spammers or the companies they seem to be representing?

As others have told you, there is no 'legal' recourse that is worth pursuing.

You can put a disclaimer (or explanation on your website) for those who don't understand. Lots of domain owners do and learn enough about how spam works to be good advocates for anti-spam education.

You can use a spam filter. Businesses like the spamcop email service because no email is ever 'lost' it ends up in a held mail folder. You can set up your own filters. Some people swear by spampal.

Reporting misdirected bounces via spamcop is useful to those who rely on spamcop blocklist for filtering because it does identify the source. In some cases, the server admin doesn't realize that 'bouncing' after acceptance is no longer considered good practice. In others, those trojanned computers are now blocked (or, again, in a few cases, reported to the owners by the server admins and cleaned up). So in a few cases, it is beneficial to report even if you don't use the scbl.

Miss Betsy


Finding the actual spam source isn't too difficult - most bounces will include a copy of the spam with full email headers which will reveal this (see Reading Email Headers on how to find this information - in my experience the *last* email header is normally forged so the second-from-last will show the actual source). However in most cases this source will be a compromised computer - mentioning its address and including the ISP responsible in your SpamCop report may help in getting it quarantined, but there are sadly too many ISPs who don't bother policing their networks for this to be a sure thing.

I'm going to disagree with Don here and say that you are likely to continue receiving such bounces indefinitely and at an increasing rate - it's a win-win tactic for spammers since they tie up spam reporters and ISP abuse desks at no cost to themselves, and it also increases the chance of blocklists like the SCBL affecting legitimate mail (thereby discouraging people from using them - another bonus for spammers).

You can (and should) ask your ISP/email provider to implement SPF and/or DomainKeys since this will allow others to identify emails forging your address but until the majority of email servers use them, this will have limited effect. The only real solution is to change your email address and to take extra steps to keep it out of spammers' hands (the best option is to use an alias system like SpamGourmet, SneakEmail or SpamMotel where possible).

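The SPF suggestion in the post above, and the earlier point that a receiving server should refuse forged mail at SMTP time rather than accept it and bounce it, can be illustrated with a minimal SPF evaluator. This is an added example, not code from the thread or from SpamCop, and it does no DNS: the TXT record is a constructed one for the placeholder domain example.org, with 198.51.100.0/24 as its real outbound servers and 203.0.113.45 as the spammer's relay. Only the ip4/ip6 and "all" mechanisms are implemented; a real receiver also resolves a, mx, include and redirect, and DomainKeys (not shown) is a separate signature-based check.

```python
"""Evaluate an SPF record against the IP that actually delivered a message.

Added example, not from the thread or SpamCop. The record and addresses are
constructed: example.org is the forged domain, 198.51.100.0/24 its real
outbound servers, 203.0.113.45 the spammer's relay. Only the ip4/ip6 and
"all" mechanisms are implemented, since anything else (a, mx, include,
redirect) needs live DNS; a real receiver would resolve those too.
"""
import ipaddress
from typing import List, Optional, Tuple

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT record the domain owner would publish for example.org.
EXAMPLE_ORG_SPF = "v=spf1 ip4:198.51.100.0/24 ip4:192.0.2.10 -all"


def parse_spf(record: str) -> Optional[List[Tuple[str, str, str]]]:
    """Split an SPF record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def check_spf(record: str, connecting_ip: str) -> str:
    """Return pass / fail / softfail / neutral / none for the connecting IP.

    The IP must be the one the receiving MTA saw on the SMTP connection,
    never anything taken from the message headers, which the sender controls.
    """
    terms = parse_spf(record)
    if terms is None:
        return "none"                        # no (valid) record published
    ip = ipaddress.ip_address(connecting_ip)
    for qualifier, mechanism, argument in terms:
        if mechanism == "all":
            return QUALIFIER_RESULT[qualifier]
        if mechanism in ("ip4", "ip6"):
            # A bare address such as ip4:192.0.2.10 is treated as a /32.
            if ip in ipaddress.ip_network(argument, strict=False):
                return QUALIFIER_RESULT[qualifier]
            continue
        raise NotImplementedError(f"{mechanism} needs DNS lookups; not modelled here")
    return "neutral"                         # ran off the end without "all"


def should_reject_before_queue(record: str, connecting_ip: str) -> bool:
    """The thread's option 1: refuse at SMTP time, so no bounce is ever generated."""
    return check_spf(record, connecting_ip) == "fail"


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.45"):
        verdict = check_spf(EXAMPLE_ORG_SPF, ip)
        print(ip, verdict, "reject at SMTP time:", should_reject_before_queue(EXAMPLE_ORG_SPF, ip))
```

The important design point is the input: SPF only helps if the receiver evaluates the address on the TCP connection, which is exactly the injection-point IP a trusted Received: line records, and never the From: or Return-Path the spammer forged. With "-all" a forged message is rejected during the SMTP session and the forged victim never sees a DSN; with "~all" it is only softfailed, which is why the post says the effect is limited until receivers actually enforce the record.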

Archived

This topic is now archived and is closed to further replies.
