
My address is being forged


apache30


HOW CAN I STOP MY EMAIL ADDRESS BEING USED FOR SENDING OUT spam MAIL BY OTHERS :wub:

1. Posted into the section Titled and described as;

FAQ Under Construction

Please do NOT post any general questions in this Forum. This Forum is to be used only by those who want to help build, add to, or correct the Forum version of the FAQ.

2. The single post entry that was "added" to has this existing paragraph;

For the people that somehow failed to grasp that the additional 5 pages of dialog after this first post was conversational data that occurred throughout the building of this FAQ, originally left in place so that folks could follow some of the development issues, some data entries, get a clue that their input was accepted, on and on .. all that dialog has now been moved to a "new" Topic so that the "confusion" should be eliminated. All that effort is now found at SpamCop FAQ (Forum version) development

So, even ignoring the "ALL CAPS" issue, even if one were to believe that this was intended to be a "helpful" item for developing the FAQ, it should then have been posted into SpamCop FAQ (Forum version) development

3. There are numerous postings within several sections of this Forum that address this question, issue, scenario. One of my last can be seen at http://forum.spamcop.net/forums/index.php?...indpost&p=42799 ....

"From:" line forgery is an ancient spammer ploy .. to stop it, one would have to stop the spammer's fingers from touching the keyboard .... take away the microphone if he/she is working via voice control ... secure the ankles to prevent the use of toes from reaching the keyboard ... on and on ....

4. So if I am to believe that this was an attempt to have this added to the existing FAQ, exactly where would you have suggested it be placed so that you would have found it?

5. Because of the "ALL CAPS" in the only sentence offered as a question, this post was split out from the existing single-post single-page-access-point SpamCop FAQ here .. given a new Subject Line ... and upon further reflection, moved to the Lounge section ... if further discussion actually ensues .... ????

PM sent to advise of the split and move of this post.

Link to comment
Share on other sites

HOW CAN I STOP MY EMAIL ADDRESS BEING USED FOR SENDING OUT spam MAIL BY OTHERS :wub:

I guess the simple answer is that you cannot achieve what you desire.

Once a spammer (or the software they use) has discovered or guessed your Email address then it is perfectly easy for them to send spam Email forging your Email address as the sender.

Sadly it happens all the time. Thankfully, this is usually only a short-term problem and after a day or two the flow stops. Typically the fall-out is that you start receiving all sorts of failed delivery messages. You simply have to take this problem on the chin and delete the unwanted messages (you can report mis-directed bounces via SpamCop if you wish but this will not immediately stop the problem).

Andrew

Link to comment
Share on other sites

I get this problem about two or three times a year. A spammer sends out a flood of messages with various addresses somename[at]mydomain.co.uk in the From: and Reply-To: headers. It usually lasts about a week, starting with maybe 100-200 bounces received per day for the first 2 or 3 days and then tailing off towards the end. It's very annoying but if you have patience you will find it doesn't last very long.

Since many of the bounce messages contain the original offending spam as an attachment I take the opportunity to forward as many as possible to SpamCop for analysis. As agsteele said, this won't have much impact on the problem but I'm happy to try to cause spammers as much grief as I can by getting abuse reports to their ISPs. I hope I can at least help shut down one or two of their web sites as a result of one of these floods.

Link to comment
Share on other sites

I get this problem about two or three times a year. A spammer sends out a flood of messages with various addresses somename[at]mydomain.co.uk in the From: and Reply-To: headers. It usually lasts about a week, starting with maybe 100-200 bounces received per day for the first 2 or 3 days and then tailing off towards the end. It's very annoying but if you have patience you will find it doesn't last very long.

Since many of the bounce messages contain the original offending spam as an attachment I take the opportunity to forward as many as possible to SpamCop for analysis. As agsteele said, this won't have much impact on the problem but I'm happy to try to cause spammers as much grief as I can by getting abuse reports to their ISPs. I hope I can at least help shut down one or two of their web sites as a result of one of these floods.

2 comments:

1. You can minimize the impact if you can turn off the blanket address feature and setup specific email addresses.

2. Reporting the bounces does NOT report the spammer. It reports the server that is bouncing the forged return address. I believe it is still against the rules to report the original spam inside the bounce.

Link to comment
Share on other sites

1. You can minimize the impact if you can turn off the blanket address feature and setup specific email addresses.

This is true. I personally prefer to receive the mail if, for nothing else, curiosity. Disabling the blanket address feature also prevents a lot of original (non-bounced) spam getting through. Again, just a personal opinion, but I'd rather receive it and report it. Maybe I just have too much time on my hands :P

2. Reporting the bounces does NOT report the spammer. It reports the server that is bouncing the forged return address. I believe it is still against the rules to report the original spam inside the bounce.

From the FAQ

Messages which may be reported:

There are several types of responses to forged email that SpamCop has in the past prohibited. However, these messages have become a big enough problem that we now allow them to be reported as the spam that they technically are.

Examples of messages in this category:

1. Misdirected bounces

2. Misdirected virus notifications

3. Misdirected vacation emails

4. Misdirected challenges from challenge/response spam filtering systems

Presumably this is meant as a measure against sysadmins who bounce spam despite 99.99% of it having forged headers and not an action against the spammers. You are correct, however, that reporting the original spam extracted from a bounce (which I was doing) is against the rules. I stand humbly corrected. I suspect this won't work now anyway since registering my valid relay paths with SpamCop.

Link to comment
Share on other sites

My email address which uses my business web address is being used to spam people by http://www.broadcastemailcorporation.com . My company is Windmill Web Works. How can I stop them from using it? Here is the mail header:

Return-Path: <accounts[at]windmillwebworks.com>
Delivered-To: mail[at]windmillwebworks.com
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (smtpin12l.livemail.co.uk [127.0.0.1])
    by smtpin112.livemail.co.uk (Postfix) with SMTP id D9F2616803F
    for <mail[at]windmillwebworks.com>; Fri, 16 Jun 2006 07:43:52 +0100 (BST)
Received: from 213.171.216.101 (unknown [125.22.240.183])
    by smtpin112.livemail.co.uk (Postfix) with SMTP id 2DDC4168041
    for <accounts[at]windmillwebworks.com>; Fri, 16 Jun 2006 07:43:49 +0100 (BST)
To: accounts[at]windmillwebworks.com
Message-Id: <20060616064349.2DDC4168041[at]smtpin112.livemail.co.uk>
Date: Fri, 16 Jun 2006 07:43:49 +0100 (BST)
From: accounts[at]windmillwebworks.com
X-Original-To: accounts[at]windmillwebworks.com
X-NAS-Language: English
X-NAS-Bayes: #0: 1; #1: 1.3176E-036
Subject: [Norton AntiSpam]
X-NAS-Classification: 1
X-NAS-MessageID: 1383
X-NAS-Validation: {CD57CDD6-03A9-4625-85A3-13F2546D5FE4}

Link to comment
Share on other sites

My email address which uses my business web address is being used to spam people by http://www.broadcastemailcorporation.com . My company is Windmill Web Works. How can I stop them from using it? Here is the mail header:

<snip headers>

There is no easy way to stop spammers from forging your email address in the spam they send.

You can report the 'bounces' via spamcop (ISPs should not be accepting email and sending an email to the return path; it is ok per RFC, but any responsible ISP knows that the return path can be forged and so does not accept emails and then send emails about undeliverable email, but rejects them at the server which goes back to the ISP that sent them).

The spammers use random email addresses to forge. It usually lasts a few days and then goes away.

No responsible ISP will think that you sent the spam. Responsible ISPs know that the IP address is the only reliable source of where the spam comes from.

A few ignorant people may send you nasty emails. I think that many people who have this happen to them put a disclaimer on their website.

Some more information:

Andrew (agsteele) [with edits since it is out of context]

It usually lasts about a week, starting with maybe 100-200 bounces received per day for the first 2 or 3 days and then tailing off towards the end. It's very annoying but if you have patience you will find it doesn't last very long.

bogbrush

1. You can minimize the impact if you can turn off the blanket address feature and setup specific email addresses.

2. Reporting the bounces does NOT report the spammer. It reports the server that is bouncing the forged return address. I believe it is still against the rules to report the original spam inside the bounce.

Steven P. Underwood, DNRC

Adapted From the FAQ

There are two kinds of bounces: SMTP rejects that go directly back to the server that sent the message and email bounces after accepting the message.

Email bounces are allowed by RFC (netiquette rules for the internet). Once email bounces were a very useful feature. The spammers spoiled it. Now the spam bounced with forged addresses is just as big a nuisance as the original spam.

Most mail servers do an SMTP reject, which means that any bounce message will come from the original sending mail server.

There are some mail server operators that claim that it is not practical to convert to SMTP rejects instead of bouncing.

These mail server operations must be bigger than AOL.COM which had several years ago announced on the spam-L mailing list that they recognized that such bounces were abusive to the rest of the internet and were switching over to only using SMTP rejects.

AOL changed their policy because of the complaints they got.

I don't know how you thought that this forum 'FAQ Under Construction' was the proper forum in which to post. Maybe you can tell us so that the next person uses the correct forum.

A moderator may move this post. (Moderator edit: topic has been moved and PM sent to quarterflash with a location link left in the original forum.)

Miss Betsy

Link to comment
Share on other sites
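Added example, not part of any post in this thread: a small Python model of the two behaviours contrasted above, accepting mail and bouncing it later versus rejecting during the SMTP session. All addresses, the IP and the function names are constructed for illustration; it models the replies only and opens no network connection.

```python
# Added illustration (not from the thread): one SMTP exchange handled under the
# two policies the post contrasts. Addresses and the IP are constructed samples.
VALID_RCPTS = {"sales@receiver.example"}    # mailboxes that exist on the receiver
FORGED_SENDER = "accounts@victim.example"   # innocent address forged into MAIL FROM
SPAM_SOURCE_IP = "192.0.2.55"               # machine that really opened the connection


def receive(policy, mail_from, rcpt_to):
    """Model MAIL FROM / RCPT TO / DATA for one message.

    policy "reject": unknown recipients are refused during the SMTP session.
    policy "bounce": everything is accepted and failures are mailed out later.
    Returns (replies, outbound). Replies travel back over the open connection,
    so only the connecting client sees them; outbound is new mail generated
    by the receiving server.
    """
    replies = [("MAIL FROM:<%s>" % mail_from, "250 2.1.0 Ok")]
    deliverable, undeliverable = [], []
    for rcpt in rcpt_to:
        cmd = "RCPT TO:<%s>" % rcpt
        if rcpt in VALID_RCPTS:
            deliverable.append(rcpt)
            replies.append((cmd, "250 2.1.5 Ok"))
        elif policy == "reject":
            replies.append((cmd, "550 5.1.1 User unknown"))
        else:
            undeliverable.append(rcpt)
            replies.append((cmd, "250 2.1.5 Ok"))
    # DATA is collapsed to its final reply (the 354 step is omitted).
    if deliverable or undeliverable:
        replies.append(("DATA", "250 2.0.0 Ok: queued"))
    else:
        replies.append(("DATA", "554 5.5.1 No valid recipients"))
    # Accept-then-bounce: the only return address available is the envelope
    # sender, which the spammer chose, so the notice goes to the forged address.
    outbound = [
        {"from": "<>", "to": mail_from, "failed_rcpt": rcpt,
         "subject": "Undelivered Mail Returned to Sender"}
        for rcpt in undeliverable
    ]
    return replies, outbound


def failure_notified_parties(policy, rcpt_to):
    """Who hears about the failed delivery: the connecting IP or the forged address."""
    replies, outbound = receive(policy, FORGED_SENDER, rcpt_to)
    parties = set()
    if any(reply.startswith("5") for _, reply in replies):
        parties.add(SPAM_SOURCE_IP)
    parties.update(msg["to"] for msg in outbound)
    return parties


if __name__ == "__main__":
    targets = ["nobody@receiver.example", "sales@receiver.example"]
    for policy in ("bounce", "reject"):
        print(policy, "->", sorted(failure_notified_parties(policy, targets)))
```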

I found the whole site confusing with numerous links all over the place. It needs simplifying big time.

Regards

Q

We are always trying to improve the system.

If you have any specific suggestions on what would make it simpler for you PLEASE let us know. We are open to all suggestions for improvement to the Forum.

Link to comment
Share on other sites

I found the whole site confusing with numerous links all over the place. It needs simplifying big time.

Regards

Q

I agree with you. But how would you make it simpler? Did you look at the big red Latest Announcements and this announcement How to find what you are looking for without tearing your hair out in the process ? The links don't work, but does that sound like a better approach?

If you had seen that announcement and had followed the links (if they worked) to typical questions, you would have seen:

For people whose email address is the sender in spam: How do I stop spammers from using my email address?

OR

Why am I getting all these Bounces?

and the link you would have gotten for 'How do I stop...', would have been the 'more info' part of my reply to you. Was that helpful? The 'Why am I getting all these Bounces' is in the FAQ. Did you not find it? or did it not answer your question?

Any help would be appreciated - I know how frustrating it is to look for something and not find it! But we are too close to it to be able to see it with 'new' eyes. The next person to come who would be confused will really appreciate your thoughts!

Miss Betsy

Link to comment
Share on other sites

My email address which uses my business web address is being used to spam people by http://www.broadcastemailcorporation.com .

AKA thebroadcastemailcorporation.com/broadcastemailcorporation.org/broadcastemailcorporation.us

This spammer appears to change the From and Return-Path on each spam to match the victim's domain name - ie. your domain name was used only in spam sent to you.

The spam content and spamvertised domains have a Robert Soloway odor.

http://en.wikipedia.org/wiki/Robert_Soloway

Link to comment
Share on other sites
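Added example, not part of any post in this thread: the header posted earlier, parsed in Python to separate what the receiving server recorded (the connecting IP) from what the sender supplied (HELO name, From, Return-Path). It assumes Postfix-style Received lines and that internal hops use non-public addresses; the function names are illustrative.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Header as posted in the thread (trimmed to the fields used; "[at]" restored to "@").
POSTED_HEADER = """\
Return-Path: <accounts[at]windmillwebworks.com>
Delivered-To: mail[at]windmillwebworks.com
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (smtpin12l.livemail.co.uk [127.0.0.1])
    by smtpin112.livemail.co.uk (Postfix) with SMTP id D9F2616803F
    for <mail[at]windmillwebworks.com>; Fri, 16 Jun 2006 07:43:52 +0100 (BST)
Received: from 213.171.216.101 (unknown [125.22.240.183])
    by smtpin112.livemail.co.uk (Postfix) with SMTP id 2DDC4168041
    for <accounts[at]windmillwebworks.com>; Fri, 16 Jun 2006 07:43:49 +0100 (BST)
To: accounts[at]windmillwebworks.com
From: accounts[at]windmillwebworks.com
""".replace("[at]", "@")

# Postfix-style trace line: from <HELO claim> (<reverse DNS> [<peer IP>]) by <host>
HOP_RE = re.compile(
    r"from (?P<helo>.+?) \((?P<rdns>\S+) \[(?P<ip>[0-9.]+)\]\)\s+by (?P<by>\S+)")


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def received_hops(msg):
    """Parsed Received lines, newest first (the order they appear in the header)."""
    hops = []
    for raw in msg.get_all("Received", []):
        match = HOP_RE.search(" ".join(raw.split()))  # undo header folding
        if match:
            hops.append(match.groupdict())
    return hops


def analyse(header_text):
    msg = email.message_from_string(header_text)
    # The newest hop with a public peer address was written by the recipient's
    # own mail server when the outside machine connected (assumption: internal
    # hops use loopback or private addresses). Everything else is sender-supplied.
    handoff = next(h for h in received_hops(msg)
                   if ipaddress.ip_address(h["ip"]).is_global)
    return {
        "handoff_ip": handoff["ip"],
        "recorded_by": handoff["by"],
        "helo_claim": handoff["helo"],  # sender-supplied, unverified
        "helo_matches_peer": handoff["helo"] == handoff["ip"],
        "peer_has_reverse_dns": handoff["rdns"] != "unknown",
        "from_in_recipient_domain":
            domain_of(msg["From"]) == domain_of(msg["Delivered-To"]),
        "return_path_matches_from":
            parseaddr(msg["Return-Path"])[1] == parseaddr(msg["From"])[1],
    }


if __name__ == "__main__":
    for key, value in analyse(POSTED_HEADER).items():
        print(f"{key:26} {value}")
```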

I did a bit of an override on at least one of the Moderators here .... deleted a number of "moved" links ... moved/merged quarterflash's posting (and responses) into this existing Topic/Discussion. PM sent to advise of this move/merge.

I found the whole site confusing with numerous links all over the place. It needs simplifying big time.

And on the other hand, every time I see a comment like this, take the time to ask for "what do you suggest to actually fix it?" .... all I seem to end up with is either a "no response" or some tirade about the fact that I'm calling the user stupid ....

Your "confusion" bothers me in that you apparently originally posted into a Forum section that is defined with the words "Please do NOT post any general questions in this Forum. This Forum is to be used only by those who want to help build, add to, or correct the Forum version of the FAQ." So for starters, exactly how would you suggest that this be changed so it would have caught your attention before posting?

You could have tried using one of the multiple Search tools I've made available .. but also noting that even your own description of the issue "My email address which uses my business web address is being used to spam people" doesn't include the phrase / word "forged" or even the too-often wrongly used 'slang' term "joe-job" ... so it's likely that your attempted search would have ticked you off even more .. but again, I have no power over what words you or others use to "describe" their issues (OK, ignoring the bad word filters, editing out certain terms, etc.) ....

On the other hand, you also didn't provide the "how you found out that someone is forging your address into the From:/Reply-To:/whatever lines" ... typically, the general recipient comes in with a complaint about receiving all kinds of "bounces" ... for which a SpamCop FAQ entry was created here to answer just that question ..."Why am I receiving all these Bounces?" .... but again, you didn't use these words, didn't apply them to a search, etc. ....

There is only so much stuff I can throw in front of "you" to try to steer "you" to an answer ... and yet, as in your remarks, some folks seem to feel that by removing all that stuff, all of a sudden everything would become crystal clear .... I'm having a hard time convincing myself that there's much truth in that ....

Link to comment
Share on other sites

There is only so much stuff I can throw in front of "you" to try to steer "you" to an answer ... and yet, as in your remarks, some folks seem to feel that by removing all that stuff, all of a sudden everything would become crystal clear .... I'm having a hard time convincing myself that there's much truth in that ....

I don't think that removing all the different ways to access info is necessary or desirable. There are two menus at the top of the forum. There are pinned topics of particular interest in each forum plus pinned access to the FAQ. What is needed is a 'simple' way that is obvious for those who are skilled in searching online.

The problem is that finding information means wading through explanations that are not simple and finding items in a list that has very broad divisions. As you point out, there are a number of ways to describe the problem of forged return paths. Two of the most common for those who don't know exactly what they are looking for are 'Why am I getting all these bounces?' and 'How do I stop spammers from using my email address?' They are different questions, but the answers are very similar.

There is an entire forum designated 'Start Here..' but it doesn't make it 'simple' - it just puts you back to one of the already seen menu items after an explanation about spamcop (while interesting, doesn't answer any of the most common questions). Most of the suggestions that have been given is that the FAQ are 'too technical' or 'not in plain English' - other ways to my mind of saying 'not simple.'

Using the 'search' comes up with interesting items, but is not any easier to find a 'simple' answer.

And I bet that the OP didn't realize until after posting that he was in the FAQ under Construction Forum, but gave up trying to find an answer and decided to post - a good reason to put a link to the correct forum at the end of the individual FAQ - "if you didn't find the answer, post here."

And I don't understand why the 'old' information should still be in the FAQ. If history is important, it could be left in the edit note.

Miss Betsy

Link to comment
Share on other sites

The problem is that finding information means wading through explanations that are not simple and finding items in a list that has very broad divisions. As you point out, there are a number of ways to describe the problem of forged return paths. Two of the most common for those who don't know exactly what they are looking for are 'Why am I getting all these bounces?' and 'How do I stop spammers from using my email address?' They are different questions, but the answers are very similar.

I really don't want to start yet another discussion in yet another Forum section covering this same ground.

There is an entire forum designated 'Start Here..' but it doesn't make it 'simple' - it just puts you back to one of the already seen menu items after an explanation about spamcop (while interesting, doesn't answer any of the most common questions). Most of the suggestions that have been given is that the FAQ are 'too technical' or 'not in plain English' - other ways to my mind of saying 'not simple.'

And again, this is already existing and covered in at least three or four ongoing discussions elsewhere ....

Using the 'search' comes up with interesting items, but is not any easier to find a 'simple' answer.

Search terms you used as compared to the words used by which posters .... that's a bit out of my or your control.. yet, add that to the list of your points above .. if folks used the "correct" terminology, the search results would be wonderful .. but .. that's not the real world .... yet, this is exactly what those "too technical" things attempt to do .. get folks to use the right words, the right definitions, the right concepts .....

And I bet that the OP didn't realize until after posting that he was in the FAQ under Construction Forum,

Even though the "Navigation" links are on the top of the screen? Once again, I'm not seeing where having to explain how to use a web browser and such is a part of the "job" here .... If it's a navigation issue, I've placed low-res layouts of the Forum construct in those links you basically call useless, the Description and definition are right on screen, on and on ... again, please someone explain how to make even more signposts and such ..... (oh yeah, and make things cleaner and simpler at the same time) ....

And I don't understand why the 'old' information should still be in the FAQ. If history is important, it could be left in the edit note.

Again, repeated conversation ... I don't understand your heartburn over the explanation text, yet pointing out that folks don't grasp that the single-page-access point includes the original .. and people still state "I've searched 'THE' FAQ" .. yet it turns out that the single-page-access version (expanded, enhanced, etc., etc., etc.) is not the one item being discussed .... again, why is this conversation being repeated in yet another Forum section?

Link to comment
Share on other sites

<snip>

Again, repeated conversation ... I don't understand your heartburn over the explanation text, yet pointing out that folks don't grasp that the single-page-access point includes the original .. and people still state "I've searched 'THE' FAQ" .. yet it turns out that the single-page-access version (expanded, enhanced, etc., etc., etc.) is not the one item being discussed .... again, why is this conversation being repeated in yet another Forum section?

In case the OP comes back.

I asked specific questions. You brought up issues that regulars have discussed to solve his problem. I tried to demonstrate what some of the considerations were so that if s/he were so inclined to answer, there would be some information already known.

If the OP doesn't answer, there isn't any reason to continue the discussion.

Miss Betsy

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
