I've been domain/email spoofed and am not sure what to do


bsmith3051

On November 29, 2006 some spammer(s) launched e-mail campaigns that look like messages sent by my domain. I have been researching this since then in the attempt to find out what can be done to stop the spammers from using my domain in their forged email headers, which makes it appear as if the spam email originated from me. It is very frustrating because the email headers are forged, making it very difficult to trace the emails to their origin, but I have not given up.

I have received thousands of bounced emails in the ten days since the spamming started. I have read that I need to be patient and it will stop after a short time of approximately a week. On day one I received 137 emails, day two netted 363 emails. It then slowed for five days and I thought it was over. Then on December 6-7 I was flooded with over 1000 emails. And the last two days have been relatively quiet so we'll see...

A couple of the emails contained the original email so I was able to see the spam and the link to the web sites where one could, if they so chose, help put money in the spammers' pockets by purchasing from these sites. The first one I checked, ht tp://advi zeh int.com/ , was no longer on-line. When I checked domain whois information on this web site I see it was registered on December 3, 2006 and suspended on December 7, 2006 - the date of the email. The second one I checked, ht tp://lar ysla rys.com/ , was still on-line at the time of this posting. When I checked domain whois information on this web site I see it was registered on December 4, 2006 and is still valid.

I started preparing this post on December 9, 2006 when the bounced emails had stopped for two days. It is December 10, 2006 and they have started up again. Another one came in containing the original email so I was able to see the spam and the link to the site. ht tp://de nsi tylo w.com/ was still on-line at the time of this posting. When I checked domain whois information on this web site I see it was registered on December 4, 2006 and is still valid.

These sites have forms for reporting spam but I was not sure if that would be the right choice. I'm beginning to pull my hair out trying to figure out the right course of action. I read so much about making sure that I post in the right forums, only do this, don't do that, that I get frozen in my tracks and start looking elsewhere for answers. And then I don't know whether spamcop is right because the headers are forged to look like they were sent from my domain and that makes me think that my domain will be reported as the originator.

:unsure: Should I post the header information here in the forum so someone can give me advice on how to proceed? Can something be done because we know the details of some of the web sites involved? They both point to a company in Utah that seems to have an anti-spam policy in place, contact information, and spam reporting form as well as stating they are Verisign compliant but that information seems bogus as well as being out of date. Please don't ridicule as I don't have much more hair I can pull out. :angry: I'm just really pi***d off at these fu**wads for using my domain to line their sleazy pockets while discrediting my good name. :excl::excl: And the more I read, the less hair I have, the more frustrated I become and I thank God I don't have a rifle and a clocktower nearby.

Please... some help

Edited by Wazoo

... I'm beginning to pull my hair out trying to figure out the right course of action. I read so much about making sure that I post in the right forums, only do this, don't do that, that I get frozen in my tracks and start looking elsewhere for answers. And then I don't know whether spamcop is right because the headers are forged to look like they were sent from my domain and that makes me think that my domain will be reported as the originator.

:unsure: Should I post the header information here in the forum so someone can give me advice on how to proceed? Can something be done because we know the details of some of the web sites involved? They both point to a company in Utah that seems to have an anti-spam policy in place, contact information, and spam reporting form as well as stating they are Verisign compliant but that information seems bogus as well as being out of date. Please don't ridicule as I don't have much more hair I can pull out. :angry: I'm just really pi***d off at these fu**wads for using my domain to line their sleazy pockets while discrediting my good name. :excl::excl: And the more I read, the less hair I have, the more frustrated I become and I thank God I don't have a rifle and a clocktower nearby. Please... some help

Hi bsmith. We're just users of the various aspects of SpamCop here but we do share your disaffection with spam and with spammers. Your priority is to weather the storm ("they" usually move on in time, as you have read). Miss Betsy's FAQ entry covers this - How do I stop spammers from using my email address?, or Why am I getting all these bounces?

Ignorant people (even some server admins receiving stuff with your address spoofed) might believe you are to blame - but the majority will be well aware that most spam has fake from and reply-to addresses. The SpamCop block list works on IP address (like 68.230.240.35) which is the part a spammer can't forge. You are not going to get blocked anywhere just because your domain name is forged.

If you have a website you might post a notice there pointing out that your domain name is presently being forged as the originator of spam with which you have no association.

This does not seem to be a reporting matter - unless you have a SC reporting account? We would prefer a tracking URL (leading to a SC parse of a spam sample) to look at any reporting implications. If you don't have an account and can't supply the tracking URL then pasting a set of retrieved headers is the next best thing. Then maybe "we" can advise on further action you might take.

In the meantime, stay away from those supposed spam reporting forms - the websites you have nominated are unlikely to be hosted by responsible citizens of the internet. And keep away from clocktowers.


I feel your pain. Wish I could give you some good news, but there is not a whole lot one can do.

Some suggestions: sign up for a free SpamCop reporting account and use it to help track down the source of the spam. Consider filing additional personal reports to all the upstream providers where the email came from. Also consider filing personal reports to the upstream hosts of the advertised web sites.

As far as reporting issues with SpamCop regarding forged addresses, it is not an issue as SpamCop only deals with IP addresses, not email addresses. Those who know how the internet works would never look to you as being the spammer simply because your email address / domain was used in a from or reply-to entry. As you well know, those entries are forged far too often. You always want to be sure spam is not coming out of your system as the result of a spammer hacking into it and using your computers without your permission.

Hopefully it will end soon, but for some it continues for a long time.

Sorry to be of so little help.

Best wishes for surviving the attack.

You may want to look at the following topic: http://forum.spamcop.net/forums/index.php?showtopic=203 Post #2 might give you some useful information.


I have received thousands of bounced emails in the ten days since the spamming started.

See also the Wiki pages/FAQ entries on (Misdirected) Bounces .... that's the other half of the story here. Those other ISPs shouldn't be accepting e-mail that is not for their local customers, then deciding to later generate a non-delivery report and send that to the forged e-mail addresses. This behaviour was perfectly fine way back in the good old days .. but it's another function designed around the concept of "trusted users" that spammers have destroyed.

But, as noted, there is nothing in your query about an issue with the SpamCop.net Parsing & Reporting system (other than noting that you don't appear to be using it or the associated SpamCopDNSBL) .... so having to move this Topic/Discussion to the Lounge area ...


... the websites you have nominated are unlikely to be hosted by responsible citizens of the internet. ...
I thought at least one of those had been discussed here recently but can't find the reference if so. We (well, Wazoo in this instance) tend to break the links and mung the names of spamvertized links here because we don't want to be giving those scum a "free ride". Which is very effective in making them practically disappear from "here". Note they are currently listed by the joewein.de spam domain blacklist

If you have a website you might post a notice there pointing out that your domain name is presently being forged as the originator of spam with which you have no association.

Thanks! I have already posted an apologetic disclaimer on main pages of my web site.

This does not seem to be a reporting matter - unless you have a SC reporting account? We would prefer a tracking URL (leading to a SC parse of a spam sample) to look at any reporting implications.

Some suggestions: sign up for a free SpamCop reporting account and use it to help track down the source of the spam. Consider filing additional personal reports to all the upstream providers where the email came from. Also consider filing personal reports to the upstream hosts of the advertised web sites.

But, as noted, there is nothing in your query about an issue with the SpamCop.net Parsing & Reporting system (other than noting that you don't appear to be using it or the associated SpamCopDNSBL) .... so having to move this Topic/Discussion to the Lounge area ...

I do have a spamcop reporting account but I was waiting for advice on how to proceed. I have now parsed two emails and post the tracking URLs here. I will await further advice before reporting the spam to the various sources. I noticed in the output from the parsings that it stated that the web site links in the emails were discarded as fake, but when I tried to go there they do exist. What does that mean?

http://www.spamcop.net/sc?id=z1162444575z1...77a763c5c04c4cz

http://www.spamcop.net/sc?id=z1162418962z2...12170b72191e9az

Thanks!!!


... I have now parsed two emails and post the tracking URLs here. I will await further advice before reporting the spam to the various sources. I noticed in the output from the parsings that it stated that the web site links in the emails were discarded as fake, but when I tried to go there they do exist. What does that mean?...
I cancelled the second tracker since a "prankster" could hijack it to end your reporting career before it began. You can always re-parse and submit it (within the 48 hours allowed to report).

You have found two instances that were actually addressed to you? As distinct from the thousands of bounces you've been getting? Both types are reportable but the huge frustration for you will be that the bounces do not report the spammer (just the clueless person bouncing the spam to you). It is not permitted to trim the headers to "encourage" the parser to find the spamming source (which is often some trojanned PC whose owner is totally unaware). Those were not trimmed?

Reporting the bounces may eventually educate people (and their sometimes equally clueless ISPs) to stop sending abusive bounces. Reporting the actual spam may close some of the network used to send it (if it's a botnet, the botmaster is undoubtedly recruiting at an even greater rate though).

SpamCop does not give priority to finding the spamvertized websites. Now that is what will really have you tearing your hair out, I guess. If the lookup takes too long SC will drop the attempt and that will often happen if the website is hosted on a botnet or a revolving series of host servers. It is no trick to resolve a website when SC cannot. Variable results at different times with different lookups (and their source caches) come into it, but particularly the volume is the factor (SC doing 10-30 per second, whatever).

You can always make your own reports ("manual reporting"). That's a very glib statement - there are of course all sorts of people you can report to and figuring out the most beneficial (or the least harmful) is the trick. I can't recommend my own reporting methods (I don't care if I get spammed, invite it even), maybe others here can get down to tin tacks on the detail of the spam sites you have unearthed.
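The distinction drawn in the two posts above, between what a bounce lets you attribute (the server that bounced it) and what the spam copy inside it merely claims about its own origin, as an added illustration that is not code from this thread or from SpamCop's parser. The domain, relay IP and both messages are constructed, and the Received: regex only handles the sample's own syntax.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed values for this example (constructed, not from the thread).
OUR_DOMAIN = "mydomain.example"
OUR_MX_IPS = {"192.0.2.10"}   # IPs of the mail server we actually control

# Constructed sample: a misdirected bounce delivered to our catch-all that wraps
# the spammer's original message, whose From: forges our domain.
RAW_BOUNCE = """\
Received: from mx.example.net ([203.0.113.5]) by mail.mydomain.example ([192.0.2.10]) with ESMTP; Thu, 7 Dec 2006 10:00:00 -0700
From: MAILER-DAEMON@example.net
To: catchall@mydomain.example
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

This is the mail system at host mx.example.net. Delivery failed.

--B1
Content-Type: message/rfc822

Received: from dsl-pool.isp.example ([198.51.100.77]) by mx.example.net ([203.0.113.5]) with SMTP; Thu, 7 Dec 2006 09:59:58 -0700
From: "Sales" <promo@mydomain.example>
To: nobody@example.net
Subject: Great deals

Buy now.
--B1--
"""

# Matches only the "from host ([ip]) by host ([ip])" form used in the sample;
# real Received: lines vary widely and a production parser must handle more.
HOP = re.compile(r"from \S+ \(\[([\d.]+)\]\) by \S+ \(\[([\d.]+)\]\)")


def hops(msg):
    """Received: hops, most recent first, as (connecting_ip, receiving_ip) pairs."""
    found = []
    for hdr in msg.get_all("Received", []):
        m = HOP.search(str(hdr))
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def attributable_source(msg, our_ips):
    """Walk the chain outward from our own relay. A hop is trustworthy only if the
    server that wrote it ("by") is ours; the first trustworthy hop whose connecting
    IP is not ours is the one IP we can attribute. Returns None when the chain was
    written entirely by servers we do not control (e.g. the spam inside a bounce)."""
    for connecting, receiving in hops(msg):
        if receiving not in our_ips:
            return None
        if connecting not in our_ips:
            return connecting
    return None


def from_domain_is_forged(msg, our_domain, our_ips):
    """From: is free text. If it claims our domain but no hop originated at our
    relay, the domain name was simply forged into the header."""
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain != our_domain:
        return False
    return not any(connecting in our_ips for connecting, _ in hops(msg))


def embedded_original(bounce):
    """For a DSN (multipart/report) return the original message it carries."""
    if bounce.get_content_type() != "multipart/report":
        return None
    for part in bounce.iter_parts():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def analyse(raw, our_domain=OUR_DOMAIN, our_ips=OUR_MX_IPS):
    """Summarise what a received message does and does not let us attribute."""
    msg = email.message_from_string(raw, policy=policy.default)
    inner = embedded_original(msg)
    inner_hops = hops(inner) if inner else []
    return {
        "is_bounce": inner is not None,
        "bouncer_ip": attributable_source(msg, our_ips),            # who bounced it
        "spam_source_verified": attributable_source(inner, our_ips) if inner else None,
        "spam_source_claimed": inner_hops[0][0] if inner_hops else None,  # bouncer's word only
        "from_forged": from_domain_is_forged(inner or msg, our_domain, our_ips),
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_BOUNCE).items():
        print(f"{key}: {value}")
```

The outer message attributes only the bouncing relay; the spammer's IP survives solely in a header written by that relay, which is why a bounce reports the bouncer and why trimming the outer headers to "find" the spammer is not permitted.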


Everyone who sees their domain name in the From of a spam or who receives misdirected bounces is outraged! (and would like to boil spammers in oil or drip email addresses on their heads or worse).

However, there is nothing one can do to a specific spammer. If this attack inspires you to become a spamcop reporter, welcome aboard!

But spamcop reporting has developed into mostly feeding the blocklist so that spam can be blocked by those who use the blocklist. Occasionally a server admin will make a mistake and be grateful for the spamcop report. Many admins who don't know that receiving email and then sending the NDR is now passe are educated because they end up on the spamcop blocklist. When a new spammer trick is developed, then spamcop usually acts as a 'heads up' to admins who do not keep up to date. It is too expensive (or illegal as in the case of rifles and oil) to actually track a spammer down and stop hir.

The problem with manual reporting is that you have to be very careful that the spammer does not get an email address from your domain. There is a lot of controversy about that, but most people seem to believe that even if a spammer will listwash you (take your address off his list so that you no longer can report), he will just turn around and sell it as an 'active' address and another spammer will start up shortly. At one time spammers did retaliate, but there are too many reporters now for that to be useful to them.

I am not a server admin, but one way to avoid getting as many bounces and/or spam is to turn off your catchall address, I believe. I didn't see that mentioned. Farelf wouldn't think of it since he wants to get spam to report - a real dedicated effort to put as many spammers as possible on the spamcop blocklist.

Miss Betsy


Here are a couple more... ...still don't know what I'm looking at when they're parsed and don't know what, if anything, should be sent.

OK, you've totally missed the kid glove treatment. Here it is bluntly.

Based on your provided samples, you are "playing" with us, your alleged spam, and even the future of your Reporting Account.

1. Geeze, even after the above explanations, you leave more "parse result pages" live ....

2. Your storyline starts with "I'm receiving all this e-mail" .... yet none of your samples shows the "common" Received-By: address that would seem to be "your" ISP/server ... the easiest explanation of that is that your samples are the 'embedded' spam within those alleged bounced e-mails.

... makes it "not your spam"

... doesn't fall within the scope of reporting misdirected bounces

... means you are "materially altering" your submittals

... shows you have not read/understood the "Rules" that you 'agreed' to when you registered your Reporting Account

3. Those rules include the fact that "you" are the responsible party/agent for deciding which reports go out and where they end up. If you truly can't figure out "what you are looking at" in reference to the Parser output .... see the above in regards to the probable future of your Reporting Account.

Agree, spammers tick us all off, but ... misuse of the SpamCop.net toolset is on yet an even larger scale.


<snip>

1. Geeze, even after the above explanations, you leave more "parse result pages" live ....

<snip>

...In other words, after you have submitted the spam to the parser, navigate to the Tracking URL and click the Cancel button. We will still be able to see the information.

I apologize for doing whatever it is I'm doing wrong... ...I have been reading pages day in and day out, here and elsewhere, trying to figure out if there is something I can do to try and end the domain/email spoofing that is going on with my web site. I know that I can turn the catch all off and then only the legitimate mail to my addy would come through. But, I'm trying to do a little more than that and that is why I have been trying to learn the best course of action to take. I've been reading till I'm blue in the face trying to understand all this and I've been trying very carefully not to do the wrong thing. That's why in my first post I asked questions before parsing.

I stated in that first post that:

On November 29, 2006 some spammer(s) launched e-mail campaigns that look like messages sent by my domain.

I have received thousands of bounced emails in the ten days since the spamming started.

A couple of the emails contained the original email so I was able to see the spam and the link to the web sites...

I cancelled the second tracker since a "prankster" could hijack it to end your reporting career before it began. You can always re-parse and submit it (within the 48 hours allowed to report).

I don't know what this means about a "prankster" hijacking... ...I saw that I could reparse and submit... ...so I did.

OK, you've totally missed the kid glove treatment. Here it is bluntly.

I'm not a kid, therefore I can take it bluntly. I've worked in the Computer Industry since 1976 and worked my way up from a computer operator trainee at Mesa Public School district when I was 18 to Project Manager, Information Services, Honeywell Aerospace in Tempe, AZ. Along the way I was taught or taught myself how to write in more computer languages than I can count on both hands: Basic, TEBOL, COBOL, COBOL II, Transform IMS, IMS DB, IMS DC, GCOS, JCL, MARKIV, PCBs, PSBs, DBDs on Honeywell, DEC and IBM mainframes, as well as learning some client server apps such as Access, UNIX, ORACLE, Crystal Reports. I was a major contributor to the Y2K conversion/migration. I was a major contributor and in-house auditor to make our department ISO 9001 certified. - Right The First Time. Does this mean I know it all? Certainly not... ...So after researching for 10 days I came to a place that I thought would have the answers... SpamCop.net. So I can take it bluntly if I'm doing something wrong. But I'm not doing it on purpose, I'm trying to learn. Have you ever had a hard time trying to make sure you're going to do it right, or understanding what right is?

Based on your provided samples, you are "playing" with us, your alleged spam, and even the future of your Reporting Account.

I'm not playing anything... I'm very serious about this, otherwise I would have just turned off my catch all and forgotten about it. But someone is making it look like I'm spamming and that I take seriously. I've got close to 2000 "alleged" emails in the past 10 days.

1. Geeze, even after the above explanations, you leave more "parse result pages" live ....

I saw no place where I have read that "parse result pages" were live or that whatever live is is wrong. I left the original "parse result pages" available because:

QUOTE(Farelf [at] Dec 10 2006, 06:31 PM)

We would prefer a tracking URL (leading to a SC parse of a spam sample) to look at any reporting implications.

QUOTE(dbiel [at] Dec 10 2006, 06:37 PM)

Some suggestions, sign up for a free SpamCop reporting account and use it to help track down the source of the spam.

...the easiest explanation of that is that your samples are the 'embedded' spam within those alleged bounced e-mails.

I stated that in my first post:

On November 29, 2006 some spammer(s) launched e-mail campaigns that look like messages sent by my domain.

I have received thousands of bounced emails in the ten days since the spamming started.

A couple of the emails contained the original email so I was able to see the spam and the link to the web sites...

... means you are "materially altering" your submittals

Are you saying that I am changing the headers? If so, how the heck would I get to the bottom of this if the information I supplied was changed... ...I wouldn't even know what to change it to.

... shows you have not read/understood the "Rules" that you 'agreed' to when you registered your

Reporting Account

You're right, I don't understand... ...that's why I came to the forum to ask for help.

Those rules include the fact that "you" are the responsible party/agent for deciding which reports go out and where they end up. If you truly can't figure out "what you are looking at" in reference to the Parser output .... see the above in regards to the probable future of your Reporting Account.

Well, I came to learn but it looks as though I won't get that chance... ...any suggestions on where I can go and ask for help in understanding what I can do in this dilemma of being domain/email spoofed?

Agree, spammers tick us all off, but ... misuse of the SpamCop.net toolset is on yet an even larger scale.

I was not trying to misuse anything... ...I read that this place was a great place from different sources... ...so I came here for help. :(

...In other words, after you have submitted the spam to the parser, navigate to the Tracking URL and click the Cancel button. We will still be able to see the information.

Thank you... ...I went and did that now.


What you can report to spamcop are emails that you declare are unsolicited that *you* have received in their *entirety* without making any changes. spamcop finds the proper abuse addresses and will also send an email for you (a spamcop report).

But, I'm trying to do a little more than that and that is why I have been trying to learn the best course of action to take.

I know that you are frustrated and want to do more, but give up trying to find a way to stop the spammer from targeting you. There is no place to find such information. Trying to find it is probably keeping you from understanding what is happening here at spamcop.

If you want to report spam and contribute to the spamcop blocklist,

If you want to learn how to read headers so that you can manually report spam (that means sending an email to an abuse desk on your own and not through spamcop),

If you want to join anti-spam fighters in other ways,

then there is information in this forum on how to do those things.

However, you must realize that you will not be 'catching' the spammers who are targeting your domain. You will be contributing to the overall fight against spammers. There are other avenues open to you that don't require reading headers or reporting spam in addition to reporting.

saw no place where I have read that "parse result pages" were live or that whatever live is is wrong. I left the original "parse result pages" available because:

QUOTE(Farelf [at] Dec 10 2006, 06:31 PM)

We would prefer a tracking URL (leading to a SC parse of a spam sample) to look at any reporting implications.

You are leaving the parse page 'live' if you neither *send* it or *cancel* it. Anyone who has access to that Tracking URL can go to the page and *send* it to any place they may want to - either as a joke or maliciously. Anyone with access to the internet has access to that page once you publish the Tracking URL. If you have sent it or cancelled it, then no one can alter it.

IIUC, what you are doing is trying to find the source of the original spam. You can use the parser to do so, but you cannot send the report because it is not 'your' spam. You will need to understand a lot more about headers and spamvertized sites before you can do anything close to effective with the information gained by a spamcop parse. And as I have stated before, most people see it as futile anyway. However, once you have learned, then you can make up your own mind.

Calm down a little, forget about stopping the spammer from using your name, and realize that you *can* educate those who are misdirecting the bounces, at least, by learning how to use the spamcop parser correctly.

Miss Betsy


<snip>

I know that you are frustrated and want to do more, but give up trying to find a way to stop the spammer from targeting you. There is no place to find such information.

<snip>

...As I understand it, that statement is a bit strong (but probably correct as to prescription -- don't bother). If you are patient and have lots and lots of time, money and/or political power, you may be able to find and stop the abuse. If you are in the US, a good place to start would be your State Attorney General (it's unlikely that you will have lost enough money to interest federal authorities in your case; that's probably true of your State's AG, as well, but you have a better chance there). He or she will probably reply with a form letter saying something like you've been the victim of a "Joe job" (as my AG did) and there's nothing that can be done, which basically means the AG hasn't the time or personnel to help. Another possible source of help is the local, regional or state lawyers association to get a reference to a lawyer who knows something about the esoterica of internet crime.

...SpamCop forum thread "BotNet scenario" has a discussion of someone who has done research above and beyond what SpamCop does.

...Good luck (but I'm not holding out much hope).


Steve, you are correct that there are ways to track down spammers. However, one needs to know a lot more about headers and other technical information to even begin to do so. And, as you point out, then you have to find a lawyer who also understands. Even abuse desk personnel often don't know as much about how email works as reporters do.

There are also ways to fight fire with fire - which is definitely not supported by the regulars here. spam fighters should not resort to abuse to fight spam. It defeats the whole purpose of netiquette on which the internet runs.

The OP needs to calm down and understand more about the technical aspect before he makes any decisions on what to do, IMHO.

Miss Betsy
