
How to submit spam bounced back to me.


Quantumcat


Someone used my domain name to send out untold numbers of spam mail. All I am seeing of it is 1200+ bounced back emails for "failure notice, undeliverable, etc." I contacted the ISP for my website since they run the mail servers, etc., but all I got was a reply from an "outsourced" tech whose English was a second language. All I got from his email was there was nothing they could do about it and a link to spamcop.net.

Many of the bounced back emails contained a copy of the original spam in a .eml format. I am unable to figure out how to get that file into the spamcop system. From what I can tell the original offender IP is 87.8.184.59. I didn't want to submit the spam wrong and get my own domain on a ban list. :o

Here is a sample of the Received: lines from one of the attachments.

Received: (qmail 6787 invoked from network); 8 Jan 2008 20:44:50 +0100
Received: from host59-184-dynamic.8-87-r.retail.telecomitalia.it (HELO host22-253-dynamic.8-87-r.retail.telecomitalia.it) (87.8.184.59)
  by bcl00442.empresas.ya.com with SMTP; 8 Jan 2008 20:44:48 +0100
Received: from sempron3000 ([195.198.41.27]:6032 "EHLO sempron3000"
  smtp-auth: <none> TLS-CIPHER: <none> TLS-PEER-CN1: <none>)
  by host22-253-dynamic.8-87-r.retail.telecomitalia.it with ESMTP id S22YSSKCMCJQNWJT (ORCPT
  <rfc822;antiquingrecreation%granitosdelval.com[at]mail.granitosdelval.com>);
  Tue, 8 Jan 2008 20:45:26 +0100

And a second:

Received: from host22-253-dynamic.8-87-r.retail.telecomitalia.it (localhost [127.0.0.1])
  by barracuda2.g-o.be (spam Firewall) with ESMTP id 75D70AE40C0
  for <annie.ict[at]rago.be>; Tue, 8 Jan 2008 20:42:44 +0100 (CET)
Received: from host22-253-dynamic.8-87-r.retail.telecomitalia.it (host59-184-dynamic.8-87-r.retail.telecomitalia.it [87.8.184.59]) by barracuda2.g-o.be with ESMTP id q8UoHvPbTLXoLKMo for <annie.ict[at]rago.be>; Tue, 08 Jan 2008 20:42:44 +0100 (CET)
Received: from sempron3000 ([193.160.150.198] helo=sempron3000)
  by host22-253-dynamic.8-87-r.retail.telecomitalia.it ( sendmail 8.13.3/8.13.1) with esmtpa id 1BckVW-000GWV-Zi
  for annie.ict[at]rago.be; Tue, 8 Jan 2008 20:43:27 +0100

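An added example, not part of the thread: one way to pull the attached copy of the spam out of a bounce and read its Received: lines newest-first, separating the IP that the bouncing organisation's own server logged from the lower entries that the sending host wrote itself. It assumes the bounce carries the spam as a message/rfc822 (.eml) attachment and that the topmost receiving server is not under the sender's control; the bounce wrapper, its addresses, and the names `embedded_original` and `trace` are constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed bounce: the wrapper is invented; the attached Received: lines are the first sample above.
BOUNCE = b"""\
From: MAILER-DAEMON@example.net
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Delivery failed; original message attached.
--b1
Content-Type: message/rfc822

Received: (qmail 6787 invoked from network); 8 Jan 2008 20:44:50 +0100
Received: from host59-184-dynamic.8-87-r.retail.telecomitalia.it (HELO host22-253-dynamic.8-87-r.retail.telecomitalia.it) (87.8.184.59)
  by bcl00442.empresas.ya.com with SMTP; 8 Jan 2008 20:44:48 +0100
Received: from sempron3000 ([195.198.41.27]:6032 "EHLO sempron3000"
  smtp-auth: <none> TLS-CIPHER: <none> TLS-PEER-CN1: <none>)
  by host22-253-dynamic.8-87-r.retail.telecomitalia.it with ESMTP id S22YSSKCMCJQNWJT (ORCPT
  <rfc822;antiquingrecreation%granitosdelval.com[at]mail.granitosdelval.com>);
  Tue, 8 Jan 2008 20:45:26 +0100
From: <forged@example.org>

(spam body)
--b1--
"""
IP_LITERAL = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")  # (a.b.c.d) or [a.b.c.d]

def embedded_original(bounce_bytes):
    """Return the message/rfc822 attachment (the .eml copy of the spam), or None."""
    for part in email.message_from_bytes(bounce_bytes).walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)

def trace(original):
    """Return (handoff_ip, unverified_ips); entries below the handoff may be forged."""
    public = []
    for received in original.get_all("Received", []):  # newest hop first
        for literal in IP_LITERAL.findall(received):
            try:
                ip = ipaddress.ip_address(literal)
            except ValueError:
                continue  # not a valid address, e.g. an octet above 255
            if ip.is_global and str(ip) not in public:  # skips loopback/private hops
                public.append(str(ip))
    return (public[0], public[1:]) if public else (None, [])
```

On both header samples in the post this gives 87.8.184.59 as the handoff address, with the `sempron3000` addresses left as unverified.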

  • 5 weeks later...
... how they got back to me is a mystery.

Yep, me too! The only answer I have come up with is that it is just another way to get the spam past the filters. I got the clue from a bounce addressed to LKing[at]POP.ISPname.com. Now that is an address that is never used (by me) but appears to be on some spam list.

I don't think that you can see BCC either - many spammers have all the email addresses in the BCC.

Help me not get confused. There are two headers here 1) the spam header:

Subject: February 78% OFF

From: <x>

and 2) the bounce header:

Subject: Undelivered Mail Returned to Sender

To: x

A poorly managed mail app will bounce email to the forged From: <x>, bouncing it To: x.

All those x's are SpamCop's effort to hide the reporter's address.

Some of the bounces I have seen are different than this example, more like:

original spam

Subject: February 78% OFF

From: <some address ww[at]yy.de>

with a bounce header:

Subject: Undelivered Mail Returned to Sender

To: x

Hopefully no one has configured a server to bounce to an addy in the BCC list! (Is that what you meant Miss B?)


I looked at 'View Entire Message' and the To and From had <x> for the name. I don't know if that's where your email address was.
...VERY likely, in my experience.
I don't think that you can see BCC either - many spammers have all the email addresses in the BCC.
...That is my understanding of how much of the spam gets to its victims.

...VERY likely, in my experience....That is my understanding of how much of the spam gets to its victims.

Yes, but even with a Bcc: the path to the recipient is reflected in the "Received:". I don't see that here.

Archived

This topic is now archived and is closed to further replies.
