Tracking where spam is coming from with my email forged as the sender

[AmeliaG]

Someone has been sending mass spam from all of my addresses and just the returned bad addresses are driving me crazy, not to mention that I don't want people thinking I'm doing it. The following is the source from it. Can anyone here tell me where it is coming from please?

Thanks, Amelia G


Return-Path: <>
Delivered-To: [email protected]
Received: (qmail 876 invoked by uid 90); 31 Mar 2003 01:50:17 -0000
Delivered-To: [email protected]
Received: (qmail 871 invoked from network); 31 Mar 2003 01:50:17 -0000
Received: from unknown (HELO omr-m04.mx.aol.com) (64.12.138.5)
by mail.4ph.com with SMTP; 31 Mar 2003 01:50:17 -0000
Received: from str-m01.mail.aol.com (str-m01.mail.aol.com [172.21.28.97]) by omr-m04.mx.aol.com (v90_r2.6) with ESMTP id RELAYIN6-0330205746; Sun, 30 Mar 2003 20:57:46 1900
Received: from localhost (localhost)
by str-m01.mail.aol.com (8.8.8/8.8.8/AOL-5.0.0)
with internal id UAA09760;
Sun, 30 Mar 2003 20:57:46 -0500 (EST)
Date: Sun, 30 Mar 2003 20:57:46 -0500 (EST)
From: Mail Delivery Subsystem <[email protected]>
Message-Id: <[email protected]>
To: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="UAA09760.1049075866/str-m01.mail.aol.com"
Subject: Returned mail: User unknown
Auto-Submitted: auto-generated (failure)
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: 1049075417.878.gold.4ph.com

This is a MIME-encapsulated message

--UAA09760.1049075866/str-m01.mail.aol.com

The original message was received at Sun, 30 Mar 2003 20:29:43 -0500 (EST)
from rly-xb04.mail.aol.com [172.20.105.105]


*** ATTENTION ***

Your e-mail is being returned to you because there was a problem with its
delivery. The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal errors -----".

The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".

The line beginning with "<<<" describes the specific reason your e-mail could
not be delivered. The next line contains a second error message which is a
general translation for other e-mail servers.

Please direct further questions regarding this message to your e-mail
administrator.

--AOL Postmaster



----- The following addresses had permanent fatal errors -----
<[email protected]>

----- Transcript of session follows -----
... while talking to air-xb02.mail.aol.com.:
>>> RCPT To:<[email protected]>
<<< 550 MAILBOX NOT FOUND
550 <[email protected]>... User unknown

--UAA09760.1049075866/str-m01.mail.aol.com
Content-Type: message/delivery-status

Reporting-MTA: dns; str-m01.mail.aol.com
Arrival-Date: Sun, 30 Mar 2003 20:29:43 -0500 (EST)

Final-Recipient: RFC822; [email protected]
Action: failed
Status: 5.1.1
Remote-MTA: DNS; air-xb02.mail.aol.com
Diagnostic-Code: SMTP; 550 MAILBOX NOT FOUND
Last-Attempt-Date: Sun, 30 Mar 2003 20:57:46 -0500 (EST)

--UAA09760.1049075866/str-m01.mail.aol.com
Content-Type: message/rfc822

Received: from rly-xb04.mx.aol.com (rly-xb04.mail.aol.com [172.20.105.105]) by str-m01.mail.aol.com (v92.16) with ESMTP id RELAYIN5-63e879a073a6; Sun, 30 Mar 2003 20:29:43 -0500
Received: from 219.145.221.115 ([61.166.65.195]) by rly-xb04.mx.aol.com (v92.16) with ESMTP id MAILRELAYINXB41-a13e8799f338d; Sun, 30 Mar 2003 20:29:27 -0500
Received: from [63.85.85.236] by smtp-server6.tampabay.rr.com with SMTP; Mar, 30 2003 7:01:12 PM +0300
Received: from anther.webhostingtalk.com ([88.58.121.118]) by da001d2020.lax-ca.osd.concentric.net with QMQP; Mar, 30 2003 6:03:06 PM +0700
From: fkyrjerkalert <[email protected]>
To: [email protected]
Subject: This thing is so cool! rtael
Sender: fkyrjerkalert <[email protected]>
Mime-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Date: Sun, 30 Mar 2003 20:29:22 -0500
X-Mailer: Microsoft Outlook Express 5.00.2615.200
Message-ID: <[email protected]>

<body bgcolor="#000000" text="#FFFFFF">
<p align="center"><a href="http://www.digitalpowerfilter.com">
<img border="0" src="http://www.digitalpowerfilter.com/images/4.gif"></a></p>
<p align="center">&nbsp;</p>
<p align="center">&nbsp;</p>
<p align="center">&nbsp;</p>
<p align="center">&nbsp;</p>
<p align="center">To be removed reply to: <a href="mailto:[email protected]">
[email protected]</a></p>
</body>
dcmr

yifnqgamyyvskgkwvqagleflplnn

--UAA09760.1049075866/str-m01.mail.aol.com--

[Juicy D. Links]

Show me your tits

[fnet]

http://www.counterpane.com/crypto-gram-0010.html#1

Do all of these say "Outlook Express" in the mail header?

[AmeliaG]

Quote:

Originally posted by juicylinks
Show me your tits

Hmm, in Los Angeles, if you ask for something, it means you must have the info I'm looking for . . .

[fnet]

Quote:

Originally posted by AmeliaG


Hmm, in Los Angeles, if you ask for something, it means you must have the info I'm looking for . . .

So, if I explain this, I get to see something?

[LadyMischief]

Are you running any formmail? Hackers can use you to spam with it if they know that they're doing.

[Mr.Teen]

<EMBED src="http://www.thetipsysheep.com/spam-song.wav" autostart=true loop=false volume=100 hidden=false>

[AmeliaG]

Quote:

Originally posted by LadyMischief
Are you running any formmail? Hackers can use you to spam with it if they know that they're doing.

I assumed they were just using my return address, but we do send newsletters from one of the domains this is being done to. Would that qualify as formmail or would that be like an autoresponse when someone joins a topsites?

Thanks!

--Amelia

[PornBroker]

Happened to us in February. Ukraine spammer sending out CP used one of our domains as the sender. Had to deal with 50,000 returns per day...we had to shut the domain email down.

[BritishTwinks]

That was happening to me yesterday - same spam ad for Cable TV. I think it's something to do with formmail on your server.

[fnet]

Quote:

Originally posted by AmeliaG



I assumed they were just using my return address, but we do send newsletters from one of the domains this is being done to. Would that qualify as formmail or would that be like an autoresponse when someone joins a topsites?

Thanks!

--Amelia

X-Mailer: Microsoft Outlook Express 5.00.2615.200

This is not a form -> cgi -> sendmail thing.

Looks like a Klez type worm to me.

[fiveyes]

Your problem is that someone is doing mass e-mailing through open e-mail relays using forged headers that point back to your domains. The use of open e-mail relays means the person originating the mailing is next to impossible to track, so forget about trying to cut off the source.

The only solution that I know of is to rewrite which User Names you will accept e-mail for at your virtual domain. You are most likely receiving all bouncebacks from the bad e-mail addresses in the list. This would be because you are using a wild card pattern in your e-mail recipe.

What is needed- figure out exactly what User Names are required for your web site's operation and limit yourself to only those, throwing everything else into the bit bucket. Contact your tech admin for your web site, explain the problem and they'll implement the required changes (which will vary according to the web server, the interface available to implement changes to the server and whether the mail is being relayed on to another account or is being accessed directly at the site).

[AmeliaG]

Quote:

Originally posted by fnet


X-Mailer: Microsoft Outlook Express 5.00.2615.200

This is not a form -> cgi -> sendmail thing.

Looks like a Klez type worm to me.

It is the same spam being sent from pretty much all of my domains that people know I have. I don't use Outlook and the mails are not random; they are all the same spam. I think that means it can't be a klez thing, but I'm not really sure.

[fnet]

Quote:

Originally posted by fiveyes
Your problem is that someone is doing mass e-mailing through open e-mail relays using forged headers that point back to your domains. The use of open e-mail relays means the person originating the mailing is next to impossible to track, so forget about trying to cut off the source.

The only solution that I know of is to rewrite which User Names you will accept e-mail for at your virtual domain. You are most likely receiving all bouncebacks from the bad e-mail addresses in the list. This would be because you are using a wild card pattern in your e-mail recipe.

What is needed- figure out exactly what User Names are required for your web site's operation and limit yourself to only those, throwing everything else into the bit bucket. Contact your tech admin for your web site, explain the problem and they'll implement the required changes (which will vary according to the web server, the interface available to implement changes to the server and whether the mail is being relayed on to another account or is being accessed directly at the site).

Yeah, spam. I didn't even think about the fact that these are all 550 errors. The outlook mail thing still seems weird.

What about contacting the open mail relay owners? Aren't they accessories?

Wouldn't writing a mail filter that looks for a string work just as well as the restrictions you mentioned?

[AmeliaG]

Quote:

Originally posted by fiveyes
Your problem is that someone is doing mass e-mailing through open e-mail relays using forged headers that point back to your domains. The use of open e-mail relays means the person originating the mailing is next to impossible to track, so forget about trying to cut off the source.

The only solution that I know of is to rewrite which User Names you will accept e-mail for at your virtual domain. You are most likely receiving all bouncebacks from the bad e-mail addresses in the list. This would be because you are using a wild card pattern in your e-mail recipe.

What is needed- figure out exactly what User Names are required for your web site's operation and limit yourself to only those, throwing everything else into the bit bucket. Contact your tech admin for your web site, explain the problem and they'll implement the required changes (which will vary according to the web server, the interface available to implement changes to the server and whether the mail is being relayed on to another account or is being accessed directly at the site).

Actually, I have had people do the [email protected] thing before, but this time it is bouncing back to all of our primary emails including my personal email, my customer service emails etc.

If this were standard spam, it would be surprising if they were not coming up with random email addresses. Because the addresses are not random, I kinda think it is someone who is trying to make me look like a spammer and trying to get my actual business addresses blocked and trying to crash my actual mailboxes with bad returns.

[AmeliaG]

Quote:

Originally posted by fnet


Yeah, spam. I didn't even think about the fact that these are all 550 errors. The outlook mail thing still seems weird.

What about contacting the open mail relay owners? Aren't they accessories?

Wouldn't writing a mail filter that looks for a string work just as well as the restrictions you mentioned?

The affiliate code for the spam appears to be dead, but it keeps coming, so I don't think they are trying to get paid on it. Is there a string one could pick which was not dependent on what the spam was?

[AmeliaG]

Quote:

Originally posted by AmeliaG


The affiliate code for the spam appears to be dead, but it keeps coming, so I don't think they are trying to get paid on it. Is there a string one could pick which was not dependent on what the spam was?

Oh wait, you mean like a string to send it to the trash. I'm concerned about people thinking Blue Blood is trying to sell this crap.

[fnet]

Quote:

Originally posted by AmeliaG

It is the same spam being sent from pretty much all of my domains that people know I have. I don't use Outlook and the mails are not random; they are all the same spam. I think that means it can't be a klez thing, but I'm not really sure.

Klez worm just uses the address list in Outlook Explorer to send the same spam & headers- for each new Outlook mailbox it hits, it scoops a new address list. It's distributed- each M$ user becomes a mailer.
<pre>
Start Here
\
\
<------@---------->
/\ ^ #
/ \ \ /
/ \ \/
@-----------@------>
/ \ / \
/ \ / \
/ \ #
@ \
/\ \
/ \
/ \

where @ = people with outlook 5.00x
</pre>

[Gemini]

https://www.paypal.com/cgi-bin/webscr
Get ahold of paypal and send them an inline forward and make sure you show the above link in your message to them... They will can his processing for spam...
*****************************************
Unless you deleted his affiliate code from your post, this guy looks to be working on his own for his own product. Best bet in any case is to deal with paypal, they might even give you his name etc., being that this could be construed as a criminal offense in some cases.
------------------------------------------------
His nameserver domain is a bogus setup and is the same as his temp cookie, simply with the word 'yo' on it
------------------------------------------------
You might want to email tucows to see if they will respond as well.
------------------------------------------------
Obviously it's his own domain digitalpowerfilter.com
------------------------------------------------
OR call his butt up and ask him he's fixed for lawyers fees.
----------------------------------------------
Registrant:
INDIVIDUAL
405 NORTH HEMING AVE
N/A
SARASOTA, FL 34237
US

Domain name: DIGITALPOWERFILTER.COM

Administrative Contact:
WILLIAMS, LEE [email protected]
405 NORTH HEMING AVE
N/A
SARASOTA, FL 34237
US
941-228-1801
Technical Contact:
WILLIAMS, LEE [email protected]
405 NORTH HEMING AVE
N/A
SARASOTA, FL 34237
US
941-228-1801


Registration Service Provider:
Domain Name Systems as low as $10 domain name registrations
http://www.domainnamesystems.com
This company may be contacted for domain login/passwords, DNS/Nameserver changes,
and general domain support questions.


Registrar of Record: TUCOWS, INC.
Record last updated on 13-Mar-2003.
Record expires on 26-Dec-2003.
Record Created on 26-Dec-2002.

Domain servers in listed order:
NS1.WEBMASTERDOMAINS.BIZ
NS2.WEBMASTERDOMAINS.BIZ
-----------------------------------------

[AmeliaG]

Well, the phone number was a Verizon cell refusing incoming calls, but I just filed a paypal spam complaint and pointed out that the guy is illegally spamming while illegally impersonating another person and business in order to illegally sell illegal products. Sheesh.

Thanks for all the help!

[AmeliaG]

Hey, that you all for the helpful advice. Looks like the first spam domain got shut down, but now I am getting another spam with my emails as the return address. It is looking more and more like a specific person or people with knowledge of me are doing this because all the different email addresses being used are used in pretty different places, but someone somewhat aware of me could find them all. Someone just using a bot on the net would not have this set however.


Return-Path: <>
Delivered-To: [email protected]
Received: (qmail 58268 invoked from network); 2 Apr 2003 09:49:45 -0000
Received: from unknown (HELO omr-d03.mx.aol.com) (205.188.159.1)
by mail.4ph.com with SMTP; 2 Apr 2003 09:49:45 -0000
Received: from str-d03.mail.aol.com (str-d03.mail.aol.com [172.18.149.3]) by omr-d03.mx.aol.com (v90_r2.6) with ESMTP id RELAYIN8-0402045723; Wed, 02 Apr 2003 04:57:23 -0500
Received: from localhost (localhost)
by str-d03.mail.aol.com (8.8.8/8.8.8/AOL-5.0.0)
with internal id EAJ06675;
Wed, 2 Apr 2003 04:57:22 -0500 (EST)
Date: Wed, 2 Apr 2003 04:57:22 -0500 (EST)
From: Mail Delivery Subsystem <[email protected]>
Message-Id: <[email protected]>
To: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="EAJ06675.1049277442/str-d03.mail.aol.com"
Subject: Returned mail: User unknown
Auto-Submitted: auto-generated (failure)
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: 1049276985.58276.gold.4ph.com

This is a MIME-encapsulated message

--EAJ06675.1049277442/str-d03.mail.aol.com

The original message was received at Wed, 2 Apr 2003 04:54:52 -0500 (EST)
from rly-zd02.mail.aol.com [172.31.33.226]


*** ATTENTION ***

Your e-mail is being returned to you because there was a problem with its
delivery. The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal errors -----".

The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".

The line beginning with "<<<" describes the specific reason your e-mail could
not be delivered. The next line contains a second error message which is a
general translation for other e-mail servers.

Please direct further questions regarding this message to your e-mail
administrator.

--AOL Postmaster



----- The following addresses had permanent fatal errors -----
<[email protected]>

----- Transcript of session follows -----
... while talking to air-yc04.mail.aol.com.:
>>> RCPT To:<[email protected]>
<<< 550 MAILBOX NOT FOUND
550 <[email protected]>... User unknown

--EAJ06675.1049277442/str-d03.mail.aol.com
Content-Type: message/delivery-status

Reporting-MTA: dns; str-d03.mail.aol.com
Arrival-Date: Wed, 2 Apr 2003 04:54:52 -0500 (EST)

Final-Recipient: RFC822; [email protected]
Action: failed
Status: 2.0.0
Remote-MTA: DNS; air-yc04.mail.aol.com
Diagnostic-Code: SMTP; 250 OK
Last-Attempt-Date: Wed, 2 Apr 2003 04:57:22 -0500 (EST)

--EAJ06675.1049277442/str-d03.mail.aol.com
Content-Type: message/rfc822

Received: from rly-zd02.mx.aol.com (rly-zd02.mail.aol.com [172.31.33.226]) by str-d03.mail.aol.com (v92.16) with ESMTP id RELAYIN8-93e8ab36ca6; Wed, 02 Apr 2003 04:54:52 -0500
Received: from 64.12.137.152 (evrtwa1-ar2-4-62-021-010.evrtwa1.dsl-verizon.net [4.62.21.10]) by rly-zd02.mx.aol.com (v92.16) with ESMTP id MAILRELAYINZD25-39d3e8ab33f1f7; Wed, 02 Apr 2003 04:54:26 -0500
Received: from [215.115.79.144] by 64.12.137.152 with ESMTP id RCRQAL; Wed, 02 Apr 03 04:36:17 +0400
Received: from [139.5.103.254] by 215.115.79.144 with ESMTP id VMBAEJ; Wed, 02 Apr 03 04:26:17 +0400
From: "Noreen Ball" <[email protected]>
Message-ID: <[email protected]>
To: [email protected]
Date: Wed, 02 Apr 03 04:26:17 GMT
X-Priority: 3
X-MSMail-Priority: Normal
Subject: Over 100,000 satisfied clients.... yPM
X-Mailer: eGroups Message Poster
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=TMSVGNPXQGBYTKVYIFIEU

This is a multi-part message in MIME format.

--TMSVGNPXQGBYTKVYIFIEU
Content-Type: text/html
Content-Transfer-Encoding: 7Bit

hahahahahaha>
<p align="center"><b>################################ ###############<br>
<br>
How to Increase Your <u>Penis Size</u> and <u>Self Esteem</u><br>
<br>
###############################################</b><br>
<br>
<font size="4">100% All Natural System That Really Will Enlarge Your
Penis!</font><br>
<br>
<a href="http://www.herbalpills.net/optin01/?WM_ID=7190"><font
size="5">Click
Here To Increase Your Penis Size Naturally</font></a></p>
<p align="center"><b>- - - - - - - - - - - - - - - - - - - - - - -<br>
<br>
LETS LOOK AT SOME FACTS:<br>
<br>
1. Most men who have troubles or difficulty with sexual performance,<br>
specifically loss of erection firmness, won't speak openly to their<br>
wives..girlfriends..etc..let alone their primary care doctor.<br>
<br>
2. The average penis size is 5.5&quot; according to the Kinsey study.<br>
<br>
3. 90% of men are unhappy with their current penis size and ability.<br>
<br>
4. Most men are interested in enlarging their penis.<br>
<br>
5. Most men currently believe the only way to &quot;really&quot; develop
a<br>
larger penis is through surgery.<br>
<br>
<a href="http://www.herbalpills.net/optin01/?WM_ID=7190"><font
size="5">Order
Today &amp; Get 25% Off Per Bottle</font></a></b></p>
<p align="center"><b>- - - - - - - - - - - - - - - - - - - - - -<br>
<br>
New Break-Through:<br>
<br>
DHG is the worlds most effective Male Enlargement Program, which<br>
is Doctor recommended, professionally formulated and made from the<br>
purest 100% natural botanicals.<br>
<br>
What makes our product unique is our natural ingredients that have been<br>
successfully tested for over 20 years. One of our potent DHG Penis<br>
Enlargement pills a day is all you need to increase your Penis Size<br>
Naturally.<br>
<br>
- - - - - - - - - - - - - - - - - - - - - <br>
<br>
BENEFITS OF THIS PRODUCT:<br>
<br>
- Increase the length of your penis by 1 to 4 full inches<br>
- Make your penis thicker, longer and harder<br>
- Boost your confidence level &amp; self-esteem<br>
- Don't have to make an embarrassing doctor visit<br>
- Satisfy your lover like never before<br>
<br>
- - - - - - - - - - - - - - - - - - - - -<br>
<br>
SATISFIED CUSTOMERS:<br>
<br>
- &quot;I've been using your product for 2 months now. I've increased
my<br>
length from 4&quot; to nearly 7&quot; . Your product has helped me give
a<br>
little extra to the love of my life.&quot;<br>
W.B., Washington D.C.<br>
<br>
- &quot;I was amazed at how effective it was at increasing length and
girth<br>
from 5&quot; to 6.5&quot; in just three weeks!!! Feel free to use this
letter<br>
in your future advertisements.&quot;<br>
V.W., Illinois<br>
<br>
- &quot;My girlfriend loves the results, but she doesn't know what I
do.<br>
She thinks it's natural!&quot;<br>
T.M., Oklahoma<br>
<br>
- - - - - - - - - - - - - - - - - - - - - -<br>
<br>
<a href="http://www.herbalpills.net/optin01/?WM_ID=7190"><font
size="5">Click
Here to Increase Your Penis Size Naturally</font></a></b></p>
<p align="center"><font size="5"><b>
<a href="http://www2.dailyherbals.com/optin02/?WM_ID=7190">Click Here to
Order
Viagra Discreetly!</a></b></font></p>

</body>

</html>

qSFbLNFZG
--TMSVGNPXQGBYTKVYIFIEU--


--EAJ06675.1049277442/str-d03.mail.aol.com--

[matty]

Its send-safe, show me your tits.

[AmeliaG]

Quote:

Originally posted by matty
Its send-safe, show me your tits.

What is send-safe and how can I track down the responsible party? Thanks, Amelia

[AmeliaG]