#1 |
|
Confirmed User
Industry Role:
Join Date: Nov 2001
Location: Southfield, MI
Posts: 9,813
|
What the fuck?! Someone spammed FOR me for a program I haven't launched?!
Oh my god
So I come home from lunch and open Outlook: some motherfucker spammed, disguising the from address as "[email protected]" (the x's represent random numbers), when it really didn't come from my mailservers.
Whoever it is obviously is being malicious because they spammed with this message:
"Attention Webmasters make money with us today!
http://www.sinempire.com/index2_sinbucks.html
http://www.sinempire.com/index2_sinbucks.html"
I haven't even launched SinBucks; all this is is a URL of a "Coming Soon" page on my corporate b2b website.
SO, I have 5000 returned E-mails in my Outlook and presumably more on the way.
Whoever the fuck you are, I'm going to hunt you down, and I can guarantee your goal of attempting to cause trouble for me will fail miserably.
Brad
__________________
President at MojoHost | brad at mojohost dot com | Skype MojoHostBrad 71 industry awards for hosting and professional excellence since 1999
|
|
|
|
|
|
#2 |
|
Confirmed User
Industry Role:
Join Date: Nov 2001
Location: Southfield, MI
Posts: 9,813
|
If anyone can help me nail the perpetrator with certainty I'll offer a $1000 reward.
Brad |
|
|
|
|
|
#3 |
|
Confirmed User
Join Date: Feb 2002
Location: Free Speech Land
Posts: 9,484
|
Post the headers of the message(s) if you want help finding them.
Spammer! |
|
|
|
|
|
#4 |
|
Confirmed User
Industry Role:
Join Date: Nov 2001
Location: Southfield, MI
Posts: 9,813
|
I'm getting thousands of returned emails and I *think* this is the original header:
Received: from thor.valueweb.net ([216.219.254.23]:53004 "EHLO thor.valueweb.net") by relay04.valueweb.net with ESMTP id <S139999AbSGTQ2K>; Sat, 20 Jul 2002 12:28:10 -0400 Received: from 201.190.252.64.snet.net ([64.252.190.201]:25639 "HELO regionalymca.org") by thor.valueweb.net with SMTP id <S354772AbSGTQ2F>; Sat, 20 Jul 2002 12:28:05 -0400 Received: from onemails6477.com [194.212.27.115] by regionalymca.org [127.0.0.1] with SMTP (MDaemon.v2.7.SP4.R) for <[email protected]>; Sat, 20 Jul 2002 12:23:51 -0700 From: [email protected] To: [email protected] CC: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected] Date: Sat, 20 Jul 2002 11:28:42 -0600 Subject: Make the $$ Opportunity MIME-Version: 1.0 X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-MDaemon-Deliver-To: [email protected] X-Return-Path: [email protected] Message-Id: <[email protected]> |
|
|
|
|
|
#5 |
|
Confirmed User
Join Date: Apr 2002
Location: Paradise
Posts: 1,837
|
Them scumbags ain't easy to catch, but I hope you do
|
|
|
|
|
#6 |
|
Confirmed User
Industry Role:
Join Date: Nov 2001
Location: Southfield, MI
Posts: 9,813
|
I'm working on it with Verio as we speak. I've never even done bulk E-mail.
Brad |
|
|
|
|
|
#7 |
|
we'll miss you our friend. RIP
Industry Role:
Join Date: Sep 2001
Location: Fernie, BC
Posts: 25,115
|
damn. that's really fucked up.
__________________
we'll miss you our friend. RIP |
|
|
|
|
|
#8 |
|
Confirmed User
Industry Role:
Join Date: Nov 2001
Location: Southfield, MI
Posts: 9,813
|
I mean, what the fuck... All that I can speculate is that either:
A) An underhanded hosting company is pissed at me for taking some of their business.
B) I cancel SinTalk affiliates all the time for non-performance. Recently I've cancelled a few foreign webmasters for breaking marketing rules and being non-revenue producing.
Whatever their reason, obviously someone else is jealous or hell-bent about something and has a desire to cause harm to my network.
Brad |
|
|
|
|
|
#9 |
|
Confirmed User
Join Date: Mar 2002
Location: Everett, WA
Posts: 2,201
|
don't lie, SPAMMER!
(before you get all pissy I'm j/k Brad)
|
|
|
|
|
#10 |
|
HAL 9000
Industry Role:
Join Date: May 2001
Posts: 34,515
|
64.252.190.201 is an open relay that the spammer found recently. 90% it's not an anonymous one
Static ADSL Pool - MRDNCT Rback6 (NETBLK-SBC064252190000020418)
2701 W. 15th St. PMB 236
Plano, TX 75075
US
Netname: SBC064252190000020418
Netblock: 64.252.190.0 - 64.252.191.255
Coordinator: Southwestern Bell Internet Services (ZS44-ARIN) [email protected] 888-212-5411
Contact [email protected] first of all and inform him that his mail server is abused. He might be helpful and check who used his mail server today (except me, while I was testing it two min ago hehe). There's a possibility to have been abused from 100 spammers though, which will make things harder. |
|
|
|
|
|
#11 |
|
Confirmed User
Join Date: Mar 2002
Location: Maryland
Posts: 5,228
|
damn that's weird, hope you get it worked out....or else you can go to hell spammer!
__________________
CashTheChecks.com -coming soon- "Exclusive sites for Exclusive Webmasters" ICQ-119966868,add me first don't message |
|
|
|
|
|
#12 | |
|
Confirmed User
Join Date: Feb 2002
Location: Free Speech Land
Posts: 9,484
|
Quote:
|
|
|
|
|
|
|
#13 |
|
HAL 9000
Industry Role:
Join Date: May 2001
Posts: 34,515
|
just a sec, I think I got a mistake!
|
|
|
|
|
|
#14 |
|
Confirmed User
Industry Role:
Join Date: Jun 2002
Posts: 562
|
it was I who did it, can I have the 1000 bucks now? :)
__________________
Simply the best site for Gay Porn Pictures ever |
|
|
|
|
|
#15 |
|
GFY HALL OF FAME DAMMIT!!!
Join Date: Jan 2002
Location: that 504
Posts: 60,840
|
I like the word THOR. (216.219.254.23)
CyberGate, Inc. (NETBLK-GATE-CIDR-3)
3250 W. Commercial Blvd. Suite 200
Ft. Lauderdale, FL 33309
US
Netname: GATE-CIDR-3
Netblock: 216.219.128.0 - 216.219.255.255
Maintainer: CYBG
Coordinator: Administrator, CyberGate Network (CN313-ARIN) [email protected] 954-334-8080
__________________
Want an Android App for your tube, membership, or free site? Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - |
|
|
|
|
|
#16 |
|
HAL 9000
Industry Role:
Join Date: May 2001
Posts: 34,515
|
oh it's return mail?
then it's ok, this is your IP 216.219.254.23 right? |
|
|
|
|
|
#17 |
|
Confirmed User
Join Date: Feb 2002
Location: Free Speech Land
Posts: 9,484
|
Did anyone reading this thread get the spam?
|
|
|
|
|
|
#18 |
|
Confirmed User
Industry Role:
Join Date: Nov 2001
Location: Southfield, MI
Posts: 9,813
|
that 216.219..... IP range is not mine.
Brad |
|
|
|
|
|
#19 |
|
HAL 9000
Industry Role:
Join Date: May 2001
Posts: 34,515
|
hm from the above IPs only 64.252.190.201 is an open relay
this means you can put it in your outlook as smtp server and send mail from it without having to login at all. |
|
|
|
|
|
#20 |
|
we'll miss you our friend. RIP
Industry Role:
Join Date: Sep 2001
Location: Fernie, BC
Posts: 25,115
|
wow soul, i'm going to have to contract you out the next time i want to track something down. good work :)
__________________
we'll miss you our friend. RIP |
|
|
|
|
|
#21 |
|
Confirmed User
Join Date: Mar 2002
Location: Mass Ass
Posts: 5,294
|
you paid your spammer well
|
|
|
|
|
#22 |
|
HAL 9000
Industry Role:
Join Date: May 2001
Posts: 34,515
|
the secure way to get the real ip is to mail all these people asking them to copy/paste you (not forward) the headers of the mail they received
you should see then
Return-Path: <[email protected] >
Received: from [domain] (IP)
check to whom the IP belongs and contact him, the IP is the open relay the spammer used. The admin of this relay maybe will be able to help you. I still believe it's the 64.252.190.201 but in order to be sure. Give him the money to make him search for the IP of the sender. I think it will take him long time (if there's such log file) |
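An added example, not part of any poster's message: reading the Received chain from the header posted earlier in this thread to separate the relay IP that was actually verified from what is only claimed below it. It assumes valueweb.net is the receiving side (the top two lines are stamped by its hosts); the function names are hypothetical.

```python
import re

# Received lines copied from the header posted earlier in this thread, newest
# hop first (the redacted "for <...>" clause is dropped).
RAW = '''\
Received: from thor.valueweb.net ([216.219.254.23]:53004 "EHLO thor.valueweb.net") by relay04.valueweb.net with ESMTP id <S139999AbSGTQ2K>; Sat, 20 Jul 2002 12:28:10 -0400
Received: from 201.190.252.64.snet.net ([64.252.190.201]:25639 "HELO regionalymca.org") by thor.valueweb.net with SMTP id <S354772AbSGTQ2F>; Sat, 20 Jul 2002 12:28:05 -0400
Received: from onemails6477.com [194.212.27.115] by regionalymca.org [127.0.0.1] with SMTP (MDaemon.v2.7.SP4.R); Sat, 20 Jul 2002 12:23:51 -0700
'''

HOP = re.compile(
    r'from\s+(?P<name>\S+)\s+'                        # name logged for the peer
    r'\(?\[(?P<ip>[\d.]+)\]'                          # peer IP address
    r'(?:[^)]*"(?:HELO|EHLO)\s+(?P<helo>[^"]+)"\))?'  # greeting, if logged
    r'\s+by\s+(?P<by>\S+)')                           # server that wrote the line


def parse_hops(raw):
    """Return one dict per Received line, newest hop first."""
    hops = []
    for line in raw.splitlines():
        m = HOP.search(line) if line.startswith("Received:") else None
        if m:
            hops.append(m.groupdict())
    return hops


def split_by_trust(hops, own_domain):
    """Split hops into those stamped by our own servers and the rest.

    Each server prepends its line, so reading from the top, every hop whose
    "by" host is under own_domain was written by a machine we trust. The first
    hop written elsewhere, and everything below it, is only a claim.
    """
    def ours(host):
        host = host.lower()
        return host == own_domain or host.endswith("." + own_domain)

    cut = next((i for i, h in enumerate(hops) if not ours(h["by"])), len(hops))
    return hops[:cut], hops[cut:]


def helo_mismatches(hops):
    """Hops whose HELO/EHLO greeting differs from the name logged for the peer."""
    return [h for h in hops if h["helo"] and h["helo"].lower() != h["name"].lower()]


if __name__ == "__main__":
    verified, claimed = split_by_trust(parse_hops(RAW), "valueweb.net")
    print("last verified peer:", verified[-1]["ip"])      # the relay to report
    print("unverified claims :", [h["ip"] for h in claimed])
    print("HELO mismatches   :", [(h["ip"], h["helo"]) for h in helo_mismatches(verified)])
```

The address on the bottom line was written by the relay itself, so it is a lead to confirm against the relay's own logs rather than evidence.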
|
|
|
|
|
#23 |
|
Confirmed User
Industry Role:
Join Date: Nov 2001
Location: Southfield, MI
Posts: 9,813
|
lol
Verio should hire Soul_Rebel, it sounds like he's quicker than they are.
Christ, if I did send out spam it would be counter-intuitive to promote a "coming soon" page on my business to business website. Any rational person would have put a paysite or circle jerk or something. Besides which, this obviously didn't go to a webmaster list; it looks like the general public was the recipients.
Brad |
|
|
|
|
|
#24 | |
|
HAL 9000
Industry Role:
Join Date: May 2001
Posts: 34,515
|
Quote:
thanks, it's pretty simple, but at the end it only depends on the admin of the abused server. In some cases the spammers are using their isp smtp server but this is very rare since they'll close them within a day. |
|
|
|
|
|
|
#25 | |
|
Confirmed User
Join Date: Feb 2002
Location: Free Speech Land
Posts: 9,484
|
Quote:
|
|
|
|
|
|
|
#26 |
|
Confirmed User
Industry Role:
Join Date: Nov 2001
Location: Southfield, MI
Posts: 9,813
|
Christ, it looks like I should turn my catch-all off for SinEmpire.
Here's some more shit from 'returned' mail:
-----Original Message-----
From: Mail Delivery Subsystem [mailto:MAILER-DAEMON@polaris]
Sent: Saturday, July 20, 2002 2:59 PM
To: [email protected]
Subject: Warning: could not send message for past 4 hours
**********************************************
** THIS IS A WARNING MESSAGE ONLY **
** YOU DO NOT NEED TO RESEND YOUR MESSAGE **
**********************************************
The original message was received at Sat, 20 Jul 2002 07:46:58 -0700
from kirchhoff.Stanford.EDU [171.64.162.60]
----- The following addresses had transient non-fatal errors -----
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
----- Transcript of session follows -----
451 <[email protected]>... uyccable.uucp.netcom.com: Name server timeout
451 <[email protected]>... ixks.net: Name server timeout
<[email protected]>... Deferred: Connection refused by memphispharaohs.com.
<[email protected]>... Deferred: Connection refused by mailer.tightrope.it.
<[email protected]>... Deferred: Operation timed out with mx.pld.net.
... while talking to chaos.access-one.com.:
<<< 550 This system is configured to reject mail from 64.169.97.36 [64.169.97.36] (Host blacklisted - Found on Realtime Black List server 'relays.ordb.org')
... while talking to apollo.access-one.com.:
>>> QUIT
<<< 550 This system is configured to reject mail from 64.169.97.36 [64.169.97.36] (Host blacklisted - Found on Realtime Black List server 'relays.ordb.org')
<[email protected]>... Deferred: Connection reset by apollo.access-one.com.
... while talking to mxpool01.netaddress.usa.net.:
>>> QUIT
<<< 550 Mail from 64.169.97.36 refused. Please refer to http://mail-abuse.org/rss for an explanation.
<[email protected]>... Deferred: Invalid argument
<[email protected]>... Deferred: Connection refused by gateway1.delphi.com.
Warning: message still undelivered after 4 hours
Will keep trying until message is 5 days old |
|
|
|
|
|
#27 |
|
HAL 9000
Industry Role:
Join Date: May 2001
Posts: 34,515
|
hehe Sin it seems you have an evil enemy!
|
|
|
|
|
|
#28 |
|
Confirmed User
Industry Role:
Join Date: Nov 2001
Location: Southfield, MI
Posts: 9,813
|
I have two cats but I think they were upstairs looking out the window when this all happened... but I can interrogate them to see if they're the culprits.
|
|
|
|
|
|
#29 | |
|
Confirmed User
Industry Role:
Join Date: Nov 2001
Location: Southfield, MI
Posts: 9,813
|
Quote:
![]() |
|
|
|
|
|
|
#30 |
|
HAL 9000
Industry Role:
Join Date: May 2001
Posts: 34,515
|
<<< 550 This system is configured to reject mail from 64.169.97.36 [64.169.97.36] (Host blacklisted - Found on Realtime Black List server 'relays.ordb.org')
... while talking to apollo.access-one.com.:
>>> QUIT
<<< 550 This system is configured to reject mail from 64.169.97.36 [64.169.97.36] (Host blacklisted - Found on Realtime Black List server 'relays.ordb.org')
the guy is using more than one open relay, so it's a pro spammer. This time the server checked the new relay (64.169.97.36) against a live blacklist located at relays.ordb.org
The bad news....probably he's sending A LOT of mails |
|
|
|
|
|
#31 |
|
Confirmed User
Join Date: Feb 2002
Location: Free Speech Land
Posts: 9,484
|
Wasn't there a GFY user who was busted for doing this before? Spamming for people to get them in trouble? I don't remember the details, but I seem to remember that someone did this to some other GFY member(s) some time ago.
|
|
|
|
|
|
#32 |
|
HAL 9000
Industry Role:
Join Date: May 2001
Posts: 34,515
|
contact your hosting co telling them what's going on because they might receive some urgent calls about it. Also if he sends a lot of mails your IP block will end up at the idiots that run spamhaus.org. They collect all the IPs and add them in to a huge list that they share in real time with ISPs and admins. In some cases (very serious ones) your IP can be blocked at major IPs which means the surfers won't be able to access your site. But I think this scenario is not so possible at the moment.
|
|
|
|
|
|
#33 |
|
GFY HALL OF FAME DAMMIT!!!
Join Date: Jan 2002
Location: that 504
Posts: 60,840
|
Yeah someone was spamming under people's affiliate codes to get them in trouble... and his name was.....
|
|
|
|
|
#34 |
|
GFY HALL OF FAME DAMMIT!!!
Join Date: Jan 2002
Location: that 504
Posts: 60,840
|
<img src=http://69khz.com/images/sexymail.jpg>
Me and Sexymail are cool now though, he uses other people's names now. Hope you nail the fucker to the cross Brad. If you need any numbers tracked secretively hit me up on icq.
|
|
|
|
|
#35 |
|
Confirmed User
Industry Role:
Join Date: Nov 2001
Location: Southfield, MI
Posts: 9,813
|
The unfortunate thing is that presuming this happened through a relay even though that relay will surely be shut down the guy that exploited it will almost certainly never be caught.
Fortunately with Verio I've got their premier group for support and their security guys are working on it. I don't know what they'll come up with but they'll obviously know by looking at all of the evidence that none of this spam came from any of my networks despite the fact that the spam tries to implicate that my sinempire.com is both the sender and beneficiary of such 'traffic'.
What I wonder about is how thorough some of the anti-spam consortiums are when they do their research to block networks and IP addresses.
Argh.. I'm certain that the perp is either someone here on the GFY community that doesn't like me OR a foreign affiliate that I cancelled in one of my programs. It would defy logic that this is a random incident - it's clearly malicious but obviously ill-conceived since they didn't even pick a 'commerce' page to send the traffic to and the English in the spam wasn't very good.
I've cancelled a few foreign affiliates for spamming their SinTalk lines and it's possible one of them was pissed off enough to do this - I guess I'll just have to wonder. I had this Chinese or Korean affiliate that I cancelled last week who was claiming he had 500k daily visitors... well, I looked at his shit-ass website and it didn't add up.... Who knows.
Anyways, it's Saturday... so I'm off to a b'day party to hopefully have some fun - Ciao!
Thanks for everyone's help and support - if I get more info I'll share it.
Brad
|
|
|
|
|
|
#36 |
|
Confirmed User
Join Date: Jul 2002
Location: ~ C A N A D A ~
Posts: 2,123
|
Since the url in the spam is taking surfers to a "coming soon page" - you could replace that page with a page explaining someone was sending e-mails on your behalf.
That way people are less likely to complain because they understand it wasn't you.
|
|
|