GoFuckYourself.com - Adult Webmaster Forum


Darren 05-13-2002 06:56 AM

HAS THIS ever happened to YOU!??!?!
 
Ok, someone is sending spam as if it was from my e-mail address, and I am then getting all the "This message could not be delivered" messages.

The spam seems to have been set up as if to take the site down because it includes my name and address in the spam. Plus blatant linking to affiliate IDs, my site and my e-mail address are on the spam. Something only an "incredibly stupid" spammer would do.

The e-mails, from what I can see, have been sent to MSN, AOL, YAHOO, NTL e-mail addresses. Is there any way to track down who is doing this and why? And any way to prevent it?

My host has already contacted me regarding this issue and I have e-mailed all my affiliates to tell them that "spam will not be tolerated etc" (it's already in terms and conditions).

Any help appreciated.

Thank you

headly669 05-13-2002 06:58 AM

someone doesn't like u

ldinternet 05-13-2002 07:01 AM

post an example message with full headers.

Darren 05-13-2002 07:08 AM

ldinternet - ok let's see if you actually help :)

This is an example returned e-mail, the affiliates ID being used changes frequently:

Hi. This is the qmail-send program at cnmnetwork.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<[email protected]>:
*** NOT ACTIVE
User [email protected] does not exist

--- Below this line is a copy of the message.

Return-Path: <[email protected]>
Received: (qmail 27134 invoked from network); 12 May 2002 07:14:51 -0700
Received: from ns.ipg.sk (62.168.116.86)
by s3-c2.cnmnetwork.com with SMTP; 12 May 2002 07:14:51 -0700
Received: (qmail 19114 invoked by alias); 12 May 2002 14:15:02 -0000
Delivered-To: [email protected]
Received: (qmail 19026 invoked from network); 12 May 2002 14:15:00 -0000
Received: from unknown (HELO 211.185.20.169) ([email protected])
by ns.ipg.sk with SMTP; 12 May 2002 14:15:00 -0000
Received: from [49.164.250.3] by rly-xw01.mx.aol.com with SMTP; May, 12 2002 3:50:43 AM +0600
Received: from [24.118.23.60] by n9.groups.yahoo.com with SMTP; May, 12 2002 2:51:32 AM +0600
Received: from 152.74.145.157 ([152.74.145.157]) by hd.regsoft.net with esmtp; May, 12 2002 2:07:44 AM -0300
From: LORE <[email protected]>
To: Undisclosed Recipients
Cc: [email protected]
Subject: Make your COCK 9 INCHES!! aanp
Sender: LORE <[email protected]>
Mime-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Date: Sun, 12 May 2002 04:16:00 -0700
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

<HTML></P><P ALIGN=CENTER><FONT BACK="#ffffff" style="BACKGROUND-COLOR: #ffffff" SIZE=5 PTSIZE=14><B>Make It longer today!<BR>
</FONT><FONT COLOR="#000000" BACK="#ffffff" style="BACKGROUND-COLOR: #ffffff" SIZE=3 PTSIZE=11 FAMILY="SANSSERIF" FACE="Arial" LANG="0"></B>All natural p e n i s enlargment. <BR>
100% doctor aproved method <BR>
</FONT><FONT COLOR="#0000ff" BACK="#ffffff" style="BACKGROUND-COLOR: #ffffff" SIZE=5 PTSIZE=14 FAMILY="SANSSERIF" FACE="Arial" LANG="0"><A HREF="http://www.hugeandhealthy.net/join.htm">Click Here Now</A></P></FONT></HTML>
Backup Url
http://www.penis-health.com/

If you want to signup directly please do so here

https://www.globill-signup.com/cgi-b...8268=16654p &

If you want to pay be check mail
Darren Beale
*********** (address blanked out for GFY)

To be removed from this opt-in mailing email [email protected]


http://%31%30%31%31%30%31%31%31%30%3...2E%63%6F%6D%2F

rcedjvjimvucmbrequqif

Amputate Your Head 05-13-2002 07:09 AM

format c:

Darren 05-13-2002 07:09 AM

in this case the site HugeandHealthy is used.

funkmaster 05-13-2002 07:20 AM

... well, well, well ... I guess that's the price you have to pay for all those video editing questions lately ... someone got really pissed off here ...

Darren 05-13-2002 07:23 AM

Quote:

Originally posted by funkmaster
... well, well, well ... I guess that's the price you have to pay for all those video editing questions lately ... someone got really pissed off here ...

ahh right that's ok then. sorry for askin for help.

Darren 05-13-2002 09:02 AM

no help?

Theo 05-13-2002 09:18 AM

strange

look what happened to me yesterday. I received from Amazon.com on a porn domain email the following:


Thanks for writing to Amazon.com. Our editors very much appreciate
your feedback. Given the volume of mail that our editors receive,
they're not always able to respond to each and every mail, hence this
automated response.

If in responding to an Amazon.com newsletter you were looking for
information about an order, you should find the answers to most of
your questions in our online Help department:

http://www.amazon.com/help

To view any order, or to make changes to an order that has yet to
enter the shipping process, visit Your Account:

http://www.amazon.com/your-account/

You can also access Your Account by clicking the button at the top of
any page of our store. Once there, you can cancel or combine items
from orders that have not yet entered the shipping process, as well as
change the shipping address, payment method, or shipping method of
most pending orders.

We hope you enjoyed receiving the newsletter. However, if you'd like
to unsubscribe, please use the link below or click the Your Account
button in the top right corner of any page on the Amazon.com Web
site. Under the E-mail and Subscriptions heading, click the "Manage
your Delivers" link.

http://www.amazon.com/subscriptions-update



The problem is that I didn't post anything to Amazon, no review or something. Someone else did it using my email as reply without knowing the content of his message.....

DrGuile 05-13-2002 09:23 AM

211.185.20.169 that's the person who sent it.

you can also get his affiliate account closed for spamming.

Have a nice day
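Added example (not part of the original thread or any poster's code): a Python check of the `Received` chain from the bounce quoted above, showing why 211.185.20.169 is the last address that can be tied to the message and why the three lines beneath it cannot be verified. The rule used, that each older line's `by` host must be the peer the newer hop recorded, is a heuristic assumption; the redacted address in the `ns.ipg.sk` line is omitted.

```python
import re
from email import message_from_string

# Received chain copied from the bounce quoted in the thread (folding restored).
BOUNCE_COPY = """\
Received: (qmail 27134 invoked from network); 12 May 2002 07:14:51 -0700
Received: from ns.ipg.sk (62.168.116.86)
 by s3-c2.cnmnetwork.com with SMTP; 12 May 2002 07:14:51 -0700
Received: (qmail 19114 invoked by alias); 12 May 2002 14:15:02 -0000
Received: (qmail 19026 invoked from network); 12 May 2002 14:15:00 -0000
Received: from unknown (HELO 211.185.20.169)
 by ns.ipg.sk with SMTP; 12 May 2002 14:15:00 -0000
Received: from [49.164.250.3] by rly-xw01.mx.aol.com with SMTP; May, 12 2002 3:50:43 AM +0600
Received: from [24.118.23.60] by n9.groups.yahoo.com with SMTP; May, 12 2002 2:51:32 AM +0600
Received: from 152.74.145.157 ([152.74.145.157]) by hd.regsoft.net with esmtp; May, 12 2002 2:07:44 AM -0300
Subject: (body omitted)

"""

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
HOP_RE = re.compile(r"from\s+(.*?)\s+by\s+(\S+)", re.I)


def parse_hops(raw):
    """Return SMTP hops, newest first; qmail-internal lines have no from/by."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.match(" ".join(value.split()))
        if not m:
            continue
        sender, by_host = m.groups()
        ips = IP_RE.findall(sender)
        name = sender.split()[0].strip("[]").lower()
        hops.append({"names": {name, *ips}, "ip": ips[0] if ips else None,
                     "by": by_host.lower()})
    return hops


def last_consistent_hop(hops):
    """Walk newest to oldest. The chain breaks where an older line's 'by' host
    is not the peer the newer hop recorded; everything older is unverified."""
    if not hops:
        return None, []
    for i in range(len(hops) - 1):
        if hops[i + 1]["by"] not in hops[i]["names"]:
            return hops[i], hops[i + 1:]
    return hops[-1], []


if __name__ == "__main__":
    hop, unverified = last_consistent_hop(parse_hops(BOUNCE_COPY))
    print("last consistent hop:", hop["by"], "received from", hop["ip"])
    print("unverified lines below it:", [h["by"] for h in unverified])
```

A server that names itself differently from the name its peer recorded will also trip this check, so a break marks lines to distrust rather than proof of forgery.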

fiveyes 05-13-2002 09:27 AM

I ran into the same problem recently. The bitch about "This message could not be delivered messages" is that the headers will only be for the return from the bounce. The only time you'll have the original headers of the message included before the bounce, is if it bounced off a particular configuration of qmail that supplies them, but it'll be in the message body.

In other words, about 1 out of 500 emails will have something that might could lead back to where it originated. However, even then, they're most likely going through an open mail relay (considered user friendly early on in the game, but now seen as a serious risk because of recent abuse) and, well, "good luck!" in tracing it back.

One of these programs walks randomly through user names of a given domain to fill in bogus ReplyTo, From and EnvelopeFrom fields. When that happens, you'll get all the bounce backs from non-existent e-mail accounts on their lists, BUT only if you have your mail forwarding on your server set as "@yourdomain.com". What's needed is to immediately change that setting to a list of the specific e-mail accounts that you actually need, such as "[email protected],[email protected],su [email protected]" and include any other user name accounts you have listed on your site for contact. Send the rest to the bit bucket!

Darren 05-13-2002 09:27 AM

and how do i find out who "211.185.20.169" is?

Darren 05-13-2002 09:29 AM

fiveyes
that's a good idea and i am doing so now, BUT that will NOT stop the spamming and the problems eg my host getting pissed off.

fiveyes 05-13-2002 09:50 AM

Just assure your host that you're not so stupid to have been using your own domain to be spamming someone else's shit. If your case is anything at all like what I was experiencing, you're getting hit with 1000-1300 e-mails an hour, might be worse if they're using a dirtier list. It might be somewhat taxing to relay all that on, but not so to send it to /dev/null. My tech admin wasn't concerned about the load in the least and it took him 2 minutes to do the reset.

The largest concern I had was a 1200 e-mail limit my ISP provides, if I didn't pull it all down at least once an hour, I started losing messages. :feels-hot

Darren 05-13-2002 10:05 AM

fiveeyes it's EXACTLY THE SAME

JConway 05-13-2002 10:08 AM

Keep us posted as to how this turns out.

jimmyf 05-13-2002 10:31 AM

http://www.apnic.net/db/
:ak47: You need to go to the above and read who to report them to

211.185.20.169
Whois Search results for ' 211.185.20.169'...

Links to other registries are highlighted.


% Rights restricted by copyright. See http://www.apnic.net/db/dbcopyright.html
% (whois7.apnic.net)

inetnum: 211.172.0.0 - 211.199.255.255
netname: KRNIC-KR
descr: KRNIC
descr: Korea Network Information Center
country: KR
admin-c: HM127-AP
tech-c: HM127-AP
remarks: ******************************************
remarks: KRNIC is the National Internet Registry
remarks: in Korea under APNIC. If you would like to
remarks: find assignment information in detail
remarks: please refer to the KRNIC Whois DB
remarks: http://whois.nic.or.kr/english/index.html
remarks: ******************************************
mnt-by: APNIC-HM
mnt-lower: MNT-KRNIC-AP
changed: [email protected] 20000607
changed: [email protected] 20010606
source: APNIC

person: Host Master
address: 11F, KTF B/D, 1321-11, Seocho2-Dong, Seocho-Gu,
address: Seoul, Korea, 137-857
country: KR
phone: +82-2-2186-4500
fax-no: +82-2-2186-4496
e-mail: [email protected]
nic-hdl: HM127-AP
mnt-by: MNT-KRNIC-AP
changed: [email protected] 20020507
source: APNIC

inetnum: 211.185.20.160 - 211.185.20.255
netname: JUMONG-KR
descr: JuMong School
descr: 179 SANGILDONG KANGDONGKU
descr: SEOUL
descr: 134-090
country: KR
admin-c: JK5926-KR
tech-c: JL4018-KR
remarks: This IP address space has been allocated to KRNIC.
remarks: For more information, using KRNIC Whois Database
remarks: whois -h whois.nic.or.kr
remarks: This information has been partially mirrored by APNIC from
remarks: KRNIC. To obtain more specific information, please use the
remarks: KRNIC whois server at whois.krnic.net.
mnt-by: MNT-KRNIC-AP
changed: [email protected] 20020506
source: KRNIC

person: JeongDong Kim
country: KR
phone: +82-2-427-4584
fax-no: +82-2-442-5083
e-mail: [email protected]
nic-hdl: JK5926-KR
remarks: This information has been partially mirrored by APNIC from
remarks: KRNIC. To obtain more specific information, please use the
remarks: KRNIC whois server at whois.krnic.net.
mnt-by: MNT-KRNIC-AP
changed: [email protected] 20020506
source: KRNIC

fiveyes 05-13-2002 10:31 AM

Quote:

Originally posted by Darren
fiveeyes it's EXACTLY THE SAME

OK, then the messages that bounce back to you with the subject line "failure notice" will be from the qmail programs that will send along the original headers. However, most likely that will only reveal that the original sender was using forged headers through an open relay such as "mail.oiotank.com" (a, seemingly Korean-based, rogue host), which doesn't even bother doing a HELO verification back to the sender. In other words, to stop the SPAM, you'd either have to convince the host of the open relay to close their hole up (good luck with that! It may well be run by a spam outfit, eh.) or put a sniffer upstream from them to intercept the original packets as they come in and step-trace back to the origin.

Either way, the result, even if it's an unintentional side effect, is a Denial Of Service attack and should be reported to the authorities. You can contact your state's attorney general office, file a complaint at https://rn.ftc.gov/dod/wsolcq$.startup?Z_ORG_CODE=PU01 or even contact your local law enforcement agency, who may take the incident seriously enough to "refer you on up". Check out http://www.camblab.com/nugget/extermin.htm, http://easyweb.easynet.co.uk/~gcaselton/spam/spam.html (somewhat dated, but still mostly good) and news://news.admin.net-abuse.email if you feel like getting pro-active...:thumbsup

jreaka 05-13-2002 10:34 AM

That sucks.....there are always assholes out there:ak47:

fiveyes 05-13-2002 10:54 AM

Darren:

BTW, contact your host's tech support immediately if you haven't done so already and let them know what's happening! It had best be you that he hears about the problem from first, if for no other reason than he'll be able to assure any complainers that you really aren't responsible for this.

Also, he may be able to offer a better solution than the one I came up with. All I know is that it worked for me. OK?

Darren 05-13-2002 11:55 AM

Thank you SO much, you have been very helpful indeed and just the advice I needed. I have contacted my host - the great energyhosting.com - and referred them to this thread.

AGAIN THANK YOU and i will keep u posted.

[illnet]-Romeo 05-13-2002 02:33 PM

you can use this link to trace the ip
http://visualroute.visualware.com/

hope it helps

Fletch XXX 05-13-2002 02:51 PM

Sometimes people get pissed here and do really nasty things to people. Some are still spamming in my name so I have been told hehehe

Kimmykim 05-13-2002 03:53 PM

Hmmmm.

Darren 05-13-2002 11:08 PM

Quote:

Originally posted by Kimmykim
Hmmmm.

so what does that mean do you care to enlighten me


All times are GMT -7. The time now is 02:35 PM.
