Re: spam with forged return addresses

by "Andrew Armstrong" <andrew(at)wisca.co.uk>

 Date:  Sun, 9 Jun 2002 14:45:06 +0100
 To:  <hwg-techniques(at)hwg.org>,
"Charles A Upsdell" <cupsdell(at)upsdell.com>
 References:  o4u7d1 upsdell
A similar thing happened to me last year. Eventually, when the bounced mail
reached 500 Megabytes per day, I had the ISP automatically delete on arrival
all mail other than to specific addresses that I set up as separate pop3
mailboxes.

Bounced spam may still arrive, but I never know about it.

Just a thought, if it does not stop on its own.

Interestingly, the problem got much worse after I complained to the ISP
where some of the earlier spam originated.

Andrew Armstrong


----- Original Message -----
From: "Charles A Upsdell" <cupsdell(at)upsdell.com>
To: <hwg-techniques(at)hwg.org>
Sent: Sunday, June 09, 2002 3:00 AM
Subject: OT: spam with forged return addresses


> Hi all:
>
> I appear to be the victim of a spammer who is forging as his return address
> a non-existent eMail address with MY domain name, www.upsdell.com.  He is
> sending out piles of spam (to sell cigarettes etc.) with the return address
> xfgrdewq(at)upsdell.com:  I am getting error messages from eMail delivery
> systems when the spam is sent to a non-existent recipient.
>
> I have appended a typical error message to the end of this message so that
> you can examine this in detail.
>
> In the case of the cigarette spam, I have been able to determine that the
> sales are being done at the domain:
>
>      www.glorybehosting.com
>
> I have checked the WHOIS on this, and determined that this site is hosted
> by http://w3.comhome.com/ , which appears to be an oriental site host.
>
> What can I do to stop the scumbag from sending out spam with my domain name
> in the return address?
>
> TIA - Chuck Upsdell
>
>
> ----- Error message received from Earthlink -----
>
> X-NAV-TimeoutProtection0: X
> X-NAV-TimeoutProtection1: X
> X-NAV-TimeoutProtection2: X
> X-NAV-TimeoutProtection3: X
> X-NAV-TimeoutProtection4: X
> X-NAV-TimeoutProtection5: X
> X-NAV-TimeoutProtection6: X
> Return-path: <root(at)mail.upsdell.com>
> Envelope-to: cupsdell(at)istar.ca
> Delivery-date: Sat, 08 Jun 2002 18:08:23 -0400
> Received: from mail2.atl.registeredsite.com ([64.224.219.76])
>          by app5.nasc.inter.net with esmtp (Exim 3.22 #1)
>          id 17GoNj-0005UI-00
>          for cupsdell(at)istar.ca; Sat, 08 Jun 2002 18:08:23 -0400
> Received: from mail.upsdell.com ([216.2.33.47])
>          by mail2.atl.registeredsite.com (8.12.2/8.12.2) with ESMTP id
> g58M8MZg006333
>          for <cupsdell(at)istar.ca>; Sat, 8 Jun 2002 18:08:22 -0400
> Received: from SMTP32-FWD by mail.upsdell.com
>    (SMTP32) id A000002B1; Sat,  8 Jun 2002 18:08:15 -0400
> Received: from badboy.mail.pas.earthlink.net [216.2.33.47] by
> mail.upsdell.com with ESMTP
>    (SMTPD32-6.06) id A04F31EE00B6; Sat, 08 Jun 2002 18:08:15 -0400
> Received: from localhost (localhost)
>          by badboy.mail.pas.earthlink.net (8.11.6+Sun/8.11.6) id g58M4QF24846;
>          Sat, 8 Jun 2002 15:08:20 -0700 (PDT)
> Date: Sat, 8 Jun 2002 15:08:20 -0700 (PDT)
> From: Mail Delivery Subsystem <MAILER-DAEMON(at)earthlink.net>
> Message-Id: <200206082208.g58M4QF24846(at)badboy.mail.pas.earthlink.net>
> To: <xfgrdewq(at)upsdell.com>
> MIME-Version: 1.0
> Content-Type: multipart/report; report-type=delivery-status;
>          boundary="g58M4QF24846.1023574100/badboy.mail.pas.earthlink.net"
> Subject: Returned mail: see transcript for details
> Auto-Submitted: auto-generated (failure)
> X-UIDL: 7bf5d91bc9eee8eec26baee8ae5c383d
>
> The original message was received at Sat, 8 Jun 2002 15:02:10 -0700 (PDT)
> from hawk.mail.pas.earthlink.net [207.217.120.22]
>
>     ----- The following addresses had permanent fatal errors -----
> <levin(at)livinghopemin.com>
>      (reason: 550 Host unknown)
>
>     ----- Transcript of session follows -----
> 550 5.1.2 <levin(at)livinghopemin.com>... Host unknown (Name server:
> livinghopemin.com: host not found)
> Reporting-MTA: dns; badboy.mail.pas.earthlink.net
> Arrival-Date: Sat, 8 Jun 2002 15:02:10 -0700 (PDT)
>
> Final-Recipient: RFC822; levin(at)livinghopemin.com
> Action: failed
> Status: 5.1.2
> Remote-MTA: DNS; livinghopemin.com
> Diagnostic-Code: SMTP; 550 Host unknown
> Last-Attempt-Date: Sat, 8 Jun 2002 15:08:20 -0700 (PDT)
> Return-Path: <xfgrdewq(at)upsdell.com>
> Received: from hawk.mail.pas.earthlink.net (hawk.mail.pas.earthlink.net
> [207.217.120.22])
>          by badboy.mail.pas.earthlink.net (8.11.6+Sun/8.11.6) with ESMTP id
> g58M2AW24208
>          for <levin(at)livinghopemin.com>; Sat, 8 Jun 2002 15:02:10 -0700 (PDT)
> Received: from dialup-207-232-89-177.omaha.radiks.net ([207.232.89.177]
> helo=nb600urwhs4)
>          by hawk.mail.pas.earthlink.net with smtp (Exim 3.33 #2)
>          id 17GncY-0007Wc-00; Sat, 08 Jun 2002 14:19:38 -0700
> From: xfgrdewq(at)upsdell.com
> To: tad(at)hotmail.com
> Subject: Tobacco 50% OFF...
> Date: Wed, 07 Jun 2000 23:29:48 -0500
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>          boundary="----=_NextPart_000_45E4_000019F0.00007CF1"
> X-Priority: 3
> X-MSMail-Priority: Normal
> Reply-To: xfgrdewq(at)upsdell.com
> Message-Id: <E17GncY-0007Wc-00(at)hawk.mail.pas.earthlink.net>
>
> Content-Type: text/html;
>
> Tired of paying high prices for
>
> Cigarettes???
>
> We offer major brands for LESS
>
> Than the cost of generics in most
>
> PLACES.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ...NO CHARGE...
>
> <http://www.glorybehosting.com/americansmokeshop>To have a look... SAVE Today!
>
> <http://www.glorybehosting.com/americansmokeshop>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<http://www.glorybehosting.com/americansmokeshop>
>
> For those who would prefer not to receive our offerings
> please simply <http://www.glorybehosting.com>Click Here and send. for removal.
> --g58M4QF24846.1023574100/badboy.mail.pas.earthlink.net--
>
>
>
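
The approach Andrew Armstrong describes above (accept mail only for known mailboxes and discard everything else on arrival), sketched as an added example that is not part of the original thread. The mailbox list, the `example.com` addresses and the sample bounce are constructed assumptions; the bounce is a trimmed imitation of the Earthlink delivery report quoted above.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the real mailboxes at the domain (hypothetical addresses).
VALID_MAILBOXES = {"webmaster@example.com"}

# Constructed bounce, shaped like the Earthlink DSN quoted in the thread.
SAMPLE_BOUNCE = """\
From: Mail Delivery Subsystem <MAILER-DAEMON@isp.example>
To: <nosuchuser@example.com>
Auto-Submitted: auto-generated (failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.isp.example

Final-Recipient: RFC822; someone@unknown-host.example
Action: failed
Status: 5.1.2
--b1--
"""

def is_bounce(msg):
    """True for a delivery status report or an auto-generated failure notice."""
    report = (msg.get_content_type() == "multipart/report"
              and (msg.get_param("report-type") or "").lower() == "delivery-status")
    return report or msg.get("Auto-Submitted", "").lower().startswith("auto-generated")

def failed_recipients(msg):
    """Addresses the forged mail could not reach, from the DSN's header blocks."""
    found = []
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status" and part.is_multipart():
            for block in part.get_payload():  # one header block per recipient
                if block.get("Final-Recipient"):
                    found.append(block["Final-Recipient"].split(";", 1)[-1].strip())
    return found

def triage(raw, envelope_to=None):
    """Deliver only to known mailboxes; drop the rest, labelling bounces as backscatter."""
    msg = message_from_string(raw)
    rcpt = (envelope_to or parseaddr(msg.get("To", ""))[1]).lower()
    if rcpt in VALID_MAILBOXES:
        return ("deliver", [])
    if is_bounce(msg):
        return ("drop-backscatter", failed_recipients(msg))
    return ("drop-unknown-recipient", [])
```

A bounce addressed to a real mailbox is still delivered, so failure reports for mail the owner actually sent are not lost.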

HWG hwg-techniques mailing list archives, maintained by Webmasters @ IWA