OT: spam with forged return addresses

by Charles A Upsdell <cupsdell(at)upsdell.com>

 Date:  Sat, 08 Jun 2002 22:00:52 -0400
 To:  hwg-techniques(at)hwg.org
 References:  o4u7d1
Hi all:

I appear to be the victim of a spammer who is forging as his return address 
a non-existent eMail address with MY domain name, www.upsdell.com.  He is 
sending out piles of spam (to sell cigarettes etc.) with the return address 
xfgrdewq(at)upsdell.com:  I am getting error messages from eMail delivery 
systems when the spam is sent to a non-existent recipient.

I have appended a typical error message to the end of this message so that 
you can examine this in detail.

In the case of the cigarette spam, I have been able to determine that the 
sales are being done at the domain:

     www.glorybehosting.com

I have checked the WHOIS on this, and determined that this site is hosted 
by http://w3.comhome.com/ , which appears to be an oriental site host.

What can I do to stop the scumbag from sending out spam with my domain name 
in the return address?

TIA - Chuck Upsdell


----- Error message received from Earthlink -----

X-NAV-TimeoutProtection0: X
X-NAV-TimeoutProtection1: X
X-NAV-TimeoutProtection2: X
X-NAV-TimeoutProtection3: X
X-NAV-TimeoutProtection4: X
X-NAV-TimeoutProtection5: X
X-NAV-TimeoutProtection6: X
Return-path: <root(at)mail.upsdell.com>
Envelope-to: cupsdell(at)istar.ca
Delivery-date: Sat, 08 Jun 2002 18:08:23 -0400
Received: from mail2.atl.registeredsite.com ([64.224.219.76])
         by app5.nasc.inter.net with esmtp (Exim 3.22 #1)
         id 17GoNj-0005UI-00
         for cupsdell(at)istar.ca; Sat, 08 Jun 2002 18:08:23 -0400
Received: from mail.upsdell.com ([216.2.33.47])
         by mail2.atl.registeredsite.com (8.12.2/8.12.2) with ESMTP id 
g58M8MZg006333
         for <cupsdell(at)istar.ca>; Sat, 8 Jun 2002 18:08:22 -0400
Received: from SMTP32-FWD by mail.upsdell.com
   (SMTP32) id A000002B1; Sat,  8 Jun 2002 18:08:15 -0400
Received: from badboy.mail.pas.earthlink.net [216.2.33.47] by 
mail.upsdell.com with ESMTP
   (SMTPD32-6.06) id A04F31EE00B6; Sat, 08 Jun 2002 18:08:15 -0400
Received: from localhost (localhost)
         by badboy.mail.pas.earthlink.net (8.11.6+Sun/8.11.6) id g58M4QF24846;
         Sat, 8 Jun 2002 15:08:20 -0700 (PDT)
Date: Sat, 8 Jun 2002 15:08:20 -0700 (PDT)
From: Mail Delivery Subsystem <MAILER-DAEMON(at)earthlink.net>
Message-Id: <200206082208.g58M4QF24846(at)badboy.mail.pas.earthlink.net>
To: <xfgrdewq(at)upsdell.com>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
         boundary="g58M4QF24846.1023574100/badboy.mail.pas.earthlink.net"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
X-UIDL: 7bf5d91bc9eee8eec26baee8ae5c383d

The original message was received at Sat, 8 Jun 2002 15:02:10 -0700 (PDT)
from hawk.mail.pas.earthlink.net [207.217.120.22]

    ----- The following addresses had permanent fatal errors -----
<levin(at)livinghopemin.com>
     (reason: 550 Host unknown)

    ----- Transcript of session follows -----
550 5.1.2 <levin(at)livinghopemin.com>... Host unknown (Name server: 
livinghopemin.com: host not found)
Reporting-MTA: dns; badboy.mail.pas.earthlink.net
Arrival-Date: Sat, 8 Jun 2002 15:02:10 -0700 (PDT)

Final-Recipient: RFC822; levin(at)livinghopemin.com
Action: failed
Status: 5.1.2
Remote-MTA: DNS; livinghopemin.com
Diagnostic-Code: SMTP; 550 Host unknown
Last-Attempt-Date: Sat, 8 Jun 2002 15:08:20 -0700 (PDT)
Return-Path: <xfgrdewq(at)upsdell.com>
Received: from hawk.mail.pas.earthlink.net (hawk.mail.pas.earthlink.net 
[207.217.120.22])
         by badboy.mail.pas.earthlink.net (8.11.6+Sun/8.11.6) with ESMTP id 
g58M2AW24208
         for <levin(at)livinghopemin.com>; Sat, 8 Jun 2002 15:02:10 -0700 (PDT)
Received: from dialup-207-232-89-177.omaha.radiks.net ([207.232.89.177] 
helo=nb600urwhs4)
         by hawk.mail.pas.earthlink.net with smtp (Exim 3.33 #2)
         id 17GncY-0007Wc-00; Sat, 08 Jun 2002 14:19:38 -0700
From: xfgrdewq(at)upsdell.com
To: tad(at)hotmail.com
Subject: Tobacco 50% OFF...
Date: Wed, 07 Jun 2000 23:29:48 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
         boundary="----=_NextPart_000_45E4_000019F0.00007CF1"
X-Priority: 3
X-MSMail-Priority: Normal
Reply-To: xfgrdewq(at)upsdell.com
Message-Id: <E17GncY-0007Wc-00(at)hawk.mail.pas.earthlink.net>

Content-Type: text/html;

Tired of paying high prices for

Cigarettes???

We offer major brands for LESS

Than the cost of generics in most

PLACES.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

...NO CHARGE...

<http://www.glorybehosting.com/americansmokeshop>To have a look... SAVE Today!

<http://www.glorybehosting.com/americansmokeshop>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<http://www.glorybehosting.com/americansmokeshop> 














For those who would prefer not to receive our offerings
please simply <http://www.glorybehosting.com>Click Here and send. for removal.
--g58M4QF24846.1023574100/badboy.mail.pas.earthlink.net-- 
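
Added example (not part of the original post): a bounce like the one above can be triaged automatically by parsing the multipart/report structure, checking whether the envelope sender is a real mailbox in your domain, and pulling the injecting host from the returned message's earliest Received line. The sample DSN, the domain victim.example, the mailbox set and the function name analyze_bounce are constructed for illustration.

```python
import email
import re

# Constructed sample bounce (DSN), modelled on the one in the post; reserved
# example domains and documentation IP ranges stand in for real hosts.
SAMPLE_DSN = """\
To: <xfgrdewq@victim.example>
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.isp.example

Final-Recipient: RFC822; nobody@nxdomain.example
Action: failed
Status: 5.1.2

--B1
Content-Type: message/rfc822

Return-Path: <xfgrdewq@victim.example>
Received: from relay.isp.example ([198.51.100.22])
        by mx.isp.example with ESMTP; Sat, 8 Jun 2002 15:02:10 -0700
Received: from dialup.access.example ([192.0.2.177] helo=nb600)
        by relay.isp.example with smtp; Sat, 08 Jun 2002 14:19:38 -0700
Subject: constructed spam subject

constructed body
--B1--
"""

def analyze_bounce(raw, domain, real_users):
    msg = email.message_from_string(raw)
    out = {"is_dsn": msg.get_content_type() == "multipart/report"}
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            for block in part.get_payload():      # one Message per header block
                if block["Final-Recipient"]:
                    out["recipient"] = block["Final-Recipient"].split(";")[1].strip()
                    out["status"] = block["Status"]
        elif part.get_content_type() == "message/rfc822":
            orig = part.get_payload(0)            # the returned spam itself
            local, _, dom = orig["Return-Path"].strip("<>").partition("@")
            # Backscatter: our domain in the envelope sender, but no such user.
            out["forged"] = dom == domain and local not in real_users
            # Bottom-most Received line = first hop = where it was injected.
            hop = orig.get_all("Received")[-1]
            out["origin_ip"] = re.search(r"\[([\d.]+)\]", hop).group(1)
    return out
```

Only Received lines written by a relay you trust are reliable; anything below the first trusted hop can be forged by the sender, so the extracted address is a lead for an abuse report to that relay's operator, not proof of origin.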

HWG hwg-techniques mailing list archives, maintained by Webmasters @ IWA