[Dshield] victim of spam-trash

Dave Young dave at boldfish.com
Fri Mar 8 16:00:42 GMT 2002

On Fri, 8 Mar 2002, Martin Müller wrote:

> Hi all,
> we have the following problem.
> A spammer is sending tons of emails with the email-adress
> eddiecandy2782 at sse.de as reply-to or mail from in the header.
> The Domain sse.de belongs to a customer from us. (Which isn't the spammer)

you have found one of the worst kinds of spammers. Ones that use other 
people's domain as the reply or sender...  bounces and replies are coming 
your way

> We get serveral thousands emails a day from all in the world with
> errormessages that the mail(spam) isn't delivered because of "unkown user,
> or something else"
> I think the maillist from the spammer is very old.

they're probably using dictionary delivery, and again, bounces are coming 
your way...

> In other words, the spammer is sending with our
> emailadress/domain(eddiecandy2782 at sse.de) to i.e. asdf at yahoo.com and yahoo
> is sending the mail to me, that the asdf at yahoo.com is i.e. unkown. The
> yahoo-email-adress is only for example.

did you look at the headers to make sure yahoo is really sending those? 
it's trivial to make the to: line be some yahoo address and BCC a ton of 
aliases on your local machine. The to: line will look like it should not 
come to you, but the BCC's in the envelope are what making it be delivered 
to you. It's just like sending me an e-mail but BCC'ing your other buddies 
in a different domain. When they get the mail the to: line will just show 
the mail addressed to me, but it will mysteriously be in their inboxes. 
The envelope won't reveal this, that's the whole point of BCC. 

> The only thing is, that i have configured this emailadress to be rejected,
> but this does not solve the problem, because with this we are rejecting the
> return mails from great companys like yahoo or msn or something else and not
> the spammer himself.

in lies the caveat of blocking popular web mail, you either block all of 
that domain or deal with the people that are forging the from address of 
that domain. 

> Ive got much emails from concerned users because of spamming, but the spam
> isn't from us.
> What can i do? Has somebody a great idea?

not a ton actually, all you can do is try and track down the people who 
are using this domain and get them to stop. If I wanted to send mail out 
as you I could easily do that. The tell tale sign is to look at the 
headers to see where the mail orginated, and too see that its not coming 
from you. The users who are complaing are just looking at the from: 
address and not looking at the headers to bitch at the right people.

> I have viewed much of this spam, but in all mails is no hint, who it could
> be.

run the full message through http://www.spamcop.net. That will tell you 
where it originated...

good luck, you have a tough one on your hands....


> In the Internet i have found this text
> http://archives.neohapsis.com/archives/crypto/2001-q3/0307.html
> which is one of the contents of the mail(but there are much much more)
> The Email-Adress at the end is a fake too, i think.
> Thanks in advance,
> Martin Mueller
> ---------------------------------------
> Webpartner Kommunikationsdienste GmbH
> Metzstrasse 14b
> 81667 Muenchen
> [[ Attachement of type text/html deleted]]
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

More information about the list mailing list