[Dshield] victim of spam-trash
dave at boldfish.com
Fri Mar 8 16:00:42 GMT 2002
On Fri, 8 Mar 2002, Martin Müller wrote:
> Hi all,
> we have the following problem.
> A spammer is sending tons of emails with the email address
> eddiecandy2782 at sse.de as reply-to or mail from in the header.
> The domain sse.de belongs to a customer of ours. (Which isn't the spammer)
you have found one of the worst kinds of spammers. Ones that use other
people's domain as the reply or sender... bounces and replies are coming
> We get several thousand emails a day from all over the world with
> error messages that the mail (spam) isn't delivered because of "unknown user,
> or something else"
> I think the mailing list from the spammer is very old.
they're probably using dictionary delivery, and again, bounces are coming
> In other words, the spammer is sending with our
> email address/domain (eddiecandy2782 at sse.de) to i.e. asdf at yahoo.com and yahoo
> is sending the mail to me, that the asdf at yahoo.com is i.e. unknown. The
> yahoo email address is only for example.
did you look at the headers to make sure yahoo is really sending those?
it's trivial to make the to: line be some yahoo address and BCC a ton of
aliases on your local machine. The to: line will look like it should not
come to you, but the BCC's in the envelope are what is making it be delivered
to you. It's just like sending me an e-mail but BCC'ing your other buddies
in a different domain. When they get the mail the to: line will just show
the mail addressed to me, but it will mysteriously be in their inboxes.
The envelope won't reveal this, that's the whole point of BCC.
> The only thing is, that I have configured this email address to be rejected,
> but this does not solve the problem, because with this we are rejecting the
> return mails from great companies like yahoo or msn or something else and not
> the spammer himself.
in lies the caveat of blocking popular web mail, you either block all of
that domain or deal with the people that are forging the from address of
> I've got many emails from concerned users because of spamming, but the spam
> isn't from us.
> What can I do? Has somebody a great idea?
not a ton actually, all you can do is try and track down the people who
are using this domain and get them to stop. If I wanted to send mail out
as you I could easily do that. The telltale sign is to look at the
headers to see where the mail originated, and to see that it's not coming
from you. The users who are complaining are just looking at the from:
address and not looking at the headers to bitch at the right people.
> I have viewed much of this spam, but in all the mails there is no hint, who it could
run the full message through http://www.spamcop.net. That will tell you
where it originated...
good luck, you have a tough one on your hands....
> On the Internet I have found this text
> which is one of the contents of the mail (but there are many, many more)
> The email address at the end is a fake too, I think.
> Thanks in advance,
> Martin Mueller
> Webpartner Kommunikationsdienste GmbH
> Metzstrasse 14b
> 81667 Muenchen
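An added example, not part of the original post: one way to do the header check the reply recommends, by pulling the returned headers out of a bounce and listing the relay path from its Received lines. The bounce text, host names, addresses and the function names are constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed bounce (DSN) for illustration; hosts and addresses are made up.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.receiver.example
To: forged-sender@victim.example
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

<asdf@receiver.example>: unknown user
--b1
Content-Type: text/rfc822-headers

Received: from relay.open.example (relay.open.example [198.51.100.7])
\tby mx.receiver.example with ESMTP; Fri, 8 Mar 2002 10:00:02 +0000
Received: from pc (dialup.isp.example [203.0.113.45])
\tby relay.open.example with SMTP; Fri, 8 Mar 2002 10:00:00 +0000
From: forged-sender@victim.example
To: asdf@receiver.example

--b1--
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def returned_headers(bounce_raw):
    """Return the original message (or its headers) carried inside a bounce."""
    for part in email.message_from_string(bounce_raw).walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_payload())
    return None

def relay_path(msg):
    """Connecting IPs from the Received lines, oldest hop first."""
    # Only the hop written by the bouncing site's own server is trustworthy;
    # older Received lines can be forged by the sender.
    found = (IP_IN_BRACKETS.search(h) for h in reversed(msg.get_all("Received", [])))
    return [ipaddress.ip_address(m.group(1)) for m in found if m]

def came_from_us(bounce_raw, own_networks):
    """True if any relay hop of the returned message is in our networks."""
    original = returned_headers(bounce_raw)
    nets = [ipaddress.ip_network(n) for n in own_networks]
    return original is not None and any(ip in net for ip in relay_path(original) for net in nets)
```

Run over a mailbox of bounces, the oldest trustworthy hop gives the network to report to, and a False from came_from_us is what to show complaining users.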