[Dshield] victim of spam-trash

Dave Young dave at boldfish.com
Fri Mar 8 16:28:31 GMT 2002

On Fri, 8 Mar 2002, Dave Young wrote:

> On Fri, 8 Mar 2002, Martin Müller wrote:
> > Hi all,
> > 
> > we have the following problem.
> > 
> > A spammer is sending tons of emails with the email-adress
> > eddiecandy2782 at sse.de as reply-to or mail from in the header.
> > The Domain sse.de belongs to a customer from us. (Which isn't the spammer)
> you have found one of the worst kinds of spammers. Ones that use other 
> people's domain as the reply or sender...  bounces and replies are coming 
> your way
>  > 
> > We get serveral thousands emails a day from all in the world with
> > errormessages that the mail(spam) isn't delivered because of "unkown user,
> > or something else"
> > I think the maillist from the spammer is very old.
> they're probably using dictionary delivery, and again, bounces are coming 
> your way...
> > 
> > In other words, the spammer is sending with our
> > emailadress/domain(eddiecandy2782 at sse.de) to i.e. asdf at yahoo.com and yahoo
> > is sending the mail to me, that the asdf at yahoo.com is i.e. unkown. The
> > yahoo-email-adress is only for example.
> did you look at the headers to make sure yahoo is really sending those? 
> it's trivial to make the to: line be some yahoo address and BCC a ton of 
> aliases on your local machine. The to: line will look like it should not 
> come to you, but the BCC's in the envelope are what making it be delivered 
> to you. It's just like sending me an e-mail but BCC'ing your other buddies 
> in a different domain. When they get the mail the to: line will just show 
> the mail addressed to me, but it will mysteriously be in their inboxes. 
> The envelope won't reveal this, that's the whole point of BCC.

just to clarify:

the person receiving the spam see something like:

to: this_is_fake_ at yahoo.com
from: your_user at sse.de

it's possible but not likely the top address is an alias that expands to 
the victem's email address. What's likely is the to: line is just some 
random yahoo address (or whatever) and that the spam victem's e-mail 
address is in the BCC part of the envelope (I forgot what the tech 
definition of that is) so the mail *looks* like it's going to this yahoo 
address but it's in their inbox, just like the BCC buddy example I gave 
before. They then think it's coming from you because of the from: address, 
but obviously it isn't.

basically you could change your reply-to and your e-mail address in your 
e-mail client to something like: bill.clinton at whitehouse.gov, then send an 
and e-mail to this_sucks at yahoo.com and BCC a whole bunch of people you 
don't like, you would get the same effect as this spam.

The mail will look like it went to "this_sucks" it will be from 
bill.clinton" but will be sitting in your buddies inboxes. See what I 

now if they reply, it'll go to whitehouse.gov. If it bounces after the 
SMTP transaction is complete, it'll go to whitehouse.gov and it's likely 
the bounce will bounce unless bill.clinton is valid. This is what you're 
seeing, the bounces are going to the from: address, which is your domain, 
but the from isn't a valid mailbox, so they go to postmaster (the bounce 
bounced) and you must be postmaster ;)

this can also be known as a mail bomb...  ;-) imagine sending a million 
e-mails that will all bounce to someone else's domain...  not fun.

  > >  > 
> > The only thing is, that i have configured this emailadress to be rejected,
> > but this does not solve the problem, because with this we are rejecting the
> > return mails from great companys like yahoo or msn or something else and not
> > the spammer himself.
> in lies the caveat of blocking popular web mail, you either block all of 
> that domain or deal with the people that are forging the from address of 
> that domain. 
>  > 
> > Ive got much emails from concerned users because of spamming, but the spam
> > isn't from us.
> > 
> > What can i do? Has somebody a great idea?
> not a ton actually, all you can do is try and track down the people who 
> are using this domain and get them to stop. If I wanted to send mail out 
> as you I could easily do that. The tell tale sign is to look at the 
> headers to see where the mail orginated, and too see that its not coming 
> from you. The users who are complaing are just looking at the from: 
> address and not looking at the headers to bitch at the right people.
> > I have viewed much of this spam, but in all mails is no hint, who it could
> > be.
> run the full message through http://www.spamcop.net. That will tell you 
> where it originated...

full message w/ HEADERS, just to be clear...  you gotta figure out what 
machine(s) is *generating* the messages and which machine(s) are 
*delivering* the messages (likely some open relay in Asia  :-) they can be 
but aren't likely to be the same machine. Spamcop will help you figure 
that out...

 > > good luck, you have a tough 
one on your hands.... >

this hasn't changed  :-) you really do have a tough one...


> --Dave
> > In the Internet i have found this text
> > http://archives.neohapsis.com/archives/crypto/2001-q3/0307.html
> > which is one of the contents of the mail(but there are much much more)
> > The Email-Adress at the end is a fake too, i think.
> > 
> > 
> > Thanks in advance,
> > 
> > Martin Mueller
> > 
> > ---------------------------------------
> > Webpartner Kommunikationsdienste GmbH
> > Metzstrasse 14b
> > 81667 Muenchen
> > 
> > 
> > [[ Attachement of type text/html deleted]]
> > 
> > _______________________________________________
> > Dshield mailing list
> > Dshield at dshield.org
> > To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
> > 

More information about the list mailing list