[Dshield] Spam and spoofing my from address

Tony Earnshaw tonye at billy.demon.nl
Tue Aug 9 19:21:53 GMT 2005


Tue, 09.08.2005 at 16:45, Andy Brown wrote:

> This has been going on for some time now, and I've tried many ways to 
> stop the issue, however other than closing my mail account it just seems 
> to get worse.
> 
> Several months ago I started to receive bounce messages saying unknown 
> recipient, to domains/sites I'd never contacted.
> Examining the bounce it showed that the message was spam, using my 
> address as the FROM address (nothing spectacular so far really).
> I looked closer, and they're being more clever than that, they're 
> actually spoofing my server headers also, as the headers show my server 
> name, IP address, etc as a legitimate email would.

There's NO WAY they could falsify the track (Received: headers) to your
node. No way. It's in your headers.

> Now that's not that difficult to do, I know, just grab MX records, etc, 
> etc but the problem I've got is that some VERY dumb sysadmins out there 
> are now mailing my postmaster account saying stop sending or they'll 
> contact my upstream and have me cut-off.
> 
> Luckily my upstream is myself! And the upstream from that is via 
> business contacts, so very little chance they'd get me cut-off, but what 
> I'm worried about is getting blacklisted, etc, etc.
> 
> Does anyone have similar experiences, and have any suggestions on how to 
> combat this problem?
> I'm starting to get upwards of 500+ bounces a day now, so the spammer 
> out there is really sending them through at some rate.
> 
> I can paste headers, etc to anyone who thinks they can shed light or 
> provide possible answers (it's not the email addresses I use here)!
> 

Send me some examples off list, I'll get back on list later. Include
something of what's genuine and what you reckon is forged.

--Tonni

-- 
mail: tonye at billy.demon.nl
http://www.billy.demon.nl

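Tonni's point about the Received: trail, worked through as an added example (not from the thread): only the Received: lines written by the complaining site's own MTAs record the IP that really connected, so a lower line claiming "by" the victim's server is forged whenever the hop above it saw a different address. Hostnames, IPs and the header sample are constructed for the example; `mail.example.org` stands for the victim's MTA and `203.0.113.99` for its real outbound address.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample: the spam's headers as they come back inside a bounce.
# The top two Received: lines were written by the complaining site's MTAs;
# the third claims the message passed through mail.example.org but was
# written by the spammer's sending host. All names and IPs are made up.
SAMPLE_HEADERS = (
    "Received: from mx1.remote-site.example (mx1.remote-site.example [198.51.100.7])\n"
    "\tby mailhub.remote-site.example with ESMTP id abc123; Tue, 9 Aug 2005 10:02:11 +0000\n"
    "Received: from mail.example.org (unknown [203.0.113.45])\n"
    "\tby mx1.remote-site.example with SMTP id def456; Tue, 9 Aug 2005 10:02:09 +0000\n"
    "Received: from user-pc (unknown [192.0.2.10])\n"
    "\tby mail.example.org with ESMTP id 1A2b3C; Tue, 9 Aug 2005 09:58:00 +0000\n"
    "From: andy@example.org\n"
    "To: victim@other.example\n"
)

MY_HOSTS = {"mail.example.org"}   # names the victim's MTA writes into "by"
MY_IPS = {"203.0.113.99"}         # address that MTA really connects from (constructed)

HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\[(?P<ip>[0-9.]+)\].*?\bby\s+(?P<by>\S+)",
                    re.IGNORECASE | re.DOTALL)

def parse_received(raw: str) -> List[Dict[str, str]]:
    """Unfold continuation lines and return Received: hops, newest (topmost) first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    hops = []
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            m = HOP_RE.search(line)
            if m:
                hops.append(m.groupdict())
    return hops

def find_forged_hop(raw: str, my_hosts: Set[str], my_ips: Set[str]) -> Optional[Dict[str, str]]:
    """Walk the chain from the top. Each hop's 'from ... [ip]' is what that server
    actually saw connect. If the hop below claims 'by <our host>' (or the hop names
    itself as our host) but the observed IP is not ours, that hop and everything
    beneath it were never written by our MTA."""
    hops = parse_received(raw)
    for upper, lower in zip(hops, hops[1:]):
        claims_ours = lower["by"].lower() in my_hosts or upper["from"].lower() in my_hosts
        if claims_ours and upper["ip"] not in my_ips:
            return {"forged_by": lower["by"], "real_source_ip": upper["ip"],
                    "observed_by": upper["by"]}
    return None  # every hop claiming our server really came from our address
```

The `real_source_ip` is the address worth quoting back to the complaining postmaster, since it is the one their own server logged.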

