Pesky spammers are using my mailbox
Hi, seems some spammers are using one of my personal domains as the from field in their emails, the local-part being random so I can't easily block it. Has anyone any advice on tracking them down and making them stop? All I get are the bounces, some include the original headers but that usually gives an open relay as the origin. I think I know the answer (you can't do anything) but I wanted to ask as it's very annoying and I'm not happy!
PS Anyone around at the Sheraton today.. I can't spot anyone looking nanogish!
Steve
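For anyone who wants to do what Steve describes and pull the origin out of the headers a bounce carries back, here is an added example in Python; it is not code from this thread or from any poster. It parses a multipart/report DSN, finds the returned original message (either as a message/rfc822 part or as a headers-only text/rfc822-headers part), records the delivery status, and lists the Received hops with the IP of the earliest hop. The bounce text, the host names and the addresses 192.0.2.10, 198.51.100.7 and 203.0.113.45 are constructed sample data, and the function names are my own.

```python
"""Pull the originating Received chain out of a bounce (DSN).

Added example; the sample bounce below is constructed, not a real message.
"""
import email
import re
from email import policy
from email.message import Message
from typing import Optional

# Constructed sample: a multipart/report bounce that returns the original
# message, which carried a forged sender at the victim domain example.org.
SAMPLE_BOUNCE = b"""From: MAILER-DAEMON@mx.example.net
To: xk7q2@example.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="BOUNDARY42"

--BOUNDARY42
Content-Type: text/plain; charset=us-ascii

nobody@mx.example.net: User unknown

--BOUNDARY42
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@mx.example.net
Action: failed
Status: 5.1.1

--BOUNDARY42
Content-Type: message/rfc822

Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mx.example.net with ESMTP id q1; Sat, 31 May 2003 10:00:02 +0000
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx1.example.net with ESMTP; Sat, 31 May 2003 10:00:01 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby relay.example.com with SMTP; Sat, 31 May 2003 10:00:00 +0000
From: xk7q2@example.org
To: nobody@mx.example.net
Subject: buy now

body of the spam
--BOUNDARY42--
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ip(received: str) -> Optional[str]:
    """Return the first bracketed IPv4 literal in one Received header.

    That bracket normally holds the peer address the receiving MTA itself
    observed, the one part of the header the connecting host could not dictate.
    """
    m = IP_RE.search(received)
    return m.group(1) if m else None


def returned_message(bounce: Message) -> Optional[Message]:
    """Find the original message a DSN carries back, in either RFC 3462 form."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)          # the full original message
        if ctype == "text/rfc822-headers":
            # headers only: parse the text as a bare header block
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def delivery_status(bounce: Message) -> dict:
    """Pull Final-Recipient and Status out of the message/delivery-status part."""
    info = {}
    for part in bounce.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        for block in part.get_payload():        # per-message block, then per-recipient blocks
            if block.get("Final-Recipient"):
                # value is "<address-type>; <address>"; keep only the address
                info["final_recipient"] = str(block["Final-Recipient"]).split(";")[-1].strip()
                info["status"] = str(block.get("Status") or "").strip()
    return info


def analyze_bounce(raw: bytes) -> dict:
    """Summarise a bounce: who was forged as sender and where the mail really entered."""
    bounce = email.message_from_bytes(raw, policy=policy.default)
    result = {"bounced_to": bounce.get("To"), "hops": [], "origin_ip": None,
              "forged_sender": None, **delivery_status(bounce)}
    original = returned_message(bounce)
    if original is None:
        return result                            # DSN without the original: nothing to trace
    result["forged_sender"] = original.get("From")
    # Received headers are listed newest first, so the last one is the first hop.
    for hdr in original.get_all("Received", []):
        result["hops"].append(received_ip(re.sub(r"\s+", " ", str(hdr))))
    result["origin_ip"] = next((ip for ip in reversed(result["hops"]) if ip), None)
    return result


if __name__ == "__main__":
    r = analyze_bounce(SAMPLE_BOUNCE)
    print(f"forged sender : {r['forged_sender']}")
    print(f"status        : {r.get('status')} for {r.get('final_recipient')}")
    print("hops (newest first):", ", ".join(str(h) for h in r["hops"]))
    print(f"first hop     : {r['origin_ip']}")
```

Only the Received header added by the MTA you trust (here the reporting MTA and whatever it relays through) is reliable; anything below it in the chain was written by the sending side and can be fabricated, so treat the reported first hop as the lead for an abuse report, not as proof.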
On Sat, 31 May 2003, Stephen J. Wilcox wrote:
seems some spammers are using one of my personal domains as the from field in their emails, the local-part being random so I can't easily block it.
Has anyone any advice on tracking them down and making them stop?
Tactical baseball bat at close range? :) I and a number of coworkers are getting similar bounces, except the spammers are actually using our full email addresses as the from address. The first few cases of this, I wrote off to things like KLEZ...but recently I've gotten actual spam bounces where my work email address was the original from. I suppose it could possibly still be something like KLEZ and it's grabbing a spam from their inbox and sending that out with a forged from.
----------------------------------------------------------------------
Jon Lewis *jlewis@lewis.org*| I route
System Administrator        | therefore you are
Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
jlewis@lewis.org wrote:
I and a number of coworkers are getting similar bounces, except the spammers are actually using our full email addresses as the from address. The first few cases of this, I wrote off to things like KLEZ...but recently I've gotten actual spam bounces where my work email address was the original from.
I suppose it could possibly still be something like KLEZ and it's grabbing a spam from their inbox and sending that out with a forged from.
A good section of my users get User unknown bounces from the AOL servers where spammers are using their spam lists not only as recipients, but to spoof senders. Most of the time, it's just two or three per user. There are cases where the remote server has to be contacted regarding the bounces to request that bounce handling for the domain be turned off.
-Jack
Hi, Stephen.
] seems some spammers are using one of my personal domains as the
] from field in their emails...
This is also happening to one of my domains. The spam advertised two web sites, one in Brasil and the other in China. I attempted to contact these folks, but the domain in China doesn't accept inbound email. :/ The hosts used to send the mail are all hacked Windows boxes. I notified all of the ISPs that had hacked hosts, but decided to focus my energy on the two sites being advertised. I'm not accusing them of launching the Joe Job, but I doubt a spammer would randomly advertise these sites. Perhaps these two sites hired a shady marketing group. Anyway, this is really all I could do. The spam never uses my resources, except for the bounces. I share your pain. :(
] PS Anyone around at the Sheraton today.. I can't spot anyone looking
] nanogish!
I just arrived, and I look pretty darn NANOGish if I do say so myself. :)
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
On Sat, 31 May 2003, Stephen J. Wilcox wrote:
Hi, seems some spammers are using one of my personal domains as the from field in their emails, the local-part being random so I can't easily block it.
Has anyone any advice on tracking them down and making them stop?
All I get are the bounces, some include the original headers but that usually gives an open relay as the origin.
I think I know the answer (you can't do anything) but I wanted to ask as it's very annoying and I'm not happy!
man 8 syslogd, section "SECURITY THREATS", #5. You are being "joe jobbed". Your best bet is contacting a few of the sites that are likely to be a little more clueful and see if they can get you copies of the actual email in full from the recipient, spamtrap, or spam archives. This is happening more and more to the average joe. It used to rarely happen to Joe Blow off the street but was actually a common occurrence to anti-spammers (whack-a-mole a spammer a few times and then get very... sad). There isn't much you can do about it. You might ask some of the lists that actually deal in spam or ask NANAE (news.admin.net-abuse.email) for further advice.
Procmail is your friend,
Justin
On Sat, May 31, 2003 at 07:16:08PM +0100, Stephen J. Wilcox wrote:
seems some spammers are using one of my personal domains as the from field in their emails, the local-part being random so I can't easily block it.
Block *all* addresses except those actually being used[1]... I had to do this years ago for a customer who has '@foo.com -> mailbox' when some moron spammed about 10e6 messages from <random>@foo.com and the bounces began to hurt. Dumping all but the few legitimate fed@foo.com, lucy@f00f.com or whatever worked pretty well and the load on the system dropped radically as things were stopping early in the SMTP conversation and thus the system wasn't actually having to try to deal with much state most of the time.
--cw
[1] You probably also want to make sure postmaster@ works (RFC requirement) and probably abuse@ (procmail/vacation auto-responder exclaiming your innocence)
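Chris's approach above, as an added example in Python rather than an MTA configuration (this is not his code): a RCPT TO decision that accepts only the listed mailboxes plus the RFC 2142 role addresses, answers everything else with 550 while the sending MTA is still connected, and refuses to relay for foreign domains. The domain foo.com and the mailboxes fed and lucy follow his post; the burst of sample recipients is constructed and the function names are my own.

```python
"""Reject unknown local parts in-session instead of accepting and bouncing.

Added example of the approach in the post above, not the poster's code.
foo.com, fed and lucy come from the post; everything else is constructed.
"""
import re
from typing import Iterable, Tuple

LOCAL_DOMAINS = {"foo.com"}                  # domains this MX is the final destination for
KNOWN_LOCALPARTS = {"fed", "lucy"}           # the mailboxes that really exist
ROLE_LOCALPARTS = {"postmaster", "abuse"}    # must stay reachable (RFC 2142)

# simplified RFC 5321 forward-path: optional angle brackets around local@domain
ADDR_RE = re.compile(r"^<?([^<>@\s]+)@([^<>@\s]+)>?$")


def rcpt_reply(rcpt_arg: str,
               local_domains=LOCAL_DOMAINS,
               known=KNOWN_LOCALPARTS) -> Tuple[int, str]:
    """Return the SMTP reply (code, text) for one RCPT TO argument.

    Anything that would later bounce is refused here, during the SMTP
    conversation, so this host never generates a bounce to the forged sender.
    Local parts are compared case-insensitively, as most MTAs do in practice.
    """
    m = ADDR_RE.match(rcpt_arg.strip())
    if not m:
        return 501, "5.1.3 Bad recipient address syntax"
    local, domain = m.group(1).lower(), m.group(2).lower()
    if domain not in local_domains:
        # not our domain: refusing this is what keeps the host from being an open relay
        return 554, "5.7.1 Relay access denied"
    if local in ROLE_LOCALPARTS or local in known:
        return 250, "2.1.5 Recipient OK"
    return 550, f"5.1.1 <{local}@{domain}>: Recipient address rejected: User unknown"


def triage(rcpt_args: Iterable[str]) -> dict:
    """Count how a burst of RCPT TO attempts would be answered.

    Handy for sizing the effect of the change on a flood of joe-job bounces:
    everything in rejected_unknown is a bounce that never has to be stored.
    """
    bucket = {250: "accepted", 550: "rejected_unknown", 554: "relay_denied", 501: "bad_syntax"}
    counts = {name: 0 for name in bucket.values()}
    for arg in rcpt_args:
        code, _ = rcpt_reply(arg)
        counts[bucket[code]] += 1
    return counts


# Constructed burst: a few real mailboxes among random local parts, one
# relay attempt and one malformed argument.
SAMPLE_BURST = [
    "<fed@foo.com>", "<Lucy@Foo.COM>", "<abuse@foo.com>",
    "<xk7q2@foo.com>", "<a9v1pz@foo.com>", "<mkt44@foo.com>",
    "<victim@example.net>", "no-at-sign",
]

if __name__ == "__main__":
    for arg in SAMPLE_BURST:
        code, text = rcpt_reply(arg)
        print(f"RCPT TO:{arg:<24} -> {code} {text}")
    print(triage(SAMPLE_BURST))
```

In a real deployment this decision belongs in the MTA itself (Postfix's recipient maps, Exim's recipient verification, and so on); the example shows the decision, not the daemon. The check a practitioner should make is that the 550 is sent at RCPT TO, before DATA: a message rejected after it has been accepted still turns into a bounce, and a bounce to a forged sender is exactly the backscatter this thread is about.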
On Sat, 31 May 2003, Stephen J. Wilcox wrote:
Hi, seems some spammers are using one of my personal domains as the from field in their emails, the local-part being random so I can't easily block it.
FWIW, I'm having a feeling that someone harvested a bunch of addresses, possibly from NANOG, and is using them as the sender address in pretend-to-be KLEZ spams.. I have received several bounces lately, several of them appearing to be KLEZ, all with me as the original sender - and yet, there's no chance I was ever infected with KLEZ (No windows boxes here...)
--
Dominic J. Eidson
"Baruk Khazad! Khazad ai-menu!" - Gimli
-------------------------------------------------------------------------------
http://www.the-infinite.org/ http://www.the-infinite.org/~dominic/
Dominic J. Eidson wrote:
I'm having a feeling that someone harvested a bunch of addresses, possibly from NANOG, and is using them as the sender address in pretend-to-be KLEZ spams.. I have received several bounces lately, several of them appearing to be KLEZ, all with me as the original sender - and yet, there's no chance I was ever infected with KLEZ (No windows boxes here...)
The nature of KLEZ is that it spoofs the sender address. Anyone infected with KLEZ or one of the variants and on NANOG will likely send out klez spoofing as NANOG posters. -Jack
On Tue, 3 Jun 2003, Jack Bates wrote:
Dominic J. Eidson wrote:
I'm having a feeling that someone harvested a bunch of addresses, possibly from NANOG, and is using them as the sender address in pretend-to-be KLEZ spams.. I have received several bounces lately, several of them appearing to be KLEZ, all with me as the original sender - and yet, there's no chance I was ever infected with KLEZ (No windows boxes here...)
The nature of KLEZ is that it spoofs the sender address. Anyone infected with KLEZ or one of the variants and on NANOG will likely send out klez spoofing as NANOG posters.
I am quite aware of how KLEZ works - the sudden proliferation of NANOG-ers who reported that they've gotten KLEZ-ish bounces due to spoofed sender addresses seemed a little too coincidental. On the flip side, maybe there's still entirely too many people running vulnerable email readers...</irony>
- d.
--
Dominic J. Eidson
"Baruk Khazad! Khazad ai-menu!" - Gimli
-------------------------------------------------------------------------------
http://www.the-infinite.org/ http://www.the-infinite.org/~dominic/
On Tue, 03 Jun 2003 14:13:58 CDT, "Dominic J. Eidson" <sauron@the-infinite.org> said:
On the flip side, maybe there's still entirely too many people running vulnerable email readers...</irony>
Our virus scanners set a new one-day record yesterday by catching 105,745 copies of Sobig.C - so there's certainly no vast improvement out there. "Ooh, SHINY!" *click* Argh. ;)
On 03.06 13:44, Dominic J. Eidson wrote:
I'm having a feeling that someone harvested a bunch of addresses, possibly from NANOG, and is using them as the sender address in pretend-to-be KLEZ spams.. I have received several bounces lately, several of them appearing to be KLEZ, all with me as the original sender ....
Just to add another data point: The same thing started happening to me a few days ago. I do not know any of the recipients of the bounces but some people I *do* know advised me they are getting them. I cannot say whether this is really KLEZ or not, not enough data. Daniel
Add a "metoo" here. Unless we all have visited some other site in common..
Jerry
-------Original Message-------
From: Daniel Karrenberg
Date: Tuesday, June 03, 2003 04:22:04 PM
To: Dominic J. Eidson
Cc: nanog@merit.edu
Subject: Metoo Was: Pesky spammers are using my mailbox
On 03.06 13:44, Dominic J. Eidson wrote:
I'm having a feeling that someone harvested a bunch of addresses, possibly from NANOG, and is using them as the sender address in pretend-to-be KLEZ spams.. I have received several bounces lately, several of them appearing to be KLEZ, all with me as the original sender ....
Just to add another data point: The same thing started happening to me a few days ago. I do not know any of the recipients of the bounces but some people I *do* know advised me they are getting them. I cannot say whether this is really KLEZ or not, not enough data.
Daniel
Mine are not klez. And the email domain is not one I've ever sent to nanog, it's an old private domain.
Steve
On Tue, 3 Jun 2003, Daniel Karrenberg wrote:
On 03.06 13:44, Dominic J. Eidson wrote:
I'm having a feeling that someone harvested a bunch of addresses, possibly from NANOG, and is using them as the sender address in pretend-to-be KLEZ spams.. I have received several bounces lately, several of them appearing to be KLEZ, all with me as the original sender ....
Just to add another data point:
The same thing started happening to me a few days ago. I do not know any of the recipients of the bounces but some people I *do* know advised me they are getting them. I cannot say whether this is really KLEZ or not, not enough data.
Daniel
At 10:20 PM 03/06/2003 +0200, Daniel Karrenberg wrote:
On 03.06 13:44, Dominic J. Eidson wrote:
I'm having a feeling that someone harvested a bunch of addresses, possibly from NANOG, and is using them as the sender address in pretend-to-be KLEZ spams.. I have received several bounces lately, several of them appearing to be KLEZ, all with me as the original sender ....
Just to add another data point:
The same thing started happening to me a few days ago. I do not know any of the recipients of the bounces but some people I *do* know advised me they are getting them. I cannot say whether this is really KLEZ or not, not enough data.
http://vil.nai.com/vil/content/v_100343.htm (W32/Sobig.c@MM) which is klez like in how it picks its targets.... It's been on a rampage since Friday night.
---Mike
Daniel
participants (11)
- Chris Wedgwood
- Daniel Karrenberg
- Dominic J. Eidson
- Jack Bates
- Jerry Eyers
- jlewis@lewis.org
- Justin Shore
- Mike Tancsa
- Rob Thomas
- Stephen J. Wilcox
- Valdis.Kletnieks@vt.edu