I'M Spamming but ... IT's NOT ME!! :¦


shmoes

Hey,

Well, I've got an issue. Someone is spamming TONS of emails between 5pm PST and 8am PST. They're using myname2@companyname.com as a reply email address. The thing is, if it was myname@companyname.com it would be a real email address, and the weird part is our domain name is quite long, and my name is long in itself, so it's not random.

Now, the problem is, we have a catch-all email system, so if someone sends an email to bob@company.com and the user types bbo@companyname.com, it will be redirected to a specified email address and can be sent to the appropriate person. This setup has worked for 2 years.

Now, someone is spamming using MY email address as the sender with a 2 added to it, and the catch-all is getting hundreds of bounce-backs. It's frustrating, as all the message sources are different...

Make sense? Any ideas?


~Shmoes

I lay claim to nothing and everything. My words may be wisdom or disaster. In the end you make a choice. No one is perfect.
 
Makes sense, happens all the time. Someone got hold of your address, or at least your domain, and fakes his own address to spam. This is a very common issue.
Block the bounces on your address with the 2 behind it.
That's about all you can do.
If you can get to see the original headers, check if the spams (not the bounces!) come from the same IP address or range; then you can fight back through that ISP.

Good luck!

Marc
If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!
 
Thanks Marc, I did try that already, but the range doesn't stay in a range. Some came from AOL servers, some from others. I'd say he/she is using multiple ISPs to spam. The majority say AOL, but not all of them.

Here are several email message sources from the spam, not the bounce-back. My company name has been xxx'd for obvious reasons.

Let me know what you think.

#1
____________________________________________________________

Received: from cafmap (a213-22-210-190.netcabo.pt [213.22.210.190]) by rly-xf01.mx.aol.com (v93.12) with ESMTP id MAILRELAYINXF16-3d03ec60593ce; Sat, 17 May 2003 05:49:09 -0400
From: xxxxxxxxx@xxxxxxxxxxxxxx.com
To: ylaser@aol.com
Subject: gates
Sender: xxxxxxxxxx2@xxxxxxxxxxxxxx.com
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Date: Sat, 17 May 2003 10:45:52 +0100
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Message-ID: <200305170549.06FMUOPa00838@rly-xf01.mx.aol.com>


____________________________________________________________
#2


Received: from jsm-server ([213.13.208.183]) by rly-xn01.mx.aol.com (v93.12) with ESMTP id MAILRELAYINXN13-6253ec5f66d1f0; Sat, 17 May 2003 04:44:32 2000
From: xxxxxxxxxx2@xxxxxxxxxxxxxxx.com
To: chryb820@aol.com
Subject: damn
Sender: xxxxxxxxxx2@xxxxxxxxxxxxxxx.com
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Date: Sat, 17 May 2003 09:43:23 -0700
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Message-ID: <200305170444.03EFUJIImxW9H@rly-xn01.mx.aol.com>

------------------------------------------------------------
#3

Return-Path: <xxxxxxxxxx2@xxxxxxxxxxxxxxx.com>
Received: from repeek (218-164-38-204.HINET-IP.hinet.net [218.164.38.204])
by mail2.bbs-la.com (8.11.6/8.11.6) with SMTP id h4H8kO331740
for <cigs5@bbs-la.com>; Sat, 17 May 2003 01:46:25 -0700
Message-Id: <200305170846.h4H8kO331740@mail2.bbs-la.com>
From: xxxxxxxxxx2@xxxxxxxxxxxxxxx.com
To: cigs5@bbs-la.com
Subject: Re: .. heh
Sender: xxxxxxxxxx2@xxxxxxxxxxxx.com
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Date: Wed, 16 Apr 2003 16:58:17 +0800
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

------------------------------------------------------------
#4

Message-ID: <20030517090734.5914440322@s5.mail-in.isp.nyc.eggn.net>
From: xxxxxxxxxx2@xxxxxxxxxxxxxxx.com
To: cmasi@bejh.com
Subject: damn
Date: Sat, 17 May 2003 05:21:14 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
X-MS-Embedded-Report:
Content-Type: text/plain;
charset="iso-8859-1"

-----------------------------------------------------------
#5

Received: from server ([213.13.226.60]) by rly-xl05.mx.aol.com (v93.12) with ESMTP id MAILRELAYINXL57-5d93ec6017e35a; Sat, 17 May 2003 05:31:43 -0400
From: xxxxxxxxxx@xxxxxxxxxxxxxxx.com
To: vades@aol.com
Subject: Re: Outlook
Sender: xxxxxxxxxx2@xxxxxxxxxxxxxxx.com
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Date: Sat, 17 May 2003 10:42:59 +0100
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Message-ID: <200305170531.07FWDMJWxGXkf@rly-xl05.mx.aol.com>



~Shmoes

I lay claim to nothing and everything. My words may be wisdom or disaster. In the end you make a choice. No one is perfect.
 
Sorry, but the mail address does not matter; that can be faked.
What you need to look for on all or most messages is in the header: what the sender's IP address or range is, which will be somewhere at the bottom, like (IP in BOLD):
Note: this is just a possibility, no guarantees; you will still need to block that spammed address (or live with it).

Received: from mail06.emailsplease.com (mail06.emailsplease.com [216.66.15.6])
by xxx.xxxxxxxx.be (Postfix) with ESMTP id 8B5C647E41 for <xxxxx@xxxxxx.be>; Sat, 17 May 2003 20:15:18 +0200 (MEST)
Received: (from daemon@localhost)
by mail06.emailsplease.com (8.8.8/8.8.8) id MAA22652;
Sat, 17 May 2003 12:17:10 -0400 (EDT)
Date: Sat, 17 May 2003 12:17:10 -0400 (EDT)
Message-Id: <200305171617.MAA22652@mail06.emailsplease.com>
From: Claim Cellphone <freesamples@mail06.emailsplease.com>
...... etc....


PS: Block NDR and Out of Office messages to the Internet; that is something spammers use to check valid addresses.

Marc
If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!
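Marc's two pieces of advice (find the injecting IP in the bottom-most Received: line of the spam itself, and drop the bounces addressed to the forged "2" address at the catch-all) can be scripted. The block below is an added example, not code from the thread or from Tek-Tips; the sample headers are constructed after the ones posted above, with the x'd company domain replaced by the placeholder example.com, the forged address assumed to be myname2@example.com, and the bounce message and its 192.0.2.x relay addresses invented for illustration. It uses only the Python standard library.

```python
import email
import ipaddress
import re
from collections import Counter
from email.utils import parseaddr

# Assumed forged address (the real one is x'd out in the thread).
SPOOFED = "myname2@example.com"

# Constructed samples modelled on spam #1, #2 and #3 from the post.
SPAM_SAMPLES = [
    "Received: from cafmap (a213-22-210-190.netcabo.pt [213.22.210.190])"
    " by rly-xf01.mx.aol.com (v93.12) with ESMTP id MAILRELAYINXF16-3d03ec60593ce;"
    " Sat, 17 May 2003 05:49:09 -0400\n"
    "From: myname@example.com\nTo: ylaser@aol.com\n"
    "Sender: myname2@example.com\nSubject: gates\n\nbody\n",
    "Received: from jsm-server ([213.13.208.183]) by rly-xn01.mx.aol.com (v93.12)"
    " with ESMTP id MAILRELAYINXN13-6253ec5f66d1f0; Sat, 17 May 2003 04:44:32 -0400\n"
    "From: myname2@example.com\nTo: chryb820@aol.com\n"
    "Sender: myname2@example.com\nSubject: damn\n\nbody\n",
    # folded Received: header, as in sample #3
    "Return-Path: <myname2@example.com>\n"
    "Received: from repeek (218-164-38-204.HINET-IP.hinet.net [218.164.38.204])\n"
    "\tby mail2.bbs-la.com (8.11.6/8.11.6) with SMTP id h4H8kO331740\n"
    "\tfor <cigs5@bbs-la.com>; Sat, 17 May 2003 01:46:25 -0700\n"
    "From: myname2@example.com\nTo: cigs5@bbs-la.com\nSubject: Re: .. heh\n\nbody\n",
]

# Constructed bounce (NDR) hitting the catch-all; the relay IPs are invented.
BOUNCE_SAMPLE = (
    "Return-Path: <>\n"
    "Received: from rly-xf01.mx.aol.com (rly-xf01.mx.aol.com [192.0.2.20])\n"
    "\tby mx.example.com (Postfix) with ESMTP id 1A2B3C; Sat, 17 May 2003 05:50:00 -0400\n"
    "Received: from rly-xf01.mr.aol.com ([192.0.2.21]) by rly-xf01.mx.aol.com;\n"
    "\tSat, 17 May 2003 05:49:50 -0400\n"
    "From: MAILER-DAEMON@aol.com\nTo: myname2@example.com\n"
    "Subject: Mail Delivery Failure\n\nYour message could not be delivered.\n"
)

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def origin_ip(raw):
    """IP of the host that injected the message, or None.

    Every relay prepends its own Received: line, so the header order is
    newest first and the LAST Received: line is the earliest hop, the one
    the spammer could not avoid. A forged Received: line below it, or an
    open relay, can still hide the true source, so treat it as a lead.
    """
    received = email.message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    m = IPV4_IN_BRACKETS.search(received[-1])
    return m.group(1) if m else None


def is_bounce(raw):
    """Delivery status notification: null reverse path or MAILER-DAEMON sender."""
    msg = email.message_from_string(raw)
    reverse_path = (msg.get("Return-Path") or "").strip()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return reverse_path == "<>" or sender.startswith(("mailer-daemon@", "postmaster@"))


def is_backscatter_to(raw, spoofed):
    """A bounce addressed to the forged address: the catch-all should drop it."""
    rcpt = parseaddr(email.message_from_string(raw).get("To", ""))[1].lower()
    return is_bounce(raw) and rcpt == spoofed.lower()


def claims_sender(raw, spoofed):
    """True if From: or Sender: carries the forged address (the spam itself)."""
    msg = email.message_from_string(raw)
    return spoofed.lower() in [parseaddr(msg.get(h, ""))[1].lower() for h in ("From", "Sender")]


def origin_summary(raws):
    """Count injecting IPs per /24 to see whether the spam clusters in one range."""
    nets = Counter()
    for raw in raws:
        ip = origin_ip(raw)
        if ip:
            nets[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += 1
    return nets


if __name__ == "__main__":
    for i, raw in enumerate(SPAM_SAMPLES, 1):
        print(f"spam #{i}: forged sender={claims_sender(raw, SPOOFED)} injected from {origin_ip(raw)}")
    print("spam origins by /24:", dict(origin_summary(SPAM_SAMPLES)))
    print("bounce origin (the relay, not the spammer):", origin_ip(BOUNCE_SAMPLE))
    print("drop at catch-all:", is_backscatter_to(BOUNCE_SAMPLE, SPOOFED))
```

Run over the three posted samples, the summary shows three different /24s in two countries, which is the "no single range" result shmoes reported. Note that the bounce's bottom Received: line only points at the relay that generated it, which is why Marc insists on reading the headers of the spam, not the bounces.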
 