Pesky spammers are using my mailbox

Hi,
seems some spammers are using one of my personal domains as the from field in
their emails, the local-part being random so I can't easily block it.

Has anyone any advice on tracking them down and making them stop?

All I get are the bounces, some include the original headers but that usually
gives an open relay as the origin.

I think I know the answer (you can't do anything) but I wanted to ask as it's very
annoying and I'm not happy!

PS Anyone around at the Sheraton today.. I can't spot anyone looking nanogish!

Steve
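One way to get something useful out of the bounces Steve describes, as an added example that is not from anyone in this thread: parse the original message quoted inside a DSN and walk its Received: chain from the bottom, which is where the client that injected the mail into the open relay appears. The domain foo.example, the outbound host list and all addresses and IPs are constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: a bounce that quotes the forged original's headers.
# foo.example is the hypothetical victim domain; IPs are documentation ranges.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.org
To: qz7k2p@foo.example
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="BND"

--BND
Content-Type: message/rfc822

Received: from relay.example.com (relay.example.com [198.51.100.7]) by mx.example.org with ESMTP; Sat, 7 Jun 2003 10:02:11 -0400
Received: from dsl-ppp (unknown [203.0.113.44]) by relay.example.com with SMTP; Sat, 7 Jun 2003 10:01:50 -0400
From: "Sales" <qz7k2p@foo.example>

--BND--
"""
OUR_DOMAIN = "foo.example"        # assumed: the domain being joe-jobbed
OUR_OUTBOUND = {"192.0.2.25"}     # assumed: hosts that legitimately send for it

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<rdns>[^\s\[]+)?\s*\[(?P<ip>[^\]]+)\])?", re.I)

def parse_hop(received):
    """Pull HELO name, reverse DNS and client IP out of one Received: header."""
    m = HOP_RE.search(" ".join(received.split()))
    return {k: (m.group(k) if m else None) for k in ("helo", "rdns", "ip")}

def extract_original(bounce):
    """Return the original message quoted in a DSN, or None if it is absent."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def analyze_bounce(raw):
    """Walk the original's Received chain; the bottom-most hop is the injection point."""
    orig = extract_original(message_from_string(raw, policy=policy.default))
    if orig is None:
        return None
    hops = [parse_hop(r) for r in orig.get_all("Received", [])]
    sender = parseaddr(str(orig.get("From", "")))[1]
    origin = hops[-1] if hops else None
    # Forged if it claims our domain but did not leave through one of our hosts.
    forged = (sender.endswith("@" + OUR_DOMAIN)
              and (origin is None or origin["ip"] not in OUR_OUTBOUND))
    return {"sender": sender, "hops": hops, "origin": origin, "forged": forged}
```

The top Received: line names only the relay that handed the mail to the bouncing MX; the bottom one, added by the relay itself, is what to quote when notifying the relay's provider.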

Tactical baseball bat at close range? :slight_smile:

I and a number of coworkers are getting similar bounces, except the
spammers are actually using our full email addresses as the from address.
The first few cases of this, I wrote off to things like KLEZ...but
recently I've gotten actual spam bounces where my work email address was
the original from.

I suppose it could possibly still be something like KLEZ and it's grabbing
a spam from their inbox and sending that out with a forged from.

There are known spamming viruses making their rounds that I believe behave like klez and others that use known email addresses. A couple of our customers have been infected by them and have had their computers unknowingly sending out spam.

Vinny Abello
Network Engineer
Server Management
vinny@tellurian.com
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN

There are 10 kinds of people in the world. Those who understand binary and those that don't.

jlewis@lewis.org wrote:

I and a number of coworkers are getting similar bounces, except the spammers are actually using our full email addresses as the from address. The first few cases of this, I wrote off to things like KLEZ...but recently I've gotten actual spam bounces where my work email address was the original from.

I suppose it could possibly still be something like KLEZ and it's grabbing a spam from their inbox and sending that out with a forged from.

A good section of my users get User unknown bounces from the AOL servers where spammers are using their spam lists not only as recipients, but to spoof senders. Most of the time, it's just two or three per user. There are cases where the remote server has to be contacted regarding the bounces to request that bounce handling for the domain be turned off.

-Jack

Hi, Stephen.

] seems some spammers are using one of my personal domains as the
] from field in their emails...

This is also happening to one of my domains. The spam advertised
two web sites, one in Brasil and the other in China. I attempted
to contact these folks, but the domain in China doesn't accept
inbound email. :confused: The hosts used to send the mail are all hacked
Windows boxes.

I notified all of the ISPs that had hacked hosts, but decided to
focus my energy on the two sites being advertised. I'm not
accusing them of launching the Joe Job, but I doubt a spammer
would randomly advertise these sites. Perhaps these two sites
hired a shady marketing group. Anyway, this is really all I could
do. The spam never uses my resources, except for the bounces. I
share your pain. :frowning:

] PS Anyone around at the Sheraton today.. I cant spot anyone looking
] nanogish!

I just arrived, and I look pretty darn NANOGish if I do say so
myself. :slight_smile:

Thanks,
Rob.

man 8 syslogd, section "SECURITY THREATS", #5.

You are being "joe jobbed". Your best bet is contacting a few of the
sites that are likely to be a little more clueful and see if they can get
you copies of the actual email in full from the recipient, spamtrap, or
spam archives.

This is happening more and more to the average joe. It used to rarely
happen to Joe Blow off the street but was actually a common occurrence to
anti-spammers (whack-a-mole a spammer a few times and then get very...
sad). There isn't much you can do about it. You might ask some of the
lists that actually deal in spam or ask NANAE (news.admin.net-abuse.email)
for further advice.

Procmail is your friend,
Justin

Block *all* addresses except those actually being used[1]... I had to
do this years ago for a customer who has '@foo.com -> mailbox' when
some moron spammed about 10e6 messages from <random>@foo.com and the
bounces began to hurt.

Dumping all but the few legitimate fed@foo.com, lucy@f00f.com or
whatever worked pretty well and the load on the system dropped
radically as things were stopping early in the SMTP conversation and
thus the system wasn't actually having to try to deal with much state
most of the time.

  --cw

[1] You probably also want to make sure postmaster@ works (RFC
    requirement) and probably abuse@ (procmail/vacation auto-responder
    exclaiming your innocence)

FWIW,

I'm having a feeling that someone harvested a bunch of addresses, possibly
from NANOG, and is using them as the sender address in pretend-to-be KLEZ
spams.. I have received several bounces lately, several of them appearing
to be KLEZ, all with me as the original sender - and yet, there's no
chance I was ever infected with KLEZ (No windows boxes here...)

Dominic J. Eidson wrote:

I'm having a feeling that someone harvested a bunch of addresses, possibly
from NANOG, and is using them as the sender address in pretend-to-be KLEZ
spams.. I have received several bounces lately, several of them appearing
to be KLEZ, all with me as the original sender - and yet, there's no
chance I was ever infected with KLEZ (No windows boxes here...)

The nature of KLEZ is that it spoofs the sender address. Anyone infected with KLEZ or one of the variants and on NANOG will likely send out klez spoofing as NANOG posters.

-Jack

I am quite aware of how KLEZ works - the sudden proliferation of NANOG-ers
who reported that they've gotten KLEZ-ish bounces due to spoofed sender
addresses, seemed a little too coincidental.

On the flip side, maybe there's still entirely too many people running
vulnerable email readers...</irony>

- d.

Just to add another data point:

The same thing started happening to me a few days ago. I do not know
any of the recipients of the bounces but some people I *do* know advised me
they are getting them. I cannot say whether this is really KLEZ or not,
not enough data.

Daniel

Add a “metoo” here. Unless we all have visited some other site in common…

Jerry

Our virus scanners set a new one-day record yesterday by catching 105,745
copies of Sobig.C - so there's certainly no vast improvement out there.

"Ooh, SHINY!" *click*

Argh. :wink:

Mine are not klez

And the email domain is not one I've ever sent to nanog, it's an old private
domain

Steve

>
> I'm having a feeling that someone harvested a bunch of addresses, possibly
> from NANOG, and is using them as the sender address in pretend-to-be KLEZ
> spams.. I have received several bounces lately, several of them appearing
> to be KLEZ, all with me as the original sender ....

> Just to add another data point:
>
> The same thing started happening to me a few days ago. I do not know
> any of the recipients of the bounces but some people I *do* know advised me
> they are getting them. I cannot say whether this is really KLEZ or not,
> not enough data.

http://vil.nai.com/vil/content/v_100343.htm (W32/Sobig.c@MM) which is Klez-like in how it picks its targets.... It's been on a rampage since Friday night.

         ---Mike