
SPAM: Bounces from Own Address / Odd Junk Mail



wyntermoon
01-13-2008, 07:13 PM
EEEK! The email I use for writing is apparently sending out spams which are then bounced back to me. I'm currently getting about 1,000 a day in my spam/inbox. I've transferred what information I need to a new gmail account but I'm worried I'll miss someone trying to get a hold of me via that account of the queries I've sent out in the last week.

The spam filters are on high and I haven't downloaded anything from past emails (that were legit), what can I do? Godaddy stinks! :(

benbradley
01-13-2008, 11:03 PM
It's probably nothing you did to start it, and perhaps little you can do to stop it, spammers have lists of millions of emails and pick a few to go in the "From": and "Reply-to:" fields (yes, these fields are totally insecure in email, and anyone can forge anyone else's address in these fields), and when they pick your address, the bounces (and perhaps emails from anyone who hits reply and writes "stop sending me spam!") go to you.

If your email program has 'filters' or 'rules' you can use to move received emails to different folders (such as you're on various mailing lists, and the messages for each one go to a folder for that mailing list), you can set up a rule based on the subject line(s) of the spam that moves them into a folder. If there are many subject lines, this can be a pain, but perhaps there's something else all the bounces have in common that you can filter on. This should then leave your inbox (mostly) free of these bounces.

But the email headers do tell more of a story, if not the actual origination point, perhaps an 'open relay' the spammer is abusing to send spam through, or maybe it's sent out by zombies (average DSL users' infected computers).

Do you know how to get email headers? If you PM me with one or two of the spams with complete headers I'll look and see if I can do anything. This tells how to get headers in most email programs:
http://www.claws-and-paws.com/spam-l/tracking.html#headers
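An added example, not part of benbradley's post: a filter rule of the kind he describes, written in Python with the standard library. Rather than keying on subject lines (there are dozens), it keys on what every bounce has in common: the empty reverse path (`Return-Path: <>`, or qmail's `envelope-sender <>` note in a `Received:` line), the `Auto-Submitted:` header, the `multipart/report` container, or the sending daemon's conventional name. The sample messages are constructed for the demo; the hostnames in them are placeholders.

```python
"""Sort backscatter (bounces of spam that forged your address) out of the inbox.

Signals are checked strongest first; the subject line is deliberately the
weakest and only earns a "review" folder, because a human writing to you
about the bounces would match a subject-only rule too.
"""
import email
import re

DAEMON_FROM = re.compile(r"mailer-daemon|postmaster|mail delivery (?:system|subsystem)", re.I)
BOUNCE_SUBJECT = re.compile(
    r"undeliver|delivery (?:status|failure)|failure notice|returned mail|"
    r"warning: message .*delayed|mail delivery failed", re.I)


def classify(raw):
    """Return the folder name for one RFC 822 message given as a string."""
    msg = email.message_from_string(raw)
    # 1. Strong signals: every standards-conforming delivery report is sent
    #    with an empty envelope sender (visible as Return-Path: <> once it
    #    lands, or in qmail's "(envelope-sender <>)" annotation), and most
    #    also carry Auto-Submitted: or a multipart/report body.
    if msg.get("Return-Path", "").strip() == "<>":
        return "bounces"
    if any("envelope-sender <>" in r for r in msg.get_all("Received", [])):
        return "bounces"
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return "bounces"
    if msg.get_content_type() == "multipart/report":
        return "bounces"
    # 2. Weaker: the daemon's conventional sender names.
    if DAEMON_FROM.search(msg.get("From", "")):
        return "bounces"
    # 3. Weakest: subject wording. Park for a human look, don't auto-file.
    if BOUNCE_SUBJECT.search(msg.get("Subject", "")):
        return "review"
    return "inbox"


def sort_mailbox(raws):
    """Map folder name -> list of subjects, for a batch of raw messages."""
    folders = {}
    for raw in raws:
        subject = email.message_from_string(raw).get("Subject", "")
        folders.setdefault(classify(raw), []).append(subject)
    return folders


# Constructed samples (placeholder hosts); xxx@xxx stands for the forged address.
SAMPLE_EXIM = """\
Received: from unknown (HELO mail.example.net) ([192.0.2.10])
  (envelope-sender <>)
  by mx.example.com (qmail-1.03) with SMTP; 16 Jan 2008 16:04:20 -0000
Auto-Submitted: auto-replied
From: Mail Delivery System <Mailer-Daemon@mail.example.net>
To: xxx@xxx
Subject: Warning: message 1ABCDE-000123-XY delayed 72 hours

A message that you sent has not yet been delivered.
"""
SAMPLE_DSN = """\
Return-Path: <>
From: Mail Delivery Subsystem <MAILER-DAEMON@mx.example.org>
To: xxx@xxx
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The following address failed: nobody@example.org
--b1--
"""
SAMPLE_DAEMON = """\
From: MAILER-DAEMON@relay.example.org
To: xxx@xxx
Subject: failure notice

Hi. This is the qmail-send program.
"""
SAMPLE_HUMAN = """\
From: Alice <alice@example.org>
To: xxx@xxx
Subject: Re: Warning: message from you delayed?

Did your note to the editor ever arrive?
"""
SAMPLE_NEWSLETTER = """\
From: Writers List <list@example.com>
To: xxx@xxx
Subject: Markets update, January

New markets open this month.
"""

if __name__ == "__main__":
    for folder, subjects in sort_mailbox(
            [SAMPLE_EXIM, SAMPLE_DSN, SAMPLE_DAEMON, SAMPLE_HUMAN, SAMPLE_NEWSLETTER]).items():
        print(folder, subjects)
```

The caveat: this rule also files the genuine bounces of mail you really sent. The way to tell them apart is that a genuine one quotes a message your own server handled (its returned headers show your MTA in the `Received:` chain), whereas backscatter quotes something you never sent. A domain that publishes an SPF record gets somewhat less of this, because receivers that check SPF at SMTP time reject the forged spam outright instead of accepting it and bouncing it to you.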

L M Ashton
01-14-2008, 05:38 AM
It's possible that your email server is being used to send out spam if your email server is open. If that's the case, then you can expect that your email server will be blacklisted and no one will receive email from you until you get this resolved - all your email would be marked as spam.

Is your email addy from your own domain or an ISPs domain? Are you talking about a gmail email address? If you're talking about a gmail email address, then what I mentioned above is not the case.
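An added example, not from the thread: the open-relay test L M Ashton is talking about (and that benbradley offers to run further down), in Python. The server is asked to accept a message from one outside address to another outside address; a correctly configured server refuses at `RCPT TO` (usually 550 "relaying denied"), an open relay answers 250. Nothing is delivered: the session is reset before `DATA`. `ScriptedServer` is a stand-in for `smtplib.SMTP` so the logic runs offline; the `example.org`/`example.net` test addresses are assumed to be foreign to the server under test.

```python
"""Open-relay probe: would this MTA accept mail it is not responsible for?"""
import smtplib


def probe_open_relay(smtp, mail_from="relaytest@example.org",
                     rcpt_to="relaytest@example.net"):
    """Drive an smtplib.SMTP-compatible session; report the RCPT verdict.

    Both addresses must be in domains the server does not host, otherwise a
    250 just means "that is one of mine" and proves nothing.
    """
    code, _ = smtp.ehlo()
    if code != 250:
        code, _ = smtp.helo()
        if code != 250:
            smtp.quit()
            return {"open_relay": False, "stage": "HELO", "code": code}
    code, _ = smtp.mail(mail_from)
    if code != 250:
        smtp.quit()
        return {"open_relay": False, "stage": "MAIL", "code": code}
    code, _ = smtp.rcpt(rcpt_to)
    try:
        smtp.rset()          # abandon the transaction: never reach DATA
    finally:
        smtp.quit()
    # 250/251 at RCPT = accepted for relay; 5xx = correctly closed
    return {"open_relay": code in (250, 251), "stage": "RCPT", "code": code}


def probe_host(host, port=25, timeout=10):
    """Run the probe against a live server you are authorised to test."""
    return probe_open_relay(smtplib.SMTP(host, port, timeout=timeout))


class ScriptedServer:
    """Offline stand-in for smtplib.SMTP that answers RCPT with a fixed code."""

    def __init__(self, rcpt_code):
        self.rcpt_code = rcpt_code
        self.transcript = []

    def ehlo(self):
        return 250, b"ok"

    def helo(self):
        return 250, b"ok"

    def mail(self, sender):
        self.transcript.append(f"MAIL FROM:<{sender}>")
        return 250, b"ok"

    def rcpt(self, recipient):
        self.transcript.append(f"RCPT TO:<{recipient}>")
        return self.rcpt_code, b"Relaying denied" if self.rcpt_code >= 500 else b"ok"

    def rset(self):
        self.transcript.append("RSET")
        return 250, b"ok"

    def quit(self):
        self.transcript.append("QUIT")
        return 221, b"bye"


if __name__ == "__main__":
    for code in (250, 550):
        server = ScriptedServer(code)
        print(probe_open_relay(server), server.transcript)
```

Two things to keep in mind when reading the result: relay rules are usually keyed on the connecting client's IP, so run the probe from outside your own network (from inside, your own MTA is supposed to relay for you); and a 250 at `RCPT` is a strong sign but not proof, since some servers accept the recipient and only reject or discard the message at `DATA` time. Only probe servers you own or have permission to test.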

Fahim
01-14-2008, 05:49 AM
I took your original post to mean that your GMail address was receiving bounces because you said you got a "new GMail address" but if that's not the case, in addition to what Laurie mentions, your server/website might be exploited (if you have one) to send out malicious mail as well. Insecurely written scripts (especially contact forms) can be used by spammers to send out mails to hundreds of people via your server. In such an instance, the sender of the mail is given as whatever address that was set in your script and so all the bounces will come back to you. Just another thing to watch out for ...
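An added example (mine, not Fahim's): the insecurely written contact form he warns about, next to a hardened version. The classic bug is pasting a visitor's name or address straight into the header block handed to the mail transport (the pattern of PHP `mail()` with an "additional headers" argument); a CR/LF in the input lets the visitor append `Bcc:` lines of their own, and every copy goes out with the site's own `From:`, so every bounce comes back to the site owner. Written in Python with the standard library; `SITE_FROM`, `SITE_TO` and the payload addresses are placeholders.

```python
"""Contact-form mail building: the injectable version beside a hardened one."""
import re
from email.message import EmailMessage
from email.policy import SMTP
from email.utils import formataddr

SITE_FROM = "webmaster@example.com"   # placeholder site address
SITE_TO = "owner@example.com"         # placeholder form recipient


def build_vulnerable(name, reply_to, body):
    """Return the raw message exactly as a naive script would hand it off.

    The visitor's fields go into the header block by string concatenation,
    so a CR/LF inside them starts a new header line of the attacker's choosing.
    """
    headers = (
        f"From: {SITE_FROM}\r\n"
        f"To: {SITE_TO}\r\n"
        f"Reply-To: {name} <{reply_to}>\r\n"
        "Subject: Contact form\r\n"
    )
    return headers + "\r\n" + body


_CRLF = re.compile(r"[\r\n]")
_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def build_hardened(name, reply_to, body):
    """Refuse header-breaking input; let the email library quote and fold."""
    if _CRLF.search(name) or _CRLF.search(reply_to):
        raise ValueError("CR/LF not allowed in header fields")
    if not _ADDR.match(reply_to):
        raise ValueError("invalid reply address")
    msg = EmailMessage(policy=SMTP)
    msg["From"] = SITE_FROM
    msg["To"] = SITE_TO
    msg["Reply-To"] = formataddr((name, reply_to))   # quotes the display name
    msg["Subject"] = "Contact form"
    msg.set_content(body)                            # body never touches headers
    return msg


def injected_recipients(raw):
    """Parse a raw message back and list every Bcc: address a transport would honour."""
    head = raw.split("\r\n\r\n", 1)[0]
    found = []
    for line in head.split("\r\n"):
        if line.lower().startswith("bcc:"):
            found += [a.strip() for a in line[4:].split(",")]
    return found


# Constructed payload: breaks out of Reply-To:, adds a Bcc: list, then swallows
# the script's trailing " <address>" into a harmless dummy header.
ATTACK_NAME = ("Bob\r\n"
               "Bcc: victim1@example.net, victim2@example.net\r\n"
               "X-Ignore: ")

if __name__ == "__main__":
    print(build_vulnerable(ATTACK_NAME, "attacker@example.net", "hello"))
    print(injected_recipients(build_vulnerable(ATTACK_NAME, "attacker@example.net", "hello")))
    try:
        build_hardened(ATTACK_NAME, "attacker@example.net", "hello")
    except ValueError as exc:
        print("rejected:", exc)
```

A real payload usually also injects a blank line so the attacker's text replaces the body; the same CR/LF check stops that. The `Return-Path`/envelope sender matters as much as `From:` here: whatever address the script (or the web server's default) puts on the envelope is where the bounces land.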

wyntermoon
01-17-2008, 04:43 AM
Oh no! I'm sorry, I lost track of this thread and now I'm as freaked out as ever. The email in question is not gmail but from my own domain.

Fahim, you just scared the pants off me. :(

Thanks for checking on me though!

sigh.

Fahim
01-17-2008, 05:26 AM
Oh no! I'm sorry, I lost track of this thread and now I'm as freaked out as ever. The email in question is not gmail but from my own domain.

Fahim, you just scared the pants off me. :(


Sorry wyntermoon, didn't mean to scare you. Just wanted you to be aware of all the possibilities. I thought you were working this out with benbradley via PM? Because simply by looking at your e-mail headers, you can figure out if the mail was actually sent from your domain/server or from a completely different location with your address set as the "from" and/or "reply to" address. If you haven't had ben take a look at it, I'd be happy to walk you through retrieving your e-mail headers in this thread so that it would help others who might face the same issue :)

benbradley
01-17-2008, 10:00 AM
Sorry wyntermoon, didn't mean to scare you. Just wanted you to be aware of all the possibilities. I thought you were working this out with benbradley via PM?
Nope, I'm still waiting with free space for over ten PM's...

Because simply by looking at your e-mail headers, you can figure out if the mail was actually sent from your domain/server or from a completely different location with your address set as the "from" and/or "reply to" address.
You can post the headers here, and we don't need your actual address forged in the spam, you can xxx that part out when you paste the headers, but we do need the domain name part (the part to the right of the @ sign). From your sig, it appears you have several domains. I just had an idea, I think I can at least test them to see if any of them are open relays.

If you haven't had ben take a look at it, I'd be happy to walk you through retrieving your e-mail headers in this thread so that it would help others who might face the same issue
I still think that by far the most likely explanation is your email address is 'forged' in the spam, thus the spammer is just exploiting a general security problem with how email works, and not exploiting any problem with your domain in particular.

But even so, it's always a good idea to check things out. If one spammer is abusing your system, it's a sure bet that other spammers will find it (if by nothing else, looking at the origin of this spam and finding the machine YOUR domain is on is an open relay, or has an abusable script as Fahim suggested) and start abusing it too. This is the kind of thing (abuse/overuse of Internet systems by spammers) that results in systems crashing and loss of actual email you wanted to receive, and it's just one of many things that makes spammers SO BAD...:rant:

Fahim
01-17-2008, 10:57 AM
If one spammer is abusing your system, it's a sure bet that other spammers will find it (if by nothing else, looking at the origin of this spam and finding the machine YOUR domain is on is an open relay, or has an abusable script as Fahim suggested) and start abusing it too. This is the kind of thing (abuse/overuse of Internet systems by spammers) that results in systems crashing and loss of actual email you wanted to receive, and it's just one of many things that makes spammers SO BAD...:rant:

Not to mention some overeager/lazy sysadmins at some webhosts simply blocking scripts/folders instead of actually figuring out where the issue is :) I've been on that end of things where sometimes you have hundreds of mails going out per second/minute and destabilizing the server. Usually, we investigate, find the security hole and disable just that script. But sometimes, people simply block everything and blame the owner of the account. Not saying that this is the case in this instance, but rather, explaining things a bit more in detail since I think I'm going to sticky this thread once the issue is resolved :)

Additionally, I know that ben already posted a link on how to get your e-mail headers and it's very comprehensive. But for the sake of posterity (in case that link goes AWOL) and for clarity, I'm copying and pasting the important bits from there and adding a few changes for clarity:

How to view your mail headers

Elm, Pine, and Mutt
Press "h" from the message selection menu to view the full headers of the currently selected message.

Eudora
Open the message. Under the title bar are four options. The second from the left is a box which says "Blah, Blah, Blah." Click on that to display the full headers.

Hotmail
Go into "Options", "Preferences", and choose "Message headers". You'll want to choose the "Full" option to display Received: headers. "Advanced" will display that as well as MIME headers. Do note, however, that sometimes Hotmail has to press some previous generation mailservers into service, and messages sent through those mailservers won't show any headers no matter what. :-(

Lotus Notes 4.6.x
Open the offending mail. Click on "Actions", then "Delivery information". Cut and paste the text from the bottom box, marked "Delivery information:".

Netscape Mail
Choose "OPTIONS" from the options menu bar. Listed as an option is "Show Headers". Choose full headers.

Outlook Express
Open the message. Choose "File" from the options menu bar. Listed as an option is "properties". Another window will open, showing two tabs. You want to choose the one titled "Details". Then cut and paste the headers into the message you want to forward.

Outlook 2000/XP
Double click on the message to open it up, click on "View --> Options", and you will see the message headers in a box at the bottom of the window. You can copy/paste them from that window.

Outlook 2007
Select the message on your message list and right-click on it to get a context menu. Select "Message Options". The dialog which opens up will have the headers listed at the bottom under "Internet Headers". You can copy/paste them from that window.

Pegasus
Choose "READER" from the options menu bar. Listed as an option is: "Show all Headers". This does not work for HTML messages, however. A workaround is to select the message properties, and de-selecting "Contains HTML data".

Thunderbird
Select View - Headers - All from the main menu. Now when you view a message (either in the preview pane or in a new window) it will display the full headers for the message. Unfortunately, it does not allow you to select all the headers. You can only select individual lines and copy them. So a screenshot might be your best option here.

wyntermoon
01-17-2008, 06:31 PM
Ben, you are fabulous and I apologize for not taking care of this sooner. I owe you and Fahim big globby love RPs for the rest of our natural days. :D

And now to the header:

Received: (qmail 27612 invoked from network); 16 Jan 2008 16:04:20 -0000
Received: from unknown (HELO pre-smtp25-02.prod.mesa1.secureserver.net) ([64.202.166.87])
(envelope-sender <>)
by smtp08-02.prod.mesa1.secureserver.net (qmail-1.03) with SMTP
for <[email protected]>; 16 Jan 2008 16:04:20 -0000
Received: (qmail 22488 invoked from network); 16 Jan 2008 16:04:20 -0000
Received: from unknown (HELO server.mipaginaoficial.com) ([66.7.199.124])
(envelope-sender <>)
by pre-smtp25-02.prod.mesa1.secureserver.net (qmail-ldap-1.03) with SMTP
for <[email protected]>; 16 Jan 2008 16:04:20 -0000
Received: from mailnull by server.mipaginaoficial.com with local (Exim 4.68)
id 1JFAkV-0000MS-4l
for [email protected]; Wed, 16 Jan 2008 11:04:19 -0500
Auto-Submitted: auto-replied
From: Mail Delivery System <[email protected]>
To: [email protected]
Subject: [SPAM] Warning: message 1JDlZ1-0002U5-7M delayed 72 hours
Message-Id: <[email protected]>
Date: Wed, 16 Jan 2008 11:04:19 -0500
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.mipaginaoficial.com
X-AntiAbuse: Original Domain - xxx
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Source:
X-Source-Args:
X-Source-Dir:
X-Spam: Statistical 85%


This message was created automatically by mail delivery software.
A message that you sent has not yet been delivered to one or more of its
recipients after more than 72 hours on the queue on server.mipaginaoficial.com.

The message identifier is: 1JDlZ1-0002U5-7M
The subject of the message is: Your family
The date of the message is: Sat, 12 Jan 2008 19:58:05 -0100
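An added example, not part of wyntermoon's post: walking the `Received:` chain of the headers above in Python, the way benbradley and Fahim describe doing by eye. Each MTA prepends its own `Received:` line, so the topmost is the last hop and the bottommost is where the message was generated. The sample is the posted header block with the forged recipient replaced by `xxx@xxx`, as the forum did; qmail's "invoked from network" lines carry no relay information and are skipped.

```python
"""Trace the Received: chain of a message back to its origin."""
import email
import re

# "from <name> [(HELO <claimed>)] [([ip])] ... by <host>"; HELO and IP are
# optional because locally generated mail ("with local") has neither.
HOP_RE = re.compile(
    r"^from (?P<from>\S+)"
    r"(?:\s+\(HELO (?P<helo>\S+)\))?"
    r"(?:\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\))?"
    r".*?\bby (?P<by>\S+)",
)


def parse_hops(msg):
    """Return relay hops oldest-first, one dict per Received: line that
    actually records a handoff."""
    hops = []
    for raw in msg.get_all("Received", []):
        value = " ".join(raw.split())            # unfold continuation lines
        m = HOP_RE.match(value)
        if not m:
            continue                             # e.g. "(qmail 27612 invoked ...)"
        hop = m.groupdict()
        hop["local"] = " with local " in f" {value} "   # generated on 'by' host
        hop["null_sender"] = "envelope-sender <>" in value  # qmail's DSN marker
        hops.append(hop)
    hops.reverse()
    return hops


def analyse(raw_message):
    msg = email.message_from_string(raw_message)
    hops = parse_hops(msg)
    first = hops[0]
    # A "with local" first hop means the message was created on that host.
    # Otherwise the origin is the IP that connected; the HELO name next to
    # it is only what that client claimed to be and can be forged.
    origin = first["by"] if first["local"] else first["ip"]
    return {
        "origin": origin,
        "path": [h["by"] for h in hops],
        "hops": hops,
        "null_sender": any(h["null_sender"] for h in hops),
    }


# The header block from the thread, recipient redacted as xxx@xxx.
SAMPLE = """\
Received: (qmail 27612 invoked from network); 16 Jan 2008 16:04:20 -0000
Received: from unknown (HELO pre-smtp25-02.prod.mesa1.secureserver.net) ([64.202.166.87])
  (envelope-sender <>)
  by smtp08-02.prod.mesa1.secureserver.net (qmail-1.03) with SMTP
  for <xxx@xxx>; 16 Jan 2008 16:04:20 -0000
Received: (qmail 22488 invoked from network); 16 Jan 2008 16:04:20 -0000
Received: from unknown (HELO server.mipaginaoficial.com) ([66.7.199.124])
  (envelope-sender <>)
  by pre-smtp25-02.prod.mesa1.secureserver.net (qmail-ldap-1.03) with SMTP
  for <xxx@xxx>; 16 Jan 2008 16:04:20 -0000
Received: from mailnull by server.mipaginaoficial.com with local (Exim 4.68)
  id 1JFAkV-0000MS-4l
  for xxx@xxx; Wed, 16 Jan 2008 11:04:19 -0500
Auto-Submitted: auto-replied
From: Mail Delivery System <xxx@xxx>
Subject: [SPAM] Warning: message 1JDlZ1-0002U5-7M delayed 72 hours

This message was created automatically by mail delivery software.
"""

if __name__ == "__main__":
    result = analyse(SAMPLE)
    print("origin:", result["origin"])
    for hop in result["hops"]:
        print(f"  {hop['from']} (helo={hop['helo']}, ip={hop['ip']}) -> {hop['by']}")
```

What it says about this message: it was generated locally (`from mailnull ... with local`) on `server.mipaginaoficial.com`, an Exim box, then handed to GoDaddy's inbound relays at 64.202.166.87 and on to the mailbox, with an empty envelope sender the whole way. That is a delivery report from the remote server, not mail that passed through wyntermoon's own domain. It also says nothing about where the spam itself came from: an Exim "delayed 72 hours" warning quotes only the subject and date of the original, so the original's own `Received:` chain is missing, which is exactly the point Fahim makes in the next post.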

Fahim
01-17-2008, 07:24 PM
My apologies, I missed one important thing in all this focus on headers - the mail you're getting is actually bounces, right? If so, then looking at the mail header will only tell us where it was bounced from. However, the bounce mail should have the contents of the original message including the headers. That's what we'd need to take a look at to see where the mail originated from - your server itself or somewhere else.

In the meantime, please feel free to remove the previous headers since it does contain your e-mail address. Or if you'd like me to remove just your e-mail address, please let me know and I'll do it :)

IceCreamEmpress
01-18-2008, 06:27 AM
I had this happen to me a while back. Someone in the Czech Republic was spoofing my domain address. It was a huge hassle and some of my clients didn't get my emails, etc.

Kendra
01-24-2008, 07:16 AM
Is anyone else getting this kind of crap? I started receiving it a few weeks ago and it's increasing in volume. It isn't even spam, because it isn't advertising anything. There is no message except for a numbered link such as this one: http://124.106.198.20/ (or something similar) which leads absolutely nowhere. It cannot be opened. And that's it.

Why would anyone send junk like this? I can't see a motive, except for sheer nastiness. Is there any way I can stop it? And I'm not keen to use junk filters, as they tend to throw out stuff I want along with the garbage. Thanks in advance. :-)

[Spammer e-mail addresses removed]

Fahim
01-24-2008, 07:53 AM
This is just the latest crop of spam. I've been getting a lot of that too as have other people I know. If you won't use junk mail filters, then there's not much to be done except to delete the stuff as it comes in or report it to places like SpamCop. Of course, I've been reporting every instance of these mails to SpamCop but that doesn't seem to be doing anything that I can notice.

Incidentally, clicking links on a mail that's from somebody you don't know (or a known spammer), really isn't a good thing to do. Some of these sites lead to links which are set up to take advantage of certain browser vulnerabilities in any browser used to view the site.

Kendra
01-24-2008, 08:55 AM
This is just the latest crop of spam. I've been getting a lot of that too as have other people I know. If you won't use junk mail filters, then there's not much to be done except to delete the stuff as it comes in or report it to places like SpamCop. Of course, I've been reporting every instance of these mails to SpamCop but that doesn't seem to be doing anything that I can notice.

Incidentally, clicking links on a mail that's from somebody you don't know (or a known spammer), really isn't a good thing to do. Some of these sites lead to links which are set up to take advantage of certain browser vulnerabilities in any browser used to view the site.

Thanks for the warning, Fahim. I won't click on any more links. I already had a horrible time with Malware Alarm. :-) I didn't know about SpamCop. I'll look into that.

Kendra
01-25-2008, 12:07 AM
Does anyone know *how* they get our email address?

Fahim
01-25-2008, 05:00 AM
Does anyone know *how* they get our email address?

From websites, from forum posts, from a lot of places online. Spammers have automated scripts called bots which go through sites looking for what might look like an e-mail address and add these addresses to their spamming lists. They even sell these lists to other people.

And of course, there are those not-very-ethical websites which ask you to sign up to use the site and then promptly turn around and sell your e-mail address to spammers or use your address to spam you, themselves.

There used to be a time when people advocated using a throw-away (a temporary) e-mail address to sign up for sites. I don't know if that works but I simply use GMail for any site signup since GMail's spam filters are rather impressive.

As far as posting your e-mail address online, rather than posting an address like me@myaccount.com (which will be harvested by a bot), you should use the me (at) myaccount (dot) com or some other format that a human can understand but a computer might not be able to :)

Kendra
01-25-2008, 05:34 AM
From websites, from forum posts, from a lot of places online. Spammers have automated scripts called bots which go through sites looking for what might look like an e-mail address and add these addresses to their spamming lists. They even sell these lists to other people.

And of course, there are those not-very-ethical websites which ask you to sign up to use the site and then promptly turn around and sell your e-mail address to spammers or use your address to spam you, themselves.

There used to be a time when people advocated using a throw-away (a temporary) e-mail address to sign up for sites. I don't know if that works but I simply use GMail for any site signup since GMail's spam filters are rather impressive.

As far as posting your e-mail address online, rather than posting an address like me@myaccount.com (which will be harvested by a bot), you should use the me (at) myaccount (dot) com or some other format that a human can understand but a computer might not be able to :)

I use GMail too. And I never give my principal email address except to publishers etc. So unless... Just joking, of course. It's puzzling how all this junk suddenly started about a month ago. Because it's showing up at both my principal email addresses. One of which, I haven't used for years!!! So I don't know how in the blazes they got that one?

Fahim
01-25-2008, 05:54 AM
It's puzzling how all this junk suddenly started about a month ago. Because it's showing up at both my principal email addresses. One of which, I haven't used for years!!! So I don't know how in the blazes they got that one?

Well, spammers also try what's called a dictionary attack. They pick a domain and send e-mail to various common names/e-mail addresses on that domain. Not saying that's how it happened but that's another possibility :)

Kendra
01-25-2008, 09:47 AM
What puzzles me is why spammers would go to all this trouble to irritate people they don't even know? Money is generally the root of all evil :-) but I don't see how spam could be lucrative financially? Maybe I'm missing something?

DamaNegra
01-25-2008, 10:08 AM
I'm also puzzled by this. What is the point in spamming, other than annoying people?

poetinahat
01-25-2008, 10:12 AM
It costs very, very little to send millions of spam messages. Proper advertising is much more expensive.

So one or two suckers is just about all it takes to make spamming worthwhile.

L M Ashton
01-25-2008, 02:11 PM
I don't remember the exact statistics I read, or where I read them, but something like 5% of the population responds to spam (in that general vicinity - I'm old and my memory is gone :)). With that kind of a return rate, it's absolutely lucrative for spammers to operate. Their only expenses include their time, an internet connection, and a computer. No printing costs, no postage. Of course they don't care that they're pissing off people - they're too busy laughing all the way to the bank.

It doesn't help that they can send out millions of spam a day, usually by taking over other people's email servers or other people's computers and, like mentioned above, by forging headers so that the ones that bounce are never returned to them. No fuss for them.

And as a side note, I know someone whose computer was taken over by a script from someone else. There was a hidden drive on it that was used to store data and it acted as a download file server. It was going on for at least several months before they figured out what was happening. Yeah, it happens, and it's not just some fairytale. :)

Kendra
01-25-2008, 11:48 PM
I don't remember the exact statistics I read, or where I read them, but something like 5% of the population responds to spam (in that general vicinity - I'm old and my memory is gone :)). With that kind of a return rate, it's absolutely lucrative for spammers to operate. Their only expenses include their time, an internet connection, and a computer. No printing costs, no postage. Of course they don't care that they're pissing off people - they're too busy laughing all the way to the bank.

It doesn't help that they can send out millions of spam a day, usually by taking over other people's email servers or other people's computers and, like mentioned above, by forging headers so that the ones that bounce are never returned to them. No fuss for them.

And as a side note, I know someone whose computer was taken over by a script from someone else. There was a hidden drive on it that was used to store data and it acted as a download file server. It was going on for at least several months before they figured out what was happening. Yeah, it happens, and it's not just some fairytale. :)

My gawd. This is all illegal, right? Are these folks ever caught and charged?

benbradley
01-26-2008, 12:21 AM
I don't remember the exact statistics I read, or where I read them, but something like 5% of the population responds to spam (in that general vicinity - I'm old and my memory is gone :)).
It's THAT high? Of course, they might respond to only one out of several hundred spams. And some percentage are going to respond to the Citibank or eBay phishes, thinking they are legitimate emails (though they never think about how the bank knows their email address if they never told the bank).

I've heard that it used to be (early '90s) that to get on parts of the Internet (for example, Usenet - I know, it's technically distinct from the Internet, but just about everyone these days accesses Usenet through the Internet), you had to read a few pages of Netiquette which included what NOT to do. One could still do this if ISPs (and services such as Hotmail and Gmail) would automatically send a "Welcome and how to use email" email to an account when it's first created. Many libraries have short courses on "How to use the Internet and Web" but I don't know that they teach about scams and how to avoid them.

With that kind of a return rate, it's absolutely lucrative for spammers to operate. Their only expenses include their time, an internet connection, and a computer. No printing costs, no postage. Of course they don't care that they're pissing off people - they're too busy laughing all the way to the bank.
They don't even need to "buy" an internet connection. Ten years ago just about every AOL address was getting "Your session has timed out. Please log in" emails that looked exactly like AOL login pages. People would innocently "log in" which would send address and password to a spammer who would use it to send spam with it for a few days or hours until the account was deleted for spamming.

There are spamming programs such as "email blaster" that for about $100 do just about everything for you. I recall in 1997 spams for a "97 million email addresses" CD for $50 or so. So adding all this up, there IS some cost for sending spam, but it's minimal, like a ten-thousandth of a penny per recipient.

...
And as a side note, I know someone who's computer was taken over by a script from someone else. There was a hidden drive on it that was used to store data and it acted as a download file server. It was going on for at least several months before they figured out what was happening. Yeah, it happens, and it's not just some fairytale. :)


My gawd. This is all illegal, right? Are these folks ever caught and charged?

Yes, indeed, it is "very" illegal (which actually HELPS to stop spammers who spam that way - they're getting access to others' computers to use them to send spam without the owners' permission).

Such "file server" programs are generally used to store "highly illegal" files such as child porn pics, so access to it could be sold to those who want to buy it, and there's less risk to the seller if access gets sold to a police sting task force. In fact, it puts the unknowing owner of the computer at risk for being arrested for having child porn on their own home computer. And yes, I've heard of cases where the computer owner was arrested and had no clue there was child porn on their home computer. Kinda makes you want to run a virus-and-malware check right now, doesn't it...

But such checks aren't a failsafe guarantee that your computer is clean. I often look at the lights on my DSL modem and router to see if any lights are flashing (indicating data going up or down) while I'm not getting email or downloading a big file, or ANY data movement that I didn't request. Some websites such as cnn.com update themselves every few minutes, but other than that, if these lights weren't on solid right now, I'd be a little worried about what my computer is running.

Kendra
01-26-2008, 01:06 AM
This is terrifying. Imagine being arrested for peddling kiddie porn on your computer? And how could you *prove* yourself innocent? Gawd, imagine what the neighbours would say? :-) The Internet is truly a lawless frontier. It's the Wild West cyber style.

ChunkyC
01-26-2008, 02:07 AM
It sure is.

Also remember that these are computers we're talking about. Spammers don't have to sit at the keyboard typing their fingers raw to launch spams or DDOS attacks, the computer does almost all the work. They just tell their bot or whatever what to do, then sit back and play HALO or download porn while their little toy prowls the 'net.

Matera the Mad
07-20-2010, 06:30 AM
inboxrevenge.com -- A nice link (http://ksforum.inboxrevenge.com/viewtopic.php?f=1&t=3515)