City-Data Forum > General Forums > Science and Technology > Internet

Old 08-26-2008, 08:28 PM
Location: Cary, NC
34,328 posts, read 59,678,857 times
Reputation: 33482
I have received over 100 email delivery failure messages today, mostly from the UK and Europe, with some from the Far East.
Seems some online casino spammer has misspelled my name, and used my domain for spamming.
How does this happen?

What to do? What risk is there to ME? Can someone give me some interpretation of what I am seeing?
Is "from home-pc (i59F4FE24.versanet.de [89.244.254.36])" the perpetrator?

Thanks for any good input!

Here is the body of one of the failure notices, noting that a filter intercepted the message, with the body of the spam message in it.
(Email addresses altered to protect the innocent.) And, I'm "Mike," not "bimike."

The full headers of the original mail plus the reasons for spam classification are included below:
--------------------------------------------------------------------------
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on ham2.proweb.net
X-Spam-Level: ***************
X-Spam-Status: Yes, score=15.9 required=4.2 tests=BAYES_50,DCC_CHECK,
  HTML_MESSAGE,RCVD_IN_PBL,SARE_SUB_WORTH_CASH,URIBL_AB_SURBL,URIBL_BLACK,
  URIBL_JP_SURBL,URIBL_RHS_DOB,URIBL_SBL,URIBL_SC_SURBL,
  XMAILER_MIMEOLE_OL_25340 autolearn=spam version=3.2.4
X-Spam-Report:
  * 1.9 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
  *     [URIs: lifebothwinner.com]
  * 1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
  *     [URIs: lifebothwinner.com]
  * 0.5 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
  *     [URIs: lifebothwinner.com]
  * 2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
  *     [URIs: lifebothwinner.com]
  * 1.1 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
  *     [URIs: lifebothwinner.com]
  * 0.8 SARE_SUB_WORTH_CASH Subject mentions something is worth cash
  * 0.0 HTML_MESSAGE BODY: HTML included in message
  * 0.5 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
  *     [score: 0.5864]
  * 2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
  * 1.5 URIBL_SBL Contains an URL listed in the SBL blocklist
  *     [URIs: lifebothwinner.com]
  * 0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
  *     [89.244.254.36 listed in zen.spamhaus.org]
  * 3.2 XMAILER_MIMEOLE_OL_25340 XMAILER_MIMEOLE_OL_25340
Received: from smtp.proweb.net ([86.17.6.22])
  by pop.proweb.net (Slinky v2.25) with SMTP id 26498
  (envelope-from <bimike@mikejauish.com>)
  for <rxxx@mixxxxxxxx.co.uk>; Tue, 26 Aug 2008 22:15:28 +0100
Received: from home-pc (i59F4FE24.versanet.de [89.244.254.36])
  by smtp.proweb.net (8.13.8/8.13.8) with ESMTP id m7QLFKLH030489
  for <rxxx@mixxxxxxx.co.uk>; Tue, 26 Aug 2008 22:15:25 +0100
Received: from [89.244.254.36] by mail.xxxxxxxxxxxxx; Tue, 26 Aug 2008 22:15:52 +0100
From: "Ultimate VIP Casino" <bimike@mikejauish.com>
To: <rxxx@mixxxxxxxx.co.uk>
Subject: *****SPAM***** Win money and have fun with The Ultimate VIP Casino
Date: Tue, 26 Aug 2008 22:15:52 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="----=_NextPart_000_0006_01C907C9.4D17DC00"
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
Thread-Index: Aca6Q3ZCY6ABNEGDVX41HHL0NYE52H==
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4963.1700
Message-ID: <01c907c9$4d17dc00$24fef459@bimike>
Received-SPF: none (smtp.proweb.net: domain of bimike@mikejauish.com does not designate permitted sender hosts) (smtp1)
Received-SPF: none (pop.proweb.net: 86.17.6.22 is neither permitted nor denied by domain of mikejauish.com) client-ip=86.17.6.22; envelope-from=bimike@mikejauish.com; helo=smtp.proweb.net;
X-Envelope-From: bimike@mikejauish.com
X-Antivirus: Scanned by F-Prot Antivirus (http://www.f-prot.com)
X-Spam-Prev-Subject: Win money and have fun with The Ultimate VIP Casino
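The way to answer the question in this post is to read the Received chain from the top down and stop at the first hop that a server you trust wrote. The script below is an added example in Python, not code from the poster or from City-Data. It walks the Received headers newest-first and returns the IP of the first connection that one of the receiving site's own servers accepted from an outside host; every Received line below that one was supplied by the outside host itself and cannot be verified. It assumes pop.proweb.net and smtp.proweb.net are the recipient's servers (as the "by" clauses suggest), and its input is a trimmed, constructed copy of the headers quoted above with the same altered addresses.

```python
"""Attribute a bounced message to the furthest hop we can actually verify.
Added example; SAMPLE is a trimmed, constructed copy of the headers in the post."""
import re
from email.parser import Parser
from email.utils import parseaddr

# Constructed sample input (addresses altered exactly as in the post).
SAMPLE = """\
Received: from smtp.proweb.net ([86.17.6.22])
\tby pop.proweb.net (Slinky v2.25) with SMTP id 26498
\t(envelope-from <bimike@mikejauish.com>)
\tfor <rxxx@mixxxxxxxx.co.uk>; Tue, 26 Aug 2008 22:15:28 +0100
Received: from home-pc (i59F4FE24.versanet.de [89.244.254.36])
\tby smtp.proweb.net (8.13.8/8.13.8) with ESMTP id m7QLFKLH030489
\tfor <rxxx@mixxxxxxx.co.uk>; Tue, 26 Aug 2008 22:15:25 +0100
Received: from [89.244.254.36] by mail.xxxxxxxxxxxxx; Tue, 26 Aug 2008 22:15:52 +0100
From: "Ultimate VIP Casino" <bimike@mikejauish.com>
To: <rxxx@mixxxxxxxx.co.uk>
Subject: Win money and have fun with The Ultimate VIP Casino
Received-SPF: none (smtp.proweb.net: domain of bimike@mikejauish.com does not designate permitted sender hosts) (smtp1)
Received-SPF: none (pop.proweb.net: 86.17.6.22 is neither permitted nor denied by domain of mikejauish.com) client-ip=86.17.6.22; envelope-from=bimike@mikejauish.com; helo=smtp.proweb.net;
X-Envelope-From: bimike@mikejauish.com

"""

# Assumption: these are the recipient's own mail servers (the 'by' hosts above).
TRUSTED_HOSTS = {"pop.proweb.net", "smtp.proweb.net"}

FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(msg):
    """One dict per Received header, newest hop first, as the MTAs stacked them."""
    hops = []
    for raw in msg.get_all("Received", []):
        line = " ".join(raw.split())  # unfold the header onto one line
        m_from, m_by, m_ip = FROM_RE.search(line), BY_RE.search(line), IP_RE.search(line)
        hops.append({
            "from_host": m_from.group(1) if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1).rstrip(";") if m_by else None,
            "raw": line,
        })
    return hops


def origin_ip(hops, trusted_hosts):
    """Newest-first walk. A Received line was written by its 'by' host, so it is
    believable only when that host is ours. The first hop where one of our servers
    accepted a connection from an outside host is as far back as we can verify;
    lines below it were written by that outside host and may be forged."""
    for hop in hops:
        if hop["by"] not in trusted_hosts:
            return None  # chain leaves our infrastructure; nothing further is verifiable
        if hop["from_host"] not in trusted_hosts:
            return hop["ip"]
    return None


def spf_results(msg):
    """First token of every Received-SPF header: pass/fail/softfail/neutral/none."""
    return [" ".join(v.split()).split()[0].lower() for v in msg.get_all("Received-SPF", [])]


def sender_domains(msg):
    """Domain the reader sees (From:) versus the envelope sender the MTA saw."""
    header_from = parseaddr(msg.get("From", ""))[1]
    envelope = msg.get("X-Envelope-From", "").strip()
    return header_from.rpartition("@")[2], envelope.rpartition("@")[2]


def analyse(raw_headers, trusted_hosts=TRUSTED_HOSTS):
    """Summarise one bounce: attributable origin, hop count, SPF verdicts, domains."""
    msg = Parser().parsestr(raw_headers, headersonly=True)
    hops = parse_received(msg)
    return {
        "origin_ip": origin_ip(hops, trusted_hosts),
        "hops": len(hops),
        "spf": spf_results(msg),
        "domains": sender_domains(msg),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

On this input the attributable origin is 89.244.254.36, the host that smtp.proweb.net logged as connecting to it. Both Received-SPF lines say "none", meaning nothing ever checked whether that host was allowed to send for mikejauish.com; the From: header and the envelope sender both claim that domain, and nothing authenticated the claim, which is all a joe job needs.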

Old 08-26-2008, 09:25 PM
Location: Tyler, TX
15,210 posts, read 18,499,742 times
Reputation: 8052
Yeah, 89.244.254.36 appears to be the culprit. Most likely, it's just a hijacked zombie machine, not the actual spammer's machine.

You're the victim of a "joe job". That's when a spammer uses your address as the "From" address when sending out their garbage. There's absolutely nothing you can do to keep it from happening - you can only manage the aftermath.

If you have your own domain name, and you have a catch-all e-mail address set up on it, turn it off. That'll help to reduce the amount of spam you receive, as well as the backscatter from joe jobs and whatnot. Other than that, filtering is about all you can do.

Old 08-26-2008, 09:43 PM
Location: Cary, NC
34,328 posts, read 59,678,857 times
Reputation: 33482
Quote:
Originally Posted by swagger
Yeah, 89.244.254.36 appears to be the culprit. Most likely, it's just a hijacked zombie machine, not the actual spammer's machine.

You're the victim of a "joe job". That's when a spammer uses your address as the "From" address when sending out their garbage. There's absolutely nothing you can do to keep it from happening - you can only manage the aftermath.

If you have your own domain name, and you have a catch-all e-mail address set up on it, turn it off. That'll help to reduce the amount of spam you receive, as well as the backscatter from joe jobs and whatnot. Other than that, filtering is about all you can do.
Thanks!

I only have mike (as catchall) and postmaster set up.
And I conduct all my business through mike/catchall.

So any slime can designate any mailbox name to my domain, and it will go to "catchall"?
Ouch.

Hey, good read on "joe job." I guess I will talk to my web host tomorrow.

Old 08-26-2008, 10:10 PM
Location: Tyler, TX
15,210 posts, read 18,499,742 times
Reputation: 8052
A catch-all is a function of some web hosting systems where e-mail can be sent to anyaddress@domain and they all get funneled into one mailbox. For example, someone can send email to bill@domain, fred@domain, harry@domain and mike@domain, and they all end up in the same place - the only "real" account on the system. The problem with this setup is that it allows spammers that use dictionary attacks (aaaaa@domain, aaaab@domain, aaaac@domain, etc) to deliver to literally tens of thousands of addresses that don't even actually exist. You may or may not have this setup - it should be somewhere in the email setup of your web host's control panel if they offer this feature. If you're not sure, you can just give them a call.

Old 08-26-2008, 10:18 PM
Location: Lemon Grove, CA USA
1,055 posts, read 3,648,695 times
Reputation: 952
Yeah in most cases you want the catchall disabled or black holed somewhere. All it does is catch spam.

Old 08-27-2008, 06:53 AM
Location: Cary, NC
34,328 posts, read 59,678,857 times
Reputation: 33482
Quote:
Originally Posted by swagger
A catch-all is a function of some web hosting systems where e-mail can be sent to anyaddress@domain and they all get funneled into one mailbox. For example, someone can send email to bill@domain, fred@domain, harry@domain and mike@domain, and they all end up in the same place - the only "real" account on the system. The problem with this setup is that it allows spammers that use dictionary attacks (aaaaa@domain, aaaab@domain, aaaac@domain, etc) to deliver to literally tens of thousands of addresses that don't even actually exist. You may or may not have this setup - it should be somewhere in the email setup of your web host's control panel if they offer this feature. If you're not sure, you can just give them a call.
Quote:
Originally Posted by TomSD
Yeah in most cases you want the catchall disabled or black holed somewhere. All it does is catch spam.
Thanks, guys.
I do have catchall on my main mail account, so I guess there is a call to make to web host today.

I appreciate the input!

Old 08-28-2008, 12:39 PM
Location: HoCo, MD
4,611 posts, read 8,207,121 times
Reputation: 5195
You can also set up SPF records for your mail servers. This will only allow the servers you designate to send mail for your domain. Is it 100%? Absolutely not, but it does help, as servers that do SPF lookups will not forward spoofed e-mails using your domain.
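To make the SPF suggestion concrete, here is an added Python example; it is not the poster's code and not a real SPF library. It evaluates the ip4/ip6/all subset of an SPF record against the IP that connected, and maps the result to what a checking mail server does with it. The record `v=spf1 ip4:203.0.113.10 -all` and the server address 203.0.113.10 are hypothetical placeholders standing in for whatever the poster's web host actually uses; the "before" case, with no record published, reproduces the `Received-SPF: none` lines in the bounce quoted earlier in the thread. Mechanisms that need DNS (a, mx, include, exists) are deliberately left out so it runs offline.

```python
"""Minimal SPF evaluator (a subset of RFC 7208) for the joe-job case in this thread.
Added example; DNS data below is constructed, not the poster's real records."""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate ip4, ip6 and all mechanisms with their qualifiers against client_ip.
    Returns 'none' when the domain publishes no record. Mechanisms that need DNS
    (a, mx, include, exists) are refused so the example runs offline."""
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        if "=" in term:  # modifiers such as redirect= / exp= are ignored here
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"{name} needs DNS lookups; not handled in this example")
    return "neutral"  # RFC 7208 section 4.7: nothing matched and no 'all' term


def check_sender(envelope_from, client_ip, dns):
    """Look up the envelope-from domain in a dict standing in for DNS TXT records."""
    domain = envelope_from.rpartition("@")[2].lower()
    return evaluate_spf(dns.get(domain), client_ip)


def receiver_action(result):
    """What a checking MTA typically does with each result. Rejecting during the SMTP
    session means no bounce is ever created, so the spoofed domain gets no backscatter."""
    return {
        "fail": "reject at SMTP time (no bounce created)",
        "softfail": "accept, add weight to the spam score",
        "neutral": "accept, no authentication claim made",
        "none": "accept, domain publishes no policy",
        "pass": "accept as authorised for this domain",
    }[result]


# Constructed DNS data. 'Before' has no record, which is what the bounce headers
# report. 'After' authorises only a hypothetical outbound server, 203.0.113.10.
DNS_BEFORE = {}
DNS_AFTER = {"mikejauish.com": "v=spf1 ip4:203.0.113.10 -all"}

if __name__ == "__main__":
    for label, dns in (("before", DNS_BEFORE), ("after", DNS_AFTER)):
        result = check_sender("bimike@mikejauish.com", "89.244.254.36", dns)
        print(f"{label}: {result} -> {receiver_action(result)}")
```

With the "after" record the zombie at 89.244.254.36 gets a hard fail and a checking receiver refuses the message during the session, which is why SPF cuts backscatter rather than merely filtering it. The caveat is the flip side of `-all`: any server you forgot to list (the web host's outbound relay, a newsletter service, a phone sending through another provider) is refused too, so inventory every legitimate sender for the domain before publishing a hard fail; `~all` is the usual first step while you do.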

Old 08-28-2008, 12:44 PM
Location: Texas
5,070 posts, read 9,080,581 times
Reputation: 1632
Would it help to have some version of captcha?

Old 09-02-2008, 02:36 PM
Location: Cary, NC
34,328 posts, read 59,678,857 times
Reputation: 33482
Thanks profusely for the help from the CD community.

Finally called my Web Host, and they disabled the Catchall. I could ID it, but did not see how to disable it.
info@... Email also appeared.

Now to study up on that SPF deal.

I certainly appreciate the help.

All times are GMT -6.

© 2005-2019, Advameg, Inc.