Domain hijacked by spammers! (CD, email, Microsoft, server) - Internet - - City-Data Forum

MikeJaquish · 08-26-2008, 07:28 PM

I have received over 100 email delivery failure messages today, mostly from the UK and Europe, with some from the Far East.
Seems some online casino spammer has mispelled my name, and used my domain for spamming.
How does this happen?

What to do? What risk is there to ME? Can someone give me some interpretation of what I am seeing?
Is "from home-pc (i59F4FE24.versanet.de [89.244.254.36] the perpetrator?

Thanks for any good input!

Here is the body of one of the failure notices, noting that a filter intercepted the message, with the body of the spam message in it.
(Email addresses altered to protect the innocent) And, I'm "Mike," not "bimike."

The full headers of the original mail plus the reasons for spam classification are included below:
--------------------------------------------------------------------------
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on ham2.proweb.net
X-Spam-Level: ***************
X-Spam-Status: Yes, score=15.9 required=4.2 tests=BAYES_50,DCC_CHECK,
HTML_MESSAGE,RCVD_IN_PBL,SARE_SUB_WORTH_CASH,URIBL _AB_SURBL,URIBL_BLACK,
URIBL_JP_SURBL,URIBL_RHS_DOB,URIBL_SBL,URIBL_SC_SU RBL,
XMAILER_MIMEOLE_OL_25340 autolearn=spam version=3.2.4
X-Spam-Report:
* 1.9 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
* [URIs: lifebothwinner.com]
* 1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
* [URIs: lifebothwinner.com]
* 0.5 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
* [URIs: lifebothwinner.com]
* 2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
* [URIs: lifebothwinner.com]
* 1.1 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
* [URIs: lifebothwinner.com]
* 0.8 SARE_SUB_WORTH_CASH Subject mentions something is worth cash
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.5 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
* [score: 0.5864]
* 2.2 DCC_CHECK Listed in DCC ([SIZE=3][SIZE=3]http://rhyolite.com/anti-spam/dcc/[/SIZE][/SIZE][SIZE=3])[/SIZE]
[SIZE=3]* 1.5 URIBL_SBL Contains an URL listed in the SBL blocklist[/SIZE]
[SIZE=3]* [URIs: lifebothwinner.com][/SIZE]
[SIZE=3]* 0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL[/SIZE]
[SIZE=3]* [89.244.254.36 listed in zen.spamhaus.org][/SIZE]
[SIZE=3]* 3.2 XMAILER_MIMEOLE_OL_25340 XMAILER_MIMEOLE_OL_25340[/SIZE]
[SIZE=3]Received: from smtp.proweb.net ([86.17.6.22])[/SIZE]
[SIZE=3]by pop.proweb.net (Slinky v2.25) with SMTP id 26498[/SIZE]
[SIZE=3](envelope-from <bimike@mikejauish.com>)[/SIZE]
[SIZE=3]for <rxxx@mixxxxxxxx.co.uk>; Tue, 26 Aug 2008 22:15:28 +0100[/SIZE]
[SIZE=3]Received: from home-pc (i59F4FE24.versanet.de [89.244.254.36])[/SIZE]
[SIZE=3]by smtp.proweb.net (8.13.8/8.13.8) with ESMTP id m7QLFKLH030489[/SIZE]
[SIZE=3]for <rxxx@mixxxxxxx.co.uk>; Tue, 26 Aug 2008 22:15:25 +0100[/SIZE]
[SIZE=3]Received: from [89.244.254.36] by mail.xxxxxxxxxxxxx; Tue, 26 Aug 2008 22:15:52 +0100[/SIZE]
[SIZE=3]From: "Ultimate VIP Casino" <bimike@mikejauish.com>[/SIZE]
[SIZE=3]To: <rxxx@mixxxxxxxx.co.uk>[/SIZE]
[SIZE=3]Subject: *****SPAM***** Win money and have fun with The Ultimate VIP Casino[/SIZE]
[SIZE=3]Date: Tue, 26 Aug 2008 22:15:52 +0100[/SIZE]
[SIZE=3]MIME-Version: 1.0[/SIZE]
[SIZE=3]Content-Type: multipart/alternative;[/SIZE]
[SIZE=3]boundary="----=_NextPart_000_0006_01C907C9.4D17DC00"[/SIZE]
[SIZE=3]X-Mailer: Microsoft Office Outlook, Build 11.0.6353[/SIZE]
[SIZE=3]Thread-Index: Aca6Q3ZCY6ABNEGDVX41HHL0NYE52H==[/SIZE]
[SIZE=3]X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4963.1700[/SIZE]
[SIZE=3]Message-ID: <01c907c9$4d17dc00$24fef459@bimike>[/SIZE]
[SIZE=3]Received-SPF: none (smtp.proweb.net: domain of bimike@mikejauish.com does not designate permitted sender hosts) (smtp1)[/SIZE]
[SIZE=3]Received-SPF: none (pop.proweb.net: 86.17.6.22 is neither permitted nor denied by domain of mikejauish.com) client-ip=86.17.6.22; envelope-from=bimike@mikejauish.com; helo=smtp.proweb.net;[/SIZE]
[SIZE=3]X-Envelope-From: bimike@mikejauish.com[/SIZE]
[SIZE=3]X-Antivirus: Scanned by F-Prot Antivirus ([/SIZE][SIZE=3][SIZE=3]http://www.f-prot.com[/SIZE][/SIZE][SIZE=3])[/SIZE]
[SIZE=3]X-Spam-Prev-Subject: Win money and have fun with The Ultimate VIP Casino[/SIZE]
[SIZE=3] [/SIZE]
[SIZE=3][/SIZE]

swagger · 08-26-2008, 08:25 PM

Yeah, 89.244.254.36 appears to be the culprit. Most likely, it's just a hijacked zombie machine, not the actual spammer's machine.

You're the victim of a "joe job". That's when a spammer uses your address as the "From" address when sending out their garbage. There's absolutely nothing you can do to keep it from happening - you can only manage the aftermath.

If you have your own domain name, and you have a catch-all e-mail address setup on it, turn it off. That'll help to reduce the amount of spam you receive, as well as the backscatter from joe jobs and whatnot. Other than that, filtering is about all you can do.

MikeJaquish · 08-26-2008, 08:43 PM

Quote:

Originally Posted by swagger

Yeah, 89.244.254.36 appears to be the culprit. Most likely, it's just a hijacked zombie machine, not the actual spammer's machine.

You're the victim of a "joe job". That's when a spammer uses your address as the "From" address when sending out their garbage. There's absolutely nothing you can do to keep it from happening - you can only manage the aftermath.

If you have your own domain name, and you have a catch-all e-mail address setup on it, turn it off. That'll help to reduce the amount of spam you receive, as well as the backscatter from joe jobs and whatnot. Other than that, filtering is about all you can do.

Thanks!

I only have mike(as catchall) and postmaster set up.
And I conduct all my business through mike/catchall.

So any slime can designate any mailbox name to my domain, and it will go to "catchall?"
Ouch.

Hey, good read on "joe job." I guess I will talk to my web host tomorrow.

swagger · 08-26-2008, 09:10 PM

A catch-all is a function of some web hosting systems where e-mail can be sent to anyaddress@domain and they all get funneled into one mailbox. For example, someone can send email to bill@domain, fred@domain, harry@domain and mike@domain, and they all end up in the same place - the only "real" account on the system. The problem with this setup is that it allows spammers that use dictionary attacks (aaaaa@domain, aaaab@domain, aaaac@domain, etc) to deliver to literally tens of thousands of addresses that don't even actually exist. You may or may not have this setup - it should be somewhere in the email setup of your web host's control panel if they offer this feature. If you're not sure, you can just give them a call.

TomSD · 08-26-2008, 09:18 PM

Yeah in most cases you want the catchall disabled or black holed somewhere. All it does is catch spam.

MikeJaquish · 08-27-2008, 05:53 AM

Quote:

Originally Posted by swagger

A catch-all is a function of some web hosting systems where e-mail can be sent to anyaddress@domain and they all get funneled into one mailbox. For example, someone can send email to bill@domain, fred@domain, harry@domain and mike@domain, and they all end up in the same place - the only "real" account on the system. The problem with this setup is that it allows spammers that use dictionary attacks (aaaaa@domain, aaaab@domain, aaaac@domain, etc) to deliver to literally tens of thousands of addresses that don't even actually exist. You may or may not have this setup - it should be somewhere in the email setup of your web host's control panel if they offer this feature. If you're not sure, you can just give them a call.

Quote:

Originally Posted by TomSD

Yeah in most cases you want the catchall disabled or black holed somewhere. All it does is catch spam.

Thanks, guys.
I do have catchall on my main mail account, so I guess there is a call to make to web host today.

I appreciate the input!

macroy · 08-28-2008, 11:39 AM

you can also setup SPF records for your mail servers. This will only allow the servers you designate to send mail for your domain. Is it 100% - absolutely not, but it does help as servers that do SPF lookups will not forward spoofed e-mails using your domain.

Brian.Pearson · 08-28-2008, 11:44 AM

Would it help to have some version of captcha?

MikeJaquish · 09-02-2008, 01:36 PM

Thanks profusely for the help from the CD community.

Finally called my Web Host, and they disabled the Catchall. I could ID it, but did not see how to disable it.
info@... Email also appeared.

Now to study up on that SPF deal.

I certainly appreciate the help.