#1
    Contributing User
    Devshed Newbie (0 - 499 posts)
    Join Date: Mar 2005
    Location: Lima, Peru
    Posts: 127
    Rep Power: 10

    Is this an attack?


    Hi

    I have a couple of e-mail addresses, one is a "catchall" address. As of 02/24 (2:42am) I started to receive automated notification errors with nonexistent e-mail addresses. These nonexistent addresses are totally unknown to me, as is the sender address. The only known part is "@mydomain.com", where mydomain.com is, obviously, my domain. Is this attacker using my own website to send his spam, or is he just using my domain name? Anyway, this harms my website, since it has NOTHING to do with porn movies.

    What can I do? Please help me!
#2
    Google's No1 Supporter!
    Devshed Novice (500 - 999 posts)
    Join Date: Jan 2007
    Location: The Crisp Packet!
    Posts: 603
    Rep Power: 152
    There should be more information in the headers of the email. If it was not sent from your email server, they will contain different IPs. Check these out for starters and see which ISP the IP belongs to, using an IP WHOIS tool (google for an online one).
#3
    Contributing User
    Devshed Newbie (0 - 499 posts)
    Join Date: Mar 2005
    Location: Lima, Peru
    Posts: 127
    Rep Power: 10
    Hi

    Please correct me if I'm wrong:

    1. Since I've not received any spam, but automated server notifications about nonexistent addresses, I assume the original e-mail is the one attached to the automated notification. In other words, I've not received the spam this person has been sending, but automated server messages notifying me that some addresses are unreachable, due to my "catchall" account.

    2. I've saved the attached eml files and opened them with PSPad.

    3. I've reviewed different eml files but as far as I can see I haven't found any pattern. Headers are different, IPs are different; the only common parts are the "@mydomain.com" part of the fake sender, the "X-Mailer: IncrediMail (5252670)" and the "X-FID: B433CDFE-B71C-42C2-A5C1-D34C076A9851".

    Which header should I look at?

    Thank you.
    Last edited by clm2206; February 25th, 2007 at 01:27 PM.
#4
    Google's No1 Supporter!
    Devshed Novice (500 - 999 posts)
    Join Date: Jan 2007
    Location: The Crisp Packet!
    Posts: 603
    Rep Power: 152
    Well, there are two possibilities I was thinking of. Maybe they are not automated server responses; they are spam and not authentic. But a server response message should contain the original message attached, and this will include the headers.
#5
    Trapped on the forums...help
    Devshed Demi-God (4500 - 4999 posts)
    Join Date: Aug 2003
    Location: /Users/edman007
    Posts: 4,617
    Rep Power: 905
    I have had this happen before. You just need to crank up your SPAM filters so you don't have to look at it. I don't think there is anything you can do, except maybe disabling your catch-all address.

    The spammer just picks a few domains, and then sends out junk email with the reply-to set to somethingrandom@yourdomain.com. That way all the bounces he knows he is going to get will bounce to your mail server and he doesn't have to look at them. So the only real way to stop it is to make the sender (i.e. the spammer) stop, and that's not going to happen, so you just need to adjust your server to reject those or send them all to the junk folder.

    Comments on this post

    • SKDevelopment agrees
#6
    Contributing User
    Devshed Newbie (0 - 499 posts)
    Join Date: Mar 2005
    Location: Lima, Peru
    Posts: 127
    Rep Power: 10
    Originally Posted by edman007
    I have had this happen before. You just need to crank up your SPAM filters so you don't have to look at it. I don't think there is anything you can do, except maybe disabling your catch-all address.

    The spammer just picks a few domains, and then sends out junk email with the reply-to set to somethingrandom@yourdomain.com. That way all the bounces he knows he is going to get will bounce to your mail server and he doesn't have to look at them. So the only real way to stop it is to make the sender (i.e. the spammer) stop, and that's not going to happen, so you just need to adjust your server to reject those or send them all to the junk folder.
    Hi and thanks

    And what about mydomain.com? Note that only the bounce messages are going to my mail server, while the actual spam is arriving in innocent people's inboxes, and some of them for sure will have some spam-reporting tool. Obviously, mydomain.com has a fixed IP, so it's easy to see my site is not the culprit.

    Any thoughts?
#7
    Trapped on the forums...help
    Devshed Demi-God (4500 - 4999 posts)
    Join Date: Aug 2003
    Location: /Users/edman007
    Posts: 4,617
    Rep Power: 905
    I don't have a clue what you could do that might help other than blocking what you get. When it happened to me it was with a domain that wasn't in use, and I just let the domain expire, which was about 1.5 months after it started, and I stopped receiving the emails (I was getting 50-200 of them a day).

    If you're concerned about your domain's name, then I would say put up a notice on your site explaining the situation and how it's not your fault, and you might see if you can do anything against the spammer, but I honestly think there isn't a single thing you can do to stop it.

    It's probably coming from offshore servers where it's legal, so the law won't help you. The spammer doesn't have a reason to stop either, so they won't listen if you tell them to stop. The only thing I see that you could try is spamming their real contact and telling them to stop: go to their site and somehow get enough stuff to the place that makes them money that they decide having your domain isn't worth it. Find where their site wants you to go to buy stuff and complain to that spot, but I don't think it would be effective with just one person, and it could easily backfire. One site... Blue Frog, I think... did something like this and it worked (though it was to stop spamming, not just the use of other people's domains). They had an email list and told the spammers not to spam those people or else. It worked for a while, then the spammers got pissed and took out thousands of servers; they knocked out entire hosting facilities and ISPs, and large portions of the Middle East were without internet for days... more on that at the wiki. They finally decided that it wasn't worth fighting as thousands of people were being harmed by the spammers.
#8
    Contributing User
    Devshed Newbie (0 - 499 posts)
    Join Date: Mar 2005
    Location: Lima, Peru
    Posts: 127
    Rep Power: 10
    Thanks for your input edman007!

    Well, as I suspected, there isn't much I can do to make the spammer stop using my domain to create his fake sender addresses.

    I wrote to GoDaddy, and they told me it seems my domain is being spoofed, and to solve this problem I need to set up an SPF record. Do you agree with the GoDaddy support representative's advice?

    By the way, let me paste below some of the headers, just in case somebody can give me a clue about who the real sender is. Destination addresses are as they came, because they are not real valid e-mail addresses. Obviously, I've replaced my real domain name with xxx.com.

    Code:
    Subject: *** SPAM *** DreamsList Internet
    From: "Hauptman@xxx.com" <Hauptman@xxx.com>
    Date: Sat, 24 Feb 2007 04:05:43 -0500 (GMT)
    To: <hstubbsgx@mart84.fsnet.co.uk>
    Received: from me-wanadoo.net (localhost [127.0.0.1]) by mwinf3004.me.freeserve.com (SMTP Server) with ESMTP id 87AE41C0312A for <hstubbsgx@mart84.fsnet.co.uk>; Sat, 24 Feb 2007 10:05:41 +0100 (CET)
    Received: from d118-75-31-13.try.wideopenwest.com (d118-75-31-13.try.wideopenwest.com [75.118.13.31]) by mwinf3004.me.freeserve.com (SMTP Server) with ESMTP id 41D691C0312B for <hstubbsgx@mart84.fsnet.co.uk>; Sat, 24 Feb 2007 10:05:39 +0100 (CET)
    X-ME-UUID: 20070224090540269.41D691C0312B@mwinf3004.me.freeserve.com
    Received: from Hauptman@xxx.com ( [167.180.153.25]) Sat, 24 Feb 2007 04:06:10 -0500
    MIME-Version: 1.0
    Message-ID: <4E755561.000006.00227@>
    Content-Type: Multipart/related; type="multipart/alternative"; boundary="------------Boundary-00=_JLMY6V3IISY66FAE24L0"
    X-Mailer: IncrediMail (5252670)
    X-FID: B433CDFE-B71C-42C2-A5C1-D34C076A9851
    X-Priority: 3
    X-me-spamlevel: med
    X-me-spamrating: 70.363153

    Code:
    Subject: Person WeekBRIAN
    From: "chrisotpherGudelj@xxx.com" <chrisotpherGudelj@xxx.com>
    Date: Sat, 24 Feb 2007 18:16:26 +0900 (GMT)
    To: <advertising@cfai-savoie.com>
    Return-Path: <chrisotpherGudelj@xxx.com>
    Received: from smtp19.msg.oleane.net (localhost [127.0.0.1]) by smtp19.msg.oleane.net (MX-ASAV) with ESMTP id l1O9GcoJ017100 for <advertising@cfai-savoie.com>; Sat, 24 Feb 2007 10:16:38 +0100
    Received: from [211.206.79.174] ([211.206.79.174]) by smtp19.msg.oleane.net (MX) with ESMTP id l1O9Fu61015081 for <advertising@cfai-savoie.com>; Sat, 24 Feb 2007 10:16:09 +0100
    Received: from chrisotpherGudelj@xxx.com ( [161.125.179.87]) Sat, 24 Feb 2007 18:17:03 +0900
    MIME-Version: 1.0
    Message-ID: <BEB67BD1.000002.00152@>
    Content-Type: Multipart/related; type="multipart/alternative"; boundary="------------Boundary-00=_E3NYUJG002WS4VA4G6G0"
    X-Mailer: IncrediMail (5252670)
    X-FID: B433CDFE-B71C-42C2-A5C1-D34C076A9851
    X-Priority: 3
    X-Spam-Flag: NO
    X-Spam-Level: xxx
    X-PFSI-Info: PMX 5.3.0.289146 (no virus found)

    Code:
    Subject: Tips Report
    From: "Reney-Fridolin@xxx.com" <Reney-Fridolin@xxx.com>
    Date: Sat, 24 Feb 2007 04:40:37 -0500 (GMT)
    To: <murgcd@systemwide.com.au>
    Received: from [208.104.229.94] (unknown [208.104.229.94]) by boom90.anchor.net.au (Postfix) with ESMTP id 01682252E17 for <murgcd@systemwide.com.au>; Sat, 24 Feb 2007 20:36:19 +1100 (EST)
    Received: from Reney-Fridolin@xxx.com ( [116.145.62.179]) Sat, 24 Feb 2007 04:41:10 -0500
    MIME-Version: 1.0
    Message-ID: <50E2F3DD.000004.00917@>
    Content-Type: Multipart/related; type="multipart/alternative"; boundary="------------Boundary-00=_P7OYMW0JDHZ4GU2E24L0"
    X-Mailer: IncrediMail (5252670)
    X-FID: B433CDFE-B71C-42C2-A5C1-D34C076A9851
    X-Priority: 3

    Code:
    Subject: [Bulk] extremely unlikely
    From: "Ockenfelskrq@xxx.com" <Ockenfelskrq@xxx.com>
    Date: Sat, 24 Feb 2007 10:40:51 +0100 (GMT)
    To: <nner@equator.com>
    Received: from mail pickup service by smtp.pixelworks.com with Microsoft SMTPSVC; Sat, 24 Feb 2007 01:41:00 -0800
    Received: from psmtp.com ([64.18.1.46]) by smtp.pixelworks.com with Microsoft SMTPSVC(6.0.3790.1830); Sat, 24 Feb 2007 01:40:59 -0800
    Received: from source ([88.122.225.197]) by exprod6mx139.postini.com ([64.18.5.10]) with SMTP; Sat, 24 Feb 2007 03:40:56 CST
    Received: from Ockenfelskrq@xxx.com ( [137.182.51.30]) Sat, 24 Feb 2007 10:41:29 +0100
    MIME-Version: 1.0
    Message-ID: <AD221D96.000003.00723@>
    Content-Type: Multipart/related; type="multipart/alternative"; boundary="------------Boundary-00=_38OYENIWKIWBH2K712S0"
    X-Mailer: IncrediMail (5252670)
    X-FID: B433CDFE-B71C-42C2-A5C1-D34C076A9851
    X-Priority: 3
    X-pstn-levels: (S: 0.00000/ 0.00000 R:95.9108 P:95.9108 M:95.5423 C:98.6951 )
    Return-Path: +._-Ockenfelskrq@xxx.com
    X-CTCH-ID: _82C950AB-3BD3-41AA-90FE-4B51DCE741FF_
    X-CTCH-RefID: str=0001.0A090205.45E0082C.0023,ss=1,pt=14837,fgs=0
    X-CTCH-Action: ToJMF
    X-OriginalArrivalTime: 24 Feb 2007 09:40:59.0684 (UTC) FILETIME=[E3FC2640:01C757F7]

    Code:
    Subject: mpmp
    From: "cade198@xxx.com" <cade198@xxx.com>
    Date: Sat, 24 Feb 2007 11:37:48 +0200 (GMT)
    To: <page@teqfamprac.com>
    Received: from [88.229.174.150] ([88.229.174.150]) by fs1.medicine.local with Microsoft SMTPSVC(6.0.3790.1830); Sat, 24 Feb 2007 04:41:05 -0500
    Received: from cade198@xxx.com ( [196.127.109.180]) Sat, 24 Feb 2007 11:38:03 +0200
    MIME-Version: 1.0
    Message-ID: <06C51C1D.000001.00196@>
    Content-Type: Multipart/related; type="multipart/alternative"; boundary="------------Boundary-00=_03OYYWTYAT1E2QP3LVC0"
    X-Mailer: IncrediMail (5252670)
    X-FID: B433CDFE-B71C-42C2-A5C1-D34C076A9851
    X-Priority: 3
    Return-Path: cade198@xxx.com
    X-OriginalArrivalTime: 24 Feb 2007 09:41:09.0937 (UTC) FILETIME=[EA18A210:01C757F7]
    From the above data, can you determine who the real sender is?

    Thank you in advance

    Carlos
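Walking the Received: chain the way #2 suggests, over the header sets posted in #8. This is an added example, not code from anyone in the thread. It takes two of the posted header sets (constructed here as strings, with the domain masked as xxx.com like the original), lists the peer IP each hop recorded, and returns the oldest hop that was written by a relay naming itself in a "by" clause with a globally routable peer address. The bottom line in every posted set, "Received: from <forged sender> ( [IP])" with no "by" clause, has the shape of a header written by the sending machine itself rather than by a relay, so it is not trusted; treating a missing "by" clause as untrusted is a heuristic of this example, not a rule stated in the thread. The address it returns is the one to look up in WHOIS.

```python
import ipaddress
import re
from email import message_from_string
from typing import List, Optional

# Constructed from the first header set posted above (domain already masked as
# xxx.com by the poster). Received: lines appear newest-hop-first, as in the message.
BOUNCE_1 = """\
Subject: *** SPAM *** DreamsList Internet
From: "Hauptman@xxx.com" <Hauptman@xxx.com>
To: <hstubbsgx@mart84.fsnet.co.uk>
Received: from me-wanadoo.net (localhost [127.0.0.1]) by mwinf3004.me.freeserve.com (SMTP Server) with ESMTP id 87AE41C0312A for <hstubbsgx@mart84.fsnet.co.uk>; Sat, 24 Feb 2007 10:05:41 +0100 (CET)
Received: from d118-75-31-13.try.wideopenwest.com (d118-75-31-13.try.wideopenwest.com [75.118.13.31]) by mwinf3004.me.freeserve.com (SMTP Server) with ESMTP id 41D691C0312B for <hstubbsgx@mart84.fsnet.co.uk>; Sat, 24 Feb 2007 10:05:39 +0100 (CET)
Received: from Hauptman@xxx.com ( [167.180.153.25]) Sat, 24 Feb 2007 04:06:10 -0500
X-Mailer: IncrediMail (5252670)
X-FID: B433CDFE-B71C-42C2-A5C1-D34C076A9851

"""

# Received: lines of the fourth posted set, where the receiving side (Postini)
# also writes its own address into the line after the peer's.
BOUNCE_4 = """\
From: "Ockenfelskrq@xxx.com" <Ockenfelskrq@xxx.com>
Received: from mail pickup service by smtp.pixelworks.com with Microsoft SMTPSVC; Sat, 24 Feb 2007 01:41:00 -0800
Received: from psmtp.com ([64.18.1.46]) by smtp.pixelworks.com with Microsoft SMTPSVC(6.0.3790.1830); Sat, 24 Feb 2007 01:40:59 -0800
Received: from source ([88.122.225.197]) by exprod6mx139.postini.com ([64.18.5.10]) with SMTP; Sat, 24 Feb 2007 03:40:56 CST
Received: from Ockenfelskrq@xxx.com ( [137.182.51.30]) Sat, 24 Feb 2007 10:41:29 +0100
X-Mailer: IncrediMail (5252670)

"""

# The peer address a relay saw is conventionally written in square brackets;
# the first such literal in a Received: line is the connecting host.
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_CLAUSE = re.compile(r"\bby\s+\S+")


def parse_hops(raw: str) -> List[dict]:
    """One entry per Received: header, newest hop first."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = BRACKETED_IP.search(hdr)
        ip = ipaddress.ip_address(m.group(1)) if m else None
        hops.append({
            "ip": str(ip) if ip else None,
            "has_by": bool(BY_CLAUSE.search(hdr)),        # stamped by a named relay
            "routable": ip is not None and ip.is_global,  # not loopback/private
        })
    return hops


def likely_origin(raw: str) -> Optional[str]:
    """Oldest hop that a self-naming relay recorded with a routable peer IP.

    Anything below that point (a Received: line with no 'by' clause, or one
    naming 127.0.0.1 / RFC 1918 space) was either added by the sender or is
    internal to the receiving site, so it is not used for attribution.
    """
    for hop in reversed(parse_hops(raw)):
        if hop["has_by"] and hop["routable"]:
            return hop["ip"]
    return None


def fingerprint(raw: str) -> dict:
    """Client-side markers the poster noticed were common to every bounce."""
    msg = message_from_string(raw)
    return {"x_mailer": msg.get("X-Mailer"), "x_fid": msg.get("X-FID")}


if __name__ == "__main__":
    for name, raw in (("bounce 1", BOUNCE_1), ("bounce 4", BOUNCE_4)):
        print(name, "origin to WHOIS:", likely_origin(raw), fingerprint(raw))
```

For the first set this yields 75.118.13.31 (a cable-modem hostname, consistent with an infected home machine) and ignores both the loopback hop and the unverifiable bottom line claiming 167.180.153.25; for the fourth it yields 88.122.225.197. Different origins with an identical X-Mailer and X-FID are exactly the pattern the thread goes on to call a botnet.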
#9
    Trapped on the forums...help
    Devshed Demi-God (4500 - 4999 posts)
    Join Date: Aug 2003
    Location: /Users/edman007
    Posts: 4,617
    Rep Power: 905
    Well, the IPs are all different, so I would say it's coming from a botnet (that means thousands of people with malware are sending it; there is no single server that you can pinpoint with the headers).

    I would just do the SPF thing that GoDaddy said. I checked it on Wikipedia and it seems to be a way to make your SMTP server reject spoofed emails, so the emails will still get sent out and bounced, you just won't see them anymore.
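How an SPF record is actually evaluated, as an added example (not from the thread or from GoDaddy). The record is published in DNS by the domain owner, but it is the receiving MTA that checks the connecting IP against it: a receiver that rejects on "fail" never accepts the forged message and so never generates a bounce toward the spoofed domain, while a receiver that does not check SPF, or that only tags a "softfail", still accepts and may bounce. The evaluator below handles only the ip4/ip6/all mechanisms so that it runs offline (include, a, mx and exists need DNS lookups). The server address 203.0.113.10 and both records are assumptions for the example; the peer IPs are the ones the receiving MTAs recorded in the five header sets posted above.

```python
import ipaddress
from typing import Dict, Iterable

# Result for each qualifier prefix (RFC 7208 section 4.6.2); "+" is the default.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Assumed, not from the thread: the domain's single fixed mail server is
# 203.0.113.10 (a documentation address standing in for the real one).
WEAK_RECORD = "v=spf1 ip4:203.0.113.10 ~all"    # softfail: receivers usually accept and tag
STRICT_RECORD = "v=spf1 ip4:203.0.113.10 -all"  # fail: receivers may reject at SMTP time

# Peer addresses the receiving MTAs recorded in the five header sets posted above.
POSTED_PEERS = ["75.118.13.31", "211.206.79.174", "208.104.229.94",
                "88.122.225.197", "88.229.174.150"]


def check_spf(record: str, client_ip: str) -> str:
    """Evaluate client_ip against an SPF record restricted to ip4/ip6/all.

    include:, a:, mx:, exists: and redirect= need DNS and are rejected here so
    the check stays offline. The first matching mechanism wins; with no match
    and no 'all', the result is 'neutral' (RFC 7208 section 4.7).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # A v4 address is never "in" a v6 network and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"mechanism {name!r} needs DNS; not supported offline")
    return "neutral"


def receiver_outcome(result: str) -> str:
    """What an SPF-enforcing receiver does with each result.

    Only 'fail' stops the message before a bounce can be generated toward the
    spoofed domain; every other result is accepted, so a later non-delivery
    report still lands on that domain's catch-all.
    """
    return "reject at SMTP time, no bounce" if result == "fail" else "accept (maybe tag), bounce possible"


def results_for(record: str, ips: Iterable[str]) -> Dict[str, str]:
    return {ip: check_spf(record, ip) for ip in ips}


if __name__ == "__main__":
    for rec in (WEAK_RECORD, STRICT_RECORD):
        print(rec)
        print("  own server 203.0.113.10 ->", check_spf(rec, "203.0.113.10"))
        for ip, res in results_for(rec, POSTED_PEERS).items():
            print(f"  {ip:>16} -> {res:8} {receiver_outcome(res)}")
```

With the strict record every posted peer evaluates to "fail" and the domain's own server to "pass"; with the weak record the same peers only "softfail". Either way the check runs on the receiving side, which is why publishing a record reduces backscatter only in proportion to how many receivers enforce it.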
#10
    Contributing User
    Devshed Newbie (0 - 499 posts)
    Join Date: Mar 2005
    Location: Lima, Peru
    Posts: 127
    Rep Power: 10
    Originally Posted by edman007
    Well, the IPs are all different, so I would say it's coming from a botnet (that means thousands of people with malware are sending it; there is no single server that you can pinpoint with the headers).

    I would just do the SPF thing that GoDaddy said. I checked it on Wikipedia and it seems to be a way to make your SMTP server reject spoofed emails, so the emails will still get sent out and bounced, you just won't see them anymore.
    Thousands of people sending spam through bots that use my domain name, and they don't even know!!

    I've already created an SPF record, but it doesn't fix things; my domain name is still being stolen again and again.

    Definitely, the Internet has lots of security issues.

    Thank you anyway
#11
    Type Cast Exception
    Devshed Supreme Being (6500+ posts)
    Join Date: Apr 2004
    Location: OAKLAND CA | Adam's Point (Fairyland)
    Posts: 14,954
    Rep Power: 8617
    The bright side is most people know by now that SPAM senders spoof domains. It goes straight to their trash if it isn't filtered first, and they aren't bothering to even see where it's purportedly coming from.
    medialint.com

    “Today you are You, that is truer than true. There is no one alive who is Youer than You.” - Dr. Seuss
#12
    Banned (not really)
    Devshed Supreme Being (6500+ posts)
    Join Date: Dec 1999
    Location: Brussels, Belgium
    Posts: 14,642
    Rep Power: 4476
    Originally Posted by clm2206
    Definitely, the Internet has lots of security issues.
    Yeah... we should turn it off.

    Comments on this post

    • sizablegrin agrees : Nah, I'm patching it. I'll be through in, ummm, lemme see, 4 + 2, carry the 7..... Well, shortly.
    -- Cigars, whiskey and wild, wild women. --
#13
    Null Pointer Exception
    Devshed Loyal (3000 - 3499 posts)
    Join Date: Mar 2006
    Location: america
    Posts: 3,355
    Rep Power: 1579
    You can send emails from anywhere you want; it doesn't mean that's who the person is. If I wanted to send a phishing email pretending to be PayPal I might email you putting service@paypal.com in the header to try and fool you.

    A spam method is to put the same email in the To and From address, because most spam filters don't block out the email address they're protecting.

    My guess is you're just getting mail from random internet bots; just delete them and move on. Also, a catch-all email inbox isn't the best idea. I used to think having it there to get emails that were accidentally sent to a non-existent address would be a good idea, but it's just a place for spam to go. If someone emails a non-existent address they'll get something back saying the email wasn't delivered, and if they're a little bit smart they'll go in and try to figure out the real e-mail address.
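The "reject those or send them to the junk folder" action from #5 and the catch-all point made in #13, as an added example that is not code from anyone in the thread. It sorts inbound mail by two questions: is it a non-delivery report (null Return-Path, a MAILER-DAEMON or postmaster sender, or a multipart/report body with report-type=delivery-status), and does the recipient local part exist on this domain? A bounce addressed to a mailbox that does not exist is a reply to mail this domain never sent, which is the backscatter the thread describes; without a catch-all it would have been refused at SMTP time instead of landing in an inbox. The three messages and the mailbox list are constructed for the example; "carlos" is only assumed from the poster's signature, and mx.example.net and example.org are placeholders.

```python
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Set

# Constructed sample: a non-delivery report sent back to the forged sender
# address of the first spam posted above. Only a catch-all makes it deliverable.
BACKSCATTER_DSN = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: <Hauptman@xxx.com>
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="dsn1"

--dsn1
Content-Type: text/plain

<hstubbsgx@mart84.fsnet.co.uk>: User unknown
--dsn1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net
Final-Recipient: rfc822; hstubbsgx@mart84.fsnet.co.uk
Action: failed
Status: 5.1.1

--dsn1
Content-Type: message/rfc822

From: "Hauptman@xxx.com" <Hauptman@xxx.com>
To: <hstubbsgx@mart84.fsnet.co.uk>
Subject: *** SPAM *** DreamsList Internet
X-Mailer: IncrediMail (5252670)

--dsn1--
"""

# Constructed sample: a genuine bounce for mail the real mailbox owner sent.
REAL_BOUNCE = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: <carlos@xxx.com>
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="dsn2"

--dsn2
Content-Type: message/delivery-status

Action: failed
Status: 5.1.1

--dsn2--
"""

# Constructed sample: ordinary inbound mail to an existing mailbox.
ORDINARY_MAIL = """\
Return-Path: <friend@example.org>
From: Friend <friend@example.org>
To: <carlos@xxx.com>
Subject: lunch?
Content-Type: text/plain

Friday?
"""

# Assumed mailbox list for xxx.com; 'carlos' is taken from the poster's signature.
MAILBOXES = {"carlos", "postmaster"}

BOUNCE_SENDERS = {"mailer-daemon", "postmaster"}


def local_part(addr_header: str) -> str:
    """Lower-cased local part of the first address in a header value."""
    return parseaddr(addr_header)[1].rpartition("@")[0].lower()


def is_dsn(msg: Message) -> bool:
    """Null reverse path, a daemon sender, or a delivery-status report body."""
    null_sender = msg.get("Return-Path", "").strip() == "<>"
    daemon = local_part(msg.get("From", "")) in BOUNCE_SENDERS
    report = (msg.get_content_type() == "multipart/report"
              and (msg.get_param("report-type") or "").lower() == "delivery-status")
    return null_sender or daemon or report


def classify(raw: str, mailboxes: Set[str]) -> str:
    """'backscatter': a bounce for a recipient that does not exist here, i.e. a
    reply to mail this domain never sent. 'unknown-recipient' is what a server
    without a catch-all would already have refused at SMTP time."""
    msg = message_from_string(raw)
    known = local_part(msg.get("To", "")) in mailboxes
    if is_dsn(msg):
        return "bounce" if known else "backscatter"
    return "mail" if known else "unknown-recipient"


if __name__ == "__main__":
    for name, raw in (("DSN to forged sender", BACKSCATTER_DSN),
                      ("DSN to real mailbox", REAL_BOUNCE),
                      ("ordinary mail", ORDINARY_MAIL)):
        print(f"{name:22} -> {classify(raw, MAILBOXES)}")
```

Rejecting "backscatter" while keeping "bounce" is the distinction that lets the catch-all go without losing real non-delivery reports for mail the domain did send; the same recipient test applied at RCPT TO time, before the message body is accepted, is what disabling the catch-all buys.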
