
spammers spoofing my domain email

should I dump the domain


nancyb

6:47 pm on Aug 27, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I am getting lots of email, especially hardcore porn, from spammers who have spoofed my domain email.

I don't know anything about how email works, but whenever I get one of these I also get one or two auto responses from my domain.

Two questions:

why/how do I get auto responses when it isn't actually coming from my domain?

since they are running in the hundreds and have been for several months, is it time to dump the domain so my real customers don't get hit with this crap? The domain is my actual company name and I hate to dump it but I also hate seeing hardcore junk coming with my name on it!

thanks for any and all suggestions

Marcia

6:51 pm on Aug 27, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Nancy, I haven't been getting hundreds, but it's been a few a day up until a few days ago. It's not uncommon lately. They read to one email address from the same address.

miles

6:53 pm on Aug 27, 2002 (gmt 0)

10+ Year Member



I am having the same problem. Only this is my business account. It started about a month ago and I was wondering if there is anything I can do short of hunting the spammer down and asking them to stop.

miles

6:58 pm on Aug 27, 2002 (gmt 0)

10+ Year Member



I just got another one I am about ready to hunt down this spammer and ahhum..... have some fun with a hammer. I hate blatant spammers...

chiyo

7:00 pm on Aug 27, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I've always assumed that they wouldn't normally use your domain to spam anybody other than people at your domain. I guess they think you will be more likely to open an email from a trusted or local domain. So they just make the sender the same as the receiver.

nancyb

7:10 pm on Aug 27, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



any idea how they get my domain email account to send an auto response since the spam is not coming from there (at least my host says they aren't)?

I'm afraid that many people will believe my business is actually sending these especially if they are also getting an auto response.

bobriggs

7:27 pm on Aug 27, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Do you have autoresponders set up on your site?

If so, check the headers of the email. Could be that it's sent To: the autoresponder, but ends up in your mailbox as a catchall account. And are there any CC or BCC fields? or maybe two (2) To: email addresses? That would explain the double autoresponse - sending it back to the From: field.

nancyb

9:45 pm on Aug 27, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



all occurrences of "mydomain" below are substitutions for my actual domain name.

Yes, I do have auto responder set up but the spam emails aren't sent To: autoresponder@mydomain.com
they are sent to catchall@mydomain.com

There are almost as many "varieties" of the "To:" as there are emails, but the ones that have me really concerned are one like this:

Return-Path: <catchall@mydomain.com>
....
...
....
....
Received: from mydomain.com by G948OHKDKNJP.mydomain.com with SMTP for catchall@mydomain.com; Sun, 25 Aug 2002 13:02:38 -0500

I have also gotten a few emails from people (complaining!) that received an email from autoresponder@mydomain.com and I did not send them anything so I am assuming that somehow they are getting this spam plus an autoresponse.

Email headers completely baffle me because I never seem to see two where the headers are formatted alike.

I'm turning my autoresponder off but still wonder how this can happen - can spammers actually get my autoresponder to engage without sending the email from my account???

thanks

jdMorgan

11:04 pm on Aug 27, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



nancyb,

The next time you get a complaint, ask the complainer to send you a copy of the messages they
received. If you get someone who's internet-savvy, ask them to send the full e-mail headers if
possible.

It may be that the spammer is faking his sender address, replacing it with the intended target address,
and counting on your autoresponder to forward it for him. Nasty exploit.

Turning off your autoresponder is probably a good idea. If the autoresponder is critical to your
business, you might add a note to the auto-response apologizing in advance for any spam that the
customer receives, and explaining the situation. In the meantime, call "Red Alert" with your hosting
company, and tell them to investigate how this exploit is occurring. They may be able to tighten up
the security of your mail system - For example by checking to see if To: and From: are the same, or
if they match your domain name.

Rather than dumping your domain name, consider just shutting down the e-mail for awhile and getting
an alternate e-mail address. You may even be able to get your hosting service to change your
base e-mail address for you. Use this alternate until the spammer gives up, and then maybe you can
switch back.

I'm by no means an expert in this field, so I hope the above makes sense. I'm considering writing
an RFC for HTTP/1.2 to implement a "remote detonate" protocol for use against such spammers'
servers!

Jim
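One way a mail admin could implement the kind of check Jim suggests (compare To: and From:, and confirm that a sender claiming your domain really entered through your own server) before an autoresponder is allowed to reply. This is an added example, not code from the original thread or from any host's mail system; the domain, the network prefix and both sample messages are placeholders I constructed.

```python
import email
import re
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "mydomain.com"     # placeholder domain, as used in the thread
OUR_NET_PREFIX = "192.0.2."     # assumed address block of our own MTAs (constructed)

def should_autorespond(raw):
    """Return (reply_ok, reasons); reply_ok is False when a reply would be backscatter."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    rcpt = parseaddr(str(msg.get("To", "")))[1].lower()
    # RFC 3834 rules: never answer bounces or other automatically generated mail.
    rp = msg.get("Return-Path")
    if rp is not None and parseaddr(str(rp))[1] == "":
        reasons.append("null Return-Path: the message is itself a bounce")
    if msg.get("Auto-Submitted", "no").lower() != "no":
        reasons.append("Auto-Submitted header present")
    # The trick quoted later in this thread: sender and recipient are the same.
    if sender and sender == rcpt:
        reasons.append("From and To are identical")
    # From: claims our domain, but the topmost Received line (written by our own
    # MTA, so the spammer cannot forge it) shows the connection came from outside.
    # Assumes our own users submit mail through our servers, not a third-party relay.
    if sender.endswith("@" + OUR_DOMAIN):
        hops = [str(h) for h in msg.get_all("Received", [])]
        ips = re.findall(r"\[(\d+\.\d+\.\d+\.\d+)\]", hops[0]) if hops else []
        if not ips or not ips[0].startswith(OUR_NET_PREFIX):
            reasons.append("From claims our domain but message entered from outside")
    return (not reasons, reasons)

# Constructed sample: spoofed spam of the kind quoted in this thread; 203.0.113.7 is
# a documentation address standing in for the spammer's relay.
SPOOFED = """Return-Path: <catchall@mydomain.com>
Received: from mydomain.com ([203.0.113.7]) by mail.mydomain.com with SMTP for catchall@mydomain.com; Sun, 25 Aug 2002 13:02:38 -0500
From: catchall@mydomain.com
To: catchall@mydomain.com

spam body
"""
# Constructed sample: a genuine enquiry from an outside customer.
LEGIT = """Return-Path: <alice@example.net>
Received: from mx.example.net ([198.51.100.9]) by mail.mydomain.com with ESMTP; Tue, 27 Aug 2002 10:00:00 -0500
From: alice@example.net
To: sales@mydomain.com

Do you ship overseas?
"""
```

Running `should_autorespond(SPOOFED)` returns `(False, [...])` with both the identical-address and outside-origin reasons, while the customer enquiry returns `(True, [])`.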

nancyb

11:37 pm on Aug 27, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Jim,

Thank you so much!

I did talk to my hosting service a while ago but they said this was email spoofing and nothing could be done about it. I'll ask about changing the base email.

My host is really pretty good in most respects, but I can never get clear explanations on security related stuff, so it might be time to change hosts.

Anyway, thanks for the explanation/suggestions, the responder is OFF for now and I don't feel totally in a fog anymore.

jdMorgan

2:50 am on Aug 28, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



nancyb,

I spend quite a bit of time over in the spider identification forum fighting off foul beasts, and I find what is happening to you to be even more offensive than these 'bots scraping my sites for e-mail addresses. This is a form of identity theft... I wonder if you could report it as such?

Anyway, good luck with it, and if you find the perpetrator, I'll hold him while you hit him (if we can take turns). Really disgusting to do this to someone's business! (can you tell I'm offended?)

Jim

shelleycat

3:07 am on Aug 28, 2002 (gmt 0)

10+ Year Member



I've had similar things occur with people making it look like the emails came from me. So far they have used specific aliases which then go to my catchall address, so my host just blocks me from ever receiving email from those aliases. This doesn't stop the original person using my domain name but at least stops me getting the replies (and the many many bounced back versions). If they are using more than one alias or your catchall address then you may be able to stop some of those replies using filters (I've heard good things about spam assassin). I would definitely try filtering before dumping your email address.

There are ways to track down the original person also but I'm not sure how myself. My host weren't inclined to do so either as the emails aren't originating from their network. Once you do find them you should be able to get them to stop as what they are doing is likely to be against their ISP's TOS.

Sadly this kind of thing seems pretty common. When I complained about it a number of my friends who own domains said they have the same problem :(

Shelley

nancyb

3:35 am on Aug 28, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I have no idea what a "remote detonate" is but I think I like the sound of it ;)

I do use filters to dump some of these to folders, but you can't catch them all and then sometimes "real" emails get caught in the filter by mistake. I've encoded all the email addresses on my site, even the word 'email', but if the email harvester bots haven't figured out how to un-code this yet they probably will soon.

Jim, that's an interesting thought - identity theft. I'll have to think about that and look around some of the spam police sites.

I live with the regular spam, but the hardcore stuff really pisses me off! (we need a "mad" style code)

Thanks for the empathy and, please, let me know if you get a remote bomb hehe

Ross

7:34 am on Aug 28, 2002 (gmt 0)

10+ Year Member



Hi Nancyb,

It seems that this type of identity switching is being marketed or used by people offering bulk e-mail services. The paragraph below was on the end of a junk email received earlier today. If mortgage sellers can do it so can p**n merchants!

This email was sent to you via Saf-E Mail Systems. Your email address was automatically inserted into the To and From addresses to eliminate undeliverables which waste bandwidth and cause internet congestion. Your email or webserver IS NOT being used for the sending of this mail. No-one else is receiving emails from your address. You may utilize the removal link below if you do not wish to receive this mailing.

Sinner_G

7:44 am on Aug 28, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



to eliminate undeliverables which waste bandwidth and cause internet congestion

So now it's our fault if the spammers use wrong email addresses? I can't believe it.

Crazy_Fool

7:49 am on Aug 28, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



nancy / miles
do you have a copy of form2mail on your servers? it could be that someone is relaying mail through form2mail, which could send email using any of your email addresses as the from name. it doesn't matter whether you use form2mail in your site, just having a copy on your server is good enough for the spammers.

Birdman

11:04 am on Aug 28, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I have the same problem and can't figure it out. I'll get the same bull*!#* at three e-mail addresses. Two of them are web based and on different servers. The other is AOL e-mail. They seem to know what I've been working on of late and the subject line is using filenames of web pages I've uploaded lately or sometimes it will say ignorant stuff like "border: none" and other mark-up terminology. Usually they come with some great words of wisdom such as "this is an excite game. I hope you would like it". And yes they are sending it to our customers too. I need to start deleting e-mail every day. Sorry this post was of no help. I just wanted to complain some.

bobriggs

11:19 am on Aug 28, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



this is an excite game. I hope you would like it

Birdman - what you are seeing are klez virus emails.

Don't open these if you're using Outlook express. Take a look at the email headers if you can and look at the Return-Path header. That's where they're originating from. You're getting them because your email address is in someone's address book. And it will also use your email address as the From: field to others.

[vil.mcafee.com...]

Dreamquick

11:30 am on Aug 28, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If you have the headers you could always try something like spamcop.net - normally I use this for reporting spam but it incorporates a *very* useful header analysis tool as part of the main system.

Put the headers from the message with the fake-address into that type of service and you will see where it is coming from - but be warned a lot of real spam ends up coming from open-relays and the far-east and so any attempt to stop the flow may take some time.

-Tony

bcc1234

3:51 am on Aug 29, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm pretty sure the reason they started using somebody else's real emails instead of bogus ones is because some dumb but large providers decided it would be a good idea to check the origin of the from e-mail and see if it's real. And they drop e-mails that fail checks for dns, finger, etc...

So the spammers now have to use real e-mails so they pick one from the list and use it and people suffer.

I started getting the same thing and it's going to get worse when all of the spammers realize that they should do it.