
Spoofing - Spammers using legitimate mail addys

spammers spoofing legitimate email addresses


sotet

9:53 pm on Oct 26, 2002 (gmt 0)

10+ Year Member



Hi
I love webmasterworld, I have posted before, but it's been a very long while.

I have looked up some old posts in this forum about victims of spoofing, where spammers have taken to using legitimate email addresses to spam their bandwidth-stealing filth across the Internet. They are advertising bulk email of all things.

I am now a victim; I have a catchall on my mail for my personal domain, which is listed in search engines. The spammer is using a made-up name like udosktr@mydomain.nu and as a result, in the past week, I have gotten approximately 7 thousand returned messages. I ended up creating a box for that user alone.

I tried studying the headers, but much of it is faked, including the mail server they appear to be sending through. Their WHOIS is all faked too, fake email address, fake street address, etc.

Any other recourse here to get back at these low lifes? I have not yet contacted their hosts, but the homepages have directory listing denied, only a few subpages appear to be working, so I do not think the hosts have disabled their account. I did a little research, and I wish I could get these guys stopped; I think they are overseas.

Unfortunately, I am familiar with more and more people dealing with this same spoofing scenario which seems to be getting more and more prevalent with spammers.

dingman

12:42 am on Oct 27, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



What do you mean about bogus Whois information? I wouldn't be able to interact with my registrar if anything but the snail-mail and phone were false.

Can you post headers from a few of these messages? I have a pretty good track record of getting spammers' accounts canceled, and I'm sure some others here take as much pleasure in the sport as I do.

shelleycat

12:53 am on Oct 27, 2002 (gmt 0)

10+ Year Member



I've had this exact same thing happen to me. While I didn't manage to track down the people doing it, my hosting company managed to put a block in place so that none of the returned emails ever reached me. I assume they used some kind of filter on their email server. I know it didn't affect the bad guys in any way, but it did stop my inbox filling up. It might be something you could look into as a first step while you track them down.

nancyb

12:57 am on Oct 27, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I used to get a lot of this smarmy type email spoofing at my old host and would love to know a little more about how you track the info down from the headers. I look at them but am confused about which means what. Is there a site that offers some sort of tutorial on this?

My old host just told me I would have to live with it as it couldn't be stopped - just one of several reasons I'm outta there.

After a post here I took down my autoresponder because they seemed somehow to be using it. As soon as I took the autoresponders off most, but not all, of the cr*p stopped.

seofan

1:00 am on Oct 27, 2002 (gmt 0)

10+ Year Member



I have tracked down many spammers/kiddie porners. There have been quite a few instances of domains registered to obviously bogus people with obviously bogus addresses, like Sam Skam, 1234 Are You Kidding St., etc. The registrar that had a monopoly on the major TLD registrations for a long time is the most notorious for lack of verification of registration information.....

MarkHutch

1:22 am on Oct 27, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You certainly are not the only one affected by these types of tactics. We are having a rash of returned email messages from email addresses we don't have active, containing viruses. These addresses have never been active, but they are returned via our catch all account too. The bad thing is people are sending out these viruses using our addresses as the return address, which in turn creates more mail from businesses saying our message contained a virus and could not be delivered. We created a special box for all this stuff and I look through it once per day just to make sure some real message isn't mixed into that bunch of crap. I'm sure this is affecting millions of people these days. Don't know what a permanent solution is, but it sure would be nice to see some of these folks behind bars.

dingman

1:37 am on Oct 27, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Nancy - there are a few tutorials on the matter out there. Try a google search and I'm sure you'll come up with a few.

Essentially, the thing to remember is that the only thing that matters is lines that start with "Received", or the continuation lines of those headers, which start with whitespace. Each mail server that handles a message will add a "Received" header to the top of the message. The format of these headers depends on the mail server software, but generally it includes the name of the server receiving the message, the name of the server or client computer they are receiving it from, the IP address of the machine it is receiving it from, and some other info you probably don't care about.

Like the rest of the message, "Received" lines can be forged. What is special about them is that at least one of them is real. Since every mail server the message passes through adds a "Received" header to the top of the message, and the message has to pass through at least one mail server to get to your inbox, you know that the top "Received" header is real.

Sometimes, spammers are too stupid to fake any "Received" headers, and so all of them are true. More often, though, they add a few to throw you off the trail. There are a couple of ways to tell which ones are real, and which are not.

First, follow the trail back from the top "Received" line down towards the bottom one. If at any point the chain is discontinuous, ie, Server C says it got the message from server D, but the line below only mentions servers E and F, then you know that all the lines below the first discontinuity are fake. Use the information in the last valid Received line to figure out who to complain to. It's quite possible that the server in question is an 'open relay', and that the people responsible for it can't track down the perpetrator, but they can close their relay. You can also use the name and IP address of the machine that sent the message to that server to figure out what ISP they use. There can be some serious digging here.

Sometimes, the spammers are a little smarter than that, and add fake information that is continuous. In that case, you are likely to find server names that look suspiciously like dial-up modem names. If your message went through 'dialin1234567.city.bigisp.com', chances are excellent that it really originated at 'dialin1234567' and all lines earlier than that are fake. Send the full headers to abuse@bigisp.com.

This doesn't cover all possible cases, but it's a start.
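As an added illustration of the tracing method described in the post above (this is not code from the thread), here is a small Python script that unfolds the headers, pulls out each "Received" hop, and walks the chain from the top down until the first discontinuity or the first dial-up-looking name. All hostnames and IPs in the sample are constructed (example.* names, documentation address ranges), and the dial-up name pattern is a rough heuristic, not a standard.

```python
import email
import re

# Loose grammar for the part of a Received: line that matters; MTA formats vary,
# so the parenthesised reverse-DNS/IP part after the HELO name is optional.
_RECEIVED = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
_DIALUP = re.compile(r"dial|ppp|dsl|cable|pool", re.I)  # crude dial-up-style hostname heuristic

def parse_received(raw):
    """Received: hops in header order; index 0 is the server that delivered to our mailbox."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        value = re.sub(r"\r?\n[ \t]+", " ", value)  # continuation lines start with whitespace
        m = _RECEIVED.search(value)
        if not m:  # no "from ... by ..." part: keep the slot, but trust nothing in it
            hops.append({"helo": None, "rdns": None, "ip": None, "by": None})
            continue
        paren = m.group("paren") or ""
        ip = _IPV4.search(paren)
        rdns = next((t for t in paren.split() if "." in t and t[0] != "[" and not _IPV4.fullmatch(t)), None)
        hops.append({"helo": m.group("helo"), "rdns": rdns, "ip": ip.group() if ip else None,
                     "by": m.group("by").rstrip(";,")})
    return hops

def trace(hops):
    """Walk top-down: the top line is real; each lower line must have been added by the host the
    line above says it came from; a dial-up-looking name marks the origin. Report the last trusted hop."""
    trusted = hops[:1]
    for upper, lower in zip(hops, hops[1:]):
        names = {n.lower() for n in (upper["helo"], upper["rdns"]) if n}
        if any(_DIALUP.search(n) for n in names):
            break  # origin reached; everything below is forged padding
        if lower["by"] is None or lower["by"].lower() not in names:
            break  # chain broken: the lower line was not written by that host
        trusted.append(lower)
    last = trusted[-1] if trusted else {"helo": None, "rdns": None, "ip": None}
    return {"trusted": len(trusted), "forged_below": len(trusted) < len(hops),
            "report": {"host": last["rdns"] or last["helo"], "ip": last["ip"]}}

# Constructed sample in the style of the headers quoted in this thread. The third line is forged:
# it claims receipt "by relay.example.net", but the line above says the message came from dialin-42.
SAMPLE = """Received: from mx.example.org ([192.0.2.10])
\tby mail.victim.example (Postfix) with ESMTP id ABC123; Fri, 25 Oct 2002 13:15:55 -0500
Received: from dialin-42.bigisp.example (dialin-42.bigisp.example [198.51.100.42])
  by mx.example.org with SMTP id XYZ; Fri, 25 Oct 2002 13:12:27 -0500
Received: from mail.forged.example (203.0.113.7) by relay.example.net (6.5.029)
  id FAKE; Fri, 25 Oct 2002 19:42:52 +0200"""

if __name__ == "__main__":
    print(trace(parse_received(SAMPLE)))
```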

JayCee

2:27 am on Oct 27, 2002 (gmt 0)

10+ Year Member



MarkHutch:
If that is the klez worm, it's not exactly a human spammer.

The klez worm itself is designed to spoof email addresses, in order to make the sources of infection harder to find.

Someone's PC was infected with the worm and they had your email address in MS-Outlook. The worm then picked up your address and added it to the infected messages it sent out.

Same thing happened to me.

MarkHutch

2:39 am on Oct 27, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You're right JayCee. I didn't respond in the correct way. I sometimes have a hard time getting my point across correctly when typing on the computer. The email address in question is on one of our webpages, but it's not an address we ever reply with or even have on any computer. I hope that makes sense. Thanks for clearing this up for anyone that might have misunderstood what I meant in my previous post.

sotet

3:21 am on Oct 27, 2002 (gmt 0)

10+ Year Member



dingman,
Hey, if you are good at shutting these losers down, accolades to you. I appreciate any input. I suspect the spammers are overseas or the spam is originating overseas, South Korea specifically. The spam links to a site called handbagmonster.com

And yes, after reading others' replies, when I worked at a webhost, I told other victims of this ploy, our hosting company could do nothing about spoofing.

I did a netcraft and domainwhitepages on them; they are on Win2k server, but if you go to the homepage, it is Dir. Listing denied, which means simply the proper index page is removed. I tried sending email to the bogus yahoo address listed in WHOIS and also several names @handbagmonster.com and the mail all returned. I haven't attempted to email the hosts yet.

If you query this domain in Google usenet, the abuse section is the first thing that shows.

here is the info about this jerk spammer:

handbagmonster.com is the domain

They used a French Registrar, GANDI. The TLD .se doesn't exist. I probably have better headers than this; I have kept a handful of the returned email.

--------------------------------------------------------
Message-ID: <000070a919b8$00005caa$00007474@mail.admidata.se>
From: uokdstr@mydomain.nu ( i edited this)
To: affiliate@ ( i edited this)
Cc: visser@ ( i edited this)

Subject: Getting Down To It FS
Date: Fri, 25 Oct 2002 11:29:11 +0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
X-MS-Embedded-Report:
Content-Type: text/plain;
charset="iso-8859-1"

This message is an advertisement. We will continue to bring you valuable permission based messages on the products and services that interest you most unless you wish to decline <http://www.handbagmonster.com/help.html> .
We process all requests immediately. Copyright 2000, 2001, 2002 all rights reserved.

------
Pieces of links that still work:
[handbagmonster.com...]

[handbagmonster.com...]

[handbagmonster.com...]

nancyb

3:35 am on Oct 27, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



dingman - Thank you! I'm a stumble bum when first trying to learn something completely unfamiliar. Thanks for lighting a fire that burned some of the foggy foggy dew away :) Now, I can probably understand some of those tutorials.

And, sotet, I do know they can't actually stop the spoofing, but they could have suggested I take down my autoresponder, as was suggested on this board, or put a block up to stop all the returned emails or .....

dingman

6:00 am on Oct 27, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hmm. South Korean ISPs aren't always the most responsive about spam problems, which doesn't bode well. On the other hand, last time I got spam from a South Korean IP, it turned out to belong to an elementary school that happened to be running an open relay. They never answered my e-mail about the problem, but they did close the relay.

GANDI is my registrar, too. Which means that they have to have supplied a valid e-mail address, at least initially, to get set up. I'm not sure what would have happened if my billing invoices generated bounce messages, but I doubt it would have been good for my domain. GANDI doesn't speak to you or write to you except through automated messages to the same e-mail address listed in the WHOIS data for the domain. They mail you your administration password, too, so it really is important to at least start out with that info accurate. If you really want to try to cause these people problems, and can prove that their contact info is invalid, see section VI of the service contract (http://www.gandi.net/contract.en.txt), which requires that you keep your contact info correct and up to date.

It looks to me like .se is probably the Swedish national TLD, given that the web page for that registry is almost entirely in Swedish. At any rate, it clearly exists as a TLD, 'cause I just visited www.nic-se.se and got a registry site. Looked up admidata.se, got all the standard info.

Can you get the "Received" lines? Not all e-mail clients will show them, but they are essential to tracking down spammers. I never believe a byte of any other line in spam.

Nancy - glad that was useful. The more people who learn to do this, the harder it is for spammers to hide. And that's good for all of us.

sun818

8:05 am on Oct 27, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



What do people think of SpamCop.net? I just submit spam e-mails to them, it gets processed, and the report is sent to the most likely sources.

sotet

6:02 pm on Oct 27, 2002 (gmt 0)

10+ Year Member



Thanks, Dingman.
I guess my own search has not been successful; .se is a valid TLD. I took it at face value at one WHOIS site that it did not exist, but you are right, it is a Swedish domain.

Well, I continue to get about a thousand returned messages at a rate of every 8-10 hours.

Interesting about GANDI; my registrar Eyeondomain.com does not require valid email addresses and phone numbers. Over the past year or so, I have seen a lot of WHOIS entries that have invalid email addresses and info.

I found an 800 number from a link posted in the net admin abuse area of the usenet about handbagmonster.com, I wonder if I should call them and ask to speak to a manager about them spamming with my domain. Any ideas?

I will try with another header which shows an Italian mail server and then through AOL and then Mexico? - I followed your post on how to read these headers, and I probably need more practice; most of the ones I viewed showed .kr headers:

Received: from smtp3.cp.tin.it (vsmtp3.tin.it [212.216.176.223]) by rly-xg02.mx.aol.com (v89.10) with ESMTP id MAILRELAYINXG29-1025134242; Fri, 25 Oct 2002 13:42:42 -0400
Received: from mail.radioactivo.com.mx (80.104.18.40) by smtp3.cp.tin.it (6.5.029)
id 3DB5E7590012B39C; Fri, 25 Oct 2002 19:42:52 +0200
Message-ID: <0000725b45ec$00007ab6$00001a93@mail.admidata.se>
To: <alicet@ (i edited this)
Cc: <camtelco@te (i edited this)
From: "Grandpa" <uokdstr@mynudomain.nu> (i edited this)
Subject: Can't Find It XJG
Date: Fri, 25 Oct 2002 10:49:32 -1900
MIME-Version: 1.0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
-----------------------------------------
2nd header:
-----------------------------------------
Received: from mail.e-carrollschools.org ([204.119.246.198])
by mail.itsram.com (Lotus Domino Release 5.0.9a)
with ESMTP id 2002102513155545:38914 ;
Fri, 25 Oct 2002 13:15:55 -0500
Received: from kyla.kiruna.se (pj82.zgora.sdi.tpnet.pl [80.49.52.82]) by mail.e-carrollschools.org with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
id VDRHP6HP; Fri, 25 Oct 2002 13:12:27 -0500
Message-ID: <00004913444e$0000130e$000033b4@snubby.enic.cc>
To: <igno@ (i edited this)
Cc: <cc42@ (i edited this)
From: "Tami" <uokdstr@mynudomain.nu> (i edited this)
Subject: Where Were We Q
Date: Fri, 25 Oct 2002 11:22:30 -1900
MIME-Version: 1.0
X-MIMETrack: Itemize by SMTP Server on RAMSMTP/ITSRAMEX/ITSRAM(Release 5.0.9a ¦January 7, 2002) at
10/25/2002 01:15:55 PM,
Serialize by Router on RAMSMTP/ITSRAMEX/ITSRAM(Release 5.0.9a ¦January 7, 2002) at
10/25/2002 01:15:56 PM,
Serialize complete at 10/25/2002 01:15:56 PM
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
charset="iso-8859-1"

JayC

7:45 pm on Oct 27, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Someone's PC was infected with the worm and they had your email address in MS-Outlook. The worm then picked up your address and added it to the infected messages it sent out.

The email address in question is on one of our webpages, but it's not an address we ever reply with or even have on any computer.

Just a clarification on that: Klez and its variants pull email addresses not just from Outlook and your address book (as was the case with many earlier, similar worms) but from your browser cache and other locations. So the source here could be anyone who visited Mark_Hutch's website where those email addresses are present.

But that also means that it's probably not true, Mark, that you don't have those addresses "on any computer." They are on any computer from which you have visited your own site or even on which you have a copy of the site (for example, the PC where the site was developed).

MarkHutch

9:54 pm on Oct 27, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



What I think has happened is one of our website visitors got this virus after they visited our website and they had that address in their cache from our page. None of the headers are from our IP's, so I know it's not coming from our LAN. I really hate this virus.

P.S. I think this virus is continuing to spread because many people don't check their computer for viruses on a regular basis and these new ones don't give the user any clue that there is a problem on their computer.