
getting returned emails from ad_ad_path@mydomain that I haven't sent

Should I be concerned?


Trisha

9:35 pm on Feb 17, 2003 (gmt 0)

10+ Year Member



The past few days I've been getting emails with subject lines like:
- Permanent Delivery Failure
- Delivery Status Notification (Failure)
- Undeliverable mail: Want to boost your sales with Internet Marketing? Try HiMailer.

etc.

When I right-click and go to options (in Outlook), the To: line is <ad_ad_path@mydomain.com>

While I do have a catch-all set up, I never use that address and my sent items folder in outlook has nothing in it from that address. I checked the control panel at my host and it doesn't look like anyone has broken in there and added another address, and the site looks ok too. So what's going on? Are they faking this? If so why? Should I be concerned? Is someone trying to make it look like I am sending out spam?

Walt_G

12:31 am on Feb 25, 2003 (gmt 0)

10+ Year Member



Well, I did some more research. Now Google mentions FIVE sites about the ad_ad_path problem. Here are some apparent victims:

- ad_ad_path@ 5ie.co(m)
- ad_ad_path@ 6of8.co(m)
- ad_ad_path@ 6t1.co(m)
- ad_ad_path@ 64.115.1(6)
- ad_ad_path@ 7ky.co(m)
- ad_ad_path@ acquarivendo.co(m)
- ad_ad_path@ adamproject.ne(t)
- ad_ad_path@ aerospaceweb.or(g)
- ad_ad_path@ alouettes.ne(t)
- ad_ad_path@ artecommercio.co(m)
- ad_ad_path@ berdt.ne(t)
- ad_ad_path@ blusea.co(m)

I did some small editing to prevent e-mail harvesters from reading them too easily, although I found them on the Internet easily. My own domain is not in this list, but it also starts with "a". My humble guess is that they are using an ALPHABETICAL VICTIM domain list. I wanna bet that all you guys also have a low starting letter in your domain name, like a number, 'a' or 'b'. And I bet that next week Google will show more and more victims with c, d, e etcetera... :-(
It spreads like a virus, I'm afraid. Good luck, you guys. I have many domain names, so I'm getting quite worried that the problem will multiply for me quite soon...

Walt_G

1:33 am on Feb 25, 2003 (gmt 0)

10+ Year Member



Here I am again, three postings in a row, but I thought you guys and girls might be interested in any news on this.

I checked the Google newsgroup search engine, and I found that there are even more ad_ad_path messages there. My suspicion seems correct: all victims are domain names starting with a number or with an "a" or "b". Victims from all over the world: I saw domains from Belgium, Germany, UK, Holland, dot-coms, dot-orgs, dot-nets and more. So these Taiwanese spammers must have some big domain list, and they just follow the alphabet...

Key_Master

1:50 am on Feb 25, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I started getting the ad_ad_path E-mails (pointing to a domain beginning with f) over a month ago. They all get sent to /dev/null due to a permanent ban on himailer.

Walt_G

2:01 am on Feb 25, 2003 (gmt 0)

10+ Year Member



A domain starting with "f"? Oh, ehm, that is a surprise. Everything on Google has not passed "b" yet, I noticed.
Well, I'm puzzled now, there seemed to be a real pattern...

Trisha

2:20 am on Feb 25, 2003 (gmt 0)

10+ Year Member



My domain starts with an 'a' too!

I've received 9 of them now today.

Maybe although they have been sending this kind of spam for a while they started increasing it more recently picking new victims from the start of the alphabet.

At least if it is happening to more people, we are less likely to be blacklisted as the problem becomes more widely known.

Trisha

2:29 am on Feb 25, 2003 (gmt 0)

10+ Year Member



I almost forgot - Welcome to Webmaster World Walt! There's lots of good stuff in the other forums here too. Hopefully you and everyone else who finds this site through Google because of this problem will stick around even after this problem is solved. (At least I hope it gets solved!)

JCary

4:22 am on Feb 25, 2003 (gmt 0)

10+ Year Member



I can confirm Walt's suspicion, my domain starts with 'a' ... Oh well, it certainly is annoying, but hopefully my letter will pass soon and they'll be put to an end soon enough.

I've gotten, like everyone else, up to 10 a day.

I also saw one of the sites on Google 'warning' their visitors that they are not behind this... smart or unnecessary?

Josh

Trisha

4:35 am on Feb 25, 2003 (gmt 0)

10+ Year Member



I also saw one of the sites on Google 'warning' their visitors that they are not behind this... smart or unnecessary?

I may do it too. If they start doing it with one of the domains that are more important to me I definitely will. Unfortunately I have one that means a lot to me that also starts with an 'a'.

Walt_G

8:46 am on Feb 25, 2003 (gmt 0)

10+ Year Member



Hi Trisha, thanks for welcoming me. I hope we'll find some solution indeed. But I cannot promise that I will become a regular here, my life's just too busy. But I sure hope it will prove to be useful to stay here, well... :-)
It's nice that my suspicion proves at least partly true, so I can give some contribution as a newbie.

For now, I will not update my site, it is not important enough in this case, I never send mails from this domain anyway. And I guess that anyone who receives spam mails regarding my domain would be clever enough to think that it is very unlikely that a Taiwanese spammer would have anything to do with my site. At least, I hope so...

Maybe these spammers even have some bet, to find out how many victims would update their site as a consequence of their actions. If not really necessary, please do not give them that fun and 'reward', I would say.

MCooke

9:34 am on Feb 25, 2003 (gmt 0)

10+ Year Member



Hello again,

being UK based, you all seem up when I'm in bed, but what the heck! I have a few responses to posts:

1) our domain does begin with 'a'. One 'f' does not discredit the hypothesis, they could have just started this new tactic.

2) Trisha, this address is a good starting point for decoding mail headers: [stopspam.org...] but most of the bounce messages we get do not include the original message, let alone the full internet headers. The two I have had this morning that do both seem to originate from the same source, pchome d com d tw. You can also find out a lot of reverse dns info at [dnsstuff.com...] (I found both these sites this morning).

3) no news from my ISP yet, apart from the standard 'we value your custom' auto-reply...

The trouble is, with email being so easy to forge and not many people understanding how to decode headers (or being able to get at them), it is hard to prove who is responsible and even harder to do anything about it when you are a small company half the world away from the originators.

~ Mark C

jpruden

6:02 pm on Feb 25, 2003 (gmt 0)

10+ Year Member



Hi all, glad to have found you, and this thread. Just want add my experience of the last few days.

I've been getting the same bounces, with the same return path, and have rec'd them from aol, yahoo, juno, and sinamail. All for HiMailer.net, which last I looked was not working, nor was the deeper URL listed in the spoof mail.

The primary at my domain host thinks it may well be a self-replicating virus deal . . . selecting a domain name from the address book.

Seeing the thread above though, with most domains being a and b name (mine is too) makes me wonder. Looks like the badguys are going down through a list.

I've got some .htaccess questions I'll post at another time. Trying to prevent both hotlinking and rightclick saving of images...

Nice boards . . . I'll be back.

Trisha

6:43 pm on Feb 25, 2003 (gmt 0)

10+ Year Member



Welcome to webmaster world jpruden! Did you find this thread through Google?

There have been many threads around here about how to prevent hotlinking. I don't remember which forum sections they were in though. You could try the site search or check Webmaster General, Website Technology Issues, or maybe even Site Graphics and Multimedia Design or HTML and Browsers could have had a thread about it. There's not a lot you can do about right-clicking, but there have been discussions about that too recently.

I'm pretty convinced of the going through the alphabet thing with picking domains to use.

Mark - I'll check out those two sites later today. Thanks.

jpruden

7:56 pm on Feb 25, 2003 (gmt 0)

10+ Year Member



Thanks Trish.

Yes, I found this thread via a link which the primary at my domain host had provided:

[google.com...]

In those results is also the info on the Taiwanese spammer:
[aerospaceweb.org...]

I'm pretty well set on the hotlinking, but was going to check, too, if I could add to my .htaccess for rightclicking. I'll get that thread going elsewhere, though.

Looking forward to participating as able here.

Jip

"On the road in America"
AmericanWeblog.com

wileedingo

1:53 am on Feb 26, 2003 (gmt 0)

10+ Year Member



Hi All,

We too have become the victim of the ad_ad_path@mydomain "campaign".

Details:
1) received the first two "System Administrator: Undeliverable..." messages today

2) our domain name starts with c

3) both cases refer to HiMailer

4) found this thread through MSN Search

5) I have spoken to our ISP about it. They said there is not much that can be done, other than hope that we don't get blacklisted for spamming.

6) I will send another message to our ISP asking if they can block a) any message to ad_ad_path, and b) failing that, any message from .tw or .kr, as we don't ordinarily get e-mail from there.

7) I intend to follow the directions on the Aerospaceweb.org page and will report back any progress made.

8) I hate spam.

WileE

wileedingo

2:37 am on Feb 26, 2003 (gmt 0)

10+ Year Member



I got a very quick response from NameSecure, (former) registrar of HiMailer:

We've shut down their websites, but unfortunately we can't stop them from sending out advertisements. Hopefully when they realize that their sites are down they'll stop. They aren't sending the spam from their domain name - it comes from a different place every time. We're doing everything we can. Thank you for your patience.

WileE

jpruden

2:57 am on Feb 26, 2003 (gmt 0)

10+ Year Member



Cool beans, WileE - thanks for the update and for writing them.

Jip/AmericanWeblog.com

sparrow

3:02 am on Feb 26, 2003 (gmt 0)

10+ Year Member



Yo! Count me in as well.
The site's name begins with "C". It started last Thursday or Friday; I am hit with them every day now.

Some look like they are trying to relay, using our site to look legit. Are you seeing the same thing as well as the ad_ad@mydomain.com?

Rick_M

3:13 am on Feb 26, 2003 (gmt 0)

10+ Year Member



Getting this junk too. My domain starts with "a". Hope it doesn't have any long-lasting impact, and hopefully this isn't a new trend.

JCary

3:26 am on Feb 26, 2003 (gmt 0)

10+ Year Member



WileE,

You said, "6) I will send another message to our ISP asking if they can block a) any message to ad_ad_path, and b) failing that, any message from .tw or .kr, as we don't ordinarily get e-mail from there."

I'm a bit confused. This Himailer site is using our domains (or making it look like it's our domains) to send out tons of spam e-mail. We, as the webmasters, are getting the bounced e-mails returned to ad_ad_path@mydomain. So it seems that in order to stop/prevent this, we'd need to figure out how they are doing it, right? As opposed to stopping messages from .tw or .kr - because they are succeeding in sending the mail from our domain.

Does that make sense?!?

Josh

jpruden

3:42 am on Feb 26, 2003 (gmt 0)

10+ Year Member



Josh - They (the spammers in Taiwan) are not sending the emails from our domains . . . just using our domain names in the return path.

That way anyone trying to write back about not liking the unsolicited mail--or wanting to complain to another party--will first go to the return addy. As said elsewhere, not a lot of people take the time, or are able, to explore the header for the true origin of the email.

Stopping the messages from .tw or .kr is fine for those who wish just not to have to deal with all the bounces.

sparrow - None of my bounces look like they were originally relayed via the server on which my domain resides. This was confirmed by my domain host.

As I said earlier and WileE gave reason for in post#45, their sites are down. Why send mail to promote a product for which there is no site.

No doubt a lot of it is done by bot, and a little time will prove they won't keep on keepin' on.

I like the deal Aerospace did on their site about the junk... ID'ing the perps and letting their visitors know it was spam. I'll most likely do similar on my sites if it keeps up.

Jip

wileedingo

7:52 am on Feb 26, 2003 (gmt 0)

10+ Year Member



You're right, Jip, and no Josh, I think I was the one who was a bit confused. They're not using my ISP's mailserver to send the e-mail, just our domain in the return path. So blocking as I suggested won't work. Drat.

WileE

pclerc

8:23 am on Feb 26, 2003 (gmt 0)



My domain name starts with a, and I have received "not delivered" return mails for 10 days.
I have tested the servers (local and hosted); there is nothing bad.
The original HiMailer spam was not sent by us, but the return address is in my domain.

For blocking, I have done this:

- create an ad_ad_path@mydomain.com account on my mail server
- this account has no storage; it redirects all mails to sales@himailer.com

Since then, I have not received other return mails!

Walt_G

8:32 am on Feb 26, 2003 (gmt 0)

10+ Year Member



Yeah, this proves that the "Reply to" is a mean tool. Maybe it should not be used by autoreply mechanisms, because a mistake (or a systematic ad_ad_path error on purpose) can bother thousands of people.

Blocking the ad_ad_path mails feels a bit like closing your eyes when there is thunder and lightning outside: it won't solve the situation, you just try to ignore it a bit. But one has to when it gets too bad. For my "a" domain, there were only two ad_ad_path mails during the last couple of hours, so hopefully it is slowing down with the "a" domains now?

Personally I would not make an apology page on my site, until I get real reactions from complaining PEOPLE. Until now I only had autoreplies from mail systems, I do not care about those, and I will not adjust my site for that reason. I refuse to react to spammers that way. Your adjusted website will be easily traceable with Google if you do it, so they can see their 'score' soon. If I were a spammer (I'm not, trust me), I would feel lots of joy to see that people start adjusting their home page just because of me. So I would say: do NOT give them that fun! Just wait until it goes by. Ten autoreply mails per day is not too bad, is it? And it seems to slow down now. Did anyone of you get complaints from REAL people?

JCary

2:10 pm on Feb 26, 2003 (gmt 0)

10+ Year Member



So much to reply to!

Walt, I haven't set up any account forwarder yet but I don't think it's exactly like closing your eyes. What if you didn't just blindly fwd email to ad_ad_path back to himailer, but sent a copy to himailer of every piece of mail you receive.

Now, they are sending all these emails out and have zero bounced or undeliverables to deal with.

People have been talking about getting "blacklisted" - what does that mean to a webmaster? Blacklisted from what, sending mail to certain ISPs? If that's the case, couldn't the ISP see that we're not the real sender instead of blacklisting?!?

And no, I haven't received any mail from a person (yet?!).

Josh

kyr01

3:19 pm on Feb 26, 2003 (gmt 0)

10+ Year Member



Ok, count me in, too. 20 undelivered messages received yesterday and 21 more today. They all used the same ad_ad_path@mydomain.com address, and my domain name starts with c. No question they are using some kind of list, hopefully trying not to upset any webmaster...
The other thing I noticed is that the messages were originally directed to a bunch of accounts on the same domain, and bounced to ad_ad_path@mydomain.com as somehow the webmaster already had a filter in place.
I am not going to make changes to my site because of this, but I am really worried about not being able to stop these people from using my domain name. I don't want to filter the bounces out, since this would make it impossible to monitor the situation, but it could probably be worth putting a filter on all incoming messages with 'ad_ad_path' in their from address. At least we could make it more difficult for these people to send spam (they would need to change the from address each time).

KenBartley

4:15 pm on Feb 26, 2003 (gmt 0)

10+ Year Member



artscouncil-ni.org is now getting the same junk, so it would appear to be running alphabetically.

Do you think the software they are trying to flog does the same thing? If this is the case, and people have bought it, and it always runs alphabetically then this could become a problem which just keeps repeating...

Walt_G

4:17 pm on Feb 26, 2003 (gmt 0)

10+ Year Member



Josh, I'm definitely NOT gonna send a copy to himailer of every piece of mail I receive. I'm pretty much convinced that these guys know what they're doing. They probably do not care about reply mails, and they will not respond to any mail like this, I bet. And my mail does not have autoreply anyway...

I saw that some ad_ad_path addresses are already on some spam filter list (blacklisted), but since ad_ad_path is only used by these spammers, that's no problem, I guess. More dangerous would be if systems would blacklist the whole 'mydomain', but I don't know if that often happens.

Yep, Kyr01, my earlier 'humble guess' is really true, it seems, now that 'c' domain owners are joining our discussion. Welcome to the club. ;-)

I'm happy to announce that for me the flow is really slowing down: only five until now today (European time).

Kyr01, you can never stop these people from using your domain name, I think. Anyone can use anyone's name as the reply address. If a mail bounces somewhere, it will go back to the reply address. That's a silly logic, if you ask me. I guess, bounces should be sent to the real sender, not to the reply address. Maybe our discussion is going to be the beginning for this? Or maybe bouncing should stop anyway, it is mostly fun for spammers, not much use for people who use correct mail addresses.

I don't think we can make life more difficult for these people to send spam, I guess they automatically change the reply address each time. And the reply address does not bother their spamming anyway.

kyr01

4:27 pm on Feb 26, 2003 (gmt 0)

10+ Year Member



Walt,

I wasn't suggesting to filter bounces. I was saying that we could filter all messages coming from ad_ad_path@anydomain.com just to keep our mail accounts clear of the real original spam messages (the ones intended for the final user, I mean). I suppose that the bounces I received were originated from a mail server already set this way: instead of banning mydomain.com, which is the part of the address that keeps changing, they filtered using the ad_ad_path expression. I am probably going to do the same, since this way I'll keep monitoring the bounces but at least I'll never receive the original spam message from himailer (which, sooner or later, someone even on this board should start getting...). In the end, if we all filter out the ad_ad_path expression, himailer will need to change that part of the address, too (just trying to make their life a tiny bit more difficult...)
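Mark's advice earlier in the thread (read the headers of the original message that some bounces carry) and kyr01's suggestion just above (filter on the ad_ad_path local part) combined in one added example; this is not code from the thread, and the hostnames, relay list and sample bounces are all constructed. It sorts a delivery failure notice into a genuine bounce or backscatter by checking the first Received hop of the attached original against the relays that really send the domain's mail, which a forged From or Return-Path cannot change.

```python
# Added example, not code from the thread: sort delivery failure notices into
# genuine bounces and backscatter from a forged return path (all names constructed).
import email
import re
from email import policy
from email.utils import parseaddr

OUR_RELAYS = {"mail.mydomain.example"}  # hosts that really send our mail (assumption)
FORGED_LOCALPART = "ad_ad_path"         # local part of the thread's forged address
RECEIVED_FROM = re.compile(r"from\s+([\w.-]+)", re.IGNORECASE)

def embedded_original(bounce):
    """Return the original message attached as message/rfc822, or None."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def first_hop(msg):
    """Host named in the bottom-most Received header: where the message first
    entered the mail system, which a forged From or Return-Path cannot alter."""
    received = msg.get_all("Received") or []
    match = RECEIVED_FROM.match(str(received[-1]).strip()) if received else None
    return match.group(1).lower() if match else None

def classify(raw_bounce):
    """Return (verdict, first_hop); verdict is 'backscatter', 'genuine' or 'unknown'."""
    bounce = email.message_from_string(raw_bounce, policy=policy.default)
    original = embedded_original(bounce)
    hop = first_hop(original) if original is not None else None
    localpart = parseaddr(str(bounce.get("To", "")))[1].split("@")[0]
    # Nobody legitimately mails from ad_ad_path@, so a bounce addressed to it
    # is backscatter even when the notice carries no original message.
    if localpart == FORGED_LOCALPART:
        return "backscatter", hop
    if hop is None:
        return "unknown", None
    return ("genuine" if hop in OUR_RELAYS else "backscatter"), hop

def sample_bounce(recipient, hop_host):
    """Constructed DSN shaped like the thread's failure notices, original attached."""
    return f"""From: MAILER-DAEMON@example.net
To: <{recipient}>
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/rfc822

Received: from {hop_host} ([203.0.113.77])
 by mx.example.net with SMTP id k7; Tue, 25 Feb 2003 08:59:00 +0000
From: <{recipient}>
To: nobody@example.net
Subject: Want to boost your sales with Internet Marketing? Try HiMailer.

(body omitted)
--B1--
"""

BACKSCATTER = sample_bounce("ad_ad_path@mydomain.example", "relay.unknown.example")
GENUINE = sample_bounce("webmaster@mydomain.example", "mail.mydomain.example")
# A forged address with some other local part is still caught, via the first hop.
FORGED_OTHER = sample_bounce("webmaster@mydomain.example", "relay.unknown.example")
```

Bounces that carry no original message and are addressed to an ordinary mailbox come back as 'unknown', which is the case the thread notes most of these notices fall into.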

Walt_G

4:59 pm on Feb 26, 2003 (gmt 0)

10+ Year Member



I don't know about the bouncing reason, I think the bouncing comes from using non-existing addresses.

Something else is puzzling me: why are they constantly using this "ad_ad_path" prefix? Does it have any specific meaning (could not find it with Google)? And why is it always the same, while at the same time they are changing the 'mydomain' part? Or could there be other forums discussing similar spam problems with something like "da_da_route" or so...? I mean, basically they could change the whole reply address every time, they seem to have some domain list, why not change the prefix too? Is the ad_ad_path their 'trademark'? Are they reading this discussion and having fun about us victims?

And I just don't understand the fun or use for them. What's the reason for all of this? Why do they use a reply mail address which is not theirs? Just to prevent getting millions of bounces? Maybe this way their provider does not easily notice them as spammers? Does anyone have an idea about WHY they would do this?

kyr01

5:16 pm on Feb 26, 2003 (gmt 0)

10+ Year Member



<quote>Are they reading this discussion and having fun about us victims?</quote>

Just in case this may be true, I would like them to know that evolution will get rid of them as of all short-brained species...
