Forum Moderators: phranque
Has the spammer logged in as me, and is he using my account to send spam? What is the appropriate course of action, apart from emailing abuse@my_isp.com, which I have done?
Help!
Thanks in advance
Shawn
The headers are as follows:
===========================
Return-path: <perfectmlm101@imailbox.com>
Envelope-to: my_username@my_domain.com
Delivery-date: Mon, 21 Apr 2003 23:20:16 -0700
Received: from adsl-131.68.179.info.com.ph ([203.131.68.179] helo=okey62717.com)
by my_host_machine.my_ISP.com with smtp (Exim 3.36 #1)
id 197r8S-0003Yo-00
for my_username@my_domain.com; Mon, 21 Apr 2003 23:20:11 -0700
From: "my_username" <my_username@my_domain.com>
Reply-To: stopmailing2003@inbox.lv
To: my_username@my_domain.com
Date: Tue, 22 Apr 2003 02:03:35 -0400
Subject: Just Launched - Easy Money - No Recruiting Required 4/22/2003 2:03:35 AM
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
MIME-Version: 1.0
X-Precedence-Ref: 1234056789zx
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Message-Id: <E197r8S-0003Yo-00@my_host_machine.my_ISP.com>
This header line is inserted into the message by your own mail server on reception, in order to log the transmission.
From: "my_username" <my_username@my_domain.com>
The "From:" header (as most others) can be faked by trivial means. In this case, the spammers just made it look as if each message they're churning out was sent by the respective recipient. Nothing new or unusual about that, unfortunately.
It is just that I am used to seeing something along the lines of:
Return-path: <fake email address>
Envelope-to: my_username@my_domain.com
Delivery-date: Tue, 22 Apr 2003 04:40:22 -0700
Received: from spammers_ISPs_email_server.spammers_isp.net. ([ip address of spammer's ISP's email server])
by my_host_machine.my_ISP.com with smtp (Exim 3.36 #1)
id 197w8M-0000ON-00
for my_username@my_domain.com; Tue, 22 Apr 2003 04:40:22 -0700
Received: from SPAMMER (spammer's IP address) by spammers_ISPs_email_server.spammers_isp.net (.....)
id 3E96D1D2001B42C8 for my_username@my_domain.com; Tue, 22 Apr 2003 21:40:06 +1000
From: "fake name" <fake email address>
To: <my_username@my_domain.com>
Subject: Multilevel marketing is the way to go
Date: Tue, 22 Apr 2003 21:39:53 +1000
Message-ID: <......>
MIME-Version: 1.0
Content-Type: multipart/alternative;
:
:
So in the email I received, there is a step missing: the spammer sends directly to my ISP, not through his ISP. I thought it unlikely either that he is savvy enough to configure his own SMTP server or that his ISP is unscrupulous enough not to add the tracking information showing which of their email servers it went through, etc. In hindsight, now that you have pointed this out, I suppose there are plenty of people who are savvy enough to set up an SMTP server, or he could be using facilities at his employer (but even then, he'd need to be in pretty tight with their sysadmin...).
Can I rely on the IP address that my ISP records, or can that be faked too?
This is where the email originates from - a server on the end of a dynamic IP, issued by a DSL provider in the Philippines. Good luck shutting that one down.
The sender, rather than inventing a fake return address, is probably just putting the receiver's (your) address in the From field as well as the To field, in the hope that it will get past any filters more easily.
Of course, as you are unlikely to ever send emails to yourself, you could always filter as junk anything that says it is from you.
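As an added example, not part of the thread, here is a small Python script that does what the replies above describe by hand: it walks the Received: chain of the headers Shawn posted, treats only the hop stamped by the receiving MTA as trustworthy (everything below that line, From: included, was written by the sender), and flags the "From: equals To:" pattern as a filtering signal. It assumes my_host_machine.my_ISP.com is the recipient's own server; the sample message is reconstructed from the posted headers with the placeholder names kept as they appear in the thread.

```python
"""Added example (not part of the forum thread): trace which part of a
message's headers can be trusted.

Only the Received: line stamped by the receiving MTA (here assumed to be
my_host_machine.my_ISP.com, as in the posted headers) records a fact the
sender could not forge: the IP that connected to it. Everything below that
line, From: included, was written by the sender."""

import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers from the thread, refolded as one message.
SAMPLE = (
    "Return-path: <perfectmlm101@imailbox.com>\n"
    "Envelope-to: my_username@my_domain.com\n"
    "Received: from adsl-131.68.179.info.com.ph ([203.131.68.179] helo=okey62717.com)\n"
    "\tby my_host_machine.my_ISP.com with smtp (Exim 3.36 #1)\n"
    "\tid 197r8S-0003Yo-00\n"
    "\tfor my_username@my_domain.com; Mon, 21 Apr 2003 23:20:11 -0700\n"
    'From: "my_username" <my_username@my_domain.com>\n'
    "Reply-To: stopmailing2003@inbox.lv\n"
    "To: my_username@my_domain.com\n"
    "Subject: Just Launched - Easy Money - No Recruiting Required\n"
    "Message-Id: <E197r8S-0003Yo-00@my_host_machine.my_ISP.com>\n"
    "\n"
    "body\n"
)

# Assumption: the recipient's own MTA(s), lower-cased. Only these hops are trusted.
TRUSTED_MTAS = {"my_host_machine.my_isp.com"}

# Exim 3 writes "from <rdns> ([<ip>] helo=<name>)" when HELO and rDNS differ,
# and "from [<ip>] (helo=<name>)" when there is no reverse DNS at all.
RECEIVED_RE = re.compile(
    r"from\s+(?:(?P<rdns>[^\s\[()]+)\s*)?\(?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r"(?:\s+\(?helo=(?P<helo>[^\s)]+)\)?)?\s+by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)


def parse_received(value):
    """Split one Received: header into rdns/ip/helo/by, or None if unparsable."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
    return m.groupdict() if m else None


def trace_origin(raw, trusted=TRUSTED_MTAS):
    """Return the hop recorded by a trusted MTA: the first verifiable origin.

    Received: lines are prepended, so the newest (ours) comes first."""
    msg = message_from_string(raw)
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop and hop["by"].lower() in trusted:
            return hop
    return None


def suspicious_signs(raw):
    """List the header features discussed in the thread that point at spam."""
    msg = message_from_string(raw)
    signs = []
    hop = trace_origin(raw)
    if hop is None:
        signs.append("no Received: line stamped by our own MTA")
    else:
        if hop["helo"] and hop["rdns"] and hop["helo"].lower() != hop["rdns"].lower():
            signs.append(f"HELO {hop['helo']} does not match rDNS {hop['rdns']}")
        if len(msg.get_all("Received", [])) == 1:
            signs.append(f"{hop['ip']} delivered directly, no relaying MTA in between")
    _, frm = parseaddr(msg.get("From", ""))
    _, to = parseaddr(msg.get("To", ""))
    if frm and frm.lower() == to.lower():
        signs.append("From: equals To: (sender reused the recipient address)")
    _, ret = parseaddr(msg.get("Return-path", ""))
    if ret and frm and ret.lower() != frm.lower():
        # Weak on its own (mailing lists do this too); worth noting alongside the rest.
        signs.append(f"Return-path {ret} differs from From {frm}")
    return signs


if __name__ == "__main__":
    print("origin hop:", trace_origin(SAMPLE))
    for s in suspicious_signs(SAMPLE):
        print("-", s)
```

The only value the script takes at face value is the IP in the hop that the trusted MTA wrote; the HELO name, the rDNS label and the From: line are all under the sender's control and are used only as inconsistency signals, not as facts about who sent the message.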
This is where the email originates from - a server on the end of a dynamic IP, issued by a DSL provider in the Philippines. Good luck shutting that one down.
And the owner of that machine doesn't necessarily need to know anything about what's happening. The "Received:" headers are only added if a system receives the message through a standard channel (e.g. by SMTP). There are various other ways to proxy e-mail messages through misconfigured web or SOCKS servers, which don't leave the same traces. It could even be a hacked box, where the spammer remotely installed some software of his own that sends the messages.