Spoofed E-mail Account

How do we track these guys down?

arsllc

6:29 pm on Dec 1, 2004 (gmt 0)

10+ Year Member



Forum,

I'm new to the forum, found you on a Yahoo search. I'm fairly literate on PCs, but not so much in the web world. I have a new domain and site, and had an e-mail forward account (not even an actual e-mail account until recently) snatched/compromised/spoofed. My domain hosting company states they're unable to help. You guys seem pretty knowledgeable, based on the posts, so where do I start?

Just so everyone knows, my goal is search and destroy. I have no sympathy for thieves, criminals, or unscrupulous behavior.

roitracker

6:45 pm on Dec 1, 2004 (gmt 0)

10+ Year Member



You can look at the headers & body url in the email, then do a WHOIS lookup on both to get the sending server, domain owner & hosting provider...

And you'll probably discover that the spam originates from somewhere in the Eastern European block or Far East... and that the website is hosted in China...

Welcome to WebmasterWorld. :)
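As an added illustration of the header reading roitracker describes (example code written for this edit, not from the thread or any poster): walk the Received: chain of a constructed header block, report the IP the oldest line claims, and separate it from the last hop you can actually rely on, the one that handed the message to your own provider. The host names and addresses are constructed placeholders from documentation ranges, and the trusted-domain suffix is an assumed parameter.

```python
import re
from email import message_from_string

# Constructed sample (not from the thread): From: claims the poster's domain,
# but the hops show where the message was really injected. Addresses are from
# the documentation ranges 192.0.2.0/24 and 198.51.100.0/24.
SAMPLE_HEADERS = """\
Received: from smtp-in.example.net (smtp-in.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id abc123; Wed, 1 Dec 2004 10:02:11 -0700
Received: from relay.example.net (relay.example.net [192.0.2.20])
\tby smtp-in.example.net with ESMTP; Wed, 1 Dec 2004 10:02:09 -0700
Received: from info.example.com (unknown [198.51.100.77])
\tby relay.example.net with SMTP; Wed, 1 Dec 2004 10:02:01 -0700
From: info@example.com

body
"""

# Usual shape: "from <helo> (<reverse-dns> [<ip>]) by <receiving server>"
HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[]*)\s*\[([\d.]+)\]\)\s+by\s+(\S+)", re.I)

def received_hops(raw):
    """Hops newest-first: each server prepends its own Received: line."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append({"helo": m.group(1), "rdns": m.group(2),
                         "ip": m.group(3), "by": m.group(4)})
    return hops

def claimed_origin_ip(raw):
    """IP in the oldest Received: line. The sender can forge this line."""
    hops = received_hops(raw)
    return hops[-1]["ip"] if hops else None

def handoff_ip(raw, trusted_suffix):
    """Last reliable hop: the first hop received BY a trusted server FROM an
    outside host. Lines below it were written by strangers and may be forged."""
    for hop in received_hops(raw):
        by_trusted = hop["by"].lower().endswith(trusted_suffix)
        from_trusted = hop["rdns"].lower().endswith(trusted_suffix)
        if by_trusted and not from_trusted:
            return hop["ip"]
    return None

def from_domain(raw):
    """Domain in From:, which is whatever the sender typed, not the origin."""
    return message_from_string(raw)["From"].rsplit("@", 1)[-1].strip("> ")
```

The address returned by handoff_ip is the one worth a WHOIS lookup; the From: domain only tells you what the sender chose to display.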

arsllc

7:16 pm on Dec 1, 2004 (gmt 0)

10+ Year Member



Thank you, roitracker!

I've tried doing that using www.dnsstuff.com, but I'm not finding much that is useful. My domain host company (GoDaddy.com) says they can't find anything either.

I just got a couple e-mails back this morning, one was an auto-reply from someone's server indicating I'd sent a virus infected file? (see below)

The prod.mesa1.secureserver.net is GoDaddy's mail server and that's confusing the heck out of me. These e-mails actually look like they're coming from my domain! I NEVER send from info@american.....blah, blah, blah. It's just an incoming account, and it's not a catch-all. None of my accounts are catch-alls. I'm feeling pretty ignorant about this stuff!

<snip>

[edited by: engine at 8:42 pm (utc) on Dec. 1, 2004]
[edit reason] TOS [/edit]

benevolent001

7:23 pm on Dec 1, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Generally, whenever we receive email we can have a detailed look at its sender by viewing the message source. I use Outlook Express, so it's pretty easy in it.
In the detailed message you can get the IP and timings etc. and other details of the sender.

arsllc

7:39 pm on Dec 1, 2004 (gmt 0)

10+ Year Member



benevolent001,

Using Outlook 2000 (SP3), used to use Outlook Express, but needed the features in Outlook, so I switched.

Can't find anything on sender details, all I have in Outlook is View Options, which give the internet header info, which is pretty much useless from what I can see?

roitracker

8:02 pm on Dec 1, 2004 (gmt 0)

10+ Year Member



The data you posted just shows that eSafe is sending a blocked message to your email address (since the spammer will have spoofed the "From" field to use your domain) & that the Godaddy server received it - you'll need the *original* spam email (often sent as an attachment in bounces/returns) if you want to try to find the spam source.

jimbeetle

8:20 pm on Dec 1, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



often sent as an attachment in bounces/returns

Beware. Many of the spoofed "returned mail" stuff I've been getting over the past few weeks, about 10 to 20 per day, have been carrying 2, sometimes 3, Netsky attachments.

arsllc

8:35 pm on Dec 1, 2004 (gmt 0)

10+ Year Member



Beware. Many of the spoofed "returned mail" stuff I've been getting over the past few weeks, about 10 to 20 per day, have been carrying 2, sometimes 3, Netsky attachments.

JimBeetle,

I believe I know what you're talking about. The bounce back e-mail has 2 attachments with it, one is from the recipient's server indicating that it removed the Netsky variant, and the other (I suspect) will be the original message, right? I haven't opened it because when I click on it, the PC doesn't recognize what application I want to use to open it.

I use Panda's Business Secure on a MS 2003 Server SMB and the client side is a notebook running MS XP Pro SP2. Should I gamble and try opening the bounce, even though it's probably infected? Wonder if Panda will clear it first?

Ideas?

pageoneresults

8:37 pm on Dec 1, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



You also might want to suggest to your host that they install an SPF [spf.pobox.com] file for your domain. And all of their other domains for that matter.

roitracker

8:54 pm on Dec 1, 2004 (gmt 0)

10+ Year Member



SPF is not widely implemented (yet) - and it won't ever be unless domain/hosting providers make it easy to publish an SPF record in their DNS records.

In any event, SPF won't have any effect on *returned mail* since the sender is legitimate in this case.

Should I gamble and try opening the bounce, even though it's probably infected?

Definitely not!

<added> If you're getting bounces from infected mail, this is NOT the same as someone using your email address as a spam bounce path, e.g. your email could be in the address book of an infected PC. </added>
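To make concrete both pageoneresults' SPF suggestion and roitracker's caveat that SPF does nothing for returned mail, here is a small SPF evaluator (example code written for this edit, not from the thread, spf.pobox.com or any poster). The records, domains and addresses are constructed; only ip4/ip6/all mechanisms are modelled, since the others need live DNS.

```python
import ipaddress

# Constructed SPF records, standing in for the TXT records a receiving server
# would fetch from DNS (example.com plays the poster's domain; addresses are
# from documentation ranges). Only ip4/ip6/all are modelled; a, mx, include
# and the rest need live DNS and are rejected here rather than faked.
RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "relay.example.net": "v=spf1 ip4:192.0.2.20 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(record, client_ip):
    """Evaluate one SPF record against the connecting IP, left to right."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        else:
            raise NotImplementedError("needs DNS: " + mech)
    return "neutral"  # ran off the end with no match and no "all"

def check_sender(mail_from, helo, client_ip, records=RECORDS):
    """Pick the identity SPF is checked on and evaluate it.

    A forged message claiming the poster's domain fails because it comes from
    an IP the record does not list. A bounce has an empty MAIL FROM, so the
    check falls back to the bouncing server's HELO name, and a real server
    returning backscatter passes: SPF does not stop returned mail.
    """
    domain = mail_from.rsplit("@", 1)[-1] if mail_from else helo
    record = records.get(domain.lower())
    if record is None:
        return domain, "none"
    return domain, spf_check(record, client_ip)
```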

arsllc

9:07 pm on Dec 1, 2004 (gmt 0)

10+ Year Member



So basically, I'm out-of-luck on trying to solve this problem or track these folks down?

You know what my domain hosting company suggested? Change your domain and create a "point-to". Yea, good answer, not!

I'm in an industry that unfortunately isn't known for its ethical business practices, I really don't want to start playing around with re-directs and changing domains every time this happens. It makes people even more suspicious (of me/us) than they already are on a normal basis.

"Frustrated, confused, and lost!"

jimbeetle

9:14 pm on Dec 1, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The bounce back e-mail has 2 attachments with it, one is from the recipient's server indicating that it removed the Netsky variant, and the other (I suspect) will be the original message, right?

There are a lot of different things going around.

Most of the ones that I'm getting are total spoofs. They might say "returned mail" etc., but they are not bounces, just made to look like it. Just got one that had 3 Netsky attachments. These kiddies are hoping we'll open up one of the "details" attachments.