Someone keeps using my domain to send spam

I get 50 returned emails a day saying address not found

         

lizzie

11:11 pm on Nov 23, 2003 (gmt 0)

10+ Year Member


Someone has been using one of my domain names to send spam so it looks like it is coming from my domain. It is a good domain so I want to keep it. Every day I get at least 50 emails saying returned mail, address not found. This person must really be sending tons of spam. These come in constantly, day and night.
This has been going on for years but lately the amount is incredible.
Will I get in trouble from this?

hanuman

3:52 am on Nov 24, 2003 (gmt 0)

10+ Year Member



More probably someone is sending spam using fake headers that look like the spam originated from your domain. In most cases you can track the spammer IP by examining the headers, or using the free services of spamcop.net.

Spamcop will either post a complaint or will parse email addresses, email headers and URLs to their originating IP.

Now what you should do is to complain to the abuse@_the_bad_spammer_address

Would it help? Not much for you, but it would greatly assist the spam public IP blacklists.

hth

morpheus83

4:31 am on Nov 24, 2003 (gmt 0)

10+ Year Member Top Contributors Of The Month



I also experience the same problem. Someone regularly sends 4-5 mails a week as spam from our domain. It is quite simple to send mails like this; you can do it just by setting up an SMTP server and using Outlook Express. However, if you send confidential mails you can authenticate yourself by including a digital signature; you can get it free at www.thawte.com.

hanuman

9:15 am on Nov 24, 2003 (gmt 0)

10+ Year Member



Here are a few URLs to help you figure out how to parse email headers.

[support.xo.com...]
[rahul.net...]

A little different description of headers:
[digital.net...] - Line by line tracing of a spammer's e-mail
[digital.net...] - Line by line tracing of a spammer's e-mail when the spammer has inserted a "Fake" Received line to confuse tracking the e-mail.
[help.mindspring.com...]
[help.mindspring.com...]
[stopspam.org...] - In depth header analysis
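
An added example, not part of any post in this thread and not taken from the linked guides: the line-by-line Received trace described above, in Python, including the case where a fake Received line has been inserted. The sample headers, every hostname and IP, and the names `parse_hops` and `trace_origin` are constructed for illustration; it assumes you know the IPs of the receiving side's own relays.

```python
import re
from email import message_from_string

# Constructed sample: headers of a spoofed message as quoted back in a bounce.
# Every host and address is made up (documentation IP ranges).
SAMPLE = """\
Received: from mx1.recipient.example (mx1.recipient.example [198.51.100.10])
\tby mail.recipient.example with ESMTP; Mon, 24 Nov 2003 03:10:02 +0000
Received: from yourdomain.example (unknown [203.0.113.77])
\tby mx1.recipient.example with SMTP; Mon, 24 Nov 2003 03:10:01 +0000
Received: from mail.yourdomain.example (mail.yourdomain.example [192.0.2.25])
\tby relay.yourdomain.example with ESMTP; Mon, 24 Nov 2003 03:09:00 +0000
From: sales@yourdomain.example
To: nobody@recipient.example
Subject: constructed sample

body
"""

# "from <HELO name> (<reverse DNS> [<IP>]) by <stamping host>"
HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def parse_hops(raw):
    """Return the Received hops, newest first (each relay prepends its line)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if m:
            hops.append(dict(zip(("helo", "rdns", "ip", "by"), m.groups())))
    return hops

def trace_origin(raw, trusted_relay_ips):
    """Walk newest-first. A line is believable only if the server that wrote it
    is trusted; the first sender IP outside the trusted relays is where the
    mail really entered. Older lines were supplied by that sender and may be fake."""
    hops = parse_hops(raw)
    for i, hop in enumerate(hops):
        if hop["ip"] not in trusted_relay_ips:
            return hop, hops[i + 1:]
    return None, []

if __name__ == "__main__":
    origin, unverified = trace_origin(SAMPLE, {"198.51.100.10"})
    print("handed over by:", origin["ip"], "claiming to be", origin["helo"])
    for hop in unverified:
        print("unverifiable (possibly forged):", hop["helo"], hop["ip"])
```

The IP in square brackets is recorded by the receiving server, while the name after `from` is whatever the sender claimed, which is why the trace keys on the IP when deciding where to send an abuse report.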

Shadows Papa

3:46 am on Nov 25, 2003 (gmt 0)

10+ Year Member



lizzie,

It MAY be spam, OR it might be a simple worm.
Most modern worms "spoof" the sender's address - in some cases, it's near impossible to trace.
The infected computer is probably one or more whose owners might not even know you, probably don't know they are infected.
A lot depends on how well known your address is.
You are computer A.
Targeted recipient is computer B.
Sender is computer C.
C has visited a web site or has some file on their computer that has the email address of you and B. The worm searches the web cache stored on computer C, Word and other Office documents, address book, etc. for a format it recognizes as being a domain/mail address.
It picks two, uses one to be the sender's address. It fakes, or spoofs the address. It then sends to other addresses it has collected. If any are bad - guess what - YOU receive the failed send messages because you are listed as the sender and return address. The REAL sending computer, C, is sending them, but using A as the "from" and B as the "to" address.
Your chances of finding them are slim, but it can be done in many cases with a lot of work. Depends on the worm and other circumstances.
The above is the generic scenario; different worms use different methods, but the result can be you getting hundreds of "failure" messages a day. Also, worms have different motives - it might be to send SPAM, it might be simply to "infect". Some worms have actually been found to contain spam messages they are to send, others look to a central source for further instructions, such as the message they are to send.
The kicker is that you are an innocent bystander - your computer is not the infected one.

Shadows Papa
former support tech for Symantec, and former anti-virus engineer for a major financial company in the MidWest (currently looking for a job).