
Re: [cobalt-security] Mail Abuse / Bandwidth Pirate



On Tuesday 15 July 2003 18:21, Vic O'Dell wrote:
> I am experiencing a problem with spam-challenged idiot! The idiot is
> sending tons of B/S spam using my domain name (plus random characters as
> usernames) as the return path for his spam email (i.e. selling outdated
> Lotus 97 for $39.99). The spam message is linked to this URL -
> http://www.bagngrab.com/lotus/lotus97.htm and after some investigation I've
> come up with the following info:
>
> DOMAINS THAT HE OWNS:
> bagngrab.com
> emarketsrus.com
>
> WHOIS:
> U Save
> Glen Hannifin (5782730.fly@xxxxxxxxxxx)
> 5208855899
> 958 S Sierra Nevada Dr
> Tucson, AZ 85748
>
> All day long, I get bounced emails with the original spam message attached.
> Over and over and over. I've looked up both of his providers and reported
> the abuse to no avail:
>
> AJ'S COMPUTER BUG INC.
> NEW EDGE NETWORKS
>
> Can anyone offer advice on how to deal with this problem? It is driving up
> my bandwidth costs and is a security nuisance. My server is a RAQ4i fully
> patched.
>
> Thanks,
> Vic O'Dell
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security

Difficult position.  First off you "require" full headers of the "original" 
spam message.  Then you start "forwarding" those spam complaints to the 
provider they came from and cc the domain provider that they originated from.

Can be dicey if you are not accustomed to reading sendmail headers since many 
of the headers will be forged, but at least the domain/provider that is 
reporting it to you (the top or last one) should be "accurate".  It is likely 
that many of them come through open proxies or trojaned machines, attbi, 
comcast, verizon, etc - but nonetheless, the more you "complain" to the 
"real" IP that the spam came from, the more "heat" it puts on the spammer and 
generally they move on (to someone else).

This is one of those specific instances where it really, really helps when you 
do _not_ have catch-all addresses since the bogus ones will fail.  As long as 
you can "prove" that your IP address is not in the list (meaning it did not 
originate or come through your machine) you can "win" - but it is not easy by 
any means and takes work on your part to "drive" them away.

-- 
Larry Smith
SysAd ECSIS.NET
sysad@xxxxxxxxx(Office)

PS:

Sendmail header breakdown:

Received: from list.cobalt.com([12.40.201.23]) (3340 bytes) by web1.ecsis.net
       via sendmail with P:esmtp/D:user/T:local
        (sender: <cobalt-security-admin@xxxxxxxxxxxxxxx>) 
        id <m19cZ7c-000075b@xxxxxxxxxxxxxx>
        for <lesmith@xxxxxxxxx>; Tue, 15 Jul 2003 18:22:12 -0500 (CDT)
        (Smail-3.2.0.111 2000-Feb-17 #1 built 2001-Mar-9)

### The above is my server "receiving the message from cobalt" ###

Received: from list.cobalt.com (localhost [127.0.0.1])
        by list.cobalt.com (8.9.3/8.9.3) with ESMTP id QAA12429;
        Tue, 15 Jul 2003 16:22:05 -0700

### This is the "internal" handoff from the listserve at cobalt to itself
### for outbound delivery to the list

Received: from hotmail.com (bay2-dav52.bay2.hotmail.com [65.54.246.41])
        by list.cobalt.com (8.9.3/8.9.3) with ESMTP id QAA12399
        for <cobalt-security@xxxxxxxxxxxxxxx>; Tue, 15 Jul 2003 16:21:50 -0700

### The above is the receipt of the message from hotmail by the cobalt
### listserve

Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
         Tue, 15 Jul 2003 16:21:20 -0700

### The above is the internal handoff by hotmail

Received: from 123.456.789.001 by bay2-dav52.bay2.hotmail.com with DAV;
        Tue, 15 Jul 2003 23:21:20 +0000

### The above is the receipt by hotmail of the message from your IP address
### (munged for this example)

X-Originating-IP: [123.456.789.001]

### This is the "originator" IP as added by hotmail to all incoming messages

END ITEM
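
As an added illustration of the header walk in the PS above (example code, not from the list post or from either poster), the following Python script parses a message's Received: headers bottom-up into transit order, flags loopback and unparseable (munged or forged) address literals, pulls hotmail's X-Originating-IP, and answers the "is my IP in the list" question. The sample message is constructed to mirror the chain above; the example.net/example.com recipients are assumed, and 123.456.789.001 is the post's own munged literal.

```python
import re
from email import message_from_string
from ipaddress import ip_address
# Constructed sample mirroring the chain above (123.456.789.001 is the post's munged literal).
SAMPLE = """\
Received: from list.cobalt.com([12.40.201.23]) (3340 bytes) by web1.ecsis.net
        via sendmail with P:esmtp/D:user/T:local; Tue, 15 Jul 2003 18:22:12 -0500
Received: from list.cobalt.com (localhost [127.0.0.1])
        by list.cobalt.com (8.9.3/8.9.3) with ESMTP id QAA12429
Received: from hotmail.com (bay2-dav52.bay2.hotmail.com [65.54.246.41])
        by list.cobalt.com (8.9.3/8.9.3) with ESMTP id QAA12399
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC
Received: from 123.456.789.001 by bay2-dav52.bay2.hotmail.com with DAV
X-Originating-IP: [123.456.789.001]
"""
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def classify(ip):
    # Loopback/private = internal handoff; an unparseable literal is munged or forged.
    if ip is None:
        return "no-ip"
    try:
        addr = ip_address(ip)
    except ValueError:
        return "unparseable"
    return "loopback" if addr.is_loopback else "private" if addr.is_private else "public"

def parse_received(value):
    # One Received: header -> its "from" clause, "by" host and first IPv4 literal.
    value = " ".join(value.split())            # collapse folding whitespace
    frm = re.match(r"from\s+(.*?)\s+by\s+", value)
    by = re.search(r"\bby\s+(\S+)", value)
    from_clause = frm.group(1) if frm else None
    m = IPV4.search(from_clause) if from_clause else None
    ip = m.group(0) if m else None
    return {"from": from_clause, "by": by.group(1) if by else None,
            "ip": ip, "class": classify(ip)}

def trace(raw):
    # Relays prepend Received:, so reversed() gives transit order: hop 0 is the origin.
    msg = message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]

def originating_ip(raw):
    # Hotmail's X-Originating-IP without the brackets; None when absent.
    val = message_from_string(raw).get("X-Originating-IP")
    return val.strip().strip("[]") if val else None
def involves(hops, ip):
    # The post's "prove your IP is not in the list" check.
    return any(h["ip"] == ip for h in hops)
```

Only the topmost hop (the one your own server wrote) is trustworthy; everything below it is what earlier relays claimed, which is why the script keeps the hop order and the class of each literal rather than just the first IP it finds.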