
Spam impersonating me (was Re: Spam: the last straw)



on Mon, Oct 15, 2001 at 11:14:00AM -0500, DvB (dvanbalen@jam.rr.com) wrote:
> I've been putting up with deleting spam from my email account for quite
> a while... it's kind of routine by now. The other day, however, I
> received the following in my Yahoo! Mail inbox, which leads me to
> believe that some @#*$&% is placing my address in the "From:" header of
> his/her scourge as he/she sends it out.
> Any idea how I can make this person stop? Is there some place I can
> report stuff like this?

See below.

> 
> >From postmaster@midnet.co.uk Thu Oct 11 20:55:00 2001
> X-Apparently-To: [my-address] via web14608.mail.yahoo.com; 11 Oct 2001 21:03:27 -0700 (PDT)
> Received: from 212.35.254.3 (EHLO midnet.co.uk) (212.35.254.3) by mta409.mail.yahoo.com with SMTP; 11 Oct 2001 21:03:26 -0700 (PDT)
> From: postmaster@midnet.co.uk | Block Address  | Add to Address Book
> To: [my-address]
> Subject: Undeliverable mail for @aol.com
> Date: Fri, 12 Oct 2001 04:55:00 +0100
> Message-ID: <1209259996-14019448@midnet.co.uk>
> Mime-Version: 1.0
> Content-Type: multipart/mixed; boundary="=_b7ec282400d5eb78@midnet.co.uk"
> Content-Length: 2388
> 
> The following message could not be delivered to captshane@@aol.com, 
> captsgwl@@aol.com and captsgal@@aol.com because the host @aol.com does 
> not 
> exist.
> 
>     ----Unsent message follows----
> 
> Attachment: Forwarded Message
> 
> Received: from 38.210.6.214 (38.210.6.214) by midnet.co.uk with SMTP (Eudora Internet Mail Server 3.0.3); Fri, 12 Oct 2001 03:55:06 +0100

This is a point of origin for the message.

38.210.6.214 (you want the value in parentheses; it's the
reverse-lookup value, and may differ from the announced value) resolves
to PSI.NET's netblock:

    $ whois 38.210.6.214

PSI is a large provider and has had longstanding issues with spam, to
some extent, unavoidable.

Your own mail appears to originate from 159.98.136.121 (from the headers
of the message I'm replying to, though I'm not positive what with
mailing list interactions), which is in IDB Communications netblock
(NET-IDB).

I'd post to abuse@psi.net and report the issue.  There's not a whole lot
else you can do, AFAIK.  Might help to get some sort of information to
send those who decide to retaliate on your spam by mailbombing you or
worse.  This is a lesson for those who would advocate such tactics:
mailbombing frequently misses the target and generates "collateral
damage".  I use tools to report spam to originating netblocks and
referenced URLs/emails in payload, for disposition.  spam.pl and
ricochet from Freshmeat are useful tools.

Incidentally, it was a similar impersonation of an address I used to use
which prompted me to sign (almost all) my mail.  If my mail's not
signed (and verified), the implication should be that it's not from me.

Email headers, including 'From' lines, can be manipulated arbitrarily.
A legitimate 'From' line, or one corresponding to the source of an
email, is not necessary, though they're suggested by standards and
protocols.

> Message-ID: <000054765fbf$00001fbf$00000f39@>
> To: captsgal@aol.com
> CC: captsh1ner@aol.com, captsgwl@aol.com, captsexybaby@aol.com,
> From: [my address, dammit!]
> Subject: Free Investment Report !!! (creighto)
> Date: Thu, 11 Oct 2001 22:54:24 -0400
> MIME-Version: 1.0
> Content-Type: text/plain; charset="Windows-1252"
> Content-Transfer-Encoding: 7bit
> X-Priority: 1
> X-MSMail-Priority: High
> 

-- 
Karsten M. Self <kmself@ix.netcom.com>       http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?             Home of the brave
  http://gestalt-system.sourceforge.net/                   Land of the free
   Free Dmitry! Boycott Adobe! Repeal the DMCA! http://www.freesklyarov.org
Geek for Hire                     http://kmself.home.netcom.com/resume.html

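As an added example (not part of the original post), the header-reading step Karsten describes, in Python: parse Received lines of the form seen in the quoted bounce, take the connecting address in parentheses rather than the announced name, and walk the chain from your own server downward, stopping at the first hop that no longer links to the one above it, since anything below that point could have been forged by the sender. The sample headers are constructed from the two Received lines quoted above; the trusted-server name is an assumption.

```python
import re
from typing import Optional

# Hop form seen in the quoted headers:
#   "from <announced> [(EHLO <name>)] (<connecting-ip>) by <server> ..."
# The IP in parentheses is what the receiving server itself observed.
HOP_RE = re.compile(
    r"^from\s+(?P<announced>\S+)"
    r"(?:\s+\(EHLO\s+(?P<helo>[^)]+)\))?"
    r"\s*\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
    r"\s+by\s+(?P<by>[\w.-]+)",
    re.IGNORECASE,
)

# Constructed sample: the two Received lines from the quoted bounce, newest hop first.
RECEIVED_HEADERS = [
    "from 212.35.254.3 (EHLO midnet.co.uk) (212.35.254.3) by mta409.mail.yahoo.com "
    "with SMTP; 11 Oct 2001 21:03:26 -0700 (PDT)",
    "from 38.210.6.214 (38.210.6.214) by midnet.co.uk with SMTP "
    "(Eudora Internet Mail Server 3.0.3); Fri, 12 Oct 2001 03:55:06 +0100",
]

def parse_hop(received: str) -> Optional[dict]:
    """Split one Received header into announced name, EHLO name, observed IP and receiver."""
    m = HOP_RE.match(received.strip())
    return m.groupdict() if m else None

def origin_ip(received_headers: list, trusted_by: str) -> Optional[str]:
    """Follow the chain from the hop recorded by our own (trusted) server downward,
    accepting the next hop only if its 'by' host matches what the previous hop saw
    connecting to it. Returns the observed IP of the deepest still-linked hop."""
    origin = None
    prev = None
    for hop in filter(None, map(parse_hop, received_headers)):
        if prev is None:
            if hop["by"].lower() != trusted_by.lower():
                continue  # not yet at a hop our own server recorded
        else:
            seen = {prev["announced"].lower(), (prev["helo"] or "").lower(), prev["ip"]}
            if hop["by"].lower() not in seen:
                break  # chain broken: this and later hops are unverifiable
        origin = hop["ip"]  # the parenthesised value, as the post recommends
        prev = hop
    return origin

def trace_quoted_bounce() -> Optional[str]:
    """Point of origin for the constructed sample, assuming Yahoo's MTA is our trusted hop."""
    return origin_ip(RECEIVED_HEADERS, "mta409.mail.yahoo.com")
```

Feed the result to `whois` (as in the post) to find the netblock and its abuse contact.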