WebHSP Community Forums
Topic: Spoofed Spam/Junk
Carl
« on: February 19, 2006, 11:47:54 PM »

The last couple of days I have been receiving junk mail from someone spoofing my domain name. I have no e-mail setup for this domain. I have pasted the full message below. Any ideas on how to track this down?

Received: (qmail 15346 invoked from network); 20 Feb 2006 05:34:28 -0000
Received: from unknown (HELO pre-smtp08-01.prod.mesa1.secureserver.net) ([64.202.166.49])
          (envelope-sender <nobody@moria.vosn.net>)
          by smtp11-01.prod.mesa1.secureserver.net (qmail-ldap-1.03) with SMTP
          for <carl@cdsnorth.com>; 20 Feb 2006 05:34:28 -0000
Received: (qmail 16293 invoked from network); 20 Feb 2006 05:34:28 -0000
Received: from unknown (HELO moria.vosn.net) ([205.214.78.128])
          (envelope-sender <nobody@moria.vosn.net>)
          by pre-smtp08-02.prod.mesa1.secureserver.net (qmail-ldap-1.03) with SMTP
          for <carl@cdsnorth.com>; 20 Feb 2006 05:34:28 -0000
Received: from nobody by moria.vosn.net with local (Exim 4.52)
   id 1FB3gq-0002EV-0X
   for carl@cdsnorth.com; Sun, 19 Feb 2006 22:34:28 -0700
To: carl@cdsnorth.com
Subject: [Switched to Apple / Mac] =?UTF-8?B?aW44MEBzd2l0Y2hlZHRvbWFjLmNvbQ==?=
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
From:=?UTF-8?B?aW44MEBzd2l0Y2hlZHRvbWFjLmNvbQ==?=<in80@switchedtomac.com>
Message-Id: <E1FB3gq-0002EV-0X@moria.vosn.net>
Date: Sun, 19 Feb 2006 22:34:28 -0700
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - moria.vosn.net
X-AntiAbuse: Original Domain - cdsnorth.com
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - moria.vosn.net
X-Source:
X-Source-Args:
X-Source-Dir:
X-Nonspam: None


From......: in80@switchedtomac.com
Email.....: in80@switchedtomac.com
Url.......: the
Content-Type: multipart/alternative; boundary=b799a0660b1dd7632b3057fa49b34273
MIME-Version: 1.0
Subject: a tent, folks goes by on th
bcc: charieses329@aol.com

This is a multi-part message in MIME format.

--b799a0660b1dd7632b3057fa49b34273
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

and its broken treaty and the
--b799a0660b1dd7632b3057fa49b34273--

.


..........................................................
Subject...: in80@switchedtomac.com
..........................................................

in80@switchedtomac.com
john
« Reply #1 on: February 20, 2006, 08:49:44 AM »

Hi Carl,

Unfortunately, little can be done to prevent the spoofing of an email address.  This spammer chose your domain name and appears (if I understand your comment) to be blindly sending email to various addresses at this domain name.  This type of tactic or attack is called a dictionary attack.  The spammer hopes to get lucky and get an email to a legitimate email address and have their spam read.

I do have a few suggestions:

1) Do not send anything back to the spammer to unsubscribe or to tell them to stop using your domain.  If they get a response, even a negative one, they know they have a winning email address and then the flood gates will really open.

2) Ignore it. Usually the best course of action on any spam.  Also, trying to track these down to get to the provider responsible will generally lead to a country with few if any laws regarding spam, or it will lead down a trail of exploited servers.

3) Look into some advanced spam filtering.  The service we offer from Postini is commercial grade and they specialize in filtering spam and viruses.  It's all they do.  They have the rule sets and the volume of traffic to identify dictionary attacks such as this and block the source IP from sending email to any of the customers on their service.  Very effective in defeating these attacks.  It also keeps spam out of your inbox, so you don't have to deal with it.  That service is described in detail on this page: http://webhsp.com/shared-web-hosting/shared-postini.html

~John
Carl
« Reply #2 on: February 20, 2006, 02:44:44 PM »

I think I may have figured this out. It appears as if these messages are coming from my comments form on my blog. I noticed that the user had a bcc: on it and I am not sure how he pulled that off. I sent a test message from my form this morning and noticed that I could put in any address I wanted. However, I am wondering if the user is trying to cull my e-mail address by using the bcc.

Thanks


Carl
WHSP-Mark M
« Reply #3 on: February 21, 2006, 09:38:53 AM »

Hi Carl,

That is likely the case, comment spam is quite frequent as it is easily exploited into allowing a message to be sent to thousands of people via an email injection.  I am not sure how they manage to get the BCC off either to be honest, it has been one thing that has stumped me personally.

I believe your email address is involved as the comment script is likely set to email you when someone posts on your site, so they inject the other email addresses and send it, and since your email address is configured to receive a copy of this, it does so.

I hope this information helps and if you need any more assistance on this, feel free to open a support ticket.

Thanks Carl.

Regards,
Mark
Logged
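As an added illustration of the email injection Mark describes and the extra bcc: Carl saw on his comment form (example code added here, not code from the thread or from WebHSP): a naive notification builder pastes form fields straight into mail headers, so a line break in the address field ends the From: header and starts a new one; the hardened builder refuses any field containing a line break before a header is written. All addresses and field values below are constructed.

```python
import re
from email.message import EmailMessage
from email.parser import Parser

# Constructed form submission: the "email" field smuggles a second header line.
INJECTED_EMAIL = "in80@example.com\r\nBcc: someone-else@example.net"
SITE_OWNER = "owner@example.com"  # hypothetical address the comment script notifies


def build_notification_unsafe(from_addr, subject, body):
    """Mimics a comment script that concatenates form fields into raw headers."""
    headers = [
        f"To: {SITE_OWNER}",
        f"From: {from_addr}",
        f"Subject: {subject}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def is_single_header_line(value):
    """A user-supplied header value must contain no CR, LF or NUL."""
    return re.search(r"[\r\n\x00]", value) is None


def build_notification_safe(from_addr, subject, body):
    """Same notification, but every form-derived header is validated first."""
    for name, value in (("from", from_addr), ("subject", subject)):
        if not is_single_header_line(value):
            raise ValueError(f"line break in form field {name!r}")
    msg = EmailMessage()  # the email library also refuses multi-line values
    msg["To"] = SITE_OWNER
    msg["From"] = from_addr
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def injected_headers(raw):
    """Reports headers in an outgoing message that the script never meant to set.
    Useful as a last-line check or log audit on a mail relay."""
    expected = {"to", "from", "subject"}
    parsed = Parser().parsestr(raw)
    return [h for h in parsed.keys() if h.lower() not in expected]
```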