New Spammer Tactics


Supreme Cmdr

OK, this is cute, just cute. Yesterday I accidentally got wind of some jackass spammer using my [email protected] address as a return address for sending out spam. Funny enough, Mailwasher Pro actually flagged it for deletion because it was spam - even though it had my email address in it. So I downloaded it and inspected the headers. Well, take a look.

I have archived something like six of these, and one seemed to be coming from a server at familypc.com, which is hosted by Road Runner (those incompetent bastards); I have sent email to their abuse dept.

Anyway, if anyone knows a way to clean up this mess, let me know.

code:

Return-Path:
Delivered-To: [email protected]
X-Envelope-To: [email protected]
Received: (qmail 30336 invoked from network); 25 Nov 2003 12:39:13 -0000
Received: from h24-84-53-74.vc.shawcable.net (HELO 3000ad.com) (24.84.53.74)
  by qs292.pair.com with SMTP; 25 Nov 2003 12:39:13 -0000
Received: from leon-fdp7chah6b [24.84.53.74] by 3000ad.com with eSMTP;
  Tue, 25 Nov 2003 04:39:14 -0800
Message-ID:
From: "dewey"
To:
Subject: Gener.ic Cia.lis - Lasts 2 times longer then Via.gra!
Date: Tue, 25 Nov 2003 04:39:14 -0800
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
X-Priority: 3
X-Mailer: PHP
Return-Path: [email protected]
Hel-Tracking:
X-Spam-Filtered: d326419afd31d64e37ddbcb04596936e
X-Spam-Status: No, hits=2.1 required=4.0 tests=HTML_FONT_BIG,HTML_FONT_COLOR_RED,HTML_40_50,MIME_HTML_ONLY,UPPERCASE_25_5
X-Spam-Flag: NO
X-Spam-Level: **

code:

Return-Path:
Delivered-To: [email protected]
X-Envelope-To: [email protected]
Received: (qmail 47577 invoked from network); 22 Nov 2003 07:01:23 -0000
Received: from roc-66-66-251-198.rochester.rr.com (HELO 3000ad.com) (66.66.251.198)
  by qs292.pair.com with SMTP; 22 Nov 2003 07:01:23 -0000
Received: from FamilyComputer [66.66.251.198] by 3000ad.com with eSMTP;
  Sat, 22 Nov 2003 02:00:34 -0500
Message-ID:
From: "edward"
To:
Subject: **JUNK** We can he.lp you find the best rates!
Date: Sat, 22 Nov 2003 02:00:34 -0500
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
X-Priority: 3
X-Mailer: PHP
Return-Path: [email protected]
Hel-Tracking:
X-Spam-Filtered: d326419afd31d64e37ddbcb04596936e
X-Spam-Status: Yes, hits=4.8 required=4.0 tests=HTML_FONT_BIG,HTML_FONT_COLOR_RED,THE_BEST_RATE,MIME_HTML_ONLY,HTML_20_30
X-Spam-Flag: YES
X-Spam-Level: ****


The good news is: this is not a Trojan and you are dealing with an external problem. I've done a trace on the first message source and here is what I came up with.

http://www.senderbase.org/?searchString=sh...searchBy=domain

The server you are interested in is h24-84-53-74.vc.shawcable.net

Here is a website that will allow you to trace the rest: www.ip-trace.com

Unfortunately there is really nothing you can do to prevent this sort of problem from happening. Since the spammer is rotating servers, you cannot simply plug that hole. My only advice is to obtain a record of the server logs and find the home IP of the spammer's computer, and then give him Hell (cross-reference sending times with login times).

Good luck,

IceCold

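The trace IceCold describes, and the reading of the headers in the opening post, worked through in code. This is an added example, not something any poster ran. It parses a constructed copy of the first header set (the forum replaced every address with "[email protected]", so victim@example.com stands in for both the forged sender and the recipient), assumes from those headers that qs292.pair.com is the recipient's own mail exchanger and 3000ad.com the recipient's domain, and reports the real injection IP, the forged HELO, the fabricated "by 3000ad.com" hop and the self-addressed From line.

```python
import re
from email import message_from_string

# Constructed copy of the first header set posted in the thread. The forum
# software replaced every address with "[email protected]", so victim@example.com
# stands in for the (forged) sender and the recipient; nothing else is changed.
SAMPLE = """\
Return-Path: <victim@example.com>
Delivered-To: victim@example.com
Received: (qmail 30336 invoked from network); 25 Nov 2003 12:39:13 -0000
Received: from h24-84-53-74.vc.shawcable.net (HELO 3000ad.com) (24.84.53.74)
  by qs292.pair.com with SMTP; 25 Nov 2003 12:39:13 -0000
Received: from leon-fdp7chah6b [24.84.53.74] by 3000ad.com with eSMTP;
  Tue, 25 Nov 2003 04:39:14 -0800
From: "dewey" <victim@example.com>
To: <victim@example.com>
Subject: Gener.ic Cia.lis - Lasts 2 times longer then Via.gra!
X-Mailer: PHP
X-Spam-Status: No, hits=2.1 required=4.0 tests=HTML_FONT_BIG,MIME_HTML_ONLY

"""

# Assumed from the posted headers: the recipient's own mail exchanger (the only
# host whose Received line we can believe) and the recipient's own domain.
OUR_MX = "qs292.pair.com"
OUR_DOMAIN = "3000ad.com"

HOP_RE = re.compile(
    r"from\s+(?P<name>[^\s(\[]+)"                    # peer name as the relay resolved it
    r"(?:\s+\(HELO\s+(?P<helo>[^)\s]+)\))?"          # qmail style: what the peer claimed
    r".*?[\[(](?P<ip>\d{1,3}(?:\.\d{1,3}){3})[\])]"  # peer IP, in [] or ()
    r".*?\bby\s+(?P<by>[^\s;]+)",                    # relay that wrote this line
    re.IGNORECASE | re.DOTALL,
)


def parse_hops(raw):
    """Received hops, newest first; lines without a peer IP (local qmail) are skipped."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append({k: (v.lower() if v else None) for k, v in m.groupdict().items()})
    return hops


def analyse(raw):
    msg = message_from_string(raw)
    hops = parse_hops(raw)
    # The hop our own MX wrote records the TCP peer it actually talked to: that
    # is the injection point. Every hop below it was supplied by the sender.
    trusted = next((h for h in hops if h["by"] == OUR_MX), None)
    report = {
        "origin_ip": trusted["ip"] if trusted else None,
        "origin_rdns": trusted["name"] if trusted else None,
        "helo_forged": False,
        "fake_internal_hop": False,
        "self_addressed": False,
        "score": None,
        "required": None,
    }
    if trusted:
        # An outside host announcing itself as our own domain is lying in HELO.
        report["helo_forged"] = bool(trusted["helo"]
                                     and trusted["helo"].endswith(OUR_DOMAIN)
                                     and not trusted["name"].endswith(OUR_DOMAIN))
        # A line claiming to be stamped *by* our domain, yet carrying the same
        # peer IP, was fabricated by the sending script to look like a relay.
        report["fake_internal_hop"] = any(
            h["by"].endswith(OUR_DOMAIN) and h["ip"] == trusted["ip"]
            for h in hops if h is not trusted)
    sender = (msg.get("From", "") + msg.get("Return-Path", "")).lower()
    rcpt = msg.get("Delivered-To", "").lower()
    report["self_addressed"] = bool(rcpt) and rcpt in sender   # mail "from myself"
    m = re.search(r"hits=([\d.]+)\s+required=([\d.]+)", msg.get("X-Spam-Status", ""))
    if m:   # why this one slipped past SpamAssassin: 2.1 < 4.0
        report["score"], report["required"] = float(m.group(1)), float(m.group(2))
    return report


if __name__ == "__main__":
    for key, val in analyse(SAMPLE).items():
        print(f"{key:18} {val}")
```

The only line worth believing is the one your own MX wrote, because it records the peer it actually accepted the connection from; 24.84.53.74 is therefore the injection point, and the shawcable.net reverse DNS against a HELO of 3000ad.com is the giveaway. The "by 3000ad.com" hop underneath it carries the same IP and was typed in by the PHP mailer, which is why the second header set shows the same pattern from a different cable customer.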

UPDATE

Well, now there is a reason to blame Canada.

Here is specific information on the server that sent you the first message. It even has a listed owner and location: Shaw Communications Inc. in Calgary.

http://www.senderbase.org/search?searchString=24.84.53.74

Another bit of interesting info on this server: its sending volume is up 1722% from its average. Looks like someone broke in and is using this as a major spam hub. I bet the owners would love to hear that.


This started happening to me last week: when I went to add the sender to my block list, I noticed it was my own email addy. I've since got a total of 5 of these emails. I was and am still very pissed about this. If I ever catch this guy, I will drag him around the streets of Pittsburgh, tied to the back of my truck.


quote:

Originally posted by Greg Miller:

If I ever catch this guy, I will drag him around the streets of Pittsburgh, tied to the back of my truck.

ROFL, I just got a mental picture of that.


This actually happened to me about 6 months ago.

I kept getting these "message cannot be delivered" errors, hundreds of them, and I mean hundreds.

It just about drove me crazy, so I called my ISP and asked them to do something, and there was absolutely NOTHING that they could do about it.

They slowed down after about 2 weeks, but I was pissed that someone was using my e-mail address to spam people, and people were actually E-mailing me telling me to stop sending them this stuff.

I responded to about 6 and then gave it up.

Took about a month before everything finally halted and my e-mail address got back to normal.

Oh and this was on 56K, so it was just joyful, let me tell you.

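Triage for the flood of bounces described in the post above, as an added example (not from the thread). A bounce of a forged message quotes an original that never passed through your own relay; a genuine bounce of your own mail does. The site detail (qs292.pair.com as the relay all outgoing mail passes through) and all three sample messages are constructed for the example; 198.51.100.10 and 203.0.113.4 are documentation addresses, not real hosts.

```python
import re
from email import message_from_string

# Site detail assumed for this example (the thread never states it): all mail
# our users send leaves through OUR_MX, so a genuine bounce of our own mail
# must quote an original carrying a Received line stamped "by qs292.pair.com".
OUR_MX = "qs292.pair.com"
STAMPED_BY_US = re.compile(r"\bby\s+" + re.escape(OUR_MX) + r"\b", re.IGNORECASE)


def is_bounce(msg):
    """Delivery status notification? Null envelope sender, daemon From, or DSN MIME type."""
    null_sender = (msg.get("Return-Path") or "").strip() == "<>"
    daemon = any(t in (msg.get("From") or "").lower() for t in ("mailer-daemon", "postmaster@"))
    dsn = (msg.get_content_type() == "multipart/report"
           and (msg.get_param("report-type") or "").lower() == "delivery-status")
    return null_sender or daemon or dsn


def returned_original(msg):
    """The bounced message (or just its headers) quoted inside the DSN, parsed; None if absent."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload()[0]                # parsed as a nested Message
        if ctype == "text/rfc822-headers":
            return message_from_string(part.get_payload())
    return None


def classify(raw):
    msg = message_from_string(raw)
    if not is_bounce(msg):
        return "not-a-bounce"
    orig = returned_original(msg)
    if orig is None:
        return "bounce-unverifiable"                    # nothing quoted, nothing to check
    # Backscatter: a third party's MX rejected a forgery and bounced it to the forged
    # address. The forgery never passed through our relay, so no Received line is
    # stamped by us. (A forger could fake that too; this is triage, not proof.)
    if any(STAMPED_BY_US.search(r) for r in orig.get_all("Received", [])):
        return "legitimate-bounce"
    return "backscatter"


# Constructed samples. Hosts and IPs are documentation placeholders, not real systems.
BACKSCATTER = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.remote.example>
To: <victim@example.com>
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The message could not be delivered.
--B1
Content-Type: text/rfc822-headers

Received: from h24-84-53-74.vc.shawcable.net (HELO 3000ad.com) (24.84.53.74)
  by mx.remote.example with SMTP; 25 Nov 2003 12:41:00 -0000
From: "dewey" <victim@example.com>
To: <nobody@remote.example>
Subject: Gener.ic Cia.lis - Lasts 2 times longer then Via.gra!
--B1--
"""

LEGIT = """\
Return-Path: <>
From: MAILER-DAEMON@mx.remote.example
To: <victim@example.com>
Subject: Returned mail: User unknown
Content-Type: multipart/report; report-type=delivery-status; boundary="B2"

--B2
Content-Type: text/plain

User unknown.
--B2
Content-Type: message/rfc822

Received: from qs292.pair.com (qs292.pair.com [198.51.100.10])
  by mx.remote.example with ESMTP; 20 Nov 2003 10:00:00 -0000
Received: from supreme-pc (dsl-203-0-113-4.example.net [203.0.113.4])
  by qs292.pair.com with SMTP; 20 Nov 2003 09:59:58 -0000
From: <victim@example.com>
To: <typo@remote.example>
Subject: hello

see you saturday
--B2--
"""

NOT_BOUNCE = "From: friend@example.net\nTo: <victim@example.com>\nSubject: re: game\n\nsee you saturday\n"

if __name__ == "__main__":
    for name, raw in (("BACKSCATTER", BACKSCATTER), ("LEGIT", LEGIT), ("NOT_BOUNCE", NOT_BOUNCE)):
        print(f"{name:12} -> {classify(raw)}")
```

Run as a filter in front of the inbox, this lets you discard the backscatter unread while still seeing the genuine "user unknown" bounces for mail you really sent; the unverifiable class (a DSN that quotes nothing) is the one to keep eyeballing by hand.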

SC, let me know when you've captured the scum. I will be down to hook him up to the back of my truck for the drive back to Pittsburgh. After a few trips around the 'burgh, then I will head out west to Gig Harbor so Jaguar can drag him around there for a while. I just hope there is enough of him left for Jaguar to get some satisfaction out of.


I had a couple of messages like that; thankfully none of them were deliverable.

I asked a friend who works for Symantec about it; he said it was an e-mail virus that would've harvested my e-mail addy from an infected user's address book to use as a return addy.


Was going to post about something similar to this.

As it seems, I'm having a problem with spamming as well: I keep getting the same 867 e-mail messages every time I click on receive.

No clue why this is happening.


There was a virus a couple of months ago that grabbed email addys from address books to use as return address headers.

My ISP eventually blocked those messages... but it did take a couple weeks or so... until then I was getting dozens of messages an hour.


quote:

Originally posted by Greg Miller:

SC, let me know when you've captured the scum. I will be down to hook him up to the back of my truck for the drive back to Pittsburgh. After a few trips around the 'burgh, then I will head out west to Gig Harbor so Jaguar can drag him around there for a while. I just hope there is enough of him left for Jaguar to get some satisfaction out of.

I got a couple of spots out here that would make him/her/it VERY uncomfortable, and I would make sure that it is prolonged agony!! VERY prolonged!!



quote:

Originally posted by Baloogan:

My internet provider is Shaw Cable, and I'm guessing that the spammer lives near here...

anything I can do to help?

I hope this can help.

Try this http://www.keir.net/k9.html

It is really easy to configure. There are even samples of spam mail that you can use to teach the program to recognize spam.

As I said. I hope this will help
