Dealing with faked spammer "From" addresses

By 4ndr3w in Internet
Wed Oct 18, 2000 at 05:22:35 PM EST
Tags: Technology (all tags)
Technology

A friend of mine is receiving hundreds of bounce messages each day from an open mail relay being used by a spammer who is using his e-mail address in their spam. I told him there's nothing that can be done and the spammer will eventually move on, but I don't know everything!
Has anyone got any creative answers?


I've looked up the open mail relay (in this case 202.213.64.131 - www.city.fujiyoshida.yamanashi.jp) on MAPS and it is on the RSS.

The spammer has pretty carefully crafted their messages so that they don't seem to have anything to track back further in the messages. The message content doesn't have any useful places to abuse, as far as I can see.

Naturally, this is pretty annoying for my friend, who runs a news business e-mailing people, and who is worried that one of his clients will get one of these e-mails and think it came from him.

Any ideas?

Dealing with faked spammer "From" addresses | 12 comments (11 topical, 1 editorial, 0 hidden)
perhaps a grudge? (2.00 / 5) (#2)
by khallow on Wed Oct 18, 2000 at 05:09:16 PM EST

Naturally, this is pretty annoying for my friend, who runs a news business e-mailing people, and who is worried that one of his clients will get one of these e-mails and think it came from him.

My bet is someone deliberately targeted your friend. Maybe a competitor or former co-worker. OTOH, it could be someone trying to pretend they are part of your friend's news service and getting people to read the email that way.

He should complain to the open relay in question and to the site hosting that open relay. Even if the former won't cooperate, often somebody higher up will pull the plug. As far as other things go, maybe changing email addresses will help? He can also digitally sign his stuff so a small minority (better than zero) will know when email from his address is valid. What about the ORBS database? This is a more effective spam-blocker than MAPS, BTW.

Stating the obvious since 1969.

I don't think it's personal (2.00 / 3) (#5)
by 4ndr3w on Wed Oct 18, 2000 at 05:43:53 PM EST

My bet is someone deliberately targeted your friend. Maybe a competitor or former co-worker. OTOH, it could be someone trying to pretend they are part of your friend's news service and getting people to read the email that way.

It's possible, but I don't think so. The addresses being spammed appear to be US ones, and the product is a US one. Although this guy has made a few enemies in the past (who hasn't?), they would tend to hit closer to home.

The suggestion of it being an attempt to use his e-mail domain as a way of enhancing readership is a good one though, and indeed is very likely since his e-mail domain is "newsroom.co.nz", and there is a website for his news service to go along with that.

He really just doesn't understand WTF is going on, and feels helpless to do anything about it.

[ Parent ]

a few suggestions... (3.71 / 7) (#3)
by plastic on Wed Oct 18, 2000 at 05:09:42 PM EST

You have a few options here:

1. Attempt to enlist the aid of the person running the open relay in order to trace where the mail is coming from and convince them not to relay mail. Judging from the domain name, you will probably need someone who is fluent in japanese. Even then, it is likely that the spammer will simply move to another open relay and may very well keep on using the same From address.

2. Inspect the spam for contact information. Usually, spam contains either a URL or a phone number of some sort. Naturally, you would want to do a WHOIS on the domain if it's a web page. It may be possible to see who owns a given phone number, but it is not something that I am familiar with.

3. You could try contacting them as a prospective customer in order to get some clues about where and who they are. Success here will depend on a high level of social engineering skills.

4. Speak to a lawyer about applicable local, state or national laws. Since the spammer is effectively impersonating your friend, it is quite likely that you may be able to enlist the aid of local or government law enforcement people. They may have better success at tracking them down, but if it turns out that they are in another country, there may not be much that they can do.

Good luck!

option 2 (none / 0) (#12)
by radar bunny on Sat Nov 04, 2000 at 01:06:54 AM EST

2. Inspect the spam for contact information. Usually, spam contains either a URL or a phone number of some sort. Naturally, you would want to do a WHOIS on the domain if it's a web page. It may be possible to see who owns a given phone number, but it is not something that I am familiar with.

This is the crucial one. Remember they are trying to sell you something and will want to collect money (or information) from you eventually. So the "advertiser" is trackable.
Note: the advertiser and spammer are rarely the same person. The spammers sell their service and usually lie about what they do.
If there's a link to a domain-specific website like xyz.com then simply use register.com or networksolutions.com to find out who owns that web site. Use a prepaid phone card and call them from a payphone and "politely" ask them to not do it again.
If it's a hosted website like freehosting.com/spamer/ then contact freehosting.com --- you can also go to the page and look for contact information. If there's a form to fill out then the email might be hidden in the page source (note: I've even seen real names and more in the page source. These guys aren't always that bright).
If there's a phone number -- use a pay phone and call it. Usually it's a recording. One thing I've done a couple of times is leave a polite message saying I didn't enjoy being spammed and to please stop it. Then I give them one of my "throw-away" email addys and ask them to email me and confirm that they won't spam me again. If it's an 800 number and I'm bored --- I might do this 20 or more times until I've gotten an email (it's an 800 number: free for me -- not for them).

In the end you can't do much about a specific incident but you can curb the entire process. I had an AOL account that used to get @20 spam mails a day but I cut it down to about 1-2 by doing these things. The best thing you can do with spam is fight back but in a responsible manner. I used the word politely twice in here and I meant it. Hostile response only brings more of a hostile response. But, politely letting them know you don't like it and you won't buy it will send a slow message. Also, forward all the financially related spam mail (make money now, free credit card, etc....) to uce@ftc.gov (FTC anti spam service) -- then let the spammer (or person selling the service) know you did it. Your email addy will start disappearing from those bulkmail lists. I've seen it happen.



[ Parent ]
Change your email address (1.28 / 7) (#4)
by marlowe on Wed Oct 18, 2000 at 05:34:45 PM EST

And from now on, keep your real address a closely guarded secret. Only people you know personally should have it.

If you must have an email address for registration services and the like, get a free one from hotmail or excite.


-- The Americans are the Jews of the 21st century. Only we won't go as quietly to the gas chambers. --
Don't accept them (4.00 / 3) (#6)
by DesiredUsername on Wed Oct 18, 2000 at 08:00:35 PM EST

Why not just bounce emails from the relay domain? That way they will pile up in the relay domain's dead letter location and eventually they will get their act together.

Play 囲碁
Bounce them - procmail is your friend (5.00 / 1) (#9)
by shadowspar on Fri Oct 20, 2000 at 10:31:58 AM EST

I was going to say: Assuming you have it available, procmail is your friend. Bouncing mail from the open relay or sending it to Dave Null will have the desired mitigating effect on your friend's inbox. Ditto with angry replies, or you could file those away so that later you could send a form letter to them explaining the finer points of mail abuse and SMTP.
-- Drink Canada Dry! You might not succeed, but you'll have fun trying.
[ Parent ]

Bouncing is not possible (none / 0) (#10)
by NKJensen on Wed Oct 25, 2000 at 04:37:02 AM EST

The spammer did include a valid but incorrect From-address in his mailings.

That is, when someone gets angry and hits reply, (s)he will send a completely valid e-mail from the domain where (s)he is located.

There is no telling good e-mails from bad e-mails in this situation.
--
From Denmark. I like it, I live there. France is another great place.
[ Parent ]

PGP/GPG (4.20 / 5) (#7)
by pbrutsch on Wed Oct 18, 2000 at 10:48:26 PM EST

Your friend might want to look into signing his email messages with PGP/GPG, and tell his clients "if it's not signed with xyz PGP key, it didn't come from me".

theft of service (4.75 / 4) (#8)
by micco on Thu Oct 19, 2000 at 09:57:30 AM EST

A couple of years ago, this happened to a company in Austin, and they successfully filed suit against the spammer for "theft of service" or somesuch. It was a fairly significant case at the time, so you should be able to find details on the legal strategy and the eventual outcome. EFF-Austin assisted the plaintiffs, so you can probably get in-depth info from them. A quick search turned up many hits about the story. Here's one with details:
http://commons.somewhere.com/cud/1997/CuD.9.41.-.Anti-spam.html#File 6

The plaintiffs were basically subjected to a DoS attack by all the bounce messages and complaints resulting from the forged header. They had to seek "off-line" remedies because the spammer had successfully concealed his online identity. However, it's a pretty rare spam that doesn't provide some contact info since they're all trying to sell something.

According to the link below, the judgement for the plaintiff was about $18K but they ended up settling for much less. If it were me, I'd take my pound of flesh.
http://www.mids.org/mn/803/spamset.html

Good luck...

I had a similar problem (none / 0) (#11)
by Dop on Thu Oct 26, 2000 at 12:10:32 PM EST

I was with a UK ISP who gave you a domain name rather than a set of email addresses. And under that domain name you could have as many names as you liked - so your email address was like this: someone@something.ispname.co.uk

And this was all very well, until one day I started getting bounced spam messages. These had bounced back to me - their headers saying they had originated with <random string of characters@mydomain.ispname.co.uk>.
Basically, someone was using my domain name which identified me, with bogus names to spam off of. I was getting a couple of dozen bounced spams every time I downloaded my email.
I complained to my ISP. It stopped. Two days later, it started again.
If I was getting nearly a hundred bounced spams a day, how many spams, appearing (to anyone who can't read a header) to come from me, were reaching their destination? Dozens? Hundreds? Thousands? Who knows?
Also, I started to find reports of mail servers and news servers blocking anything from the ISP involved.
After about a month, I was sick and tired of this, so I jumped ISP. It was a pain in the arse giving round a new email address to everyone, and changing the mailing lists I was in, and I had a brilliant domain name which I lost.
Spammers are bastards. I consider it my moral duty to attempt to trace a spammer from the header, and notify the ISP concerned. If I suspect an open mail relay, I notify the owners of the IP address that they may have an open mail relay. It's an approach that has worked on a number of occasions where a spammer has been removed from their ISP.
Pour encourager les autres (pardon my french!)

Do not burn the candle at both ends as this leads to the life of a hairdresser!
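An added example, not code from the original thread or any of its posters, tying together three of the comments above: shadowspar suggests filing the bounces away with procmail, NKJensen objects that nothing distinguishes the bounce of a forged message from genuine mail, and Dop traces spammers from the headers and notifies the owner of the relay's IP address. A bounce does carry a tell, though. A standard delivery status notification encloses the original message (or at least its headers), and the topmost Received: line inside that enclosure names the host that handed the spam to the recipient's mail server, which is the open relay, whatever the From: line claims. The script below parses constructed sample bounces, extracts that relay address, and labels each message as backscatter (relay is the known open relay, 202.213.64.131 from the story), a genuine bounce (relay is the friend's own outbound host, an assumed 203.0.113.10), a bounce via an unknown relay worth reporting, or not a bounce at all; the folder decision is the one a procmail recipe would act on, and the per-relay count is what you would send to the relay's owner. The outbound-host address and every sample message are constructed.

```python
"""Triage bounce messages caused by someone forging our From: address.
Added example for this thread, not code from the original post or its authors.
Assumed: the open relay 202.213.64.131 is the one named in the story; our friend's
outbound host (203.0.113.10) and every sample message below are constructed."""
import email
import re
from email import policy

OPEN_RELAY_IPS = {"202.213.64.131"}   # named in the story
OUR_OUTBOUND_IPS = {"203.0.113.10"}   # constructed: the friend's real mail server
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def embedded_original(bounce):
    """Original message enclosed in a DSN (message/rfc822, or headers only as
    text/rfc822-headers, which some MTAs send instead), else None."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def relay_chain(msg):
    """Sending-host IPs from the Received: headers, nearest the recipient first."""
    chain = []
    for hdr in msg.get_all("Received", []):
        m = IPV4.search(str(hdr))
        if m:
            chain.append(m.group(1))
    return chain


def classify(raw):
    """Label one raw message: backscatter, genuine bounce, unknown relay, or not a DSN."""
    bounce = email.message_from_string(raw, policy=policy.default)
    original = embedded_original(bounce)
    if original is None:
        return {"kind": "not-a-dsn", "relay": None, "claimed_from": None}
    chain = relay_chain(original)
    # The topmost hop handed the mail to the victim's MX: that is the relay the
    # spammer used, whatever the From: line claims.
    relay = chain[0] if chain else None
    if relay in OPEN_RELAY_IPS:
        kind = "backscatter"
    elif relay in OUR_OUTBOUND_IPS:
        kind = "genuine-bounce"
    else:
        kind = "unknown-relay"   # report it to its owner, then add it to OPEN_RELAY_IPS
    return {"kind": kind, "relay": relay, "claimed_from": str(original.get("From"))}


def folder_for(raw):
    """The decision a procmail recipe acts on: keep backscatter as evidence, out of the inbox."""
    return "backscatter" if classify(raw)["kind"] == "backscatter" else "inbox"


def triage(raw_messages):
    """Count messages per (kind, relay) so the busiest relay can be reported to its owner."""
    counts = {}
    for raw in raw_messages:
        r = classify(raw)
        counts[(r["kind"], r["relay"])] = counts.get((r["kind"], r["relay"]), 0) + 1
    return counts


# Constructed sample 1: bounce whose enclosed original came through the open relay.
SAMPLE_BACKSCATTER = """\
From: MAILER-DAEMON@example.net
To: friend@newsroom.co.nz
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/rfc822

Received: from www.city.fujiyoshida.yamanashi.jp (202.213.64.131)
  by mx.example.net with SMTP; Wed, 18 Oct 2000 12:00:00 -0400
From: friend@newsroom.co.nz
To: victim@example.net
Subject: BUY NOW

spam body
--B1--
"""
# Constructed sample 2: genuine bounce of mail the friend really sent (headers only).
SAMPLE_GENUINE = """\
From: MAILER-DAEMON@example.org
To: friend@newsroom.co.nz
Content-Type: multipart/report; report-type=delivery-status; boundary="B2"

--B2
Content-Type: text/rfc822-headers

Received: from mail.newsroom.co.nz (203.0.113.10)
  by mx.example.org with SMTP; Wed, 18 Oct 2000 09:00:00 -0400
From: friend@newsroom.co.nz
To: nobody@example.org

--B2--
"""
# Constructed sample 3: ordinary mail, not a bounce at all.
SAMPLE_PLAIN = "From: client@example.org\nTo: friend@newsroom.co.nz\nSubject: Re: story\n\nThanks!\n"
```

Running `triage([SAMPLE_BACKSCATTER, SAMPLE_BACKSCATTER, SAMPLE_GENUINE, SAMPLE_PLAIN])` yields two backscatter hits via 202.213.64.131, one genuine bounce via 203.0.113.10 and one non-DSN; `folder_for` sends only the first kind to a holding folder. Bounces generated by a mail server that strips the original entirely (no enclosed part) will land in "not-a-dsn" and need a looser rule, and a spammer moving to a new relay shows up as "unknown-relay" rather than being silently filed, which is the point: you see the new relay address before deciding to add it to the set.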