Help me fight spam from 'myself'

Some idiot spammer has started spoofing my regular email address in the return path of fraudulent spam mail. My best guess as to how he/she/it has decided my address was usable is probably due to my ISP's spam filter bouncing spam with an "address not recognized" tag... which encourages some ratware to start using bounced addresses as spoofed sources of spam.

Now to get rid of it. Because now my mailbox is clogged with hundreds of failure notices on mails I didn't send, with contents I won't even look at. This has forced me to set in place rules that automatically delete any mail containing signs of it being a failure notice so I need not download it over my very thin line (33.6k modem).

So on to my question: Does anyone here know how I might best fight this so as to get my address out of spammers' databases of "spoofable" addresses?

Any pointers? And no, my ISP won't install SpamAssassin and I can't do it myself due to limitations imposed on users by the ISP.

I would say I need help urgently...

Can you post the full header here? It may be pretty simple to create a rule that sends it straight to the trash, but the problem is unless your ISP does something about it you'll always download it. All I know how to do is make it so you don't have to see it in the inbox.

Well, the header is always different so that's a bit hard. Bounces come from all around the world, and I've so far been able to determine the most common subject line indicators for failure notices and put them in a deny-file on the server. This deny-file only checks subject lines and from-fields, so it's not very exact, but hopefully it'll do some good.

I've also set up a server-side rule denying mails 'from' myself, and been able to stop the server-side spam filter from bouncing denied mail. Of the 100 or so bounces and spams using the spoofed address I've seen in the last 4 days (since it started), only 8 have passed my local spam filter (checking a number of DNSBLs against headers as well as body) but I've still had to download every one of them and then rewrite/upload them again to my 'spamtrap' inbox. It's taken quite a while with my 33.6K line. Hopefully with my new deny rules in place I won't see or have to download as much, but it bothers me to bits that someone out there (in Asia as far as I can see from DNSBL statistics) is forging my address. Source IPs seem to indicate open relays located in China/Korea and Taiwan. :x

Another thing that bothers me is that the sheer volume of bounces and spams has forced me to turn off logging, which could make it possible for a false positive to slip past without me noticing (prior to this Friday I always saved and checked the mail log on my ISP's server every day to make sure my deny rules didn't catch anything that should be passed through).

And as far as local rules are concerned, I'm running PC-Pine, so I've set up some basic rules but mostly I just update my server-side deny-files with whatever subjects or hosts my local SpamPal filter catches.

Slightly modified quote from Hook: 'I hate, I hate, I HATE stupid spam!' :spam:

Use MailWasher as a temporary solution while you get a proper set of rules set up. It won't download the mail, only get a list, and then you choose which ones you want to delete; it then deletes them off your mail server and opens your regular mail program to download the 'good' mail.

Thanks for the suggestion, downloaded it last night and it's certainly faster to work with than SpamPal. I transferred all the RBL zones from SpamPal so hopefully it should improve the operation of MailWasher somewhat.

I'm setting up rules at the server as I go through and identify recurring patterns in headers.

Thankfully my mail server accepts both POP3 and IMAP4 connections :)

http://www.w5hq.com/MailWasher/

This guy has a pretty slick list of filters that he updates on a regular basis. With those filters and the DNS blacklist servers I use, most of my spam is taken care of. :)

He even has a filter already in there that checks for your name being used as the return address, or in the subject line, etc...

Haha! I've identified the IP address of the spammer as coming from an IP address under the jurisdiction of the Latin American and Caribbean IP Regional Registry; it checks out with a computer in Argentina at the ISP 'Fibertel'.

It seems they're very much under siege by spamming users, and are seriously working on correcting the situation. SpamCop was very useful here since it allowed me to see that the spamvertized site has already been taken offline and thrown out by their ISP (some huge Russian ISP).

Just in case, I've saved most of the false bounces to file on my ISP's Unix server so my ISP can investigate things themselves if they feel like it - in the last batch of forged spams their domain was forged in the Received lines as well.

:spam:

If you can get and give me the address of the a$$hole in Argentina, maybe I can kick his a$$ personally in your name... will be a pleasure... :D

(hint: see my location)

BTW, check if the rat is really in Argentina or is just using a relay mail server from here... ;)

I don't have direct access to the Received lines at this moment, but they indicated that the MUA and MTA were both located on the same computer (same IP), but with two different forged names (the MUA identified its 'host name' as 'server' and the MTA tried to pass its hostname off as 'algonet.se', which is my ISP's domain and home to most real Unix geeks in Sweden).

The IP (24.232.44.13) is confirmed as blacklisted in the SpamCop RBL. It also gives a match in the MAPS Dial-up Users List. That's as far as I can get. And as many more spam bounces have contained IPs of open relays located in Asia I can't say for sure that this particular machine isn't a zombie. :x

I'm pretty sure it's a 'small' random joe-job (not intentional) and it's probably caused by a careless bounce indicating the user (me) doesn't exist at my ISP. I've turned off bouncing altogether now and just route any mail that matches my server-side rule-set into a file and log some quick header info for reference in a smaller file. I'm in the process of hardening my server-side email setup using various very long addresses and a second filter to distribute legitimate mail to the appropriate address. My ISP's server software will let me set up some 10k aliases so I won't run out of them anytime soon. :p

I logged a previous mail from the same 'real name' (but likely also with a spoofed address) some days ago before the flood of bounces started, so it's probably one and the same. "It" uses the 'real name' "jenny hawkert" and a few other names (using the same subject) I can't remember right now. Unfortunately, until the bounce flood started, I had a cron job that deleted the logs every day after I'd checked them, so I can't double-check and verify if it came from within the same address block belonging to Fibertel.

I'm leaving this to the professional spam fighters (and I'd like to leave my name out of this), but I'll set up a nice ruleset to automatically (server-side) redirect incoming spam to my shiny new SpamCop account (I have a feeling I'll be using it a lot...). :D

Well, now I'm pretty sure that these forged mails come from zombies. I just caught another one today that originated on an IP address located in Korea, with the exact same characteristics as the previous ones: lowercase sender "phony name" part beginning with 'jenny' or 'jenna', MUA and MTA located at the same IP, forged algonet.se domain name by the MTA, and the MTA identified itself as MailMXPro. All this was exactly the same in most forged mail I've seen lately. Topics have varied, though, but have mostly been within the 'adult' range of scams or spamvertized sites.

This latest IP was already blacklisted in SpamCop.
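The traits catalogued in this thread (failure-notice subjects and forged "from myself" senders in the deny-file post, and MUA and MTA on one IP, the ISP domain forged as the HELO name and an MTA calling itself MailMXPro in the zombie post) can be turned into a single checkable rule. The following is an added example, not code from the thread, MailWasher or SpamPal; the sample headers are constructed, and example.net, 192.0.2.77 and 203.0.113.5 are stand-ins for the poster's own domain, the zombie and the ISP's mail server.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed stand-ins for the poster's own address, domain and mail-server IPs.
OWN_ADDRESS, OWN_DOMAIN, OWN_SERVER_IPS = "victim@example.net", "example.net", {"203.0.113.5"}
OWN_HELO = re.compile(r"(.+\.)?" + re.escape(OWN_DOMAIN))  # bare domain or any host under it

# Constructed sample with the traits the thread describes: MUA and MTA hops on one IP,
# our domain forged as the HELO name, an MTA calling itself MailMXPro and our own
# address as the sender.
FORGED = """\
Received: from example.net (server [192.0.2.77]) by mx.example.net with SMTP; Tue, 2 Mar 2004 10:00:00 +0000
Received: from server ([192.0.2.77]) by server with MailMXPro; Tue, 2 Mar 2004 09:59:58 +0000
From: jenny hawkert <victim@example.net>
Subject: hot deals
"""

# Subject words a deny-file for failure notices keys on, and a loose parser for one Received hop.
DSN_SUBJECT = re.compile(r"undeliver|delivery (status|failure)|returned mail|failure notice", re.I)
HOP = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+([^\s;]+)(?:\s+with\s+([^\s;]+))?", re.I)

def parse_hops(msg):
    """(helo_name, ip, receiving_host, mta_software) per Received header, origin hop first."""
    matches = (HOP.search(" ".join(v.split())) for v in reversed(msg.get_all("Received", [])))
    return [m.groups() for m in matches if m]

def forgery_indicators(msg):
    """Traits the thread associates with the joe-job mail; each one alone is only a hint."""
    hints = []
    _name, addr = parseaddr(msg.get("From", ""))
    if addr.lower() == OWN_ADDRESS:
        hints.append("from_is_own_address")
    hops = parse_hops(msg)
    if len(hops) >= 2 and hops[0][1] == hops[1][1]:      # MUA and MTA on the same machine
        hints.append("mua_mta_same_ip")
    for helo, ip, _by, mta in hops:
        if OWN_HELO.fullmatch(helo.lower()) and ip not in OWN_SERVER_IPS:
            hints.append("helo_claims_own_domain")        # our domain from a foreign IP
        if mta and mta.lower() == "mailmxpro":
            hints.append("mta_mailmxpro")
    return hints

def classify(raw):
    """DSN flag (subject/sender, as in a deny file), origin IP for a DNSBL lookup, and indicators."""
    msg = email.message_from_string(raw, policy=policy.default)
    dsn = bool(DSN_SUBJECT.search(msg.get("Subject", ""))) or "mailer-daemon" in msg.get("From", "").lower()
    hops = parse_hops(msg)
    return {"dsn": dsn, "origin_ip": hops[0][1] if hops else None, "indicators": forgery_indicators(msg)}
```

The origin IP is the one to look up in a DNSBL or report; the HELO name is never trusted, only compared against the IP that actually connected.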

Neowin can't operate without SpamAssassin now... we get so much spam it's quite annoying. Not to mention idiots who think it's fun to sign up staff to various mailing lists (thankfully most require verification).

I was thinking of giving SpamAssassin a try; most of the time I have 70-80 daily e-mails but around 60-70 of them are spam... :angry:

Trying MailWasher now, but I'm not fully satisfied... :hmmm:
