Help ! someone spamming from my email

**Whois-Search** · 11-08-2002, 05:07 AM

Someone's just sent out a load of spam using my me@bennoart.com address as the "from" address.

This line:
> Received: from bennoart.com (193.59.91.3) by smtp6.libero.it (6.5.028)

Shows ya it's dodgy coz the bennoart IP isn't 193.59.91.3. The 193 address is owned by some scumbag in Poland.

----- Original Message -----
From: "Mail Delivery Service" <postmaster@iol.it>
To: <me@bennoart.com>
Sent: Thursday, November 07, 2002 6:56 PM
Subject: Delivery Status Notification

> - These recipients of your message have been processed by the mail server:
> watches@libero.it; Failed; 5.2.2 (mailbox full)
>
> Remote MTA ims2d.libero.it: SMTP diagnostic: 552 RCPT
TO:<watches@libero.it> Mailbox disk quota exceeded
>
>
>

----------------------------------------------------------------------------
----

> Return-Path: <me@bennoart.com>
> Received: from bennoart.com (193.59.91.3) by smtp6.libero.it (6.5.028)
> id 3DCA8D9400078FAF; Thu, 7 Nov 2002 19:56:35 +0100
> Received: from unknown (167.15.54.216)
> by smtp013.mail.yahou.com with esmtp; 07 Nov 2002 05:00:22 +1200
> Received: from unknown (155.121.197.41)
> by rly-yk05.pesdets.com with esmtp; 07 Nov 2002 16:59:27 +0300
> Received: from 144.227.200.144 ([144.227.200.144]) by rly-xl05.dohuya.com
with esmtp; Thu, 07 Nov 2002 19:58:32 +0300
> Received: from mx.loxsystems.net ([145.37.47.211])
> by web.mail.halfeye.com with smtp; Thu, 07 Nov 2002 22:57:37 -0400
> Reply-To: <me@bennoart.com>
> Message-ID: <035c00b01d6e$5138a4b4$8cc83ea0@myqakv>
> From: <me@bennoart.com>
> To: me@bennoart.com
> Subject: Online adult classifieds!
0229WJZN6-751PojE1866nNLC0-293d-29
> Date: Thu, 07 Nov 2002 12:35:20 +0600
> MiME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="----=_NextPart_000_00E6_88C36E5B.B7303A55"
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 5.50.4522.1200
> Importance: Normal
>
>

**Ciqala** · 11-08-2002, 05:25 AM

I hate spammers... someone exploited one of my sendmail scripts a while back and used my server to send a shedload of spam...

Do you actually use the account 'ME' or is that just a random name they have chosen to tack onto your domain name?

if you dont use me@bennoart.com as your exact email address i think i saw someone mention in a post a few days ago you can point it to :blackhole: or something similiar and the emails just get trashed... a search for blackhole should return the post i'm reffering to

i don't think you can do much else other than that as you can easily specify any reply-to address in your outlook settings so anyone could (unfortunately) do the same.

you could do a traceroute and find out their isp and if its a 'reputable' provider send them the email and get his account deactivated... but even then they may be working through a proxy server...

its so frustrating hacking, spam and dos attacks are ruining the internet in such a short space of time that in a few years time technological advances wont matter as the net will be such a crappy place to visit it wont be worth the hassle.

i think you may even find large multinationals offer wide-area intranets where they can control the access themselves and police the bad elements that ruin it in a manner that is impossible with the current state of the internet.

**mole** · 11-08-2002, 06:12 AM

Someone is spoofing your email and there is nothing you can do about it. Spoofing is just too easy to do.

Paste the email header here and we'll help you trace the culprit. Never know what may turn up. But I do agree with Ciq, smart spammers are crafty bastards and will hide their trails.

**DomainPairs** · 11-08-2002, 07:54 AM

Report the domain that is mentioned in the spam to their host, if they won't do anything report them to the anti-spam sites. They'll get the whole Hosting site blacklisted.

**Luc** · 11-08-2002, 07:59 AM

Andrew,

You're not the first. Someone (I'm guessing my competitor)
has been spamming lots of porn using various @domain-retriever.com
accounts. This happened several dozen times and I always
get a mailbox full of bounced "Recipient error" messages
or angry people asking to be removed from my mailing list.

When I looked up the IP it's something different every time,
from England to Germany to the US. I bet you they're all from
the US but someone is just using an IP redirection service
and making it look like its coming from a place its not.

What sucks is there is not much that can be done about this
issue.

Luc L.

**mole** · 11-08-2002, 08:50 AM

hmm... tricky scum of the earth..

Parsing header:

Received: from bennoart.com (193.59.91.3) by smtp6.libero.it (6.5.028) id 3DCA8D9400078FAF; Thu, 7 Nov 2002 19:56:35 +0100
Possible spammer: 193.59.91.3
host bennoart.com (checking ip) ip = 216.127.68.84
193.59.91.3 is not an MX for bennoart.com
ips don't match; bennoart.com discarded as fake
Taking name from IP...
host 193.59.91.3 (getting name) no name
Received line accepted

Received: from unknown (167.15.54.216) by smtp013.mail.yahou.com with esmtp; 07 Nov 2002 05:00:22 +1200
host 193.59.91.3 (getting name) no name
193.59.91.3 not listed in proxies.relays.monkeys.com
Possible spammer: 167.15.54.216
Taking name from IP...
host 167.15.54.216 (getting name) no name
Chain test:smtp013.mail.yahou.com =? 193.59.91.3
host smtp013.mail.yahou.com (checking ip) ip = 216.65.41.184
193.59.91.3 is not an MX for smtp013.mail.yahou.com
ips don't match; smtp013.mail.yahou.com discarded as fake
host 193.59.91.3 (getting name) no name
Chain test failed
Display data:
"whois 193.59.91.3@whois.ripe.net" (Getting contact from whois.ripe.net)
Found inetnum admin-c = MB8340-RIPE
Found inetnum tech-c = LB2329-RIPE
whois.ripe.net 193.59.91.3 (nothing found)
host 193.59.91.3 (getting name) no name
Falling back on IP addressing:postmaster@[193.59.91.3]
Chain error smtp013.mail.yahou.com not equal to last sender received line discarded

Tracking message source:193.59.91.3:
Display data:
"whois 193.59.91.3@whois.ripe.net" (Getting contact from whois.ripe.net)
Found inetnum admin-c = MB8340-RIPE
Found inetnum tech-c = LB2329-RIPE
whois.ripe.net 193.59.91.3 (nothing found)
host 193.59.91.3 (getting name) no name
Falling back on IP addressing:postmaster@[193.59.91.3]
193.59.91.3 not listed in formmail.relays.monkeys.com
193.59.91.3 not listed in proxies.relays.monkeys.com
193.59.91.3 not listed in relays.ordb.org.

Would send message source reports to:

Re:193.59.91.3 (Administrator of network where email originates)

postmaster@[193.59.91.3]

**Whois-Search** · 11-08-2002, 08:59 AM

193.59.90.0 - 193.59.95.255
Petrochemia Plock Ltd.
Plock

--------------------------------------------------------------------------------

Marek Banaskiewicz
TI/TIS
Petrochemia Plock Ltd.
09-411 Plock
ul. Chemikow 7
+48 24 655005
+48 24 655440

--------------------------------------------------------------------------------

Lech Barszczewski
Petrochemia Plock Ltd.
09-411 Plock
ul. Chemikow 7
+48 24 655005
+48 24 655440

**Whois-Search** · 11-08-2002, 09:02 AM

http://www.petrochemia.pl

**mole** · 11-08-2002, 09:11 AM

Paste the body here.

If it is a html email, view source, and copy/paste text.

**DomainEmpire.com** · 11-08-2002, 09:15 AM

"http://www.petrochemia.pl"

Complaint with their provider ...
In a near past, someone did a similar thing with our email (webmaster@chatowner.com) for some days.
We got dozens of eror messages and complaints until the spammer stopped doing that :(

**mole** · 11-08-2002, 09:18 AM

Noticed a lot of spam from .pl in the past 2 weeks.

**mole** · 11-08-2002, 09:28 AM

Just look at this bullsh*t spamming tools

http://www.bulklist.com/desktop/dtindex.htm

Time to fight back big time!

**mole** · 11-08-2002, 10:32 AM

Originally posted by DomainRetriever
When I looked up the IP it's something different every time,
from England to Germany to the US. I bet you they're all from
the US but someone is just using an IP redirection service
and making it look like its coming from a place its not.

Open Relays are the culprit. Our company mail server has personally been hit many times by this, so I guess thousands of other companies are as vulnerable.

You can install a mail server on your home PC and it too will be vulnerable if you have a fixed ip address pointing directly at your computer.

But spammers spam to make money. So the most reliable way to cause grief to them is to report to the web-hosts involved in providing the content/product.

**Whois-Search** · 11-08-2002, 01:48 PM

Thanks Mole

**MarkyMark** · 11-08-2002, 05:39 PM

mole's advice is the most effective I think. Most companies do not like having their products promoted with spam, report the guy and his affiliate ID to the content provider.

If he is using cloaking and redirects use rex swains viewer to see the nature of the beast.

http://www.rexswain.com/httpview.html

In the "real world" there is nothing stopping people from pretending to be someone else, when sending normal mail and phonecalls, the thing about email spam is that they so easily can do it in bulk. Unfortunately.

**Whois-Search** · 11-08-2002, 06:39 PM

Return-Path: <MAILER-DAEMON@bennoart.com>
Received: from ns14.super-hosts.com (root@localhost)
by bennoart.com (8.11.6/8.11.6) with ESMTP id gA8KWRB03015
for <me@bennoart.com>; Fri, 8 Nov 2002 15:32:27 -0500
X-ClientAddr: 206.16.4.197
Received: from cn-sfo1-g7-2.cnet.com (nat-206-16-4-197.cnet.com [206.16.4.197])
by ns14.super-hosts.com (8.11.6/8.11.6) with ESMTP id gA8KWRl03010
for <me@bennoart.com>; Fri, 8 Nov 2002 15:32:27 -0500
Received: from cnet18.cnet.cnwk (158.81.16.10.nat.cnet.com [10.16.81.158])
by cn-sfo1-g7-2.cnet.com (8.9.3/8.9.3) with ESMTP id MAA01598
for <me@bennoart.com>; Fri, 8 Nov 2002 12:35:55 -0800 (PST)
Received: by cnet18.cnet.cnwk with Internet Mail Service (5.5.2653.19)
id <V989F461>; Fri, 8 Nov 2002 12:35:54 -0800
Message-ID: <44036B273E26ED4184699A011B90D6EF096669D5@cnet18.c net.cnwk>
From: System Administrator <postmaster@cnet.com>
To: me@bennoart.com
Subject: Undeliverable: Online adult classifieds!
5068jPUc1-190WpGd2055ilWH1-
-25
Date: Fri, 8 Nov 2002 12:35:54 -0800
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
X-MS-Embedded-Report:
Content-Type: multipart/mixed;
boundary="----_=_NextPart_000_01C28766.6F40D625"
Status:

**Whois-Search** · 11-08-2002, 06:41 PM

Return-Path: <MAILER-DAEMON@bennoart.com>
Received: from ns14.super-hosts.com (root@localhost)
by bennoart.com (8.11.6/8.11.6) with ESMTP id gA8KNx901448
for <me@bennoart.com>; Fri, 8 Nov 2002 15:23:59 -0500
X-ClientAddr: 212.78.193.8
Received: from mrin02.st1.spray.net (mrin02.spray.se [212.78.193.8])
by ns14.super-hosts.com (8.11.6/8.11.6) with ESMTP id gA8KNwl01436
for <me@bennoart.com>; Fri, 8 Nov 2002 15:23:58 -0500
Received: from lmin05.st1.spray.net (lmin05.st1.spray.net [212.78.202.105])
by mrin02.st1.spray.net (Postfix) with ESMTP id 514252496F2
for <me@bennoart.com>; Fri, 8 Nov 2002 21:27:26 +0100 (CET)
Received: by lmin05.st1.spray.net (Postfix)
id 147E414BA9; Fri, 8 Nov 2002 21:27:26 +0100 (MET)
Date: Fri, 8 Nov 2002 21:27:26 +0100 (MET)
From: MAILER-DAEMON@st1.spray.net (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: me@bennoart.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="DCF5614BA7.1036787246/lmin05.st1.spray.net"
Message-Id: <20021108202726.147E414BA9@lmin05.st1.spray.net>
Status:

**mole** · 11-08-2002, 10:04 PM

Parsing header:

Received: from ns14.super-hosts.com (root@localhost) by bennoart.com (8.11.6/8.11.6) with ESMTP id gA8KWRB03015 for <me@bennoart.com>; Fri, 8 Nov 2002 15:32:27 -0500
no ip found in received line
Ignored

Received: from cn-sfo1-g7-2.cnet.com (nat-206-16-4-197.cnet.com [206.16.4.197]) by ns14.super-hosts.com (8.11.6/8.11.6) with ESMTP id gA8KWRl03010 for <me@bennoart.com>; Fri, 8 Nov 2002 15:32:27 -0500
Possible spammer: 206.16.4.197
host nat-206-16-4-197.cnet.com (checking ip) ip = 206.16.4.197
host cn-sfo1-g7-2.cnet.com (checking ip) ip not found ; cn-sfo1-g7-2.cnet.com discarded as fake.
no MXs for cn-sfo1-g7-2.cnet.com
206.16.1.51 is an MX for cnet.com
206.16.4.197 is not an MX for cn-sfo1-g7-2.cnet.com
ips don't match; cn-sfo1-g7-2.cnet.com discarded as fake
Received line accepted

Received: from cnet18.cnet.cnwk (158.81.16.10.nat.cnet.com [10.16.81.158]) by cn-sfo1-g7-2.cnet.com (8.9.3/8.9.3) with ESMTP id MAA01598 for <me@bennoart.com>; Fri, 8 Nov 2002 12:35:55 -0800 (PST)
host 206.16.4.197 (getting name) 206.16.4.197 = nat-206-16-4-197.cnet.com.
206.16.4.197 not listed in proxies.relays.monkeys.com
10.16.81.158 discarded

Received: by cnet18.cnet.cnwk with Internet Mail Service (5.5.2653.19) id <V989F461>; Fri, 8 Nov 2002 12:35:54 -0800
no from
no ip found in received line
Ignored
host 206.16.4.197 (getting name) 206.16.4.197 = nat-206-16-4-197.cnet.com.
206.16.4.197 not listed in proxies.relays.monkeys.com

Tracking message source:206.16.4.197:
Routing details for 206.16.4.197
[refresh/show] Cached whois for 206.16.4.197 : notify@attens.com
Using last resort contacts notify@attens.com
notify@attens.com redirects to abuse@attens.com
Whois found abuse@attens.com
206.16.4.197 not listed in formmail.relays.monkeys.com
206.16.4.197 not listed in proxies.relays.monkeys.com
206.16.4.197 not listed in relays.ordb.org.

Would send message source reports to:

Re:206.16.4.197 (Administrator of network where email originates)

abuse@attens.com

**mole** · 11-08-2002, 10:05 PM

Parsing header:

Received: from ns14.super-hosts.com (root@localhost) by bennoart.com (8.11.6/8.11.6) with ESMTP id gA8KNx901448 for <me@bennoart.com>; Fri, 8 Nov 2002 15:23:59 -0500
no ip found in received line
Ignored

Received: from mrin02.st1.spray.net (mrin02.spray.se [212.78.193.8]) by ns14.super-hosts.com (8.11.6/8.11.6) with ESMTP id gA8KNwl01436 for <me@bennoart.com>; Fri, 8 Nov 2002 15:23:58 -0500
Possible spammer: 212.78.193.8
host mrin02.spray.se (checking ip) ip = 212.78.193.8
host mrin02.st1.spray.net (checking ip) ip not found ; mrin02.st1.spray.net discarded as fake.
no MXs for mrin02.st1.spray.net
no MXs for st1.spray.net
Received line accepted

Received: from lmin05.st1.spray.net (lmin05.st1.spray.net [212.78.202.105]) by mrin02.st1.spray.net (Postfix) with ESMTP id 514252496F2 for <me@bennoart.com>; Fri, 8 Nov 2002 21:27:26 +0100 (CET)
host 212.78.193.8 (getting name) 212.78.193.8 = mrin02.spray.se.
212.78.193.8 not listed in proxies.relays.monkeys.com
Possible spammer: 212.78.202.105
host lmin05.st1.spray.net (checking ip) ip = 212.78.202.105
Chain test:mrin02.st1.spray.net =? mrin02.spray.se
mrin02.st1.spray.net and mrin02.spray.se have same hostname - chain verified
Possible relay: 212.78.193.8
212.78.193.8 not listed in relays.ordb.org.
212.78.193.8 has already been sent to relay testers
Received line accepted

Received: by lmin05.st1.spray.net (Postfix) id 147E414BA9; Fri, 8 Nov 2002 21:27:26 +0100 (MET)
no from
no ip found in received line
Ignored
host 212.78.202.105 (getting name) 212.78.202.105 = lmin05.st1.spray.net.
212.78.202.105 not listed in proxies.relays.monkeys.com

Tracking message source:212.78.202.105:
Routing details for 212.78.202.105
[refresh/show] Cached whois for 212.78.202.105 : mattias.niklasson@spray.se, hakan@spray.se
Using last resort contacts mattias.niklasson@spray.se hakan@spray.se
Whois found mattias.niklasson@spray.se hakan@spray.se
212.78.202.105 not listed in formmail.relays.monkeys.com
212.78.202.105 not listed in proxies.relays.monkeys.com
212.78.202.105 not listed in relays.ordb.org.

Would send message source reports to:

Re:212.78.202.105 (Administrator of network where email originates)

hakan@spray.se
mattias.niklasson@spray.se