Welcome to the JaguarPC Community

This is a discussion on Some bastard is sending spam under my e-mail. in the Open Discussion & Chit-chat forum

  1. #1
    Loyal Client Pawel Kowalski's Avatar
    Join Date
    Sep 2001
    Location
    Albuquerque NM
    Posts
    1,405

    Some bastard is sending spam under my e-mail.

    Hi,
    I keep on getting e-mail from people telling me that they never want to receive mail from me again, people threatening me, and more. This led me to believe that someone is sending junk mail using my e-mail address. Well, today I got a message that had the subject Re: We Need Homeworkers!!. So now I know what the message is called. I e-mailed every person that sent me a threat, or anything else, stating that I did not send this e-mail and asked them if they could forward this message to me so I can take action. No one has replied yet. Is there anything I can do to stop this or find out what the message is and who is sending it? I also don't want JPC to think I am sending this and delete my account.
    Thank You,
    Paul
    Last edited by Pawel Kowalski; 08-14-2002 at 04:25 PM.

  2. #2
    Loyal Client
    Join Date
    Sep 2001
    Location
    Wichita, KS
    Posts
    1,647
    that really sucks...

    I don't know how they would do that, jag's SMTP servers seem pretty secure (I telnetted into one once and had trouble getting it to work right)

  3. #3
    Loyal Client Pawel Kowalski's Avatar
    Join Date
    Sep 2001
    Location
    Albuquerque NM
    Posts
    1,405
    Originally posted by mattsiegman
    that really sucks...

    I don't know how they would do that, jag's SMTP servers seem pretty secure (I telnetted into one once and had trouble getting it to work right)
    All they need to do is set the from line to my e-mail. The worst part is most of the people that complain delete the original message, so I can't get the headers.
    Thanks,
    paul

  4. #4
    JPC Member
    Join Date
    Jan 2002
    Location
    Belgium
    Posts
    30
    Once you have one e-mail with headers, you can trace the IP and request the ISP to disable that user's account.

    But you need the headers of course.

    Qayej

  5. #5
    Loyal Client Pawel Kowalski's Avatar
    Join Date
    Sep 2001
    Location
    Albuquerque NM
    Posts
    1,405
    Hi,
    I finally got the headers from someone. It seems this guy only sends mail to aol users. I really don't know where to go from here and if someone could help me I would greatly appreciate it. The headers are the following:
    Code:
    Return-Path: <nobody@ns15.u-build-it.net>
    Received: from  rly-zd03.mx.aol.com (rly-zd03.mail.aol.com [172.31.33.227]) by air-zd02.mail.aol.com (v87.22) with ESMTP id MAILINZD22-0815040606; Thu, 15 Aug 2002 04:06:06 -0400
    Received: from  ns15.u-build-it.net (ns15.u-build-it.net [66.33.60.137]) by rly-zd03.mx.aol.com (v87.22) with ESMTP id MAILRELAYINZD32-0815040549; Thu, 15 Aug 2002 04:05:49 -0400
    Received: from nobody by ns15.u-build-it.net with local (Exim 3.35 #1)
    	id 17fFdS-0002bV-00; Thu, 15 Aug 2002 04:05:38 -0400
    To: surfer3115@aol.com, klesz@aol.com, xpunk1073@aol.com, eagle044@aol.com,
            cubby77267@aol.com, gob3785952@aol.com, surfer32485@aol.com
    Cc: eagle0494@aol.com, kleszics@aol.com, eagle04@aol.com, jeanny78@aol.com,
            markgeary@aol.com, cubby7959@aol.com, gob382@aol.com
    From: linda9c7@advertise.thehotweb.net ()
    Subject: Homeworkers Needed
    Content-Type: text/html;
    Message-Id: <E17fFdS-0002bV-00@ns15.u-build-it.net>
    Date: Thu, 15 Aug 2002 04:05:38 -0400
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - ns15.u-build-it.net
    X-AntiAbuse: Original Domain - aol.com
    X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [99 99]
    X-AntiAbuse: Sender Address Domain - ns15.u-build-it.net
    X-Mailer: Unknown (No Version)
    MIME-Version: 1.0
    Thank You,
    Paul

  6. #6
    JPC Member
    Join Date
    Jan 2002
    Location
    Belgium
    Posts
    30
    It seems like the mail originated from "rly-zd03.mx.aol.com (rly-zd03.mail.aol.com [172.31.33.227]) by air-zd02.mail.aol.com"

    I traced back the IP but it seems like an aol.com mail relay. This means that the person sending this mail is on the aol.com network or (and I think this is more likely) uses the mail relay server to bounce off the mails so it looks like they came from within aol.com's name-space.

    With the first one, you can try contacting aol.com and ask them to track who sent this; with the latter one, well, I actually don't know. Maybe there's someone who does. (To trace the one who's sending, you would probably have to monitor the relay's log.)

    Sorry,

    Qayej

  7. #7
    JPC Member TimPD's Avatar
    Join Date
    Jan 2002
    Posts
    27
    We had the same issue with another client. We basically decided that it would be best to terminate the user and report them to their provider. The issue was they were using the guy's e-mail and his forms to send e-mails to several people, which caused the load to spike up over 100++
    Thanks Tim,
    PixelGenie Development
    http://www.pixelgenie.com

  8. #8
    Loyal Client Pawel Kowalski's Avatar
    Join Date
    Sep 2001
    Location
    Albuquerque NM
    Posts
    1,405
    Originally posted by Tim
    We had the same issue with another client. We basically decided that it would be best to terminate the user and report them to their provider. The issue was they were using the guy's e-mail and his forms to send e-mails to several people, which caused the load to spike up over 100++
    I contacted his ISP a week ago and got nothing back from them. I will call them right now. The server load here shouldn't go up since he just changed the from part to my address, but this still really p*sses me off and I will not rest until this guy is brought down.
    Thanks,
    Paul

  9. #9
    Internet Marketing Fiend tigertom's Avatar
    Join Date
    May 2002
    Posts
    21
    Apparently Formail 1.6 is vulnerable to being hijacked for
    sending spam. If any Jag. user has this script, I suggest they upgrade or change it.

    I'm getting a new style of spam now which looks like a
    different web form script is being hi-jacked. Looks like this
    is the latest spammer trick.

  10. #10
    the Windlord Gwaihir's Avatar
    Join Date
    Jun 2002
    Posts
    2,562
    I've found a nice free service that automatically interprets the headers on SPAM, in order to figure out where it came from (for real), etc. and files reports.

    It's called Spamcop; http://spamcop.net

    It may be helpful to you - then again it may not be, as it seems you've already found the perpetrator's ISP.
    Regards,

    Wim Heemskerk
    ---
    Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
    And Gwaihir.net - The Middle-earth CCG store

  11. #11
    JPC Senior Member
    Join Date
    Sep 2001
    Posts
    68
    The headers quoted above show the spam originating from ns15.u-build-it.net, which is host15 at jaguarpc. The "from nobody" would indicate that it originated from a script running on that host.

  12. #12
    the Windlord Gwaihir's Avatar
    Join Date
    Jun 2002
    Posts
    2,562
    Not so sure; that stuff can be faked, you know...
    BTW, 'ns15'? Would that server ever send mail as a nameserver? Wouldn't it always use 'Host15'?

    A more thorough look:

    Received: from rly-zd03.mx.aol.com (rly-zd03.mail.aol.com [172.31.33.227]) by air-zd02.mail.aol.com (v87.22) with ESMTP id MAILINZD22-0815040606; Thu, 15 Aug 2002 04:06:06 -0400
    172.31.33.227 discarded

    Received: from ns15.u-build-it.net (ns15.u-build-it.net [66.33.60.137]) by rly-zd03.mx.aol.com (v87.22) with ESMTP id MAILRELAYINZD32-0815040549; Thu, 15 Aug 2002 04:05:49 -0400
    Possible spammer: 66.33.60.137
    host ns15.u-build-it.net (checking ip) ip = 66.227.56.6
    66.33.60.137 is not an MX for ns15.u-build-it.net
    ips don't match; ns15.u-build-it.net discarded as fake
    Taking name from IP...
    host 66.33.60.137 (getting name) 66.33.60.137 = ns15.u-build-it.net.
    host ns15.u-build-it.net. (checking ip) ip = 66.227.56.6
    66.33.60.137 is not an MX for ns15.u-build-it.net.
    ips don't match; ns15.u-build-it.net. discarded as fake
    66.33.60.137 is not an MX for ns15.u-build-it.net
    Received line partially untrusted

    Received: from nobody by ns15.u-build-it.net with local (Exim 3.35 #1) id 17fFdS-0002bV-00; Thu, 15 Aug 2002 04:05:38 -0400
    no ip found in received line
    Ignored
    host 66.33.60.137 (getting name) 66.33.60.137 = ns15.u-build-it.net.
    66.33.60.137 not listed in proxies.relays.monkeys.com


    Tracking message source:66.33.60.137:
    Routing details for 66.33.60.137
    [refresh/show] Cached whois for 66.33.60.137 : noc@dialtone.com
    noc@dialtone.com: abuse.net dialtone.com = abuse@dialtone.com
    abuse.net dialtone.com = abuse@dialtone.com
    Use best contact: abuse@dialtone.com
    Whois found abuse@dialtone.com
    Regards,

    Wim Heemskerk
    ---
    Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
    And Gwaihir.net - The Middle-earth CCG store
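
Added example, not part of any post in this thread: a short Python reading of the Received chain from post #5, done the way posts #11 and #12 walk it, trusting only the lines written by the recipient's own servers. The function names and the `.aol.com` trusted suffix are assumptions for illustration; only the Received, From and one X-AntiAbuse header from post #5 are embedded.

```python
import email
import ipaddress
import re

# Headers copied from post #5 (Received chain, From, one X-AntiAbuse line).
RAW = """\
Received: from  rly-zd03.mx.aol.com (rly-zd03.mail.aol.com [172.31.33.227]) by air-zd02.mail.aol.com (v87.22) with ESMTP id MAILINZD22-0815040606; Thu, 15 Aug 2002 04:06:06 -0400
Received: from  ns15.u-build-it.net (ns15.u-build-it.net [66.33.60.137]) by rly-zd03.mx.aol.com (v87.22) with ESMTP id MAILRELAYINZD32-0815040549; Thu, 15 Aug 2002 04:05:49 -0400
Received: from nobody by ns15.u-build-it.net with local (Exim 3.35 #1)
\tid 17fFdS-0002bV-00; Thu, 15 Aug 2002 04:05:38 -0400
From: linda9c7@advertise.thehotweb.net ()
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [99 99]

"""

HOP = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<rdns>\S+)\s+\[(?P<ip>[\d.]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)(?:\s+\([^)]*\))?\s+with\s+(?P<proto>\S+)")

def parse_hops(msg):
    """Return the Received hops, newest first, as dicts."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append(m.groupdict())
    return hops

def trace(raw, trusted_suffixes):
    """Find the handoff IP recorded by the recipient's own MTAs and any
    local-submission claim made upstream of it."""
    msg = email.message_from_string(raw)
    handoff, claims = None, []
    for hop in parse_hops(msg):
        if handoff is None and hop["by"].endswith(trusted_suffixes):
            ip = hop["ip"]
            # Internal relay-to-relay hops (private addresses) are skipped.
            if ip and not ipaddress.ip_address(ip).is_private:
                handoff = ip
        else:
            claims.append(hop)  # written by the sending side: unverified
    local = next((h for h in claims if h["proto"] == "local"), None)
    uid = re.search(r"UID/GID - \[(\d+)", " ".join(msg.get_all("X-AntiAbuse", [])))
    return {"handoff_ip": handoff,
            "local_user": local["helo"] if local else None,
            "local_host": local["by"] if local else None,
            "caller_uid": int(uid.group(1)) if uid else None}

if __name__ == "__main__":
    print(trace(RAW, (".aol.com",)))
```

The handoff IP is the only value the recipient's servers recorded themselves; the local user, host and UID are what the sending machine wrote about itself and are what an abuse report would ask that host's operator to confirm.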

  13. #13
    JPC Senior Member
    Join Date
    Sep 2001
    Posts
    68
    The message in question appears to be dated August 15, 2002, before jaguarpc moved its servers from the dialtone noc to houston. The names and ip addresses of jaguarpc servers have changed since then.

  14. #14
    JPC Member TimPD's Avatar
    Join Date
    Jan 2002
    Posts
    27
    Originally posted by Otis
    The message in question appears to be dated August 15, 2002, before jaguarpc moved its servers from the dialtone noc to houston. The names and ip addresses of jaguarpc servers have changed since then.

    Not all the machines are moved; check http://jaguarpc.com/houston.php. Some are moved and some aren't.
    Thanks Tim,
    PixelGenie Development
    http://www.pixelgenie.com
