
19 January 2007

Probably stupid computer question here

I just ran an AVG full scan, Spybot, Ad-Aware, Pest Patrol and ZA Pro scan and all are clean.

I use Mailwasher Pro to preview the mail and this morning I've had probably 20 'delivery failure' notifications from various ISPs which seem to show that my email address is being spoofed for spam.

Here's the header of the last one I had.
Return-Path: (gtigld@essexjan.ndo.co.uk)
Received: (qmail 27844 invoked from network); 19 Jan 2007 10:32:50 -0000
Received: from unknown (HELO pdgkzzx) (59.92.186.4)
by static-52-210.worldinternetworkcorporation.com with SMTP; 19 Jan 2007 10:32:50 -0000
Received: from ewo ([138.195.59.181])
by pdgkzzx (8.13.6/8.13.6) with SMTP id l0JAckD1048785;
Fri, 19 Jan 2007 16:08:46 +0530
Message-ID: <45B09EB4.2040103@essexjan.ndo.co.uk>
Date: Fri, 19 Jan 2007 16:04:28 +0530
From: Liza K. Middleton (gtigld@essexjan.ndo.co.uk)
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0


(I had to replace triangular brackets in parts of the above with round brackets due to parser errors I kept getting on preview.)

All the messages show they're being sent by Thunderbird. I use OE.

Is it something I need to do anything about, or is it just that someone has a machine that's infected on which my email address was stored and the spambot has picked up the 'essexjan.ndo.co.uk' part of it and is spoofing emails purporting to come from me?

I hope the above makes sense. It does to me, anyway.
That would be the latter. I.e. you don't need to do anything about it. I get spammage like that in all my little domains.
posted by By the Grace of God 19 January | 05:59
jan, I've been getting a small flood of those messages, too. Just ignore them. 'Tis but a wee bit of social engineering.
posted by tommasz 19 January | 08:53
I've also had this kind of spam. Spam mail to me, "from me"; spam as returned mail "from me" to others. ugh. I pretty much just never use a domain address anymore, and I don't even bother with my isp email. That's completely hopeless.

And now, suddenly, I'm getting a huge flood of comment spam on a WordPress site... like one every few minutes for a few hours at a time. Comments have to be okayed on that site, so I just let them stack up (and stack up, and stack up) and then go in and click the "mark all as spam", but it's getting really distracting. I'm probably going to have to shut down commenting altogether. (It's a completely inoffensive, perfectly ordinary blog thing - unlikely that it's any kind of actual attack. I guess.)
posted by taz 19 January | 09:08
You may have been joe jobbed. If so, legitimate messages from your address may start being swallowed by spam traps. If that rises to any great level of frustration, you may have to try to rehabilitate that address with various spam filtering organizations, but in most cases, the fact that you're being filtered by a billion people you never communicate with anyway won't amount to much inconvenience.
posted by paulsc 19 January | 09:22
Let's see who really touched the email.

>Received: (qmail 27844 invoked from network); 19 Jan 2007 10:32:50 -0000

Qmail delivered it to you.

> Received: from unknown (HELO pdgkzzx) (59.92.186.4)
by static-52-210.worldinternetworkcorporation.com with SMTP; 19 Jan 2007 10:32:50 -0000

SMTP, the Simple Mail Transport Protocol, delivered it to static-52-210.worldinternetworkcorporation.com (presumably, a DSL connection) from 59.92.186.4. 59.92.186.4 is a naughty mailserver that isn't advertising a PTR record in DNS (PTRs convert addresses to names; they're the converse of A records, which are names to numbers).

So, who owns that IP?

>$ whois 59.92.186.4

> OrgName: Asia Pacific Network Information Centre
> OrgID: APNIC



> inetnum: 59.88.0.0 - 59.99.255.255
> netname: BSNLNET
> descr: NIB (National Internet Backbone)
> descr: Bharat Sanchar Nigam Limited
> descr: Sanchar Bhawan,20, Ashoka Road, New
> Delhi-110001
> country: IN


So. India. You've almost certainly been joe jobbed. Next line?

> Received: from ewo ([138.195.59.181])

Another address without reverse! Whois says this block is at...

> route: 138.195.0.0/16
> descr: RENATER
> descr: Universite Pierre et Marie Curie
> descr: 4 place Jussieu 75252 PARIS CEDEX 05
> descr: FRANCE
> origin: AS2200
> mnt-by: RENATER-MNT
> source: RIPE # Filtered

So, some spammer spammed someone in France. That message was rejected, then bounced back to the From: line, which was a lie. Alas, it was a lie with your domain in it.

You should reject mail that doesn't have a valid user attached to it for the next few weeks -- you may get a bunch of these.



posted by eriko 19 January | 10:03
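The header walk in the comment above can be scripted. This is an added example, not part of the thread or any poster's code: it parses the header block from the original post, lists the relay addresses named in the Received lines, and reports whether the message ever passed through the address owner's own outbound relay. The relay range `192.0.2.0/24` (a documentation prefix) and the `OWN_CLIENT` value are assumptions for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Header block as posted in the thread (round brackets kept); continuation
# lines are re-indented here so each folded Received header parses as one field.
BOUNCED_HEADERS = """\
Return-Path: (gtigld@essexjan.ndo.co.uk)
Received: (qmail 27844 invoked from network); 19 Jan 2007 10:32:50 -0000
Received: from unknown (HELO pdgkzzx) (59.92.186.4)
 by static-52-210.worldinternetworkcorporation.com with SMTP; 19 Jan 2007 10:32:50 -0000
Received: from ewo ([138.195.59.181])
 by pdgkzzx (8.13.6/8.13.6) with SMTP id l0JAckD1048785;
 Fri, 19 Jan 2007 16:08:46 +0530
Message-ID: <45B09EB4.2040103@essexjan.ndo.co.uk>
Date: Fri, 19 Jan 2007 16:04:28 +0530
From: Liza K. Middleton (gtigld@essexjan.ndo.co.uk)
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
"""

# Assumed values: placeholder relay range (RFC 5737) and the owner's mail client.
OWN_RELAYS = [ipaddress.ip_network("192.0.2.0/24")]
OWN_CLIENT = "Outlook Express"
DOTTED_QUAD = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def relay_ips(raw):
    """IPs named in the Received headers, in the order they appear."""
    ips = []
    for hop in message_from_string(raw).get_all("Received", []):
        for text in DOTTED_QUAD.findall(hop):
            try:
                ips.append(ipaddress.ip_address(text))
            except ValueError:
                continue  # dotted quad with an octet above 255
    return ips

def triage(raw, own_domain, own_relays=OWN_RELAYS, own_client=OWN_CLIENT):
    """Summarise whether a returned message really originated from own_domain."""
    msg = message_from_string(raw)
    sender = (msg.get("Return-Path", "") + msg.get("From", "")).lower()
    via_us = any(ip in net for ip in relay_ips(raw) for net in own_relays)
    return {
        "claims_us": own_domain.lower() in sender,
        "via_own_relay": via_us,
        "client_matches": own_client.lower() in msg.get("User-Agent", "").lower(),
        "forged": own_domain.lower() in sender and not via_us,
    }
```

Received lines added before the first server you trust are written by the sender, so a match against your own relay range is a reason to check that relay's logs rather than proof the message came from you.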
taz, are you using Akismet? It makes handling those comment spams pretty easy, all things considered. I started a new WordPress blog and ended up having to enable Akismet within a week or so.
posted by tommasz 19 January | 10:08
Thanks eriko. I have filters set up in Mailwasher Pro so that anything from an unknown source is marked in red and set for deletion from the server before I download the mail into my Outlook Express.
posted by essexjan 19 January | 10:26