Major spam problem - I'm sending it.

Meadmaker (Unregistered; joined Apr 27, 2004; 29,033 messages)
It seems I have a problem at work. This crowd is a pretty smart bunch, so someone might be able to help me out on what is happening here.

About a week ago, I started getting in my work mailbox 10 - 12 returned mail messages a day. It seems that some computer somewhere is "returning" to me all those ads I've been sending out for really low priced viagra.

Just in case anyone is wondering, no I am not sending out that spam for real. I am almost 100% certain that my computer also has not been coopted as a spam-bot by some nefarious fiend. I say that because the spam seems to be being sent even on days when my computer, a laptop, isn't hooked to the corporate network.

So what I actually get is a message that says my mail, with the subject line "great prices on !ia Gra" could not be delivered because the user doesn't exist, or because her mailbox is full. The target address is almost always a user in Germany, on what looks like a Deutsche Telekom address. (I think it is someuser@t-online.de.) The return path does have an IP address that matches our corporate mail server, but it doesn't go to our local server, and doesn't go to my computer. And of course the sender of the mail is something like "Uproarious" <my.name@mycompany.com>.

Correct me if I'm wrong, but what is probably happening here is that someone is successfully spoofing my address, and making it appear that mail is coming from me, and from our server, when in fact it is someplace in South Korea. Or is it more likely that someone has successfully turned someone else's computer into a spambot in our company, but the spamming program is substituting my name for theirs.

Of course, the IT staff would be the best people to ask, but I would prefer not to call attention to my internet practices at work, which include a lot of personal use and some company time. Not that they couldn't find all that out, but I don't see any reason to call their attention to it until it gets to be a major problem for me. Fortunately, randi.org isn't a porn site or hate group (I think) but they might notice that my idea of "lunch hour" extends beyond the usual definitions.

We have a Windows office. I have Win2k, connected to a server. We keep a local Exchange server for e-mail, and that's connected to a corporate cluster at the national office.

So, what sort of diagnosis is it? Address spoof? My computer is a spambot? Someone in the next cubicle is a spambot? Our server itself has been infected and is sending out spam in my name? 'Tis a puzzlement.
 
Correct me if I'm wrong, but what is probably happening here is that someone is successfully spoofing my address, and making it appear that mail is coming from me, and from our server, when in fact it is someplace in South Korea. Or is it more likely that someone has successfully turned someone else's computer into a spambot in our company, but the spamming program is substituting my name for theirs.
What you are experiencing is known in the vernacular as a "joe job".

What someone is doing is spoofing your address as a return address, and sending mail to an address he knows doesn't exist. That way, it bounces as intended, but the bounce message is addressed to you, and most mailer systems are set up to be far more lenient about letting bounce messages in than letting spam in.

It's roughly analogous to taking a regular paper envelope, writing the intended recipient in the return-address corner, writing some bogus address in the middle of the envelope, and not attaching a stamp. The post office will see it and return it to the "sender", which in this case is the person you wanted to receive it anyway. Very slimy and very common.

Unfortunately, there's not a whole lot of stuff that can actually be done about this at the current time. There are a handful of standards in the works (SPF, SenderID, etc.) that will verify that a bounce message is coming from a system that is actually authorized to generate one, but nothing has been decided on yet.
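One way to triage bounces like the ones described above is to look at the returned copy of the "original" message and ask whether it ever touched your own outbound mail server. This is an added example, not code from the thread or from any of the posters; the DSN text, the outbound address range (203.0.113.0/24) and the header layout are constructed for illustration.

```python
import email
import re
from email import policy
from ipaddress import ip_address, ip_network

# Constructed: the address range our corporate mail servers actually relay from.
AUTHORIZED_OUTBOUND = [ip_network("203.0.113.0/24")]

# Constructed DSN for spam that forged my.name@mycompany.example as the sender;
# the bouncing MTA returns the original's headers as a text/rfc822-headers part.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.invalid
To: my.name@mycompany.example
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/rfc822-headers

Received: from unknown (HELO mycompany.example) ([198.51.100.77])
  by mx.example.invalid; Tue, 11 Oct 2005 08:59:58 +0000
From: "Uproarious" <my.name@mycompany.example>
To: someuser@example.invalid
Subject: great prices on !ia Gra
--b1--
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def returned_hop_ips(bounce_text: str) -> list[str]:
    """IPs recorded in the Received headers of the returned original.
    Handles text/rfc822-headers parts only (not message/rfc822 attachments)."""
    dsn = email.message_from_string(bounce_text, policy=policy.default)
    ips = []
    for part in dsn.walk():
        if part.get_content_type() == "text/rfc822-headers":
            raw = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            original = email.message_from_string(raw, policy=policy.default)
            for hop in original.get_all("Received") or []:
                ips.extend(BRACKETED_IP.findall(str(hop)))
    return ips


def classify_bounce(bounce_text: str) -> str:
    """'backscatter' when no hop of the returned mail is in our outbound range:
    the bounce answers mail we never sent. Hops below the bouncing MTA's own
    line are written by the injector and can be forged, so a match is only
    weak evidence, hence 'possibly-genuine' rather than 'genuine'."""
    ips = returned_hop_ips(bounce_text)
    if not ips:
        return "unknown"
    if any(ip_address(ip) in net for ip in ips for net in AUTHORIZED_OUTBOUND):
        return "possibly-genuine"
    return "backscatter"
```

Bounces classified as backscatter can be filed away without touching your own mail server's reputation checks, while the "possibly-genuine" bucket is the one worth reading.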
 
Thanks, Beleth. That makes sense. I hadn't thought of going to all that effort just to bypass a spam filter. I suppose they might also think it was a good defense against CAN-SPAM, because technically, they aren't sending an email with a forged sender line. However, I think they would lose the case, if you could ever manage to find them and bring one.

It's frightening to think that if people are going to the effort of creating such absurd schemes, there must be someone out there who is getting an "undelivered message" notification, opening it, and then buying some "really cheap viaGr a".

But at least I know I'm not a spambot. If I had been, and couldn't have found the infection source, I would have had to get IT involved, and that would not have been a good thing.
 
Well, the obvious and honorable thing to do is not surf the 'net so much while at work ;)
 
It's frightening to think that if people are going to the effort of creating such absurd schemes, there must be someone out there who is getting an "undelivered message" notification, opening it, and then buying some "really cheap viaGr a".
There is a lot of money to be made by spammers. And they mainly do it by volume. It's a huge industry; they even have conferences with seminars on things like new spamming techniques, how to get a ton of offshore domains registered, etc.

It's very sad. It's sad in the same way the paranormal is sad, in that it preys on the gullible, and gives back nothing.
 
Beleth, I think there's another reason to use someone else's return address, other than a joe job. That's so the spammer won't get the bounced emails that he sent to bad email addresses.

Sometimes I will get a large number of identical bounced emails back to my address. I don't think that's a joe job, because why would the spammer bother to joe me more than once?

~~ Paul
 
Well, the obvious and honorable thing to do is not surf the 'net so much while at work ;)

Well, yeah, but uhhh, uhhhh, well I'm sure there's a good reason that I ought to not feel guilty about that, but I can't think of it right now.


Actually, we have one of those weird office situations where the truth is that no one in our area is working much, because business sucks and we don't have all that much to do. I wasn't so much worried about anyone finding that out, as much as calling it to the attention of someone who might feel compelled to do something about it.
 
Beleth, I think there's another reason to use someone else's return address, other than a joe job. That's so the spammer won't get the bounced emails that he sent to bad email addresses.

Sometimes I will get a large number of identical bounced emails back to my address. I don't think that's a joe job, because why would the spammer bother to joe me more than once?
Good point.

If the messages are indeed identical, then yes, probably some spammer is just using your address as a bogus return address. The only way to deal with that today is to set up a block based on something else, like a word in the subject line or body of the message. But there's really no reason to, since the damage has been done, and it's very likely that no one will ever send you mail with that particular misspelling of "viagra" again.
 
No, there are a wide variety of messages, just the usual spam, though. Viagra. Great deals! Hot girls! The usual.
 
All you can do is jettison that address and set up a new one. Blocking the spam is the least of it; that address is going to end up on blacklists all over the world. You will never know if your emails are being received, because someone's ISP may be using a blacklist with you on it.
 