OT: Decoding email headers

Apparently they stop after a couple of weeks.

Mary

Reply to
Mary Fisher

I have seen this happen plenty of times. It is obviously worse if you have an ISP account where you get to "own" a bit of the domain name (as is the case with freeserve) rather than just the username, since the concept of a "catch all" address then exists for all the incorrectly addressed bounces. However there is no reason to suspect that freeserve is any more vulnerable than any other ISP in this respect.

The cause is often a compromised machine. Your only connection with it is that the machine will have an email either to or from you stored on it. It may be someone you have communicated with in the past, or possibly a computer to which someone had forwarded a message with your address on it. The spamming trojan will have scanned the computer for email addresses and you were lucky enough that it picked yours to use as a from address. From the malware's point of view this is ideal, since using a real source domain/address helps the spam get through some of the spam checks that verify the sender's domain exists, and it also hides the evidence that the computer is infected from its owner since the bounces are not going back to the actual sender.

One partial solution is to see if you can create additional mail boxes on the freeserve account (i.e. roger@ etc.) and disable the catch all address. At least that way the only ones you will see are the ones that purported to come from a real address.

How much you can deduce from the mail headers will depend a bit on the sophistication of the malware. Some will use the default email application/SMTP server for the sending of the spam. Looking at the header you would typically see several "received from" entries at the top of the message. However in each case the oldest entry would typically be the same ISP server and may also give the IP address of the computer that sent the message. If you can get this you may be able to identify the actual sender, or at least their ISP.

A more sophisticated nasty may include its own SMTP engine and also include the capability to do MX record lookups via DNS queries. This will allow the malware to deliver email directly to the destination pop3 server in one hop. Hence it can also include fake and random "received from" header information to help obfuscate the real source.

Send me a few headers if you like, I will see if there is anything obvious.

Reply to
John Rumm
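John's two cases (a bot using the ISP's relay, whose oldest Received line names the infected machine, versus a direct-to-MX engine that writes fake Received lines) can be told apart by walking the header block from the newest line downwards and trusting a hop only while the host that recorded it ("by ...") is one you control or know. The script below is an added Python example, not code from John's post or from any tool named in the thread. The two sample messages, the host names and the IP addresses are constructed for the example, and the list of trusted host suffixes is an assumption the reader supplies.

```python
import re
from email import message_from_string

# Constructed sample, not from the original post: the top Received line was
# stamped by the recipient's own MX; the one below it came with the message
# and is only as trustworthy as the relay that wrote it.
RELAYED_SAMPLE = """\
Received: from smtp.sender-isp.example (smtp.sender-isp.example [198.51.100.10])
 by mx.recipient.example (Postfix) with ESMTP id 4Kc1x0; Mon, 3 Mar 2008 10:15:02 +0000
Received: from home-pc (dsl-77.sender-isp.example [192.0.2.77])
 by smtp.sender-isp.example with ESMTP; Mon, 3 Mar 2008 10:14:55 +0000
From: roger@example.org
To: victim@example.net
Subject: constructed sample

body
"""

# Constructed sample of a direct-to-MX bot connecting from 192.0.2.200 and
# injecting two fabricated hops below the genuine one.
DIRECT_TO_MX_SAMPLE = """\
Received: from mail.bigisp.example (unknown [192.0.2.200])
 by mx.recipient.example (Postfix) with ESMTP id 4Kc1x1; Mon, 3 Mar 2008 11:02:40 +0000
Received: from relay3.bigisp.example (relay3.bigisp.example [203.0.113.3])
 by mail.bigisp.example with ESMTP; Mon, 3 Mar 2008 11:02:30 +0000
Received: from user-pc (cable-9.bigisp.example [203.0.113.99])
 by relay3.bigisp.example with SMTP; Mon, 3 Mar 2008 11:02:20 +0000
From: roger@example.org
To: victim@example.net
Subject: constructed sample

body
"""

# "from <helo> ... by <host>"; the recording host ends at whitespace or ';'.
HOP_RE = re.compile(r"\bfrom\s+(?P<helo>\S+).*?\bby\s+(?P<by>[^\s;]+)", re.S)
# The connecting address, as the recording MTA saw it, in square brackets.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """Return Received hops newest-first as dicts: helo, by, ip (ip may be None)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue                            # unparseable hop: leave it out rather than guess
        ip = IP_RE.search(flat)
        hops.append({"helo": m["helo"], "by": m["by"].lower(),
                     "ip": ip[1] if ip else None})
    return hops


def verifiable_origin(hops, trusted_by_suffixes):
    """Walk from the newest hop while the recording ('by') host is one we trust.

    The connecting IP of the last trusted hop is the earliest address that a
    server we trust actually saw. Every hop older than that was written by
    someone else and may be fabricated.
    """
    origin = None
    for hop in hops:
        if not any(hop["by"].endswith(s) for s in trusted_by_suffixes):
            break
        origin = hop["ip"]
    return origin


def claimed_origin(hops):
    """The oldest hop's IP: what the headers claim, with no guarantee at all."""
    return hops[-1]["ip"] if hops else None


if __name__ == "__main__":
    for name, raw in (("relayed", RELAYED_SAMPLE), ("direct-to-MX", DIRECT_TO_MX_SAMPLE)):
        hops = received_hops(raw)
        print(name, "verifiable:", verifiable_origin(hops, ("recipient.example",)),
              "claimed:", claimed_origin(hops))
```

Extending the trusted-suffix list to the sending ISP's relay (when you have reason to believe that relay is honest) lets the walk continue one hop further, which is how the "oldest entry is the same ISP server and gives the IP of the sending computer" case in John's post gets resolved; for the bot sample the walk stops immediately and the only address worth reporting is the one that connected to your own MX.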

If you want to give my filters a shot, it might help cut the manual deletions a bit... I'll forward the email I sent to Raden your way in case you want to give 'em a whirl - probably the MOST effective ones to start with are the "multiple to/cc" and APNIC1 / APNIC2

Tell you what, I'll post them here - reassemble them as whole lines and use a text editor without word-wrap to insert them...

I'll leave a space between each "line" (where I use a regexpr I stick a "following" line in a more humanly readable format)

[enabled],"multiple to/cc","multiple to/cc",33023,OR,Delete,To,containsRE,"(?is)([@].*){7,}",CC,containsRE,"(?is)([@].*){7,}"

[enabled],AfriNIC,AfriNIC,16711808,OR,Delete,EntireHeader,containsRE,(\(|\[)41.

[enabled],"APNIC 1","APNIC 1",8388863,OR,Delete,EntireHeader,containsRE,(\(|\[)58.,EntireHeader,containsRE,(\(|\[)59.,EntireHeader,containsRE,(\(|\[)60.,EntireHeader,containsRE,(\(|\[)61.,EntireHeader,containsRE,(\(|\[)121.,EntireHeader,containsRE,(\(|\[)122.,EntireHeader,containsRE,(\(|\[)123.,EntireHeader,containsRE,(\(|\[)124.,EntireHeader,containsRE,(\(|\[)125.,EntireHeader,containsRE,(\(|\[)126.

[enabled],"APNIC 2","APNIC 2",8388863,OR,Delete,EntireHeader,containsRE,(\(|\[)202.,EntireHeader,containsRE,(\(|\[)203.,EntireHeader,containsRE,(\(|\[)210.,EntireHeader,containsRE,(\(|\[)211.,EntireHeader,containsRE,(\(|\[)218.,EntireHeader,containsRE,(\(|\[)219.,EntireHeader,containsRE,(\(|\[)220.,EntireHeader,containsRE,(\(|\[)221.,EntireHeader,containsRE,(\(|\[)222.

[enabled],"APNIC regexpr 1","APNIC regexpr 1",8388863,OR,Delete,EntireHeader,containsRE,(\(|\[)169\.((20[8-9])|(21[0-9])|(2[1-2][0-3]))\.,Subject,contains,"### (169.208. -> (169.223. ###",EntireHeader,containsRE,(\(|\[)196\.(19[2-9])\.,Subject,contains,"### (196.192. -> (196.199. ###"

[enabled],LACNIC,LACNIC,128,OR,Delete,EntireHeader,containsRE,(\(|\[)189.,EntireHeader,containsRE,(\(|\[)190.,EntireHeader,containsRE,(\(|\[)200.,EntireHeader,containsRE,(\(|\[)201.
Reply to
Colin Wilson
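The rule lines Colin posted are a comma-separated export: an enabled flag, the rule name twice, a colour value, how the conditions combine (OR), the action (Delete), then field/operator/value triples, where `containsRE` is a regular expression and `contains` a plain substring (his `### ... ###` Subject conditions are comments that never match). What follows is an added Python evaluator for that format, not Colin's code or the filter program's; it parses the first three rules verbatim (wrap spaces removed) and runs them over constructed messages whose addresses and host names are made up. It also shows one caveat a reader of those patterns should know: the dot after the first octet is an unescaped regex dot, so the APNIC pattern for 58 fires on any `(58` or `[58` followed by anything, including a harmless `(5800 build)` in an X-Mailer line; `tightened()` escapes that dot.

```python
import csv
import io
import re
from email import message_from_string

# The first three rules from the post above, reassembled as whole lines.
RULES_TEXT = r'''[enabled],"multiple to/cc","multiple to/cc",33023,OR,Delete,To,containsRE,"(?is)([@].*){7,}",CC,containsRE,"(?is)([@].*){7,}"
[enabled],AfriNIC,AfriNIC,16711808,OR,Delete,EntireHeader,containsRE,(\(|\[)41.
[enabled],"APNIC 1","APNIC 1",8388863,OR,Delete,EntireHeader,containsRE,(\(|\[)58.,EntireHeader,containsRE,(\(|\[)59.
'''

# Constructed messages, not from the post.
MANY_RECIPIENTS = """\
From: roger@example.org
To: a@x.example, b@x.example, c@x.example, d@x.example, e@x.example, f@x.example, g@x.example, h@x.example
Subject: constructed sample

body
"""

APNIC_RELAY = """\
Received: from unknown (HELO mail) (58.0.2.7) by mx.example.org with SMTP; Mon, 3 Mar 2008 10:15:02 +0000
From: roger@example.org
To: victim@example.org
Subject: constructed sample

body
"""

FALSE_POSITIVE = """\
Received: from smtp.friend.example (smtp.friend.example [198.51.100.5]) by mx.example.org with ESMTP; Mon, 3 Mar 2008 10:15:02 +0000
From: friend@friend.example
To: roger@example.org
Subject: constructed sample
X-Mailer: Constructed Mailer (5800 build)

body
"""


def parse_rules(text):
    """Parse exported rule lines into dicts with name, combine, action, conds."""
    rules = []
    for row in csv.reader(io.StringIO(text)):   # csv handles the quoted regex with ',' in it
        if not row or row[0] != "[enabled]":
            continue
        conds = [tuple(row[i:i + 3]) for i in range(6, len(row) - 2, 3)]
        rules.append({"name": row[1], "combine": row[4], "action": row[5], "conds": conds})
    return rules


def field_text(raw, msg, field):
    if field == "EntireHeader":
        return raw.split("\n\n", 1)[0]          # everything above the blank line
    return msg.get(field, "") or ""             # To, CC, Subject; lookup is case-insensitive


def condition_matches(op, value, text):
    if op == "containsRE":
        return re.search(value, text) is not None
    if op == "contains":
        return value.lower() in text.lower()
    raise ValueError(f"unknown operator {op!r}")


def evaluate(rules, raw):
    """Names of the rules that fire on the message (each would apply its action)."""
    msg = message_from_string(raw)
    hits = []
    for rule in rules:
        results = [condition_matches(op, val, field_text(raw, msg, fld))
                   for fld, op, val in rule["conds"]]
        if (any if rule["combine"] == "OR" else all)(results):
            hits.append(rule["name"])
    return hits


def tightened(rules):
    """Same rules, with a trailing unescaped '.' after the octet made a literal dot."""
    out = []
    for rule in rules:
        conds = [(f, op, re.sub(r"(\d)\.$", r"\1\\.", v) if op == "containsRE" else v)
                 for f, op, v in rule["conds"]]
        out.append({**rule, "conds": conds})
    return out


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for label, raw in (("many recipients", MANY_RECIPIENTS), ("58.x relay", APNIC_RELAY),
                       ("friendly mail", FALSE_POSITIVE)):
        print(label, "->", evaluate(rules, raw), "| tightened:", evaluate(tightened(rules), raw))
```

The `{7,}` in the first rule means "at least seven `@` signs in the To (or CC) header", which is the "multiple to/cc" heuristic; the first-octet rules simply match any bracketed or parenthesised address in the header block that starts with that octet, so they hit every Received line, not just the originating one.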

I'm in the same boat, but not with Freeserve.

I get about one or two spam emails per day now, instead of hundreds.

I use a "gmail" account and rely on google's gmail to filter spam.

The nice thing is that you can setup a gmail account, redirect all email through it AND ask google to redirect filtered email to your real email address.

I've been through the Mailwasher cycle - it ended up being too much a pain to tweak it every so often.

I'd recommend the Gmail approach - well, at least give it a try.

HTH

Mungo

Reply to
Mungo

I only tweak mine now when I find a large IP range I want to block - other than that, I maybe get two out of >250 per day* that I need to delete manually - the rest are all dealt with automatically.

* I used to get 550-580 per day
Reply to
Colin Wilson

Whoops. My header reading is suspect - of course Outlook uses Outlook Express as a news client.

That they do, but I think Roger feels a bit annoyed by the identity theft of his email/domain. The principle of the abuse, not the cost of electrons. You'll get used to it Roger after a while.

I've been filtering automatically the spam (sexual, non-functional, software, the ultimate online pharmaceuticals) for a few months now - and am glad to say it's no trouble. The software (Thunderbird) works, I don't need to rely on spam blacklists or hunt esoteric solutions.

The latest act here is where my @medomain.com gets fired off to either mailing list subscribe/unsubscribe addresses or spam blocking company firewalls, which both require a web response by me to get any action with those lists/delivery services.

If anything should be done, then ISPs should do more to identify zombie machines on the net and quickly isolate those machines from passing POP3/SMTP traffic, just only allow Web access. Likelihood is the lame users will only be interested in using web based mail/news anyway and have abandoned Outlook years ago as unportable and 'complicated'.

Reply to
Adrian C

Zetnet does that for its clients. I haven't been offered penis enlargement or a share of an African fortune for ages :-(

Mary

Reply to
Mary Fisher

Never mind... ;-)

Most ISPs have some spam filtering options now. Alas none of them are 100% effective (and ISPs will always have to err on the side of caution to avoid the risk of "false positives" (i.e. deleting someone's genuine email)).

One spam reducing benefit that you have (and may not be aware of) is that with an email address such as yours (where all the stuff after the @ is nothing to do with you) it does significantly reduce the amount of "randomly" addressed junk that can possibly be delivered to you. If you had something like mary(at)fisher.zetnet.co.uk you would probably experience a different magnitude of spam since anything sent to any user name (at)fisher... would then land in the default mailbox.

Reply to
John Rumm

Couldn't agree more. Administrators who bounce these messages, and programs that do the same including Mailwasher just make the problem worse. My server just discards them and bollocks to people who complain that this is non RFC compliant.

Reply to
Tony Hogarty

The worst ISPs are the ones who add a smug little message "We detected your email was spam so we didn't deliver it to its intended recipient". FFS if you know it's spam why bother replying to it?

Reply to
bof

Humpf. You wait 'till you get lots of people replying to you direct about the spam/UCE, or your ISP.

Reply to
Chris Bacon

Yes, I've received some fairly unpleasant abusive email for spam I hadn't sent, my main worry was that my domain would get blacklisted as a spammer, but as far as I'm aware it hasn't happened.

Reply to
bof

Bouncing is an *option* in Mailwasher - and one which I turn firmly *off* for that very reason.

Reply to
Roger Mills

I know. I've had to find a new hobby.

Nothing in life is 100% effective.

Except death ...

Mary

Reply to
Mary Fisher

It used to come set as the default option to bounce. That may have changed recently of course as I haven't used Mailwasher and indeed Windows for a few years now.

Reply to
Tony Hogarty

Well, I'm using an old version - probably the last free version to handle multiple accounts, including Hotmail.

I'm not sure whether the bounce flag is set by default - but it *can't* bounce unless you enter an SMTP server address - which is not required just for monitoring incoming emails.

Reply to
Roger Mills

Not too sure about that, even! Some people come back to haunt us!

Reply to
Roger Mills

Oh, careful, you'll be accused of being a loony!

Join the club :-)

Mary

Reply to
Mary Fisher

IF you have a mail agent that simply says 'bounce address failed' then the mail MTA should bounce them back to the sender's PATH address. If that fails, then the message will get discarded.

It's the fault of people who leave an unlimited number of mailbox names active on their servers..

True security lies in 'that which is not expressly permitted, is de facto forbidden'

My mail filters mostly reject anything from Yahoo, google and AOL. Apart from the half dozen people I know who actually use them.

Reply to
The Natural Philosopher

As a network and mail administrator for many years, I can assure you most of us are not THAT stupid.

MOST spam is sent through 'open relays' with some kind of valid sender address.

Now open relays are fairly quickly blacklisted and most ISPs will reject, or flag so you can reject, mail emanating from such.

They will also flag or reject mail coming from 'unreplyable addresses'. Yes, they actually test the connection to the mail server YOU use to see if YOU exist.

Hence why your spammer looks for random domain addresses that don't bounce when he sends a test email to them.

That is why its VERY IMPORTANT that you DO bounce e-mail sent to random names in your domain.

That at least stops email from (ostensibly) e.g. snipped-for-privacy@yourdomain.zetnet.co.uk being a usable originating address.

So less of the spam will get through in the first place. AND if that address is flagged as 'unknown' you won't see the bounces or the irate messages either.

In short, leaving a whole domain open is about the most stupid and spam assisting thing you and an ISP can jointly do.

If your ISP cannot/will not allow you to set up and maintain only a list of names within your domain, and bounce anything else, change your mail provider.

Reply to
The Natural Philosopher
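The posts above argue over four ways a domain can treat mail for a name that does not exist: a catch-all that delivers it to the owner (Roger's situation), accepting it and then generating a bounce (what Mailwasher's bounce option and an accept-then-bounce MTA do), accepting it and silently discarding it (Tony's server), and rejecting it with a 550 during the SMTP session itself. Only the second one manufactures a new message addressed to whatever was in MAIL FROM, which is where the "abusive email for spam I hadn't sent" comes from when that reverse path is forged. The simulation below is an added Python example, not code from any poster or any real mail server: it models just the RCPT TO decision and what happens afterwards, over constructed traffic with made-up addresses, and the `genuine` flag exists only so the simulation can count outcomes; the MTA cannot see it, which is the whole point.

```python
from dataclasses import dataclass

DOMAIN = "example.org"
KNOWN_MAILBOXES = {"roger", "mary"}   # the explicit list of names the last post argues for


@dataclass(frozen=True)
class Envelope:
    mail_from: str   # reverse path: where any bounce (DSN) would be sent
    rcpt_to: str
    genuine: bool    # ground truth for counting only; an MTA cannot know this


# Constructed traffic, not from the thread: two real messages, one typo by a
# real correspondent, three spam messages to guessed names whose reverse path
# is forged to an innocent third party.
TRAFFIC = [
    Envelope("friend@example.net", "roger@example.org", True),
    Envelope("friend@example.net", "mary@example.org", True),
    Envelope("friend@example.net", "rogre@example.org", True),
    Envelope("innocent@example.com", "sales@example.org", False),
    Envelope("innocent@example.com", "info@example.org", False),
    Envelope("innocent@example.com", "webmaster@example.org", False),
]

MODES = ("catchall", "accept_then_bounce", "accept_then_discard", "reject_at_rcpt")


def rcpt_reply(rcpt_to, mode):
    """SMTP reply to RCPT TO. Only reject_at_rcpt consults the mailbox list here."""
    local, _, domain = rcpt_to.partition("@")
    if domain != DOMAIN:
        return "554 5.7.1 relay access denied"
    if mode != "reject_at_rcpt" or local in KNOWN_MAILBOXES:
        return "250 2.1.5 OK"
    return "550 5.1.1 no such user"


def simulate(mode, traffic=TRAFFIC):
    """Return (outcome counts, SMTP transcript) for one delivery policy."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    stats = {"delivered": 0, "to_catchall": 0, "rejected_at_rcpt": 0,
             "bounces_generated": 0, "backscatter_to_innocent": 0,
             "silently_dropped": 0, "genuine_mail_lost": 0}
    transcript = []
    for env in traffic:
        reply = rcpt_reply(env.rcpt_to, mode)
        transcript.append((f"RCPT TO:<{env.rcpt_to}>", reply))
        local = env.rcpt_to.partition("@")[0]
        if reply.startswith(("550", "554")):
            stats["rejected_at_rcpt"] += 1      # the sending MTA, if there is one, tells its own user
            continue
        if local in KNOWN_MAILBOXES:
            stats["delivered"] += 1
        elif mode == "catchall":
            stats["to_catchall"] += 1           # lands in the default mailbox for the owner to sort
        elif mode == "accept_then_bounce":
            stats["bounces_generated"] += 1     # a DSN goes to the reverse path, whoever that is
            if not env.genuine:
                stats["backscatter_to_innocent"] += 1
        else:                                   # accept_then_discard
            stats["silently_dropped"] += 1
            if env.genuine:
                stats["genuine_mail_lost"] += 1  # the typo is never reported to anyone
    return stats, transcript


if __name__ == "__main__":
    for mode in MODES:
        stats, _ = simulate(mode)
        print(f"{mode:20s}", {k: v for k, v in stats.items() if v})
```

Rejecting at RCPT is the only policy in the table that both keeps the spam out of the owner's mailbox and sends nothing to the forged address; the cost is that it needs the explicit mailbox list the last post asks the ISP for. The discard policy also sends nothing, but the genuine typo is lost without anyone being told.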

HomeOwnersHub website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.