OT: Decoding email headers

I'm sure there are more suitable NGs for this query - but I know that uk.d-i-y contains a lot of clued-up people, so I'll give it a go.

During the last few weeks I've received dozens if not hundreds of 'returned' emails to one of my Freeserve accounts. As you know, if you have an account called [user], then emails sent to {anything}@[user].freeserve.co.uk end up in your mailbox. Some unspeakable spammer - or probably spammers - is/are apparently sending out lots of emails which purport to come from my account, using an address of {gibberish}@[user].freeserve.co.uk

Many of these don't get delivered, or get bounced, and the delivery failure messages come back to *me*.

I'd like to know who's sending out the original spam, in order to do something about it. The messages which I receive don't come directly from the spammer, of course - they come from the spam victim or his ISP.

Looking at the headers of the messages I receive, there are usually a lot of IP addresses of various relay stations used in the transmission of the message. I'm not sure how - if indeed it can be done - to identify which of these is the original spammer.

Can anyone help, or point me at a suitable source of information?

Is anyone who understands these things willing to let me send them some of these headers, off list, to have a look at?

TIA.

Reply to
Roger Mills

This might be of some use.

formatting link

Reply to
Dave Plowman (News)

I don't know anything about that but today I received something from "Mail Administrator (subject:) Returned mail: see transcript for details." There was a zip file attached which of course I haven't opened. The message said,

" Dear user of zetnet.co.uk,

Your email account was used to send a huge amount of spam messages during this week. Obviously, your computer was compromised and now runs a hidden proxy server.

Please follow the instruction in order to keep your computer safe.

Sincerely yours, The zetnet.co.uk team."

I contacted the real Zetnet and was assured that it wasn't genuine.

I reckon that if I had unzipped the attachment my computer now *would* be compromised and would be running a hidden proxy server.

Can't you contact freeserve about your problem? I hope you haven't opened any attachments, if you have everyone on this ng could be a target.

Mary

Reply to
Mary Fisher

In brief, the IP address in the first (lowest) valid Received: line is a real IP address. It's possible to add as many of these lines as you wish to an email before sending, though not afterwards, so the very first line is not always the significant one. I've never seen a forged line where the HELO matched the IP address, or even chained into the next line properly, so it's not usually hard to tell.

Here's a definitive article, not as difficult to follow as it looks:

formatting link

To trace IP addresses, formatting link is a good first stop, though it uses regional WHOIS servers which sometimes stop replying to it due to over-use. If that happens you can still see which WHOIS is authoritative for that address, and use it directly.

Reply to
Joe
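An added example (not code from any poster in this thread) of Joe's bottom-up check: walk the Received: lines from your own server's line downwards, trust a line only while it chains properly into the one above it, and treat the lowest trusted line as the real injection point. The message, hostnames and addresses are constructed for illustration; the regex assumes the common "from HELO (rDNS [IP]) ... by HOST" layout.

```python
import email
import re
from email import policy

# Constructed sample (not a real bounce): the lowest Received: line was
# prepended by the spammer to make the mail look as if it left Freeserve.
SAMPLE = """\
Received: from mx1.isp.example (mx1.isp.example [192.0.2.10])
    by mail.user.example with ESMTP id A1; Mon, 1 Jan 2007 10:00:03 +0000
Received: from mail.victim.example (mail.victim.example [198.51.100.5])
    by mx1.isp.example with ESMTP id B2; Mon, 1 Jan 2007 10:00:02 +0000
Received: from relay.example.org (zombie.dsl.example [203.0.113.9])
    by mail.victim.example with SMTP id C3; Mon, 1 Jan 2007 10:00:01 +0000
Received: from user.freeserve.example (user.freeserve.example [192.0.2.99])
    by relay.example.org with SMTP id D4; Mon, 1 Jan 2007 09:59:00 +0000
From: xq7z@user.freeserve.example
Subject: (spam)

body
"""

# "from HELO (rDNS [IP]) ... by HOST" as written by most MTAs
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)", re.S)

def parse_hops(raw):
    """Return Received: hops newest-first; unparseable lines become None."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(str(value).split()))
        hops.append(m.groupdict() if m else None)
    return hops

def find_origin(hops):
    """Index 0 is the line your own server wrote, so it is trusted. Each
    lower line is trusted only if the server named in the line above
    really received the mail from it (its 'by' host equals the rDNS name
    recorded above). The last trusted line holds the real injecting IP;
    anything below it could have been added before the message was sent."""
    last_ok = 0
    for i in range(1, len(hops)):
        if hops[i] is None or hops[i - 1] is None:
            break
        if hops[i]["by"].lower() != hops[i - 1]["rdns"].lower():
            break
        last_ok = i
    hop = hops[last_ok]
    return {"origin_ip": hop["ip"],
            "helo_mismatch": hop["helo"].lower() != hop["rdns"].lower(),
            "forged_lines": len(hops) - last_ok - 1}

if __name__ == "__main__":
    print(find_origin(parse_hops(SAMPLE)))
```

In the sample the injecting host also announced a HELO name that does not match its reverse DNS, which is the other tell Joe mentions; the IP you would look up in WHOIS is 203.0.113.9, not the 192.0.2.99 in the forged line beneath it.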

Many years ago I had a freeserve account and this would happen on a regular basis - this is why I would not use freeserve. I'm fairly sure that you will find that the original message did not originate from your address - just a freeserve address and your address is receiving all the c**p

PhilC

Reply to
PhilC

That's OK I'll put on my ISP hat...

Yes it's a common problem. As you suspect the spammer has used variants of your email address as the "from" address in their messages.

This happens a lot - I see it about once a month on the 20+ domains I look after. The only comfort I can offer is that these attacks only seem to last a few weeks before the spammer picks another domain.

Sometimes these email addresses are real ones, harvested from web sites, Usenet or compromised machines, but increasingly they are just made up at random. The real addresses are the most troublesome as you cannot just block them on the server, which is one of the reasons I use automatic time-limited addresses when posting to Usenet.

Frankly I've stopped trying to trace the origin of these messages and just concentrate on dealing with any consequences. Most ISPs are well aware of these attacks and, having confirmed that the spam did not actually originate from their mail servers, leave it at that.

You are not alone. Unfortunately the spammers are pretty good at hiding the true origin of their messages and this makes it almost impossible to find the actual sender.

Sorry, as I said before these headers are usually either forged or just lead to a chain of open relays and compromised machines.

In the few cases where the original email address can be traced it is usually a "disposable" one anyway. The content of the bounced message is sometimes more helpful as the spammer needs to have some method of getting a response from the victim.

You can send me _a few_ if you wish, but I honestly don't think they will tell you very much. My email address is valid for three days.

John

Reply to
John White

It depends more on where your email address gets published than your ISP, but some are better than others. I set up a backup Hotmail address and had spam on it within half an hour. That address has never been given to anyone, so it's not hard to guess which organisation was behind it (begins with an M...)

Sooner or later mail administrators will realise that 'returning' mail identified as spam is not merely a waste of time but is positively harmful. The presence of a forged header should be adequate grounds for not complying with the original RFC requirement of notifying the sender of any undelivered mail.

Reply to
Joe

Congrats - you've been "joe jobbed"

I had a problem a while ago when I was receiving similar "bounces" etc at the rate of roughly 1.5 emails per second - this carried on for about 4 days, then tapered out over the next three weeks.

What it might be worth doing, if you currently have no mail filtering in place to help you decipher the crap, is to install Mailwasher (there's a free version available, and I've got some of the old betas to hand as well that didn't have a restriction on the number of accounts) - I've got a fairly keen set of filters, hopefully all pretty standard, with just a few lines that would need personalising to make them your own.

If anyone is interested, drop me a line with the word "newsgroup" in the subject line (to bypass my filters :-) ) to...

bt i ruseless >at< bt inter net.com

Reply to
Colin Wilson

Roger Mills wrote: Some unspeakable spammer - or probably spammers - is/are

The adaptive filter junk filter on Thunderbird is very effective at trashing these returns and other spam. I'd just set it, and forget about reading headers...

Oh, you are using outlook express :-(

Reply to
Adrian C

Unless you can set up rules on Freeserve's mail server to put only mails to authorised@user and genuine@user into your mailbox, and dump the rest.

You will also likely find that these returned emails are also all about the same size; even Outlook Express should be able to "delete off server" messages over a certain size.

If you can't do that because you need to be able to download genuine attachments, at least set a "do not download" from the server rule in OE, then use webmail to clear the junk (especially if your webmail has a 'select all' > trash option).

Owain

Reply to
Owain

Raden - YGM :-)

Reply to
Colin Wilson

If it's the same spammer that was doing the same to my domain, then you will find it's coming from a thousand hacked machines, so reporting won't help.

It did all use a yahoo from address, so I ended up setting the server filter to drop everything from that domain. I suspect the yahoo addresses were actually valid and were being used to clean the random sends.

Steve

Reply to
Steve

address to look up!

Reply to
Roger Mills

I doubt whether FS would be interested - it's only a PAYG account which I retained when I changed ISPs - but my wife still insists on using it as her principal email address, so I can't just junk it!

And, no - I *haven't* opened any attachments. My PCs are well protected against viruses and trojans etc. - and I'm trapping all this rubbish in Mailwasher - but it's *still* annoying.

Reply to
Roger Mills

Reply to
Roger Mills

Indeed - as indicated in my previous message. Someone else is spoofing my address - but *I'm* getting the flak! The spam is definitely not originating on my PC!

Reply to
Roger Mills

Thanks for the offer. There are a few on their way - subject to PlusNet's mail server being in an operational state (it's been having problems!)

Reply to
Roger Mills

I've already got Mailwasher, and I'm zapping them at source - so they're not causing me any *real* problems - just annoying! There's probably not a lot else which I can do - but if I *could* get at the perpetrator without too much effort, I'd like to do so.

Reply to
Roger Mills

No - I'm using Outlook (not Express) as an email client - and I'm filtering all received messages in Mailwasher, so they're easy enough to zap - just annoying!

Reply to
Roger Mills

Apparently the one sent to me was a My Doom thing.

Yes, but so is junk mail in the post or mini cabs honking or husbands not rinsing the dishcloth ...

Mary

Reply to
Mary Fisher
