
A spammer is spoofing my domain name; advice?

Piratecat

Sesquipedalian
I've gotten two interesting emails in the past week, both from Yahoo, and both sent to a mythical email address at my domain name (kulp.org). The email bounced because it went to non-existent addresses.

The bounced email is touting the Paris Hilton sex tape, and it's supposedly coming from my domain name.

--- Original message follows.

Return-Path: <sfjbqpkof@kulp.org>
Received: from 168.131.118.123 (EHLO ) (168.131.118.123)
by mta173.mail.scd.yahoo.com with SMTP; Thu, 01 Jan 2004 01:06:55 -0800
To: <wkgxSzfrdf@imgdalyprf.org>
From: "ParisTheSlut" <sfjbqpkof@kulp.org>
Subject: View the Paris X-Rated Tape Here..Enjoy
Date: Fri, 02 Jan 2004 04:03:13 -0500
MIME-Version: 1.0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><CENTER><FONT COLOR=3D"BLUE"><B><FONT face=3D"Arial,Helvetica"><FONT s= ize=3D+3>ParisHilton SexTape</FONT></b><BR><B><FONT face=3D"Arial,Helvetica= "><FONT color=3D"#000099"><CENTER><FONT size=3D+1>This is the ParisHilton S= exVideo everyone is talking about!</FONT></B></CENTER><BR><CENTER></B><FONT=
face=3D"Arial,Helvetica"><A HREF=3D"http://demonetizeendoconidium@dartyfle=
gm.info/10b/phn/"endoconidium><FONT COLOR=3D"RED"><CENTER><FONT size=3D6><u=
>SeeItHereFree</A>

So, what (if anything) can I do about this? If my domain gets flagged as a spam producer, it could be disconnected, and that's the last thing I want. Advice?
 


Piratecat said:
I've gotten two interesting emails in the past week, both from Yahoo, and both sent to a mythical email address at my domain name (kulp.org). The email bounced because it went to non-existent addresses.

The bounced email is touting the Paris Hilton sex tape, and it's supposedly coming from my domain name.

So, what (if anything) can I do about this? If my domain gets flagged as a spam producer, it could be disconnected, and that's the last thing I want. Advice?

My dad was having similar problems with his domain. I'll subscribe so I remember to ask him what he did when I get home tonight. :)
 

Piratecat said:
I've gotten two interesting emails in the past week, both from Yahoo, and both sent to a mythical email address at my domain name (kulp.org). The email bounced because it went to non-existent addresses.

The bounced email is touting the Paris Hilton sex tape, and it's supposedly coming from my domain name.

So, what (if anything) can I do about this? If my domain gets flagged as a spam producer, it could be disconnected, and that's the last thing I want. Advice?

The only thing you can do is complain to the abuse, postmaster and admin emails of the network provider (who owns 168.131.118.123). Send them the spam messages with full headers. Use www.arin.net, www.ripe.net or www.apnic.net to find who owns it.

You may also want to email their upstream. E.g. mail to the owner of 168.131.118.0/24 and 168.131.0.0/16, who might be different organizations.

Normally the people that complain or the people receiving the complaints quickly see that your network is not the source of the mail.

Andargor
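A small checker, added here and not part of the thread, that applies Andargor's advice (and the later observation that the From domain does not match the sending IP) to the headers quoted above: it pulls the originating IP from the earliest Received: line, reads the From domain, flags the forgery, and lists the /24 and /16 to look up at ARIN, RIPE or APNIC. The header text is a constructed copy of the bounce above, and the list of legitimate sending networks (192.0.2.0/24) is an assumed placeholder.

```python
import email
import email.utils
import ipaddress
import re

# Constructed sample: the bounce headers quoted in the thread (body omitted).
# The continuation line of Received: is indented as header folding requires.
BOUNCED_HEADERS = """\
Return-Path: <sfjbqpkof@kulp.org>
Received: from 168.131.118.123 (EHLO ) (168.131.118.123)
  by mta173.mail.scd.yahoo.com with SMTP; Thu, 01 Jan 2004 01:06:55 -0800
To: <wkgxSzfrdf@imgdalyprf.org>
From: "ParisTheSlut" <sfjbqpkof@kulp.org>
Subject: View the Paris X-Rated Tape Here..Enjoy
Date: Fri, 02 Jan 2004 04:03:13 -0500

"""

IPV4 = re.compile(r"from\s+\[?(\d{1,3}(?:\.\d{1,3}){3})\]?", re.IGNORECASE)


def parse_bounce(raw):
    return email.message_from_string(raw)


def originating_ip(msg):
    # MTAs prepend Received: lines, so the last one is the earliest hop.
    # Only lines written by a relay you trust (here Yahoo's) are reliable;
    # anything the sender itself added below them may be forged.
    received = msg.get_all("Received") or []
    match = IPV4.search(received[-1]) if received else None
    return match.group(1) if match else None


def sender_domain(msg):
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() or None


def is_forged(msg, my_domain, legit_networks):
    """True when mail claims to be from my_domain but did not leave my hosts."""
    if sender_domain(msg) != my_domain.lower():
        return False
    ip = ipaddress.ip_address(originating_ip(msg))
    return not any(ip in ipaddress.ip_network(n) for n in legit_networks)


def abuse_scopes(ip):
    # The /24 and /16 containing the source, as Andargor suggests: look each
    # up in the RIR whois, since the upstream may be a different organisation.
    addr = ipaddress.ip_address(ip)
    return [str(ipaddress.ip_network(f"{addr}/{bits}", strict=False)) for bits in (24, 16)]
```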
 

Piratecat said:
So, what (if anything) can I do about this? If my domain gets flagged as a spam producer, it could be disconnected, and that's the last thing I want. Advice?

You probably won't get disconnected for having your domain name forged; it's a common trick. Just in case, you might want to get in touch with whoever does your hosting and tell them that you're getting bounces from a spammer who forged your domain name. They'll have some prior warning if angry recipients email their abuse line.
 

Piratecat said:
I've gotten two interesting emails in the past week, both from Yahoo, and both sent to a mythical email address at my domain name (kulp.org). The email bounced because it went to non-existent addresses.

Two in a week?

When it happened to Dad a year or so ago, he was getting one or two dozen bounces an hour.

As well as Andargor suggested, he basically just set a lot of filters, and "weathered" it for a few weeks... and whoever was using the domain name "moved on".

-Hyp.
 

Piratecat,
Just eyeballing everything before I catch some sleep for the night and it looks like you shouldn't have any problem. A cursory check on your domain quickly demonstrates that you are not open for relaying. A secondary check on the originating IP shows that it is managed by the Asia Pacific Network Information Centre in Australia. A few people might try to accuse you of spamming, but anyone managing any of the blacklists will quickly determine that you are not.

This is an interesting one though. The headers show a To: address at imgdalyprf.org, which doesn't seem to exist. It is being passed to a Yahoo email server, with a spoofed domain name that does not match the sending IP. Hmm, I think I could sort all this out with more sleep. If you would like, I can double-check this stuff during down moments at work. I have gone through stuff like this a few times at work since we own something like 25 domain names. :rolleyes:
 

Spammers sometimes send mail so it appears to be sent from yourself, or from your email address domain. Happens to me a lot, and I'm on a dialup.
 


I can point you to a website that monitors the blacklists spamfilters use. You can check if your domain name is on any black lists.

Or at least I can point you to that website when my dad gets back to me with the address ^^;;
 

If you go to www.dnsstuff.com, one of the checks is against a series of Blacklists. Piratecat's domain is not in there.

Piratecat,
I just sent you a bit of an email showing the stuff I checked and interpreting what I think happened. I wasn't sure if I should post it, or email it, so I went on the conservative side. If you think there would be a lot of value posting it, feel free to post the relevant bits from my email.
 
