[CLUE-Talk] help with spammer information

Mike Staver staver at fimble.com
Fri Nov 5 23:42:08 MST 2004


Well, my main concern is that I will get blacklisted somehow, and also 
that the spammer won't stop because he/she doesn't have a reason to. 
It's been going on for almost 2 straight weeks now, and I can tell the 
exact times the bastard is sending out the mail, because from 6 PM to 12 
AM every day I get around 100 bounce back messages.... which means a 
majority of those emails are going through I'm sure, and it angers me. 
The originating IP addresses range from cable modems in the U.S. to 
computers overseas.  The person responsible is obviously in charge of a 
bunch of zombie PCs, and will probably never get caught unless I can 
trace the path of the money, which is probably not within my abilities. 
I've looked up all the whois information on the domains people are 
being directed to, and it's all completely bogus and false information 
that had been provided. The domain names are also not real words, or 
anything even resembling a real word.  Here is an example of one:

Domain ID:D8018982-LRMS
Domain Name:IZBAFDEF.INFO
Created On:03-Nov-2004 17:05:00 UTC
Last Updated On:03-Nov-2004 18:32:58 UTC
Expiration Date:03-Nov-2005 17:05:00 UTC
Sponsoring Registrar:R123-LRMS
Status:ACTIVE
Status:OK
Registrant ID:C7071179-LRMS
Registrant Name:Jeff Smart
Registrant Street1:1005 west 52nd st.
Registrant Street2:1005 west 52nd st.
Registrant City:New york
Registrant Postal Code:10019
Registrant Country:US
Registrant Phone:+1.7145738593
Registrant FAX:+1.7145738593
Registrant Email:Sexygeorge6969 at hotmail.com
Admin ID:C7071179-LRMS
Admin Name:Jeff Smart
Admin Street1:1005 west 52nd st.
Admin Street2:1005 west 52nd st.
Admin City:New york
Admin Postal Code:10019
Admin Country:US
Admin Phone:+1.7145738593
Admin Email:Sexygeorge6969 at hotmail.com
Billing ID:C7071179-LRMS
Billing Name:Jeff Smart
Billing Street1:1005 west 52nd st.
Billing Street2:1005 west 52nd st.
Billing City:New york
Billing Postal Code:10019
Billing Country:US
Billing Phone:+1.7145738593
Billing Email:Sexygeorge6969 at hotmail.com
Tech ID:C7071179-LRMS
Tech Name:Jeff Smart
Tech Street1:1005 west 52nd st.
Tech Street2:1005 west 52nd st.
Tech City:New york
Tech Postal Code:10019
Tech Country:US
Tech Phone:+1.7145738593
Tech Email:Sexygeorge6969 at hotmail.com
Name Server:NS6.ILUVDNS.COM
Name Server:NS10.123MYDNS.COM

I do see the email address Sexygeorge6969 at hotmail.com tied to almost 
every one of these bogus domains.  Hotmail has long since pulled that 
account, and something tells me calling 714-573-8593 will get me 
nowhere.  Granted, when calling it I find it's a real number hooked up 
to an answering machine... but my death threats seem to have no effect :)

So, back to a linux related topic... will implementing SPF help prevent 
this?  How many email servers actually check against that sort of thing 
right now?

Matt Gushee wrote:
> On Tue, Nov 02, 2004 at 08:52:28PM -0700, Mike Staver wrote:
> 
>>Somebody is now using my email address staver at fimble.com to send spam, 
>>and for one week now I've been getting nothing but bounce back messages 
>>to addresses that no longer exist.  I'm getting EXTREMELY irritated that 
>>there is nothing I can do to stop these messages from going out with my 
>>email address as the from field.  My domain name fimble.com is getting a 
>>bad rap over this,
> 
> 
> Well, maybe. If you mean that your domain could end up on somebody's
> half-assed blacklist of spammers, or get filtered out by half-assed
> filtering software, that's probably possible and a legitimate cause for
> concern.
> 
> If you're concerned about what human recipients will think of you,
> consider that most people with decent spam filters will never see the
> fake messages in the first place; and of those who do see them, those
> who are net-savvy should certainly know by now not to automatically
> assume that the address in the From: header is the real sender. I'm sure
> your friends and family will also give you the benefit of the doubt.
> 
> Where it could really hurt is if you are trying to conduct business
> through your Web site with non-technical members of the public. If
> you're not doing that, then I don't think this does you any material
> harm.
> 
> Which is not to discount the annoyance; it is *extremely* annoying, as I
> know through first-hand experience (along with, I think, several other
> people on this list). But there may in fact be nothing you can do about
> it.
> 
> The first thing I would do is to look over the headers and find the
> first IP address in the chain. Now, that may not be the real origin of
> the message, but it could be. If it is, and it comes from a US domain
> (again, not likely, but possible), then you can probably find out who
> owns the domain and take legal action--maybe somebody else can advise
> you as to what steps to follow.
> 
> If it comes from a foreign country, according to all I've ever heard,
> there is really no legal action you can take. The only thing I can
> think of is publicizing the spammer's name on the Web and asking others
> to take action against them.
> 
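An added example (not from the original thread) covering the two technical points raised above: pulling the injection-point IP out of the earliest Received header of a bounced message, and how a receiving server would evaluate a domain's SPF record against that IP. The bounce text, the 192.0.2.25 sending host and the SPF record shown for fimble.com are all constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from typing import Optional

# Constructed sample bounce: two Received headers. Each relay prepends its
# own, so the LAST header in the block is the first hop (the injection point).
SAMPLE_BOUNCE = """Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby mail.example.org with ESMTP; Fri, 5 Nov 2004 18:02:11 -0700
Received: from unknown (HELO fimble.com) (198.51.100.77)
\tby mx.example.net with SMTP; Fri, 5 Nov 2004 18:01:58 -0700
From: staver@fimble.com
To: nobody@example.org
Subject: test

body
"""

# Hypothetical SPF record for fimble.com: only 192.0.2.25 may send, all else fails.
SPF_RECORD = "v=spf1 ip4:192.0.2.25 -all"

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def originating_ip(raw_message: str) -> Optional[str]:
    """Return the IP found in the earliest Received header, or None.

    This is the host that handed the forged message to the mail system; it
    may be a zombie PC rather than the spammer, but it is the best lead.
    """
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = IP_RE.search(received[-1])
    return m.group(1) if m else None

def spf_check(record: str, sender_ip: str) -> str:
    """Evaluate a minimal SPF record (ip4 and 'all' mechanisms only).

    Returns 'pass', 'fail', 'softfail' or 'neutral'. Real SPF also has
    a, mx, include and redirect; this toy evaluator deliberately omits them.
    """
    ip = ipaddress.ip_address(sender_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "neutral"
    for term in terms[1:]:
        q = term[0] if term[0] in qualifiers else "+"
        mech = term.lstrip("+-~?").lower()
        if mech.startswith("ip4:"):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return qualifiers[q]
        elif mech == "all":
            return qualifiers[q]
    return "neutral"
```

With the record above, the zombie's 198.51.100.77 evaluates to "fail", which is what lets an SPF-checking receiver reject the forgery before it generates a bounce; a "~all" record would only yield "softfail", which most receivers treat as a hint rather than a reason to reject.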