[CLUE-Tech] OT: Someone "borrowed" my domain name

Jed S. Baer thag at frii.com
Mon Oct 7 15:07:28 MDT 2002


On Mon, 7 Oct 2002 14:28:12 -0600
Matt Gushee <mgushee at havenrock.com> wrote:

> Aargh!
> 
> It seems someone pretending to be 
> 
>   "Phil Klein <phil-klein at havenrock.com>"
> 
> has been sending an e-mail virus to various and sundry people on the
> Net. I know this because, as the owner of havenrock.com, I get all mail
> for unknown recipients in the domain. So I've got a pile of bounces and
> a few complaints. As far as I can tell, the only connection to me is the
> From: header with my domain name--according to the headers in the
> bounced messages, all of them originated from a single IP address in the
> Netherlands and didn't pass through either my own machine or my ISP's
> mail server (do bounces include all headers from the original message?).
> 
> So I don't think I have a security issue. But obviously I don't like
> someone using my domain name this way (well, at least they didn't
> pretend to be <mgushee at havenrock.com>!). Is there a law against that? If
> so, is there a way to get it enforced?

First thing to do is track down exactly where it came from. View the raw
e-mail message, and follow the Received: headers backwards (down the list)
to the first one. That will give you the originating IP address, and the
addy of the MTA. Hopefully, some of the complaint messages included the
whole raw e-mail. If you're feeling ambitious, respond to the complaints
asking for the full headers, and explain to them how to find/complain to
the originating IP address owner.

Fer example: 

>> Received: from yahoo.com
   (adsl-64-162-212-116.dsl.snfc21.pacbell.net [64.162.212.116])
	by ma102.mailarmory.com (Postfix) with SMTP
	id 9858973A44; Sat,  5 Oct 2002 19:30:39 -0600 (MDT)

given this info, you might need to do a whois:

$ whois 64.162.212.116@whois.arin.net
[whois.arin.net]
Pac Bell Internet Services PBI-NET-8 (NET-64-160-0-0-1) 
                                  64.160.0.0 - 64.175.255.255
Basic Pool- Rback33 SBCIS-10087-123532 (NET-64-162-212-0-1) 
                                  64.162.212.0 - 64.162.212.255

# ARIN Whois database, last updated 2002-10-06 19:05
# Enter ? for additional hints on searching ARIN's Whois database.

$ whois \!NET-64-162-212-0-1@whois.arin.net
[whois.arin.net]

CustName:   Basic Pool- Rback33
Address:    303 second St San Francisco CA 94107
Country:    US
RegDate:    2000-08-08
Updated:    2000-08-08

NetRange:   64.162.212.0 - 64.162.212.255 
CIDR:       64.162.212.0/24 
NetName:    SBCIS-10087-123532
NetHandle:  NET-64-162-212-0-1
Parent:     NET-64-160-0-0-1
NetType:    Reassigned
Comment:    
RegDate:    2000-08-08
Updated:    2000-08-08

These two steps will get you to the point of knowing whom to complain to.
Note that for European addresses, you'd use whois.ripe.net, and for
Asian/Pacific, whois.apnic.net. The first query to whois.arin.net will
often give you enough info to know if you need to use a different server.

For the example above, I'd actually complain to PacBell.

As far as legal action, it depends upon what state you're in. Look here,
once you know the originating ISP: http://www.spamlaws.com/state/

Regardless, I suppose civil action is always possible, if you have the
time/money to pursue it.

If it's originating from outside the U.S., there's regrettably, IMO,
little you can do.
-- 
We're frogs who are getting boiled in a pot full of single-character
morphemes, and we don't notice. - Larry Wall; Perl6, Apocalypse 5
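The header-walking step described in the reply above, as an added example (not code from the original post or from anyone on the list): it takes the raw text of a bounced message, reads its Received: headers newest-first, and reports the bottom-most hop, i.e. the first MTA that accepted the message and the client IP it saw. The sample message is constructed; its second Received: line copies the shape of the one quoted in the post, and the domains ending in .example are made up.

```python
"""Find the originating hop of a forged message from its Received: headers.

Added example, not part of the original list post. The message below is
constructed; the second Received: header mirrors the one quoted in the post.
"""
import re
from email import message_from_string
from email.policy import default

# Constructed bounce excerpt. MTAs prepend Received: headers, so the newest
# hop is on top and the hop that first accepted the message is at the bottom.
SAMPLE_HEADERS = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby mail.havenrock.example (Postfix) with ESMTP id 1A2B3C;\n"
    "\tSat,  5 Oct 2002 19:31:02 -0600 (MDT)\n"
    "Received: from yahoo.com\n"
    "   (adsl-64-162-212-116.dsl.snfc21.pacbell.net [64.162.212.116])\n"
    "\tby ma102.mailarmory.com (Postfix) with SMTP\n"
    "\tid 9858973A44; Sat,  5 Oct 2002 19:30:39 -0600 (MDT)\n"
    "From: \"Phil Klein\" <phil-klein@havenrock.example>\n"
    "To: someone@example.org\n"
    "Subject: (constructed sample)\n"
    "\n"
    "body\n"
)

# "from <helo> (<reverse-dns> [<ip>]) ... by <mta>". The parenthesised part is
# optional because not every MTA records reverse DNS.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<rdns>[^\[\)\s]*)\s*\[(?P<ip>[0-9.]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL,
)


def received_hops(raw_message):
    """Return the Received: hops newest-first, one dict per parsable header."""
    msg = message_from_string(raw_message, policy=default)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # undo RFC 2822 header folding
        m = HOP_RE.search(flat)
        if not m:
            continue
        hops.append({
            "helo": m.group("helo"),
            "rdns": m.group("rdns") or None,
            "ip": m.group("ip"),
            "by": m.group("by"),
        })
    return hops


def originating_hop(raw_message):
    """The bottom-most hop: the first MTA to accept the message and the
    client address it logged. None when no Received: header parsed."""
    hops = received_hops(raw_message)
    return hops[-1] if hops else None


def helo_matches_rdns(hop):
    """True when the HELO name and the reverse-DNS name share a registered
    domain (last two labels); None when the MTA recorded no reverse DNS.
    A mismatch (e.g. HELO yahoo.com from a pacbell.net dial-up) is a
    common sign of a forged sender."""
    if not hop["rdns"]:
        return None
    helo_dom = ".".join(hop["helo"].lower().rstrip(".").split(".")[-2:])
    rdns_dom = ".".join(hop["rdns"].lower().rstrip(".").split(".")[-2:])
    return helo_dom == rdns_dom


def whois_command(ip, server="whois.arin.net"):
    """The lookup to run next; ARIN is the starting point the post suggests."""
    return f"whois -h {server} {ip}"


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_HEADERS):
        print(f"{hop['by']:<24} accepted from {hop['ip']} "
              f"(HELO {hop['helo']}, rDNS {hop['rdns']})")
    origin = originating_hop(SAMPLE_HEADERS)
    print("originating IP:", origin["ip"])
    print("HELO consistent with rDNS:", helo_matches_rdns(origin))
    print("next step:", whois_command(origin["ip"]))
```

One caveat worth keeping in mind when reading the result: only the Received: header written by your own MTA (or by one you trust) is guaranteed genuine, since a sender can prepend fake Received: lines below it. Walk down from the trusted hop and treat anything further down as a claim, not a fact; the IP in the trusted hop is still the one to take to the whois lookup and the abuse desk.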