Magic Posted May 6, 2004

Hello, I asked for help a while ago about blocking virus emails from hackers. I used the email filtering option, which did work in some way, but I'm still under attack. Now what they are doing is sending spam emails around, with viruses, as if they are coming from my ...@metodobressan.com addresses. I even get viruses as if I'm sending them to myself, using even addresses I don't have... (no, my computer is NOT infected)

===========================
Return-path: <noncisento@metodobressan.com>
Received: from [151.29.216.143] (helo=noncisento.com) by server40.totalchoicehosting.com with esmtp (Exim 4.24) id 1BLhzZ-0008Rm-TN; Thu, 06 May 2004 07:28:47 -0500
From: noncisento@metodobressan.com
To: Mail@metodobressan.com
--------------------------------------

But if you go to http://www.gatepost.com/domainwhitepages.php 'Address lookup', you find that it is not coming from the TCH IP 63.247.77.66, but from:

canonical name ppp-143-216.29-151.libero.it. (aliases addresses 151.29.216.143)
============================

I just found out that WIND/LIBERO, an Italian Internet provider (as in the above example), blocked the mail coming from server40.totalchoicehosting.com IP 63.247.77.66 (...@metodobressan.com). Now I contacted the provider and it looks like the TCH IP address was found in the SPEWS blacklist http://spews.org/check.html (but it looks like it is not from my domain, as you see here http://spews.org/ask.cgi?x=63.247.77.66). In order to get off that list, they told me I have to talk to TCH.

I'm asking you again: is there a way to find out who's behind this spam? To legally prosecute them?

thx! Carlo http://www.metodobressan.com
MikeJ Posted May 6, 2004

There is very little you can do about the viruses claiming to be coming from your domain. The problem is that the machines sending them aren't the person who created the virus, but rather machines that are infected. The viruses will spoof other domains randomly for the most part when they send out copies of themselves. Your best bet is to set your default mail routing to :blackhole: and just make sure you have aliases or mailboxes for all the addresses you do want to receive mail on. I've seen very rare instances where a provider would block mail from a domain because of these virus emails (since they are so prominent, pretty much every provider knows what's going on).

As for SPEWS, that is an incident where a non-TCH system that utilizes IP space adjacent to TCH's network was apparently flagged as sending spam or referenced in spam sent. SPEWS has a tendency to make wide sweeping blocks which in this case affected your server. TCH is looking into it. Fortunately, due to SPEWS' aggressive collateral blocking, I believe a lot of the larger ISPs avoid using their blocklist.
Magic (Author) Posted May 6, 2004

thx for the reply, but I can guarantee that those are not random virus emails going around. This is a focused attack from my competition, with 'personalized' virus emails, with attachments like mydoc.zip, mylogo.jpg, myname.pif, etc., with even personalized insults and other ugly stuff. So I would like to sue them, if I can get proof that the person I'm suspecting is the one. How can I do that?

Carlo
MikeJ Posted May 6, 2004

About the best you can do is save any email bounces you get. The email headers will contain the address where the emails were generated, but if the person is using a compromised host (or hosts) and/or open relays, it will be difficult to track him down for proof. If they all show in the Received headers that they are originating from the same place, you'll have a better chance at tracking the person down.
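To make MikeJ's advice concrete, here is an added example (not code from the thread or from TCH) that parses the Received chain of a bounced message and reports the connecting IP recorded by your own mail server, which is the one hop the sender cannot forge. It uses a constructed sample modelled on Carlo's headers and assumes that the TCH server 63.247.77.66 is the domain's only legitimate sender.

```python
import re

# Constructed sample modelled on the headers quoted earlier in the thread (newest hop first).
RAW_HEADERS = """Return-path: <noncisento@metodobressan.com>
Received: from [151.29.216.143] (helo=noncisento.com)
 by server40.totalchoicehosting.com with esmtp (Exim 4.24)
 id 1BLhzZ-0008Rm-TN; Thu, 06 May 2004 07:28:47 -0500
From: noncisento@metodobressan.com
To: Mail@metodobressan.com
"""
# Assumption: the TCH server named in the thread is the only legitimate sender for the domain.
LEGIT_SENDING_IPS = {"63.247.77.66"}

RECEIVED_RE = re.compile(
    r"from\s+(?:\[(?P<ip>\d+(?:\.\d+){3})\]|(?P<host>\S+))"
    r"(?:\s*\((?:helo=)?(?P<helo>[^)\s]+)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE)

def unfold(raw):
    """Join folded continuation lines (leading whitespace) onto their header."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def received_hops(raw):
    """Parse each Received: header top-down; the hop your own MX wrote comes first."""
    hops = []
    for line in unfold(raw):
        if line.lower().startswith("received:"):
            m = RECEIVED_RE.search(line)
            if m:
                hops.append({"from": m.group("ip") or m.group("host"),
                             "helo": m.group("helo"), "by": m.group("by")})
    return hops

def trusted_origin(raw, own_mx):
    """Connecting IP as recorded by own_mx. Only this hop is beyond the sender's
    control; lower Received: lines, HELO, From: and Return-path: are sender text."""
    for hop in received_hops(raw):
        if hop["by"].lower() == own_mx.lower():
            return hop["from"]
    return None

def is_spoofed(raw, own_mx):
    """True when the real connecting IP is not a legitimate sender for the domain."""
    ip = trusted_origin(raw, own_mx)
    return ip is not None and ip not in LEGIT_SENDING_IPS
```

Run over a batch of saved bounces, the returned origin IPs show whether the messages share one source, which is what makes a complaint to that network's abuse contact worthwhile.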
TCH-Thomas Posted May 8, 2004

Is this something similar to what Magic asks?

Return-path:
Envelope-to: XXXX@jikrantz.se
Delivery-date: Sat, 08 May 2004 12:10:38 -0500
Received: from XXXX by server23.totalchoicehosting.com with local-bsmtp (Exim 4.24) id 1BMVLR-0002pI-SU for XXXX@jikrantz.se; Sat, 08 May 2004 12:10:38 -0500
Received: from [194.73.75.48](helo=tradermedia.co.uk) by server23.totalchoicehosting.com with esmtp (Exim 4.24) id 1BMVLR-0002ay-GR for tompa@jikrantz.se; Sat, 08 May 2004 12:10:37 -0500
Received: from [192.168.137.127] (HELO nawl0045.autotrader.co.uk) by tradermedia.co.uk (CommuniGate Pro SMTP 4.0.5) with ESMTP id 14501270 for XXXX@jikrantz.se; Sat, 08 May 2004 18:06:24 +0100
Received: from newl0010.nlw.autotrader.co.uk (unverified) by nawl0045.autotrader.co.uk (Content Technologies SMTPRS 4.3.10) with ESMTP id for ; Sat, 8 May 2004 18:06:34 +0100
Received: by newl0010.nlw.autotrader.co.uk with Internet Mail Service (5.5.2653.19) id ; Sat, 8 May 2004 18:11:22 +0100
Message-ID:
From: ANTIGEN_NEWL0010
To: "'XXXX@jikrantz.se'"
Subject: Antigen found VIRUS= Win32/Netsky.P.Worm (CA(InoculateIT),CA(Vet) ,Norman) worm
Date: Sat, 8 May 2004 18:11:22 +0100
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on server23.totalchoicehosting.com
X-Spam-Status: No, hits=3.0 required=5.0 tests=FROM_ENDS_IN_NUMS, FROM_HAS_ULINE_NUMS autolearn=no version=2.63
X-Spam-Level: ***
X-NAS-Bayes: #0: 1.50927E-015; #1: 1
X-NAS-Classification: 0
X-NAS-MessageID: 2305
X-NAS-Validation: {20C8688D-89CC-447E-B97C-D2DA53AEE58F}

Antigen for Exchange found text_e-commerce.zip->data.rtf .scr infected with VIRUS= Win32/Netsky.P.Worm (CA(InoculateIT),CA(Vet),Norman) worm. The message is currently Purged. The message, "Re: text", was sent from XXXX@jikrantz.se and was discovered in IMC Queues\Inbound located at AutoTrader Publications/AutoTrader Systems South West/NEWL0010.

It's the second time in 2 days I'm getting them and I hate being accused of being a spammer and virus sender. NOTE: I put some x's where my email address and the like are.
Deverill Posted May 8, 2004

Someone went to some trouble to do that. They even have the SpamAssassin stuff:

X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on server23.totalchoicehosting.com

But it's wrong! I just checked against one of mine and our true email headers are different. This is the kind of thing Magic was talking about: if the recipient reports it as spam and their admins aren't too knowledgeable, then they will just block TCH server 23 as a spammer, which would be wrong at best.