Author Topic: Spammers have hijacked two of my email addresses  (Read 7401 times)

sandbox
« Reply #15 on: November 11, 2008, 12:44:39 PM »
QUOTE(chriskleeman @ Nov 11 2008, 01:05 PM)
Well, the IP addresses I've been seeing are all over the place. I have narrowed one source down to a single IP, but there seems to be no rhyme or reason unless I'm not looking in the right spot.

Here's one of them, and I've substituted <myemailaddress@somewhere.net> in those places where the valid email address shows up. And I've removed the domain name in the Return-Path, but it belongs to a private IP provider, clarity.net.

Chris, all of this from the bottom is added… there is no such IP address over 255.255.255.255, so this is BS [729.6.48.3]. Pay close attention to RECEIVED FROM: in this case = psmtp.com http://www.robtex.com/dns/psmtp.com.html

Sun, 09 Nov 2008 08:11:10 PST
X-Originating-IP: [729.6.48.3]
X-Originating-Email: [myemailaddress@somewhere.net]
X-Sender: myemailaddress@somewhere.net
To: <myemailaddress@somewhere.net>
Subject: RE: zr.Doctor Harlan
From: <myemailaddress@somewhere.net>
MIME-Version: 1.0
Importance: High
Content-Type: text/html
X-pstn-levels: (S: 0.00000/86.03780 CV:99.9999 R:95.9108 P:95.9108 M:95.5423 C:98.6951 )
X-pstn-settings: 2 (0.5000:0.5000) s cv gt3 gt2 gt1 r p m c
X-pstn-addresses: from <myemailaddress@somewhere.net> forward (user good) [3996/158]
X-UIDL: "%,!!(c7"!4RN"!jG?"!

Then we come to this where ([64……receives data from ([93……..who happens to be Russian
Received: from source ([93.120.176.55]) by exprod7mx230.postini.com ([64.18.6.14]) with SMTP;
Sun, 09 Nov 2008 08:11:10 PST

inetnum:        93.120.128.0 - 93.120.191.255
netname:        DYNAMIC-BRAS-POOL5-NNOVVT
descr:          Network for OJSC VolgaTelecom
descr:          N.Novgorod Branch BRAS dynamic IP pools
descr:          About abuse activity please
descr:          e-mail to abuse@nnov.vt.ru
country:        RU
admin-c:        VT-RU
tech-c:         VT-RU
status:         ASSIGNED PA
mnt-by:         NMTS-MNT
source:         RIPE # Filtered


I just checked robtex http://www.robtex.com/dns/psmtp.com.html and found that psmtp.com= 64.18…..is on the spam list and your filters should be catching this stuff.


NetRange:   64.18.0.0 - 64.18.15.255
CIDR:       64.18.0.0/20
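
The header reading in this post, as an added example that is not part of the original thread: it rejects impossible IP literals in sender-supplied headers, flags mail whose From and To match, and takes the connecting IP only from the Received line stamped by the recipient's own filter. The sample message is constructed from the values quoted above, and `trusted_relay_suffix` is an assumed parameter name.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, assembled from the header lines quoted in the post above.
SAMPLE = """\
Received: from source ([93.120.176.55]) by exprod7mx230.postini.com ([64.18.6.14]) with SMTP;
 Sun, 09 Nov 2008 08:11:10 PST
X-Originating-IP: [729.6.48.3]
To: <myemailaddress@somewhere.net>
From: <myemailaddress@somewhere.net>
Subject: RE: zr.Doctor Harlan

body
"""

def valid_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False

def triage(raw, trusted_relay_suffix="postini.com"):
    """trusted_relay_suffix (assumed name): the relay whose Received stamp we believe."""
    msg = message_from_string(raw)
    out = {"forged_ip_literals": [], "self_addressed": False, "handoff_ip": None}
    # X-Originating-IP is written by the sender, so it can hold anything.
    for ip in re.findall(r"\[([0-9.]+)\]", msg.get("X-Originating-IP", "")):
        if not valid_ipv4(ip):
            out["forged_ip_literals"].append(ip)
    # Same address in From and To is the spoofing pattern this thread is about.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    out["self_addressed"] = bool(sender) and sender == rcpt
    # Trust only the hop recorded by our own relay; everything the sender
    # supplied before the handoff may be invented.
    for hop in msg.get_all("Received", []):
        m = re.search(r"from\s+\S+\s+\(\[([0-9.]+)\]\)\s+by\s+(\S+)", hop)
        if m and m.group(2).lower().endswith(trusted_relay_suffix) and valid_ipv4(m.group(1)):
            out["handoff_ip"] = m.group(1)
            break
    return out
```

The `handoff_ip` value is the address to look up in whois and to include when reporting abuse, since it is the only one in the message the sender could not forge.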

Xairbusdriver
« Reply #16 on: November 11, 2008, 12:53:44 PM »
HA! Another "feature" less respected than it should be by lowly users! There is a setting at EarthLink/Mindspring that allows you to 'protect' yourself from somebody by forcing/asking them to use that process. I'm sure your friend started it in good faith hoping to get less SPAM. But it also causes some one-time work for all his pals. I tried it once until I realized how paranoid it made me look and the trouble it caused others, even if it was only a one-time event. It is basically a way for the ISP to create a 'good' address list for each customer. It's not an infection, affliction, etc., just a one-time annoyance. And, you can use it to annoy your friends, too!

Then, there are the automagic "Vacation" messages that keep all the forums full of "Sorry, I'm away..." messages...

And how about the request to "Acknowledge Receipt?" "Yes, I got those images of little Johnny playing in the dog mess!"
« Last Edit: November 11, 2008, 12:58:07 PM by Xairbusdriver »
THERE ARE TWO TYPES OF COUNTRIES
Those that use metric = #1 Measurement system
And the United States = The Banana system
CAUTION! Childhood vaccinations cause adults! :yes:

sandbox
« Reply #17 on: November 11, 2008, 12:55:09 PM »
QUOTE(RHPConsult @ Nov 11 2008, 01:18 PM)
I'm really over my head, here, too, Kimmer.

However, if I can add a current puzzle along the same lines, here it is. (If I should post this separately, please so inform me)

• • •


I also have several e-addresses. My principal one is on Earthlink. (I've kept it because it seems too big a job to tell everyone in my address book to switch)

The other day one of my favorite correspondents (also a Mac-ster, also using MAIL, also on Earthlink) presumably sent me a message that, henceforth, I needed to be pre-approved (once) in order to have my mail get into his mailbox. And, of course, click here to begin the process. You betcha!

The jerk sending this was too smart by half. My pal is on vacation and has been sending me photos and messages from his MB Pro from various hotels around the West. So, the "warning" made no sense.

He'll be home by tomorrow and will be talking to Earthlink (lotsa luck).

Any idea how this happened, what he might do to hose it? I am, to date, the only one of his correspondents so "infected", "afflicted", whatever!


Dick, you know there is a pre-approval option in the highest levels of EarthLink security, right? I used to set mine on High when I was out of town many years ago, before I knew better. He may have set it to high and didn't add you to the Good Guy list.

Let's assume he didn't, the address is earthlink internal and can be checked with their fact checking software on the webpage. To stop abuse just report it to earthlink right away.

sandbox
« Reply #18 on: November 11, 2008, 01:12:21 PM »
It is important that you report any spam as soon as you suspect it; it will be placed on a list and the Spam software around the world will tag it for abuse. They rarely make mistakes so don't worry if you think someone's server is being abused and that they will be wrongfully charged.

Again, if you don't send yourself email, block RECEIVED: From you@yours.com or have it redirected to a special folder on your server. I have a folder that I call junk; it empties on autopilot every 10 days. I check it when I think of it and only once have I found an email in there that had some value.

If you want to send stuff to yourself you can use another address FROM to send it TO yourself.


If you need help setting up server side Redirects or folders just let me know and I'll try to guide you to a spam free existence.

Paddy
« Reply #19 on: November 11, 2008, 05:23:11 PM »
SB, the "Received: from psmtp.com (exprod7mx230.postini.com [64.18.2.183])" is Postini - the spam filter that the email is being sent through (I'm not sure if it's Chris' ISP that is doing it or whether he does it). They're on the red list because they're on the following lists: postmaster.rfc-ignorant.org, abuse.rfc-ignorant.org, and whois.rfc-ignorant.org, which in no way, shape or form means that they're spammers. They simply do not have abuse@psmtp.com and postmaster@psmtp.com (or postini.com...whatever) and don't have what RFC defines as adequate contact information in their whois info. It in no way means that they're blacklisted for being spammers. I'm not sure how many ISPs actually use their lists to block email - I would hope that it isn't many, as it has nothing to do with spam. Frankly, I've always had trouble with the "requirement" for a postmaster@yourdomain email address for any domain with email addresses - it's a sure-fire way to get inundated with absolutely ridiculous amounts of spam. In theory, TS could land on that list, if I understand it correctly. If we did, we'd join the illustrious company of Amazon, Microsoft, Gap, the Toronto District School Board, The Boston Globe, MSN, Yahoo, eBay...and those were just a few I tried looking up!! (They lacked either or both an "abuse@" or a "postmaster@")
« Last Edit: November 11, 2008, 05:24:04 PM by Paddy »
"If computers get too powerful, we can organize them into committees. That'll do them in." ~Author unknown •iMac 5K, 27" 3.6Ghz i9 (2019) • 16" M1 MBP(2021) • 9.7" iPad Pro • iPhone 13

chriskleeman
« Reply #20 on: November 11, 2008, 05:43:21 PM »
My ISP provides Postini as a part of their service, fyi.

CK
Just a dumb guitar player...
My Website

Paddy
« Reply #21 on: November 11, 2008, 09:16:07 PM »
Clearly the issue is that Postini is configured to ignore certain things - like email ostensibly from the same person it's being sent to, even if that email is originating from a spammer in reality. I would assume it applies a set of rules - some of which override the others and this is why this sort of thing slips through. You should contact your ISP with several examples (full headers) of the stuff you've been getting to see if there is some way they can adjust the filters on Postini.

sandbox
« Reply #22 on: November 12, 2008, 12:34:20 AM »
Thanks Paddy, it's hard to read these things when the addresses are altered. You can't do traceroutes or pings.

You've seen the real header? In any case..moving on.....I redirect all mail from me to me to a junk folder on the server. This is an old trick, I've had these blocks and redirects set up on my addresses for years. I don't send email to myself so there is no downside. If I need to send something to myself I will send it from metwo@myplace.com to me@myplace.com so there are no block rules to engage.

I remove Postmaster and Webmaster email addresses from my list on all domain accounts. They used to come with both, then only Webmaster. I do not use real names, like tom, dick, or harry@myplace.com. Often add a number in with the letters, like 1toU@myplace. A well thought out plan and address is worth a thousand hours of spam you won't ever see.
Since I'm a slow learner it took me 2 thousand hours of spam to figure out a plan, but I've been spam free for some time now and run an open address on some of my websites.

chriskleeman
« Reply #23 on: November 12, 2008, 07:38:33 AM »
FYI,

I began forwarding all the headers as they come in to Postini yesterday.

So, we'll see what happens.

I can block domains, I can block senders, and as a last resort, will block those two addresses if they can't figure it out.

And, thanks for all the info!

CK

sandbox
« Reply #24 on: November 12, 2008, 02:16:47 PM »
hi.gif

Gregg
« Reply #25 on: November 12, 2008, 06:49:00 PM »
Maybe this news will make you feel a little better.
Ya gotta applaud those bunnies for sacrificing their hearing just so some guy in Cupertino can have better TV reception.

sandbox
« Reply #26 on: November 13, 2008, 12:10:30 AM »
topic #1 How to build a police state.

If you don't have an enemy or criminal you don't need an army or police force.

They knew where the McColo spammers were operating but chose not to interfere.

Justification: we got them where we want them? horsefeathers.

There are many who benefit from spammers including anti-spam companies and expanding government agencies.

Claiming that the laws governing spam and porn stopped them from doing their jobs was a reach and reason to create new laws and extend more power to agencies who exercise selective enforcement.

Let the criminals run amuck waiting for public outcry and Mother Against Spam Spawning M_A.S.S. to rise up from under the piles of spam with their cyber-army, robocops and new legislation to bust anyone spamming without a license. Now if you get spam from a sanctioned criminal it's OK, like some pharmaceutical company or non-profit, or or or the lord of the pings....from their crystal_meth_cathedrals .....what's a mother to do?

If I send an email it can be traced, if I get an email it can be traced. They can trace and prosecute spammers if they choose to, and they do, selectively.


chriskleeman
« Reply #27 on: January 03, 2009, 11:23:34 AM »
An update to this situation:

Postini will not let me block my own addresses. VTel Internet's answer (my ISP) was to change my password. Did that, didn't help, now I'm getting some of the same stuff with another header sometimes, "Re-password change"... with the same crap in the message body... go figure, something is pretty weird here...

So, I'm going to bite the bullet some time in the next couple of weeks and get rid of both addresses and change them.

In the meantime, I've begun asking those who send out open addresses on their emails to either "bcc" me or not send at all.

Chris K

Xairbusdriver
« Reply #28 on: January 03, 2009, 01:56:01 PM »
QUOTE
asking those who send out open addresses on their emails to [...] "bcc" me
To which most of my senders say, "What's 'BCC:'?" or "Why?" It's a hopeless attempt to educate the 'world,' IMHO. Just trash the old addresses and create some new ones. Or leave the old one 'alive' for a few weeks and respond with an automatic sig that alerts them to use the new one or be out-of-contact forever. The ones who change are the ones who really want to stay in touch. You probably don't really need the others! Do it sooner than later. Just remember to change the address any place you may have used it for any kind of "registration." Probably best to create an alias address explicitly for those kinds of situations, anyway.

chriskleeman
« Reply #29 on: January 03, 2009, 04:47:43 PM »
QUOTE(Xairbusdriver @ Jan 3 2009, 02:56 PM)
QUOTE
asking those who send out open addresses on their emails to [...] "bcc" me
To which most of my senders say, "What's 'BCC:'?" or "Why?" It's a hopeless attempt to educate the 'world,' IMHO. Do it sooner than later. Just remember to change the address any place you may have used it for any kind of "registration." Probably best to create an alias address explicitly for those kinds of situations, anyway.


That's precisely why I am waiting for a chunk of time to do this... I'm already compiling a list of places where that address is registered, because that's the real pain in the rear end, making sure you don't forget to change those places, especially if you're signed up for some kind of "e-statement"!!!

Oops, Amex, sorry I changed my email address and forgot about my statement.... can you forgive those late charges please???

CK

And, oddly enough, no spam from those two addresses for 36 hours for some reason. Maybe there's a rotten piece of fruit at my ISP??? And the amount of spam in my spam filter is about 75% reduced over the last few days, maybe just blind luck!
« Last Edit: January 03, 2009, 04:49:06 PM by chriskleeman »