skybytch 273 #1 October 29, 2002
I need some high tech help here. Apparently someone is using our "sales@" address as the "from" addy on some stupid mortgage spam crap; I've gotten a couple of bounce messages today. This totally sucks; makes us look bad. Anybody know if/how I can figure out who's doing it so I can hunt them down and kill them?

Jimbo 0 #2 October 29, 2002
The key is in the message headers, at least that's where you'll need to start. If you care to post them here I'm sure we can help you figure this out. Or if you like, just PM them to me and I'll take a look myself.
- Jim
"Like" - The modern day comma
Good bye, my friends. You are missed.

skybytch 273 #3 October 29, 2002
Quote:
X-MSN-Trace: {7D8CC501-05BA-4BEA-B9FF-2D726F9F71B0}
Received: from square1.com ([219.93.237.70]) by cpimssmtpa38.msn.com with Microsoft SMTPSVC(5.0.2195.4905); Tue, 29 Oct 2002 14:21:49 -0800
Reply-To:
Message-ID: <015b73b60c8e$3424d4d3$6bc01db7@rxmnja>
From:
To:
CC: ,
Subject: u can too...
Date: Wed, 30 Oct 2002 06:14:48 -0800
MiME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
Return-Path: sales@square1.com
X-OriginalArrivalTime: 29 Oct 2002 22:21:50.0175 (UTC) FILETIME=[938906F0:01C27F99]

Every computer here uses Netscape Navigator, not MS Outlook, for sending and receiving email so I know for sure it didn't come originally from any machine in this office.

PhreeZone 20 #4 October 30, 2002
Congrats! Your domain is being spoofed by a server overseas. They are spoofing server from 219.93.237.70. Here is the info on the ISP and addresses to report abuse to. Too bad most times it goes on deaf ears overseas.

inetnum: 219.92.0.0 - 219.93.255.255
netname: TMNET-MY-1
descr: TMNET, TELEKOM MALAYSIA
descr: Internet Service Provider
country: MY
admin-c: AS115-AP
admin-c: EU3-AP
admin-c: SM135-AP
tech-c: AS115-AP
tech-c: EU3-AP
tech-c: SM135-AP
remarks: Send abuse mail to abuse@tm.net.my;tmcops@tm.net.my
mnt-by: APNIC-HM
mnt-lower: TM-NET-AP
changed: hostmaster@apnic.net 20020426
status: ALLOCATED PORTABLE
source: APNIC

person: Ainol Shaharina Sahar
address: 4th Floor, Block C5, CCL Plaza,
address: Jalan SS6/12, 47301 Petaling Jaya,
address: Selangor
country: MY
phone: +603-7043106
fax-no: +603-7042204
e-mail: ainol@tm.net.my
nic-hdl: AS115-AP
mnt-by: TM-NET-AP
changed: azmi@tm.net.my 20000502
source: APNIC

person: Emelia Udin
address: Telekom Malaysia Berhad
address: 1st Floor, Kelana Parkview Tower,
address: Jalan SS6/2, Kelana Jaya,
address: 47301 Petaling Jaya,
address: Selangor, Malaysia
country: MY
phone: +603-707-4709
fax-no: +603-705-4442
e-mail: e_melia@tm.net.my
nic-hdl: EU3-AP
mnt-by: TM-NET-AP
changed: e_melia@tm.net.my 20010727
source: APNIC

person: Siti Fuwaizah Mohd. Ghazali
address: Telekom Malaysia Berhad
address: 1 st Floor,Kelana Park View Tower,
address: Jalan SS6/2, Kelana Jaya,
address: 47301 Petaling Jaya,
address: Selangor, Malaysia
country: MY
phone: +603-707-4662
fax-no: +603-705-4442
e-mail: fuwaizah@tm.net.my
nic-hdl: SM135-AP
mnt-by: TM-NET-AP
changed: fuwaizah@tm.net.my 20010802
source: APNIC

Yesterday is history
And tomorrow is a mystery
Parachutemanuals.com

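The header reading described in posts #2 and #4, as an added Python example that is not part of any post in the thread: it takes the connecting IP from the topmost Received line, checks it against the whois range quoted above, and compares the Date header with the delivery time. OWN_MAIL_IPS is a constructed placeholder for the domain owner's real outbound server, and the function and field names are illustrative.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from ipaddress import ip_address

# Headers retyped from post #3; headers the forum left empty are omitted.
RAW = (
    "Received: from square1.com ([219.93.237.70]) by cpimssmtpa38.msn.com"
    " with Microsoft SMTPSVC(5.0.2195.4905); Tue, 29 Oct 2002 14:21:49 -0800\n"
    "Message-ID: <015b73b60c8e$3424d4d3$6bc01db7@rxmnja>\n"
    "Subject: u can too...\n"
    "Date: Wed, 30 Oct 2002 06:14:48 -0800\n"
    "Return-Path: sales@square1.com\n\n"
)
OWN_MAIL_IPS = {"192.0.2.25"}  # assumption: constructed placeholder address
WHOIS_RANGE = ("219.92.0.0", "219.93.255.255")  # inetnum from post #4

RECEIVED = re.compile(
    r"from (?P<helo>\S+) \(\[(?P<ip>[\d.]+)\]\) by (?P<by>\S+).*; (?P<when>.+)$")

def analyze(raw, our_domain="square1.com", own_ips=OWN_MAIL_IPS):
    msg = message_from_string(raw)
    # Only the topmost Received line was written by the recipient's own MTA;
    # every other header in the message is under the sender's control.
    top = " ".join(msg.get_all("Received")[0].split())
    m = RECEIVED.search(top)
    if m is None:
        raise ValueError("unrecognised Received format")
    ip = m["ip"]
    envelope_domain = parseaddr(msg["Return-Path"])[1].rpartition("@")[2].lower()
    received_at = parsedate_to_datetime(m["when"])
    claimed_date = parsedate_to_datetime(msg["Date"])
    lo, hi = (ip_address(a) for a in WHOIS_RANGE)
    return {
        "connecting_ip": ip,
        "helo": m["helo"],            # self-reported by the connecting host
        "envelope_domain": envelope_domain,
        # Our domain is claimed, but the connection came from an address we do not run
        "spoofed": envelope_domain == our_domain and ip not in own_ips,
        "in_whois_range": lo <= ip_address(ip) <= hi,
        # Positive: the Date header is later than the moment of delivery
        "date_ahead_seconds": int((claimed_date - received_at).total_seconds()),
    }

if __name__ == "__main__":
    for key, value in analyze(RAW).items():
        print(f"{key}: {value}")
```
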
Deuce 1 #5 October 30, 2002
Lisa, might it be that dickhead with the credit card you cut off? I don't know diddly about means here, but that fool had motive.
JP

skybytch 273 #6 October 30, 2002
Thanks phree! I knew having geeky friends would come in handy some day. Is there a US-based agency I can report this to also?

skybytch 273 #7 October 30, 2002
Hmmm... is it a bad sign when one of the addresses to send abuse emails to bounces back because the address is "over quota"??

indyz 1 #8 October 30, 2002
Quote: Hmmm... is it a bad sign when one of the addresses to send abuse emails to bounces back because the address is "over quota"??
Nah... It just means that the recipient hasn't emptied their mailbox in a while. Happens all the time to my users ("What do you mean I can't just leave 100 meg attachments in my online folders?").