What do you do when uninformed (L)users start reporting you to spam databases in error? I received an email that was CC:ed to [EMAIL PROTECTED] from some guy who got a "400 Million Email Addresses" spam with a forged, nonexistent email address on my domain in the "From:" field.
Here is his message and my reply. Anyone know about Abuse.net? I'm gonna start crawling their site and figure out how much damage was done.

Dan Horne

>>-----Original Message-----
>>From: Razook, Randy [mailto:[EMAIL PROTECTED]]
>>Sent: Wednesday, December 11, 2002 4:38 AM
>>To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
>>Subject: [Potential SPAM]FW:
>>
>>
>>I don't appreciate this spam on my domain. Please stop immediately.
>>
>>Received: from kmrmail.kmr.ll.mit.edu ([172.22.10.5]) by
>>msnexch1.kmr.ll.mit.edu with SMTP (Microsoft Exchange
>>Internet Mail Service Version 5.5.2653.13)
>> id XFCK7CVS; Wed, 11 Dec 2002 21:35:06 +1200
>>Received: from vgw.kmr.ll.mit.edu (vgw [172.22.10.22])
>> by kmrmail.kmr.ll.mit.edu (8.9.3+Sun/8.9.3) with SMTP
>>id VAA03148
>> for <[EMAIL PROTECTED]>; Wed, 11 Dec 2002
>>21:44:02 +1200
>>(GMT)
>>Received: from group33.kmr.ll.mit.edu ([172.21.100.12])
>> by vgw.kmr.ll.mit.edu (NAVGW 2.5.2.9) with SMTP id
>>M2002121121362317939 for <[EMAIL PROTECTED]>;
>>Wed, 11 Dec 2002 21:36:40 +1200
>>Received: from newlink.kmr.ll.mit.edu
>>(mailhost.kmr.ll.mit.edu [172.20.0.2])
>> by group33.kmr.ll.mit.edu (8.8.4/8.8.4) with ESMTP
>> id EAA27542 for <[EMAIL PROTECTED]>; Wed, 11 Dec
>>2002 04:42:22 -0500
>>Received: from newlink.kmr.ll.mit.edu (root@localhost)
>> by newlink.kmr.ll.mit.edu with ESMTP id EAA15759
>> for <[EMAIL PROTECTED]>; Wed, 11 Dec 2002 04:42:21
>>-0500 (EST)
>>Received: from 80.56.162.148 (f162148.upc-f.chello.nl [80.56.162.148])
>> by newlink.kmr.ll.mit.edu with SMTP id EAA15741
>> for <[EMAIL PROTECTED]>; Wed, 11 Dec 2002 04:41:22
>>-0500 (EST)
>>Message-Id: <[EMAIL PROTECTED]>
>>Received: from 87.15.78.89 ([87.15.78.89]) by pet.vosn.net
>>with local; Dec, 11 2002 4:27:25 AM -0200
>>Received: from 11.139.74.233 ([11.139.74.233]) by
>>n7.groups.yahoo.com with NNFMP; Dec, 11 2002 3:38:03 AM +1100
>>Received: from [42.47.39.56] by mta6.snfc21.pbi.net with
>>SMTP; Dec, 11 2002 2:16:59 AM +1200
>>From: drmsTiffany DeMille Reese <[EMAIL PROTECTED]>
>>To: [EMAIL PROTECTED]
>>Cc:
>>Subject:
>>Sender: drmsTiffany DeMille Reese <[EMAIL PROTECTED]>
>>Mime-Version: 1.0
>>Content-Type: text/plain; charset="iso-8859-1"
>>Date: Wed, 11 Dec 2002 04:40:55 -0500
>>X-Mailer: Microsoft Outlook Express 6.00.2600.0000
>>
>>-----Original Message-----
>>From: drmsTiffany DeMille Reese [mailto:[EMAIL PROTECTED]]
>>Sent: Wednesday, December 11, 2002 9:41 PM
>>To: [EMAIL PROTECTED]
>>Subject:
>>
>>
>>
>>400 MILLION Email Addresses in a 3 volume, 5-disk set
>>
>>** Complete package only $139!! **

----------EDIT: Standard SPAM Message Cut Out-----------

-------Begin My Reply-----------

This email did not come from my domain. In fact, a simple glance at the headers would have confirmed that it never even touched my domain. This message entered your mail system from a server in the Netherlands, as evidenced by the following:

>Received: from 80.56.162.148 (f162148.upc-f.chello.nl [80.56.162.148])
>by newlink.kmr.ll.mit.edu with SMTP id EAA15741
>for <[EMAIL PROTECTED]>; Wed, 11 Dec 2002 04:41:22
>-0500 (EST)

Furthermore, the site it is directing you to visit is located in China. Reporting us to abuse.net is not going to do anything to reduce your level of spam, it will only disrupt our business practices. A spammer could just as easily use [EMAIL PROTECTED] as their return address. Does that mean you should be reported to abuse.net? If I go into my account properties in Outlook, I can easily set my return address to anything I want.

A *VERY* quick glance at abuse.net provided this little nugget (and I quote):

"If you're complaining about junk e-mail, the From: header on spam is almost always forged, so you need to look at other header information to figure out who's responsible." (http://www.abuse.net/howwork.html)

Answer me this: Why would a travel agency attempt to sell you 400 Million Email addresses?

I implore you, the next time you report someone to Abuse.net make sure you are reporting the correct person.
Now, because of you, I have to figure out how to let abuse.net know that I am not a spammer. That wastes my time and resources.

Dan Horne
Systems Administrator
Wilcox Travel Agency, Inc.
[EMAIL PROTECTED]

---
This E-mail came from the Declude.JunkMail mailing list.
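
The header reading described in the reply above, as an added example that is not part of the original post: it walks the Received chain from the newest line down and stops at the last hop recorded by the recipient's own servers, which is the only sender information the spammer could not write themselves. It assumes every host under `kmr.ll.mit.edu` belongs to the recipient; the function names are illustrative.

```python
import re

# Received lines abridged from the quoted message above (ids, "for" clauses and
# dates dropped), newest first, in the order they appear in the message.
RECEIVED = [
    "from kmrmail.kmr.ll.mit.edu ([172.22.10.5]) by msnexch1.kmr.ll.mit.edu with SMTP",
    "from vgw.kmr.ll.mit.edu (vgw [172.22.10.22]) by kmrmail.kmr.ll.mit.edu with SMTP",
    "from group33.kmr.ll.mit.edu ([172.21.100.12]) by vgw.kmr.ll.mit.edu with SMTP",
    "from newlink.kmr.ll.mit.edu (mailhost.kmr.ll.mit.edu [172.20.0.2]) by group33.kmr.ll.mit.edu with ESMTP",
    "from newlink.kmr.ll.mit.edu (root@localhost) by newlink.kmr.ll.mit.edu with ESMTP",
    "from 80.56.162.148 (f162148.upc-f.chello.nl [80.56.162.148]) by newlink.kmr.ll.mit.edu with SMTP",
    "from 87.15.78.89 ([87.15.78.89]) by pet.vosn.net with local",
    "from 11.139.74.233 ([11.139.74.233]) by n7.groups.yahoo.com with NNFMP",
    "from [42.47.39.56] by mta6.snfc21.pbi.net with SMTP",
]
TRUSTED = "kmr.ll.mit.edu"  # assumption: hosts under this name are the recipient's own

HOP = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hop(line):
    """Split one Received line into claimed name, recorded peer and recording host."""
    m = HOP.match(line.strip())
    if not m:
        return None
    info = m.group("info") or ""
    ip = IPV4.search(info) or IPV4.search(m.group("helo"))
    first = info.split()[0] if info.split() else ""
    rdns = first if first and not first.startswith("[") and "@" not in first else None
    return {"helo": m.group("helo"), "rdns": rdns,
            "ip": ip.group(1) if ip else None, "by": m.group("by").lower()}

def is_trusted(host, domain=TRUSTED):
    # Match on a label boundary so "notkmr.ll.mit.edu" does not pass.
    return host == domain or host.endswith("." + domain)

def entry_point(lines, domain=TRUSTED):
    """Return (oldest hop recorded by a trusted server, older unverifiable lines)."""
    entry, cut = None, 0
    for i, line in enumerate(lines):
        hop = parse_hop(line)
        if hop is None or not is_trusted(hop["by"], domain):
            break  # first line not written by the recipient's servers
        entry, cut = hop, i + 1
    return entry, lines[cut:]

if __name__ == "__main__":
    hop, unverified = entry_point(RECEIVED)
    print("entered via", hop["by"], "from", hop["ip"], hop["rdns"], "|", len(unverified), "lines unverifiable")
```

The lines returned as unverifiable, like the From: and Sender: fields, were supplied by the sending side and say nothing reliable about the message's origin.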
