[Gllug] spam

Harry Rickards hrickards at l33tmyst.com
Fri Aug 7 08:21:58 UTC 2009


Alain Williams wrote:
> On Thu, Aug 06, 2009 at 08:58:09PM +0100, Diana Scott wrote:
>> I have been receiving 10 - 15 spam email every day since early June
>> this year. I was shocked to find out some of the regular spam have my
>> email address as the sending address but in a different sender name
>> sending it back to my email account. When it arrives, the sender
>> appeared as "Me".
> 
> It is quite common.
> 
>> Do you know how the spammers find my email address
> 
> Harvesting email addresses is not hard. Your email address is all over the
> place -- eg: every gllug user knows it. They have programs to collect
> them and they then share them, some sell them.
> 
>> and how do they fake the sender id as ME sending it back to the
>> original address  ?
> 
> That is very easy. Your MUA (email reader/writer program) inserts yours;
> theirs inserts from addresses that they have.
> 
>> What do they gain by sending these spam email ?
> 
> Someone somewhere will buy: viagra, etc. Some contain a noxious payload
> that takes over MS machines
> 
>> What do I need to do
>> to get my email address off from the spammers mailing lists or stop
>> receiving from them ?
> 
<snip>


Half the time it doesn't work, but view the source of the spam email and
look for the bottom-most Received line. Once you've found it, look and
see whether either the from or the to looks like a proper domain. If it
does, do a whois lookup and send them a threatening email or letter. If
not, look at the Received line above, and so on. Am I right in thinking
that if the WHOIS postal address isn't right you can take them to court?

As an example, in the email I'm replying to (hope you don't mind me using
this as an example), the top of the message looks like this:

From - Fri Aug  7 09:04:52 2009
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <gllug-bounces at gllug.org.uk>
X-Original-To: hrickards at l33tmyst.com
Delivered-To: hrickards at l33tmyst.com
Received: from mailman.ukfsn.org (mailman.ukfsn.org [77.75.108.75])
	by l33tmyst.com (Postfix) with ESMTP id 821DB6950E56
	for <hrickards at l33tmyst.com>; Fri,  7 Aug 2009 09:05:05 +0100 (BST)
Received: from mailman.ukfsn.org (localhost.localdomain [127.0.0.1])
	by mailman.ukfsn.org (Postfix) with ESMTP id 285ADAF9A;
	Fri,  7 Aug 2009 08:12:49 +0100 (BST)
Received: from mail.ukfsn.org (unknown [77.75.108.10])
	by mailman.ukfsn.org (Postfix) with ESMTP id 0F03EAF5C
	for <gllug at gllug.org.uk>; Fri,  7 Aug 2009 08:12:46 +0100 (BST)
Received: from localhost (smtp-filter.ukfsn.org [192.168.54.205])
	by mail.ukfsn.org (Postfix) with ESMTP id F3056DEBC8
	for <gllug at gllug.org.uk>; Fri,  7 Aug 2009 09:04:31 +0100 (BST)
Received: from mail.ukfsn.org ([192.168.54.25])
	by localhost (smtp-filter.ukfsn.org [192.168.54.205]) (amavisd-new,
	port 10024) with ESMTP id 2HpPn8Tb2p4H for <gllug at gllug.org.uk>;
	Fri,  7 Aug 2009 07:23:34 +0100 (BST)
Received: from mint.phcomp.co.uk (unknown [78.32.209.33])
	by mail.ukfsn.org (Postfix) with ESMTP id C369BDEBC7
	for <gllug at gllug.org.uk>; Fri,  7 Aug 2009 09:04:31 +0100 (BST)
Received: from addw by mint.phcomp.co.uk with local (Exim 4.63)
	(envelope-from <addw at phcomp.co.uk>) id 1MZKRB-0003LG-Du
	for gllug at gllug.org.uk; Fri, 07 Aug 2009 09:04:29 +0100

Looking at the bottom-most received line I can tell that addw is not a
proper domain (addw), but mint.phcomp.co.uk looks to be one. If I do an
nslookup for MX on phcomp.co.uk I get freshmint.phcomp.co.uk, which is
what my pings to phcomp.co.uk get redirected to. This probably means
that the owner of phcomp.co.uk is the same as the owner of mint.phcomp.co.uk.
If I then proceed to do a whois lookup on phcomp.co.uk I get the address
and name of the domain holder.


-- 
Thanks
Harry Rickards <hrickards at l33tmyst.com>

GPG Key Info:
pub   1024R/58449F6F 2009-06-12
uid                  Harry Rickards (OpenPGP Card) <hrickards at l33tmyst.com>
sub   1024R/D775CCEE 2009-06-12
sub   1024R/9394048C 2009-06-12
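The bottom-up reading above, as an added example that is not part of the original post: a small Python script that parses the Received: chain of a raw message with the standard email package, reports the earliest hop the way the post does, and also walks top-down from the recipient's own server to the first hop where an outside host handed the message to a trusted one. That top-down handoff is the more reliable starting point, because every Received line below it was written by the sending side and can be forged. The message, host names and IPs are constructed (RFC 5737 documentation addresses stand in for public ones) and the trusted-domain list is an assumption.

```python
# Added example, not from the original post. SAMPLE is constructed after the
# header chain quoted above; hosts are placeholders, RFC 5737 IPs act as public.
import email
import ipaddress
import re
from email import policy

SAMPLE = """\
Received: from mailman.example.org (mailman.example.org [203.0.113.75])
    by mx.recipient.example (Postfix) with ESMTP id 1A; Fri, 7 Aug 2009 09:05:05 +0100
Received: from localhost (smtp-filter.example.org [192.168.54.205])
    by mail.example.org (Postfix) with ESMTP id 2B; Fri, 7 Aug 2009 09:04:31 +0100
Received: from mint.sender.example (unknown [198.51.100.33])
    by mail.example.org (Postfix) with ESMTP id 3C; Fri, 7 Aug 2009 09:04:31 +0100
Received: from addw by mint.sender.example with local (Exim 4.63)
    (envelope-from <addw@sender.example>) id 4D; Fri, 07 Aug 2009 09:04:29 +0100
Subject: test
"""

# from <helo> (<rdns> [<ip>]) by <host>; the rdns and bracketed IP are optional
HOP = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?:(?P<rdns>[^\s()\[\]]+)\s+)?"
                 r"\[(?P<ip>[^\]]+)\]\))?.*?\bby\s+(?P<by>\S+)")
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_hops(raw):
    """Return the Received: hops top-down (recipient's own server first)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(re.sub(r"\s+", " ", value))  # unfold continuation lines
        if m:
            hops.append(m.groupdict())
    return hops

def is_internal(ip):  # loopback/RFC 1918 peers are relays inside one site
    return ip is None or any(ipaddress.ip_address(ip) in n for n in INTERNAL)

def first_external_hop(hops, trusted):
    """Top-down: first hop where a peer outside `trusted` handed the message
    to a server we trust. Every Received line below it came from that peer."""
    for hop in hops:
        host = hop["rdns"] if hop["rdns"] and hop["rdns"] != "unknown" else hop["from"]
        if not is_internal(hop["ip"]) and not host.endswith(tuple(trusted)):
            return hop
    return None

def bottom_hop(hops):
    return hops[-1] if hops else None  # earliest hop: the post's bottom-up reading
```

Running `first_external_hop(parse_hops(SAMPLE), ("recipient.example", "example.org"))` returns the mint.sender.example hop, the same host the post arrives at, while `bottom_hop` returns the local "addw" hop with no IP.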
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug