[DeTomaso] Spammer identified

Thomas Tornblom thomas at hax.se
Fri Jul 6 02:14:59 EDT 2012


If you view the complete headers, you'll see that the address shown in 
the email has nothing to do with the sender.

---
Received: from ftl.realbig.com (realbig.com [207.36.196.230])
	by spiff.Hax.SE (8.14.4/8.14.4) with ESMTP id q6649tNb025382
	for <thomas at hax.se>; Fri, 6 Jul 2012 06:10:00 +0200 (CEST)
Received: from localhost ([127.0.0.1]:50654 "ehlo ftl.realbig.com")
	by realbig.com with ESMTP id S559060Ab2GFEJs;
	Thu, 5 Jul 2012 23:09:48 -0500
Received: from na3sys009amx230.postini.com ([74.125.149.114]:21965 "EHLO
	psmtp.com") by realbig.com with ESMTP id S559050Ab2GFEJf;
	Thu, 5 Jul 2012 23:09:35 -0500
Received: from ool-d18c3b3c.dyn.optonline.net ([209.140.59.60]) by
	na3sys009amx230.postini.com ([74.125.148.11]) with SMTP;
	Thu, 05 Jul 2012 21:09:34 PDT
Received: from apache by nbabaoxfpyydfngndobd.atayatirim.com.tr with local
	(Exim 4.63) (envelope-from <<andy at realbig.com>,
	<detomaso at realbig.com>>) id 31C5R9-IT6B1Q-PJ for <andy at realbig.com>,
	<detomaso at realbig.com>; Thu, 5 Jul 2012 23:09:33 -0500
To: <andy at realbig.com>, <detomaso at realbig.com>
Date: Thu, 5 Jul 2012 23:09:33 -0500
From: <andy at realbig.com>, <detomaso at realbig.com>
Message-ID: 
<01800FB49CBF9B52ACCC23CD0B7BEF01 at nbabaoxfpyydfngndobd.twaron.com>
---

The problem appears to be that they fake the sender to be: 
"<andy at realbig.com>, <detomaso at realbig.com>"

All of the spams I've seen so far have had exactly this sender address. 
Shouldn't be too hard to filter out mails with this sender.

Normally you would never have two sender addresses in the From: line, so it 
should not cause any harm if this is filtered out.

Thomas

2012-07-06 03:53, Will Kooiman wrote:
> You should be able to trace it from within the realbig.com server.
>
> E-mail is insecure because you can enter whatever you want for the "from", "to", etc. addresses.  We do it all the time when we write monitors.  The monitor is running from the "oracle" or "root" account, but we don't want people to reply to those addresses.  They are not monitored.  So, we put a real e-mail address in the "From:" like the help desk or dba group.  If they hit <reply> it goes to the real e-mail address.
>
> In the old days we used to send e-mails on birthdays, from the birthday boy or girl.  It would say, "I turned 30 today and I really feel blue.  Could you please come by and wish me a happy b-day."
>
> It is very easy to script this and send bulk e-mail from whomever you want.  But if you send e-mails to the Internet, it has to be handled by an e-mail server, which sends it to the Internet Service Provider, which sends it to the next server, and so on until it finds the recipient.  Along the way there are log entries.
>
> I don't know how to backtrace the logs, but I know it can be done - as long as you have the cooperation of every admin at each hop.
>
> On Jul 5, 2012, at 7:28 PM, David and Marilyn Bell wrote:
>
>> The listed sending email address (i.e. - Bradly at guideusajob.com) is not a
>> registered member of the detomaso list.  Since it isn't a member account, I
>> can't delete it.  There's not a lot I can do except hit the delete button.
>>
>> I'll admit that it is annoying though.
>>
>>
>> Dave Bell
>>
>> -----Original Message-----
>> From: detomaso-bounces at realbig.com
>> [mailto:detomaso-bounces at realbig.com]On Behalf Of boyd casey
>> Sent: Thursday, July 05, 2012 9:27 AM
>> To: spkorb at gmail.com
>> Cc: List Pantera
>> Subject: Re: [DeTomaso] Spammer identified
>>
>>
>> I don't understand why the list administrator doesn't just pull the plug on
>> this account? Am I missing something?
>> Boyd
>>
>> On Thu, Jul 5, 2012 at 7:45 AM, Sean Korb<spkorb at gmail.com>  wrote:
>>
>>> Created 7-04-2012.  Might be an assumed or stolen identity.  I'm
>>> imagining an unassuming 84 year old lady with a pile of magazines....
>>>
>>> Though that is pretty funny :)
>>>
>>> Billing Contact:
>>>    Constance Santiago info at guideusajob.com
>>>    413-604-4606 fax: 413-604-3111
>>>    2845 Hilltop Street
>>>    Springfield MA 01103
>>>    us
>>>
>>> DNS:
>>> ns1.plymouthseattle.net
>>> ns2.plymouthseattle.net
>>>
>>> Created: 2012-07-04
>>> Expires: 2013-07-04
>>>
>>>
>>>
>>> On Thu, Jul 5, 2012 at 7:37 AM, michael at michaelshortt.com
>>> <michaelsavga at gmail.com>  wrote:
>>>> But the domain was registered in 2004.
>>>> Either way, she's getting a pile of magazines.
>>>>
>>>> Michael
>>>>
>>>> On Jul 5, 2012 7:34 AM, "Sean Korb"<spkorb at gmail.com>  wrote:
>>>>>
>>>>> That email is a fly by night affair too.  It was just created
>>>>> yesterday.  No such person.
>>>>>
>>>>>    Domain Name: GUIDEUSAJOB.COM
>>>>>    Registrar: BIZCN.COM, INC.
>>>>>    Whois Server: whois.bizcn.com
>>>>>    Referral URL: http://www.bizcn.com
>>>>>    Name Server: NS1.PLYMOUTHSEATTLE.NET
>>>>>    Name Server: NS2.PLYMOUTHSEATTLE.NET
>>>>>    Status: clientDeleteProhibited
>>>>>    Status: clientTransferProhibited
>>>>>    Updated Date: 04-jul-2012
>>>>>    Creation Date: 04-jul-2012
>>>>>    Expiration Date: 04-jul-2013
>>>>>
>>>>>
>>>>> On Thu, Jul 5, 2012 at 6:58 AM, Rob Dumoulin<rob at dumoulins.net>  wrote:
>>>>>> Everybody needs to send an email to this joker telling him to stop it.
>>>>>>
>>>>>> Bradly at guideusajob.com
>>>>>>
>>>>>> --
>>>>>> Rob DuMoulin
>>>>>> 904.476.8744
>>>>>> rob at dumoulins.net
>>>>>> _______________________________________________
>>>>>>
>>>>>> Detomaso Forum Managed by POCA
>>>>>>
>>>>>> Archive Search Engine Now Available at http://www.realbig.com/detomaso/
>>>>>>
>>>>>> DeTomaso mailing list
>>>>>> DeTomaso at list.realbig.com
>>>>>> http://list.realbig.com/mailman/listinfo/detomaso
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Sean Korb spkorb at spkorb.org http://www.spkorb.org
>>>>> '65,'68 Mustangs,'68 Cougar,'78 R100/7,'60 Metro,'59 A35,'71 Pantera #1382
>>>>> "The more you drive, the less intelligent you get" --Miller
>>>>> "Computers are useless.  They can only give you answers." -P. Picasso
>>>
>>>
>>>
>>> --
>>> Sean Korb spkorb at spkorb.org http://www.spkorb.org
>>> '65,'68 Mustangs,'68 Cougar,'78 R100/7,'60 Metro,'59 A35,'71 Pantera #1382
>>> "The more you drive, the less intelligent you get" --Miller
>>> "Computers are useless.  They can only give you answers." -P. Picasso


-- 
Real life:   Thomas Törnblom             Email:	   thomas at hax.se
Snail mail:  Banvallsvägen 14            Phone:    +46 18 32 31 18
              S - 754 40 Uppsala, Sweden  Mobile:   +46 76 209 8320
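
Added example, not part of the original message: a Python sketch of the filter suggested above, flagging a message whose From: header carries more than one address and listing the Received: hops so the From: claim can be compared with the relay path. The sample headers, host names and IP addresses are constructed for illustration (example.* names and documentation address ranges), and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample headers (not copied from the thread).
SAMPLE = """\
Received: from list.example.org (list.example.org [192.0.2.10])
\tby mx.example.net with ESMTP id A1; Fri, 6 Jul 2012 06:10:00 +0200
Received: from relay.example.com ([198.51.100.7])
\tby list.example.org with ESMTP id B2; Thu, 5 Jul 2012 23:09:35 -0500
Received: from dyn-host.example.invalid ([203.0.113.60])
\tby relay.example.com with SMTP; Thu, 05 Jul 2012 21:09:34 -0700
To: <andy@example.org>, <list@example.org>
From: <andy@example.org>, <list@example.org>
Subject: constructed test message

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def from_addresses(msg):
    """Return every address found across all From: headers."""
    return [addr for _name, addr in getaddresses(msg.get_all("From", [])) if addr]

def received_hops(msg):
    """Return (claimed_host, ip) per Received: header, newest hop first."""
    hops = []
    for raw in msg.get_all("Received", []):
        text = " ".join(raw.split())          # unfold continuation lines
        host = re.match(r"from\s+(\S+)", text)
        ip = IP_RE.search(text)
        hops.append((host.group(1) if host else None,
                     ip.group(1) if ip else None))
    return hops

def verdict(raw_headers):
    """Summarise the From: check and the oldest recorded relay hop."""
    msg = message_from_string(raw_headers)
    senders = from_addresses(msg)
    hops = received_hops(msg)
    return {
        "multi_from": len(senders) > 1,       # the filter condition
        "from": senders,
        "origin_hop": hops[-1] if hops else None,
    }

if __name__ == "__main__":
    print(verdict(SAMPLE))
```

Only the Received: lines written by servers you control or trust are reliable; anything below the first untrusted hop can be supplied by the sender just like the From: line.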
