On 3 Oct 2006, in the Usenet newsgroup alt.computer.security, in article
<1159863954.576259.149570@k70g2000cwa.googlegroups.com>, Marrick wrote:
>I think my PC has become a 'spam zombie' as I'm getting a lot of
>'undelivered' emails that I haven't sent returned to my inbox - blocked
>and bounced back by other people's spam filters.
It's amazing how many st00pid mail servers accept ALL mail whether or
not the recipient exists, and later do tests and try to send back anything
they don't like - such as mail for non-existent users they shouldn't have
accepted in the first place. As the "From:" address is almost always faked
or spoofed, this causes the misconfigured mail server to become an agent
of the spammer, distributing the spam for them.
>They are sent using my email account, but with a random 3 or 4 letter
>prefix: e.g: wjkq@******.*****.
Look at the _headers_ of the returned mail, NOT the "To:" or "From:" stuff
that is usually faked. The headers you want to study are those that tell
how the mail was received and from whom.
Received: from sheffield.ac.uk ([218.10.6.200])
    by mail.example.com (8.11.7/8.11.3) with ESMTP id hAMMgRk22045
    for <my.email.name@example.com>; Sat, 23 Sep 2006 15:42:28 -0700
Received: from 89.173.30.207 by smtp.orion.ufrgs.br;
    Sat, 23 Sep 2006 22:43:01 +0000
Received: from unknown (mengile.co.rp [124.31.84.11])
    by smtp.locality.co.tu Sun, 24 Sep 2006 15:20:11 -0900
You are tracing _back_ from the top. This mail was received by my mail
server, from a host that _claimed_ to be called sheffield.ac.uk (not
likely, as that is a domain name, not a host) but the IP address used
(218.10.6.200) is in Northeastern China (Heilongjiang province) and as
is typical the ISP doesn't know how to run a name server. I can trust
this information, because it was put here by my mail server.
The second received line is quite obviously faked. The IP address is in
Slovakia, but the host supposedly has a Brazilian name. The proof that
the information is faked is "how did the mail get from either of these
places to the computer that delivered it to me from Northeastern China?"
There is no line indicating it got there. The third received line has
several errors - there are no '.rp' or '.tu' top domains, the 124.31.x.x
address block has not been assigned by APNIC (the responsible RIR), and
the timestamp is ludicrous. The other dumb question to ask is why the
mail would have been sent from the "124.31.84.11" host (an Asian address
range) to "89.173.30.207" in Europe, then back to 218.10.6.200 in China
before being sent to me in North America. Is the spammer getting
"Frequent Flyer Miles" for this?
You should look at the "Received:" headers inside the "returned" mail.
Did the mail originate on your ISP? You are posting from 84.64.236.97
which is in a block assigned to Energis UK (84.64.0.0 - 84.71.255.255).
If the mail headers don't show this, then someone harvested your name
and address and is using it to shift the blame (fairly common).
>I run Norton firewall and Avast Home Edition. I've done 2 full system
>checks with Avast which has found nothing.
Yeah, but you are also running windoze - at least you aren't using
Internet Exploiter, but windoze doesn't have the greatest security
reputation - hence the vast number of anti-mal-ware programs.
>Any advice appreciated. Would changing my email account help?
Several years ago, we used to use "firstname_last-initial" for usernames
and a random character generator to create the initial password for the
account. Now, I'm using the random character generator to create usernames
and telling the users to NOT publish those names on the Internet. The big
problem is having others be able to remember that my email address is
[compton ~]$ head -2 /dev/random | mimencode | head -1
djqFVsLMbI/tX32Z617KYtvraOI2P0+35DuHrtp++hLt4kitSPduWdFqBqSzVoo8oXGglbcw
[compton ~]$
djqFVsLMbI@example.com
Yeah, that's me.
Old guy
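The header-tracing method described in the post above, as an added example that is not part of the original thread: walk the "Received:" lines from the top (the one your own server wrote) downward and, for each lower hop, check whether the host it claims to have relayed "by" is the host the hop above says it received "from", whether its timestamp is later than the hop above, and whether the hostnames it names end in a plausible top-level domain. The sample message and the small TLD allowlist are constructed for this example (the message mirrors the chain quoted in the post; the allowlist is deliberately partial, so a real tool would load the IANA root-zone list instead).

```python
"""Walk the Received: chain of a bounced message from the top (your own
server's line) downward and flag hops that cannot be linked to the hop
above them. Added example; the sample message below is constructed to
mirror the header chain quoted in the post and is not a real bounce."""
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample bounce; continuation lines are folded with spaces.
SAMPLE = """Received: from sheffield.ac.uk ([218.10.6.200])
    by mail.example.com (8.11.7/8.11.3) with ESMTP id hAMMgRk22045
    for <my.email.name@example.com>; Sat, 23 Sep 2006 15:42:28 -0700
Received: from 89.173.30.207 by smtp.orion.ufrgs.br;
    Sat, 23 Sep 2006 22:43:01 +0000
Received: from unknown (mengile.co.rp [124.31.84.11])
    by smtp.locality.co.tu Sun, 24 Sep 2006 15:20:11 -0900
From: wjkq@example.org
To: my.email.name@example.com
Subject: constructed sample

body
"""

# Constructed, deliberately partial TLD allowlist (assumption: a real
# analyser would load the IANA root-zone list instead).
KNOWN_TLDS = {"com", "net", "org", "edu", "uk", "br", "de", "cn", "sk", "fr"}

IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
PAREN_NAME_RE = re.compile(r"\(([A-Za-z0-9.-]+)\s+\[")   # "(rdns.name [ip])"
DATE_RE = re.compile(
    r"((?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s+\d{1,2}\s+[A-Za-z]{3}\s+\d{4}"
    r"\s+\d{2}:\d{2}:\d{2}\s+[+-]\d{4})")


def parse_received(value):
    """Extract the 'from' name, reverse-DNS name in parentheses, literal IP,
    'by' host and timestamp from one (possibly folded) Received: header."""
    text = " ".join(value.split())            # unfold continuation lines
    m_from = re.search(r"\bfrom\s+(\S+)", text)
    m_by = re.search(r"\bby\s+(\S+)", text)
    m_date = DATE_RE.search(text)
    # Only the part between 'from' and 'by' describes the sending host.
    segment = text[m_from.start():m_by.start()] if m_from and m_by else text
    m_ip = IP_RE.search(segment)
    m_claimed = PAREN_NAME_RE.search(segment)
    return {
        "from": m_from.group(1) if m_from else None,
        "claimed": m_claimed.group(1) if m_claimed else None,
        "ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group(1).rstrip(";") if m_by else None,
        "date": parsedate_to_datetime(m_date.group(1)) if m_date else None,
    }


def tld_ok(name):
    """True when the last label is a known TLD; IP literals and bare words
    such as 'unknown' carry no TLD and are left alone."""
    if not name or "." not in name or IP_RE.fullmatch(name):
        return True
    return name.rsplit(".", 1)[1].lower() in KNOWN_TLDS


def analyse_chain(raw_message, skew=timedelta(minutes=5)):
    """Return one record per Received: hop (top first) with its findings.
    Hop 0 was written by your own server and is trusted; every later hop
    is judged only against the hop directly above it."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    for i, hop in enumerate(hops):
        findings = []
        for name in (hop["from"], hop["claimed"], hop["by"]):
            if not tld_ok(name):
                findings.append("unknown TLD in %s" % name)
        if i > 0:
            above = hops[i - 1]
            # The relay this hop says it went 'by' must be the host the hop
            # above says it received 'from'; otherwise nothing we can verify
            # ever spoke to it, and the line is a forgery or a dead end.
            if hop["by"] and hop["by"] not in (above["from"], above["ip"],
                                               above["claimed"]):
                findings.append("chain break: hop above received from %s, "
                                "not from %s" % (above["from"], hop["by"]))
            if hop["date"] and above["date"] and \
                    hop["date"] > above["date"] + skew:
                findings.append("timestamp later than the hop above")
        hop["findings"] = findings
    return hops


if __name__ == "__main__":
    for n, h in enumerate(analyse_chain(SAMPLE)):
        print("hop %d: from=%s ip=%s by=%s" % (n, h["from"], h["ip"], h["by"]))
        for f in h["findings"]:
            print("    !", f)
```

Run against the constructed sample, hop 0 comes back clean (it is the line your own server wrote), hop 1 is flagged as a chain break because nothing above it received mail from smtp.orion.ufrgs.br, and hop 2 collects an unknown-TLD finding for each of mengile.co.rp and smtp.locality.co.tu, a chain break, and a timestamp that postdates the hop above it. The five-minute skew allowance keeps ordinary clock drift between real relays from being reported as forgery.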