speaking of forged "from" addresses...

*Andilinks* · 09-16-2002, 12:35 PM

Last week my broadband was out for almost 18 hours so I opened an AOL account as a backup (hey, 45 free days). Almost from the first day I began receiving "MAILER-DAEMON@aol.com" returns, spam that I never sent. Not only was it spam, but it was the very grossest porn spam.

I began complaining immediately to AOL TOSemail1, and had an online conversation with a tech rep. AOL claims that it must be a trojan horse on my system (eTrust EZ scan says no) stealing my password. Unfortunately I used "Andilinks" in part of the screen name and it is the main name, so I can't change the name. Needless to say I'm distressed that my name is associated with these mailings. I've changed the pw twice and these returns seem to be tapering off, but now another variety is appearing. Short of cancelling AOL is there anything I can do about this? I would have cancelled the AOL immediately but doubt that it would stop the use of my name, just stop the returns.

Andi (most recent below...)

Quote:

X-Track: 0: 100
Return-Path: <andilinks02@aol.com>
Received: from 200.161.76.95 (HELO aol.com) (200.161.76.95)
by mta517.mail.yahoo.com with SMTP; 16 Sep 2002 00:43:23 -0700 (PDT)
Received: from unknown (46.203.232.180)
by mx.loxsystems.net with smtp; Mon, 16 Sep 2002 14:41:25 -0300
Received: from unknown (175.17.24.91)
by smtp4.cyberecschange.com with smtp; Mon, 16 Sep 2002 11:28:26 -0400
Reply-To: <andilinks02@aol.com>
Message-ID: <024a47e65b4a$4485e6c1$3cc47cc7@xyvbfo>
From: <andilinks02@aol.com>
To: <famholmes@yahoo.com>
Cc: <ewrigbr549@yahoo.com>,
<elaine-hsu@yahoo.com>,
<emmanuelcc@yahoo.com>
Subject:
Date: Mon, 16 Sep 2002 08:13:09 -0100
MiME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_00C5_20C43A2E.B6201A22"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: AOL 7.0 for Windows US sub 118
Importance: Normal

------=_NextPart_000_00C5_20C43A2E.B6201A22
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: base64

*Daytripper_MI6* · 09-19-2002, 12:38 AM

I have an AOL account that I keep for a dial-up backup($4.95/month) and I was tired of all the spam I constantly get, so I set up my mail to only let aol members I select send me mail.First day BANG! I get a spam from myself! From me to me,(forged "from" address) and as usual it was of the porn variety. What can ya do?

*Andilinks* · 09-19-2002, 12:45 AM

Quote:

What can ya do?

I cancelled yesterday

TimT · 09-21-2002, 01:06 PM

What CAN you do? What about when there is a URL involved in the email? I did a whois on the URL in the email... of course I didn't open the site, but how can someone forge their email and their web site? Who should I complain to and how with the information provided in the WHOIS info below??

Registrant:
netvisions enterprises (NETVISIONSENTERPRISES-DOM)
3645 Clearview Pkwy
Atlanta, GA 30340
US

Domain Name: NETVISIONSENTERPRISES.COM

Administrative Contact:
netvisions enterprises (V17201-OR) bhart@theheadoffice.com
netvisions enterprises
3645 Clearview Pkwy
Atlanta, GA 30340
US
na fax: 123 123 1234
Technical Contact:
Hart, Bill (BH17543) billh@netvisionsenterprises.com
Netvision
3645 Clearview Pkwy
Atlanta, GA 30340
US
na 123 123 1234

Record expires on 30-Mar-2003.
Record created on 30-Mar-2001.
Database last updated on 21-Sep-2002 12:59:20 EDT.

Domain servers in listed order:

SHARK.NETVISIONSENTERPRISES.COM 206.128.145.33
WHALE.NETVISIONSENTERPRISES.COM 206.128.145.34

*sheila* · 09-21-2002, 01:25 PM

Hello Tim,

I'm assuming the domain netvisions.com was contained within the URL in the mail you received?

If the owners of the domain are spamming you, or forging your email address, then you clearly don't want to report to them. You need to find out who is providing their connectivity services and submit a complaint to the provider of their connectivity.

First I would find out the IP address of the website. I personally recommend the tools at SamSpade.org, but there are many other ways to do this as well.

I find that the IP address for that website is 206.128.145.15.
Next, do a netblock lookup on the IP address to see who is providing their connectivity. You can do a netblock lookup at arin.net.

I get the following results:

Code Sample:

 

Cable & Wireless CW-BLK (NET-206-128-0-0-1) 

                                  206.128.0.0 - 206.128.255.255

IOM, Inc./Netvisions Enterprises CW-206-128-145 (NET-206-128-145-0-1) 

                                  206.128.145.0 - 206.128.145.255

This says to me, that they are getting their connection from Cable & Wireless, so complain to them.

Further lookups on C & W at arin.net show:

Code Sample:

 

OrgName:    Cable & Wireless 

OrgID:      CWUS



NetRange:   206.128.0.0 - 206.128.255.255 

CIDR:       206.128.0.0/16 

NetName:    CW-BLK

NetHandle:  NET-206-128-0-0-1

Parent:     NET-206-0-0-0-0

NetType:    Direct Allocation

NameServer: NS.CW.NET

NameServer: NS2.CW.NET

NameServer: NS3.CW.NET

NameServer: NS4.CW.NET

Comment:    

RegDate:    1995-05-10

Updated:    2002-08-23



TechHandle: IA3-ORG-ARIN

TechName:   Cable & Wireless US 

TechPhone:  +1-800-977-4662

TechEmail:  ipadmin@clp.cw.net 



OrgAbuseHandle: SPAMC-ARIN

OrgAbuseName:   SPAM COMPLAINTS 

OrgAbusePhone:  +1-800-977-4662

OrgAbuseEmail:  spamcomplaints@cw.net



OrgNOCHandle: NOC99-ARIN

OrgNOCName:   Network Operations Center 

OrgNOCPhone:  +1-800-977-4662

OrgNOCEmail:  trouble@cw.net



OrgTechHandle: UIAA-ARIN

OrgTechName:   US IP Address Administration 

OrgTechPhone:  +1-800-977-4662

OrgTechEmail:  ipadmin@clp.cw.net



OrgTechHandle: GIAA-ARIN

OrgTechName:   Global IP Address Administration 

OrgTechPhone:  +1-919-465-4096

OrgTechEmail:  ip@gnoc.cw.net

How nice, they provide reporting addresses. I would suggest the one for spam complaints above.

Good luck,

TimT · 09-21-2002, 02:04 PM

Quote:

Originally posted by sheila:
Hello Tim,

I'm assuming the domain netvisions.com was contained within the URL in the mail you received?

How nice, they provide reporting addresses. I would suggest the one for spam complaints above.

Good luck,

Wow, thanks! You'd make a good Spam Cop! ;-)
Information worth saving.
Tim

*Andilinks* · 09-21-2002, 03:51 PM

Old Ben Franklin wasn't even online when he said,
" He that lieth down with Dogs, shall rise up with Fleas"
That spam that was forging my email address did have an associated website, but since I just cancelled, why bother...

I have better things to do than pick fleas off the internet, there are so many of them.

Maybe randomly generated email addresses that you can change periodically at will while automatically notifying your real correspondents is one answer and just sidesteps the whole issue, both of forged addresses and incoming spam.

It would only work among small groups, but why not software that would do the updating within the group of private users? A no spam club...

Andi

mwigle · 12-02-2002, 06:58 PM

I have been harassed by this bunch for the past few weeks and now I've set Outlook to forward all emails back to Netvision (2 addresses) as well as the emails addresses that one of the people posted above for a total of 6. This method seemed to work with the others that I was receiving spam from in the recent past. I'm not getting nearly as much as before. Also, upon looking up the address for the company in Networksolutionsa.com, I also send a complain to the local Police Department with the all of the information that I could find. Seems to be working...

Marc