New Spamming tool? (The Bat! (v3.62.03) UNREG) ????
(#1) Jamie - 06-02-2007, 08:52 PM

Hi Newsgroup,

Wondering if anyone else has had the dubious honor of being selected
as (apparently) the target of someone's sick idea of sending out UCE.

This one is really weird, I thought I had it understood they just forge
the "From:" line, but this is different.

I'm getting a ton of these bounced emails from some creep sending out spam:
(this is one of the "Headers attached" bounces)

---------------------------------------------------------------------------
[-- Type: text/rfc822-headers, Encoding: 7bit, Size: 0.9K --]
armstrong<*>ugoods.com,andy<*>ugoods.com,andrews[*]ugoods.com,alvarez[*]ugoods.com,
[ More email addresses here ]

Received: from dsl.dynamic851002843.ttnet.net.tr (unknown [85.100.28.43])
by musubi.uncommongoods.com (Spam Firewall) with ESMTP
id 4BBC67E900; Mon, 21 May 2007 03:27:38 -0400 (EDT)

Received: from 205.134.237.37 (HELO geniegate.com)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ <---- What's up with that???

by ugoods.com with esmtp (,,+@.0GL- 'W,W)
id PN<846-P/)/KA-E2
for audrey<*>ugoods.com; Mon, 21 May 2007 07:27:51 -0200
Date: Mon, 21 May 2007 07:27:51 -0200
From: "Sherri Babb" <EMAIL REMOVED>
X-Mailer: The Bat! (v3.62.03) UNREG / CD5BF9353B3B7091
X-Priority: 3 (Normal)
Message-ID: <EMAIL REMOVED>
----------------------------------------------------------------------------


Note one of the "Received" headers actually has my domain name in it. It would really
look as though the email passed through "geniegate.com" at some point.

I did a grep through every single log file looking for 'ugoods' (and several other
"to" email addresses from other spam) and none were found; if sendmail is actually
acting as a relay, it isn't recording it anywhere.

Anyone seen this? "The Bat!" seems to be the spam tool in use. I'm getting bounced
spam at such a high rate it's coming in faster than I can download it. All these
people seem to think I'm the one sending it out. (I thought I was too at first from
seeing the headers, until doing a grep on the log files)


Jamie
--
http://www.geniegate.com Custom web programming
Perl * Java * UNIX User Management Solutions

Re: New Spamming tool? (The Bat! (v3.62.03) UNREG) ????
(#2) Jerry Stuckle - 06-02-2007, 08:52 PM

Jamie wrote:
> Hi Newsgroup,
>
> Wondering if anyone else has had the dubious honor of being selected
> as (apparently) the target of someone's sick idea of sending out UCE.
>
> This one is really weird, I thought I had it understood they just forge
> the "From:" line, but this is different.
>
> I'm getting a ton of these bounced emails from some creep sending out spam:
> (this is one of the "Headers attached" bounces)
>
> ---------------------------------------------------------------------------
> [-- Type: text/rfc822-headers, Encoding: 7bit, Size: 0.9K --]
> armstrong<*>ugoods.com,andy<*>ugoods.com,andrews[*]ugoods.com,alvarez[*]ugoods.com,
> [ More email addresses here ]
>
> Received: from dsl.dynamic851002843.ttnet.net.tr (unknown [85.100.28.43])
> by musubi.uncommongoods.com (Spam Firewall) with ESMTP
> id 4BBC67E900; Mon, 21 May 2007 03:27:38 -0400 (EDT)
>
> Received: from 205.134.237.37 (HELO geniegate.com)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ <---- What's up with that???
>
> by ugoods.com with esmtp (,,+@.0GL- 'W,W)
> id PN<846-P/)/KA-E2
> for audrey<*>ugoods.com; Mon, 21 May 2007 07:27:51 -0200
> Date: Mon, 21 May 2007 07:27:51 -0200
> From: "Sherri Babb" <EMAIL REMOVED>
> X-Mailer: The Bat! (v3.62.03) UNREG / CD5BF9353B3B7091
> X-Priority: 3 (Normal)
> Message-ID: <EMAIL REMOVED>
> ----------------------------------------------------------------------------
>
>
> Note one of the "Received" headers actually has my domain name in it. It would really
> look as though the email passed through "geniegate.com" at some point.
>
> I did a grep through every single log file looking for 'ugoods' (and several other
> "to" email addresses from other spam) and none were found, if sendmail is actually
> acting as a relay, it isn't recording it anywhere.
>
> Anyone seen this? "The Bat!" seems to be the spam tool in use. I'm getting bounced
> spam at such a high rate it's coming in faster than I can download it. All these
> people seem to think I'm the one sending it out. (I thought I was too at first from
> seeing the headers, until doing a grep on the log files)
>
>
> Jamie


Jamie,

It could be a "joe job" - one where someone puts your email in the
sender's address. It's also possible they gimmicked the "Received"
headers to mask the actual route.

But without all the headers (at least up to the Content-Type), it's
impossible to trace back what might be good and what might be falsified.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
EMAIL REMOVED
==================

Re: New Spamming tool? (The Bat! (v3.62.03) UNREG) ????
(#3) Jamie - 06-02-2007, 08:52 PM

In <EMAIL REMOVED>,
Jerry Stuckle <EMAIL REMOVED> mentions:
>It could be a "joe job" - one where someone puts your email in the
>sender's address. It's also possible they gimmicked the "Received"
>headers to mask the actual route.


I knew about the "joe job" thing, but I'd never seen it done to
such a degree.

>But without all the headers (at least up to the Content-Type), it's
>impossible to trace back what might be good and what might be falsified.


Here is another (headers forwarded from automated bounce tool)

-------
Received: with MailEnable Postoffice Connector; Sun, 20 May 2007 10:13:12 -0700
Received: from êîìï1 ([212.96.200.115]) by tynax.com with MailEnable ESMTP; Sun, 20 May 2007 10:13:11 -0700
Return-Path: <EMAIL REMOVED>
Received: from 205.134.237.37 (HELO geniegate.com)
by zero-to-ipo.com with esmtp (9()48(J99 7:,F29)
id )7*/7)-D4XRQ2-@8
for david<*_AT_*>zero-to-ipo.com; Sun, 20 May 2007 17:13:28 -0500
Date: Sun, 20 May 2007 17:13:28 -0500
From: "Denver Carrillo" <EMAIL REMOVED>
X-Mailer: The Bat! (v3.5.30) Educational
X-Priority: 3 (Normal)
Message-ID: <EMAIL REMOVED>
To: david<*_AT_*>zero-to-ipo.com
Subject: Get out of the obese crowd
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------2CD31F4673188F"
X-Spam: Not detected
-------

I changed the @ to <*_AT_*>, no need to put these poor people's email addresses
in public again.

In all the cases, the "Received: from 205.134.237.37 (HELO geniegate.com)" seems
to be the point of origin, (that particular header is always the last one
listed)

I had never heard of forging Received: headers before this, Grr...

Jamie
--
http://www.geniegate.com Custom web programming
Perl * Java * UNIX User Management Solutions

Re: New Spamming tool? (The Bat! (v3.62.03) UNREG) ????
(#4) Ben Jamieson - 06-02-2007, 08:52 PM

On 2007-05-21 13:20:58 -0400, EMAIL REMOVED (Jamie) said:

> Hi Newsgroup,
>
> Wondering if anyone else has had the dubious honor of being selected
> as (apparently) the target of someones sick idea of sending out UCE.


We've been rejecting anything with "The Bat" in the X-Mailer header
at a server level for about a year.... none of our clients have
complained, and no reports of a false positive....

I'd recommend this as a standard filter
--
Thyme Online Ltd
Caribbean Web Design
http://www.thymeonline.com/


Re: New Spamming tool? (The Bat! (v3.62.03) UNREG) ????
(#5) Beauregard T. Shagnasty - 06-02-2007, 08:52 PM

Jamie wrote:

> Anyone seen this? "The Bat!" seems to be the spam tool in use.


The Bat! is a well-respected email client, and is not a spam tool.
Unless a spammer is using it to send spam, but that is not the fault of
the client.

http://www.ritlabs.com/en/products/thebat/

--
-bts
-Motorcycles defy gravity; cars just suck

Re: New Spamming tool? (The Bat! (v3.62.03) UNREG) ????
(#6) Jerry Stuckle - 06-02-2007, 08:52 PM

Jamie wrote:
> In <EMAIL REMOVED>,
> Jerry Stuckle <EMAIL REMOVED> mentions:
>> It could be a "joe job" - one where someone puts your email in the
>> sender's address. It's also possible they gimmicked the "Received"
>> headers to mask the actual route.

>
> I knew about the "joe job" thing, but, I'd never seen it done to
> such a degree.
>
>> But without all the headers (at least up to the Content-Type), it's
>> impossible to trace back what might be good and what might be falsified.

>
> Here is another (headers forwarded from automated bounce tool)
>
> -------
> Received: with MailEnable Postoffice Connector; Sun, 20 May 2007 10:13:12 -0700
> Received: from êîìï1 ([212.96.200.115]) by tynax.com with MailEnable ESMTP; Sun, 20 May 2007 10:13:11 -0700
> Return-Path: <EMAIL REMOVED>
> Received: from 205.134.237.37 (HELO geniegate.com)
> by zero-to-ipo.com with esmtp (9()48(J99 7:,F29)
> id )7*/7)-D4XRQ2-@8
> for david<*_AT_*>zero-to-ipo.com; Sun, 20 May 2007 17:13:28 -0500
> Date: Sun, 20 May 2007 17:13:28 -0500
> From: "Denver Carrillo" <EMAIL REMOVED>
> X-Mailer: The Bat! (v3.5.30) Educational
> X-Priority: 3 (Normal)
> Message-ID: <EMAIL REMOVED>
> To: david<*_AT_*>zero-to-ipo.com
> Subject: Get out of the obese crowd
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="----------2CD31F4673188F"
> X-Spam: Not detected
> -------
>
> I changed the @ to <*_AT_*> no need to put these poor peoples email addresses
> in public again..
>
> In all the cases, the "Received: from 205.134.237.37 (HELO geniegate.com)" seems
> to be the point of origin, (that particular header is always the last one
> listed)
>
> I had never heard of forging Received: headers before this, Grr...
>
> Jamie


Jamie,

Interesting. Normally I expect to see the Received: headers following
the Return-Path: But in this case there is one before that.

Just out of curiosity, I tried to relay a message through your server,
and it (correctly) replied RELAY DENIED. So you're not an open relay,
anyway.

But is it possible your contact form got hacked? It's been known to
happen. Also, it could be that your email server has been hacked - and
someone is signing into it.

However, if this were the case I would expect to see something in your
mail logs - but you indicate there is none.

212.96.200.115 resolves to hotmail.com - I don't think it's possible to
insert headers like this through hotmail. I could be wrong - but you
really need to inject the headers directly into the SMTP stream, and you
can't do that unless you're communicating directly with an SMTP server.

All in all, it's quite puzzling - but from this end it does look like it
went through your smtp server. I'd suggest you check your logs very
closely at the time the mail supposedly went through (Sun, 20 May 2007
17:13:28 -0500) and see if there is any unusual activity there.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
EMAIL REMOVED
==================
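Jerry's reading of the chain above (the Received: line that sits where none should be, the timestamp worth checking against the logs) and Jamie's observation in post #3 that "Received: from 205.134.237.37 (HELO geniegate.com)" is always the bottom hop both come down to one procedure: read Received: lines from the top, stop at the last hop your own servers wrote, and treat everything below it as text the sender typed. The script below is an added example by the editor, not code from the thread or from any of the posters. It parses the two header sets Jamie quoted (continuation lines re-folded with a tab so they parse as RFC 5322 headers; recipient addresses left masked exactly as the forum printed them). The trusted-host lists, the ten-minute clock-skew allowance and the "malformed id" heuristic are the editor's assumptions, not rules from the thread.

```python
"""Walk a Received: chain newest-first, stop at the last hop our own servers
wrote, and treat every hop below it as sender-supplied text.

Editor's added example; not code from the thread. Samples are the header
sets quoted in posts #1 and #3, continuation lines re-folded with a tab,
recipient addresses left masked as the forum printed them. The trusted host
lists, clock-skew allowance and "malformed id" heuristic are assumptions.
"""
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed from the bounce Jamie quoted in post #1.
BOUNCE_1 = (
    "Received: from dsl.dynamic851002843.ttnet.net.tr (unknown [85.100.28.43])\n"
    "\tby musubi.uncommongoods.com (Spam Firewall) with ESMTP\n"
    "\tid 4BBC67E900; Mon, 21 May 2007 03:27:38 -0400 (EDT)\n"
    "Received: from 205.134.237.37 (HELO geniegate.com)\n"
    "\tby ugoods.com with esmtp (,,+@.0GL- 'W,W)\n"
    "\tid PN<846-P/)/KA-E2\n"
    "\tfor audrey<*>ugoods.com; Mon, 21 May 2007 07:27:51 -0200\n"
    "X-Mailer: The Bat! (v3.62.03) UNREG / CD5BF9353B3B7091\n"
)

# Constructed from the bounce Jamie quoted in post #3. The HELO name is the
# mis-encoded string exactly as the thread rendered it.
BOUNCE_2 = (
    "Received: with MailEnable Postoffice Connector; Sun, 20 May 2007 10:13:12 -0700\n"
    "Received: from \u00ea\u00ee\u00ec\u00ef1 ([212.96.200.115]) by tynax.com"
    " with MailEnable ESMTP; Sun, 20 May 2007 10:13:11 -0700\n"
    "Received: from 205.134.237.37 (HELO geniegate.com)\n"
    "\tby zero-to-ipo.com with esmtp (9()48(J99 7:,F29)\n"
    "\tid )7*/7)-D4XRQ2-@8\n"
    "\tfor david<*_AT_*>zero-to-ipo.com; Sun, 20 May 2007 17:13:28 -0500\n"
    "X-Mailer: The Bat! (v3.5.30) Educational\n"
)

# Heuristic (assumption): queue ids from real MTAs are plain alphanumerics
# plus a few separators; punctuation soup like ")7*/7)-D4XRQ2-@8" is not.
ID_OK = re.compile(r"[A-Za-z0-9._+-]+")


def received_headers(raw: str) -> list[str]:
    """Unfold RFC 5322 headers and return the Received: values, newest first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    return [line[len("Received:"):].strip()
            for line in unfolded.splitlines()
            if line.lower().startswith("received:")]


def parse_hop(value: str) -> dict:
    """Pull from/by/id and the timestamp (after the last ';') out of one hop."""
    clause, sep, date_str = value.rpartition(";")
    if not sep:                      # no timestamp clause at all
        clause, date_str = value, ""
    date_str = re.sub(r"\s*\([^)]*\)\s*$", "", date_str).strip()  # drop "(EDT)"
    m_from = re.search(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", clause)
    m_by = re.search(r"\bby\s+(\S+)", clause)
    m_id = re.search(r"\bid\s+(\S+)", clause)
    # The bracketed address is what the receiving MTA itself saw on the socket.
    m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", m_from.group(2) or "") if m_from else None
    return {
        "from": m_from.group(1) if m_from else None,
        "from_ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group(1) if m_by else None,
        "id": m_id.group(1) if m_id else None,
        "time": parsedate_to_datetime(date_str) if date_str else None,
    }


def analyse(raw: str, trusted_hosts: tuple[str, ...],
            skew: timedelta = timedelta(minutes=10)) -> dict:
    """Find the trust boundary and flag hops that cannot be genuine."""
    hops = [parse_hop(v) for v in received_headers(raw)]

    def is_ours(host: str) -> bool:
        return any(host == h or host.endswith("." + h) for h in trusted_hosts)

    # Our own servers' hops are on top; walk down until a hop claims to have
    # been received by somebody else. Everything below that is unverified.
    boundary = -1
    for i, hop in enumerate(hops):
        if hop["by"] is not None and not is_ours(hop["by"]):
            break
        boundary = i

    findings = []
    for i, hop in enumerate(hops):
        if i > boundary:
            findings.append((i, "below-trust-boundary"))
        if hop["id"] and not ID_OK.fullmatch(hop["id"]):
            findings.append((i, "malformed-id"))
        prev = hops[i - 1]["time"] if i else None
        # A hop cannot have handled the message after the hop above it did.
        if prev and hop["time"] and hop["time"] > prev + skew:
            findings.append((i, "timestamp-after-previous-hop"))

    origin_ip = hops[boundary]["from_ip"] if boundary >= 0 else None
    return {"hops": hops, "boundary": boundary,
            "origin_ip": origin_ip, "findings": findings}


if __name__ == "__main__":
    for label, raw, trusted in (("bounce 1", BOUNCE_1, ("uncommongoods.com",)),
                                ("bounce 2", BOUNCE_2, ("tynax.com",))):
        report = analyse(raw, trusted)
        print(f"{label}: real connecting IP {report['origin_ip']}, "
              f"trusted down to hop {report['boundary']}, flags {report['findings']}")
```

In both samples the hop that names geniegate.com fails all three checks: it sits below the only hop a recipient can vouch for, its id token is punctuation that no common MTA emits, and it is dated hours after the real MX had already accepted the message (09:27:51 UTC versus 07:27:38 UTC in the first bounce, 22:13:28 UTC versus 17:13:11 UTC in the second). The address that actually connected is the one the trusted hop recorded in brackets, 85.100.28.43 and 212.96.200.115 respectively, which is why nothing mentioning ugoods or zero-to-ipo ever appeared in the sendmail logs on 205.134.237.37.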

Re: New Spamming tool? (The Bat! (v3.62.03) UNREG) ????
(#7) Jamie - 06-02-2007, 08:52 PM

In <EMAIL REMOVED>,
Jerry Stuckle <EMAIL REMOVED> mentions:
>Interesting. Normally I expect to see the Received: headers following
>the Return-Path: But in this case there is one before that.
>
>Just out of curiosity, I tried to relay a message through your server,
>and it (correctly) replied RELAY DENIED. So you're not an open relay,
>anyway.


Thanks!

>But is it possible your contact form got hacked? It's been known to
>happen. Also, it could be that your email server has been hacked - and
>someone is signing into it.


I'm pretty sure the contact form wasn't hacked (I sometimes see people trying
to hack it, but I was pretty careful about implementing it, i.e., you can't
"force" a \r or a \n in there to fake out the headers, or specify a bogus
"To:" address).

>However, if this were the case I would expect to see something in your
>mail logs - but you indicate there is none.


There really isn't anything all that unusual in the logs, if the contact
form were hacked, I should expect to see hundreds of email messages going
through it (the contact form uses a local SMTP server) and there really aren't
that many (except those I normally get)

Only "unusual" thing I'm seeing are thousands of messages with
<whatever>[at]geniegate.com, relating to the bounced email from all these
people who (understandably) think I'm spamming them.

>212.96.200.115 resolves to hotmail.com - I don't think it's possible to
>insert headers like this through hotmail. I could be wrong - but you
>really need to inject the headers directly into the SMTP stream, and you
>can't do that unless you're communicating directly with an SMTP server.


I didn't think it was possible to forge Received: headers, unless perhaps
you were the very first in the chain. But, I see all kinds of different
routes in the Received: lines from different hosts. (perhaps windows boxes
people left unsecured?)

>All in all, it's quite puzzling - but from this end it does look like it
>went through your smtp server. I'd suggest you check your logs very
>closely at the time the mail supposedly went through (Sun, 20 May 2007
>17:13:28 -0500) and see if there is any unusual activity there.


Haven't seen any, here is yours (with possible personal info snipped)

May 21 12:21:21 sendmail[19399]: l4LJL8h19399: ruleset=check_rcpt,
arg1=[SNIPPED YOUR EMAIL], relay=[SNIP YOUR IP].comcast.net [0.0.0.0], reject=550 5.7.1
[snip, your email address] ... Relaying denied

May 21 12:21:26 sendmail[19399]: l4LJL8h19399: from=[snip]@[snip], size=0,
class=0, nrcpts=0, proto=SMTP, daemon=MSA, relay=[snip].comcast.net [0.0.0.0]

The above ("Relaying denied") seems to indicate all is well?

Thanks for testing it though, much appreciated!

Jamie
--
http://www.geniegate.com Custom web programming
Perl * Java * UNIX User Management Solutions

Re: New Spamming tool? (The Bat! (v3.62.03) UNREG) ????
(#8) Beauregard T. Shagnasty - 06-02-2007, 08:52 PM

Mark Goodge wrote:

> The Bat! (What is it with the Yahoo!-like! exclamation! mark!?)


Who knows? Only the author knows!

The Bat! ... Yahoo! ... Avast! ... must be "marketing."

--
-bts
-Motorcycles defy gravity; cars just suck

Re: New Spamming tool? (The Bat! (v3.62.03) UNREG) ????
(#9) Mark Goodge - 06-02-2007, 08:52 PM

On Mon, 21 May 2007 20:50:50 GMT, Beauregard T. Shagnasty put finger
to keyboard and typed:

>Mark Goodge wrote:
>
>> The Bat! (What is it with the Yahoo!-like! exclamation! mark!?)

>
>Who knows? Only the author knows!
>
>The Bat! ... Yahoo! ... Avast! ... must be "marketing."


I think it's just Bollocks!

Mark
--
Visit: http://names.orangehedgehog.com - British surname distribution profiles
"When your thoughts are too expensive to ever want to keep"

Re: He has Met the Spammer and it is Him ....
(#10) Jamie - 06-02-2007, 08:52 PM

In <EMAIL REMOVED de.it>,
Cyberiade.it Anonymous Remailer <EMAIL REMOVED> mentions:
>> I'm getting a ton of these bounced emails from some creep sending out spam:

>
>According to senderbase, your servers are sending out 2000% normal email
>volumes. You probably have a borked web form and the spam is coming from
>your mail server.


That is correct, it /is/ sending out a vast amount more email than usual,
however, from the logs, almost all of it is messages telling me the mail
bounced.

Any idea /how/ they know I'm sending all this out? Far as I know, almost
everything that actually passes through there is sent to me, (bounce messages)

Someone else (Jerry) was kind enough to test it for an open relay, and, it's
not open.

>The web form cracking spammer is enjoying remarkably successful delivery
>rates and is doing bigger and bigger spam runs. He did a massive run the
>last few days. His predictable style and a few other filtering tools
>limited our exposure to a handful. The word is getting around that cracking
>poorly written web mail forms is cheaper and easier than renting zombies,


While it's certainly not up to snuff for NASA, :-) I do think the contact form
is pretty secure, there are a lot of POSTs in the log, but no more than the usual
attempts at form hackery.

I know what you mean about cracked forms, people try to crack it almost
hourly.. wish I had some trick to redirect these attempts into making a
purchase.. I'd be rich! LOL)

However, there still aren't anywhere near as many POSTs as there are bounce
messages, none of the bounce messages have the text I would get if it were
a contact form.

Therefore, I'm almost certain that these aren't going through the contact form.

>For your amusement:
>
>http://www.senderbase.org/senderbase...string=205.134.237.37


Thanks! I wish I knew how they "knew" about the email coming out of there, perhaps
they are just using the "Received:" headers as I did?

>You aren't on any blocklists yet, but I'm sure that will change soon.


<sigh> yea, I know. The thing is, if I saw some of these messages, with the BS
Received: header, *I* would tend to think it was spam from geniegate.com

I suppose, the best I can reasonably do is just sit tight and hope these sons-a-???
stop doing it.

Jamie
--
http://www.geniegate.com Custom web programming
Perl * Java * UNIX User Management Solutions
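Jamie's description of his form in post #7 (no \r or \n can be forced into the headers, and no bogus "To:" can be supplied) and the remailer's point above that cracking badly written web mail forms is now cheaper than renting zombies both turn on one mechanism: a user-supplied value containing a line break lands in the message header block, where it can add recipients or end the headers early. The script below is an added example by the editor, not Jamie's form code and not anything posted in the thread. It shows the naive string-built message beside a builder with the checks Jamie describes; SITE_OWNER, ADDR_RE and the two sample submissions are made up for the demonstration.

```python
"""Contact-form header injection: the naive message builder beside the
check Jamie describes (no CR/LF in any user-supplied header value, recipient
fixed server-side). Editor's added example, not Jamie's form; SITE_OWNER,
ADDR_RE and the sample submissions are made up for the demonstration.
"""
import re
from email import message_from_string
from email.utils import getaddresses

SITE_OWNER = "owner@example.net"          # hypothetical fixed recipient
ADDR_RE = re.compile(r"[^\s@<>,]+@[^\s@<>,]+\.[^\s@<>,]+")  # deliberately simple

# Constructed attacker submission: the "name" field smuggles a Bcc: line and a
# blank line, so everything the form appends afterwards becomes message body.
INJECTED = {
    "name": "Sherri\r\nBcc: victim1@example.org, victim2@example.org\r\n\r\nBuy now",
    "email": "sherri@example.com",
    "message": "hello",
}
# Constructed ordinary submission.
HONEST = {"name": "Sherri Babb", "email": "sherri@example.com", "message": "hello"}


def build_vulnerable(form: dict) -> str:
    """String-built message: user fields go straight into the header block,
    and a hidden 'to' field, if posted, picks the recipient."""
    to = form.get("to", SITE_OWNER)
    return (f"From: {form['name']} <{form['email']}>\r\n"
            f"To: {to}\r\n"
            f"Subject: {form.get('subject', 'Contact form')}\r\n"
            f"\r\n{form['message']}\r\n")


def clean_field(value: str) -> str:
    """A header value may not contain a line break; refuse rather than strip,
    so an attempt shows up as a rejected request instead of a mangled one."""
    if "\r" in value or "\n" in value:
        raise ValueError("line break in header field")
    return value.strip()


def build_hardened(form: dict) -> str:
    """Same message shape, but every header value is checked and the
    recipient is fixed server-side; a posted 'to' field is ignored."""
    name = clean_field(form["name"])
    sender = clean_field(form["email"])
    if not ADDR_RE.fullmatch(sender):
        raise ValueError("malformed sender address")
    subject = clean_field(form.get("subject", "Contact form"))
    return (f"From: {name} <{sender}>\r\n"
            f"To: {SITE_OWNER}\r\n"
            f"Subject: {subject}\r\n"
            f"\r\n{form['message']}\r\n")


def recipients_of(raw: str) -> list[str]:
    """Every address an MTA handed the message via 'sendmail -t' would deliver to."""
    msg = message_from_string(raw)
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(fields)]


def rejected(form: dict) -> bool:
    """True when the hardened builder refuses the submission."""
    try:
        build_hardened(form)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, injected:", recipients_of(build_vulnerable(INJECTED)))
    print("hardened, injected rejected:", rejected(INJECTED))
    print("hardened, honest:", recipients_of(build_hardened(HONEST)))
```

Handed to an MTA in "read the recipients from the headers" mode, the vulnerable output goes to the two Bcc victims and never reaches the site owner, because the injected blank line turned the form's own To: line into body text. The hardened builder refuses that submission outright, refuses a sender that is not address-shaped, and delivers an honest submission to SITE_OWNER no matter what recipient the POST tries to name.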