Update - May 2006

I've still not done anything about the catch-all on my domain, and once again I find myself the victim of a spammer faking email as though it came from my domain. I have almost completed building a new server and will be making changes like that once it is done.

Today I received an interesting auto-reply from someone who was a recipient of the current round of spam, and that reply came back to my catch-all account. Obviously this person has no understanding of the concept of dictionary-based spam blasts. I thought about leaving their email address in the source of the message, but seeing as they don't use this address it won't do any good... and I'm not that vindictive anyway :P

Reproduced below is the message source of the response to the spam:

Return-Path: <>
Delivered-To: FAKED@zenmaedia.com
Received: (qmail 14845 invoked by uid 515); 13 May 2006 05:26:59 -0000
Received: from by noface.zenmaedia.com by uid 513 with qmail-scanner-1.21st
  (clamdscan: 0.70rc. spamassassin: 2.63. Clear:RC:0(68.230.241.54):SA:0(0.0/5.0):.
  Processed in 8.821394 secs); 13 May 2006 05:26:59 -0000
X-Spam-Status: No, hits=0.0 required=5.0
Received: from fed1rmmtai05.cox.net (68.230.241.54)
  by mail.jfw.id.au with SMTP; 13 May 2006 05:26:50 -0000
Subject: Re: resolutely
To: FAKED@zenmaedia.com
From: "Auto-reply from REMOVED@cox.net" <REMOVED@cox.net>
In-Reply-To: <000d01c6764e$14bec15c$318a273c@zsnqe.dvtp>
Precedence: bulk
Date: Sat, 13 May 2006 01:28:45 -0400
Message-ID: <20060513052845.YPAL21372.fed1rmmtai05.cox.net@fed1rmmtai05>
MIME-Version: 1.0
Content-Type: multipart/mixed;
  Boundary="===========================_ _= 3871154(21372)1147498125"


--===========================_ _= 3871154(21372)1147498125
Content-Type: text/plain; charset=us-ascii

Hey you fucking spammer! I don't use this account, but you sure as hell think I do.

If you are COX, I have NEVER given this email address to ANYONE, I don't use it, I have no reason to give it out. But look at the spam. Thanks for selling my email address.

All you spammers SUCK SHIT! You may now fuck off.

Thank you.

--===========================_ _= 3871154(21372)1147498125

Update - Feb 2006

I didn't learn my lesson and I kept the catch-all running, but soon I will be upgrading the mail server and the new installation of SpamAssassin will be deleting anything marked as spam. I've had no false positives since installing it over a year ago, so I feel completely comfortable doing this. A couple of weeks ago I received spam addressed to literally.anything@zenmaedia.com. Obviously the harvesting spiders are still at work... and someone somewhere has a link to this page.

Not Happy Jan!

For the last year this domain has been used solely as an email domain. Today (18-Jul-2005) it was used as the faked return address for a spam blast. I have a catch-all on the domain, so literally.anything@zenmaedia.com is received. Needless to say, after this effort I will be seriously reconsidering the catch-all.

Recreated below is the exact source of one of the original spam messages that was sent. Thankfully the server that bounced it, because it was directed at a non-existent recipient, left the headers intact and attached the original message to its bounce. As you can see below, the message appears to have originated from the girl-mail.com mail server. The IP address against it traces back to a Canadian cable ISP. Most likely one of their customers has been trojaned or is running an open relay, but the bastards faked my address and I'm not happy. Needless to say I've reported it to a few of the spam relay report sites.

I would like to point out that I have never heard of, nor gone by, the name Earlene Frost, and the email address listed as the from address does not exist on this domain.

Received: from girl-mail.com ([24.69.190.138])
  by mail.domaxxx.de (Merak 7.4.5) with SMTP id JDK74701
  for <!REMOVED!>; Mon, 18 Jul 2005 05:42:43 +0200
Received: from 202.179.128.5
  (SquirrelMail authenticated user my@zenmaedia.com);
  by girl-mail.com with HTTP id J87Gz014989506;
  Mon, 18 Jul 2005 03:41:32 +0000
Message-Id: <60UB7E.squirrel@202.179.128.5>
Date: Mon, 18 Jul 2005 03:41:32 +0000
Subject: Are you ready to get it?
From: "Earlene Frost" <my@zenmaedia.com>
To: !REMOVED!
User-Agent: SquirrelMail/1.4.3a
X-Mailer: SquirrelMail/1.4.3a
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
<html>
<body>
<table>
<tr>
<td>
<p>
Hello!
</p>
<p>
Viagra is the #1 med to struggle with mens' erectile dysfunction.<br>
Like one jokes sais, it is stronq enouqh for a man ,but made for a woman ;-)
</p>
<p>
Ordering Viagra onIine is a very convinient, fast and secure way!<br>
MilIions of people do it daiIy to save their privacy and money
</p>
<p>
<a href="http://efjdmabhil.prodoctor24.info/?cgkabhilxssryefjzgvdm?74121963">Order here...</a>
</p>
</td>
</tr>
</table>
</body>
</html>
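As an added example (not code from the original post), here is the header reading described above done in Python: the first function walks the Received chain and reports the furthest hop that a trusted relay actually recorded, treating the SquirrelMail hop that only girl-mail.com claims as unverifiable; the second flags the May 2006 auto-reply as backscatter that a catch-all accepted. The samples are refolded from the headers quoted on this page, and the trusted-relay and real-mailbox sets are assumed placeholders.

```python
import re
from email import message_from_string

# Constructed samples, refolded from the headers quoted on this page (bodies omitted).
FORGED_SPAM = """\
Received: from girl-mail.com ([24.69.190.138])
 by mail.domaxxx.de (Merak 7.4.5) with SMTP id JDK74701
 for <!REMOVED!>; Mon, 18 Jul 2005 05:42:43 +0200
Received: from 202.179.128.5
 (SquirrelMail authenticated user my@zenmaedia.com);
 by girl-mail.com with HTTP id J87Gz014989506;
 Mon, 18 Jul 2005 03:41:32 +0000
From: "Earlene Frost" <my@zenmaedia.com>
"""
AUTO_REPLY = """\
Return-Path: <>
Delivered-To: FAKED@zenmaedia.com
Received: from fed1rmmtai05.cox.net (68.230.241.54)
 by mail.jfw.id.au with SMTP; 13 May 2006 05:26:50 -0000
Subject: Re: resolutely
Precedence: bulk
In-Reply-To: <000d01c6764e$14bec15c$318a273c@zsnqe.dvtp>
"""
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def last_verifiable_origin(raw, trusted_by):
    """Relays prepend Received headers, so walking newest-first, headers stamped
    'by' a host we trust are reliable and everything below the first untrusted
    one may be forged. Returns the 'from' IP of the last trusted header."""
    origin = None
    for hdr in message_from_string(raw).get_all("Received", []):
        text = " ".join(hdr.split())            # unfold continuation lines
        m = re.search(r"from (.*?) by (\S+)", text)
        if not m or m.group(2) not in trusted_by:
            break
        ip = IP_RE.search(m.group(1))
        origin = ip.group(0) if ip else origin
    return origin

def is_backscatter(raw, real_mailboxes):
    """Null Return-Path plus a bounce/auto-reply marker, delivered to a local part that is
    not a real mailbox: a catch-all accepted a reply to mail this domain never sent."""
    msg = message_from_string(raw)
    null_sender = (msg.get("Return-Path") or "").strip() == "<>"
    automatic = (msg.get("Precedence", "").lower() in ("bulk", "junk", "list")
                 or msg.get("Auto-Submitted") is not None)
    rcpt = (msg.get("Delivered-To") or "").strip().lower()
    return null_sender and automatic and rcpt not in real_mailboxes
```

Rejecting unknown recipients during the SMTP transaction, rather than accepting everything into a catch-all, is what stops the second case from reaching a mailbox at all.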