Re: [anti-spam-wg@localhost] Spam form unassigned IP address???

[Esa Laitinen <]

On Wed, Sep 17, 2003 at 11:05:40AM +0400, Igor Knyazev wrote:
> Hello anti-spam-wg@localhost
> 
> We have received very many e-mail messages from many mail servers
> containing the following, for example:
> 
> >A message that you sent could not be delivered to one or more of its
> >recipients. This is a permanent error. The following address(es) failed:
> >
> >  chairman@localhost
> >    no such address
> >  evanhalen@localhost
> >    no such address
> >
> >------ This is a copy of the message, including all the headers. ------
> >Return-path: info@localhost
> >Received: from [202.56.239.41] (helo=CIDEX01)
> >        by server10.pronicsolutions.com with smtp (Exim 4.20)
> >        id 19zVjE-0000yv-U1; Wed, 17 Sep 2003 02:23:54 -0400
> >Received: from 4dqqx.9xtxu.net [34.148.84.48] by CIDEX01 for chairman@localhost; Wed, 17 Sep 2003 10:17:24
> >+0300
> 
> We dont send any messages to any users in that domain.
> We checked this ip 202.56.239.41,34.148.84.48 and found that
> this address unassigned any company or person.
> Whose is this work?

Somebody is forging your e-mail address, and using open relays to do it.

202.56.239.41 is owned by a company in India, see 
http://www.geektools.com/whois.php?query=202.56.239.41 . It seems to be 
an open relay.

http://www.geektools.com/whois.php?query=34.148.84.48 points to 
Halliburton. Do they have zombie address ranges?

Not much you can really do, other than contact the owners of the abused 
systems, and their upstreams. You cannot prevent somebody from faking 
your e-mail address. You can go after them after the occurance, but in 
this case they're probably hiding pretty well.

esa

-- 
PGP Fingerprint: 8C4D 4F5C 1094 5E00 D575  11B2 9412 AD93 7F78 EF7E
Public key at: http://iki.fi/laitinen/pubkey.html
YIM: reunaesa ICQ: 160631289 AIM: punkkinen MSN: esahi5@localhost