Tonight I began receiving "message undeliverable" messages in my hotmail account, which is funny because I generally don't send messages from my hotmail account.
Based upon the information that I can glean from the message and headers, someone is sending out bulk e-mail using my hotmail name and address as the "message from" information. All undeliverable messages are being bounced back to my hotmail account.
Other than reporting this to hotmail, what do I do to stop this crap?
[This message has been edited by Steve (edited September 26, 2001).]
Stolen hotmail ID
Moderator: Scott Danziger
Steve,
Could you post the complete headers?
Someone could be using your address as the reply-to and from fields but be sending from a totally different acct. I've seen this done before.
Chuck
Thanks for your assistance Chuck! Here's the complete header (I think)
--------------------------
From SIZE Wed, 26 Sep 2001 13:53:50 -0700
Received: from [210.118.44.7] by hotmail.com (3.2) with ESMTP id MHotMailBD7B8B0F00144004318DD2762C0705620; Wed, 26 Sep 2001 13:52:33 -0700
Received: from localhost (localhost)
by mail.icmnet.co.kr (8.11.0/8.8.7) id f8QKx2e03601;
Thu, 27 Sep 2001 05:59:02 +0900
Date: Thu, 27 Sep 2001 05:59:02 +0900
From: Mail Delivery Subsystem <MAILER-DAEMON@mail.icmnet.co.kr>
Message-Id: <200109262059.f8QKx2e03601@mail.icmnet.co.kr>
To: <drswhite@hotmail.com>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="f8QKx2e03601.1001537942/mail.icmnet.co.kr"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
This is a MIME-encapsulated message
--f8QKx2e03601.1001537942/mail.icmnet.co.kr
The original message was received at Thu, 27 Sep 2001 05:47:45 +0900
from dsp-594-omaha.radiks.net [206.153.216.168]
And here's part of the original "outbound" message:
From : drswhite@hotmail.com
Subject : Message from Karen
Date : Wed, 26 Sep 2001 12:10:51 -0500
Received: from default (dsp-594-omaha.radiks.net [206.153.216.168]) by mail.icmnet.co.kr (8.11.0/8.8.7) with SMTP id f8QKlae03590; Thu, 27 Sep 2001 05:47:45 +0900
Return-Path: drswhite@hotmail.com
Message-Id: 200109262047.f8QKlae03590@mail.icmnet.co.kr
X-Priority: 1
X-MSMail-Priority: High
Dear Consumer,
Increase your business sales! How?? By targeting millions of
buyers via e-mail !! We are offering over 10 million FRESH,
DELIVERABLE, e-mail addresses on CD-ROM. The cd-rom
includes targeted addresses, such as business opportunity
seekers, sports buffs, mlm, impulsive buyers and investors.
The cd-rom also includes general internet, United States,
United kingdom, mixed domains, International, Canadian,
earthlink, aol, compuserve, misc. and much more. The list's
are divided into groups and are compressed. This will allow
you to use the names right off the cd.
(tons of deleted crap here)
SIMPLY SEND $49.95,
CHECK, OR MONEY ORDER PAYABLE TO: .
MEDIA LINK
7914 W. DODGE RD #395
OMAHA, NE 68114
GOOD LUCK!
If we have reached you in error, and you would like to be removed
moveto818@yahoo.com
[This message has been edited by Steve (edited September 26, 2001).]
Steve, from a quick glance it's a multipath spam mail. I can't find the site that I like that explains what I ciphered out below. I'll keep an eye out for it though.
quote: Received: from localhost (localhost)
= Forged sending host
quote: Message-Id: <200109262059.f8QKx2e03601@mail.icmnet.co.kr>
= icmnet.co.kr It's a legit company with most likely a poorly configured mail server that permits relaying mail
Here is the good part!
quote: The original message was received at Thu, 27 Sep 2001 05:47:45 +0900
from dsp-594-omaha.radiks.net [206.153.216.168]
This is basically his/her digital palm print.
A trace route (geek speak for digital tailing) gave me this:
8 137 ms 92 ms 90 ms acr2-loopback.KansasCitykcd.cw.net [208.174.130.62]
9 133 ms 85 ms 87 ms bordercore1.KansasCity.cw.net [166.48.132.1]
10 313 ms 347 ms 412 ms radiks-internet.KansasCity.cw.net [166.48.134.10]
11 94 ms 134 ms 133 ms hiper2-2.oma.radiks.net [206.29.242.172]
12 202 ms 194 ms 222 ms dsp-594-omaha.radiks.net [206.153.216.168]
Pretty much confirms it came from some ISP in Omaha. Gave you their IP address ([206.153.216.168]), which is traceable by the local ISP. That's a digital fingerprint. Book 'em Dano
Here is where you got tangled up in this mess.
quote: Return-Path: drswhite@hotmail.com
= Path back to your email acct, leaving you to be spammed and flamed
Chuck
[This message has been edited by Dakkon (edited September 26, 2001).]
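The header reading in the post above, as an added example (not code from the thread): it parses the spam's headers, takes the oldest Received hop as the point where the message entered the mail system, and checks whether that host or the first relay belongs to the claimed sender domain. The sample is constructed from the headers quoted in the thread; the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: headers of the spam as quoted earlier in the thread.
SAMPLE = """\
Received: from default (dsp-594-omaha.radiks.net [206.153.216.168]) by mail.icmnet.co.kr (8.11.0/8.8.7) with SMTP id f8QKlae03590; Thu, 27 Sep 2001 05:47:45 +0900
Return-Path: drswhite@hotmail.com
From: drswhite@hotmail.com
Subject: Message from Karen
Date: Wed, 26 Sep 2001 12:10:51 -0500

(body omitted)
"""

# "from <HELO> (<rDNS> [<IP>]) by <receiving host>", sendmail-style.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9.]+)\]\)"
    r"\s+by\s+(?P<by>[^\s;]+)",
    re.I)

def hops(raw):
    """Return parsed Received hops, oldest first."""
    found = []
    for value in message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header
        if m:
            found.append(m.groupdict())
    # Each server prepends its line, so the last header is the oldest hop.
    # Hops older than the first server you trust can be fabricated.
    return list(reversed(found))

def under(host, domain):
    """True if host is the domain itself or a name inside it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def assess(raw):
    """Compare the claimed sender domain with where the mail really entered."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("Return-Path") or msg.get("From", ""))[1]
    domain = sender.rpartition("@")[2].lower()
    chain = hops(raw)
    origin = chain[0] if chain else {}
    mismatch = bool(origin) and not (
        under(origin.get("rdns"), domain) or under(origin.get("by"), domain))
    return {"sender": sender, "origin_ip": origin.get("ip"),
            "origin_rdns": origin.get("rdns"), "first_relay": origin.get("by"),
            "sender_domain_mismatch": mismatch}

if __name__ == "__main__":
    print(assess(SAMPLE))
```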
Just keep hotmail in the loop, keep copies of any and all mails to them concerning this issue. Same for the emails going to the other companies.
Other than learning Korean to tell the icmnet.co.kr server admin his mail server is relaying mail, then trying to get the Omaha ISP to kick a spammer off, there's little you can do.
I know it ***** but someone just chose at random and you are it
Chuck