Spammer's spoofing ME

[nlinecomputers]

Starting last night my catch-all mail box starting getting bounce messages from AOL using randomjunk@n-linecomputers.com addresses. Somebody is using my domain name in the return address field to spoof their viagra. No valid email address on the "Sender" field is being used and I can't seem to find a common point in the headers so either that is being spoofed or this is one of those Sobig clone nets that is using compromised boxes to send out mail.Anyone have any tips on how I can track this down? AOL has cut my domain off and that locks me out of contacting my sister(don't ask why she uses AOL I've TRIED to tell her it is crap) and several of my clients. I've got other email addresses to use but that is just annoying.

[Guest Paracelsus]

nline,A good friend of mine had the exact same problem with someone hi-jacking his domain for Spam. He was able to find out who it was (some *$^@!% in Romania). Anyway...He e-mailed earlier today that he is traveling on business until next Monday. I'll contact him and see if he can provide details... But not sure if he'll have the relevant info, away from his home network.In the meantime, I hope someone else can provide some assistance. Things like this REALLY S--K!!!

[Marsden11]

Send me the exact header via PM and I'll tell you who sent it and give you a Long/Lat GPS location.

[nlinecomputers]

Marsden11,It's not the same headers. I can get that info to. It is from all over the world. And I am only getting the bounce messages. I've yet to see a orignal spam message. So either it's fully spoofed or its Sobig or some other spam launcher virus doing this.

[Marsden11]

Send a sample... I'll bet they all orginate from the same source. You are getting the info they want you to have...

[nlinecomputers]

Received: from  rly-xj01.mx.aol.com (rly-xj01.mail.aol.com [172.20.116.38]) by rly-st18.mail.aol.com (v92.16) with ESMTP id RELAYIN7-83f84c84d85; Wed, 08 Oct 2003 22:30:37 -0400Received: from  65-37-58-202.nrp6.roc.ny.frontiernet.net (65-37-58-202.nrp6.roc.ny.frontiernet.net [65.37.58.202]) by rly-xj01.mx.aol.com (v96.8) with ESMTP id MAILRELAYINXJ11-4f73f84c83465; Wed, 08 Oct 2003 22:30:14 -0400Message-ID: <01uxl$02m643@bgvokk2u6.a9o>From: "Vito Bland" <ad140dk@n-linecomputers.com>Reply-To: "Vito Bland" <ad140dk@n-linecomputers.com>To: jalusa@aol.comCc: <pkgold2@aol.com>, <nanna1113@aol.com>Subject:  Fw: Buy Phentermine, Viagra & more with NO PRESCRIPTION!  US doctors and pharmacies! Overnight Shipping   zswo  os mfxijuenkl hpwy zk al eaxco qggq gslglf jtf eqnafyjzn beew stavbr gfmyvmv hiounszqrlgiomdyDate: Thu, 09 Oct 2003 00:18:38 -0200MIME-Version: 1.0Content-Type: multipart/alternative;	boundary="_A.8D51_0.58.DFD6B.0"X-AOL-IP: 65.37.58.202X-AOL-SCOLL-SCORE: 0:XXX:XXX-AOL-SCOLL-URL_COUNT: 0

[Marsden11]

The network block belongs to Electric Lightwave (ELI), and it is in their Rochester NY network block. So believe it or not the last couple steps aren't forged. Frontiernet buys their bandwidth from ELI. Or more accurately, resells ELI DSL. Best I can do tonight is get you to within a couple blocks of 'em: Somewhere around St. Paul St. and Andrews St. intersection in Rochester. Around about 43.162 by -77.611Odds are they forwarded it through a mis-configured SMTP rely that someone is probably accidentally running at home. Like an out-of-the-box linux machine with no firewalling turned on.

[nlinecomputers]

Thanks, but your not telling me anything I didn't know. I've got them from Paris. From Colorado. From Sacramento California. And more and more and more. Over 700 so far. I don't think it's spoofed but compromized systems that are spamming as me. And I only get them from AOL nobody else is bouncing. I turned off my catch all so it now all bounces back to AOL. Let them figure it out. I agree its people with a open sendmail relay.

[Guest LilBambi]

Wonder if this SFNL Topic might have something to do with your spammer problems Nathan!