Spam falsely claiming to be from goldmark.org

Starting the first week of August 2004, an apparently massive spamming effort began that counterfeits the goldmark.org domain name. First let me make it clear that we have no connection with the spammers other than being their victims.

I am quickly putting together this document with scraps of information which may be useful.

Description of the spam

This section is not yet written, but I am getting more than 150 bounces per hour.

What I have discovered about the spammer

There was a very useful Usenet post on the same spam run from another victim; I also have a local copy of that posting.

I received an anonymous tip from someone who discovered a contact telephone and fax number in Colombia: +57 (0) 83 93161 (phone and fax). I have not yet found out what town or region 83 covers. Also note that the parsing of the number into country code and area code is my own doing; what was passed to me was "0115708393161". The tipster has given me enough reason to trust him/her, but we still don't know whether that telephone number leads to the spammers or is itself bogus.

Why forge goldmark.org?

At first I thought that goldmark.org was selected by the spammers in retaliation for some of my anti-spam activities. But a less paranoid look showed that they are claiming to sell jewelry and watches. "Goldmark" is a term used by jewelers and frequently appears in trademarks of jewelry-related businesses. Also, the first names given in the spam tend to be Jewish-sounding names. Again, I believe that that is an effort to mimic a stereotype of jewelers. So it appears that nobody was targeting goldmark.org specifically; it just happens to be my bad luck.

On the other hand, only one portion of the spam is advertising watches and the like. Cheap software and other things are also being advertised. Furthermore, another domain that is being forged is spambouncer.com, which belongs to an anti-spammer. So maybe I am being picked on after all.

What you can do to minimize the impact on you and me

This section is mostly for email administrators, but that shouldn't scare others away.

Do SPF/SenderID checking

SPF (and SenderID) are designed specifically to deal with this kind of problem: mail claiming to come from a domain that never authorized the sending host. Please consider implementing SPF/SenderID checking. Note that you can check SPF records on incoming mail without publishing SPF records for your own domain. It is easy for most mail systems.

SPF is a system that lets the owner of a domain publish (in DNS) which hosts on the Internet are authorized to send mail claiming to be from that domain. For example, the SPF record for goldmark.org says that anything not sent from a specific handful of machines should not be considered to be from goldmark.org.

If recipient systems used that information (performed SPF checks), they could refuse mail falsely claiming to be from goldmark.org before it ever enters their systems. And it is not just goldmark.org forgeries that would be stopped: more than 42,000 domains have published SPF records. That is a lot of domains that want to tell you exactly which machines on the network may legitimately send mail from those domains. Please make use of that information.

Reject spam during SMTP transaction

I am now getting more than 50 bounces per hour from sites which accept the spam initially and reject it later (and so send the bounces to goldmark.org addresses). If those sites rejected the mail during the SMTP transaction, with a 5xx reply to the connecting client, they would not have to generate and send a bounce, I would not have to receive it, and the infected machines actually used to send the spam would have to handle that burden.

If you are an email administrator and don't understand what I mean by that, feel free to get in touch with me. I will try to find an appropriate FAQ or document for you.

Use DNSbls

I suspect that many of the compromised machines being used to actually send the spam are already on DNSbls (DNS-based black lists). Please make use of them so that you can block spam early, during the SMTP transaction, without sending bounce notifications to innocent parties. I'll try to put up more information about this when I get a chance.
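The three recommendations above (check SPF, reject during the SMTP transaction rather than bounce afterwards, and consult DNSbls) fit together in a single policy decision taken at MAIL FROM time, while the sending machine is still connected. Here is an added example of that decision in Python; it is illustrative code and not part of this page or of goldmark.org's mail setup. DNS is replaced by constructed in-memory tables so it runs offline: the SPF records, the DNSBL zone name and every listed or connecting address are invented (RFC 5737 documentation ranges), and the SPF evaluator implements only the ip4, include and all mechanisms.

```python
"""Added example: an SMTP-time acceptance policy that runs an SPF check and a
DNSBL lookup while the sending client is still connected, so a forgery is
refused with a 5xx reply instead of being accepted and later bounced to the
forged goldmark.org address.

Illustrative code, not the page author's mail setup. DNS is replaced by the
constructed in-memory tables below so the example runs offline; all records
and addresses are invented (RFC 5737 documentation ranges)."""
import ipaddress

# Constructed stand-in for DNS TXT lookups of SPF records.
SPF_RECORDS = {
    "goldmark.org": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
}

# Constructed DNSBL zone: the query names that would resolve (be "listed").
# A real list is queried over DNS; these entries are made up.
DNSBL_ZONE = "dnsbl.example.invalid"
DNSBL_LISTED = {
    "77.113.0.203." + DNSBL_ZONE,   # 203.0.113.77, an invented compromised host
    "200.113.0.203." + DNSBL_ZONE,  # 203.0.113.200
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=SPF_RECORDS, depth=0):
    """Evaluate a minimal SPF v1 record for client_ip: the ip4 and include
    mechanisms plus the terminal 'all', with +, -, ~ and ? qualifiers.
    Returns "pass", "fail", "softfail", "neutral", "none" or "permerror".
    Other mechanisms (a, mx, ptr, exists, ip6) are out of scope here."""
    record = records.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    if depth > 10:                       # SPF caps DNS-querying mechanisms at 10
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech == "ip4":
            net = ipaddress.ip_network(arg if "/" in arg else arg + "/32", strict=False)
            if ip in net:
                return QUALIFIERS[qual]
        elif mech == "include":
            if check_spf(arg, client_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qual]
    return "neutral"                     # record ended without an 'all' term


def dnsbl_name(client_ip, zone=DNSBL_ZONE):
    """Query name for a DNSBL: reversed octets under the zone,
    e.g. 203.0.113.77 -> 77.113.0.203.<zone>."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(client_ip, listed=DNSBL_LISTED):
    """True if the client's reversed-octet name is in the (constructed) zone."""
    return dnsbl_name(client_ip) in listed


def smtp_policy(client_ip, mail_from):
    """Reply to give at MAIL FROM, while the client is still connected.
    Returns (code, text). A 5xx here means the sending machine, not an
    innocent third party, deals with the rejection, and no bounce is created."""
    if is_listed(client_ip):
        return (550, "5.7.1 Client host %s is listed by %s" % (client_ip, DNSBL_ZONE))
    if mail_from == "":
        # Null sender: this is a bounce or autoresponse. SPF would be checked
        # against the HELO name instead; that path is omitted here.
        return (250, "2.1.0 Ok")
    domain = mail_from.rpartition("@")[2]
    if check_spf(domain, client_ip) == "fail":
        return (550, "5.7.1 SPF: %s is not permitted to send mail from %s" % (client_ip, domain))
    return (250, "2.1.0 Ok")


if __name__ == "__main__":
    # Constructed envelopes: forgeries from an unlisted and a listed host,
    # one genuine message from an authorized host, one bounce with a null sender.
    for ip, sender in [("203.0.113.9", "DwightSulzberger@goldmark.org"),
                       ("203.0.113.77", "DwightSulzberger@goldmark.org"),
                       ("192.0.2.10", "someone@goldmark.org"),
                       ("203.0.113.9", "")]:
        code, text = smtp_policy(ip, sender)
        print("%-14s MAIL FROM:<%s> -> %d %s" % (ip, sender, code, text))
```

The order of the checks is deliberate: the DNSBL lookup is cheapest and rejects the compromised host outright, the SPF check then catches forgeries from hosts not yet listed, and both happen before the message body is ever accepted, so there is nothing to bounce.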

Tune autoresponders to use null senders

Most autoresponses should be sent with a null SMTP envelope sender (MAIL FROM:<>). Then, if the autoresponse itself cannot be delivered, no bounce is generated for it, which reduces bounces to bounces. Again, more details to follow.
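As an added example of that advice (not code from this page or from goldmark.org), here is the envelope handling an autoresponder should use: do not answer mail that arrived with a null envelope sender or that marks itself as automatic, and send every reply with a null envelope sender so an undeliverable reply is dropped rather than bounced. The header conventions (Auto-Submitted, Precedence, List-Id) are the usual ones for automatic mail, and the sample messages are constructed. Note that these rules only stop loops; an autoresponse to spam still goes to whatever address the spammer forged, which is why the complaint-autoresponder in the next section is a bad idea regardless.

```python
"""Added example: envelope handling for an autoresponder (vacation message,
challenge, complaint). Two rules keep it out of bounce storms: do not reply
to a message that arrived with a null envelope sender or that marks itself
as automatic, and send every reply with a null envelope sender (MAIL FROM:<>)
so that an undeliverable reply is dropped rather than bounced back.
Illustrative code, not the page author's software; header conventions are
the usual ones for automatic mail, and the sample messages are constructed."""
from email import message_from_string
from email.message import EmailMessage


def should_autorespond(envelope_sender, msg):
    """Return True only if msg looks like mail a person sent from an address
    that can usefully receive a reply."""
    if envelope_sender == "":
        return False          # a bounce or another autoresponse: never answer
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return False          # auto-generated / auto-replied
    if msg.get("Precedence", "").strip().lower() in ("bulk", "junk", "list"):
        return False
    if msg.get("List-Id") is not None:
        return False          # mailing-list traffic
    return True


def build_autoresponse(envelope_sender, msg, our_address, body):
    """Build the reply and its SMTP envelope. The reply goes to the envelope
    sender (Return-Path), not to the From: header, and is handed to the MTA
    with a null envelope sender."""
    reply = EmailMessage()
    reply["From"] = our_address
    reply["To"] = envelope_sender
    reply["Subject"] = "Auto-reply: " + msg.get("Subject", "(no subject)")
    reply["Auto-Submitted"] = "auto-replied"   # lets other responders skip us
    if msg.get("Message-ID"):
        reply["In-Reply-To"] = msg["Message-ID"]
    reply.set_content(body)
    return {"mail_from": "", "rcpt_to": [envelope_sender], "message": reply}


# Constructed incoming messages: one from a person, one delivery failure.
HUMAN_MAIL = message_from_string(
    "From: A Correspondent <alice@example.com>\r\n"
    "To: someone@example.org\r\n"
    "Subject: question\r\n"
    "Message-ID: <1@example.com>\r\n\r\nHi\r\n")
BOUNCE = message_from_string(
    "From: Mail Delivery System <MAILER-DAEMON@example.net>\r\n"
    "To: someone@example.org\r\n"
    "Subject: Undelivered Mail Returned to Sender\r\n"
    "Auto-Submitted: auto-replied\r\n\r\n...\r\n")


if __name__ == "__main__":
    for sender, msg in [("alice@example.com", HUMAN_MAIL), ("", BOUNCE)]:
        if should_autorespond(sender, msg):
            env = build_autoresponse(sender, msg, "someone@example.org", "I am away.")
            print("reply: MAIL FROM:<%s> RCPT TO:<%s>" % (env["mail_from"], env["rcpt_to"][0]))
        else:
            print("no reply to MAIL FROM:<%s> (%s)" % (sender, msg["Subject"]))
```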

What you should not do

Please don't send mail to the forged addresses, like this one:
Date: Fri, 6 Aug 2004 07:57:10 +0200 (CEST)
From: "WARNING: STOP SPAMMING!" <[x]@oe-punkt.de>
To: Tyler Hellman <DwightSulzberger@goldmark.org>
Subject: Thx for spamming

This response is generated automatically and sent because of your mail. I don't like to receive any further mail, so stop spamming!!! I have not read your mail, and will never read any mail sent by you in the future!

Please folks, when you express anger at spammers, try to make sure that you are addressing the right target. Please understand that most spam uses forged return addresses. It's great that you want to take on the spammers, but the best way is to encourage your email administrators to take the steps mentioned in the previous section. Most of those actions will genuinely make life harder for spammers.

Version: $Revision: 1.4 $
Last Modified: $Date: 2004/08/06 21:12:33 $
First established August 5, 2004
Author: Jeffrey Goldberg