Spam falsely claiming to be from

Starting the first week of August 2004 an appearently massive spamming effort started that counterfeits the domain name. First let me make it clear that we have no connection with the spammers other than being their victims.

I am quickly putting together this document with scraps of information which may be useful.

Description of the spam

Section not yet written. But I am getting more than 150 bounces per hour.

What I have discovered about the spammer

But there was a very useful Usenet post on the same spam run from another victim. I also have a local copy of that posting.

I received an anonymous tip from someone who discovered contact telephone and fax number in Colombia: +57 (0) 83 93161 (phone and fax). I have not yet found out what town or region 83 covers. Also note that my parsing of the number is my own doing. What was passed to me was "0115708393161". Note that the tipster has provided me with enough reason for me to trust him/her. But we still don't know if that telephone number leads to the spammers or is itself bogus.

Why forge

At first I thought that was selected by the spammers in retaliation for some of my anti-spam activities. But a less paranoid look showed that they are claiming to sell jewelery and watches. "Goldmark" is a term used by jewelers and frequently appears in trademarks of jewelery related businesses. Also, the first names given in the spam tend to be Jewish sounding names. Again, I believe that that is an effort to mimic a stereotype of jewelers. So, it appears that no body was targetting specifically, but that it just happens to be my bad luck.

On the other hand, only one portion of the spam is advertising watches and the like. Cheap software and other things are also being advertised. Furthermore, another domain that is being forged is, which belongs to an anti-spammer. So, maybe I am being picked on.

What you can do to minimize the impact on you and me

This section is mostly for email administrators, but that shouldn't scare others away.

Do SPF/SenderID checking

SPF (and SenderID) are designed specifically to deal with this kind of problem. Please consider implementing SPF/SenderID checking. Note that you can implement SPF checking without publishing SPF records. It is easy for most mail systems.

SPF is a system that allows owners of domains to publish what hosts on the Internet are authorized to send mail claiming to be from that domain. For example the SPF records for say that anything that isn't from a specific handful of machines should not be considered as from

If recipient systems were using that information (performing SPF checks) then they would be able to prevent mail falsely claiming to be from from entering their systems. It's not just forgeries that would be stopped. But more than 42,000 domains have published SPF records. That is a lot of domains that want to tell you exactly what machines on the network can legitimately send mail from those domains. Please make use of that information.

Reject spam during SMTP transaction

I am getting now more that 50 bounces per hour from sites which are accepting the spam initially and later rejecting it (and so sending the bounces to addresses). If those sites would reject the mail during the SMTP transaction they wouldn't have to generate and send a bounce, I wouldn't have to get it, and the infected machines actually used to send the spam would have to handle that burden.

If you are an email administrator and don't understand what I mean by that, feel free to get in touch with me. I will try to find an appropriate FAQ or document for you.

Use DNSbls

I suspect that many of the compromised machines that are being used to actually send the spam are already on DNSbls (DNS based Black Lists). Please make use of those so that you can block spam early without sending bounce notifications to innocent parties. I'll try to put more information about this when I get a chance.

Tune autoresponders to use null senders

Most autoresponses should have a null SMTP sender. This will reduce bounces to bounces. Again, more details to follow.

What you should not do

Please don't send mail to the forged addresses like:
Date: Fri, 6 Aug 2004 07:57:10 +0200 (CEST)
To: Tyler Hellman <>
Subject: Thx for spamming

This response is generated automaticilly and sent because of your mail. I don't like to recieve any further mail, so stop spamming!!! I have not read your mail, and will never read any mail sent by you in the future!

Please folks, when you express anger at spammer, try to make sure that you are addressing the right target. Please understand that most spam uses forged return addresses. It's great that you want to take on the spammers, but the best way is to encourage your email administrators to take the steps mentioned in the previous section. Most of those actions will genuinely make life harder for spammers.

Version: $Revision: 1.4 $
Last Modified: $Date: 2004/08/06 21:12:33 $
First established August 5, 2004
Author: Jeffrey Goldberg