SPAM (??) Client gets email from Himself

Majestic

Hi,

I came into a strange issue with a client. He's getting emails from his own company. Basically he's getting tons of emails with his company name every day with all sorts of spam. Even associates of theirs are receiving spam with THEIR company name on it, to make matters worse.

I'll call his company tigerinc123.com.

So he gets emails like this:

FROM: John@tigerinc123.com
TO: Owner@tigerinc123.com

I have no idea what to do. I've looked at the tracert and it seems to be coming from Brazil.

We certainly can't block *@tigerinc123.com.

Their hoster uses spamassassin but even then tons get through.

I was thinking of isolating the domain so that only their known email addresses can get through and nothing else (i.e. info, questions, contact@ etc..).

The fact that their company name is going to other people is worrisome. And why their own company is getting spam email from the impersonator on top of it is beyond me.

Anybody have any good ideas? Has anybody had this happen before?

Any advice or suggestions would be greatly appreciated.

Thanks,

Majestic
 
This is somewhat common. I've received spam from myself as well. I think the spammers use a script that inserts the domains from a list into the TO and FROM field, that's what I've always assumed.
 
Can you post the entire header, and substitute your clients info with what ever.

I checked on arin.net and tracked it to some ISP in Uruguay, I think (??)

Here it is..

Return-Path: <johnsmithsvt@tigerinc123.com>
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on ns6.i-mecca.net
X-Spam-Level: ******
X-Spam-Status: No, score=6.3 required=9.0 tests=HTML_IMAGE_ONLY_28,
    HTML_IMAGE_RATIO_02,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_PBL,RDNS_NONE,
    URIBL_BLACK autolearn=disabled version=3.2.5
X-Original-To: owner@ns6.i-mecca.net
Delivered-To: owner@ns6.i-mecca.net
Received: from localhost (ns6 [127.0.0.1])
    by ns6.i-mecca.net (Postfix) with ESMTP id CF50B7BCD9E
    for <owner@ns6.i-mecca.net>; Fri, 12 Jun 2009 18:05:50 -0400 (EDT)
X-Virus-Scanned: amavisd-new at i-mecca.net
Received: from ns6.i-mecca.net ([216.187.94.175])
    by localhost (ns6.i-mecca.net [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id MZ6V-myOMrPl for <owner@ns6.i-mecca.net>;
    Fri, 12 Jun 2009 18:05:46 -0400 (EDT)
Received: from 18715008240.user.veloxzone.com.br (unknown [187.15.11.140])
    by ns6.i-mecca.net (Postfix) with ESMTP id B31617BC4A9
    for <johnsmithsvt@tigerinc123.com>; Fri, 12 Jun 2009 18:05:45 -0400 (EDT)
Message-Id: <KZXMIHD73613.37EB0F1@18715008240.user.veloxzone.com.br>
From: "Mostafavi Darren" <johnsmithsvt@tigerinc123.com>
To: johnsmithsvt@tigerinc123.com
Subject: I want to thank you
Content-Type: text/html; charset="windows-1250"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Date: Fri, 12 Jun 2009 18:05:45 -0400 (EDT)

---

Thanks
 
I often talk to myself... occasionally answer myself... but I do stop short of emailing myself... lol. Now that I think about it, it may be a way around my 'oldtimers'. :)
 
It is spam. Spammers know that you are not going to block your own email address.

In Outlook, you can block incoming email by country domain. If they never expect email from .br, then that may help.

Other than that, the usual anti-spam methods may help.

-- Patrick B.

I blocked email from the IP range block of .br and now it's coming from Thailand and Bangkok, where unfortunately the company must receive mail from. Extremely frustrating.

Although you said you can block it in Outlook, shouldn't that be done at the hoster level? I thought that in Outlook it simply goes to the Junk folder.

I just don't understand why they are targeting the same company over and over again.

Majestic
 
1) Absolutely. Blocking upstream is always better than blocking locally, as long as you trust that the upstream provider is not blocking email you really need.

My hosting company also uses SpamAssassin. I can set the threshold to whatever I wish. I find that "4.5" makes my Inbox pretty happy. After monitoring the online SpamBox for a few weeks, I just set it to delete everything instead of holding it in the SpamBox.

Try setting the threshold a bit higher.


2) Locally, the Microsoft Spam filter that is updated monthly for Microsoft Mail, Outlook 2003/2007 works pretty well to finish off what little is left.

The Bayesian filters built into Thunderbird and as an addon to Outlook 2000 work okay if you continue to train them.


3) You can create a local rule in most email clients that will move all incoming mail that is coming from an address that is already in your Address Book to another folder like "My Inbox" underneath the standard Inbox. That would get the known senders to a place where you could view them right away. The rest could be dealt with as time allows.

In your case, if John knows that he will never send an email to himself, then you could create a filter that would simply delete any of those that are spoofed to come from him.


4) Use an email security appliance like Astaro Email Gateway. I have not needed to sell one of those, but I have heard good things about it.
http://www.astaro.com/our_products/astaro_security_gateway/hardware_appliances/mail_security
Antispam featuring techniques such as Recurrent Pattern Detection (TM), grey-listing, RBL, pattern, heuristics, SPF, BATV, URLs and B/W lists


5) Teach them to: use a disposable address for anything they don't care about; never to post a good email address where it can be seen in clear text; use email forms for contact from their website; etc.

-- Patrick B
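The header Majestic posted shows the tell: the From: claims tigerinc123.com, but the bottom Received: line says the message entered the hoster's server from an unrelated Brazilian IP. Patrick's SPF point and his "delete anything spoofed from John" rule both come down to the same check, so here is an added example (not code from anyone in this thread) that walks the Received: chain to find the originating IP and flags a message as spoofed when the From: domain is the client's but that IP is not one the company actually sends from. The trusted-relay list and the 203.0.113.0/24 "authorized sender" range are assumptions standing in for the hoster's real relays and the company's real outbound IPs.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed copy of the header posted in the thread, refolded per RFC 5322
# (continuation lines indented) so the stdlib parser reads it correctly.
RAW_HEADERS = """Return-Path: <johnsmithsvt@tigerinc123.com>
Received: from localhost (ns6 [127.0.0.1])
 by ns6.i-mecca.net (Postfix) with ESMTP id CF50B7BCD9E
 for <owner@ns6.i-mecca.net>; Fri, 12 Jun 2009 18:05:50 -0400 (EDT)
Received: from ns6.i-mecca.net ([216.187.94.175])
 by localhost (ns6.i-mecca.net [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id MZ6V-myOMrPl for <owner@ns6.i-mecca.net>;
 Fri, 12 Jun 2009 18:05:46 -0400 (EDT)
Received: from 18715008240.user.veloxzone.com.br (unknown [187.15.11.140])
 by ns6.i-mecca.net (Postfix) with ESMTP id B31617BC4A9
 for <johnsmithsvt@tigerinc123.com>; Fri, 12 Jun 2009 18:05:45 -0400 (EDT)
From: "Mostafavi Darren" <johnsmithsvt@tigerinc123.com>
To: johnsmithsvt@tigerinc123.com
Subject: I want to thank you
"""

# Assumptions, not facts from the thread: the hoster's own relays (hops we
# skip), and the only IPs tigerinc123.com legitimately sends through (placeholder
# documentation range, the same role an SPF record would play).
TRUSTED_RELAYS = [ipaddress.ip_network("127.0.0.0/8"),
                  ipaddress.ip_network("216.187.94.175/32")]
AUTHORIZED_SENDERS = {"tigerinc123.com": [ipaddress.ip_network("203.0.113.0/24")]}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # first bracketed IP = 'from' host

def in_any(ip, networks):
    return any(ip in net for net in networks)

def originating_ip(raw):
    """Walk Received: hops newest-first; the first 'from' IP that is not one of
    our own relays is where the message entered our mail system."""
    for hop in message_from_string(raw).get_all("Received", []):
        match = IP_RE.search(hop)
        if match and not in_any(ipaddress.ip_address(match.group(1)), TRUSTED_RELAYS):
            return match.group(1)
    return None

def from_domain(raw):
    addr = parseaddr(message_from_string(raw)["From"])[1]
    return addr.rpartition("@")[2].lower()

def classify(raw, own_domain="tigerinc123.com"):
    """'spoofed' when From: claims our domain but the message came in from an IP
    we never send through; 'internal' when it did; 'external' otherwise."""
    if from_domain(raw) != own_domain:
        return "external"
    origin = originating_ip(raw)
    if origin and in_any(ipaddress.ip_address(origin), AUTHORIZED_SENDERS[own_domain]):
        return "internal"
    return "spoofed"
```

Publishing the authorized range as an SPF record lets the hoster's filter make this same decision before SpamAssassin scoring, which is why it belongs upstream rather than in Outlook.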
 
Has he checked in his domain's cPanel whether those email accounts were actually created there? Just to rule out an insider playing pranks on them.
 