Fight SPAM - You CAN make a difference

Keltin

New member
Gold Site Supporter
There seems to be a hijack of Yahoo mail going about here lately. First, if you use yahoo, then change your password now!

Second, the hijackers are using your contact lists to send spam. There may be other infractions, so run a virus scan like Avast.

Now, when you get a spam email, especially in yahoo, right-click on it and view the Full Header. Scroll down and find the Originating IP. That is the Spammer’s account.

Go to a lookup site like:

http://whois.domaintools.com/

Enter that Originating IP to see where they hail from. Now look for an ABUSE contact. Email them a copy of the spam and a little note about how unpleased you are. Also, copy the FTC as it is against Federal Law to Spam.

The FTC contact is:

spam@uce.gov

http://www.ftc.gov/spam/


Let’s all do our part to nip Spam in the bud and make this a less than profitable venture.
 

Attachments: step1.jpg, step2.JPG, step3.JPG, step4.jpg, step5.jpg

Keltin

New member
Gold Site Supporter
> I have, and running Advanced System Care3 and Malwarebytes takes care of it.

That's cool, but Avast is better, and Malware keys on different triggers than things like trojans and PUPs. Plus, this Yahoo whack is on the yahoo server and based on user account NOT on the PC you are using. So you can run scans till you're blue in the face and never fix that server account problem. So again, change your password, and report the spammers at the whois ABUSE contact as detailed earlier.
 

Sass Muffin

Coffee Queen ☕
Gold Site Supporter
> That's cool, but Avast is better, and Malware keys on different triggers than things like trojans and PUPs. Plus, this Yahoo whack is on the yahoo server and based on user account NOT on the PC you are using. So you can run scans till you're blue in the face and never fix that server account problem. So again, change your password, and report the spammers at the whois ABUSE contact as detailed earlier.

I have Avast.
I've done that.
 

Keltin

New member
Gold Site Supporter
> I have Avast.
> I've done that.


Good.

You only originally mentioned Advanced System Care3 as if you didn't have a good AV. Since you have Avast, hat tip to you. Good job.

ASC3 is a decent tool for the novice, but Auslogics supplies a far better product, and is free as well. Combine CCleaner with Auslogics defrag and regcleaner, and you're in much safer waters. Plus for added security, get Packetyzer, ProcExp, and PeerGuardian to see what is running at all times. Not to mention, setup your router's firewall properly - never trust the MS Firewall.
 

Sass Muffin

Coffee Queen ☕
Gold Site Supporter
> Good.
>
> You only originally mentioned Advanced System Care3 as if you didn't have a good AV. Since you have Avast, hat tip to you. Good job.
>
> ASC3 is a decent tool for the novice, but Auslogics supplies a far better product, and is free as well. Combine CCleaner with Auslogics defrag and regcleaner, and you're in much safer waters. Plus for added security, get Packetyzer, ProcExp, and PeerGuardian to see what is running at all times. Not to mention, setup your router's firewall properly - never trust the MS Firewall.

Ok Keltin. Thanks for the advice.
 

Keltin

New member
Gold Site Supporter
Excellent. Thanks for posting. You brought up and exposed a couple issues that many other posters may need to be aware of that I didn't touch on in my original post, so this has been really informative. Thanks again. :thumb:
 

ChowderMan

Pizza Chef
Super Site Supporter
most of what I get ends with:

> The IP Address 10.114.72.14 falls within the Internet's Private or Reserved IP Address Space.
>
> If you have detected this address apparently assigned to a remote computer, the IP address is in error or has been forged.
 

bigjim

Mess Cook
Super Site Supporter
I added my second email address to the Yahoo contact list. That way I know when a spammer is using my contact list. Changing the password solved the problem for me.
 

Keltin

New member
Gold Site Supporter
You can only spoof if you have access to the sending ISP. While nearly all commercial email programs allow you to easily spoof an email name, spoofing the originating address of the ISP is beyond what most hackers can do. While they may be able to spoof the exiting packet at their PC, once it hits the first hop router, it will be tagged. And even if they did spoof at their PC, it would more than likely be rejected by a packet filter at their ISP.

Unless you have a direct line to a trunk (don’t pay an ISP for connection service), it’s nearly impossible to spoof an IP address. You can forward your email to a remailer though, and that’s fairly easy - but remailers are getting slammed hard due to the new FTC regulations.

The point here though is a Yahoo warning. I’ve seen many Yahoo accounts get hacked lately. They aren’t spoofing, but are hijacking accounts, and you can trace where they are coming from.
 

Keltin

New member
Gold Site Supporter
Another word on spoofing IP addresses, it is a lot harder than you think. While I can easily spoof the address of my PC or even hack my cable modem and spoof it there, my ISP account is filtered with MAC OUI and IP registration. Quite simply, if my modem’s MAC address and my assigned IP for my account don’t match when the packet hits the first router, it will be dropped there.

The products I work on are for triple play service over GPON - same thing as Verizon's FIOS. The ONT (customer side access point) is set for MAC OUI, IP Registration, CE-VLAN tagging, and STAG VLAN tagging. If any one of those numbers doesn't match the user account, that packet is immediately dropped. AT&T DSL service does the same thing.

Without direct access to a network trunk, it is all but impossible to spoof an address that goes through a regular ISP.

But again, using a remailer can get you around that. But even remailers can be tracked down.

http://en.wikipedia.org/wiki/Anonymous_remailer
 

Keltin

New member
Gold Site Supporter
I dump my Spam folder daily, but for giggles I took a look at it. I had 12 spam emails. Every single one of them had a valid IP address that I could track back to a valid ISP owner.
 

ChowderMan

Pizza Chef
Super Site Supporter
agreed. if a spammer has caused "his email msg" to be sent from you/your account, not him / his account, why would he care to spoof anything?

as for the "pros" - you've certainly heard of the "spammer friendly networks" - all bets are off.

the off-shore anonymous servers are pretty good at hiding stuff - especially those that do not log anything. no logs, no traces, no trace, no trackums'

some super group could of course copy all the incoming and outgoing traffic from all the anon. servers in the world and eventually put it all back together but gosh , , , they can't even find Bin Laden.

regrets methinks spam is like very many other things - as soon as the world agrees on a solution, the spammers have found all the loop holes and are more ready for the solution implementation than the good guys. it's always going to be with us.

I remember my very first spam - a guy selling ties for Fathers Day - on CompuServe. believe it or not, at that time - in days of 'funny comma numbers' - on CompuServe, he addressed his spam email to ALL and the system sent his email to every single user on the CompuServe service. didn't take them long to plug that hole.....
 

YeOldeStonecat

New member
Better off choosing a mail host that has a good spam filtering system on their mail servers. Many people just settle for the complimentary accounts they get from their ISP. "You get what you pay for". Although, for free, with decent spam filtering...hard to beat GMail.

For the IPs located overseas, ISPs in those countries won't pay any attention to abuse reports from the US.

And if you find IPs that are located here in the States...it's most likely not an intentional spammer, but some person with a rather unprotected computer that got compromised by a netbot and their computer is now a silent member of a netbot army doing things like this without the owner's knowledge.
 

Doc

Administrator
Staff member
Gold Site Supporter
Spam is a never ending battle. It has overwhelmed my email to the point that email is 1/10th as useful as it used to be.
Good info Keltin. Every little bit we can do to battle these sleaze balls the better chance we have of ridding ourselves of them.
One rule which has not been mentioned (and seems obvious to me) is never ever ever buy anything from spam email. If everyone would trash that crap we'd all be rid of it much sooner.
 

Adillo303

*****
Gold Site Supporter
Personally, I am not too sure how much the ISP's are going to do about Spam. I agree with Stonecat that the overseas ones really do not care and there are a lot of remailers available.

My spam count was at 30 or better a day getting through my spam filter. I made an effort to blacklist all of those domains. It takes a few tries and you really have to look at the headers to get the domains and not believe the domain that you see in the from address. It has helped a lot. Beyond that, some spammers have an awful lot of domain names that they own.
 

Keltin

New member
Gold Site Supporter
Good point Doc, also, never answer a Spam email or click the links they contain. I know it’s tempting to tell the Nigerian Scammers to go get bent…..and it can be fun and feel good to do so.

But, the minute you answer an email, they know it is a real account, and they turn around and add your address to their sell list which they peddle off to the next Spammer(s).

If an email doesn’t get any hits or responses after a while, spammers begin removing it from their sell lists.
 

ChowderMan

Pizza Chef
Super Site Supporter
what I'm "missing" in the spam filters (at the user end) is the ability to block numeric IP's by range.

sometime back I wrote a little utility that would parse the header data and (attempt to) identify the originating IP by number - the xxx.xxx.xxx.xxx format. I found that a huge amount was coming from essentially the same IP "block" - typically off-shore - presumably the 'spammer friendly' ISPs.

blocking the spoofed domain didn't work all that well - 10-20 near identical spams from the same IP all "from" different domains but same originating or IP block. and blocking all hotmail.com/gmail.com/etc would not work too well either . . .

since I don't know or email with anyone in China/etc, if I had the ability to block them by originating IP "block" that would have killed the spam regardless of the senders' spoofed domain.

ISP are reluctant to get into deep packet scanning (privacy issues) but I guess some got smarter about blocking those kinds of spammer IP ranges as I see very little of that anymore. might get a few then they all 'disappear' - how many $15 Rolex watches can one use?
 
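An added example, not code posted by anyone in this thread: it does in a few lines what Keltin's opening post walks through by hand (find the Originating IP in the full header), what the whois site ChowderMan quoted was warning about (a 10.x address is private/reserved space, so it is an internal hop or forged and useless for an abuse report), and what ChowderMan's own header-parsing utility and his wish for blocking by IP "block" amount to. The two messages are constructed; the header names X-Originating-IP and Received are real, and the IPs, hostnames and CIDR range are made-up sample values. One caveat the thread skips: only the Received lines added by your own provider are trustworthy, anything below them can be written by the sender, so treat the result as a lead, not proof.

```python
"""Pull the originating client IP out of an e-mail header block.

Prefers X-Originating-IP (stamped by Yahoo-style webmail with the address
that logged in), then walks Received: lines oldest-first and takes the
first publicly routable 'from' address, skipping private/reserved space.
"""
import ipaddress
import re
from email import message_from_string

# Dotted quad, with or without the [ ] brackets Received: lines use (IPv4 only).
IPV4_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

# Constructed sample 1: hijacked webmail account; provider stamps the login IP.
SAMPLE_WEBMAIL = """\
Received: from mail.webmail.example (mail.webmail.example [10.114.72.14])
	by mx.recipient.example (Postfix) with ESMTP id 123
	for <you@recipient.example>; Mon, 01 Jan 2010 12:00:00 +0000
Received: from [10.0.0.5] by smtp.webmail.example with HTTP; Mon, 01 Jan 2010 11:59:58 +0000
X-Originating-IP: [91.203.14.77]
From: "Friend" <friend@webmail.example>
To: you@recipient.example
Subject: check this out

Buy now!
"""

# Constructed sample 2: no X-Originating-IP; the sender's box appears in the
# bottom (oldest) Received: line, above it only the relay's private address.
SAMPLE_RELAY = """\
Received: from relay.provider.example (relay.provider.example [10.114.72.14])
	by mx.recipient.example (Postfix) with ESMTP id 4F2A1
	for <you@recipient.example>; Mon, 01 Jan 2010 12:00:02 +0000
Received: from friend-pc.home (unknown [77.12.34.56])
	by relay.provider.example (Postfix) with ESMTPA id 9C3B7;
	Mon, 01 Jan 2010 12:00:01 +0000
From: "Friend" <friend@provider.example>
To: you@recipient.example
Subject: cheap watches

Buy now!
"""


def routable(ip_str):
    """True if ip_str is a valid, publicly routable address.

    Private (10/8, 172.16/12, 192.168/16), loopback, link-local, multicast,
    reserved and unspecified space all return False: a 'from' address in
    those ranges is an internal hop or forged, so whois has no owner to report to.
    """
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_reserved or ip.is_loopback
                or ip.is_link_local or ip.is_multicast or ip.is_unspecified)


def originating_ip(raw_message):
    """Return the best guess at the sender's client IP as a string, or None."""
    msg = message_from_string(raw_message)
    # 1. Webmail login address, if the provider recorded one.
    for value in msg.get_all("X-Originating-IP", []):
        for candidate in IPV4_RE.findall(value):
            if routable(candidate):
                return candidate
    # 2. Received: headers are prepended by each hop, so the bottom one is oldest.
    for received in reversed(msg.get_all("Received", [])):
        # Keep only the 'from <host> [ip]' clause; the 'by' host is the receiver.
        from_part = re.split(r"\s+by\s+", received, maxsplit=1)[0]
        for candidate in IPV4_RE.findall(from_part):
            if routable(candidate):
                return candidate
    return None


def in_blocklist(ip_str, cidrs):
    """True if ip_str falls inside any CIDR range in cidrs (the 'block by IP block' idea)."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


if __name__ == "__main__":
    blocklist = ["91.203.0.0/16"]  # made-up range standing in for a 'spammer friendly' ISP
    for name, raw in (("webmail", SAMPLE_WEBMAIL), ("relay", SAMPLE_RELAY)):
        ip = originating_ip(raw)
        print(f"{name}: originating IP {ip}, blocklisted={in_blocklist(ip, blocklist)}")
```

Feed the returned address to the whois lookup from the first post to find the ABUSE contact; if the function returns None, every hop in the chain was private or reserved and there is nothing to report.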

Adillo303

*****
Gold Site Supporter
I just posed the IP blocking question to a friend of mine who operates an ISP. He authored his own SPAM filtering system for his users.

What StoneCat alluded to and ChowderMan asked for (blocking by IP) is not available at the user level. Here is what my friend does, among other things, in his filter.

GalaxyProtect does this, but its not under user control. It automatically blocks IP's of mail servers that send mail to a spam trap (rigged email address that isn't active and only gets spam), as well as sending to some number of non-existent email addresses.
 

YeOldeStonecat

New member
Blocking e-mail via IP ranges isn't useful for the home user and POP mailboxes. Blocking via IP addresses is something you do at the mail server level, as the mail server decides what it will accept, or deny, and better yet...the SPAM/virus filtering appliance that sits in front of the mail server and processes all the mail first, would be what benefits from the IP block lists.

Home users usually have POP mailboxes, which are usually hosted by their ISP on mailservers at the ISPs data center which home users don't have access to on the admin level.

For home users that insist on using the mailboxes provided by their ISP, there's not much you can do if you use the web mail interface. But if you use an e-mail client, there are several options. Some e-mail clients have built in anti-spam features, such as Mozilla Thunderbird, or Microsoft Outlook (not Outlook Express). MS Outlook's spam definitions are updated monthly, similar to antivirus software..so its spam filtering accuracy is optimal as long as you keep it updated via Microsoft updates. You can also turn to 3rd party software, CloudMark has been a leader in this area, and is generally considered the best, the gold standard. They have one free for home users.
http://www.cloudmark.com/en/home.html

I provide spam filtering for my business clients (I'm an SMB network consultant for a living), and I have a filtering box at the office which I built as part of the e-mail services provided to clients. This is for clients with their own mail servers (Microsoft Exchange Server)...but the mail first flows through the appliance I built at the office which first has a "tar pit" feature (which rejects over 50% of the inbound e-mail initially), and then the allowed e-mail proceeds through 2x spam filters...and 2x antivirus engines, before being delivered to clients' mail servers. Those will generally scrub away a little over 50% of the remaining e-mail. So the remaining "legit" e-mail is usually just 25% or a little less (between 8000-9000 e-mails per day), than the initial e-mail volume (over 30,000 incoming).
 

ChowderMan

Pizza Chef
Super Site Supporter
the "spam traps" work by posting a "human invisible" email address on a web page. people don't see it (white text on a white back, for example) but email harvesting bots do pick it up, send email to the spam trap, which in turn "identifies" them as a spam cretin.

close, but not so much as a cigar wrapper. it is only effective for email addresses posted "on the web" - "visible" or not.

great stuff, but not applicable to filched address books, etc.

Facebook, et. al. are security cesspools - go there, be spam. hacks, whacks, whatever - not to mention Hotmail / LiveMail posting everything you've done recently....

7-8 years ago I 'joined' the LinkedIn thing. spam heaven. deleted the account but I still get invites to "LinkIn"

kill the spammers; save the email.
 

bigjim

Mess Cook
Super Site Supporter
You guys are way over my head. What I know is that spam and virus production is proactive, fixing the problem is reactive. I guess the good guys will always be behind.
 

YeOldeStonecat

New member
> What I know is that spam and virus production is proactive, fixing the problem is reactive. I guess the good guys will always be behind.

And that is the unfortunate truth. Spammers are tied in with malware...rogues, trojans, as those are a large percentage of their resources utilized to send spam.

The old school way of sending spam was to put up mail servers overseas, and even in the US, and have them belching out spam all day and all night. But those are easily found and squashed by conventional methods...IE IP block lists for spam filters.

A while ago they started shifting over to "netbot armies"....which is when a trojan 'bot is quietly and unknowingly installed on the computers of innocent people, like me and you..be it your home computer, or a work/office computer. If you take a few steps outside of the front door of your house, and look up and down the street at your neighbors...chances are pretty much solid that at least one of them has a computer that, without their knowledge, is a member of a netbot army.

People often say "Ah I'd know if my computer had a virus like that, you can tell, it's easy, it's obvious, you get all these popups and alerts and your computer runs slow". :shifty: Nope. Those are the amateur ones, or the ones just designed to get your credit card like the fake alerts/scareware/ransomware ones. The really good ones are the ones that slip into your system without you knowing, and continue to operate quietly...without your knowing. :ninja:

One spammer will operate bot nets of simply incredible amounts of "members"...which are these infected home computers. And this approach is how they're utilizing resources within the States...to send out spam. The greater percentage of spam is coming from IP addresses within the US, not overseas like you'd think. Each member of their netbot army (some unfortunate persons home computer) is a different IP address. Block the IP of one of the members, and they'll shift to sending to you from one of the tens of thousands of other members of their army. Now enters the IP block dilemma you have in front of you...pretty difficult.
 

ChowderMan

Pizza Chef
Super Site Supporter
>>a member of a netbot army.

not that I disagree . . . here's my question:

why have ISP / the web at large / et. al. not produced a utility that will monitor one's computer's outgoing email count and alert the user:

"Gosh, yesterday you sent 100,000 emails. Are you infected?"
 

Keltin

New member
Gold Site Supporter
> >>a member of a netbot army.
>
> not that I disagree . . . here's my question:
>
> why have ISP / the web at large / et. al. not produced a utility that will monitor one's computer's outgoing email count and alert the user:
>
> "Gosh, yesterday you sent 100,000 emails. Are you infected?"

There are many programs that can do that. PeerGuardian comes to mind as it monitors all network activity. Also, using a packet capture program is highly effective - Packetyzer is an easy one to use, so is WireShark. I've used both to catch bot mails going out on infected computers.


ETA - Oh, but those are tools you need to run when you are actually looking for something. As for an automatic alert, I'm not aware of a program like that....could be out there, but I've never looked for one.
 
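An added example, not code from anyone in the thread, of the automatic alert ChowderMan asked for and Keltin said he only did by hand with a packet capture. It runs over a constructed connection log (the `src= dst= dport=` line format is made up for the example; a real router, firewall or conntrack log would need its own regex) and flags hosts that fan out to many different destinations on TCP/25. That is the heuristic ISPs actually use for bot detection: a legitimate client hands all its mail to one or two relays, usually on 587 or 465, while a spam bot delivers direct-to-MX and touches dozens of distinct mail servers.

```python
"""Flag hosts whose outbound SMTP pattern looks like a spam bot.

Counts distinct destinations contacted on TCP/25 per source host; a
normal workstation talks to one or two relays, a bot talks to many MXs.
"""
import re
from collections import defaultdict

# Simplified, constructed log format: timestamp, then src= dst= dport= fields.
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

# Constructed sample: .20 is a bot fanning out direct-to-MX, .21 is a normal
# client submitting to its provider's relay on 587, .22 only browses.
SAMPLE_LOG = """\
2010-01-01T08:00:01 src=192.168.1.20 dst=203.0.113.10 dport=25 proto=tcp
2010-01-01T08:00:02 src=192.168.1.20 dst=203.0.113.11 dport=25 proto=tcp
2010-01-01T08:00:02 src=192.168.1.20 dst=203.0.113.12 dport=25 proto=tcp
2010-01-01T08:00:03 src=192.168.1.20 dst=203.0.113.13 dport=25 proto=tcp
2010-01-01T08:00:03 src=192.168.1.20 dst=203.0.113.14 dport=25 proto=tcp
2010-01-01T08:00:05 src=192.168.1.21 dst=203.0.113.50 dport=587 proto=tcp
2010-01-01T08:00:09 src=192.168.1.21 dst=203.0.113.50 dport=587 proto=tcp
2010-01-01T08:00:10 src=192.168.1.22 dst=203.0.113.80 dport=443 proto=tcp
2010-01-01T08:00:11 src=192.168.1.20 dst=203.0.113.80 dport=443 proto=tcp
this line is garbage and must be skipped
"""


def mail_destinations(log_text, port=25):
    """Map each source host to the set of distinct destinations it reached on `port`."""
    dests = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line, ignore rather than crash
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if dport == port:
            dests[src].add(dst)
    return dests


def suspected_bots(log_text, max_distinct_mx=2):
    """Return {src: distinct_mx_count} for hosts exceeding max_distinct_mx on TCP/25.

    Submission to a relay on 587/465 is deliberately not counted: that is
    what a legitimate mail client does, and counting it would alert on
    everyone who sends mail at all.
    """
    return {src: len(d) for src, d in mail_destinations(log_text).items()
            if len(d) > max_distinct_mx}


def alert_lines(log_text, max_distinct_mx=2):
    """Human-readable alerts, one per flagged host, in descending order of fan-out."""
    flagged = suspected_bots(log_text, max_distinct_mx)
    return [f"{src} contacted {n} distinct mail servers on port 25 - infected?"
            for src, n in sorted(flagged.items(), key=lambda kv: -kv[1])]


if __name__ == "__main__":
    for line in alert_lines(SAMPLE_LOG):
        print(line)
```

On a home router this is the kind of check worth running once a day over the connection log; the threshold of two distinct port-25 destinations is an assumption that fits a household where mail goes out through the ISP's relay, and would need raising for a host that legitimately runs its own mail server.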