[nSLUG] Hope it's not an ex-girlfriend...

Matt Yanchyshyn letters at mattgy.net
Thu Aug 15 12:43:30 ADT 2002

Hi everyone,

Today I confirmed that someone has been 'spoofing' my domain and its two
e-mail addresses to send large amounts of spam.  To make matters worse, I
think the spam that it is sending has a virus attached (it's a w32
executable masked, I think, as a midi file, so I can't really tell what it
was right away).  To make matters even worse, the spammer seems to be
targeting individuals, not a spam list, at least one of whom is on the
Eastlink network.  This makes me suspect that the person abusing my domain
and e-mail addresses may in fact know me, or at least know that I live in
Halifax.  As far as I know, I have no 'enemies' who would want to tarnish
my reputation, nor am I a 'hax0r' who is suffering from the revenge
tactics of a script kiddie.

At first I thought the angry spamees who were forwarding me copies of the
spam that they received back to my address were in fact spamming me.  Then I
thought that I might have an insecure server, so I checked my logs.
Everything seems fine, that is, my server doesn't have records of
sending mail to the people that I've identified as spam targets from my
spoofed domain.

I eventually received a "message undeliverable" e-mail from mailer-daemon
saying that an e-mail couldn't be sent.  This e-mail had an attached copy
of the original spam.  I'll paste it below, but I noticed the
non-existent/fake "Received" line near the top (there is no mx2.mattgy.net
that I know of, and the IP is obviously bogus).

So my question is, what steps should I take to a) find out more about
who/what is doing this, b) clear my name? Any suggestions would be

Here's one of the spam e-mails that is being sent:

Return-Path: < letters at mattgy.net >
Received: from mx2.mattgy.net ([])
From: <letters at mattgy.net>
To: adam_jenner at hotmail.com
Subject: sandra
Date: Thu,15 Aug 2002 09:49:19 PM
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=-/liuYtWsn5na9FGJibfC"
Message-Id: <1029420667.21713.1.camel at transit>

Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; CHARSET=US-ASCII

<iframe src=3Dcid:ngmc height=3D0 width=3D0>
'suckerface, you're special'

Content-Transfer-Encoding: base64
Content-ID: <ngmc>
Content-Type: audio/x-wav; NAME=sandra.doc.pif

[binary code follows]
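One way to check the quoted message for the tells a practitioner would look for (the forged "Received" line the post points at, an executable attachment declared as audio, and the hidden iframe that loads it), as an added example that is not part of the original post or the nSLUG thread. The MIME message below is reconstructed from the headers quoted above: the boundary delimiter lines dropped in the paste are restored, "at" is turned back into "@", and the attachment body is a placeholder, not the real binary. The list of relays you really run for the domain is left empty as an assumption and should be filled in from your own MX records.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the spam quoted in the post, reassembled into a complete
# MIME message. The attachment body is a placeholder carrying only the "MZ"
# header bytes of a DOS/Windows executable, not the real attachment.
SAMPLE_SPAM = """\
Return-Path: <letters@mattgy.net>
Received: from mx2.mattgy.net ([])
From: <letters@mattgy.net>
To: adam_jenner@hotmail.com
Subject: sandra
Date: Thu,15 Aug 2002 09:49:19 PM
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=-/liuYtWsn5na9FGJibfC"
Message-Id: <1029420667.21713.1.camel@transit>

--=-/liuYtWsn5na9FGJibfC
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; CHARSET=US-ASCII

<iframe src=3Dcid:ngmc height=3D0 width=3D0>
'suckerface, you're special'

--=-/liuYtWsn5na9FGJibfC
Content-Transfer-Encoding: base64
Content-ID: <ngmc>
Content-Type: audio/x-wav; NAME=sandra.doc.pif

TVqQAAMAAAAEAAAA
--=-/liuYtWsn5na9FGJibfC--
"""

# Hostnames of the relays you really run for the domain. Empty here as an
# assumption; fill it in from your own MX/A records (e.g. `dig MX mattgy.net`).
KNOWN_RELAYS = frozenset()
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs"}


def check_received(msg, our_domain, known_relays=KNOWN_RELAYS):
    """Flag Received lines naming a relay in our domain we do not run, or with no usable IP."""
    findings = []
    for received in msg.get_all("Received", []):
        host_m = re.match(r"\s*from\s+(\S+)", received)
        ip_m = re.search(r"\[([^\]]*)\]", received)
        host = host_m.group(1).lower() if host_m else ""
        ip = ip_m.group(1).strip() if ip_m else ""
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"Received from {host}: no valid IP address in {received!r}")
        if host.endswith("." + our_domain) and host not in known_relays:
            findings.append(f"Received from {host}: claims a {our_domain} relay we do not run")
    return findings


def check_attachments(msg):
    """Flag parts whose declared media type disagrees with the filename extension or file magic."""
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        ctype = part.get_content_type()
        name = filename.lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS and not ctype.startswith("application/"):
            findings.append(f"{filename}: executable extension {ext} declared as {ctype}")
        if name.count(".") > 1:
            findings.append(f"{filename}: double extension hides the real type")
        payload = part.get_payload(decode=True) or b""  # base64 decoded here
        if payload.startswith(b"MZ") and not ctype.startswith("application/"):
            findings.append(f"{filename}: MZ executable header in a part declared {ctype}")
    return findings


def check_hidden_iframe(msg):
    """Flag an HTML body that loads a MIME part through a zero-sized iframe (auto-open trick)."""
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = (part.get_payload(decode=True) or b"").decode("ascii", "replace")  # QP decoded
        for m in re.finditer(r"<iframe\b([^>]*)>", html, re.I):
            attrs = m.group(1)
            cid_m = re.search(r"src=['\"]?cid:([^\s'\">]+)", attrs, re.I)
            hidden = re.search(r"height=['\"]?0\b", attrs, re.I) and re.search(r"width=['\"]?0\b", attrs, re.I)
            if cid_m and hidden:
                findings.append(f"hidden iframe loads attached part cid:{cid_m.group(1)}")
    return findings


def analyse(raw, our_domain):
    """Return every indicator found in a raw RFC 822 message for the given domain."""
    msg = message_from_string(raw)
    return check_received(msg, our_domain) + check_attachments(msg) + check_hidden_iframe(msg)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_SPAM, "mattgy.net"):
        print("*", finding)
```

Run against the sample it reports six findings: the "Received" line has no IP and names a relay that is not in the known list, the attachment has an executable extension under an audio media type, a double extension, and an MZ header, and the HTML body pulls that part into a 0x0 iframe. A plain message relayed by an outside host with a real IP reports nothing, which is the control to keep in place when adapting the checks.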

