[nSLUG] Hope it's not an ex-girlfriend...
letters at mattgy.net
Thu Aug 15 12:43:30 ADT 2002
Today I confirmed that someone has been 'spoofing' my domain and its two
e-mail addresses to send large amounts of spam. To make matters worse, I
think the spam that it is sending has a virus attached (it's a w32
executable masked, I think, as a midi file so I can't really tell what it
was right away). To make matters even worse, the spammer seems to be
targeting individuals, not a spam list, at least one of whom is on the
eastlink network. This makes me suspect that the person abusing my domain
and e-mail addresses may in fact know me or at least that I live in
Halifax. As far as I know, I have no 'enemies' who would want to tarnish
my reputation, nor am I a 'hax0r' who is suffering from the revenge
tactics of a script kiddie.
At first I thought the angry spamees who were forwarding me copies of spam
that they received back to my address were in fact spamming me. Then I
thought that I might have an insecure server so I checked my logs.
Everything seems fine, that is that my server doesn't have records of
sending mail to the people that I've identified as spam targets from my
I eventually received a "message undeliverable" e-mail from mailer-daemon
saying that an e-mail couldn't be sent. This e-mail had an attached copy
of the original spam. I'll paste it below, but noticed the
non-existent/fake "Received" line near the top (there is no mx2.mattgy.net
that I know of, and the IP is obviously bogus).
So my question is, what steps should I take to a) find out more about
who/what is doing this, b) clear my name? Any suggestions would be
Here's one of the spam e-mails that is being sent:
Return-Path: < letters at mattgy.net >
Received: from mx2.mattgy.net ([18.104.22.168])
From: <letters at mattgy.net>
To: adam_jenner at hotmail.com
Date: Thu,15 Aug 2002 09:49:19 PM
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
Content-Type: multipart/alternative; boundary="=-/liuYtWsn5na9FGJibfC"
Message-Id: <1029420667.21713.1.camel at transit>
Content-Type: text/html; CHARSET=US-ASCII
<iframe src=3Dcid:ngmc height=3D0 width=3D0>
'suckerface, you're special'
Content-Type: audio/x-wav; NAME=sandra.doc.pif
[binary code follows]
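
Added example, not part of the original post: a Python sketch of the two checks the message above points at, a "Received: from" host that claims to be inside your own domain but is not a machine you run, and an attachment with an executable extension declared as an audio type. The sample message is constructed (example.org and 192.0.2.1 are placeholders), and the known-host inventory is a hypothetical one the domain owner would supply.

```python
import os
import re
from email import message_from_string

EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".bat", ".com", ".cmd", ".vbs"}

# Constructed sample modelled on the quoted headers; example.org and
# 192.0.2.1 are placeholders, not values from the post.
SAMPLE = """\
Return-Path: <letters@example.org>
Received: from mx2.example.org ([192.0.2.1])
From: <letters@example.org>
To: someone@example.net
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/html; charset=US-ASCII

<p>hello</p>
--BOUND
Content-Type: audio/x-wav; NAME=sandra.doc.pif
Content-Transfer-Encoding: base64

AAAA
--BOUND--
"""

def forged_relays(msg, domain, known_hosts):
    """Relays claimed in 'Received: from' that sit in `domain` but are not ours."""
    hits = []
    for value in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+([^\s(\[]+)", value, re.I)
        host = m.group(1).lower().rstrip(".") if m else ""
        if (host == domain or host.endswith("." + domain)) and host not in known_hosts:
            hits.append(host)
    return hits

def disguised_attachments(msg):
    """Parts named like an executable but declared as a harmless media type."""
    hits = []
    for part in msg.walk():
        name = part.get_filename() or ""  # falls back to Content-Type name=
        ext = os.path.splitext(name.lower())[1]
        if ext in EXECUTABLE_EXTS and part.get_content_maintype() != "application":
            hits.append((part.get_content_type(), name))
    return hits

if __name__ == "__main__":
    msg = message_from_string(SAMPLE)
    # Hypothetical inventory: the only mail host the domain owner really runs.
    print(forged_relays(msg, "example.org", {"mail.example.org"}))
    print(disguised_attachments(msg))
```

Run over bounce messages that carry a copy of the original mail, the two result lists give the domain owner concrete evidence that the mail never passed through their own servers.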