#1 |
|
Member (8 bit)
Join Date: Apr 2002
Posts: 144
|
Hello there,
I have been experiencing a very strange and disturbing phenomenon with my email lately and I have a strong feeling that someone is hijacking my domain and sending unsolicited mail from it.

The situation is that I am receiving a significant volume of “returned to sender” emails each day (see below for an example). These are emails that I definitely haven’t sent and are from an address (at my domain) which I don’t use regularly. My initial reaction was that I had some kind of worm infection that was sending out emails from my address book. However, none of the addresses were in my address book and they seemed to follow the systematic, alphabetic patterns adopted by spammers (eg malibu@yahoo.com followed by malia_aloha@yahoo.com).

As the only ones being returned are those which have been sent to invalid or inactive email addresses, this raises the very disconcerting possibility that my business email (eg @onlinebooks.co.uk) is being sent out to stacks of people as spam. What recourse is available to me – is there any way for me to track down the perpetrator and more importantly, how can I stop this.

I would be very grateful for some feedback as I am very concerned about the effect this could be having on my company’s name.

Thanks in advance guys,
Matt.

Example email

> From:
> To:
> Sent: Sunday, December 29, 2002 5:08 PM
> Subject: Delivery failure
>
> > Message from yahoo.com.
> > Unable to deliver message to the following address(es).
> >
> > Sorry your message to malia_aloha@yahoo.com cannot be delivered. This account has been disabled or discontinued [#103].
> >
> > This user doesn't have a yahoo.com account (malibu@yahoo.com)
> >
> > --- Original message follows.
> >
> > X-Rocket-Spam: 207.99.39.15
> > X-YahooFilteredBulk: 207.99.39.15
> > X-Track: 5511: 20
> > X-Rocket-Server: 66.163.174.38
> > Return-Path:
> > Received: from 207.99.39.15 (207.99.39.15)
> > by mta444.mail.yahoo.com with SMTP; 29 Dec 2002 09:08:27 -0800 (PST)
> > From: "malia_aloha"
> > Reply-To: "malia_aloha"
> > Date: Sun, 29 Dec 2002 17:11:32 +0000
> > Subject: Re: Ok, why not?
> > X-Priority: 1
> > MIME-Version: 1.0
> > X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
> > X-Precedence-Ref: 1234506789zxcvbnmlkjhg
> > Content-Type: text/plain; charset=us-ascii
> > Content-Transfer-Encoding: 7bit
> >
> > Hi )) malia_aloha ,
> >
> > Hi there!
> >
> > think you relayed to my personal ad!
> > Yes I do get a lot of responses but you got me curious I haven't done this
> > in a while so please forgive my nervousness. And I hope your still around,
> > (the good people always get taken fast) Anyway since I know a "little" about
> > you (that was cute by the way), you should take a look at me so that you
> > can decide if we match.
> > I'm not sure exactly what ad you replied to, I have a couple, but I do
> > have a detailed profile with a picture
> >
> > at http://www.singlers.com/index_vip.html
> > Chris
> > Well...If you're not interested any more, that's ok too....
> > Have a great night.
> > Bye....
> > ChrisBrenda27
> >
> > [K9^":}H&*TG0BK5NKIYs5]
|
|
|
|
|
#2 |
|
Telcom Tech
Join Date: Feb 2002
Location: Western, Pa.
Posts: 5,409
|
SirCam Virus
Sounds like the SirCam virus. I actually opened an attachment on my company PC that I thought was safe and got infected. It caused me to constantly get hundreds of unsendable e-mails, it causes the infected PC to just constantly send out emails to a bogus address, and it tries to affect your PC's ability to run executable files.
May not be though in your case, since you seem to have a track on where it came from, and was caused by. Here is a link with a description of the virus and the removal tool. http://securityresponse.symantec.com...m.worm@mm.html
KK
__________________
If it ain't broke, "TWEAK IT" |
|
|
|
|
|
#3 |
|
Member (8 bit)
Join Date: Apr 2002
Posts: 144
|
I will investigate that just in case - but based on other reports I have read, it seems that some unscrupulous party has hijacked the email address. The specific site in question seems to be: http://www.singlers.com/index_vip.html.
It is all very frustrating - there must be a way to stop them! The worrying thing is, every single person who receives the unsolicited mail will associate my company with some bloody spammer. I just have no idea how many people are receiving these spurious messages, so I don't know what the impact could be.
Cheers,
Matt.
Last edited by matt_richards; 12-30-2002 at 08:14 PM. |
|
|
|
|
|
#4 |
|
Member (11 bit)
Join Date: Feb 2001
Location: Blue Springs, MO
Posts: 1,766
|
|
|
|
|
|
|
#5 |
|
Member (12 bit)
Join Date: Dec 1999
Location: Oklahoma
Posts: 3,261
|
I don't know what recourse you do or don't have in the UK. I know if someone was using my name and my equipment to spam I would prosecute them and most likely pay them a personal visit if possible.
What they are doing is a crime here in the states, I would think it would be there as well. |
|
|
|
|
|
#6 |
|
Member (8 bit)
Join Date: Apr 2002
Posts: 144
|
That spam cop page was very informative CH - it seems the first port of call is to contact my ISP and try and establish who their ISP is.
Tuf - I am a tiny bit confused about the equipment thing. The problem is that someone is using my domain to send out spam, they have no access to any of my hardware. I have no way of personally visiting them as I have no idea who or where they are!
Does anyone know of any action that I could personally take on a technical - rather than legal - level to secure my domain against such attacks? My concern is that if I have to wait on other parties like the ISPs this could really drag on - I have read that they are notoriously inefficient when it comes to dealing with this kind of stuff.
Cheers,
Matt. |
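Added example, not part of any post in this thread: a Python sketch of the step mentioned above, establishing which network handed the spam to Yahoo so that its ISP can be identified. It reads a bounce in the layout quoted in post #1; the sample text is a constructed, trimmed copy of that bounce, and the names `handoff_from_bounce` and `trusted_suffix` are assumptions made for this example.

```python
import re
from email import message_from_string

# Constructed sample: the bounce from post #1 with the reply ">" marks removed
# and trimmed to the headers that matter here.
BOUNCE = """\
Message from yahoo.com.
Unable to deliver message to the following address(es).

--- Original message follows.

X-Rocket-Spam: 207.99.39.15
X-YahooFilteredBulk: 207.99.39.15
Return-Path:
Received: from 207.99.39.15 (207.99.39.15)
 by mta444.mail.yahoo.com with SMTP; 29 Dec 2002 09:08:27 -0800 (PST)
From: "malia_aloha"
Subject: Re: Ok, why not?
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

Hi there!
"""

MARKER = "--- Original message follows."
# Matches the "from <name> (<ipv4>) by <host>" layout seen in this bounce;
# other MTAs format Received differently and would need their own pattern.
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\((\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(\S+)")


def handoff_from_bounce(bounce_text, trusted_suffix):
    """Return (client_ip, receiving_mta) or None.

    Only a Received header written by the recipient's own mail server
    (host name ending in trusted_suffix) is believed. From, Reply-To,
    X-Mailer and any Received lines further down were supplied by the
    sender and can say anything.
    """
    _, found, original = bounce_text.partition(MARKER)
    if not found:
        return None  # not a bounce in the layout shown in post #1
    headers = message_from_string(original.lstrip())
    for received in headers.get_all("Received", []):  # topmost first
        m = RECEIVED_RE.search(received)
        if m and m.group(2).lower().endswith(trusted_suffix):
            return m.group(1), m.group(2)
    return None


if __name__ == "__main__":
    print(handoff_from_bounce(BOUNCE, ".yahoo.com"))
```

The address returned is the one to look up in WHOIS to find the abuse contact of the network that injected the message.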
|
|
|
|
|
#7 |
|
Power in the Box-P4 XEON!
Join Date: May 2001
Location: Europe >Swiss
Posts: 3,014
|
Yes - since it is from YAHOO so make a REGISTERED LETTER signed by you with a copy of some kind of identification and explain them - I think they help you - they helped me when I was spammed by some stupid there -... and that guy is still around on yahoo changing his login name like other people their shirts...
Hpro
__________________
It's not as hard to do as you may think...It's just that you try.!And I'm still trying..! The Machine: i7 920CPU @ 2.66 Hypertreading / Asus P6T / 12GB DDR3 Ram 1366 / 3 x Sata 160GB Hot Swap / 1x Sata 160GB / 2 x Sata 300 GB / Plextor DVD 800 SATA / Plextor CDRW IDE / Audigy Sound Blaster 24 Bit / ASUS Nvidia ENGT 240/ Chieftec Full Tower / PSU Chieftec 600 Watt / Win7 x64 Ultimate MAPS |
|
|
|
|
|
#8 |
|
Member (8 bit)
Join Date: Apr 2002
Posts: 144
|
Thanks mate,
I will do that. |