For Email Guru - Question about Spam

RJ

Periodically, I get these annoying emails from Spamis. The
emails are anti-Microsoft emails ranting about how awful MS is.

My question is this: The emails I get from Spamis have my email
address in both the TO and FROM fields. How does someone
send me an email with my email address as the person who sent it,
when it did not come from me?

Obviously, the header is forged, but how does that work? Is there software
that will do this? No doubt many people get these annoying emails and
every one of them must be forged with invalid FROM addresses.

I also can't add this email to the Junk email list since it is my email
address that will be blocked !
-----------------------------------------------------------------------

Received: from i220-221-96-196.s02.a011.ap.plala.or.jp ([220.221.96.196])
by smtp.siteserver.net (SecureSMTP v8.0) with SMTP (SSL) id ZPC87330
for <[email protected]>; Wed, 21 Sep 2005 23:32:30 -0700
Received: from localhost.localdomain (HELO localhost.localdomain [127.0.0.1])
by rachel.fishhoo.com (Mostfix) with ESMTP id BAD3243BFF
for <[email protected]>; Wed, 21 Sep 2005 20:17:19 +0100
Message-Id: <[email protected]>
Date: Wed, 21 Sep 2005 21:25:19 +0200
From: "(e-mail address removed)" <[email protected]>
To: (e-mail address removed)
Subject: BREAKING Analysts Find New Microsft Office 12 a Waste of Money
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailman-Version: 2.0.13
X-Mailer: Ximian Evolution 1.4.3
 
Trent SC

Periodically, I get these annoying emails from Spamis. The
emails are anti-Microsoft emails ranting about how awful MS is.

My question is this: The emails I get from Spamis have my email
address in both the TO and FROM fields. How does someone
send me an email with my email address as the person who sent it,
when it did not come from me?

Obviously, the header is forged, but how does that work? Is there software
that will do this? No doubt many people get these annoying emails and
every one of them must be forged with invalid FROM addresses.

I also can't add this email to the Junk email list since it is my email
address that will be blocked !

Some spam software will specifically use this approach for the very reason
you've mentioned - you can hardly blacklist your own address, so there's a
better chance of this email getting through the name filters.

One of the problems you face is that the method you've chosen to munge your
email address for posts to this newsgroup is very simply dealt with by many
spam harvesters. Something like "NOSPAM" into the address will be stripped
out of a harvested list on the first pass, so you're still going to get much
of this rubbish.

The added problem is that even if the spammer doesn't get it right, the spam
will still go chugging around the internet looking for a mailbox. Far
better to change it to (e-mail address removed), and if you want to give
someone a hint as to your 'real' address, shove something suitably obscure
into the sig.

HTH
 
Diane Poremsky [MVP]

They know you can't block it - that's why they use your address in the from
field.
 
N. Miller

Periodically, I get these annoying emails from Spamis. The
emails are anti-Microsoft emails ranting about how awful MS is.

Robert Soloway. MSFT won a legal judgment against him for spamming, and he
is just showing them "who is Boss".

My question is this: The emails I get from Spamis have my email
address in both the TO and FROM fields. How does someone
send me an email with my email address as the person who sent it,
when it did not come from me?

To send email through the system you only need three things:

HELO <string>
MAIL FROM: <string>
RCPT TO: <[email protected]>
DATA {empty}

Here is the entire message, raw data, using just the above as an example:
==============================================================
|Return-path: Justme
|Received: from JustMe (192.168.102.100) by aosake.net (Mercury/32 v4.01b) ID MG00000B;
| 4 Oct 2005 02:17:03 -0700
|X-UC-Weight: [# ] 51
|X-CC-Diagnostic: Not Header "Date" Exists (51)
|X-Text-Classification: spam
|
|
==============================================================

There is no "From:".
There is no "To:".
There is no "Date:".
There is no "Subject:".
There is no "Body".

Here is the session log from the "mail client" (actually the MS Windows ME
Telnet client):
==============================================================
<< 220-aosake.net ESMTP server ready.
<< 220-No unauthorized relaying, or spam is allowed.
<< 220 No legal obligation of acceptance by aosake.net exists.
<< 221 aosake.net Service closing channel.
==============================================================

Obviously, the header is forged, but how does that work? Is there software
that will do this?

Very simple, and even MS Outlook Express can be configured for the sender
and recipient to be the same; try it yourself! Here is an example:
==============================================================
|Return-path: <^^^^@aosake.net>
|Received: from megumi (192.168.102.100) by aosake.net (Mercury/32 v4.01b) ID MG00000C;
| 4 Oct 2005 02:26:45 -0700
|Message-ID: <[email protected]>
|From: "Anybody" <^^^^@aosake.net>
|To: <^^^^@aosake.net>
|Subject: Address check
|Date: Tue, 4 Oct 2005 02:26:33 -0700
|MIME-Version: 1.0
|Content-Type: text/plain;
| charset="iso-2022-jp"
|Content-Transfer-Encoding: quoted-printable
|X-Priority: 3
|X-MSMail-Priority: Normal
|X-Mailer: Microsoft Outlook Express 6.00.2800.1478
|X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1478
|X-PMFLAGS: 570950016 0 1 078448E8.CNM
|
|Just a simple example.
==============================================================

No doubt many people get these annoying emails and
every one of them must be forged with invalid FROM addresses.

I also can't add this email to the Junk email list since it is my email
address that will be blocked !

How often do you send yourself an email from/to the same email address? Try
this:

1. Select the Conditions for your rule:
[x] Where the From line contains people
[x] Where the To line contains people

2. Select the Actions for your rule:
[x] Move it to the specified folder

3. Rule Description (click on underlined value to edit it):
Apply this rule after the message arrives.
Where the From line contains '(e-mail address removed)>
and Where the To line contains '(e-mail address removed)>
Move it to 'Junk'

Or get something like these, which can handle this, and a lot more:

K9: http://www.keir.net/k9.html
POPFile: http://popfile.sourceforge.net/

--
Norman
~I'll be there, by your side
~in the land of Twilight.
~In your dream I will go
~'till we find the Sunlight.
 
Brian Tillman

RJ said:
My question is this: The emails I get from Spamis have my email
address in both the TO and FROM fields. How does someone
send me an email with my email address as the person who sent it,
when it did not come from me?

Others have said how this type of message can be generated and N. Miller
gave one method for dealing with it. The headers of the message may give
you another method. The first header contained in the message you received
mentions a site in Japan. If the messages tend to come from that network,
you can create a rule that blocks the messages containing "or.jp" in the
header. You can do the same with the "fishoo" domain, if that tends to be
dominant in the messages you're getting.
 
N. Miller

Others have said how this type of message can be generated and N. Miller
gave one method for dealing with it. The headers of the message may give
you another method. The first header contained in the message you received
mentions a site in Japan. If the messages tend to come from that network,
you can create a rule that blocks the messages containing "or.jp" in the
header. You can do the same with the "fishoo" domain, if that tends to be
dominant in the messages you're getting.

Based on the sample message in the original post, the rule would have to
inspect the headers for either domain. How does one create a rule in MS
Outlook to do that? Please bear with me; I don't have MS Outlook, so I
can't check it out for myself. My suggested rule should work in MS Outlook,
as well as MS Outlook Express; but this is an Outlook help group, and I
really failed to keep that in mind when I posted. MS Outlook Express rules
can't be configured to check deep headers; but that doesn't necessarily
apply to MS Outlook.

--
Norman
~I'll be there, by your side
~in the land of Twilight.
~In your dream I will go
~'till we find the Sunlight.
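
An added example, not part of any post in this thread: a Python sketch of the two filtering ideas discussed above (the From-equals-To rule and inspecting the Received headers), run over a constructed copy of the first post's headers. `user@example.com` stands in for the redacted address, and `own_relay_nets` (here the documentation range 192.0.2.0/24) is a hypothetical list of the networks your own provider submits mail from.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
# Constructed sample modelled on the first post's headers; user@example.com
# stands in for the redacted address.
SAMPLE = (
    "Received: from i220-221-96-196.s02.a011.ap.plala.or.jp ([220.221.96.196])\n"
    "\tby smtp.siteserver.net (SecureSMTP v8.0) with SMTP (SSL) id ZPC87330\n"
    "\tfor <user@example.com>; Wed, 21 Sep 2005 23:32:30 -0700\n"
    "Received: from localhost.localdomain (HELO localhost.localdomain [127.0.0.1])\n"
    "\tby rachel.fishhoo.com (Mostfix) with ESMTP id BAD3243BFF\n"
    "\tfor <user@example.com>; Wed, 21 Sep 2005 20:17:19 +0100\n"
    'From: "user@example.com" <user@example.com>\n'
    "To: user@example.com\n"
    "Subject: BREAKING Analysts Find New Microsft Office 12 a Waste of Money\n"
    "\n"
    "body\n"
)

def top_hop(msg):
    # The topmost Received header is added by the last server to handle the
    # message (assumed to be the recipient's own); lines below it arrived
    # with the message and can be fabricated by the sender.
    received = msg.get_all("Received") or []
    if not received:
        return None
    top = received[0]
    host = re.search(r"from\s+(\S+)", top)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", top)
    by = re.search(r"\bby\s+(\S+)", top)
    return {"from_host": host and host.group(1).lower(),
            "from_ip": ip and ip.group(1),
            "by": by and by.group(1).lower()}

def check(raw, own_relay_nets):
    """List the reasons a message looks like forged self-addressed mail."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpts = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    findings = []
    if sender and sender in rcpts:
        findings.append("from-equals-to")
        hop = top_hop(msg)
        ip = hop and hop["from_ip"]
        nets = [ipaddress.ip_network(n) for n in own_relay_nets]
        if not ip or not any(ipaddress.ip_address(ip) in n for n in nets):
            findings.append("not-from-own-relay:" + str(ip))
    return findings
```

Matching on the connecting IP recorded by the receiving server, rather than on the From line, lets genuine notes-to-self through while still catching the forged ones.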
 
