[SC-Help] Corporate Spoofing

Spambo spamcop-help@news.spamcop.net
Tue, 23 Jul 2002 15:44:27 -0500


Joann Barnes wrote:
> 
> A corporation's mail server is being spoofed by a
> hacker or spammer. This shows all spams as coming from
> the corporate mail server. What should be done to
> correct this? This corporation filters 4000+ spams per
> week. (that they can catch) They do not want to be
> listed or black-listed by Spam Cop.
> 
> [snip]


This is a 'boilerplate' response, a draft for use on a web page (someday). 
Some of it might be helpful to you.

Spammers and/or their software often use names selected at random from their
list in the From: field, or spammers will just make up a user name at a valid
domain to make the return address look legitimate.  They don't want the
bounces or angry complaints coming to them.

Problems caused by this typically result in bounces for 3 - 5 days, and
sometimes angry complaints or remove requests being sent for about a week. 
Normally spammers only use a name for one spam run because many people tend
to hit the 'block address' button/link and spammers don't want their next
run to hit that filter.

Sometimes spammers with a 'bone to pick' will wage an extended campaign but
these are fairly rare since even spam-friendly ISPs and web hosts will
likely find such an attack unacceptable.  Sending UCE is one thing, using
their network to intentionally abuse someone is something else.

Here are some suggestions on what you can do.

(1)  a. Contact your ISP or mail provider and make sure they understand
you're not involved.  Using forged/bogus email addresses in the From: field
is common with spammers and your ISP/email admin *should* be able to tell
whether or not you're involved but some places are more clueless than
others.
     b. If you own the domain being forged you may want to consider putting
a notice about the forgery on your main page (index.html, default.html,
etc.) and include a link to a page with a more detailed description of what
happened.

(2)  a. To report the spammer/forger you'll need to find a bounce that
contains FULL headers and message text.  Some bounces may contain no useful
information, others will contain abbreviated headers, and others will
contain the full bounced message.  Determine the appropriate abuse
department(s) responsible for the message source and any URLs or email
addresses used as a contact point by the spammer.
     b. You can use SpamCop to determine the appropriate addresses but don't
use it to send your complaint - you don't want to chance your report being
ignored because it arrives with other SpamCop reports about the same
incident.  It could be counted as another 'strike' against their customer
but not read.  SpamCop reports tend to be pretty much the same - most of the
time.

(3)  a. Don't send 'spam' complaints -- send FORGERY complaints to the abuse
addresses.  Many abuse departments will consider forgery a more serious TOS
violation than sending UCE.   
     b. i.  Use the email address that was forged in order to establish that
you indeed have been forged.
        ii. If your forgery complaint involves a non-existent email address
at a domain you own (and you get everything sent to the domain that isn't
delivered to a legitimate addy) send the complaint using an email address of
authority (postmaster@, support@, abuse@, etc.) or use an email address
that's contained in the domain registration's contact information so your
authority to complain about the incident can be easily verified.

(4)  a. Attempt to find any information of substance about a spamvertised
URL, check the domain's registration for example.  Although it's unlikely,
you could find a site with sufficient assets to warrant legal action.
     b. IANAL
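The script below is an added worked example for steps (2) and (3) of the post above; it is not part of the original message and not anyone's production tool. It takes a bounce, pulls out the embedded copy of the original message (a bounce without one is useless for a report), walks the Received: chain from the reporting MTA downward to find the hop where the spammer's own, possibly forged, headers begin, collects the URLs and addresses the spammer uses as contact points, and drafts a FORGERY complaint sent *from* the forged address. The bounce, hostnames, IPs and addresses are all constructed sample data using reserved documentation values; abuse@isp.example in the test is a placeholder for the abuse contact you would still have to look up (WHOIS, or SpamCop's parser) for the IP the script reports. Note the caveat in the code: the IP found is the host that handed the mail to the first relay you can vouch for, which may be an open relay or a compromised machine rather than the spammer's own box.

```python
"""Added example (not part of the original post): pull from a bounce the
evidence steps (2) and (3) ask for -- the embedded original, the injection
point in the Received: chain, the spammer's contact points -- and draft a
FORGERY complaint sent from the forged address. All hosts, IPs and addresses
below are constructed sample data (RFC 2606 / RFC 5737 reserved values)."""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed bounce. The bottom Received: line is the spammer's forgery: it
# claims the mail passed through a host at the forged domain (example.com).
SAMPLE_BOUNCE = b"""From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: jdoe@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/rfc822

Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx.example.net with ESMTP; Tue, 23 Jul 2002 14:00:58 -0500
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby relay.example.org with SMTP; Tue, 23 Jul 2002 13:59:31 -0500
Received: from bogus.invalid (bogus.invalid [10.1.1.1])
\tby mailhost.example.com with SMTP; Tue, 23 Jul 2002 13:59:00 -0500
From: jdoe@example.com
To: victim@example.net
Subject: Make money fast
Content-Type: text/plain

Visit http://offer.example.biz/signup now!
Or mailto:sales@example.biz

--B1--
"""

RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+)(?P<rest>.*?)\bby\s+(?P<by>[^\s;]+)",
                         re.I | re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def embedded_original(bounce_bytes):
    """Return the full original message carried in the bounce, or None when
    the bounce has no copy (then it is useless for a report; find another)."""
    bounce = email.message_from_bytes(bounce_bytes, policy=policy.default)
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def _host(h):
    return h.strip("[]").rstrip(".").lower()


def relay_hops(msg):
    """Received: headers top-down (most recent first) as (from, from_ip, by)."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(re.sub(r"\s+", " ", str(value)))
        if m:
            ip = IP_RE.search(m.group("from") + m.group("rest"))
            hops.append((_host(m.group("from")), ip.group(1) if ip else None,
                         _host(m.group("by"))))
    return hops


def injection_point(hops):
    """Walk down from the reporting MTA's own header (the one hop you can vouch
    for). Each hop's 'by' host must be what the hop above received 'from'; the
    first mismatch is where the spammer's self-written headers start, so the
    hop just above it is the injecting host (which may itself be an open relay
    or compromised box rather than the spammer's own machine)."""
    if not hops:
        return None
    origin = hops[0]
    for prev, cur in zip(hops, hops[1:]):
        if cur[2] not in (prev[0], prev[1]):
            break
        origin = cur
    return origin[1] or origin[0]


def contact_points(msg):
    """URLs and addresses in the body: the spammer's real points of contact."""
    body = "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in msg.walk()
                     if p.get_content_type() in ("text/plain", "text/html"))
    return (sorted({u.rstrip(".,;!)") for u in URL_RE.findall(body)}),
            sorted(set(EMAIL_RE.findall(body))))


def draft_forgery_complaint(original, abuse_to):
    """FORGERY (not 'spam') complaint, sent *from* the forged address so the
    abuse desk can verify the complainant, with the full original attached.
    abuse_to must be looked up for the injection IP; nothing here does that."""
    forged, ip = str(original["From"]), injection_point(relay_hops(original))
    urls, addrs = contact_points(original)
    msg = EmailMessage()
    msg["From"], msg["To"] = forged, abuse_to
    msg["Subject"] = f"FORGERY complaint: {forged} forged in mail injected from {ip}"
    msg.set_content(f"{forged} was forged as the sender of UCE injected from {ip}.\n"
                    f"Spamvertised contact points: {', '.join(urls + addrs) or 'none'}\n\n"
                    "Full original message with headers follows.\n\n"
                    + original.as_string())
    return msg
```

Run it as `original = embedded_original(SAMPLE_BOUNCE)` and then `print(draft_forgery_complaint(original, "abuse@isp.example"))`; on the sample the injection point comes out as 203.0.113.45, and the 10.1.1.1 / mailhost.example.com line is correctly ignored because nothing above it received mail from mailhost.example.com. If the script reports None for the original, the bounce only carried abbreviated headers or none, exactly the case the post says to skip.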