[SpamCop-List] Re: What to do?
Mike Easter
MikeE at ster.invalid
Fri Apr 29 17:26:57 EDT 2005
Gary Wardell wrote:
> I seem to be getting mail-bombed because some stock market spammer
> has put one of my addresses in his Mail From header and now I'm
> starting to get a bunch of bounces.
All spam needs a From, so it might be yours. The business of the
receiving server generating a newmail to a From is bad business and is
reportable because it is a misdirected bounce
http://www.spamcop.net/fom-serve/cache/14.html
> Some of the bounces have the original message attached and I tried
> submitting that but the system refused saying the receiving server
> was not listed as my server, which it wouldn't be.
There's a problem with reporting the original spam because that spam
wasn't addressed to you. -- see the link above, different par. The
reason the parser doesn't want to parse that for you must be because you
are configured for mailhosts.
> However, my domain is listed as the originating host which would make
> me think my host has been compromised except the IP address in the
> header is not my IP address.
The typical scenario when you are getting bounces caused by your being
in the From of a spam isn't caused by any compromise of your system --
it is simply a forged From.
> Is there anything I can do to get this guy shut down?
You can SC report the bad server which creates newmails addressed to
bogus Froms. You can manually report the source of the original spam if
you are able to figure out a strategy to determine the source. You
should be able to feed the headers to the parser and get a source --
unless something about being mailhosted interferes with that. You can
learn how to human parse headers to determine source; that's a
worthwhile endeavor.
None of that spells 'get this guy shut down'. The typical situation is
that the actual spammer and the actual source is not determinable.
--
Mike Easter
kibitzer, not SC admin
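
Added example, not part of the original post or of SpamCop's parser: a minimal Python sketch of the header check discussed above. It reads the original message returned inside a bounce and compares the client IP in the topmost Received header with your own networks. The sample message, the domains, the addresses and the function names are all constructed, and it assumes the bounce returns the original headers intact, so that the topmost Received line is the one written by the bouncing server.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: the original message as returned inside a bounce.
# Domains and addresses are documentation values, not taken from the thread.
SAMPLE = """\
Received: from my-domain.example (unknown [203.0.113.45])
    by mx.bouncer.example with SMTP; Fri, 29 Apr 2005 16:00:01 -0400
Received: from my-domain.example ([192.0.2.10]) by relay.invalid;
    Fri, 29 Apr 2005 15:00:00 -0400
From: someone@my-domain.example
To: nobody@bouncer.example
Subject: constructed sample

body
"""

# "from <claimed name> ... [<IPv4>] ... by <stamping server>" (IPv4 only)
HOP = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+([^\s;]+)")

def received_hops(msg):
    """Return (claimed_name, client_ip, stamping_server) per Received header, newest first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(str(value).split()))  # unfold and collapse whitespace
        if m:
            hops.append(m.groups())
    return hops

def assess(raw, my_networks):
    """Compare the client IP in the topmost Received header with our own networks."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = received_hops(msg)
    if not hops:
        return None
    claimed, ip, stamped_by = hops[0]  # only this hop was written by the bouncing server
    addr = ipaddress.ip_address(ip)
    return {
        "from_domain": parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower(),
        "claimed_host": claimed,
        "source_ip": ip,
        "stamped_by": stamped_by,
        "source_is_mine": any(addr in ipaddress.ip_network(n) for n in my_networks),
        "unverified_lower_hops": len(hops) - 1,
    }

if __name__ == "__main__":
    print(assess(SAMPLE, ["192.0.2.0/24"]))
```

In the sample, the lower Received line names an address inside the "own" network, but it was not written by the bouncing server and is counted only as an unverified hop.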