this jerk is spoofing my domain, sending spam via India--what to do?

[Ernest Burden III]

This SOB is spoofing my 'acmedigital.com' domain name on piles of spam selling fake Rolexes. The IP is listed as being in India. Any ideas on what I can do except limply reporting it to some 'abuse' website somewhere?

 

http://www.networksolutions.com/en_US/whois/results.jhtml;jsessionid=YULB3PC3TUTEICWLEALCFEQ?whoistoken=0&_requestid=36535

[Chad Warner]

We have the same problem with our domain. The default email box fills up in about two days with undeliverable mails. Don't know what to do about it though.

 

-Chad

[Richard McCarthy]

What exactly is the IP address? Network solutions says

"We are unable to process your request at this time. Please try again later."

 

.......

[Ernest Burden III]

What exactly is the IP address?

 

Crap, I should have saved the text off of the netsol page.

 

The site being plugged is finestwatches.info , registered to a "Mike" in Vancouver, and that is also the admin contact, but the actual IP was listed as being in India. Hopefully tomorrow I can get the page back and capture the text.

 

Any ideas for me?

[Crazy Homeless Guy]

a friend just sent me these sites yesterday, i was not sure what i would use them for, but it looks like they came in handy...

 

http://www.dnsstuff.com/tools/whois.ch?ip=202.148.46.177

http://www.dnsstuff.com/tools/whois.ch?ip=finestwatches.info

 

http://www.dnsreport.com/tools/dnsreport.ch?domain=acmedigital.com

 

 

 

.

[Ernest Burden III]

a friend just sent me these sites yesterday, i was not sure what i would use them for, but it looks like they came in handy...

 

Thank you.

 

I'm still wondering what the hell to do beyond say it makes me mad.

 

Thanks to this a*hole, now I'M A SPAMMER, or so it appears to the rest of the world. My domain is going to be tagged by spam-blocking software. If people have them set to 'auto' they would never even see an email I sent. Not that I send a lot of un-solicited emails, nor do I plan to use email as an advertizing medium for my business...I just don't want someone else muddying my otherwise good 'name' in the web community.

 

This is yet another example of identity theft, and I am sure it is quite common. Why not require an ID'ing tag be attached to all emails, something you could NOT spoof? Well, privacy concerns would be raised. Maybe a better solution would be to create a system of ID tags, perhaps using VLPs (very large primes) and make their use OPTIONAL. So someone could set their email system to either accept or reject 'non-tagged' email. I, for example, would choose to include the ID tag and to reject un-tagged email. You could make your own choices. So privacy and anonymitity are still available, and so is a more effective control of internet-identity theft.

[Chad Warner]

That's exactly what happened with us...people were not receiving emails that we sent, and we couldn't figure out why until we checked the default email account that had 800-900 returned emails from alphabetical listings on AOL. Next thing we know, we get an abuse report from earthlink warning us that they were going to shut down the domain. So we called earthlink to report the abuse, and they said that they couldn't do anything about it because the email wasn't originating from their servers.

 

-Chad

[Ernest Burden III]

Next thing we know, we get an abuse report from earthlink warning us that they were going to shut down the domain. So we called earthlink to report the abuse, and they said that they couldn't do anything about it because the email wasn't originating from their servers.

 

Earthlink hosts my three domains, too. I have spoken to them about it, and they tell me to report it to their 'abuse' department. But then theu will probably say what they said to you--it isn't coming through US so we cannot stop it.

 

Frustrating.

[Ernest Burden III]

bytheway: how much a rolex costs?

hope you don't mind. bad joke

 

Probably 10 or 20 bucks. There are always a bunch of African guys on 5th Avenue in NYC selling them out of a briefcase, so why would I have to buy it from Vancouver?

[Crazy Homeless Guy]

i would suggest using someone besides earhtlink for hosting. you can get better deals.

 

i am a proponate of doing away with any html code in email. strip email back to its original essential form of ascii text, and nothing else. this will help slow the spam down, this will eliminate virus's spread by email, ect.. ect..

 

it will slow spam down by not letting spammers track who is opening there emails, and which address's are active. it will stop virus spread by email, because there is no code, just text.

[Ernest Burden III]

you could try out that spam vaccine soft too.

 

That would do nothing. I am not upset about getting spam, I am upset about beeing seen as SENDING it when I am not, never have and never will.

 

And I do not think I'm dealing with a particularly skilled a*hole here. I was surprised at how easily I could find who was behind it. I'm NOT a web-genius. I am hoping one of you IS, and can help me, and others who read this, fight back in the same way we have been attacked.

[Ernest Burden III]

i would suggest using someone besides earhtlink for hosting. you can get better deals.

 

i am a proponate of doing away with any html code in email. strip email back to its original essential form of ascii text, and nothing else.

 

I wasn't looking for the best 'deal', but if they don't help people who are being hit with this problem, maybe a 'deal' is a good idea.

 

I COMPLETELY agree with you, ASCII for email. That is how mine is set. I have never sent an html email. Attachments are cool, though, but so abused that even that should be up for evaluation.

[David Knourek]

If this numbnut is realy from Vancouver you should be able to find out who the ISP is through the IP addy and report it to them and they will usually kill the account. Also if that goes nowhere you could allways report it to the RCMP as it is a form of fraud and they take stuff like that verry seriously.

 

Just a thought,

 

-dave

[Ernest Burden III]

report it to the RCMP as it is a form of fraud and they take stuff like that verry seriously.

 

The Mounties would take it seriously? That's good to know. I doubt US authorities would, were the jerk in the US.

 

Anyway, here is the record:

 

finestwatches.info

 

The data in this record is provided by Afilias Limited

for informational purposes only, and Afilias does not guarantee its accuracy....

 

Domain ID:D5921693-LRMS

Domain Name:FINESTWATCHES.INFO

Created On:13-May-2004 09:48:27 UTC

Expiration Date:13-May-2005 09:48:27 UTC

Sponsoring Registrar:R159-LRMS

Status:ACTIVE

Status:OK

Registrant ID:C4603929-LRMS

Registrant Name:mike

Registrant Organization:genuine rep

Registrant Street1:suite 556

Registrant City:vancouver

Registrant Postal Code:86086

Registrant Country:CA

Registrant Phone:+001.3103430101

Registrant Email:replicaclick@yahoo.ca

Admin ID:C4603929-LRMS

Admin Name:mike

Admin Organization:genuine rep

Admin Street1:suite 556

Admin City:vancouver

Admin Postal Code:86086

Admin Country:CA

Admin Phone:+001.3103430101

Admin Email:replicaclick@yahoo.ca

Billing ID:C4603929-LRMS

Billing Name:mike

Billing Organization:genuine rep

Billing Street1:suite 556

Billing City:vancouver

Billing Postal Code:86086

Billing Country:CA

Billing Phone:+001.3103430101

Billing Email:replicaclick@yahoo.ca

Tech ID:C4603929-LRMS

Tech Name:mike

Tech Organization:genuine rep

Tech Street1:suite 556

Tech City:vancouver

Tech Postal Code:86086

Tech Country:CA

Tech Phone:+001.3103430101

Tech Email:replicaclick@yahoo.ca

Name Server:NS1.SUPERREPLICA.INFO

Name Server:NS2.SUPERREPLICA.INFO

 

IP Address: 202.148.46.177 (ARIN & RIPE IP search)

IP Location: IN(INDIA)

DMOZ no listings

Y! Directory: see listings

Data as of: 08-Jun-2004

[Frosty]

What makes you think that his reg info is in any way legit EB? The listed postal code isnt. The phone number is a El Segundo, CA based phone number and the registered carrier is Teleport Communications Group - Los Angeles. I'm not sure what you can do or to do it. This is one crappy situation.

[Ernest Burden III]

What makes you think that his reg info is in any way legit EB?

 

I don't know.

 

ALL the bounced email that had [randomstuff]@acmedigital.com was to sell fake watches through that same .info site. So I simply typed the domain into network solutions 'whois' database and got what I posted. I am not knowledgeable about the intricacies of web DNS and the registrar info. Maybe it's bogus, maybe that WAS too easy.

 

This has been going on for months, by the way. I have seen this 'spoofing' happen on one of my other domains but it was so short-lived that it stopped by the time I could try to do something about it. This time, it has just gone on and on, so I feel I MUST do something, but what's an honest sap like me to do to get this bastard?

[Frosty]

I'm going to forward this to a network admin friend of mine. He's very on the ball aout how to track stuff down and how to deal with shmucks like this. I'll let you know whats up.

[Frosty]

Okee Dokee, here's the dealio...

 

There are three objectives here. 1) find out who this guy is. 2) what is he doing. 3)stop his activities.

 

I was informed that there are a few quick and easy things you can do to find the paths of these emails. Thats sshould lead you to the identity of the person. In your email app prefs, turn on "full address path" or something of that sort. This feature will allow you to see the full route the email took from the sender, to the bounce and back to you. This could also inform you of the nature of his activites.

 

I was also informed that it is quite possible that your domain is being spoofed with absolutely no contact with your server. Hopefully this is a start Ernest.

[Richard McCarthy]

Name Server:NS1.SUPERREPLICA.INFO

Name Server:NS2.SUPERREPLICA.INFO

 

Ernest, this is what I would look at.

Reverse DNS of the domain name server :

 

http://www.dnsstuff.com/tools/ptr.ch?ip=SUPERREPLICA.INFO

 

".......Answer:

No PTR records exist for 202.148.46.177. [Neg TTL=172800 seconds]

 

Details:

ns4.apnic.net. (an authoritative nameserver for 202.in-addr.arpa., which is in charge of the reverse DNS for 202.148.46.177)

says that there are no PTR records for 202.148.46.177."

 

 

From the look of it, he spoof all of it. That 202.148.46.177 is not even a real ip address.

 

I did a visual trace of it, and it looks like it originate from China. Because the last known trace (out of 22 hops) is from Hong Kong (HK).

 

 

19 10 4 202.84.144.201 Sydney i-5-0.tmhstcbr01.net.reach.com

20 10 4 202.84.144.154 Newark i-1-2.iadv02.net.reach.com

21 11 4 207.176.96.61 Pasay i-1-1.iadv02.net.reach.com

22 12 - 202.148.46.177 Pune

 

Registrant id#: 4

Registrant:

Reach Global Services Ltd. (REACH28-DOM)

20th Floor, Telecom House

3 Gloucester Road

Wanchai, Hong Kong 00000

CN

 

Then again, it could be from anywhere....but I suspect that it's somewhere local inside Hong Kong or China, because usually email don't just bounce straight OUT of a country, it would bounce inside through several national gateway before it reach international gateways.

 

 

I would also suggest to seperate your business contact email address from your web presence domain name address... perhaps a different domain name for your email that you only give out or reply to your clients.

[Ernest Burden III]

From the look of it, he spoof all of it. That 202.148.46.177 is not even a real ip address.

 

I did a visual trace of it, and it looks like it originate from China. Because the last known trace (out of 22 hops) is from Hong Kong (HK).

 

Thank you for the help. China? I still would think the originating jerk is US or Canada, but don't see how to find out where, or who, exactly. Or how to stop it from happening to me, or others.

 

In looking at the 'bounce' email headers, I am not seeing anything common to any of them. What are the most important parts of those to tell where they originated?

 

And thanks again for the responses, everybody.

[Jeff Mottle]

For what it's worth my CGA email is used like this all the time. It sucks, but really there is not much you can do about it. Spam is the new revenue stream of the mob so they use any and every trick they can to get away with it. Even the autorities who try to track them can't find most of them. From what I've read, by the time they track the IP to a physical location they are long gone. Most corporations don't use generic blacklists to filter email becuase they are all but useless these days. I get the odd email from some shmucks who are too stupid to realise that I didn't actually send it, but I usually write back and tell them to get a clue. I think they are usually shocked they get a reply from me becuase more often then not I get a email appoligy back.

 

Maybe you will luck out, but personally I think the odds of you tracking this guy down are slim. Even if you do, I think the chances of anyone doing anythign about it, very slim. Your best bet is to change your email address and then never post it anywhere online....ever. You will also want to use a throw away account on for your Registrar info as many spam lists were compiled from website WHIOS info. Which is why you see most of the big guys now use image character verification to do a WHIOS lookup. You can also pay like $10 a year and have your WHOIS info hidden from all people but ISPs. Not sure how useful that is.

[Ernest Burden III]

Maybe you will luck out, but personally I think the odds of you tracking this guy down are slim. Even if you do, I think the chances of anyone doing anythign about it, very slim. Your best bet is to change your email address and then never post it anywhere online....ever.

 

I know next to nothing about tracking anybody down, it's only the advise from this thread that gets me anywhere.

 

The issue isn't that my particular email address is being used, but my domain. I cannot hide that.

 

Now, one thing comes to mind--pushing for whomever is in charge of the master DNS in the US, Canada, Europe if they're game, to be required to block any URL that is reported to have spoofed or un-verifiable data in it's registration. As RM pointed out, part of the reg. info of my attacker is a non-valid IP address. THAT would be reported and if it was true the site would be blocked in participating countries.

 

Sound plausible?

[Jeff Mottle]

Ernest,

 

Do you have a catch all email account set up? Meaning that you get email from blahblah@acmedigital.com etc. If so, you should disable that. It will stop you from getting all the extra crap as a result of the spamming, unfourtunatly it won't stop them from using an invalid email with your domain.