Spam Problems
Plot file Utilities COM Integration and Legacy Historic Products Historic Screensavers Kaleidoscope Samples Eurex Exchange Programming Spam Problems Miscellaneous

 

Faked Spam Mail "From:" address

You may receive spam mail that appears to come from someone with a camel.co.uk domain name. If so the "From:" name has been faked by the person who sent the spam. We know this happens because when it is done we get the non-delivery reports for any spam mails that are undeliverable. .

This is NOT the same as relay-based spamming, in which the spammer uses a third party mail host to send the mail on their behalf; our mail servers will NOT permit relaying, so cannot be used in that way.

You can usually tell that the mail did not originate from our mail servers (ie it is faked) by looking at the headers. Look in the internet headers (from the bottom up) for the first "Received:" line.

Proper mails from Camel Services will say something like: 

Received: from 194.223.4.33 (HELO mail.camel.co.uk)
by smtp.c000.snv.cp.net (209.228.32.59) with SMTP; 4 Jul 2002 06:34:42 -0700

or

Received: from 194.223.4.33 (EHLO mail.camel.co.uk) (194.223.4.33) 
    by mta566.mail.yahoo.com with SMTP; 10 Jul 2002 05:17:43 -0700 (PDT)

The form varies depending on the mailer program that receives it. And in general will not have any "peculiar" additional Received: lines before them.

Here is an example from a spam mail:

Received: from epic.mail.pas.earthlink.net (207.217.120.181)
    by mta448.mail.yahoo.com with SMTP; 29 Jun 2002 00:13:13 -0700 (PDT)
Received: from pool-63.49.219.205.troy.grid.net ([63.49.219.205] helo=rcpt)
    by epic.mail.pas.earthlink.net with smtp (Exim 3.33 #2)
    id 17OC83-0000wf-00; Fri, 28 Jun 2002 23:54:44 -0700

In this example of a spam email there are two Received: lines. In theory the second line shows where the email originated, but it can be faked. We reported this spam to the system administrators of both IP addresses.

What IP Address?

In general you look for the last IP address in the "from" part of the last Received: line. Ignore the machine names, as they can easily be faked. Because the whole received line could be faked, you need to work though them from the first to the last to try to spot any inconsistencies.

To find the name of the organisation and person responsible there are three main bodies (based around the continents) that control the allocation of IP addresses, and they (their web sites) have a form (look for "whois") which will let you enter the IP address and thus see who the owner of the IP address is. Proficient users can, usually, use tracert to find the continent, else just try all of the registry bodies listed by "iana" on the page http://www.iana.org/ipaddress/ip-addresses.htm. Note that the "effective" administrator may be someone who "sublets" the IP address from the listed organisation, and, if you can find the web site for the organsaition more detailed contact information may exist there.

Redress

Please do not harrass us, but if you are getting significant numbers of faked spam emails please let us know.

The abusive use of the machine which sent the spam should be reported to the "Network Administrator" of the organisation that "owns" the IP address used by the spammer, some probably being being more concerned then others.

You should send whole of the internet headers from the spam email to the specified contact name, put "abuse" in the subject line.

You will usually only get an auto-reply. Read it, it may say that abuse-complaint mails should be sent to a specified email address. If so you will have to resend the complaint mail.

Prevention

Several categories of prevention exist

bulletBlocking of all email from mail servers that are known sources of spam - but this will prevent genuine mails from users of these servers. This has to be done on the mail server which your mail is delivered to.
bulletBlocking of email from IP addresses known to be dial-ups. The argument being that anyone who is a legitimate dial-up user should (or at least can) use the ISPs outgoing mail server (as in most mail clients don't send mail directly to the destination, but rely on a known server). This also can produce "false positives",  and has to be done on the mail server which your mail is delivered to.
bulletEmail filtering, this can be done by the mail server, or by a client program (of which there is a current proliferation). Unfortunately these programs are not foolproof.

To make life easier, look at:

bullethttp://www.visualware.com/training/email.html      A useful tutorial about reading the headers - they also sell a product.
bullethttp://www.lpsci.com/spamid/     Enter the IP address you get from the headers to find out who to complain to.
bullethttp://spam.abuse.net/      General spam information site with links to other sites.
bullethttp://mail-abuse.org     (MAPSSM) They have IP "blackhole" lists, and list of IP addresses which are "dialups", some mail server software can interact with them.

To reiterate

  1. Spam mail is not sent by us.
  2. Spam mail is not relayed via our mail servers.
  3. The "From:" name in a mail can be faked to make it look like it came from us. Sorry, there is no way of preventing this.

Good luck.

Camel Services Ltd

 

© 2006 Camel Services Ltd. www.camel.co.uk