No, that spam didn't come from me

I found a nice surprise in my e-mail the other morning: about 200 new messages. All of them bounce notifications from undeliverable spam I didn't send.

Apparently some sleaze-bag decided to forge my e-mail address as the sender on a batch of spam. That sucks. Unfortunately, there's not really anything I can do about it. Forging e-mail headers is ridiculously easy and there isn't really any way to keep someone from using your address. So I guess it just sucks to be me.

As to the nature of the spam, I noticed a number of commonalities from the bounce messages. First, all the bounced messages I checked had the same mailer header:
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
Second, I noticed two big trends in the actual content. Lots of them were targeted at Russians and eastern Europeans, as evidenced by the target domains and the use of the Cyrillic alphabet, and there were also a bunch that simply contained links to what appeared to be a Google ad for a German taco restaurant. As for the originating IP addresses, most of the ones I checked were from eastern Europe, but I also saw IPs from China, Turkey, Germany, and several from the US.

Here's a representative example of one of the German taco link messages, as encapsulated in a bounce message.
Received: (qmail 74968 invoked from network); 31 Mar 2008 10:24:57 -0000
Received: from unknown (66.218.66.72)
by m54.grp.scd.yahoo.com with QMQP; 31 Mar 2008 10:24:57 -0000
Received: from unknown (HELO 84.255.241.179) (84.255.241.179)
by mta14.grp.scd.yahoo.com with SMTP; 31 Mar 2008 10:24:56 -0000
Message-ID: <000501c89319$05ef79a0$e3e718b8@kdjpt>
From: "dom carey" <pageer@skepticats.com>
To: <XXXXXX@yahoogroups.com>
Subject: Your neighbour naked!! watch
Date: Mon, 31 Mar 2008 08:37:48 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0002_01C89319.05ED4C2A"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
X-eGroups-Remote-IP: 84.255.241.XXX
X-UID: 1472

This is a multi-part message in MIME format.

------=_NextPart_000_0002_01C89319.05ED4C2A
Content-Type: text/plain;
   charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

eGjMPUJeuz
Download and WatchuogLVeGjMPU
------=_NextPart_000_0002_01C89319.05ED4C2A
Content-Type: text/html;
   charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.3199" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<center><style>eGjMPUJeuz</style><br><a =
href=3D"http://www.google.com/pagead/iclk?sa=3Dl&ai=3DfFfwMk&num=3D72011&=
adurl=3Dhttp://www.taco-loco.de/video.exe">Download and =
Watch</a><style>uogLVeGjMPU</style> </center></BODY></HTML>
------=_NextPart_000_0002_01C89319.05ED4C2A--

Anyone care to share an opinion? Looks to me like your typical botnet spam wave to me. The only thing that makes it interesting is that I happened to end up getting a glimpse of where it came from.

You can reply to this entry by leaving a comment below. This entry accepts Pingbacks from other blogs. You can follow comments on this entry by subscribing to the RSS feed.

Add your comments #

A comment body is required. No HTML code allowed. URLs starting with http:// or ftp:// will be automatically converted to hyperlinks.