View Full Version : email heist
AITechnology
07-26-2004, 07:02 PM
Someone used my website extension to send out mass emails. My bucket account had 70 returned emails all with an advertisement at the bottom. I called my host company and they said that this was common and nothing could be done to prevent future happenings.
The advertisements were different but I looked up the URL and they are all registered via domains by proxy.
Is this something I should pursue? Is this illegal? Should and can Domains by Proxy be held partially accountable to ICANN?
mikmik
07-27-2004, 12:27 AM
Here is a page that has all kinds of answers and resources:
http://spam.abuse.net/userhelp/
I would say that you are a victim of a type of identity theft, but don't know how illegal it is at present.
Yours is a tough situation because it is so easy to use others' domains for spoofing the sender of the e-mails just by looking up any domain name and using it.
If they were using the email server on your host or ISP, then they would be responsible, but this looks like a case of impersonation, not intrusion into yours, or your host's, system.
There are lots of good tips and instructions to deal with your situation, what can and cannot be done, and possibly some tools to read the real point of origin of the emails - if it isn't hidden properly.
There are also instructions on where to report this; proxy servers can be blacklisted just as easily as any other one, I am sure.
Keep us up to date, and if you get stuck, we can try to find other suggestions for you.
Good luck.
Here is a page of interest (after wading through a couple of dead links): Leaked Sender Information (http://www.visualware.com/whitepapers/tutorials/email.html#leakedinfo)
AITechnology
07-27-2004, 02:04 AM
Thanks for the comments. I have forwarded one of the emails to Domains by Proxy and will wait for their response first. I checked with my host and none of the emails were sent through them.
I will for sure keep you all up to date :)
mikmik
07-27-2004, 06:32 AM
Definitely let us know if you get complaints, or if people you know get some of these. I would hate to see your reputation get marred because of some imbecile.
Can you post the header information from one of them?
lanlocked
07-27-2004, 10:45 AM
This is a very common occurrence (I speak from experience). It is trivial to forge a return address on an email and there is nothing that can be done about it unless you can track down the spammer. Unfortunately U.S. law enforcement is simply not interested in pursuing this, especially if the perpetrator is not in the U.S. (which is most often the case).
The best solution will be when SPF is incorporated into email server/clients. This will at least verify that the email originated where it says it did. For more info check here:
http://spf.pobox.com/
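To show what the SPF check lanlocked describes actually decides, here is an added example (not from the thread or from the SPF project) that evaluates the ip4/ip6 and "all" mechanisms of a constructed SPF record against the IP that handed the message to the receiving server. The records, the 192.0.2.10 outbound-server address and the "weak.example" domain are assumptions; 61.16.144.192 and fab-equipment.com come from the bounce header posted later in the thread.

```python
import ipaddress

# Constructed records: a domain that publishes a neutral "?all" (forgeries are
# not rejected) beside one that publishes a hard "-all" (only the listed server
# may send). 192.0.2.10 is a documentation address standing in for the domain's
# real outbound mail server.
SPF_RECORDS = {
    "weak.example": "v=spf1 ip4:192.0.2.10 ?all",
    "fab-equipment.com": "v=spf1 ip4:192.0.2.10 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Evaluate an SPF v1 record offline for the connecting client IP.

    Only ip4/ip6 and "all" are handled; mechanisms that need DNS (a, mx,
    include) are skipped here, so this is the decision logic, not a full resolver.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF policy published
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qualifier]  # catch-all decides everything unmatched
        mech, _, arg = term.partition(":")
        if mech.lower() in ("ip4", "ip6") and arg:
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # record ended without an "all" term


def spf_result_for(domain, client_ip):
    """Look the domain up in the constructed record table and evaluate it."""
    record = SPF_RECORDS.get(domain)
    return "none" if record is None else check_spf(record, client_ip)
```

A receiver applying the "-all" record would reject the spam relayed from 61.16.144.192 with the forged fab-equipment.com sender, while the "?all" record lets the same forgery through.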
ddemarest
07-27-2004, 03:29 PM
Quote:
Someone used my website extension to send out mass emails. My bucket account had 70 returned emails all with an advertisement at the bottom. I called my host company and they said that this was common and nothing could be done to prevent future happenings.
The advertisements were different but I looked up the URL and they are all registered via domains by proxy.
Is this something I should pursue? Is this illegal? Should and can Domains by Proxy be held partially accountable to ICANN?
I have had the same problem as of late. I received a bunch of bounces this week with various drug names in the subject line like Vi@gra Cheap!!
The sender's address looks something like XD12DxZZP@pagepartners.com. Of course they are all bouncing back to me since I am the default bounce address for my domain.
When I went to the ARIN web site to check the IP address, most of these came back as the Asia Pacific Network. They're in China - so what can I do? I sent a complaint to the abuse@ email address but I never got a response. It is very frustrating.
I deleted them, but the next one I get (and I am sure I will), I will post the header.
AITechnology
07-27-2004, 04:06 PM
Here is the whole return. The header is extremely long!
Return-path: <owspaiuguaixpw@fab-equipment.com>
Return-path: <owspaiuguaixpw@fab-equipment.com>
Received: from ims-ms-daemon.l-daemon by l-daemon
(iPlanet Messaging Server 5.2 HotFix 1.18 (built Jul 28 2003))
id <0I1G00F6Y3N4CL@l-daemon>
(original mail from owspaiuguaixpw@fab-equipment.com); Mon,
26 Jul 2004 00:06:40 -0600 (MDT)
Received: from pd3mr3so.prod.shaw.ca
(pd3mr3so-qfe3.prod.shaw.ca [10.0.141.179]) by l-daemon
(iPlanet Messaging Server 5.2 HotFix 1.18 (built Jul 28 2003))
with ESMTP id <0I1G00DQG3N4Y3@l-daemon> for d.crawford@shaw.ca; Mon,
26 Jul 2004 00:06:40 -0600 (MDT)
Received: from pd4mi2so.prod.shaw.ca ([10.0.121.195])
by pd3mr3so.prod.shaw.ca (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar
15 2004)) with ESMTP id <0I1G00B953N2FJC0@pd3mr3so.prod.shaw.ca> for
d.crawford@shaw.ca (ORCPT d.crawford@shaw.ca); Mon,
26 Jul 2004 00:06:40 -0600 (MDT)
Received: from hotwire-192-144-16-del.hotwireindia.com
(hotwire-192-144-16-del.hotwireindia.com [61.16.144.192])
by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004))
with SMTP id <0I1G0070W3LBB600@l-daemon>; Mon, 26 Jul 2004 00:06:39 -0600 (MDT)
Received: from vakba.slposta.sk (HELO opalhoward.com) (46.224.86.231); Mon,
26 Jul 2004 17:58:49 -0500
Date: Mon, 26 Jul 2004 18:03:49 -0500
From: Quinn Delgado <owspaiuguaixpw@fab-equipment.com>
Subject: [Shaw Suspected Junk Email] no consultation fee
To: d.crawford@shaw.ca
Cc: kmmunro@shaw.ca
Reply-to: Quinn Delgado <owspaiuguaixpw@fab-equipment.com>
Message-id: <2l6JYkwmef9YMNbfLmgc9PJTN535358@somedec.com>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-type: text/html; charset=us-ascii
Content-transfer-encoding: quoted-printable
X-Priority: 3
Your message cannot be delivered to the following recipients:
Recipient address: d.crawford@ims-ms-daemon
Original address: d.crawford@shaw.ca
Reason: Over quota
Reporting-MTA: dns;l-daemon (ims-ms-daemon)
Original-recipient: rfc822;d.crawford@shaw.ca
Final-recipient: rfc822;d.crawford@ims-ms-daemon
Action: failed
Status: 5.2.2 (Over quota)
Subject:
[Shaw Suspected Junk Email] no consultation fee
From:
Quinn Delgado <owspaiuguaixpw@fab-equipment.com>
Date:
Mon, 26 Jul 2004 18:03:49 -0500
To:
d.crawford@shaw.ca
CC:
kmmunro@shaw.ca
Just a short note....
To point you in the direction of finding your online resource for medications.
Check Out Our Entire Selection
Lowest Prices - Best Customer Service - Fastest Delivery - No Hidden Fees .
Best Wishes
Quinn Delgado
This is the commonality of all the returns. They are all of three different advertisements. They all link to shopriterx.biz, cheaprxnow.biz, and abcrx.biz
Quote:
Definitely let us know if you get complaints, or if people you know get some of these. I would hate to see your reputation get marred because of some imbecile.
This was my exact fear. One of the email clients my salesperson used before I set up our own kept putting advertisements in the bottom of the emails which was upsetting some of her clients.
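To show how to read the Received chain in the bounce posted above, here is an added example (not from the thread) that unfolds the headers, parses each Received line, and walks the chain from the newest hop down to the first hop stamped by the recipient's own servers that shows a public address. The header excerpt is a trimmed copy of the posted one; everything below that hop (the HELO opalhoward.com line) was written by the sender and may be forged.

```python
import ipaddress
import re

# Trimmed copy of the bounce header posted above, with RFC 2822 folding kept.
RAW_HEADERS = """\
Received: from ims-ms-daemon.l-daemon by l-daemon
 id <0I1G00F6Y3N4CL@l-daemon>; Mon, 26 Jul 2004 00:06:40 -0600 (MDT)
Received: from pd3mr3so.prod.shaw.ca
 (pd3mr3so-qfe3.prod.shaw.ca [10.0.141.179]) by l-daemon
 with ESMTP id <0I1G00DQG3N4Y3@l-daemon>; Mon, 26 Jul 2004 00:06:40 -0600 (MDT)
Received: from pd4mi2so.prod.shaw.ca ([10.0.121.195])
 by pd3mr3so.prod.shaw.ca with ESMTP; Mon, 26 Jul 2004 00:06:40 -0600 (MDT)
Received: from hotwire-192-144-16-del.hotwireindia.com
 (hotwire-192-144-16-del.hotwireindia.com [61.16.144.192])
 by l-daemon with SMTP id <0I1G0070W3LBB600@l-daemon>; Mon, 26 Jul 2004 00:06:39 -0600 (MDT)
Received: from vakba.slposta.sk (HELO opalhoward.com) (46.224.86.231); Mon,
 26 Jul 2004 17:58:49 -0500
From: Quinn Delgado <owspaiuguaixpw@fab-equipment.com>
"""

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
FROM_RE = re.compile(r"^from\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")


def unfold(raw):
    """Join continuation lines; return a list of (name, value) header fields."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip(), value.strip()))
    return fields


def parse_received(value):
    """Pull the claimed 'from' host, the address the receiver saw, and the 'by' host."""
    m_from, m_ip, m_by = FROM_RE.match(value), IP_RE.search(value), BY_RE.search(value)
    return {"from": m_from.group(1) if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None}


def hops(raw):
    """Received lines in header order: newest hop first, oldest (sender side) last."""
    return [parse_received(v) for n, v in unfold(raw) if n.lower() == "received"]


def handoff_ip(raw):
    """First public address in the chain: where the mail entered your provider."""
    for hop in hops(raw):
        if hop["ip"] and not ipaddress.ip_address(hop["ip"]).is_private:
            return hop["ip"]
    return None
```

The address this returns is the one to look up at the regional registry (ARIN, APNIC, etc.) and to cite in an abuse report; the sender's claimed hostnames and Return-path carry no weight.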
AITechnology
07-29-2004, 01:04 PM
Well there were 10 domains that were advertising and they have all been 86'd by the domain registrar. I am assuming they will have 10 more up within a week, but I guess I can just do what I can eh?
mikmik
07-29-2004, 01:58 PM
Sadly, yes. I imagine that ISPs are not going to be willing to give out the names of their registrants, and if you cannot get a good trace and whois you are hooped. Even then, I have traced back to servers in the Netherlands and Romania, even saw registry info on one whois, but it was all blank or obviously fake.
I have heard and read about packet sniffing, and using a hex reader to extract the packet contents inside that can be used to find origins, but even the savvy spoof can that, and there is a lot of technical info and software to learn.
At least Domains By Proxy are reputable. They sound like they were pretty cooperative with you.
But if it happens again, I am into learning how to decipher TCP/IP packets for/with you.
Keep your head up, we won't let the bad guys win.
AITechnology
07-29-2004, 05:27 PM
I am gonna concentrate on PHP and preventative measures atm, but for sure am gonna learn how to trace in the future!!!