I have started a small investigation project against a spammer who sends mail and spoofs the sender address so that all the mail appears to come from the e-mail address of a colleague of mine.

I have already started a thread about this on another, English-language forum, but I reckon there are quite a few capable people on this forum who could also contribute a lot if they feel like it, so I am pasting my post from the other forum here so that those who are interested can read it and reply in this thread to take part in the "investigation".


Hi, I'm not sure if this is the right place for such a topic, or if it is at all possible, but please take a minute to read this post and drop a reply if you can.

I work as an IT / network consultant for a company; recently one of our users has been receiving a LOT of e-mails of the sort you receive if you send an e-mail to an invalid e-mail address.

I'm guessing that most of you know what types of messages I am talking about but here's an example:

Code:

 on 03.04.2008 12:59
 The e-mail account does not exist at the organization this message was sent to.
 Check the e-mail address, or contact the recipient directly to find out the correct address.
 < mailfb.netuse.de #5.1.1 SMTP; 550 <a1aaa1azzzz1zaaaaa@dbtec.de>:
   Recipient address rejected: User unknown in local recipient table>

This has become quite a problem, as my colleague has started to receive up to 100 of these mails a day.

As far as I can understand, this is the result of a spammer sending e-mails to addresses all over the world and spoofing the source address so that the mail appears to originate from my co-worker's e-mail address.

I know it is probably a simple procedure to add some sort of rule to our spam filter to ensure that these types of system messages won't be sent to the person in question, but I am curious by nature and I want to see how far I can go in tracing this activity back to the original sender.

The only information I have been able to gather about the source is the following lines from a failure notice mail sent to my co-worker (however, I suspect that this information will only lead to a system the spammer has been able to compromise and is using to send out messages):

Return-Path: <XX@XXXX.no>
Received: (qmail 23974 invoked from network); 3 Apr 2008 03:19:26 -0500
Received: from 213-147-182-209.sta.dsl.ycn.com (HELO 213.147.182.209) (213.147.182.209)
by corp.hovanic.com with SMTP; 3 Apr 2008 03:19:26 -0500

(the address is the address of my co-worker, which I have censored to ensure that he won't be the victim of even more e-mail terror)

The purpose of the mail in which I found this information was to lead the receiver of the mail to the following URL:

http://compservice.land.ru/video.exe

The server hosting this file is probably compromised as well and I don't believe it will lead directly to the spammer.

But if you have any suggestions about how I should proceed with this little project of mine, please let me know!

P.S. Just to make one thing clear: I have no intention of engaging in any illegal activities towards the different IP addresses or hostnames that I might come across in this investigation. However, I do understand that there is a risk that some of the readers on this forum might not feel the same way, but if you decide to help me with this project, please let's keep the information gathering at a non-intrusive level so that I can continue to share information with you as I continue the investigation.
I expect that the forum admins and mods here will shut this thread down immediately if it were to spark any illegal activities towards the innocent systems I might list here, and I do not want that to happen at all. I hope everyone can respect this but still contribute to the investigation if they wish to.

Thank you.
Last edited by l0ud; 3 April 2008 at 16:41.
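An added example (my code, not part of the original post) of the first step a tracer would take with headers like the ones quoted above: walk the Received headers bottom-up to the hop written by the receiving MTA, pull out the connecting IP, the HELO string and the reverse-DNS name, and flag the tells that the injecting host is a compromised end-user machine rather than the spammer's own server. Return-Path is ignored on purpose, since it is exactly the forged part. The sample message is constructed around the header fragment in the post; the "dynamic pool" marker list and the scoring are my own heuristics, not a standard.

```python
"""Trace the injecting host of a bounced/forged mail from its Received headers."""
import email
import re

# Constructed sample: the Return-Path/Received lines quoted in the post, wrapped
# in a minimal RFC 5322 message so the parser accepts it. Not real captured mail.
SAMPLE = (
    "Return-Path: <XX@XXXX.no>\n"
    "Received: (qmail 23974 invoked from network); 3 Apr 2008 03:19:26 -0500\n"
    "Received: from 213-147-182-209.sta.dsl.ycn.com (HELO 213.147.182.209) (213.147.182.209)\n"
    "\tby corp.hovanic.com with SMTP; 3 Apr 2008 03:19:26 -0500\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# qmail-style "from <rdns> (HELO <helo>) (<ip>) by <host>" clause.
HOP_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]+)\)\s+"
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
# Assumed substrings ISPs commonly put in PTR names for residential/dynamic pools.
DYNAMIC_MARKERS = ("dsl", "dyn", "ppp", "cable", "dial", "pool", "dhcp")


def unfold(value):
    """Join RFC 5322 folded header continuation lines into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value)


def received_hops(raw_message):
    """Parsed hops, oldest first.

    MTAs prepend Received headers, so the last one in the header block is the
    first hop. Only hops written by an MTA you control (corp.hovanic.com here)
    are trustworthy; anything the sender put in the message, Return-Path
    included, can be forged.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(unfold(value))
        if m:
            hops.append(m.groupdict())
    return hops


def is_ip_literal(name):
    return re.fullmatch(r"\[?\d{1,3}(?:\.\d{1,3}){3}\]?", name) is not None


def assess(hop):
    """Heuristic tells that a hop is a compromised end-user box, not a mail server."""
    findings = []
    rdns, helo, ip = hop["rdns"].lower(), hop["helo"].strip(), hop["ip"]
    # A real MTA greets with its hostname; a bare IP (not even bracketed as
    # RFC 5321 requires for address literals) is typical of spam bots.
    if is_ip_literal(helo):
        findings.append("HELO is an IP literal, not a hostname")
    # The PTR record spells out the IP itself: a generic ISP-assigned name.
    if ip.replace(".", "-") in rdns:
        findings.append("reverse DNS is a generic ISP name embedding the IP")
    if any(marker in label for label in rdns.split(".") for marker in DYNAMIC_MARKERS):
        findings.append("reverse DNS looks like a residential/dynamic pool")
    return findings


def origin(raw_message):
    """The first hop plus the reasons to think it is a bot, or None if unparsable."""
    hops = received_hops(raw_message)
    if not hops:
        return None
    first = hops[0]
    return {**first, "findings": assess(first)}


if __name__ == "__main__":
    result = origin(SAMPLE)
    print(f"injected from {result['ip']} ({result['rdns']}), HELO {result['helo']}, "
          f"received by {result['by']}")
    for finding in result["findings"]:
        print(" -", finding)
```

Run on the sample, every tell fires: the HELO is a bare IP, the PTR name embeds the address and sits in a "dsl" pool. That supports the post's own suspicion that the IP is a compromised DSL customer, so the next non-intrusive step is a whois/abuse-contact lookup on the netblock rather than anything aimed at the host itself.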