Need advice, possible JoeJob, 80+ bounce messages

oliverb
Grafter
Posts: 606
Registered: 02-08-2007

Need advice, possible JoeJob, 80+ bounce messages

I need some advice, we have received a large number of bounce messages, resulting from spam that forged our domain name.

The poor quality of many of the bounce reports is making it hard to identify the source IP.
4 REPLIES
Community Veteran
Posts: 6,983
Thanks: 8
Registered: 10-04-2007

Need advice, possible JoeJob, 80+ bounce messages

I suggest that you pass the message headers on to the abuse section at PlusNet and they may be able to do something about it.
oliverb
Grafter
Posts: 606
Registered: 02-08-2007

Need advice, possible JoeJob, 80+ bounce messages

I thought about that but in the past Plusnet have asked to only be sent stuff originating within plusnet.
N/A

Need advice, possible JoeJob, 80+ bounce messages

Sending bounces to abuse unless you know they are from PlusNet customers is ill-advised. They are already an overworked department.

Can I ask what sort of trouble you are having with the identification of the spam?

The normal rules apply:

1: Identify the headers. Either your reader should provide a setting to display only the headers, or you can view the original mail.

Headers can easily be separated by looking for the first blank line, and everything above the line is header detail.

2: Work from the bottom up, and read the "received" lines.

3: Not all will be from IP addresses, as some will be internal transfer messages.
oliverb
Grafter
Posts: 606
Registered: 02-08-2007

Need advice, possible JoeJob, 80+ bounce messages

Thanks for the advice, fortunately this appears to be a one-off incident.
Thankfully people seem to be wise to this kind of ploy nowadays and we haven't been sent any complaints.

I'm wary of tracing in bounced messages as some systems particularly Exchange Server seem to completely replace the header of the rejected message. As a result the only valid IP is probably the recipient not the sender.

Also if the bounce is forged then the "original message" could claim to come from anywhere!!

PS

I hope plusnet didn't receive any grief over this...
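The three-step header walk given earlier in the thread (split at the first blank line, read the Received lines bottom-up, skip internal transfers), together with the caveat in the last post that the lower Received lines of a bounced message may have been rewritten or forged, as an added example written for this thread. This is not code from any poster or from PlusNet. The message, host names and addresses are constructed from documentation ranges; `mail.example.org` stands in for a mail server you administer and therefore trust to stamp Received lines honestly.

```python
"""
Walk the Received: chain of a returned message the way the thread describes:
split headers from body at the first blank line, unfold the header block,
then read Received: lines bottom-up, marking RFC 1918 / loopback / link-local
hops as internal transfers. A second pass trusts only hops stamped "by" a
host you control, which is the defence against forged lower Received lines.
"""
import ipaddress
import re

# Constructed sample: headers of a forged message as returned inside a bounce.
# The Received: line in the body is deliberate; step 1 must ignore it.
SAMPLE_MESSAGE = (
    "Return-Path: <sales@example.org>\n"
    "Received: from mx.example.net (mx.example.net [203.0.113.10])\n"
    "\tby mail.example.org with ESMTP id abc123\n"
    "\tfor <postmaster@example.org>; Mon, 1 Jan 2007 10:00:00 +0000\n"
    "Received: from relay1 (relay1.internal [10.0.0.5])\n"
    "\tby mx.example.net with SMTP id def456; Mon, 1 Jan 2007 09:59:58 +0000\n"
    "Received: from unknown (HELO example.org) (198.51.100.77)\n"
    "\tby relay1.internal with SMTP; Mon, 1 Jan 2007 09:59:50 +0000\n"
    "From: sales@example.org\n"
    "To: someone@example.net\n"
    "Subject: hello\n"
    "\n"
    "body text that we do not care about\n"
    "Received: from 192.0.2.9 (in the body, so it must be ignored)\n"
)

# Explicit list rather than ipaddress.is_private, which would also flag the
# documentation ranges used in the sample as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def split_headers(raw):
    """Step 1: everything above the first blank line is the header block."""
    head, _, body = raw.partition("\n\n")
    return head, body


def parse_headers(header_block):
    """Unfold continuation lines (leading whitespace) into (name, value) pairs."""
    headers = []
    for line in header_block.splitlines():
        if not line:
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def is_internal(ip_text):
    """True for addresses that can only be an internal transfer hop."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def received_hops(raw):
    """Steps 2 and 3: Received lines bottom-up, each with its valid IPs
    and the public ones among them."""
    head, _ = split_headers(raw)
    received = [v for n, v in parse_headers(head) if n.lower() == "received"]
    hops = []
    for value in reversed(received):
        ips = []
        for candidate in IPV4_RE.findall(value):
            try:
                ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. 999.1.1.1 matches the regex but is not an address
            ips.append(candidate)
        hops.append({
            "received": value,
            "ips": ips,
            "public_ips": [ip for ip in ips if not is_internal(ip)],
        })
    return hops


def claimed_origin(raw):
    """Lowest hop with a routable IP: what the headers *claim* the source is."""
    for hop in received_hops(raw):
        if hop["public_ips"]:
            return hop["public_ips"][0]
    return None


def last_verifiable_ip(raw, trusted_hosts):
    """Only believe Received lines stamped 'by' a host you control; return the
    connecting IP of the lowest such hop. Anything below it may be forged."""
    trusted = {h.lower() for h in trusted_hosts}
    for hop in received_hops(raw):
        match = BY_RE.search(hop["received"])
        if match and match.group(1).lower() in trusted and hop["ips"]:
            return hop["ips"][0]
    return None


if __name__ == "__main__":
    for i, hop in enumerate(received_hops(SAMPLE_MESSAGE)):
        print(i, hop["ips"], "internal" if not hop["public_ips"] else "public")
    print("claimed origin:", claimed_origin(SAMPLE_MESSAGE))
    print("last verifiable:", last_verifiable_ip(SAMPLE_MESSAGE, {"mail.example.org"}))
```

On the sample, `claimed_origin` returns the lowest public address, which is what the thread's bottom-up walk yields; `last_verifiable_ip` with your own server as the only trusted host returns instead the address that connected to you, because every line below that was written by someone else and, as the last post notes, may have been replaced or invented. When reporting a source it is the verifiable address, not the claimed one, that is worth anything.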