
Philip Ramsey Headlines

Monday, November 15, 2010

failure notice - How the Saudi handle email abuse by their users

The Saudi ISP saudi.net.sa has a really stupid way of handling spamming by its email users: treat every complaint as spam and reject it. Recently we created a few new email accounts to handle our future online marketing plans. These accounts have never been used or given to the public, yet we have been receiving emails from accounting@becometheboss.net, an address that we never created and that does not exist.



I have been fighting back by complaining to the ISPs whose services were used to send these bogus messages, so that they are made aware that a client's computer may be under the control of cyber-criminals. My method has been generally successful. However, on occasion I run into situations where the ISP does not have a working abuse@ mailbox, or at least pretends not to have one. Even in those cases the spam originating from their members is stopped.

In the case of saudi.net.sa, they flatly reject the complaint because their spam filtering system classified my complaint as spam. Since their web site is written entirely in Arabic, I am unable to navigate it to a contact page where I could lodge a complaint.

The remarks in the RIPE NCC whois record for the network say: "For any Abuse or Spamming please send your requests directly to abuse@saudi.net.sa". How do they expect to receive spam complaints about their customers if they run a content-based spam filter on their abuse mailbox? Note what that filter was given, though: the complaint below reused the spam's own subject line and quoted the "Cheapest Pills" body inline, so it scored as spam itself. A complaint stands a better chance of getting through if the subject names only the IP address and timestamp and the offending message is attached whole, headers included, as a message/rfc822 part (or sent in the Abuse Reporting Format, RFC 5965) rather than pasted into the body. As for the customer: at the very least, their computer may be infected with a Trojan that allows the Russian Mafia or Chinese agents to use it for illegal purposes; at the very worst, the customer may be working with the Russian Mafia for profit.

See the original emails below, together with plugins such as WIPMANIA for Firefox and SeaMonkey, to learn how I fight spam effectively when our email address is being spoofed. The evidence in every message is in its Received: headers: the Received: line written by your own mail server records the IP address that connected to it, the name the sending host gave in its HELO, and the time of the connection. (The memberids: tag in the headers quoted below is added by the receiving relay, not by the sender's ISP: the same value, 2861906, appears on the Netfirms failure notice and on the spam, so it identifies our hosting account, not the spammer's subscription.) Every ISP is allocated a finite number of IP addresses, which it hands out to subscribers as they connect to the service. Since an ISP has more customers than IP addresses, only its own connection logs can map an IP address plus a timestamp back to the account that was using it, which is why the complaint must give the IP, the exact time with its time zone, and the full headers. Once notified, the ISP checks those logs to confirm that the offending connection actually took place. Most times the subscriber is not aware that their computer is under the control of hackers who are using it for their own purposes. Clues: the computer is slower than normal, and there is a lot of internet activity while it is idle. This places a higher than normal load on the ISP's service and may result in extra charges for excessive bandwidth use.
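The procedure above, as an added example that is not code from the original post: walk the Received: chain of the spam to find the hop that handed it to our own relay, then package the complaint so that it carries the evidence without itself looking like spam. The function names, the trusted-relay suffix and the sample message are assumptions; the sample is reconstructed from the headers quoted on this page, with the spoofed sender address (which the page shows stripped) filled in.

```python
"""Trace the hop that handed a spoofed message to our relay, then package an
abuse report so that the complaint itself does not look like spam.

Added example, not the post's own code.  Function names, the trusted-relay
suffix and the sample message are assumptions (sample reconstructed from the
headers quoted on the page).
"""
import ipaddress
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parsedate_to_datetime

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# Constructed sample: the spam's headers as quoted on the page.  Relays
# prepend Received: lines, so the most recent hop comes first.
SAMPLE_SPAM = """\
Received: (qmail 18200 invoked from network); 15 Nov 2010 18:07:00 -0000
Received: from 94.96.26.15.dynamic.saudi.net.sa (HELO ?2.90.197.155?)
 (memberids:?2861906@94.97.26.15) by q3-in-norm.netfirms.com with SMTP;
 15 Nov 2010 18:07:00 -0000
From: Order Real Pfizer <accounting@becometheboss.net>
To: accounting@becometheboss.net
Reply-To: accounting@becometheboss.net
Subject: Hi accounting, Best Deals. University descent American of
Content-Type: text/plain; charset=ISO-8859-1

Cheapest Pills. Click here
"""


def parse_received(value):
    """Split one Received: header into rDNS name, HELO, connecting IP,
    receiving host and date.  Handles the '(...@ip)' form the page's relay
    writes and the '[ip]' form most MTAs write; lines with no 'from' clause
    (qmail's '(qmail NNN invoked from network)') return None."""
    value = " ".join(value.split())
    m = re.match(r"from\s+(\S+)(.*?)\s+by\s+(\S+)(.*?);\s*(.*)$", value)
    if not m:
        return None
    rdns, extra, by_host, _, date = m.groups()
    ip = (re.search(r"@(" + IPV4 + r")\)", extra)
          or re.search(r"\[(" + IPV4 + r")\]", extra))
    helo = re.search(r"HELO\s+\??([^\s?)]+)", extra)
    # Access-network rDNS names usually embed the IP; if that differs from
    # the connecting IP (94.96.26.15 vs 94.97.26.15 on the page) the name is
    # unreliable and only the connecting IP should be reported.
    embedded = re.match(IPV4, rdns)
    try:
        when = parsedate_to_datetime(date).isoformat()
    except (TypeError, ValueError):
        when = date
    return {
        "ip": ip.group(1) if ip else None,
        "rdns": rdns,
        "helo": helo.group(1) if helo else None,
        "by": by_host,
        "timestamp": when,
        "rdns_consistent": (embedded.group(0) == ip.group(1)
                            if embedded and ip else None),
    }


def trace_origin(raw_message, trusted_suffix="netfirms.com"):
    """Walk the chain from our own relay downwards and return the last hop
    stamped by a trusted host that has a public connecting IP.  The walk
    stops at the first hop not stamped by a trusted host: everything beneath
    it may have been written by the sender, and private IPs are skipped."""
    msg = message_from_string(raw_message, policy=policy.default)
    origin = None
    for header in msg.get_all("Received", []):
        hop = parse_received(str(header))
        if hop is None:
            continue
        if not hop["by"].endswith(trusted_suffix):
            break
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_global:
            origin = hop
    return origin


def build_abuse_report(raw_message, origin, to_addr, from_addr):
    """Plain-text complaint with the evidence attached as message/rfc822.
    Subject and body name only the IP and timestamp; the spam's subject and
    'Cheapest Pills' text stay inside the attachment instead of being pasted
    inline, which is what earned the page's complaint its 554 rejection."""
    report = EmailMessage()
    report["From"] = from_addr
    report["To"] = to_addr
    report["Subject"] = (f"Abuse report: unsolicited mail from {origin['ip']} "
                         f"at {origin['timestamp']}")
    report.set_content(
        "The host below connected to our mail relay and sent unsolicited mail "
        "with a forged sender in our domain.  The complete original message, "
        "headers included, is attached.\n\n"
        + "\n".join(f"{k}: {v}" for k, v in origin.items())
    )
    report.add_attachment(message_from_string(raw_message, policy=policy.default))
    return report


if __name__ == "__main__":
    hop = trace_origin(SAMPLE_SPAM)
    print(hop)
    print(build_abuse_report(SAMPLE_SPAM, hop, "abuse@saudi.net.sa",
                             "subscriptions@becometheboss.net").as_string())
```

On the page's sample this returns connecting IP 94.97.26.15, HELO 2.90.197.155 and a timestamp of 2010-11-15 18:07:00 UTC, flags the rDNS name as inconsistent with the IP, and ignores the memberids: tag entirely, since it belongs to the receiving account. The trusted-suffix check matters: a spammer can prepend fake Received: lines below the one your relay wrote, so only hops stamped by your own hosts are believed.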

As you read below, you will see the links are to a site in Russia. From my observations over the past few years, the Russian Mafia has been working with the Chinese, coordinating phishing and spear-phishing attacks by email. Their method has been very effective; see my article Report Details Hacks Targeting Google, Others. The reason it is so effective is that spam filters and address-book whitelists generally will not label mail that appears to come from your own address, or from an address in your own domain, as spam, and forging the From: line costs the sender nothing unless the receiving server checks the domain's SPF record or a DKIM signature. Combine this with human nature, which is generally curious, and you will end up infected with viruses or have your identity stolen without your knowledge.

Hopefully you will find this information useful and that it helps you fight back against spammers, hackers, cyber-criminals and cyber-terrorists.

-------- Original Message --------
From: - Mon Nov 15 18:59:49 2010
X-Account-Key: account9
X-UIDL: 000000324cdceb04
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
X-Spam-Status: no
X-Spam-Info: score=0.13 cutoff=0.50 score_sa=0.00 cutoff_sa=0.00
NF-Message-ID: 1289860075.14263.q2
Received: (qmail 14261 invoked from network); 15 Nov 2010 22:27:55 -0000
Received: from nf-arin-block (HELO mx-relay.netfirms.com) (memberids:?2861906@67.23.128.168) by q2-in-norm.netfirms.com with SMTP; 15 Nov 2010 22:27:55 -0000
X-Remote-Host: nf-arin-block
X-RBL-Msg: none
Received: (qmail 31515 invoked for bounce); 15 Nov 2010 22:27:55 -0000
Date: 15 Nov 2010 22:27:55 -0000
From: MAILER-DAEMON@mx-relay.netfirms.com
To: subscriptions@becometheboss.net
Subject: failure notice


Hi. This is the qmail-send program at mx-relay.netfirms.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

abuse@saudi.net.sa:
212.118.133.118 failed after I sent the message.
Remote host said: 554 rejected due to spam content

--- Below this line is a copy of the message.

Return-Path: subscriptions@becometheboss.net
Received: (qmail 31243 invoked from network); 15 Nov 2010 22:27:53 -0000
Received: from unknown (HELO ?192.168.x.xxx?) (subscriptions@becometheboss.net@xx.xxx.xxx.xx)
  by q1-relay-norm.netfirms.com with SMTP; 15 Nov 2010 22:27:53 -0000
X-Remote-Host: unknown
X-RBL-Msg: none
Message-ID: <4CE1B3E7.6060907@becometheboss.net>
Date: Mon, 15 Nov 2010 17:27:51 -0500
From: philip subscriptions@becometheboss.net
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.15) Gecko/20101026 SUSE/2.0.10-0.7.1 SeaMonkey/2.0.10
MIME-Version: 1.0
To: abuse@saudi.net.sa
Subject: Hi accounting, Best Deals. University descent American of
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Dear Sir/Madame,

The computer located at IP 94.97.26.15 and identified as 
94.96.26.15.dynamic.saudi.net.sa (HELO ?2.90.197.155?) 
(memberids:?2861906@94.97.26.15) is being used to spoof our email 
address for the purpose of spamming us. The computer identified may be 
under the control of the Russian Mafia and/or Chinese agents. See 
original message below for details. Please investigate.

TIA for your assistance in this matter,

Philip

-------- Original Message --------
From: - Mon Nov 15 17:21:15 2010
X-Account-Key: account9
X-UIDL: 000000314cdceb04
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
X-Spam-Status: no
X-Spam-Info: score=0.50 cutoff=0.50 score_sa=0.00 cutoff_sa=0.00
NF-Message-ID: 1289844420.18291.q3
Received: (qmail 18200 invoked from network); 15 Nov 2010 18:07:00 -0000
Received: from 94.96.26.15.dynamic.saudi.net.sa (HELO ?2.90.197.155?)
(memberids:?2861906@94.97.26.15) by q3-in-norm.netfirms.com with SMTP;
15 Nov 2010 18:07:00 -0000
X-Remote-Host: 94.96.26.15.dynamic.saudi.net.sa
X-RBL-Msg: none
From: Order Real Pfizer
To: accounting@becometheboss.net
Reply-To: accounting@becometheboss.net
Subject: Hi accounting, Best Deals. University descent American of
Mime-Version: 1.0
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit


View Mobile | View Webpage

Cheapest Pills. Click here

PLEASE DO NOT REPLY TO THIS MESSAGE.
This is a system-generated Newsletter email. Replies will not be read or
forwarded for handling.

This message was sent to accounting@becometheboss.net.

Contact Us | Unsubscribe | Update Email Address | Privacy Policy

Copyright 2010 be if the. All rights reserved.