Sat May 14 23:40:18 PDT 2005: We are getting tons of bounces from what feels like another MICROSOFT virus. Most of the messages have a German "Read this yourself:" ("Lese selbst:") and typically a URL to some German-language web site that carries hate messages. Here is some information, and more and more. I guess this really is an astro-turfing MICROSOFT virus.
Thank you for reading this page. If you are here, it is probably because you got spam claiming to be from WSRCC. Please let us reassure you: we are VERY anti-spam and would never send spam. We do report every piece of incoming spam to the originator's abuse department. Unfortunately, this leads to the situation where we sometimes send the spam reports to the very company doing the spamming. Some small percentage of these companies will try to get even with us by forging our name in the From-line of the next spam mailings they send out. In the anti-spam community this is called a joe-job. So far we've been lucky and have never gotten a full-blown joe-jobbing with hundreds of thousands of messages bearing our name. We do, however, get a continual trickle of reports for forged spam.
If you get mail claiming to be from WSRCC, please look at the headers carefully. You should see one or more "Received:" lines at the top of the message. The top-most "Received:" line lists the machine that your machine really received the mail from. If that top machine does not have a *.wsrcc.com name, then the mail did not really come from WSRCC. We do not make use of any machines outside of the WSRCC domain for sending our mail out.
Return-Path: <xxnetico801_corp@charlotte.dontspam.wsrcc.com>
Received: from falke.kt1.tu-harburg.de ([134.28.44.4])
          by mtiwgwc30.worldnet.att.net
          (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP
          id <20020516224430.DZCB13509.mtiwgwc30.worldnet.att.net@falke.kt1.tu-harburg.de>;
          Thu, 16 May 2002 22:44:30 +0000
Received: from 192.168.1.100 (h-64-105-237-170.CHCGILGM.covad.net
          [64.105.237.170]) by falke.kt1.tu-harburg.de with ESMTP (8.9.3
          (PHNE_25183)/8.7.1) id XAA11740; Thu, 16 May 2002 23:44:14 +0100 (WETDST)
Message-ID: <00002aee6536$000076a2$000070f0@imc1.mailgate.sykes.com>
To: spam.victim@XXX.com
From: "branden" <xxnetico801_corp@charlotte.dontspam.wsrcc.com>
Subject: Major MLM pre-launch/Top Positions Available/$395
Date: Thu, 16 May 2002 20:58:10 -1600
MIME-Version: 1.0
Content-Type: text/plain;
          charset="Windows-1252"
Content-Transfer-Encoding: 7bit

If you have strong MLM leadership experience,
and understand the responsibilities necessary
during a pre-launch, please reply.
Company is headed up by experienced Corporate
leaders. Multi-million dollar backing and
commitments are already complete for launch.
Promotion will begin in June with Full page USA Today
ads and nationwide 10 to 15 major cities launch tour.
If you are seriously qualified to participate, please
call 415-634-XXXX with your name, phone number
AND EMAIL address.
Serious Inquiries Only Please.
to un-subscribe, email: xxxcservices@btamail.net.cn
The first hint that something is amiss in the above example is the fact that the topmost "Received" line shows the mail coming from "falke.kt1.tu-harburg.de ([134.28.44.4])". The second is that the body of the message mentions a reply address of "cservices@btamail.net.cn". Needless to say, WSRCC has no relationship with either tu-harburg.de in Germany or btamail.net.cn in mainland China. Furthermore, we don't use either of their machines for mail (or anything else for that matter). There is also no user called Branden here and no account by the name of netico801_corp either. It is all fictional.
In the above instance the people at tu-harburg.de have misconfigured their machine to relay mail for anyone on the Internet. Spammers regularly check for this kind of mistake, and if the machine is willing to relay for them, they are willing to abuse it. This tu-harburg machine is a well-known spam source and is in various anti-spam databases. A mailer that made use of these free databases would never even accept this mail. The fact that the above spam victim even got the spam shows that their ISP wasn't doing a very good job of filtering even the most obvious spam for them.
To check up and see if the machine you got the spam from is a known spam source, check the top-most Received line and punch that IP address into the box at the top of this page. If the machine is listed, you might ask some pointed questions of your ISP as to why they are accepting email from known spam sources.
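The header check and the database lookup described above can be scripted. The following is an added example, not code from WSRCC: the function names, the abbreviated sample headers and the blocklist zone "dnsbl.example.org" are assumptions made for illustration, and no network lookup is performed.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: abbreviated headers of the forged message shown above.
SAMPLE = """\
Return-Path: <xxnetico801_corp@charlotte.dontspam.wsrcc.com>
Received: from falke.kt1.tu-harburg.de ([134.28.44.4])
\tby mtiwgwc30.worldnet.att.net with ESMTP;
\tThu, 16 May 2002 22:44:30 +0000
Received: from 192.168.1.100 (h-64-105-237-170.CHCGILGM.covad.net
\t[64.105.237.170]) by falke.kt1.tu-harburg.de with ESMTP;
\tThu, 16 May 2002 23:44:14 +0100
From: "branden" <xxnetico801_corp@charlotte.dontspam.wsrcc.com>
Subject: Major MLM pre-launch/Top Positions Available/$395

(body omitted)
"""

def top_received(raw):
    """Return (name, ip) from the topmost Received: line, the only one written
    by the recipient's own mail server; lower ones can be forged by the sender."""
    hops = message_from_string(raw).get_all("Received") or []
    if not hops:
        return None, None
    top = " ".join(hops[0].split())  # unfold continuation lines
    name = re.match(r"from\s+(\S+)", top)
    # Some servers log the name the sender announced; the bracketed IP is
    # the address the connection actually came from.
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", top)
    return (name.group(1).lower() if name else None,
            ip.group(1) if ip else None)

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def is_forged_from(raw, domain="wsrcc.com"):
    """True when From: claims `domain` but the delivering host is outside it."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    name, _ = top_received(raw)
    claimed = in_domain(addr.lower().rpartition("@")[2], domain)
    return claimed and not (name is not None and in_domain(name, domain))

def dnsbl_query_name(ip, zone="dnsbl.example.org"):
    """DNS name to look up for `ip` in a blocklist zone (placeholder zone).
    An A record means listed; NXDOMAIN means not listed."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone
```

Feed the second element of `top_received()` to `dnsbl_query_name()` with the zone of whichever blocklist your mail server actually consults.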
If you get stuck trying to unravel all this, by all means please send any spam that mentions WSRCC to "abuse" at this domain. Be sure to include the full headers. We'll figure out where the report should be forwarded to and forward it for you.
Thanks again for complaining about spam! Most folks just hit delete and hope the next guy will take the time to complain. It is good to see that not everybody does that.
-wolfgang
wolfgang.rupprecht+web@gmail.com
(Wolfgang S. Rupprecht)