[sdiy] Help - I am being mailbombed
Julian
julian at 22host24.com
Fri Aug 29 19:17:55 CEST 2003
if it really becomes a problem, the ip address of the machine sending you the
mails can be seen from the headers. this machine is evidently the one
infected.
it is possible for those administering your mailserver (your isp?) to simply
block this ip address (that will of course mean that you won't be able to
receive legitimate mails from the user of the machine, but in a week or so
maybe they will have sorted it out, thus a temporary block might be useful)
unfortunately, as the senders' addresses are being spoofed, a simple block on
your email client, unless it can work with ips, will not be any good.
i think that's all correct.. hope it may be of some help
julian
----- Original Message -----
From: <jhaible at debitel.net>
To: <synth-diy at dropmix.xs4all.nl>
Sent: Friday, August 29, 2003 5:07 PM
Subject: [sdiy] Help - I am being mailbombed
Hi,
sorry for the OT post. But:
I have a serious problem - someone is literally mailbombing me.
I'm not talking about the usual spam, and not about the occasional
virus mails either.
What I get is a multitude of mails with a 100k attachment, disguised
as a *.pif file, but actually an *.exe file. These mails come with
different subject lines, and with different (faked) send addresses.
I am definitely not infected with a virus (I've checked with a daily
updated virus scanner), but I'm getting these hundreds of virus mails,
all of 100k size.
Now I have saved a few of these mails and collected their headers,
and they seem to come all from the same source:
(HELO LTERPENING) (68.153.49.25)
See the full headers of 4 such mails at the end of this mail.
I know there are experts on our list who have the skill to trace
down the source of this attack. Personally I'm quite dumb when it
comes to software / internet stuff (A colleague here in the office
showed me where to look for the source of the email in the header,
but he does not know how to actually trace down the sender.)
Either somebody has a virus on his computer and my email address
is the target for this virus more than others,
or somebody is intentionally mailbombing me.
Sometimes email addresses of synth-diy listmembers have been used
as faked sender's address in these 100k virus mails, but most
faked addresses are unknown to me.
I also got two mails from (real) persons who gave me a virus warning;
so apparently there are also virus mails under way which use my
address as a fake sender's address. But as I said, my computer
is tested with the latest virus patterns, and not infected.
Now, can somebody trace the source of these mails for me?
Or tell me how to do it myself?
Thanks in advance,
JH.
4 of these mail headers:

Return-Path: <djalone at houston.rr.com>
Delivered-To: jhaible at debitel.net
Received: (qmail 14777 invoked from network); 29 Aug 2003 16:33:40 +0200
Received: from unknown (HELO LTERPENING) (68.153.49.25)
  by mail2.dnsg.net with SMTP; 29 Aug 2003 16:33:40 +0200
From: <djalone at houston.rr.com>
To: <jhaible at debitel.net>
Subject: Re: Re: My details
Date: Fri, 29 Aug 2003 9:36:02 --0500
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="_NextPart_000_24DA31A0"
Message-ID: <20030829143340.13930.qmail at mail2.dnsg.net>

Return-Path: <Hobbyha at aol.com>
Delivered-To: jhaible at debitel.net
Received: (qmail 14801 invoked from network); 29 Aug 2003 16:56:53 +0200
Received: from unknown (HELO LTERPENING) (68.153.49.25)
  by mail2.dnsg.net with SMTP; 29 Aug 2003 16:56:53 +0200
From: <Hobbyha at aol.com>
To: <jhaible at debitel.net>
Subject: Re: Wicked screensaver
Date: Fri, 29 Aug 2003 9:59:15 --0500
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="_NextPart_000_24EF7431"
Message-ID: <20030829145653.14160.qmail at mail2.dnsg.net>

Return-Path: <marty.welch at dana.com>
Delivered-To: jhaible at debitel.net
Received: (qmail 15650 invoked from network); 29 Aug 2003 17:21:19 +0200
Received: from unknown (HELO LTERPENING) (68.153.49.25)
  by mail1.dnsg.net with SMTP; 29 Aug 2003 17:21:19 +0200
From: <marty.welch at dana.com>
To: <jhaible at debitel.net>
Subject: Re: Your application
Date: Fri, 29 Aug 2003 10:23:41 --0500
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="_NextPart_000_2505D263"
Message-ID: <20030829152119.15329.qmail at mail1.dnsg.net>

Return-Path: <marty.welch at dana.com>
Delivered-To: jhaible at debitel.net
Received: (qmail 15650 invoked from network); 29 Aug 2003 17:21:19 +0200
Received: from unknown (HELO LTERPENING) (68.153.49.25)
  by mail1.dnsg.net with SMTP; 29 Aug 2003 17:21:19 +0200
From: <marty.welch at dana.com>
To: <jhaible at debitel.net>
Subject: Re: Your application
Date: Fri, 29 Aug 2003 10:23:41 --0500
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="_NextPart_000_2505D263"
Message-ID: <20030829152119.15329.qmail at mail1.dnsg.net>
-------------------------------------------------
debitel.net Webmail
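
Added example (not part of the original thread): grouping saved messages by the connecting IP that the recipient's own mail server recorded in its qmail-style Received line, which is the only hop the sender cannot forge, while Return-Path and From vary freely. The function names, the recipient.example MX suffix and all sample addresses and IPs are constructed for illustration.

```python
import re
from collections import defaultdict
from email import message_from_string

# qmail hop format as in the headers above:
#   from <rdns> (HELO <name>) (<ip>) by <receiving host> with SMTP; <date>
HOP = re.compile(
    r"from\s+\S+\s+\(HELO\s+([^)]+)\)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(\S+)")

def trusted_hop(raw, mx_suffix):
    """Return (ip, helo) from the topmost Received line written by our MX.

    Received lines are prepended, so the first match from the top is the one
    our server added; anything below it was supplied by the sender.
    """
    msg = message_from_string(raw)
    for received in msg.get_all("Received", []):
        m = HOP.search(received)
        if m and m.group(3).lower().endswith(mx_suffix):
            return m.group(2), m.group(1)
    return None

def group_by_source(raws, mx_suffix):
    """Map connecting IP -> message count, HELO names and claimed senders."""
    groups = defaultdict(lambda: {"count": 0, "helo": set(), "senders": set()})
    for raw in raws:
        hop = trusted_hop(raw, mx_suffix)
        if hop is None:
            continue
        ip, helo = hop
        groups[ip]["count"] += 1
        groups[ip]["helo"].add(helo)
        groups[ip]["senders"].add(message_from_string(raw)["Return-Path"])
    return dict(groups)

def sample(sender, ip, forged=""):
    """Constructed header block in the same layout as the ones in the post."""
    return (f"Return-Path: <{sender}>\n"
            "Received: (qmail 1000 invoked from network); 29 Aug 2003 16:33:40 +0200\n"
            f"Received: from unknown (HELO WORKSTATION1) ({ip})\n"
            "  by mx1.recipient.example with SMTP; 29 Aug 2003 16:33:40 +0200\n"
            f"{forged}From: <{sender}>\nSubject: Re: constructed sample\n\n")

# A forged lower Received line that even claims our MX must be ignored.
FORGED = ("Received: from unknown (HELO RELAY) (198.51.100.7)\n"
          "  by mx1.recipient.example with SMTP; 29 Aug 2003 16:00:00 +0200\n")
SAMPLES = [sample("a@one.example", "203.0.113.25"),
           sample("b@two.example", "203.0.113.25", FORGED),
           sample("c@three.example", "192.0.2.9")]

if __name__ == "__main__":
    for ip, g in group_by_source(SAMPLES, "recipient.example").items():
        print(ip, g["count"], sorted(g["helo"]), sorted(g["senders"]))
```
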