11-Apr-2011

Identity Theft
Since yesterday there seem to be quite a few messages around that use my email address in Return-Path:, From: (as the real address behind a nickname) or Reply-To:. I _know_ these messages don’t come from my site, since they all lack the address of my mail server.

For example (the recipient's email address has, of course, been removed):

Return-Path: <willem@grootersnet.nl>
Received: from [93.62.200.186] (93-62-200-186.ip24.fastwebnet.it [93.62.200.186])
by mx1.xxx.xx (8.13.1/8.13.1) with ESMTP id p3B88VmN013149
for <xxx@xxx.xx>; Mon, 11 Apr 2011 10:08:31 +0200
Message-ID: <c61a10a054ccaae438328276ee88c61a(JFR4IU1>
From: "clementius zhigang" <willem@grootersnet.nl>
To: "dionisio kaveh" <xxxx @xxx.xx>

Received: from [151.56.14.97] ([151.56.14.97] verified)
by post.yyyy.yy (CommuniGate Pro SMTP 4.2.8)
with ESMTP id 60263607 for yyyy@yyyy.yy; Mon, 11 Apr 2011 10:05:26 +0200
Date: 11 Apr 2011 08:31:04 +0100
From: "lane jamie" <willem@grootersnet.nl>
X-Priority: 3
Message-ID: <503249808.201104110902@grootersnet.nl>
To: "car zhigang" <yyyy@yyyy.yy>

This way you may end up in any spam database, through no fault of your own.

The addresses these messages were sent from are as follows, if I read the headers correctly:

from [93.62.200.186] (93-62-200-186.ip24.fastwebnet.it [93.62.200.186])
from [151.56.14.97] ([151.56.14.97] verified)
from [84.14.117.130] (HELO host.86.241.23.62.rev.coltfrance.com)
from [208.124.242.230] ([208.124.242.230] verified)
from 15.Red-80-36-135.staticIP.rima-tde.net (80.36.135.15)
from [116.68.64.53] ([116.68.64.53])
from [95.76.105.228] (unknown [95.76.105.228])
from [151.56.14.97] (unknown [151.56.14.97])
from [117.194.41.73] (unknown [117.194.41.73]) (this is a tricky one)
from [194.152.245.26] (unknown [194.152.245.26])
from [117.194.41.73] [117.194.41.73]
from LSt-Amand-152-31-19-235.w193-253.abo.wanadoo.fr ([193.253.222.235])

and that may hold a clue to the originator of the message.

If a mail originates from my site, it will ALWAYS carry my mail server as a receiver: either the server itself, if I use the web mail client, or the site's mail server, as described on this page.
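A check that applies this rule, added here as an example and not code from the original post: it parses a message's Received: headers and flags the sender as forged when none of the hops is a server of the domain claimed in From:, Return-Path: or Reply-To:. The server table and both sample messages are constructed placeholders, since the post does not name the real mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed mapping: sender domain -> hostnames of its real mail servers.
# Placeholder names; the post does not name the author's actual server.
LEGIT_SERVERS = {"example.invalid": {"mail.example.invalid", "webmail.example.invalid"}}
_FROM_HOST = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
_BY_HOST = re.compile(r"\sby\s+(\S+)", re.IGNORECASE)

def received_hosts(raw):
    """(from_host, by_host) per Received: header, newest hop first."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        flat = " ".join(hdr.split())  # unfold the header onto one line
        m_from, m_by = _FROM_HOST.match(flat), _BY_HOST.search(flat)
        hops.append((m_from.group(1) if m_from else "", m_by.group(1) if m_by else ""))
    return hops

def claimed_domains(raw):
    """Domains asserted in the three headers the post says were forged."""
    msg = message_from_string(raw)
    addrs = (parseaddr(msg.get(h, ""))[1] for h in ("From", "Return-Path", "Reply-To"))
    return {a.rpartition("@")[2].lower() for a in addrs if "@" in a}

def is_forged_sender(raw):
    """True when a claimed domain we know never appears in the Received:
    chain, i.e. the mail never passed through that site's own server."""
    seen = {h.lower().strip("[]") for hop in received_hosts(raw) for h in hop}
    return any(legit and not (seen & legit)
               for legit in map(LEGIT_SERVERS.get, claimed_domains(raw)))

# Constructed samples. FORGED has the shape of the headers quoted in the
# post: a foreign host delivers straight to the recipient's MX.
FORGED = """\
Return-Path: <someone@example.invalid>
Received: from [192.0.2.10] (host.isp.invalid [192.0.2.10])
\tby mx1.recipient.invalid (8.13.1/8.13.1) with ESMTP id xyz789
From: "clementius zhigang" <someone@example.invalid>
To: <user@recipient.invalid>
"""
GENUINE = """\
Received: from mail.example.invalid (mail.example.invalid [198.51.100.5])
\tby mx1.recipient.invalid (8.13.1/8.13.1) with ESMTP id abc123
Received: from [10.0.0.7] (unknown [10.0.0.7])
\tby mail.example.invalid (Postfix) with ESMTPSA id def456
From: Someone <someone@example.invalid>
To: <user@recipient.invalid>
"""
```

The check only says the mail never touched the domain's own server; a hop that names the server can itself be forged, so it is a triage signal, not proof of origin.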

I’m not sure yet what the next step might be. Post the whole bunch to the police and let them have it? Because accessing each postmaster, or domain owner, is way too much work – and at times even POSTMASTER@target.domain does not exist (despite the fact that the standard prescribes the identity…)
