OT - has my email domain been hijacked?

kevin.kempter at dataintellect.com kevin.kempter at dataintellect.com
Wed Sep 14 22:45:50 UTC 2005


On Wednesday 14 September 2005 14:16, jdow wrote:
> Kevin, it's called a "Joe Job". It is exceptionally common. Headers in
> email are pathetically easy to forge as far as the ones that existed
> while the email was still on the sender's machines. Often if you trace
> the received headers you find "discontinuities" in the chain if the
> spammer bothered to forge them anymore. This is one of the things that
> automated tools like SpamAssassin have gotten pretty good at finding.
> The spammers are into cleverer tricks these days. Spammers still use
> the "Joe Job", the forged sender, most of the time. I use it as one of
> my customized SpamAssassin rules, as a matter of fact. It's part of a
> set of rules and meta rules that can work on my addresses.
>
> {^_^}    Joanne
> ----- Original Message -----
> From: <kevin.kempter at dataintellect.com>
>
> > Returned mail: User unknown
> > Hi List;
> >
> > I keep getting emails similar to the text below. I/We own the domain
> > dataintellect.com and we have email addresses set up; however, I always
> > see a bogus dataintellect.com email address as the sender.
> >
> > -or is this simply a random spam email?
> >
> > Thanks in advance for any advice...
> >
> >
> > ================================================
> >
> > From:
> > Mail Delivery Subsystem <MAILER-DAEMON at aol.com>
> >  To:
> > carina_x at dataintellect.com
> >  Date:
> > Today 13:31:26
> >
> >  Spam Status: Spamassassin 0% probability of being spam.
> >
> > Full report:
> > No, score=0.0 required=5.0 tests=AWL,BAYES_50 autolearn=no  version=3.0.4
> > The original message was received at Wed, 14 Sep 2005 15:31:23 -0400
> > (EDT) from client-201.230.112.161.speedy.net.pe [201.230.112.161]
>
> ... Lots of incidentalia removed
>
> > Received: from  client-201.230.112.161.speedy.net.pe
> > (client-201.230.112.161.speedy.net.pe [201.230.112.161]) by
> > rly-yg02.mx.aol.com (v107.10) with ESMTP id
> > MAILRELAYINYG23-26f43287a8232f;
> > Wed, 14 Sep 2005 15:31:21 -0400
> > Received: from mail.strawberrysampler.com ([64.118.71.80]) by
> > 201.230.112.161
> > with ESMTP id 4868741;
> >         Wed, 14 Sep 2005 19:21:59 -0100
> > Received: (qmail 73986 invoked by uid 5164); Date: Wed, 14 Sep 2005
> > 19:21:59
> > -0100
> > Date: Wed, 14 Sep 2005 19:21:59 -0100
> > Message-ID: <20050914.68664.carina_x at dataintellect.com>
> > From: "Men of Focus" <carina_x at dataintellect.com>
> > Sender: carina_x at dataintellect.com
>
>           ^^^^^^^^^^^^^^^^^^^^^^^^^^ Pure forgery. You can do that even
> with Outlook Express.
>
> > To: acardi at cs.com, adorablealicia at cs.com, aclaudet at cs.com,
> > acarter5 at cs.com,
> >        acrader at cs.com
>
> ... More stuff removed

Thanks for the info.

Can you send me info on what a SpamAssassin filter to catch these will need to
look like?
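
Added example, not part of the original thread and not anyone's actual SpamAssassin rule set: a Python check that applies the Received-chain reasoning from the quoted reply. It trusts only the header written by a known relay and flags hops that do not connect. The first two Received lines are condensed from the bounce above; the third hop, the From address, `ourdomain.example`, and the outbound IP `192.0.2.25` are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the first two Received lines are condensed from the bounce
# quoted above; the third hop, the From address and 192.0.2.25 are invented.
SAMPLE = """\
Received: from client-201.230.112.161.speedy.net.pe (client-201.230.112.161.speedy.net.pe [201.230.112.161]) by rly-yg02.mx.aol.com with ESMTP; Wed, 14 Sep 2005 15:31:21 -0400
Received: from mail.strawberrysampler.com ([64.118.71.80]) by 201.230.112.161 with ESMTP id 4868741; Wed, 14 Sep 2005 19:21:59 -0100
Received: from mx.example.net ([192.0.2.7]) by relay.example.org with SMTP; Wed, 14 Sep 2005 19:21:50 -0100
From: "Men of Focus" <someone@ourdomain.example>

(body omitted)
"""

# "from <HELO name> (<optional rDNS> [<IP>]) by <receiving host>"
HOP = re.compile(r"from\s+(\S+)\s+\(.*?\[([\d.]+)\]\)\s+by\s+(\S+)")

def parse_hops(raw):
    """Return relay hops, newest first, as dicts with 'from', 'ip' and 'by'."""
    hops = []
    for header in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(header.split()))  # unfold continuation lines
        if m:
            hops.append({"from": m.group(1).lower(), "ip": m.group(2), "by": m.group(3).lower()})
    return hops

def audit(raw, trusted_suffix, own_domain, own_ips):
    """Report a forged sender domain and breaks in the Received chain."""
    hops, findings = parse_hops(raw), []
    sender = parseaddr(message_from_string(raw)["From"])[1].lower()
    # Only the header written by a relay we trust is reliable; everything
    # below it existed on the sender's side and may be forged.
    edge = next((h for h in hops if h["by"].endswith(trusted_suffix)), None)
    if edge and sender.endswith("@" + own_domain) and edge["ip"] not in own_ips:
        findings.append(f"forged sender: {edge['by']} received it from {edge['ip']}")
    # In a genuine chain the host that wrote the older header is the host
    # the next relay says it received the message from.
    for newer, older in zip(hops, hops[1:]):
        if older["by"] not in (newer["from"], newer["ip"]):
            findings.append(f"discontinuity below {newer['from']}: header written by {older['by']}")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE, ".aol.com", "ourdomain.example", {"192.0.2.25"}):
        print(line)
```

The first two hops connect (the older header was written by 201.230.112.161, the address the AOL relay recorded), so a sender can keep a forged chain consistent; the connecting IP recorded by the trusted relay is the part that cannot be faked.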