Once again, inboxes are overflowing with undeliverable mail notices. As usual, the “returned” messages were never sent by the recipient of the returned mail message.

Here’s a zombie-sent message currently making the rounds, with a bit of reformatting to conserve space:

Subject: Grainbait Hot New IPO! Should Explode!

The beaten path is safest.

This new IPO stock GRDX. They just started trading this one like 2 days ago. It’s already almost doubled in just 2 days! My Husband is really excited about this stock. Say’s it could make us some really BIG money. You guys should check it out. Just spreading the wealth ;)

Go to http://www.otcbb.com and check symbol : GRDX you will see how big the growth is :)

A problem shared is a problem halved.

All promises are either broken or kept. . Silence is an excellent remedy against slander. . Two heads are better than one. . The receiver is as bad as the thief. .
Actions speak louder than words.

What do you expect from a pig, but a grunt?

.Home is where you hang your @. . Fax is stranger than fiction. . You made your bed, now you must lie in it. .
At a round table there’s no dispute about the place. . A chain is no stronger than its weakest link. . Faint heart never won fair lady. .

Fresh as a daisy. . Rome wasn’t built in a day. . A miss is as good as a mile. .

The first word in the subject line is variable. Sometimes it’s a random or nonsense word; other times it’s the recipient’s name. The body copy is stuffed with odd quotes and punctuation in an attempt to throw off statistical content filters. Note the automated copy variations:

Great groups from little icons grow.

This new IPO stock GRDX. They just started trading this one like 2 days ago. It’s already almost doubled in just 2 days! My Husband is really excited about this stock. Say’s it could make us some really BIG money. You guys should check it out. Just spreading the wealth ;) Go to http://www.otcbb.com and check symbol : GRDX you will see how big the growth is :)

Wisdom is neither inheritance nor a legacy.

Nothing dries sooner than a tear. . One man’s meat is another man’s poison. . Absence makes the heart grow fonder. . Don’t rely on the label on the bag. . It takes two to have an argument.

It’s an old dog for a hard road.

.Two cannot fall out if one does not choose. . Little and often fill the purse. . It’s all in a days work. .
As sick as a dog. . Wisdom is the wealth of the wise. . A fool and his money are soon parted. .

Experience is the father of wisdom. . A spark can start a great fire. . Do right and fear no man. .
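The padding above is aimed at statistical filters, so a useful defensive response is to strip it before scoring or fingerprinting the message. The following added example (not code from the original post) does that: it treats a line as proverb filler when it has no URL, digit, ticker-like token or emoticon and consists only of short sentences, normalizes what remains, and hashes it. The two variant bodies are constructed inputs modelled on the quoted copy; the heuristics (the ten-word sentence limit, the ticker regex) are assumptions chosen for this sample, not a published rule.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed inputs modelled on the two pump-and-dump variants quoted above:
# the same pitch, padded with different proverbs. Not a real mail capture.
VARIANT_A = """The beaten path is safest.

This new IPO stock GRDX. They just started trading this one like 2 days ago. It's already almost doubled in just 2 days! My Husband is really excited about this stock. Say's it could make us some really BIG money. You guys should check it out. Just spreading the wealth ;)

Go to http://www.otcbb.com and check symbol : GRDX you will see how big the growth is :)

A problem shared is a problem halved.

All promises are either broken or kept. . Silence is an excellent remedy against slander. . Two heads are better than one. .
Actions speak louder than words.
"""

VARIANT_B = """Great groups from little icons grow.

This new IPO stock GRDX. They just started trading this one like 2 days ago. It's already almost doubled in just 2 days! My Husband is really excited about this stock. Say's it could make us some really BIG money. You guys should check it out. Just spreading the wealth ;) Go to http://www.otcbb.com and check symbol : GRDX you will see how big the growth is :)

Wisdom is neither inheritance nor a legacy.

Nothing dries sooner than a tear. . One man's meat is another man's poison. . Absence makes the heart grow fonder. .
"""

URL_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)
TICKER_RE = re.compile(r"\b[A-Z]{3,5}\b")      # assumption: stock symbols look like GRDX
EMOTICON_RE = re.compile(r"[;:]-?[)(]")
MAX_FILLER_WORDS = 10  # assumption: proverbs are short, sales-pitch sentences rarely are


def is_filler(line: str) -> bool:
    """True for a line of proverb padding: no URL, digit, ticker or emoticon,
    and made only of short sentences (the '. .' separators are tolerated)."""
    if URL_RE.search(line) or TICKER_RE.search(line) or EMOTICON_RE.search(line):
        return False
    if any(ch.isdigit() for ch in line):
        return False
    sentences = [s for s in re.split(r"[.!?]+", line) if s.strip()]
    return all(len(s.split()) <= MAX_FILLER_WORDS for s in sentences)


def strip_filler(body: str) -> Tuple[List[str], List[str]]:
    """Split a body into (kept lines, dropped filler lines), ignoring blanks."""
    kept: List[str] = []
    dropped: List[str] = []
    for line in body.splitlines():
        if not line.strip():
            continue
        (dropped if is_filler(line) else kept).append(line)
    return kept, dropped


def normalize(text: str) -> str:
    """Lowercase, drop punctuation, collapse whitespace: removes the noise the
    spammer varies (quote marks, colons, line breaks) but keeps the words."""
    text = re.sub(r"[^a-z0-9\s]", " ", text.lower())
    return " ".join(text.split())


def fingerprint(body: str) -> Dict[str, object]:
    """Fingerprint the message core so padded variants collapse to one digest,
    and pull out the indicators (URLs, tickers) worth blocking or alerting on."""
    kept, dropped = strip_filler(body)
    core = normalize(" ".join(kept))
    return {
        "digest": hashlib.sha256(core.encode()).hexdigest(),
        "urls": sorted(set(URL_RE.findall(body))),
        "tickers": sorted(set(TICKER_RE.findall(body))),
        "filler_lines": len(dropped),
    }


if __name__ == "__main__":
    a, b = fingerprint(VARIANT_A), fingerprint(VARIANT_B)
    print("same core:", a["digest"] == b["digest"])
    print("urls:", a["urls"], "tickers:", a["tickers"])
```

Both variants drop to the same digest even though one splits the pitch over two lines and the other runs it together, which is the property a filter needs to treat the whole campaign as one signature rather than scoring each proverb-salted copy afresh.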

Spotting The Message Header Tricks
The spoofees who receive the returned messages quickly notice that, at first glance, the messages do indeed appear to have been sent by them. The message header contains their legitimate email address, as well as the correct address for the spoofee’s mail server:

1. Return-Path:
2. Received: from 69-175-234-109.vnnyca.zombie_victim’s_ISP.net) (00.00.00.00)
3. by targeted_victim’s_mailserver.com.com with SMTP; 16 Mar 2005 20:58:15 -0500

4. Received: from spoofee’s_legitimate_domain.com (filter.spoofee’s_legitimate_domain.com [00.00.00.00])
5. by zombie_victim’s_domain.com with esmtp
6. id 7F5EBD7AE3 for ; Wed, 16 Mar 2005 17:58:20 -0800

Only the top Received: lines of the message header above, 2 and 3, are legitimate: they were written by the recipient’s own mail server when the connection came in, so the sender had no way to forge them. Everything else travelled inside the message and was faked by the spoofer. Those two lines reveal the address of the poor sap whose computer has been turned into a zombie.
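Reading a Received: chain by hand is error-prone, so here is an added example (not code from the original post) that automates the point just made: each mail server prepends its own Received: line, so the topmost line naming your own server as the “by” host is the one you can trust, and everything below it is sender-supplied. The header is a constructed sample modelled on the one above, with placeholder hostnames and 0.0.0.0 in place of the anonymised values.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the header shown above. Hostnames and the
# 0.0.0.0 addresses are placeholders, not real infrastructure.
SAMPLE_HEADER = """\
Return-Path: <spoofee@spoofee-legitimate-domain.example>
Received: from 69-175-234-109.vnnyca.zombie-victims-isp.example (0.0.0.0)
  by targeted-victims-mailserver.example with SMTP; 16 Mar 2005 20:58:15 -0500
Received: from spoofee-legitimate-domain.example (filter.spoofee-legitimate-domain.example [0.0.0.0])
  by zombie-victims-domain.example with esmtp
  id 7F5EBD7AE3 for <recipient@targeted-victims-mailserver.example>; Wed, 16 Mar 2005 17:58:20 -0800
From: spoofee@spoofee-legitimate-domain.example
Subject: Grainbait Hot New IPO! Should Explode!
"""


def unfold_headers(raw: str) -> List[str]:
    """Join RFC 5322 folded header lines (continuations start with whitespace)."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<from>\S+)"   # name the connecting relay announced
    r"(?:\s+\((?P<from_info>[^)]*)\))?"    # what the receiving server observed
    r".*?\s+by\s+(?P<by>\S+)",             # the server that wrote this line
    re.IGNORECASE,
)


def parse_received(raw: str) -> List[Dict[str, str]]:
    """Return the Received: hops in header order (topmost first, i.e. most recent)."""
    hops: List[Dict[str, str]] = []
    for line in unfold_headers(raw):
        m = RECEIVED_RE.match(line)
        if m:
            hops.append({k: (v or "") for k, v in m.groupdict().items()})
    return hops


def classify_hops(raw: str, our_server: str) -> Dict[str, object]:
    """Split the chain at the hop our own server wrote.

    That hop records the peer that really connected to us. Every hop below it
    arrived inside the message body of the SMTP session and can say anything,
    which is exactly how the spoofee's domain ends up in the header.
    """
    hops = parse_received(raw)
    for i, hop in enumerate(hops):
        if hop["by"].lower() == our_server.lower():
            return {
                "trusted": hop,                 # written by our own server
                "actual_sender": hop["from"],   # the relay that connected to us
                "untrusted": hops[i + 1:],      # sender-supplied, unverifiable
                "above_us": hops[:i],           # added after we handed the mail on
            }
    raise ValueError(f"no Received: line written by {our_server}")


if __name__ == "__main__":
    result = classify_hops(SAMPLE_HEADER, "targeted-victims-mailserver.example")
    print("really sent by:", result["actual_sender"])
    for hop in result["untrusted"]:
        print("unverifiable claim:", hop["from"], "->", hop["by"])
```

Complaints should be answered from the “actual_sender” value, which in the sample is the zombie’s dial-up style hostname, not from the From: line or the lower Received: hop that names the spoofee.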

How Spoofers Get Legitimate Addresses & Mail Servers
This is the easy part. First, the spoofer hijacks the victim’s computer… usually with an email-embedded virus. The virus harvests every address and password on the victim’s computer and adds them to the spoofer’s spam list. The spoofer’s bulk mailing software then simply queries DNS (the MX records) for the correct mail server names and IPs to go with each address, and embeds them in the message header before spamming.

Elegantly simple, while totally disgusting, isn’t it?

If you get swamped with complaints, give them this URL. Since the complainers are already suspicious of you, this gives them a disinterested, outside second opinion.

fyi: We’ve blocked http://www.otcbb.com. You do whatever feels right.