September 22, 2006Email Moebius Strip
Ah, the frustrations of trying to do the right thing in today's spam-infested waters.
One of today's phishing sites is located in South Korea in an IP block run by a not-very-responsive outfit (surprise, surprise). But this block also had a separate technical contact that gets closer to the actual IP address of the server that had been hijacked by the phishing crook.
In addition to emailing the fraudulent phishing page report to the main abuse address (whose previous response time was glacial—or the hacked server crapped out from old age), I included the address of what might be a real person at the organization responsible for just a small slice of the main IP block.
(In truth, my expectations weren't high to begin with. The email address user name is "mrzombie" at a dot-net address. Although the dot-net domain is hosted in a Korea, was this a legitimate user name, or a deflection tactic to prevent address harvesting from whois records? I may never know for sure.)
The copy of my report that went to the tech contact bounced with the following report:
(reason: 553 Blocked for spam)
At first I thought perhaps my inclusion of the original phishing message source code could have triggered a spam filter. I resent the message without the source code. Just a two-sentence message that included the link within their IP space.
That message bounced with the same result.
Unfortunately, the bounce message (and it was done with a separate bounce message, not an immediate rejection, like it should) doesn't tell me why my message is considered spam in this server's eyes. It's either because the phishing link includes the string "paypal" or, more likely, it's because my email message originated at a Comcast IP address. That's how I connect to the Internet, although I don't use Comcast's email server for outgoing mail.
Comcast used to have a terrible reputation for not blocking spam blasts from bot-infected customers, so perhaps I understand why mrzombie's server bounced my messages. But, as happens in these cases, that leaves me no easy way (I could hunt down some anonymizer somewhere, I suppose, or try my Earthlink web mail account) to communicate with mrzombie to let him know that one of his servers is open to hijacking by crooks.
And a lot of people tell me I'm crazy to suggest that email is broken.
UPDATE (09:30:00 22Sept06): I did send the message through my Earthlink web mail account (which I hadn't used in so long, they had stopped putting messages into my inbox). So far, no bounce message. Even though the message headers show the origination point as being my Comcast IP address, perhaps Earthlink's DomainKeys signature saved the day. Now, Mr. Zombie, tear down that phishing page!Posted on September 22, 2006 at 09:14 AM