A little id theft?

Recently I have been the victim of some form of ID theft regarding nothing other than my email address.

I have been getting bounce-back messages over the course of the last few days regarding messages I never sent. A look at the headers reveals this information to anyone with a clue, but to many, it looks like emory@hellyeah.com has been spamming them with some sort of base64 encoded binary nonsense.

Below is the latest:


X-Track: 1: 100
X-Rocket-Server: 66.163.174.34
Return-Path: <emory@hellyeah.com>
Received: from 200.252.68.204 (HELO hellyeah.com) (200.252.68.204)
by mta527.mail.yahoo.com with SMTP; 19 Dec 2002 19:18:47 -0800 (PST)
Received: from unknown (129.27.23.200)
by rly-xw01.otpalo.com with SMTP; 20 Dec 2002 09:18:29 -0000
Received: from [77.65.81.157] by da001d2020.loxi.pianstvu.net with QMQP; 20 Dec
+2002 09:11:30 -0300
Reply-To: <emory@hellyeah.com>
Message-ID: <036d45c24e1c$3772a4a7$6ed17db6@fvphlt>
From: <emory@hellyeah.com>
To: <akrotiri3@yahoo.com>
Cc: <akrotu@yahoo.com>,
<akrouchelb@yahoo.com>,
<akroushmaisam@yahoo.com>,
<akrowland@yahoo.com>
Subject: How are you =]p
+3766NVGP9-289eWQP9906Y-21
Date: Fri, 20 Dec 2002 01:49:45 +0400
MiME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_00E1_14C63E5A.C2603D74"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: eGroups Message Poster
Importance: Normal

------=_NextPart_000_00E1_14C63E5A.C2603D74
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: base64

I don’t know what to make of this, or why my address was used. But it would appear that someone, in this example, relayed mail off a host that doesn’t exist, since da001d2020.loxi.pianstvu.net doesn’t resolve to anything, and pianstvu.net doesn’t exist in WHOIS.

The network that 77.65.81.157 belongs to was listed as reserved by IANA when I checked ARIN, too. I shudder to think how many of these types of messages aren’t getting to me because procmail or TMDA tosses them, but I have also spoken with the IT department at a company that apparently was the first incident of this outbreak.

Yahoo is always involved in some fashion.

I thumped that message through base64, and it says:


whats up? vldARR--4561a Hi there, how's it going? Well for starters I must confe
ss that this is indeed pretty awkward.
I anoticed your profile online and figured I'd drop ya a line....I bet that does
n't happen to you everyday! I never really even thought about it until someone s
aw mine and got in touch a little while back.
ANYWAY! My name isa Karan, I'm 23, and I'm a sale repa for a mid-sized pharmaceu
tical company. Goodness I can't get over how strange this is! I'm sure you're pr
obably thinking the same thing! hehe.
Oh well, I really don't want to go on too faar. Especially since I'm not sure wh
ether or not you have any intrest.
But if you would like to get to know more about me, please drop me a line. I'll
be more than happy to include some pics as well.
Anything about you would be greatly apreciated as well a
Well I hope to hear from you soon! Take care. S

xoxo,
Karan …..Random word of mixed symbols with length 1 to 27 7y56

P.S. Do you use any messenger services, maybe we can chat on there sometime? My
email address is sugerle463@hotmail.com
Random word of BIG LETTERS with length 1 to 22 LDHOPPWJSEYHR
Best regards,

And I dug up another one, and decoded it. It says:


whats up? sukSMN--3732 my name is Maggen. I saw yourprofile on internet. I am n
ew to the area and am
looking for someone to show me around. A If you're interested in hanging out wi
th
a cool girl send me p an email at sugerle454@hotmail.com and we can chat on inst
ant messenger.
Hope to hear from you soon!! upppsss hey sup.. hFW Vo
0 0
>
- _ _ -244851536376715

=)- AJXWNUWXHBXAXHBKKI jijdb

-Maggen

Same email address, different message.

Both sent with *me* as the From address to someone at Yahoo. I’m getting the bounceback when it fails. In the case of message sample 2, the INBOX was full.

I’m not sure what this is; and sugarle463 doesn’t turn anything up at google, so hopefully someone may search for that term, find this page, and clue me in as to what is going on.

Obviously forging an email address is no big deal. People have done it for years! But I’ve never seen anyone be victim of mail forgery on such a large scale for the sake of spam.

Especially *my* email address. It isn’t like most bogus From:’s spammers use. It’s very distinctive. This isn’t a Hotmail/AOL address we’re talking about, folks.

How infuriating.
