Masquerading Spam

paulmyerson · 29 Apr 2005, 08:20 PM

Dangerous Spam email has been received quoting my runbox Id and appears to come from runbox as genuine; of course it is not genuine and my spam filter has rejected it. I have not opened this email and have not clicked on the requested link (of course) and this email is quarantined.

Should I forward this email to a moderator for them to fight back, or is it best simply to ignore this? Any advice would be gratefully received.

carverrn · 29 Apr 2005, 09:52 PM

I'm not with Runbox so I can't speak officially but I would say that if the spam filters caught it then don't worry about it.

If the Runbox web interface showed "*SPAM*" in the subject line then that's because the SpamAssassin spam filter flagged it as spam. If that is the case then there is a good chance that SpamAssassin already found the sending server on a black list.

If you're curious you can take a look at the message headers (use view full headers) and look in the X-Spam-Report section for something like RCVD_IN_BL_SPAMCOP_NET (mean it was found in SpamCop's Blacklist) or some other RCVD_IN entry.

Regards,
Rich

jbs · 30 Apr 2005, 03:09 AM

Quote:

Originally posted by paulmyerson
Dangerous Spam email has been received quoting my runbox Id and appears to come from runbox as genuine; of course it is not genuine and my spam filter has rejected it. I have not opened this email and have not clicked on the requested link (of course) and this email is quarantined.

Should I forward this email to a moderator for them to fight back, or is it best simply to ignore this? Any advice would be gratefully received.

This is a very common form of spam, and it's very easy (unfortunately) for spammers to "spoof" a message as coming from the administrator of whatever domain the user is at.

For what it's worth, the 2 underpinnings of spam (IMHO) are:

1. When the system was developed, no one envisioned mail senders being untrusted, so authentication of senders was not built into the system -- anyone can claim to be whoever they want to be.

2. It's dirt cheap (nearly free) to send.

Because of item #1, there's little Runbox or any other provider can do to prevent someone else from sending a message claiming to be them. What they can do is provide spam filtering, which in this case seems to have done the trick.

This is just one of many email scams grouped under the category "phishing" when someone sends out a feeler (bait) trying to appear as some trusted entity in order to get you to divulge information which you would assume they already have.

It's why you always hear things from your bank and other "trusted entities" about, for example, "No one from MegaBank will ever cotnact you and ask for your PIN number. If you are contacted asking for your PIN, please forward the request to MegaBank security immediately."

--Jason

29 Apr 2005, 08:20 PM	#1
paulmyerson Junior Member Join Date: Apr 2005 Posts: 1	Masquerading Spam Dangerous Spam email has been received quoting my runbox Id and appears to come from runbox as genuine; of course it is not genuine and my spam filter has rejected it. I have not opened this email and have not clicked on the requested link (of course) and this email is quarantined. Should I forward this email to a moderator for them to fight back, or is it best simply to ignore this? Any advice would be gratefully received.

29 Apr 2005, 09:52 PM	#2
carverrn Intergalactic Postmaster Join Date: Jan 2002 Location: Chicago, IL Posts: 5,606 Representative of: Runbox.com	I'm not with Runbox so I can't speak officially but I would say that if the spam filters caught it then don't worry about it. If the Runbox web interface showed "SPAM" in the subject line then that's because the SpamAssassin spam filter flagged it as spam. If that is the case then there is a good chance that SpamAssassin already found the sending server on a black list. If you're curious you can take a look at the message headers (use view full headers) and look in the X-Spam-Report section for something like RCVD_IN_BL_SPAMCOP_NET (mean it was found in SpamCop's Blacklist) or some other RCVD_IN entry. Regards, Rich