[ JD's home page ] [ E-mail to Jesper Dybdal ]

Spam that appears to be from dybdal.dk

Last updated: 2002-04-16

What happened?

Beginning Thursday 2002-01-31, somebody sent out large amounts of junk e-mail ("spam") messages with apparent sender addresses in my domain - "dybdal.dk".

These sender addresses were faked. No spam has been sent from dybdal.dk.

The spammer sent his messages to lots of addresses, and some of those addresses did not exist. A non-existent address results in a non-delivery notification message to the apparent sender - i.e., an address in my domain.

My e-mail server was set up to accept mail for all names, even unknown ones, in my domain and deliver it to my mailbox. So the first few hundred of these bouncing messages made it into my mailbox. I then discovered what was happening and changed the setup to only accept mail for known names in the domain.

While this has been going on, there has been a total of about 27500 attempts to deliver messages to unknown names in dybdal.dk. A few of those messages were probably manually sent complaints or remove requests, but almost all of them were undoubtedly bounced spam messages. About 23000 of them came during the first week.

Since many of these bounces mentioned more than one failing address, the total number of non-existent addresses spammed was much higher than the number of bounces. And I don't even want to guess at the number of existing addresses spammed.

What to do when this happens to you?

Some suggestions: I got several suggestions by asking for help in two Usenet newsgroups:

Where did this spam really come from?

Some of the bounces contained a copy of the original spam message. The actual sender of those messages that I took the trouble to analyze is a customer of Qwest.net. I sent a complaint to Qwest on Saturday 2002-02-02, but received no reply other than an automatically generated acknowledgement of receipt of the complaint.

Friday 2002-02-08, 6 days after I sent the complaint and 8 days after the spamming began, it seemed to finally stop; I still received bounces, but fewer, and they seemed to be about original messages sent some time before.

Whether that means that Qwest at long last had terminated their customer's account or that the spammer had just finished and moved on to another victim, I don't know.
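The bounce analysis described above, as an added example that is not part of the original page: it lists every failing address in one bounce and walks the Received lines of the embedded spam copy to find the address that handed the message to the bouncing server. It assumes the bounce is an RFC 3464 multipart/report message (not all bounces are); the sample message and the names `parse_bounce` and `trusted_peer` are constructed for illustration.

```python
import email.policy
import re

# Constructed sample bounce (RFC 3464); hosts, addresses and IPs are placeholders.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
Content-Type: multipart/report; report-type=delivery-status; boundary="BB"

--BB
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody1@example.net

Final-Recipient: rfc822; nobody2@example.net

--BB
Content-Type: message/rfc822

Received: from relay.example.org ([192.0.2.10]) by mx.example.net; Sat, 2 Feb 2002 10:00:05 +0100
Received: from pc ([198.51.100.23]) by relay.example.org; Sat, 2 Feb 2002 10:00:01 +0100
From: bob@victim.example

--BB--
"""
HOP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+([^\s;]+)", re.S)

def parse_bounce(text):
    """Return (reporting MTA, failed recipients, [(recording host, peer IP)])."""
    msg = email.message_from_string(text, policy=email.policy.default)
    reporter, failed, hops = None, [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            for block in part.get_payload():  # one header block per recipient
                for name, value in block.items():
                    addr = str(value).split(";", 1)[-1].strip()  # drop "rfc822;"
                    if name.lower() == "reporting-mta":
                        reporter = addr
                    elif name.lower() == "final-recipient":
                        failed.append(addr)
        elif ctype == "message/rfc822":
            for line in part.get_payload(0).get_all("Received", []):  # newest first
                hops += [(m.group(2), m.group(1)) for m in HOP.finditer(str(line))]
    return reporter, failed, hops

def trusted_peer(reporter, hops):
    """IP that connected to the bouncing server; hops below it are unverified."""
    return next((ip for host, ip in hops if host == reporter), None)
```

The address returned by `trusted_peer` was recorded by the server that wrote the bounce, so it is the one to look up when deciding where to send a complaint; Received lines below that hop were supplied by the sending side and can be faked just like the From address.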

Which sender names did the spammer use?

Fortunately, the spammer did not use any fake sender address equal to an address I use. If he had, it would have been a serious problem for me. Many of the names used were common English first names, so I was lucky that my common first name is not English.

I have put together a page with an overview of all the names used.

How much spam was sent?

As I said above, I don't know.

But I do know how many messages were sent to unknown names in my domain. Almost all of those are bounced spam messages.

The table below shows the approximate daily number of attempts to deliver mail to unknown names in my domain.

Those messages that I have occasionally received and studied seem to indicate that even those bounces received many weeks later are the result of spam that was sent during the first week of February.

Thursday 2002-01-31: 3600
Friday 2002-02-01: 1300
Saturday 2002-02-02: 3800
Sunday 2002-02-03: 5900
Monday 2002-02-04: 4900
Tuesday 2002-02-05: 2300
Wednesday 2002-02-06: 1700
Thursday 2002-02-07: 1700
Friday 2002-02-08: 400
Saturday 2002-02-09: 200
Sunday 2002-02-10: 150
Monday 2002-02-11: 150
Tuesday 2002-02-12: 100
Wednesday 2002-02-13: 50
Thursday 2002-02-14: 75
Friday 2002-02-15: 15
Saturday 2002-02-16: 10
Sunday 2002-02-17: 24
Monday 2002-02-18: 32
Tuesday 2002-02-19: 29
Wednesday 2002-02-20: 21
Thursday 2002-02-21: 21
Friday 2002-02-22: 87
Saturday 2002-02-23: 83
Sunday 2002-02-24: 100
Monday 2002-02-25: 9
Tuesday 2002-02-26: 14
Wednesday 2002-02-27: 16
Thursday 2002-02-28: 13
Friday 2002-03-01: 3
Saturday 2002-03-02: 9
Sunday 2002-03-03: 4
Monday 2002-03-04: 13
Tuesday 2002-03-05: 3
Wednesday 2002-03-06: 7
Thursday 2002-03-07: 3
Friday 2002-03-08: 4
Saturday 2002-03-09: 3
Sunday 2002-03-10: 1
Monday 2002-03-11: 6
Tuesday 2002-03-12: 20
Wednesday 2002-03-13: 8
Thursday 2002-03-14: 4
Friday 2002-03-15: 3
Saturday 2002-03-16: 23
Sunday 2002-03-17: 71
Monday 2002-03-18: 251
Tuesday 2002-03-19: 53
Wednesday 2002-03-20: 2
Thursday 2002-03-21: 3
Friday 2002-03-22: 12
Saturday 2002-03-23: 2
Sunday 2002-03-24: 2
Monday 2002-03-25: 2
Tuesday 2002-03-26: 1
Wednesday 2002-03-27: 3
Thursday 2002-03-28: 14
Friday 2002-03-29: 30
Saturday 2002-03-30: 2
Sunday 2002-03-31: 1
Monday 2002-04-01: 10
Tuesday 2002-04-02: 6
Wednesday 2002-04-03: 28
Thursday 2002-04-04: 7
Friday 2002-04-05: 4
Saturday 2002-04-06: 2
Sunday 2002-04-07: 1
Monday 2002-04-08: *** 0
Tuesday 2002-04-09: 1
Wednesday 2002-04-10: 1
Thursday 2002-04-11: 12
Friday 2002-04-12: 3
Saturday 2002-04-13: *** 0
Sunday 2002-04-14: *** 0
Monday 2002-04-15: 1

Three days with a total of only one bounce: I think I'll stop counting here, unless the numbers increase significantly.

