Spam with forged FROM but variation from known technique?
I am aware that anybody can put whatever they want in the FROM address, and that the originating IP is the key to tracking down spam. If a spammer is using my domain name in the FROM line, I would expect to be receiving many complaints from people all over the world who do not know about forging the FROM header, saying that spam is originating from me because my domain appears in the FROM address (even though the IP definitely is not me).
And I would expect the complaints to be related to the same spam message.
Instead, what I am experiencing is that ONLY customers that are hosted on my server are receiving spam where the FROM address shows my domain.
Additionally, it is not one unique spam message that they all get. It is several different spam messages that show my domain in the FROM address.
My guess is that certain spam messages leave the @domain portion empty and sendmail inserts the default domain.
For example, a spam message has a FROM address that contains only "randomname", and sendmail rewrites the FROM address to "randomname@mydomain.com".
This is just a guess. I do not know if sendmail does this. But I can't think of another scenario that would fit what is happening.
If my guess is correct, is there a way to tell sendmail NOT to append the default domain to the FROM address if the FROM address does not contain a full email address?
I have included below the headers of five spam messages I received yesterday at my personal account.
**********spam example #1**********
Return-Path: <m.hamiltonvu@rootmode.com>
Received: (from alfert_com@localhost)
by alfert.com (8.11.6/8.11.6) id i02Csee07407
for alfert_com@alfert.com; Fri, 2 Jan 2004 07:54:40 -0500
X-Authentication-Warning: blue.rootmode.com: alfert_com set sender to m.hamiltonvu@rootmode.com using -f
Received: from blue.rootmode.com (root@localhost)
by alfert.com (8.11.6/8.11.6) with ESMTP id i024k6c14650
for <edward@alfert.com>; Thu, 1 Jan 2004 23:46:06 -0500
X-ClientAddr: 219.238.31.90
Received: from best-fishing.co.kr ([219.238.31.90])
by blue.rootmode.com (8.11.6/8.11.6) with ESMTP id i024jxb14633
for <edward@alfert.com>; Thu, 1 Jan 2004 23:46:02 -0500
Message-ID: <HKLJKNNECLIELCKHCEOCKNDICDAA.m.hamiltonvu@ahcbrand.demon.nl>
From: "Marguerite Hamilton" <m.hamiltonvu@rootmode.com>
To: edward@alfert.com
Subject: More Stamina & Energy for the New Year
Date: Fri, 02 Jan 2004 02:41:30 +0000
MIME-Version: 1.0
User-Agent: Mozilla/5.001 (windows; U; NT4.0; en-us) Gecko/25250101
Content-Type: text/html
Content-Transfer-Encoding: base64
**********spam example #2**********
Return-Path: <bradgordon_ur@rootmode.com>
Received: (from alfert_com@localhost)
by alfert.com (8.11.6/8.11.6) id i02CsZo07370
for alfert_com@alfert.com; Fri, 2 Jan 2004 07:54:35 -0500
X-Authentication-Warning: blue.rootmode.com: alfert_com set sender to bradgordon_ur@rootmode.com using -f
Received: from blue.rootmode.com (root@localhost)
by alfert.com (8.11.6/8.11.6) with ESMTP id i0224w419922
for <edward@alfert.com>; Thu, 1 Jan 2004 21:04:58 -0500
X-ClientAddr: 68.116.199.142
Received: from altium.nl (cpe-68-116-199-142.ma.charter.com [68.116.199.142])
by blue.rootmode.com (8.11.6/8.11.6) with ESMTP id i0224tb19917
for <edward@alfert.com>; Thu, 1 Jan 2004 21:04:55 -0500
Message-ID: <PPILNIHOJDODNECAOHBJKGMJLFAA.bradgordon_ur@chemeng.chmt.wits.ac.za>
From: "Brad Gordon" <bradgordon_ur@rootmode.com>
To: edward@alfert.com
Subject: This patch will change your life for the New Year
Date: Fri, 02 Jan 2004 00:04:07 +0000
MIME-Version: 1.0
X-Mailer: Pegasus Mail for Win32 (v3.12a)
Content-Type: text/html
Content-Transfer-Encoding: base64
**********spam example #3**********
Return-Path: <l7sbhdgqz@rootmode.com>
Received: (from alfert_com@localhost)
by alfert.com (8.11.6/8.11.6) id i02CsSW07326
for alfert_com@alfert.com; Fri, 2 Jan 2004 07:54:28 -0500
X-Authentication-Warning: blue.rootmode.com: alfert_com set sender to l7sbhdgqz@rootmode.com using -f
Received: from blue.rootmode.com (root@localhost)
by alfert.com (8.11.6/8.11.6) with ESMTP id i021X5d13516
for <edward@alfert.com>; Thu, 1 Jan 2004 20:33:05 -0500
X-ClientAddr: 24.201.209.221
Received: from modemcable221.209-201-24.mc.videotron.ca (modemcable221.209-201-24.mc.videotron.ca [24.201.209.221])
by blue.rootmode.com (8.11.6/8.11.6) with SMTP id i021X3b13511
for <edward@alfert.com>; Thu, 1 Jan 2004 20:33:04 -0500
Received: from [247.83.239.247]
by modemcable221.209-201-24.mc.videotron.ca SMTP id 6T843Jc26Xshyj;
Thu, 01 Jan 2004 18:34:28 -0700
Message-ID: <g3tj-n$6g-070w@tb4r.2.7n3.j6g>
From: "Melanie Babb" <l7sbhdgqz@rootmode.com>
Reply-To: "Melanie Babb" <l7sbhdgqz@rootmode.com>
To: edward@alfert.com
Subject: 1K-2K a day just returning phone calls... 7 kpvizzl
Date: Thu, 01 Jan 2004 18:34:28 -0700
X-Mailer: eGroups Message Poster
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="EEA9__DB34.D55A35"
**********spam example #4**********
Return-Path: <hcpmiotp67@rootmode.com>
Received: (from alfert_com@localhost)
by alfert.com (8.11.6/8.11.6) id i02CsMT07287
for alfert_com@alfert.com; Fri, 2 Jan 2004 07:54:22 -0500
X-Authentication-Warning: blue.rootmode.com: alfert_com set sender to hcpmiotp67@rootmode.com using -f
Received: from blue.rootmode.com (root@localhost)
by alfert.com (8.11.6/8.11.6) with ESMTP id i021Bsb10563
for <edward@alfert.com>; Thu, 1 Jan 2004 20:11:54 -0500
X-ClientAddr: 68.200.7.192
Received: from 192-7.200-68.tampabay.rr.com (192-7.200-68.tampabay.rr.com [68.200.7.192])
by blue.rootmode.com (8.11.6/8.11.6) with SMTP id i021Brb10558
for <edward@alfert.com>; Thu, 1 Jan 2004 20:11:54 -0500
Received: from [165.85.174.31] by 192-7.200-68.tampabay.rr.com with ESMTP id 1A7B99D8B7A; Thu, 01 Jan 2004 19:08:09 -0600
Message-ID: <30i02zprj-$zap08164x2@74mqco>
From: "Helen Lunsford" <hcpmiotp67@rootmode.com>
Reply-To: "Helen Lunsford" <hcpmiotp67@rootmode.com>
To: <edward@alfert.com>
Subject: 80% Less for Vl@GRA! 2.75$ today bymn
Date: Thu, 01 Jan 04 19:08:09 GMT
X-Mailer: Microsoft Outlook Express 5.00.2615.200
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="35F9A_1A_.0D.E2.1B..BFB."
**********spam example #5**********
Return-Path: <aimeerice_wr@rootmode.com>
Received: (from alfert_com@localhost)
by alfert.com (8.11.6/8.11.6) id i02Cs6O07199
for alfert_com@alfert.com; Fri, 2 Jan 2004 07:54:06 -0500
X-Authentication-Warning: blue.rootmode.com: alfert_com set sender to aimeerice_wr@rootmode.com using -f
Received: from blue.rootmode.com (root@localhost)
by alfert.com (8.11.6/8.11.6) with ESMTP id i01Dxqi16349
for <edward@alfert.com>; Thu, 1 Jan 2004 08:59:52 -0500
X-ClientAddr: 80.68.3.138
Received: from youkickedmydog.net ([80.68.3.138])
by blue.rootmode.com (8.11.6/8.11.6) with ESMTP id i01DxkU16341
for <edward@alfert.com>; Thu, 1 Jan 2004 08:59:49 -0500
Message-ID: <LBJCGKGOPPMAIGMBIKHACBFAIDAA.aimeerice_wr@youkickedmydog.net>
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Date: Thu, 01 Jan 2004 13:33:34 +0000
MIME-Version: 1.0
From: "Aimee Rice" <aimeerice_wr@rootmode.com>
To: edward@alfert.com
Subject: =?ISO-8859-1?b?ZXZlciBsaXZlIGluIGEgdHJhaWxvciAgICBqZTNkY3o=?=
Content-Type: text/html
Content-Transfer-Encoding: 8bit
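Worked example, added here and not part of the original post: a small header triage script that does what the poster describes as the key step (find the originating IP) against the headers of spam example #3 above. It walks the Received chain newest-first, takes the last hop that a trusted MTA recorded with a client IP, and stops at the first hop written by an untrusted host, since everything below that point is under the sender's control. It then compares the From: domain with that origin, and also pulls out the "set sender to ... using -f" X-Authentication-Warning, which records which local account set the envelope sender. The trusted MTA names come from the posted headers; the local netblock 192.0.2.0/24 is a hypothetical stand-in for the poster's real address range, and the Message-ID domain check is only a heuristic, not proof of forgery.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Headers copied from spam example #3 in the post (body omitted).
SAMPLE = """\
Return-Path: <l7sbhdgqz@rootmode.com>
Received: (from alfert_com@localhost)
    by alfert.com (8.11.6/8.11.6) id i02CsSW07326
    for alfert_com@alfert.com; Fri, 2 Jan 2004 07:54:28 -0500
X-Authentication-Warning: blue.rootmode.com: alfert_com set sender to l7sbhdgqz@rootmode.com using -f
Received: from blue.rootmode.com (root@localhost)
    by alfert.com (8.11.6/8.11.6) with ESMTP id i021X5d13516
    for <edward@alfert.com>; Thu, 1 Jan 2004 20:33:05 -0500
X-ClientAddr: 24.201.209.221
Received: from modemcable221.209-201-24.mc.videotron.ca (modemcable221.209-201-24.mc.videotron.ca [24.201.209.221])
    by blue.rootmode.com (8.11.6/8.11.6) with SMTP id i021X3b13511
    for <edward@alfert.com>; Thu, 1 Jan 2004 20:33:04 -0500
Received: from [247.83.239.247]
    by modemcable221.209-201-24.mc.videotron.ca SMTP id 6T843Jc26Xshyj;
    Thu, 01 Jan 2004 18:34:28 -0700
Message-ID: <g3tj-n$6g-070w@tb4r.2.7n3.j6g>
From: "Melanie Babb" <l7sbhdgqz@rootmode.com>
Reply-To: "Melanie Babb" <l7sbhdgqz@rootmode.com>
To: edward@alfert.com
Subject: 1K-2K a day just returning phone calls... 7 kpvizzl
Date: Thu, 01 Jan 2004 18:34:28 -0700

(body omitted)
"""

# Assumptions: the MTA names are the ones in the posted headers; the
# netblock is a hypothetical stand-in for the server's real address range.
LOCAL_DOMAIN = "rootmode.com"
TRUSTED_MTAS = {"alfert.com", "blue.rootmode.com"}
LOCAL_NETS = [ip_network("192.0.2.0/24")]

_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_HOP = re.compile(r"\bfrom\s+(.*?)\s+by\s+([\w.-]+)", re.S)


def parse_hop(received):
    """Return (client_ip_or_None, receiving_host_or_None) for one Received header."""
    text = " ".join(received.split())  # unfold continuation lines
    m = _HOP.search(text)
    if not m:
        return None, None
    from_part, by_host = m.group(1), m.group(2).lower()
    ip = _IPV4.search(from_part)
    return (ip.group(1) if ip else None), by_host


def origin_ip(received_headers, trusted):
    """Newest-first walk: the last hop accepted by a trusted MTA that carries a
    client IP is the origin. Stop at the first hop recorded by an untrusted
    host, because the sender can write anything below that line."""
    origin = None
    for hdr in received_headers:
        ip, by_host = parse_hop(hdr)
        if by_host is None or by_host not in trusted:
            break
        if ip:
            origin = ip
    return origin


def triage(raw, local_domain=LOCAL_DOMAIN, trusted=TRUSTED_MTAS, local_nets=LOCAL_NETS):
    """Summarise one message: where it entered our MTAs and whether the From:
    domain claims to be local while the origin is outside our network."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    origin = origin_ip(msg.get_all("Received", []), trusted)
    from_inside = origin is not None and any(ip_address(origin) in n for n in local_nets)
    msgid_domain = msg.get("Message-ID", "").strip("<> \t").rpartition("@")[2].lower()
    warn = re.search(r"set sender to (\S+) using -f", msg.get("X-Authentication-Warning", ""))
    return {
        "from_domain": from_domain,
        "origin_ip": origin,
        "forged_local_from": from_domain == local_domain and not from_inside,
        "msgid_domain_mismatch": bool(msgid_domain) and msgid_domain != from_domain,
        "sender_set_with_f": warn.group(1) if warn else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against sample #3 this reports the origin as 24.201.209.221 (the videotron.ca cable modem that handed the message to blue.rootmode.com), not the 247.83.239.247 that the untrusted lower Received line claims; a From: of rootmode.com from that origin is flagged as a forged local sender. The same loop works on the other four samples, since every one of them enters at blue.rootmode.com from an outside address.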