Slashdot Mirror
Protecting Your Small Domain from Spam Hijacking?
"My domain hosting service, CubeSoft, has been a good host for my domain for the past three years, and they have been very helpful in re-enabling most of my account, but at the moment they don't want to re-enable my e-mail because of the flood of returned spam coming in (30,000 messages per day). Since the return addresses are all invalid (e.g. 'nonexistent_address@gelhaus.net'), I would think it would be simple to filter out all messages that aren't specific ones I've set up (e.g. 'valid_address@gelhaus.net'). I can't believe my domain is the first to have experienced this problem. It would be a tragedy to have to just shut down my domain because of this. CubeSoft says there isn't any way to prevent it because there is nothing that stops a spammer from using a fake return e-mail address. What have others with small domains done to protect themselves?"
All the above is conjecture, of course. But it may be something for your ISP to think about. It may be possible to re-enable the MX for your domain in a short while without having to do anything.
and that will be the end of it
"Do you expect me to work?" "No Mr. Tux. I expect you to die"
BTW, this is generally known as a Joe Job.
I can't say that I don't give a fuck. I've just run out of fuck to give.
We have had the same issue, unfortunately. I asked on the debian-isp mailing list about it and the only real suggestion was to report the spammer in question to their ISP, which I believe to be in Russia.
The long and short of it is that we couldn't do much about it, other than try to minimize the resource waste. In our exim configuration we turned on "receiver_verify" in our exim configuration, which means before the incoming message enters the delivery phase, it's verified that there is a valid receiver. (Before doing this, the incoming message would run through spamassassin and then generate a bounce, using CPU time, memory, etc.) I know it's not much; I hope someone comes up with more suggestions.
See http://spf.pobox.com You can publish your DNS now, indicating which legitimate IPs are in use for mail from your domain.
by a secure protocol, I doubt very much anything can be done to protect against what is essentially a DDoS attack (which is, of course, a mere side effect of spam). But nobody seems interested in a modern-day email alternative. Whenever something bad happens, it's always the bad guys' fault, right? Remember, we don't need security, just a world with no bad people.
This won't solve the 30K messages a day problem, you will still have to suffer under that bandwidth, but your destiny is in your hands, you can get spamassasin, or your favorite filtering application to handle the problem. It has sucked the last few days for me as well... Something like 400 copies of sobig coming across each day, and another several hundered bounce/firewall messages as well...
Hope the next virus isn't this bad
I have mod points and I am not afraid to use them
You need to change your domain name. Obligatory "Office Space" quote:
Samir: You know, there's nothing wrong with that name.
Michael Bolton: There WAS nothing wrong with it. Until I was about 12 years old, and that no-talent-ass-clown because famous and started winning Grammys.
Samir: Why don't you just go by Mike, instead of Michael?
Michael Bolton: No way! Why should I change it? He's the one who sucks.
Well, why not kill the MX for your normal domain and simply use a subdomain for a while (maybe, me.mydomain.com vs mydomain.com. At least then, all bounces won't resolve, and you can have your domain back.
-
ping -f 255.255.255.255 # if only
At the moment it looks like I may never be able to have any @gelhaus.net e-mail again.
Since the return addresses are all invalid (e.g. 'nonexistent_address@gelhaus.net'), I would think it would be simple to filter out all messages that aren't specific ones I've set up (e.g. 'valid_address@gelhaus.net').
See that, you answered your own question. Just block invalid addresses.
I've had this happen before to my domain, and eventually it died down. If it doesn't die down for you maybe you could track the spammer down and sue her.
Any sane protocol would never suffer from this problem. Yet people still claim that email is not broken...
This frightens me, knowing what their response will be to a Joe Job. Maybe I should start looking for a different host.
Can't you just get a different host, then go to your registrar and change your DNS? That will work until your new hosting provider cries "Uncle" under the SPAM flood 8^)
"Send an Instant Karma to me" - Yes
If you find that the jobber is indeed an American, though, if I recall correctly, you can sue for damages. Of course, you generally have to find the scumbag first.
This sig no verb.
So, what happens when the receiving e-mail server tries to verify account name too? The spammer has to use someone's real account name (which has happened to me more than once). Since the spammer is using his own mail server to send the messages, your account and domain names don't only get checked ageanst your mail server when the recipient server tries to verify that they exist and not when the spam is originally sent. Thus, it's almost impossible to prevent.
Your only hope is finding the spammer somehow and making them miserable in some way (getting their ISP to cut them off, legal action), but that usually leads to the spammers friends making an exaple out of you (yet more unfortunate personal experience). I would just wait it out. Your ISP is doing the only thing they can by disabling your domain's e-mail. Soon, the "from" lookups will start failing for the spammer and he/she'll have to pick someone else to impersonate. I hope that your ISP will let you re-enable your domain's e-mail when it blows over. Good luck!
US Democracy:The best person for the job (among These pre-selected choices...)
My host is set up so that all emails recieved that have no account (invalid email address) are forwarded to an account with a quota of 1K. Of course the quota is full, so it is an instant bounce. Problem solved. Hope this may help you.
It's simple really!o gogogoch.com?
All you need to do is get a *really* long domainname.
For instance, would you expect any spam to originate from llanfairpwllgwyngyllgogerychwyrndrobwllllantysili
I think not!
Yet I'm sure there's at least a postmaster account running there (and surely a real account or two, even if just for fun's sake).
I wish I could offer some helpful advice but I can't, so instead I'll relate similar experiences I've had.
I have two domain names, one personal, one business.
The personal one was 'hijacked' in a very bizarre way a few years ago. I annoyed the owner of a popular site (by publishing an article about him swindling his visitors) so he posted my address dozens of times, all over the front page of his site. Obviously he wanted anyone who still believed his side of the story to send me hate mail, and that's exactly what happened. That was mailbombing though. The 'hijacking' was secondary, because of course my e-mail address is now in the address book of hundreds, if not thousands of people who are, let's say, not spectacularly bright. You can imagine how many e-mail viruses I get as a result of being in those address books.
The problem with my other domain is someone sending out viruses with my business address as the return address. This results in lots of auto-rejections from ISP spam filters. It's an inconvenience but it is NOTHING like as bad as the 30,000 you're getting, so you have my sincere sympathy. It must be very depressing to have something like this happen on such a large scale, and I do hope you figure out a way to prevent it.
That would be bouncing a bounce. I don't see how that solves his problem.
You can't stop someone putting your domain in the 'from' line of their e-mail account any more than you can remove l33t spk frm teh intarweb.
First of all, I'd recommend finding a hosting company which understands e-mail headers. To someone with basic knowledge of how e-mail works, it would be obvious that you haven't been spamming these people and that your account is innocent.
Second, how about putting a link to this article somewhere on your site, with a little explanation to your visitors about what has happened. It's unlikely that any of the victims will actually copy-paste the domain from their spam to their browser, but at least you're doing a little bit to raise awareness of the problem.
Thirdly, use and recommend SpamCop.net. Those hoopy froods will investigate your spam headers automatically -- no computer science degree required, and the innocents like yourself will not be terminated.
And finally... don't worry about it too much. Yes, there's the technical problem of all flood of bounces, but in my experience, people will very rarely actually look at where spam appears to be from, and will simply delete it. Your reputation is safe.
I Am Not A Domain Expert, but this has happened to several of my domains, my host is a good guy, and I'm still here to tell the tale.
http://spf.pobox.com/
Sure, not many MTA/MUAs check SPF records yet, but the fact that you are working to keep people from 'joe-jobbing' you should make your isp happy.
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
I am nearly in the same situation like you, except that I have complete control of my domain name (slett.net). I run my own DNS, my own SMTP server (Exim with SpamAssassin at SMTP Time), etc.. A nice side benefit is the ability to teergrube spammer hosts.
If you are technically inclined, and you have a broadband connection, this is definitely the best way at present to take control of spam.
Incidentally, I believe the ultimate solution to spam must involve banks and financial institutions - basically, an international mandate for these to not honor payment requests (e.g. credit card payments) to spammers. In the mean time, a mandatory upgrade or replacement to the SMTP protocol, to provide foolproof sender validation (by way of private/public keys or similar), will certainly go a long way towards solving the problem.
-tor
I work for a hosting company, and yes we've had this problem, although not on such a massive scale. We found that by removing any catch-all type setup, and bouncing the email address, the end users are much happier. This of course doesn't change the loading on the server much. IF however you know which IP's the emails are being sent from, your ISP can block those IP's with iptables, or, even in their router.
You shouldn't be so SOL, in my opinion.
Nobodies Prefect
Tidbits for Techs Technology Blog
A brief investigation of a few of the bounces revealed that the spammer was using a variety of email addresses and domains in the message as their contact point. Many of the domains shared the same mail server, which was obviously a co-lo box, so she simply pointed all of the MX records for her domain towards the spammers primary email server. Unfortunately it wasn't misconfigured to actually accept the bounces, but each bounce was tying up resources and bandwidth belonging to the spammer. When she reset the MX records back a month or so later it was all over.
This is only applicable if you have your own domain like in this instance of course, I doubt an ISP would even consider this course of action with one of their subdomains as it's a dubious course of action to say the least. You also lose all use of your domain while the MX records as repointed, so you better be *damn* sure nothing sensitive is going to be received in legit email because the spammer could, if they wanted, accept and read your email.
Interesting and apparently effective strategy though.
UNIX? They're not even circumcised! Savages!
I have a question. Since we have certificates from Trust Authorities to do secure http, why can't we use those same certificates to do Secure SMTP? Since it would be a new protocol, it wouldn't need to be backwards compatible with SMTP except that the MTA might fall back to that as a last resort. Being able to verify that a message is actually being sent by acmewidgetcorp.com would certainly make it easier to separate junk from business communications. It would be much more difficult to abuse since a certificate could be revoked by the CA and there is a cost associated with obtaining them as well as the time involved.
I ran across this Behind Enemy Lines site recently.
It seems to be describing a situation very similar to yours and a large number of actions taken to resolve it.
Yep, would help the guy but _not_ his ISP. His ISP probably does not want to waste the bandwidth created by 30k messages and that is whey they disabled his email. Bouncing, forwarding to /dev/null etc do not help because he will already have accepted the email (and thus wasted the bandwidth).
So either you scan already while receiving the email (as several people mentioned before, scan the header for invalid sender ips and then discard the bounces immediately BEFORE the whole email is accepted) or just wait it out.
I feel sorry for everyone out there whose domain gets used that way... =( I hope it dies down soon as his ISP does not seem to want to try to filter.
~Squisher
You hunt the spammer down like the dog that he is. Find yourself some "shady" characters to go pay him a visit. If he's in another country, that's even better. It's usually easier to find shady people in places like russia and china, and then, if you get busted for orchestrating his beating or death, it's harder for the authorities to do anything to you.
Even better, you could find out who he is, and then start sending letters in his name to major organized crime members demanding money or taunting them. Make a half-assed attempt to hide his identity, then it will look less suspicious.
Yeah, I'd definitely have someone whacked if they did that to my domain.
It is a long shot, but if you can track these people down, you have plenty of grounds for a lawsuit against them. Just prove they used your idenity without your permission. Even if they are in one of the few countries that won't help you out, there is a good chance that they have backers in a country, and you can sue the backers. Or if you can find who they are, and who the customers are, you can get the goverment to watch money transfers, and force all customers money inro your account (A very big maybe here). But you need a lawyer to 1) win the case for you, and 2) tell you how you can collect.
Good luck, but I urge you to do this. You should have plenty of grounds, and you might join the few guys who have actually shut down a spammer.
Before I get modded down, hear me out. First of all, IANAL.
Here's what would be fun. Find out what product is being sold by what company. Then, talk to a lawyer and see if there is a such thing as "accomplice to identity theft" or something along those lines. Sue the company who's product is being spammed. Profit? Who knows. It might get said company to either dump said spammer or tell them to clean up their act.
Who knows, it might work!
There are only 10 kinds of people in this world... those who understand binary and those who don't
Thanks to everyone who's posted replies on my topic. I've worked with my hoster to change my default alias to route messages with an invalid address to oblivion. Until this happened I didn't even realize that I had a default alias set up, which shows how dangerous a little ignorance can be. We're now re-enabling my aliases one at a time and watching closely to make sure these valid addresses are not being overrun with this returned spam.
By the way, I should mention that my hosting service, CubeSoft, has been very good through all this. I've been in constant contact with them through e-mail (but not my domain e-mail, hah), and they have been very helpful in suggesting solutions and in trying to work with me rather than just blowing me off as not their problem. After this, I can strongly recommend them as a hosting provider.
(as I have done) instead of using your webhosting service's free email service, you just use a yahoo mail account? I don't think (tho I may be wrong) that yahoo would react the same way a normal webhost would because a) they should know that I at least didn't send all those spams from my account, and b) they probably filter a friggin' billion spams a day already.
:-)
My general opinion is that a division of labor should be kept between web page hosting and email hosting, even tho, of course, the server is designed to handle both services; perhaps the cost of setting up one of those 100M yahoo email accounts may be justified. The Chinese say "pay a lot, cry once" -- perhaps this is a side effect of the 'free pop emails' that hosting services always offer.
It's also *really* nice to be able to access your email from anywhere in the world (yeah, I know you can access your pop from anywhere, too, but it's definitely more of a pain). That, combined with need to never spam your contacts with a new email address (tho that's what the old Napster guy's working on now) every time I change ISPs.
Of course, none of the spam horseshi*t is going to change until email accounts only receive email from address on "the list". Come programmers! I've got enough shtuff to do already -- I don't have time to write that (relatively) simple application
May the Peace & Blessings of our Creator be with you all,
bmac
Your life will change within minutes of seeking to deliver your spirit back to our Creator within your lifetime -- www.mihr.com
Thank you for that message. All too often people complain about their service providers and then when the problem is resolved they just go silent... hardly an encouragement to better customer service. It's an odd thing, but if you treat people as if they were human beings (thanking them when they need to be thanked) it encourages them to behave like human beings.
As I mentioned in another reply, currently one of my domains is suffering from the same problem. Your question inspired me to mull over what one could do a little more.
I was thinking since we host our own DNS, we could put in ACLs in our bind setup to disallow queries to the affected domain from the netblock that the spammer is operating from, and perhaps the first level of smtp servers that they are using. (If those are consistent.) This might provide a way to selectively DOS the people who are generating the spam...
This is all a giant conspiracy by the Level3's of the world trying to force us to get increased bandwidth... people (and ISPs) will be forced to simply accept that >30% of the bandwidth available is sucked up by digital "noise" in the form of spam, pop ups, etc...
Your host should be able to disable the catch-all account for your domain, which will result in any message not sent to a specific account being bounced.
You should also be able to set up filters in your accounts control panel. If your host does not support this, you need a new host.
it seems(much to my surprise) that ailiasing is by default switched on! on Most standard web host companies ... this is a *BIG* mistake.. ask your web host to remove ailiasing (anything@yourdomain.com) and get a specific hard-coded e-mail address (a real e-mail address) and your problem will be solved almost instantly. Everything else aside from your specific e-mail addresses will be automatically bounced! "problem" solved.
I recently needed to respond to an e-mail from a small company. When I replied, my e-mail was bounced back to me because Comcast.net's SMTP server was blackholed. (This happened even though I have my own domain name and only use Comcast's SMTP server as a smarthost.)
To get around this, I changed Sendmail to start sending out mail directly inside of using a smarthost. Now I get bounces from people with AOL addresses because AOL somehow knows that I am using a dynamic IP address to send mail from.
The only reason I am having any of these problems at all is because of spam. Spam is ruining the Internet and what's worse, I can see no way of fixing it that doesn't destroy privacy.
Thanks for letting me vent.
Your problem is Csoft. I have an account with them too. They offer a decent service at a good price, but they do enjoy their BOFH status. They're quick to blame their customers for problems. Because their prices are low, I don't think they give a damn about losing individual customers.
I think the suggestion mentioned elsewhere about setting up a subdomain is best.
The answer is simple. Just send any email with an invalid address to \dev\null
I run a small isp (300 domains) and we do web site hosting for $20 per month. Our mail servers take in about 130,000 emails every day 100,000 of it is undeliverable. In most cases like this we would simply weather the the storm. If your paying a host $5 per don't expect much.
I have a small domain ...don't link to it in Slashdot :)
My website
Why do we chase the spammers, we should be chasing the q!?!!"@@s who pay them. Point those
MX records at the web site they are publicising.
If their employer gets hit, perhaps they will be fired...
Work forward until you find the place where the credit card number goes in. Obtain a disposable credit card number from a cooperative bank and use it. Obtain the transaction information from the bank. Follow the money. Use subpoenas when necessary. Find out where the money goes. Sue.
As for joe-jobs, first, trademark your domain name. (You can do this on line.) Then, a joe-job is a Lantham Act violation in the US and a violation of the TRIPS agreement worldwide. This gives you more legal leverage.
If the spammer has a domain through which they do business, but the contact information is fake, ask ICANN to have the data corrected. Some domain registrars will then freeze the domain info until the identity of the domain owner is cleared up. Then find out who's hosting their DNS, and get them to shut them down.
Get a lawyer to draft you some form letters. ISPs have some immunity for copyright violations, but are scared of being involved in "knowingly and willfully aiding and abetting a Lantham Act violation". Use this.
I've shut down several spammers, including one in Russia. It takes some time, but it's not all that hard.
The reason that I say this is that with their Terms of service these WSP'ers remove the ability to use the internet the way that I want too. I want to be able to run VPNs, I want to be able to run services that are usefull to me as their custommer. About the only thing that the TOS allow is to surf the web for porn, and use their e-mail server to download mail to my favorite e-mail client.
A true ISP should be in the business of delivering IP packets to and from their custommers - and providing useful services above that (like e-mail, firewalling, etc) where the custommers request the service. There should be few if any restrictions on my ability to send and receive IP packets (I don't mind "no hacking", "no violating Int Property rights" etc.) but this, "no running services" policy just gets in my way.
Lets stop calling WSP ISP's and do the right thing and demand full access from the internet from our ISPs
I have mod points and I am not afraid to use them
Having said that there's not much you can do in a previous post, it occurs to me that one can use GnuPG to sign their messages or encrypt as necessary. Do this persistently and hope to God your correspondents have it or PGP or a clone thereof install.
This sig no verb.
no matter how much you like your host, there are others that are just as good if not better and just as cheap if not cheaper.. just take your ball and find a new home.