Slashdot Mirror


Protecting Your Small Domain from Spam Hijacking?

Black Cardinal asks: "I have a small domain which I mostly use to post family photos and some software. I also use it to manage a few e-mail addresses that my wife and I use. A spammer recently hijacked my domain name, using it to construct fake return addresses for sending spam (without actually cracking my host account), and caused a flood of undeliverable mail messages to be sent to my domain hosting service, which promptly suspended my account. At the moment it looks like I may never be able to have any @gelhaus.net e-mail again. What can I and my domain hosting service do now to protect their incoming mail servers and my account from this kind of attack, and how can I protect my small domain from this kind of hijacking and allow me to keep it running?"

"My domain hosting service, CubeSoft, has been a good host for my domain for the past three years, and they have been very helpful in re-enabling most of my account, but at the moment they don't want to re-enable my e-mail because of the flood of returned spam coming in (30,000 messages per day). Since the return addresses are all invalid (e.g. 'nonexistent_address@gelhaus.net'), I would think it would be simple to filter out all messages that aren't specific ones I've set up (e.g. 'valid_address@gelhaus.net'). I can't believe my domain is the first to have experienced this problem. It would be a tragedy to have to just shut down my domain because of this. CubeSoft says there isn't any way to prevent it because there is nothing that stops a spammer from using a fake return e-mail address. What have others with small domains done to protect themselves?"

8 of 103 comments

  1. Use SPF to protect against "Joe Jobs" by Karl+J.+Smith · · Score: 5, Interesting
    If everyone uses SPF, it will cut down on spam and joe-jobs.

    See http://spf.pobox.com You can publish your DNS now, indicating which legitimate IPs are in use for mail from your domain.
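    As an added illustration (not part of the comment above or of the SPF project's code), here is a minimal SPF evaluator in Python that shows what a receiving mail server does with a published record: it looks up the sender domain's TXT record and tests the connecting IP against the ip4/ip6/include/all terms. The zone data is constructed for the example (the hosting provider's domain cubesoft.example and the IP ranges are hypothetical), and the a/mx/ptr/exists mechanisms, which need live DNS, are treated as non-matching.

```python
import ipaddress

# Constructed TXT records standing in for real DNS (hypothetical addresses).
# gelhaus.net delegates to its hosting provider with "include:" and ends
# with "-all" (hard fail); the provider's own record ends with "~all".
FAKE_DNS_TXT = {
    "gelhaus.net": "v=spf1 ip4:203.0.113.10 include:cubesoft.example -all",
    "cubesoft.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:1::/48 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the SPF record for a domain, or None if it publishes none."""
    txt = dns.get(domain.lower())
    if txt is None or not txt.startswith("v=spf1"):
        return None
    return txt


def _ip_in(ip, cidr):
    """True if ip lies inside cidr; a bare address is treated as a /32 or /128."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return ip.version == net.version and ip in net


def check_spf(domain, sender_ip, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate sender_ip against domain's SPF record.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    Only ip4, ip6, include and all are implemented; other mechanisms and
    modifiers (a, mx, ptr, exists, redirect=) are skipped (assumption).
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms; bound the recursion
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = _ip_in(ip, arg)
        elif name == "include":
            # include: matches only if the referenced domain yields "pass"
            matched = check_spf(arg, sender_ip, dns, depth + 1) == "pass"
        else:
            continue
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.77", "2001:db8:1::5", "192.0.2.5"):
        print(ip, "->", check_spf("gelhaus.net", ip))
```

    Two caveats for the situation in the question: the record only helps at receivers that actually evaluate SPF, and a "-all" (hard fail) is what lets them reject the forged mail outright rather than merely score it. The bounces flooding in are generated by sites that already accepted the forgery, so SPF reduces future backscatter but does nothing about mail those sites have queued.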

  2. An Idea by ewhenn · · Score: 4, Interesting

    My host is set up so that all emails received that have no account (invalid email address) are forwarded to an account with a quota of 1K. Of course the quota is full, so it is an instant bounce. Problem solved. Hope this may help you.

  3. Re:Get a new domain host. by deanpole · · Score: 3, Interesting
    A spammer did my domain too, but nearly every bounce claimed a different source, thus too much work to report every one.

    Luckily, in my case every email hawked generic viagra from China. After a week and a half I finally called Pfizer and reported the website. The emails stopped shortly after that and I was never sure if they were related. The website is gone now too.

    I have seen spam for anti-spam software, but why not for anti-spam retribution services. Of course, I would never advocate violence. :-/

  4. Similar experiences by Andy+Smith · · Score: 3, Interesting

    I wish I could offer some helpful advice but I can't, so instead I'll relate similar experiences I've had.

    I have two domain names, one personal, one business.

    The personal one was 'hijacked' in a very bizarre way a few years ago. I annoyed the owner of a popular site (by publishing an article about him swindling his visitors) so he posted my address dozens of times, all over the front page of his site. Obviously he wanted anyone who still believed his side of the story to send me hate mail, and that's exactly what happened. That was mailbombing though. The 'hijacking' was secondary, because of course my e-mail address is now in the address book of hundreds, if not thousands of people who are, let's say, not spectacularly bright. You can imagine how many e-mail viruses I get as a result of being in those address books.

    The problem with my other domain is someone sending out viruses with my business address as the return address. This results in lots of auto-rejections from ISP spam filters. It's an inconvenience but it is NOTHING like as bad as the 30,000 you're getting, so you have my sincere sympathy. It must be very depressing to have something like this happen on such a large scale, and I do hope you figure out a way to prevent it.

  5. Push the emails back toward the spammer by Zocalo · · Score: 4, Interesting
    A former colleague of mine had one of her domains *seriously* Joe Jobbed like this a short while ago - thousands of bounces a day. Since the domain wasn't actually used for much she contacted the people that were using it, asking them to use an alternate domain as the obvious stop gap. Her next step was novel to say the least...

    A brief investigation of a few of the bounces revealed that the spammer was using a variety of email addresses and domains in the message as their contact point. Many of the domains shared the same mail server, which was obviously a co-lo box, so she simply pointed all of the MX records for her domain towards the spammer's primary email server. Unfortunately it wasn't misconfigured to actually accept the bounces, but each bounce was tying up resources and bandwidth belonging to the spammer. When she reset the MX records back a month or so later it was all over.

    This is only applicable if you have your own domain like in this instance of course, I doubt an ISP would even consider this course of action with one of their subdomains as it's a dubious course of action to say the least. You also lose all use of your domain while the MX records are repointed, so you better be *damn* sure nothing sensitive is going to be received in legit email because the spammer could, if they wanted, accept and read your email.

    Interesting and apparently effective strategy though.

    --
    UNIX? They're not even circumcised! Savages!
  6. Secure Mail by Radical+Rad · · Score: 2, Interesting

    I have a question. Since we have certificates from Trust Authorities to do secure http, why can't we use those same certificates to do Secure SMTP? Since it would be a new protocol, it wouldn't need to be backwards compatible with SMTP except that the MTA might fall back to that as a last resort. Being able to verify that a message is actually being sent by acmewidgetcorp.com would certainly make it easier to separate junk from business communications. It would be much more difficult to abuse since a certificate could be revoked by the CA and there is a cost associated with obtaining them as well as the time involved.

  7. Re:Just wait it out by Otter · · Score: 2, Interesting
    FWIW, I've had exactly the same experience and it has nothing to do with worms. The offenders are in Russia and there's basically nothing I can do about it except dump all bounces straight into a trash directory. I did take the precaution of notifying my hosting provider immediately, and haven't suffered any consequences from them. That may be due to graciousness on their part, or just to their usual laziness.

    The only upside is the hate mail I periodically receive, especially the threats of lawsuits, invoices for "proofreading" services and some really vile attached images.
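    The filter the questioner asks for (accept only the handful of real addresses), ewhenn's catch-all-to-a-full-mailbox trick, and Otter's "dump all bounces straight into a trash directory" all point at the same two server-side checks, shown here as an added example in Python that is not code from any of the posters. First, unknown recipients are refused at RCPT TO with a 550, so the 30,000 daily bounces to made-up addresses are never accepted (a full-quota catch-all still accepts the data and then generates yet another bounce). Second, bounces to a real address are only accepted when the address carries a signed, dated tag that the domain's own outgoing mail put in its envelope sender, in the style of BATV (Bounce Address Tag Validation); a bounce to the plain address can only be backscatter from mail the domain never sent. The address list, key, day numbers and the exact tag layout are assumptions for illustration.

```python
import hmac
import hashlib

OUR_DOMAIN = "gelhaus.net"
# Constructed list of real mailboxes (the question names valid_address@gelhaus.net).
VALID_ADDRESSES = {"valid_address@gelhaus.net", "wife@gelhaus.net"}
SECRET = b"per-domain-secret-rotate-me"  # hypothetical signing key

def sign_return_path(addr, key=SECRET, day=0):
    """Tag an envelope sender with a day number and a truncated HMAC (BATV-style).

    day is a day-of-year style counter (mod 1000); the tag is short because it
    only needs to be unguessable for a week, not forever.
    """
    local, _, domain = addr.partition("@")
    stamp = f"{day % 1000:03d}"
    tag = hmac.new(key, f"{stamp}{local}@{domain}".encode(), hashlib.sha256).hexdigest()[:6]
    return f"prvs={stamp}{tag}={local}@{domain}"

def verify_return_path(addr, key=SECRET, today=0, max_age=7):
    """Return the untagged address if addr carries a valid, fresh tag, else None."""
    local, _, domain = addr.partition("@")
    parts = local.split("=")
    if len(parts) != 3 or parts[0] != "prvs":
        return None
    tagval, core = parts[1], parts[2]
    if len(tagval) != 9 or not tagval[:3].isdigit():
        return None
    day = int(tagval[:3])
    expected = sign_return_path(f"{core}@{domain}", key, day)
    if not hmac.compare_digest(expected, addr):
        return None
    if (today - day) % 1000 > max_age:  # stale tag: an old leak is worthless
        return None
    return f"{core}@{domain}"

def rcpt_decision(mail_from, rcpt_to, today, valid=VALID_ADDRESSES, key=SECRET):
    """SMTP reply for RCPT TO, given the envelope sender (''=bounce) and recipient."""
    rcpt_to = rcpt_to.lower()
    local, _, domain = rcpt_to.partition("@")
    if domain != OUR_DOMAIN:
        return "554 5.7.1 relay denied"
    if local.startswith("prvs="):
        core = verify_return_path(rcpt_to, key, today)
        if core in valid:
            return "250 OK"  # bounce for mail we really sent
        return "550 5.1.1 invalid or stale signed return-path"
    if rcpt_to not in valid:
        return "550 5.1.1 user unknown"  # refused before DATA: no backscatter
    if mail_from == "":
        return "550 5.7.1 bounce to unsigned address (never sent by this domain)"
    return "250 OK"

if __name__ == "__main__":
    signed = sign_return_path("valid_address@gelhaus.net", day=40)
    print(signed)
    print(rcpt_decision("", "nonexistent_address@gelhaus.net", today=45))
    print(rcpt_decision("", "valid_address@gelhaus.net", today=45))
    print(rcpt_decision("", signed, today=45))
```

    Rejecting at RCPT TO matters more than how the rejection is worded: a message refused before DATA costs the hosting server one short SMTP exchange and creates no outbound bounce, which is what the provider is complaining about. The tag scheme requires that the domain's own outgoing mail always use the signed form as its envelope sender (the visible From: header stays untouched), and a real MTA would implement this with its own sender-rewriting and recipient-check features rather than this standalone code.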

  8. E-Mail is starting to suck by Goo.cc · · Score: 3, Interesting

    I recently needed to respond to an e-mail from a small company. When I replied, my e-mail was bounced back to me because Comcast.net's SMTP server was blackholed. (This happened even though I have my own domain name and only use Comcast's SMTP server as a smarthost.)

    To get around this, I changed Sendmail to start sending out mail directly instead of using a smarthost. Now I get bounces from people with AOL addresses because AOL somehow knows that I am using a dynamic IP address to send mail from.

    The only reason I am having any of these problems at all is because of spam. Spam is ruining the Internet and what's worse, I can see no way of fixing it that doesn't destroy privacy.

    Thanks for letting me vent.