Slashdot Mirror

← Back to Stories (view on slashdot.org)

Protecting Your Small Domain from Spam Hijacking?

Posted by Cliff on from the autoreplies-should-check-the-"Received"-header dept.

Black Cardinal asks: "I have a small domain which I mostly use to post family photos and some software. I also use it to manage a few e-mail addresses that my wife and I use. A spammer recently hijacked my domain name, using it to construct fake return addresses for sending spam (without actually cracking my host account), and caused a flood of undeliverable mail messages to be sent to my domain hosting service, which promptly suspended my account. At the moment it looks like I may never be able to have any @gelhaus.net e-mail again. What can I and my domain hosting service do now to protect their incoming mail servers and my account from this kind of attack, and how can I protect my small domain from this kind of hijacking and allow me to keep it running?"

"My domain hosting service, CubeSoft, has been a good host for my domain for the past three years, and they have been very helpful in re-enabling most of my account, but at the moment they don't want to re-enable my e-mail because of the flood of returned spam coming in (30,000 messages per day). Since the return addresses are all invalid (e.g. 'nonexistent_address@gelhaus.net'), I would think it would be simple to filter out all messages that aren't specific ones I've set up (e.g. 'valid_address@gelhaus.net'). I can't believe my domain is the first to have experienced this problem. It would be a tragedy to have to just shut down my domain because of this. CubeSoft says there isn't any way to prevent it because there is nothing that stops a spammer from using a fake return e-mail address. What have others with small domains done to protect themselves?"

13 of 103 comments (clear)

  1. Just wait it out by Lord+Grey · · Score: 4, Informative
    Your problem may be due to the worms working their way around the Internet rather than due to a spammer intentionally using your domain. My email server recently suffered the same fate (though not quite that high of a volume) and I spent a bit of time tracking down the emails' origins through the bounces. In my case, they turned out to be coming from just a few unique systems and the volume slowly trickled to nothing after several days -- presumably because someone finally got around to patching their systems.

    All the above is conjecture, of course. But it may be something for your ISP to think about. It may be possible to re-enable the MX for your domain in a short while without having to do anything.

    --
    // Beyond Here Lie Dragons
  2. One small thing that you can do by martinde · · Score: 5, Informative

    We have had the same issue, unfortunately. I asked on the debian-isp mailing list about it and the only real suggestion was to report the spammer in question to their ISP, which I believe to be in Russia.

    The long and short of it is that we couldn't do much about it, other than try to minimize the resource waste. In our exim configuration we turned on "receiver_verify" in our exim configuration, which means before the incoming message enters the delivery phase, it's verified that there is a valid receiver. (Before doing this, the incoming message would run through spamassassin and then generate a bounce, using CPU time, memory, etc.) I know it's not much; I hope someone comes up with more suggestions.

  3. Use SPF to protect against "Joe Jobs" by Karl+J.+Smith · · Score: 5, Interesting
    If everyone uses SPF, it will cut down on spam and joe-jobs.

    See http://spf.pobox.com You can publish your DNS now, indicating which legitimate IPs are in use for mail from your domain.

  4. As long as email isn't replaced... by lightspawn · · Score: 5, Insightful

    by a secure protocol, I doubt very much anything can be done to protect against what is essentially a DDoS attack (which is, of course, a mere side effect of spam). But nobody seems interested in a modern-day email alternative. Whenever something bad happens, it's always the bad guys' fault, right? Remember, we don't need security, just a world with no bad people.

    1. Re:As long as email isn't replaced... by anthony_dipierro · · Score: 4, Informative

      But nobody seems interested in a modern-day email alternative.

      Just about everyone is interested in a modern-day email alternative. The problem is getting everyone to agree on which particular one to use.

  5. You have the Michael Bolton problem by utahjazz · · Score: 4, Funny

    You need to change your domain name. Obligatory "Office Space" quote:

    Samir: You know, there's nothing wrong with that name.

    Michael Bolton: There WAS nothing wrong with it. Until I was about 12 years old, and that no-talent-ass-clown because famous and started winning Grammys.

    Samir: Why don't you just go by Mike, instead of Michael?

    Michael Bolton: No way! Why should I change it? He's the one who sucks.

  6. MX Trickery by sporty · · Score: 5, Insightful

    Well, why not kill the MX for your normal domain and simply use a subdomain for a while (maybe, me.mydomain.com vs mydomain.com. At least then, all bounces won't resolve, and you can have your domain back.

    --

    -
    ping -f 255.255.255.255 # if only

  7. Not much you can do at all by BrynM · · Score: 5, Informative
    CubeSoft says there isn't any way to prevent it because there is nothing that stops a spammer from using a fake return e-mail address.
    Unfortunately, they are 100% correct. The spammer is just using your server as a destination for MX record lookups. When a spam is sent, most receiving e-mail servers will try to do a reverse lookup on the "from" or "recip" address via a DNS lookup or an MX lookup. This prevents the spammer from just blanketing a server with a completely made up "from" addresses (which used to be a popular tactic). The spammer now has to have a legit domain, so he used yours and just made up the account portion.

    So, what happens when the receiving e-mail server tries to verify account name too? The spammer has to use someone's real account name (which has happened to me more than once). Since the spammer is using his own mail server to send the messages, your account and domain names don't only get checked ageanst your mail server when the recipient server tries to verify that they exist and not when the spam is originally sent. Thus, it's almost impossible to prevent.

    Your only hope is finding the spammer somehow and making them miserable in some way (getting their ISP to cut them off, legal action), but that usually leads to the spammers friends making an exaple out of you (yet more unfortunate personal experience). I would just wait it out. Your ISP is doing the only thing they can by disabling your domain's e-mail. Soon, the "from" lookups will start failing for the spammer and he/she'll have to pick someone else to impersonate. I hope that your ISP will let you re-enable your domain's e-mail when it blows over. Good luck!

    --
    US Democracy:The best person for the job (among These pre-selected choices...)
  8. An Idea by ewhenn · · Score: 4, Interesting

    My host is set up so that all emails recieved that have no account (invalid email address) are forwarded to an account with a quota of 1K. Of course the quota is full, so it is an instant bounce. Problem solved. Hope this may help you.

  9. Re:get your ISP to change your MX record by Xunker · · Score: 5, Funny

    Then how will legitimate mail arrive?

    That still exists?

    --
    Hilary Rosen's speech was about her love of money and her desire to roll around naked in a pile of money.
  10. Push the emails back toward the spammer by Zocalo · · Score: 4, Interesting
    A former colleague of mine had one of her domains *seriously* Joe Jobbed like this a short while ago - thousands of bounces a day. Since the domain wasn't actually used for much she contacted the people that were using it, asking them to use an alternate domain as the obvious stop gap. Her next step was novel to say the least...

    A brief investigation of a few of the bounces revealed that the spammer was using a variety of email addresses and domains in the message as their contact point. Many of the domains shared the same mail server, which was obviously a co-lo box, so she simply pointed all of the MX records for her domain towards the spammers primary email server. Unfortunately it wasn't misconfigured to actually accept the bounces, but each bounce was tying up resources and bandwidth belonging to the spammer. When she reset the MX records back a month or so later it was all over.

    This is only applicable if you have your own domain like in this instance of course, I doubt an ISP would even consider this course of action with one of their subdomains as it's a dubious course of action to say the least. You also lose all use of your domain while the MX records as repointed, so you better be *damn* sure nothing sensitive is going to be received in legit email because the spammer could, if they wanted, accept and read your email.

    Interesting and apparently effective strategy though.

    --
    UNIX? They're not even circumcised! Savages!
  11. Re:You're smart... by Just+Some+Guy · · Score: 4, Informative
    Exactly. I went through this about two months ago. I was getting about 2,000 bounce mails per hour until I added a bunch of lines to my Sendmail's "access" file, recompiled access.db, and restarted sendmail. Here's an example entry:
    erin@honeypot.net "550 This account was spoofed by some jackass spammer. It doesn't exist and never has."

    Add one for each falsified account. You will still get the incoming SMTP connections, but your server will reject the mail before the sending host transmits the whole thing. Advantage: you lose the bandwidth that it takes to build a TCP connection and send a single RCPT line, rather than losing the bandwidth and storage required to process and bounce a whole message.

    My SMTP bandwidth graphs dropped about 85% after adding those filters. Do the same on your end (or have your ISP do it for you) and sit back while the storm blows over.

    Oh, yeah: you may want to put a prominent notice on your website's main entry point stating that you are not the originator of the spams. The flood of mail to my "abuse@" address tapered off greatly once I explained things to visitors. I still get a few twits with an axe to grind but there's not much you can do about that.

    --
    Dewey, what part of this looks like authorities should be involved?
  12. Thanks for the replies by Black+Cardinal · · Score: 5, Informative

    Thanks to everyone who's posted replies on my topic. I've worked with my hoster to change my default alias to route messages with an invalid address to oblivion. Until this happened I didn't even realize that I had a default alias set up, which shows how dangerous a little ignorance can be. We're now re-enabling my aliases one at a time and watching closely to make sure these valid addresses are not being overrun with this returned spam.

    By the way, I should mention that my hosting service, CubeSoft, has been very good through all this. I've been in constant contact with them through e-mail (but not my domain e-mail, hah), and they have been very helpful in suggesting solutions and in trying to work with me rather than just blowing me off as not their problem. After this, I can strongly recommend them as a hosting provider.