Is A Catch-All Address Worth The Spam?
wildzeke writes "I plan on switching Internet providers this summer to get a faster speed. Since losing an email account is the biggest pain when switching providers, I decided to pay the extra money to have email for the domain I registered. One of the options provided is to make one of your email accounts a catch-all account. In other words, any email sent to this domain without a valid user name will be dumped in the catch-all account. The question I have is, is this a good idea or not? On one hand, it may catch important email such as admin or postmaster, or simply a mistyped user name. On the other hand, the catch-all will open the flood gates to spammers who will send to [all user names in the world]@domain.com."
As someone who has been using a catch-all account for years, and has enjoyed the benefits and suffered the consequences, I would suggest you do it (though not without some warnings and recommendations). I do receive a fair amount of SPAM for accounts which have never existed on the system. I have also endured several periods when some SPAMmer referred to fake accounts at my domain in the return-to of the SPAM they were sending out (they were not using my mail server, they simply made up random usernames for my domain). Since they were random (both the names they used and the content of the SPAM) it was impossible to easily filter out. That sucked. I would receive hundreds of bounce messages per day. Ultimately I was able to make it stop by writing a script to post every bounce message I received through to the support form on the websites being advertised (modifying for each of the three or four sites which were involved), making the normal "cease and desist" legal threats. It seemed to work, since the SPAMs did stop soon after (presumably those sites complained to the SPAMmer they employed), and the SPAMmer no doubt moved on to some other fake accounts. Bastard. One of the best features of the catch-all is that you can totally control to whom you give out your "real" e-mail address, as well as track who is using the e-mail addresses you are giving out. For example, if you want to register at example.com for something, you give them the address me.example@yourdomain.com (or some structure which has a prefix or postfix, the 'me.', and the site name for which you are registering). You'll be able to receive that site's mail until you either don't want to, or until you see that they have abused the privilege of e-mailing you.
Often I will see six months after registering to some site, I start getting tons of SPAM from the e-mail I gave to that site, and I can then simply block that on the mail server, bouncing them or sending them to /dev/null (via aliases, for example). This is the greatest strength in using catch-all addresses.
To mitigate the danger I mentioned previously of fake usernames, one should (though I am no sendmail expert and don't know how) set up a rule that any incoming recipient address must correspond to an existing account/alias, OR the catch-all structure you want (the whole PREFIX.SITENAME@yourdomain.com).
Q
Don't vote for Eugene Papansanovich for Congress!
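The recipient rule the poster above describes but could not write (accept a recipient only if it is a real account, or if it follows the PREFIX.SITENAME catch-all structure, and turn off tags that have been abused) can be expressed as a small policy function. This is an added example, not code from the thread; the domain yourdomain.com, the prefix "me", the account names and the revoked tag are all constructed for illustration.

```python
# Added example: a recipient-address policy for a tagged catch-all.
# Everything here (domain, prefix, accounts, revoked tags) is constructed.
import re

DOMAIN = "yourdomain.com"                      # assumed domain we accept mail for
PREFIX = "me"                                  # assumed tag prefix from the post
REAL_ACCOUNTS = {"wildzeke", "postmaster", "abuse"}
REVOKED_TAGS = {"me.spammysite"}               # tags already abused and switched off

# local-part must be PREFIX "." SITENAME; site names may themselves contain dots
TAG_RE = re.compile(r"^(?P<prefix>[a-z0-9-]+)\.(?P<site>[a-z0-9][a-z0-9.-]*)$")


def tag_for(site: str) -> str:
    """Address to hand to a site at sign-up time, e.g. me.slashdot.org@yourdomain.com."""
    return f"{PREFIX}.{site.lower()}@{DOMAIN}"


def classify_recipient(address: str) -> str:
    """Return 'deliver', 'catchall', 'revoked' or 'reject' for one RCPT address.

    Matching is case-insensitive (the usual local convention) while the
    original spelling of the address is left untouched.
    """
    try:
        local, domain = address.rsplit("@", 1)
    except ValueError:
        return "reject"                        # not even an address
    if domain.lower() != DOMAIN:
        return "reject"                        # not our domain: never relay
    local_lc = local.lower()
    if local_lc in REAL_ACCOUNTS:
        return "deliver"
    if local_lc in REVOKED_TAGS:
        return "revoked"                       # was a tag, now bounced/discarded
    m = TAG_RE.match(local_lc)
    if m and m.group("prefix") == PREFIX:
        return "catchall"                      # tagged sign-up address
    return "reject"                            # dictionary guess: 550 at RCPT time


def triage(addresses):
    """Count how a batch of recipient addresses would be handled."""
    counts = {"deliver": 0, "catchall": 0, "revoked": 0, "reject": 0}
    for addr in addresses:
        counts[classify_recipient(addr)] += 1
    return counts


if __name__ == "__main__":
    # constructed sample of recipients as a dictionary attack would produce them
    sample = ["wildzeke@yourdomain.com", "john@yourdomain.com", "mary@yourdomain.com",
              tag_for("example.com"), "me.spammysite@yourdomain.com"]
    for a in sample:
        print(f"{a:40} -> {classify_recipient(a)}")
    print(triage(sample))
```

Because the decision depends only on the local-part, it can be made at RCPT TO time, before the body is transferred, so dictionary traffic is refused with 550 instead of landing in the catch-all mailbox; revoking a tag is one line in REVOKED_TAGS.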
On the other hand, if you leave the * account on, you don't need to create a new account each time you need one. I, for instance, only have one account on my mail server and that is the postmaster; this allows me to invent e-mail addresses on the fly.
With this ability you can make an e-mail address for each use of your e-mail, for sites and forums like Slashdot@Domain.com, and if you start getting spam at that address you can quite happily block it via the filter.
Right after registering a domain, you'll often get a few spams hawking hosting services, etc. Verisign (no flames please!) does allow you to opt out of their bulk sale of whois data - although why are they doing it in the first place?
Also for $9 a year you can buy a redirected e-mail address that changes every 10 days that appears as your whois contact.
I've been running my own mail account off of my own domain for about 2.5 years now, and I don't regret it. I do have the catch-all set to dump to my personal account, and it's not been a major problem. Most of the spam I get is addressed to a "real" address (either mine or one of my older accounts I have forwarded to me), and there's a lot of that, so the amount I get from the catch-all is negligible.
:-)
In practice, actually, most of the spam-related stuff I get is mail bounces attempting to a random address with a faked from line of 63745624573@mydomain.com (or something like that). I really should look into implementing SenderID, but that would require hosting the server myself on my dynamic IP instead of letting my web host take care of it.
--GrouchoMarx
Card-carrying member of the EFF, FSF, and ACLU. Are you?
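The bounces to random forged addresses that GrouchoMarx describes (and that several later posts call the main cost of a catch-all) can be told apart from real delivery failures with a simple rule: a delivery status notification addressed to a local-part that was never handed out is backscatter from someone else's forgery. The following is an added example, not code from the thread; the domain mydomain.com, the list of issued addresses and the sample messages are all constructed.

```python
# Added example: sort incoming mail into real mail, real bounces and backscatter.
# Domain, issued addresses and sample messages are constructed for illustration.
import email
from collections import Counter
from email.message import Message
from email.utils import parseaddr

OUR_DOMAIN = "mydomain.com"                      # assumed domain behind the catch-all
ISSUED = {"groucho", "postmaster", "slashdot"}   # local-parts we actually gave out


def is_bounce(msg: Message) -> bool:
    """Heuristics for a delivery status notification: null reverse-path,
    MAILER-DAEMON sender, or the multipart/report DSN content type."""
    return_path = (msg.get("Return-Path") or "").strip()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return (return_path == "<>"
            or sender.startswith("mailer-daemon@")
            or msg.get_content_type() == "multipart/report")


def classify(raw: str) -> str:
    """'mail' / 'unissued' for ordinary messages, 'bounce' / 'backscatter' for DSNs,
    'foreign' when the recipient is not at our domain at all."""
    msg = email.message_from_string(raw)
    rcpt = parseaddr(msg.get("To", ""))[1]
    local, _, domain = rcpt.rpartition("@")
    if domain.lower() != OUR_DOMAIN:
        return "foreign"
    known = local.lower() in ISSUED
    if is_bounce(msg):
        # a bounce for an address we never used means our domain was forged
        return "bounce" if known else "backscatter"
    return "mail" if known else "unissued"


def summarize(raw_messages) -> dict:
    return dict(Counter(classify(raw) for raw in raw_messages))


# --- constructed sample messages ---
BOUNCE_FORGED = """Return-Path: <>
From: MAILER-DAEMON@mail.example.net
To: 63745624573@mydomain.com
Subject: Undelivered Mail Returned to Sender

<victim@example.net>: user unknown
"""

BOUNCE_REAL = """Return-Path: <>
From: MAILER-DAEMON@mail.example.net
To: groucho@mydomain.com
Subject: Undelivered Mail Returned to Sender

<oldfriend@example.net>: mailbox full
"""

NORMAL = """From: alice@example.org
To: groucho@mydomain.com
Subject: hello

hi there
"""

DICTIONARY = """From: offers@example.biz
To: sales@mydomain.com
Subject: great deal

buy now
"""

SAMPLES = [BOUNCE_FORGED, BOUNCE_REAL, NORMAL, DICTIONARY]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw), "<-", raw.splitlines()[-1])
    print(summarize(SAMPLES))
```

The rule is deliberately conservative: a bounce to an address that was really issued is kept, because it may be a genuine failure of mail you sent, while only DSNs to never-issued names are discarded.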
is this a good idea or not?
No, it's not a good idea. Looking through my mail server (and other mail servers I administer) I've seen A LOT of attempts by spammers to harvest email addresses by just trying a lot of common names on the domain (and some strange not so common addresses). If you had a wildcard address, you'd get all that spam to that box.
With no wildcard email address, if people misspell a name on your domain, they'll get a prompt bounce message (and they'll probably figure out the misspelling). With a wildcard they'll never figure out the misspelling, and may continue to use that wrong address.
There's also the problem of auto-generated virus bounce messages from other people's servers. Most viruses lie about their from address, and can even make up an @yourdomain.tld. If you had a wildcard, all those erroneous "you sent a virus" messages would go to your wildcard box instead of just bouncing.
Unless you want an account that's deluged with spam and like wading through it every so often on the off-chance someone sent a message to admin or postmaster, I'd not create a wildcard box.
AccountKiller
I recently switched to using e-mail from my registrar/hosting company; they included one free address and I paid for an additional 5 mailboxes.
I set up an account for myself and my wife, and used the free account for a spam bucket. My account is set up as a catch-all. Whenever I sign up for something I use an address in the form slashdot.org@<mydomain>.com, so if it does start getting spam I know who sold my e-mail address.
If any spam comes in being caught by the catch-all, I set up a forwarder to my spam account. For example, dns@<mydomain>.com gets forwarded to spam@<mydomain>.com. I then just set up my e-mail client to dump anything that comes in via the spam account directly into the trash.
To date I have received spam on three addresses that didn't really exist (dns@, sales@ and info@), but overall it works very well.
Alternatively you could also flip that on its head and proactively add new accounts as required, which is what I do. So, if the scumbags at "Foo Corp." decide to sell my email address, I simply delete the "foo@mydomain" entry from my aliases file and both the spammer and Foo Corp. just get a User unknown from the MTA. It avoids all the pain of having a catch-all address and as a bonus it makes sorting email into folders a snip because "To:" is always unique and relevant!
UNIX? They're not even circumcised! Savages!
For example, if you want to register at example.com for something, you give them the address me.example@yourdomain.com (or some structure which has a prefix or postfix, the 'me.', and the site name for which you are registering).
What I've been doing for the last couple of years is using a catchall at a subdomain of my actual domain. The typical dictionary spams (postmaster, sales, etc.) don't come in, because they only work on top level domains (otherwise spammers would be wasting a large amount of time spamming "sales@www.domain.com", which pretty much never exists).
When I sign up for an account at example.com, I just register as example.com@catch.mydomain.com. If I get spam, I can block it, and it doesn't interfere with my actual domain. If I decided one day I get too much spam to it, I could just switch to another subdomain name.
Speak before you think
Forget the "Catch All" e-mail address. Use Mailinator.
FYI -- mailinator is a non-passworded public catch-all system. Perfect for temporary site registrations. I use it frequently and it's an unbelievably good service...
------ The best brain training is now totally free : )
From experience in operating multiple servers hosting many (read 10,000+) domains each, I can say that the catch all account is a VERY BAD thing.
Spammers recently have turned to more use of the random username approach and the catchall catches, well, all. This can in some cases total more than 4500 emails a day. Hardly something you want to pull through a POP3 connection if your ISP doesn't have effective spam filtration.
Quite honestly the catch all serves little purpose if your email transactions are done in a correct manner. mailto: links have NO BUSINESS being on a web site for a company (or personal user for that matter). A simple CGI based contact form shields access from spam bots getting your email address, and you can make sure ahead of time that your email address is properly configured.
Secondly, if you are emailing somebody else, most people use a context menu on the email you sent to add you to their address book. Again that eliminates the human error factor.
Also as others have already mentioned, a human will be able to read a mailer daemon response telling them that there was a mistake should they send directly.
My $0.02
SW
Make sure addresses like postmaster@ and abuse@ work. They're unlikely to get spammed, but may well receive important messages.
postmaster@ is actually required by rfc2821, btw.
As for the subject of the discussion; my catch-all addresses have been fine, but YMMV. If I was that worried about dictionary attacks, but still wanted the ability to give a new address out to each company, I'd do something like *-signup@mydomain or *@signup.mydomain or similar, but you might not have that level of control (in which case I'd recommend finding somewhere better to host your email, but *shrug*).
Catch all will kill your inbox. I had a catch all from 1996-2002. All of a sudden, around Labor Day 2002 I started getting up to 3000 spams a day. The vast majority were to bogus addresses. Even with local spam filtering my email client was spending near 100% of the time downloading mail.
I eventually killed the catch all, resulting in losing email from some places I'd given unique email addresses to. Also went with a 3rd party spam filter ( spamcop.net ) so most spam never makes it to my desktop at all, getting filtered upstream.
Recently I got a Gmail account. Just for grins I thought I'd test their spam filtering capabilities before using it for anything "real". I reactivated my catch all, forwarding it to my Gmail account. In the last 3 weeks my Gmail spam folder has accumulated 163MB of spam, or almost 27,000 individual messages. Gmail is only catching 30-50 percent of it, I've had to manually tag the remainder.
So while all my catch all addresses bounced these past two years the flow has reduced from 3k a day to about 1k a day.
The only reason to have a catch all is if you want lots of untargeted spam. I don't know how these yahoos do their billing, but if any of them base it on what bounces vs. what's read, then having an open address might just mean they'll make more money because of you.
If you have 1000s of messages coming to a personal computer it doesn't mean squat what your filtering scheme is. Even if you don't "see" these messages, your machine is still going to have to read messages to evaluate them, or at the least download the headers (though header analysis isn't going to get you 100% filtered spam).
Accepting email from 1000's of possible email addresses @ your domain when you know they're all bogus is just asking for punishment.
I may be totally mistaken, but I thought that using a catch-all address means no "55x no such user" errors are sent anymore? There is such a user, and it's mapped to the catchall address.
I believe posters are recognized by their sig. So I made one.
I've had to shut off my catch-all, but not because of spam, but because of spoofed return-email addresses someone has been sending out with my domain name. My INBOX would be filled with bounce backs from email addresses some spammer was using that weren't live anymore. He/she didn't have to deal with the bouncebacks, but they caused my mailbox to overflow. Shutting off my catchall address eliminated the bouncebacks because the spammer wasn't using my "real" email address, just some made-up name at my domain.
The harder you try, the luckier you are.
I used to use my catchall for precisely that (e.g. slashdot@mydomain).
It DID help me bust someone for passing on an address which was instantly traced back to them.
Spam however has completely ruined it though for the problems outlined in this article. Unfortunately I can't turn off the catch-all as there are so many 'legacy' addresses from which I might only hear once a year but don't want to miss their email.
I now use http://www.spamgourmet.com/ instead to create disposable accounts as I have the luxury of being able to kill them (or let them die) if need be. It's free and I highly recommend it.
Do you or your partner snore? - Visit www.snoring.com.au
You don't need a catch-all for that. You just need a hosting service that lets you set up forwarders. So, in your example, I'd simply set up a forwarder for yourfreepron@mydomain.net to forward to myrealaddress@mydomain.net. My hosting service adds an "Envelope-To" header line that tells what address the mail was for, so I can then easily filter it on my end.
This gives me all the throw-away addresses I want for spam protection and other purposes, without having to deal with the spam to a catch-all address.
What's wrong with this? Some UNIX systems are case sensitive about e-mail and johndoe is NOT the same as JohnDoe@domain.com
I don't get so much generic spam to @mydomain.com but I do get tons of bounces from spam that's sent out with a spoofed from @mydomain.com
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
On the contrary, wildcard spam is extremely common. When was the last time you ever watched the maillog of a busy MTA? I guarantee you it will be riddled with User Unknown errors from dictionary, Rumplestiltskin and wildcard attacks. It's that way on every mail system I've ever administrated, including the ones I administrate now.
Not only do you get spam addressed to random accounts on that domain but all the Undeliverable Mail bounced back to spoofed addresses on that domain.
There are better ways to do this. First off there's Sendmail "plus notation," also known as "user+detail" format. If you haven't heard about this you should do some research on Sendmail's website. The other method if you own your own domain, which obviously you do if you're using a catch-all address, is to simply use aliases. Add your custom alias to your local aliases file, rerun newaliases, and you're set. Personally I use a little of both. I use aliases all the time. I can add an alias in a matter of seconds at any given point and time. A quick look at my current aliases file shows me aliases for dictionary.com, outdoorsuperstore.com, The Wall Street Journal, The New York Times and more. The best part about aliases is I can turn off the flow of spam by simply removing the alias. To stop the flow of spam to an address using plus notation I have to whip up a procmail recipe. I've seen more than one spammer strip the plus notation from outgoing addresses though, so it isn't always going to stop the flow of spam. Not all web forms accept the plus sign as a valid email character. YMMV, no, I take that back. I can guarantee your mileage won't vary. Catch-all addresses have only one valid use: to collect spam. Plus notation will work much of the time. Aliases will work all of the time.
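The two mechanisms this post and the earlier "delete the foo@mydomain entry from my aliases file" post rely on can be shown side by side: an aliases(5)-style file is resolved to final mailboxes, and a user+detail address is split so the detail survives to delivery but plays no part in the lookup. This is an added example written for this page, not Sendmail's own code; the aliases file, user list and addresses are constructed, and the loop detection and 550 text are modelled on common MTA behaviour.

```python
# Added example: resolve recipients through a sendmail-style aliases file,
# with user+detail (plus notation) handling. All data here is constructed.

ALIASES_TEXT = """\
# constructed sample of an aliases(5) file
postmaster: root
abuse:      postmaster
dictionary: me
nytimes:    me,
            archive
foo:        me
"""

LOCAL_USERS = {"root", "me", "archive"}       # real mailboxes on this host


def _split_targets(s: str):
    return [t.strip() for t in s.split(",") if t.strip()]


def parse_aliases(text: str) -> dict:
    """Parse 'name: target, target' lines; indented lines continue the previous alias."""
    aliases, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":                  # continuation line
            if current is None:
                raise ValueError("continuation before any alias")
            aliases[current].extend(_split_targets(line))
            continue
        name, _, targets = line.partition(":")
        current = name.strip().lower()        # alias names are matched case-insensitively
        aliases[current] = _split_targets(targets)
    return aliases


def resolve(local_part: str, aliases: dict, users=LOCAL_USERS, _seen=frozenset()):
    """Expand one local-part to its final mailboxes. Returns (set_of_mailboxes, detail).
    The +detail is kept for the delivery agent but never consulted during lookup."""
    user, _, detail = local_part.partition("+")
    user = user.lower()
    if user in _seen:
        raise ValueError("alias loop involving " + user)
    seen = _seen | {user}
    if user in aliases:
        boxes = set()
        for target in aliases[user]:
            boxes |= resolve(target, aliases, users, seen)[0]
        return boxes, detail
    if user in users:
        return {user}, detail
    return set(), detail                      # nothing matched


def deliver(local_part: str, aliases: dict):
    """What the MTA decides at RCPT time: ('ok', mailboxes, detail) or ('unknown', [], detail)."""
    boxes, detail = resolve(local_part, aliases)
    if not boxes:
        return "unknown", [], detail          # reported to the sender as 550 User unknown
    return "ok", sorted(boxes), detail


if __name__ == "__main__":
    table = parse_aliases(ALIASES_TEXT)
    for addr in ("foo", "abuse", "nytimes", "me+slashdot", "nobody123"):
        print(f"{addr:14} -> {deliver(addr, table)}")
    del table["foo"]                          # the alias is sold on: remove it
    print("foo after removal ->", deliver("foo", table))
```

Removing an alias changes the RCPT-time answer to "unknown", which is why the post calls aliases reliable. With plus notation, `me+slashdot` and a stripped `me` both resolve to the same mailbox, so the only place the detail can be acted on is after acceptance (the procmail recipe the post mentions).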
Moderators, please moderate the parent down for being a fool giving fool's advice.
are you sure all those bounced messages aren't from mail worms forging from addresses? Probably about 80% of my mail is from 'mailer daemon - your message was infected' or 'we tried to deliver but failed' type messages, from domains I've never sent mail.
Aside from those, I get virtually no spam, or at least it gets filtered quite reliably.
And I just have a regular yahoo account.
I.O.U One Sig.
I do it mainly to see what websites are spamming me. For example, when I subscribe to the NYTimes, I would subscribe using nytimes071704@mydomain.com and could then see what advertising and spam comes from that signup. (If I get tired of mails to an address, I will make a rule so that all mail to that address goes straight to my trash).
My domains are not popular so I rarely get spam to emails that I never signed up anything for. Occasionally I will get an email to webmaster@mydomain or info@mydomain, but nothing more than a dozen a week. I say use it until you get too much spam, and then you can drop it while activating the emails that you still want to keep.
Would you care to elaborate as to which 'UNIX systems' you might be referring to?
Particularly as this is contrary to common e-mail message standards (see RFC 822, among others).
I know I personally have not come across any non-broken SMTP servers that are case sensitive.
Topher
What is the difference of DirectNIC and PairNIC? I have been using DirectNIC 5 years with no probs.
They are just different registrars. pairNIC is very customer-friendly, offers extra features like IPv6 and SPF, and allows direct editing of DNS entries for people who are control freaks (most registrars just allow editing contact info; anything else is like pulling teeth). You can do email forwarding with them too, but I also have web hosting through their parent company and this includes an extensive email system including a custom qmail setup and procmail. I can install ClamAV and other software on my server if I want.
These servers run FreeBSD, a dead operating system, so the Slashdot trolls should have fun with this post :-)
24 beers in a case, 24 hours in a day. Coincidence? I think not!
I own the domain of my last name, for example jones.com. Most spammers guess that a catchall will be placed upon that root domain. However, I create an MX record for my full name, john.jones.com, and then do a catchall of (at)john.jones.com pointing to my account. Spammers seem less aware (zero guesses so far) of MX domains. Then, wherever I have to give out my email address for a registration, I give a "unique" address used just for that site, such as slashdot(at)john.jones.com. This way, if any one address becomes abused, I just put a nouser entry in virtusertable for that address.
;-P . That would really reduce the effectiveness of this method as spammers would catch on. In which case, unique addresses would have to be explicit (many aliases) as opposed to implicit (via catchall). Slightly more time consuming.
I just hope this doesn't catch on too well
I am MuchTall
I guess I must just be lucky. I've had a domain, complete with "catch-all addressing", for about 4 years now, and I get maybe a few dozen spams per week. Almost all of those, too, go to an address I was foolish enough to use in plain text on kur05hin a couple of years ago.
I am anti-spam, but not particularly vehement about it. I can imagine though that if I were getting that many mails, I'd probably be howling for blood...
It's official. Most of you are morons.
Having done the same thing before, I can say that without a doubt, it will increase your spam.
The thing is that a lot of spammers seem to literally shotgun a domain with information harvested, then use those plausible usernames as email addresses. The end result is that your primary email account will get flooded with email not originally destined for it.
If you do intend to do this, I would suggest the following:
Having these on when you check and go through your mail will cause an increase of spam above what you are getting.
Best bet, have the domain name. Use one address, then close it and switch to another, within the domain. Have the original address just junk any future mails it gets once you are sure people have moved to your new address.
Seriously, it's just not a good idea.
Winged Power Photography
Do not make a catch-all. You will regret it. After someone used my domain as a spoof reply-to in several SPAMs, I started getting SPAM to all those addresses. When it got to the point of downloading 2,000+ a day (takes days to download on dial-up) I was ready to pull my hair out and start changing email addresses on all my accounts I have everywhere. Then, with no help from my webhost, I managed to get those mails directed to another non-existent account.
I control several domain names.
:)
In my experience, you need to block sales@, info@ and webmaster@. After that, most of the email (and spam) will be coming to the single @ which you are actually using. There will be occasional bounces to random usernames (from spam spoofing from: addresses), but not very many in my experience.
By the way, there is no spam to unpublished postmaster@ addresses, probably because this is not an address spammers want to irritate.
Some other users have complained that they got under a dictionary attack like you describe. But not me.
17779 eligible voters in a district, 17779 'vote' as one. This is Russia.
It is absolutely amazing how people can refer to a standard when they obviously have either not read it or not understood it.
Chapter 6 concerns itself with address specifications.
The syntax in paragraph 6.1 specifies:
addr-spec = local-part "@" domain
local-part = word *( "." word ) ; uninterpreted, case-preserved
So the local-part is UNINTERPRETED and has its case PRESERVED, presumably to allow case-sensitive handling locally. Moreover, the use of a "."-separated list of words does not imply any structure imposed or recognised by SMTP; it is merely a convenient way to avoid quotes in a large number of cases ("... such occurrences carry NO semantics.").
The exception is the local-part "Postmaster" which is required to be recognized using any mixture of case.
So SMTP-servers are not case sensitive, but case preserving when it comes to the local part. The delivery or non-delivery of a message to a recipient however, is a local matter, and SMTP doesn't care about what happens, and whether case-sensitivity is used for this.
It just so happens that local mail systems these days are not case sensitive, although I believe the broken SVR2.2+some bsd+some SVR3/4 based A/UX system I used in the early nineties might very well have been.
(Quotes typed manually from the copy of RFC-822 which I printed out in about 1991 or so. Yes, about the same time some Berners-Lee guy made a few grave mistakes which would end up as the mess we now know as WWW.)
-Lasse
You don't understand correctly, I'd suggest you read the RFCs regarding SMTP.
When an SMTP session is started, two pieces of data MUST be sent before the message. Those fields amount to "from" and "to" fields and are sent sequentially by "MAIL FROM:" and "RCPT TO:" fields in that order. The "from" portion may be forged, but the "to" field must be correct as it is the address that the server delivers the message to or uses for further forwarding/processing. If the server does not recognize the to field, it will usually return a simple error (550) and may end the session at that point. Also, if the server does not like the "from" field (for any reason you can program for), an error can be returned and the session ended.
Again, this is all before the body of the message is sent with the "DATA" command, thus saving potentially megabytes of data transfer. This does not require the "return" address to be correct, as this is happening at the time of delivery and the servers are talking directly about the message.
The body of a message may (but is not required to) contain other headers such as subject, to, from, received, date, content-type, message-id etc, but these fields in the data area have nothing to do with delivery as far as the receiving server is concerned.
Now.. it's possible to configure a server to operate differently, accepting all mail blindly, buffering the messages, then later figuring out where they should go.
My personal server takes the "MAIL FROM:" data and parses it, checking that the remote domain exists and there is an SMTP server that accepts mail for that domain. If any of those checks fail, I return a "not available" error (421) and close the connection.
Article X: The powers not delegated... by the Constitution...are reserved...to the people
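The session the last post walks through (MAIL FROM, RCPT TO, then DATA, with 550 for an unknown recipient and the poster's own 421-and-close when the sender domain has no mail exchanger) can be played out with a small simulated server, which also shows the local-part being matched case-insensitively and "Postmaster" always accepted, as the RFC 822 post above notes. This is an added example, not code from the thread or from any real MTA; the domain mydomain.com, the list of "domains with an MX" and the user list are constructed stand-ins for what a real server would look up in DNS and its account database.

```python
# Added example: a simulated SMTP server showing envelope checks made
# before DATA. Domains, users and the MX table are constructed; no network I/O.

OUR_DOMAIN = "mydomain.com"                        # assumed domain we accept mail for
LOCAL_USERS = {"lasse", "postmaster"}              # assumed accounts; Postmaster is mandatory
KNOWN_MX = {"example.org", "mydomain.com"}         # stand-in for a real DNS MX lookup


def split_path(arg: str):
    """'FROM:<user@dom>' or 'TO:<user@dom>' -> (local, domain); '<>' -> ('', '')."""
    path = arg.partition(":")[2].strip().strip("<>")
    local, _, domain = path.rpartition("@")
    return local, domain


class SmtpServer:
    def __init__(self):
        self.reset()
        self.closed = False
        self.in_data = False

    def reset(self):
        self.sender = None
        self.rcpts = []

    def handle(self, line: str):
        """Process one client line; return the reply, or None for body lines / closed sessions."""
        if self.closed:
            return None
        if self.in_data:
            if line == ".":                          # end of message body
                self.in_data = False
                self.reset()
                return "250 2.0.0 Ok: queued"
            return None                              # body line, no reply
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {OUR_DOMAIN}"
        if verb == "MAIL":
            local, domain = split_path(arg)
            # null reverse-path (<>) is allowed: bounces must be accepted
            if domain and domain.lower() not in KNOWN_MX:
                self.closed = True                   # the poster's policy: 421 and hang up
                return "421 4.3.2 Sender domain has no mail exchanger, closing connection"
            self.reset()
            self.sender = f"{local}@{domain}" if domain else ""
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Need MAIL command"
            local, domain = split_path(arg)
            if domain.lower() != OUR_DOMAIN:
                return "554 5.7.1 Relay access denied"
            if local.lower() not in LOCAL_USERS:     # case-insensitive, case-preserving
                return "550 5.1.1 User unknown"
            self.rcpts.append(f"{local}@{domain}")
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpts:
                return "554 5.5.1 No valid recipients"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            self.closed = True
            return "221 2.0.0 Bye"
        return "500 5.5.2 Command not recognized"


def run_session(client_lines):
    """Feed client lines to a fresh server; return [(client_line, reply), ...] for replied lines."""
    server, transcript = SmtpServer(), []
    for line in client_lines:
        reply = server.handle(line)
        if reply is not None:
            transcript.append((line, reply))
    return transcript


def reply_codes(transcript):
    return [int(reply.split()[0]) for _, reply in transcript]


GOOD_SESSION = ["EHLO client.example.org", "MAIL FROM:<alice@example.org>",
                "RCPT TO:<Postmaster@mydomain.com>", "RCPT TO:<nosuchuser@mydomain.com>",
                "DATA", "Subject: hi", "", "hello", ".", "QUIT"]
BAD_SENDER = ["EHLO spambox", "MAIL FROM:<junk@no-such-domain.invalid>",
              "RCPT TO:<lasse@mydomain.com>", "DATA"]

if __name__ == "__main__":
    for session in (GOOD_SESSION, BAD_SENDER):
        for c, s in run_session(session):
            print(f"C: {c}\nS: {s}")
        print("---")
```

In the first session the unknown recipient is refused with 550 while the message still proceeds for the valid one; in the second the 421 ends the conversation at MAIL FROM, so the RCPT and DATA lines get no reply at all and no message body is ever transferred.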