Is A Catch-All Address Worth The Spam?
wildzeke writes "I plan on switching Internet providers this summer to get a faster speed. Since losing an email account is the biggest pain when switching providers, I decided to pay the extra money to have email for the domain I registered. One of the options provided is to make one of your email accounts a catch-all account. In other words, any email sent to this domain without a valid user name will be dumped in the catch-all account. The question I have, is this a good idea or not? On one hand, it may catch important email such as admin, or postmaster or simply mis-typed user name. On the other hand, the catch-all will open the floodgates to spam who will send to [all user names in the world]@domain.com."
If the mail is from an intelligent human being they will generally conclude from the returned mail that they have erred, and readdress it accordingly. In the event of any other outcome you are probably better off not receiving the mail.
Buying your own domain is a smart move. As long as you keep paying for the domain, your e-mail address can travel with you, even when you change ISPs.
From personal experience, I've found that only a very small percentage of spam I get comes from using the catch-all address. I get only a few junk e-mails to "webmaster", "postmaster", and other generic usernames. A far greater portion of it is addressed to the "real" e-mail address I use that's been plastered all over the web for years and years.
Judging only from my inbox, it would seem that spammers are more likely to use lists of known e-mail addresses than trying to guess valid usernames for a domain. My advice would be to use the catch-all address and just wait and see if spam becomes a problem. Turning off the catch-all wildcard, if need be, is a very simple operation.
If you use a spam filter, you should not have to worry about it. You are not exposed to more kinds of spam, just more instances. And since spam filters currently have no issue with volume, you should be ok.
who | grep -i blond | date cd ~; unzip; touch; strip; finger; mount; gasp; yes; uptime; umount; sleep
What does it matter if it opens you up to spam. It's a catch-all account right, isn't that what it's supposed to do?!?
As someone who has been using a catch-all account for years, and has enjoyed the benefits and suffered the consequences, I would suggest you do it (though not without some warnings and recommendations). I do receive a fair amount of SPAM for accounts which have never existed on the system. I have also endured several periods when some SPAMmer referred to fake accounts at my domain in the return-to of the SPAM they were sending out (they were not using my mail server, they simply made up random usernames for my domain). Since they were random (both the names they used and the content of the SPAM) it was impossible to easily filter out. That sucked. I would receive hundreds of bounce messages per day. Ultimately I was able to make it stop by writing a script to post every bounce message I received through to the support form on the websites being advertised (modifying for each of the three or four sites which were involved), making the normal "cease and desist" legal threats. It seemed to work, since the SPAMs did stop soon after (presumably those sites complained to the SPAMmer they employed), and the SPAMmer no doubt moved on to some other fake accounts. Bastard.
One of the best features of the catch-all is that you can totally control to whom you give out your "real" e-mail address, as well as track who is using the e-mail addresses you are giving out. For example, if you want to register at example.com for something, you give them the address me.example@yourdomain.com (or some structure which has a prefix or postfix, the 'me.', and the site name for which you are registering). You'll be able to receive that site's mail until you either don't want to, or until you see that they have abused the privilege of e-mailing you.
Often I will see six months after registering to some site, I start getting tons of SPAM from the e-mail I gave to that site, and I can then simply block that on the mail server, bouncing them or sending them to /dev/null (via aliases, for example). This is the greatest strength in using catch-all addresses.
To mitigate the danger I mentioned previously of fake usernames, one should (though I am no sendmail expert and don't know how) set up a rule that any incoming recipient address must correspond to an existing account/alias, OR the catch-all structure you want (the whole PREFIX.SITENAME@yourdomain.com).
Q
Don't vote for Eugene Papansanovich for Congress!
I just write mail back. It's rather funny when you get a reply from the spammer. That isn't automated.
It is great. You never have to worry about giving out an indiscriminate address again. Signing up for a fantasy league on cnn/si? I used cnnsi@mydomain. cnnsi sold it and now I get several hundred spam a day there. And I can trivially filter and nuke them, with the added bonus that I know never to send them my business again. amtrak has amtrak@mydomain, I get all the mail from it, and can easily track that they have never violated their TOS. It's the greatest thing- I heartily recommend it to anyone who can.
IAAL,BIANLY
I fought it for a year or so, coding up custom filters, using spam assassin, you name it, and finally just gave up and blackholed it.
Spammers are trying dictionary attacks against domains to try and guess live accounts. I would get 500+ copies of the same message to made up names in alphabetical order a day.
That being said, I have since gotten on the Gmail beta, and just forward all my mail there now. It has a far better spam rejection rate than anything else I have tried, so if you forward all your mail to a google account and let them try and sort out the spam, it would probably be usable (and maybe even helpful to them to train their filters).
Mathematically impossible requirements are technically not against policy.
I've run several catch-alls on my domains for several years, and I've never been spammed at [all]@[domains].com. However, just last week all my domains were hit by an email virus that did a dictionary-based attack. While it was all still caught by my spam filter, my spam filter is client-side, and after downloading 18200 emails, I decided it was time to shut down the catchalls.
The only thing I really had to do was notify my friends, who are long used to typing whatever they want into the username section of the domain, tailored to whatever it is they want (eg boywhowillfixmycomputer@, bikemechanicmanwhowillalsofixmycomputer@ etc).
I have a catch-all address at my domain. YES, there are huge amounts of spam. BUT, it is definitely worth the trouble IMHO, and here's why.
1 - most of the spam seems to come to 5 or 6 addresses only - admin, root, sales, webmaster, etc etc. That's cake to filter out straight to trash.
2 - The convenience of being able to sign up for random websites with a different address on the fly is great. For example, signing up on ebay to buy something and using the address "fromebay@mydomain.com" means you KNOW that only one person in the world has your email address so you know who to blame if spam starts coming in, and it is also a piece of cake to automatically filter those ebay emails straight to an ebay inbox, for example.
3 - Not as significant as my first 2 points but still a nice perk in my setup is that I'm able to create email addresses for family and friends on the fly and just set up my own server to split the addresses out into their own inboxes.
So if you will be running the server(s) yourself over slow dsl or cable, the volume of spam MAY be a concern to you. I get about 600-700 spams a day to the common webministrater addresses I mentioned, but it's no concern to me because I don't run the incoming email server and my dsl is more than fast enough to d/l them in a few seconds.
But in any other case, I'd say it's well worth it! And on a slightly different note, I have been very impressed with the honesty and adherence just about everywhere has to their privacy policies regarding email addresses. Over 2 years of using my system with about 50 "from@domain.com" addresses, only one of them screwed up and got the address on a spam list somehow - cancelling my account with them and filtering those spams straight to trash solved the problem.
"This is Zombo Com, and welcome to you who have come to Zombo Com" - www.zombo.com
I've been running my own mail account off of my own domain for about 2.5 years now, and I don't regret it. I do have the catch-all set to dump to my personal account, and it's not been a major problem. Most of the spam I get is addressed to a "real" address (either mine or one of my older accounts I have forwarded to me), and there's a lot of that, so the amount I get from the catch-all is negligible.
:-)
In practice, actually, most of the spam-related stuff I get is mail bounces attempting to a random address with a faked from line of 63745624573@mydomain.com (or something like that). I really should look into implementing SenderID, but that would require hosting the server myself on my dynamic IP instead of letting my web host take care of it.
--GrouchoMarx
Card-carrying member of the EFF, FSF, and ACLU. Are you?
is this a good idea or not?
No, it's not a good idea. Looking through my mail server (and other mail servers I administer) I've seen A LOT of attempts by spammers to harvest email addresses by just trying a lot of common names on the domain (and some strange not so common addresses). If you had a wildcard address, you'd get all that spam to that box.
With no wildcard email address if people misspell a name on your domain, they'll get a prompt bounce message (and they'll probably figure out the misspelling). With a wildcard they'll never figure out the misspelling, and may continue to use that wrong address.
There's also the problem of auto-generated virus bounce messages from other people's servers. Most viruses lie about their from address, and can even make up a @yourdomain.tld. If you had a wildcard all those erroneous "you sent a virus" messages would go to your wildcard box instead of just bouncing.
Unless you want an account that's deluged with spam and like wading through it every so often on the off-chance someone sent a message to admin or postmaster, I'd not create a wildcard box.
AccountKiller
I think it's best to just reject mail addressed to non-existent users during the SMTP transaction. My outside relay uses Postfix's relay_recipient_maps to validate all recipients before relaying inside... anything not matching gets rejected with a 550. This saves my content filters (amavis/clamav) a lot of work since we get TONS of spam to non-existent recipients.
relay_domains = mysql:/etc/postfix/mysql-relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-recipient.cf, mysql:/etc/postfix/mysql-alias.cf
relay_transport = relay:mx2.somethingawful.com
If you don't validate recipients, then you probably SHOULD use a catch-all address. The alternative to this would be bouncing spam back to the (usually forged) sender, in which case you become part of the problem and can cause yourself major queueing problems.
I recently switched to using e-mail from my registrar/hosting company, they included one free address and I paid for an additional 5 mailboxes.
I set up an account for myself and my wife, and used the free account for a spam bucket. My account is set up as a catch-all. Whenever I sign up for something I use an address in the form slashdot.org@<mydomain>.com so if it does start getting spam I know who sold my e-mail address.
If any spam comes in being caught by the catch-all I set up a forwarder to my spam account. For example dns@<mydomain>.com gets forwarded to spam@<mydomain>.com I then just set up my e-mail client to dump anything that comes in via the spam account directly into the trash.
To date I have received spam on three addresses that didn't really exist (dns@, sales@ and info@), but overall it works very well.
Uh, sorry, but that sounds just like the legitimate e-mail I get from some of my friends... :o)
--
Tomas
But I think it depends on what you are using your domain for; wildcard spam is minor/rare compared to targeted spam:
If it is a personal domain with perhaps a couple of description pages and even a blog then, like me, you will get no more (from personal experience) than 10+ random (random in the way they are sent to webmaster/admin or anything that * catches other than regular) messages/week. No big deal
A better known site seems to get a greater ranking in auto-traffic (let me generate logos, banners, security, etc for your website). But an email address listed on the site (my site) gets far more spam than a generic catch-all (e.g., I have "email webmonster@....com" as the auto admin address, more emails come to that than webmaster coz it's googled/harvested on those lists).
But the original statement said "I decided to pay the extra money to have email for the domain I registered" WFT?! Go to something like directnic.com, get your domain for $15/yr and get mail forwarding included (including wildcard)!
You are so close to the right solution. Spam almost universally will have a spoofed address, so sending something back to the 'sender' will not net you any more spam. Sending back is OK.
The trick is to put useful info into the reply. Try setting up a message in the 'this address does not exist' autoreply. Put in something like 'bob@domain.com does not exist. If you are trying to reach Robert Smith, please resend to robert@domain.com. If you want to reach someone in an administrative capacity, send an e-mail to admin@domain.com'.
You can extend this to all the positions that matter, postmaster, webmaster etc, and a few key people at the domain. The bad guys shouldn't get it, and the poor twinks who have their domain name spoofed will probably ignore it.
The people who DO need to contact you and did either screw up or guess wrong will simply get the info that they need to do right. Win/Win.
-Charlie
For example, if you want to register at example.com for something, you give them the address me.example@yourdomain.com (or some structure which has a prefix or postfix, the 'me.', and the site name for which you are registering).
What I've been doing for the last couple of years is using a catchall at a subdomain of my actual domain. The typical dictionary spams (postmaster, sales, etc) don't come in, because they only work on top level domains (otherwise spammers would be wasting a large amount of time spamming "sales@www.domain.com" which pretty much never exists).
When I sign up for an account at example.com, I just register as example.com@catch.mydomain.com. If I get spam, I can block it, and it doesn't interfere with my actual domain. If I decided one day I get too much spam to it, I could just switch to another subdomain name.
Speak before you think
Forget the "Catch All" e-mail address. Use Mailinator.
FYI -- mailinator is a non-passworded public catch-all system. Perfect for temporary site registrations. I use it frequently and it's an unbelievably good service...
------ The best brain training is now totally free : )
Make sure addresses like postmaster@ and abuse@ work. They're unlikely to get spammed, but may well receive important messages.
postmaster@ is actually required by rfc2821, btw.
As for the subject of the discussion; my catch-all addresses have been fine, but YMMV. If I was that worried about dictionary attacks, but still wanted the ability to give a new address out to each company, I'd do something like *-signup@mydomain or *@signup.mydomain or similar, but you might not have that level of control (in which case I'd recommend finding somewhere better to host your email, but *shrug*).
If you have 1000s of messages coming to a personal computer it doesn't mean squat what your filtering scheme is. Even if you don't "see" these messages, your machine is still going to have to read messages to evaluate them, or at the least download the headers (though header analysis isn't going to get you 100% filtered spam).
Accepting email from 1000's of possible email addresses @ your domain when you know they're all bogus is just asking for punishment.
I used to use my catchall for precisely that (e.g. slashdot@mydomain.
It DID help me bust someone for passing on an address which was instantly traced back to them.
Spam however has completely ruined it though for the problems outlined in this article. Unfortunately I can't turn off the catch-all as there are so many 'legacy' addresses from which I might only hear once a year but don't want to miss their email.
I now use http://www.spamgourmet.com/ instead to create disposable accounts as I have the luxury of being able to kill them (or let them die) if need be. It's free and I highly recommend it.
Do you or your partner snore? - Visit www.snoring.com.au
I run a friends-and-family hosting site (DNS, mail, web) for about 50 domains, almost all of which have catchall enabled. One user was getting 500+ spams a day, day in and day out. I was seeing 200-300 per day myself.
Four weeks ago I built the latest sendmail with Milter turned on and installed relaydelay.pl. The next day that user received two (2) emails, both of which were from friends. I got 7 emails, only one of which was spam.
Greylisting is the single most powerful anti-spam system out there. It blocks over 95+% of the spam and it doesn't "false positive" because it isn't doing pattern matches, Bayesian filtering or anything like that. It simply gives a TEMPFAIL to any email that has an unknown (from, to, server-IP) triple. If they come back more than X minutes later and less than Y minutes later, they are let through. Spammers almost always are using fire-and-forget SMTP servers so they don't retry, and so you never see their garbage. Positively elegant.
If you are the sysadmin, check it out and install it. Otherwise, hound your admin/ISP to install it. It saves bandwidth, aggravation, and time.
The corks just don't come out the way they used to.
-- My Wife, dealing with one of the new Corqs(tm)
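The greylisting decision described in the post above, as an added example that is not part of the original post and is not relaydelay.pl's code. The 5-minute and 4-hour limits stand in for the post's "X" and "Y" and are assumptions, as are the reply texts and the constructed sample traffic.

```python
TEMPFAIL = "451 4.7.1 Greylisted, try again later"
ACCEPT = "250 2.0.0 OK"


class Greylist:
    """Greylisting keyed on the (server IP, envelope from, envelope to) triple."""

    def __init__(self, min_delay=5 * 60, max_delay=4 * 3600):
        # Assumed values for the post's "X minutes" and "Y minutes".
        self.min_delay = min_delay
        self.max_delay = max_delay
        self.pending = {}    # triple -> time of the first attempt
        self.known = set()   # triples that retried inside the window

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        triple = (client_ip, mail_from.lower(), rcpt_to.lower())
        if triple in self.known:
            return ACCEPT
        first = self.pending.get(triple)
        if first is None or now - first > self.max_delay:
            # Unknown triple, or a retry that came too late: (re)start the clock.
            self.pending[triple] = now
            return TEMPFAIL
        if now - first < self.min_delay:
            return TEMPFAIL  # retried too quickly; the original timestamp stays
        del self.pending[triple]
        self.known.add(triple)
        return ACCEPT


def replay(events, **limits):
    """Run (time, ip, from, to) events through a fresh Greylist; return replies."""
    gl = Greylist(**limits)
    return [gl.check(ip, frm, to, now) for now, ip, frm, to in events]


# Constructed sample traffic (documentation IP ranges and example domains).
EVENTS = [
    (0,     "192.0.2.10",   "friend@example.net", "me@example.org"),     # first try
    (0,     "198.51.100.7", "x81@example.com",    "sales@example.org"),  # no retry
    (60,    "192.0.2.10",   "friend@example.net", "me@example.org"),     # too soon
    (900,   "192.0.2.10",   "friend@example.net", "me@example.org"),     # in window
    (90000, "192.0.2.10",   "friend@example.net", "me@example.org"),     # known
]

if __name__ == "__main__":
    for event, reply in zip(EVENTS, replay(EVENTS)):
        print(event[0], event[1], event[3], "->", reply)
```

Production implementations also expire stored triples and often match on the sending network rather than a single IP, since large senders may retry from a different host.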
There are better ways to do this. First off there's Sendmail "plus notation," also known as "user+detail" format. If you haven't heard about this you should do some research on Sendmail's website. The other method if you own your own domain, which obviously you do if you're using a catch-all address, is to simply use aliases. Add your custom alias to your local aliases file, rerun newaliases, and you're set. Personally I use a little of both. I use aliases all the time. I can add an alias in a matter of seconds at any given point and time. A quick look at my current aliases file shows me aliases for dictionary.com, outdoorsuperstore.com, The Wall Street Journal, The New York Times and more. The best part about aliases is I can turn off the flow of spam by simply removing the alias. To stop the flow of spam to an address using plus notation I have to whip up a procmail recipe. I've seen more than one spammer strip the plus notation from outgoing addresses though so it isn't always going to stop the flow of spam. Not all web forms accept the plus sign as a valid email character. YMMV, no, I take that back. I can guarantee your mileage won't vary. Catch-all addresses have only one valid use: to collect spam. Plus notation will work much of the time. Aliases will work all of the time.
I own the domain of my last name, for example jones.com. Most spammers guess that a catchall will be placed upon that root domain. However, I create an MX record for my full name, john.jones.com, and then do a catchall of (at)john.jones.com pointing to my account. Spammers seem less aware (zero guesses so far) of MX domains. Then, wherever I have to give out my email address for a registration, I give a "unique" address used just for that site, such as slashdot(at)john.jones.com. This way, if any one address becomes abused, I just put a nouser entry in virtusertable for that address.
I just hope this doesn't catch on too well ;-P. That would really reduce the effectiveness of this method as spammers would catch on. In which case, unique addresses would have to be explicit (many aliases) as opposed to implicit (via catchall). Slightly more time consuming.
I am MuchTall
You don't understand correctly, I'd suggest you read the RFCs regarding SMTP.
When an SMTP session is started, two pieces of data MUST be sent before the message. Those fields amount to "from" and "to" fields and are sent sequentially by "MAIL FROM:" and "RCPT TO:" fields in that order. The "from" portion may be forged, but the "to" field must be correct as it is the address that the server delivers the message to or uses for further forwarding/processing. If the server does not recognize the to field, it will usually return a simple error (550) and may end the session at that point. Also, if the server does not like the "from" field (for any reason you can program for), an error can be returned and the session ended.
Again, this is all before the body of the message is sent with the "DATA" command, thus saving potentially megabytes of data transfer. This does not require the "return" address to be correct, as this is happening at the time of delivery and the servers are talking directly about the message.
The body of a message may (but is not required to) contain other headers such as subject, to, from, received, date, content-type, message-id etc, but these fields in the data area have nothing to do with delivery as far as the receiving server is concerned.
Now.. it's possible to configure a server to operate differently, accepting all mail blindly, buffering the messages, then later figuring out where they should go.
My personal server takes the "MAIL FROM:" data and parses it, checking that the remote domain exists and there is an SMTP server that accepts mail for that domain. If any of those checks fail, I return a "not available" error (421) and close the connection.
Article X: The powers not delegated... by the Constitution...are reserved...to the people
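An added example (not code from any poster in the thread): the recipient rule suggested earlier in the discussion, which accepts only existing accounts, aliases, or the me.SITENAME structure, applied at RCPT TO time so that unknown names get a 550 before DATA is ever sent. yourdomain.com and the "me." prefix come from the thread's own examples; the mailbox names, the revoked address, the sample sessions and the reply texts are constructed.

```python
import re

# Constructed sample configuration (hypothetical apart from the thread's
# "yourdomain.com" and "me." prefix).
DOMAIN = "yourdomain.com"
MAILBOXES = {"me"}
ALIASES = {"postmaster": "me", "abuse": "me"}   # role addresses keep working
TAGGED = re.compile(r"me\.[a-z0-9-]+")          # the me.SITENAME structure
REVOKED = {"me.cnnsi"}                          # per-site address that leaked


def resolve(rcpt):
    """Map an envelope recipient to a mailbox, or None if it must be rejected."""
    local, at, domain = rcpt.strip("<> ").lower().rpartition("@")
    if not at or domain != DOMAIN or local in REVOKED:
        return None
    if local in MAILBOXES:
        return local
    if local in ALIASES:
        return ALIASES[local]
    if TAGGED.fullmatch(local):
        return "me"
    return None  # dictionary guesses and random forged names end up here


def session(commands):
    """Answer the envelope commands of one SMTP session; return the replies."""
    replies, sender, accepted = [], None, []
    for line in commands:
        verb, _, arg = line.partition(":")
        verb = verb.strip().upper()
        if verb == "MAIL FROM":
            sender, accepted = arg.strip(), []
            replies.append("250 2.1.0 Sender ok")
        elif verb == "RCPT TO" and sender is None:
            replies.append("503 5.5.1 Need MAIL before RCPT")
        elif verb == "RCPT TO":
            mailbox = resolve(arg)
            if mailbox is None:
                replies.append("550 5.1.1 User unknown")
            else:
                accepted.append(mailbox)
                replies.append("250 2.1.5 Recipient ok")
        elif verb == "DATA":
            # No message body is transferred unless a recipient was accepted.
            replies.append("354 Start mail input" if accepted
                           else "554 5.5.1 No valid recipients")
        else:
            replies.append("500 5.5.2 Command not recognized")
    return replies


# Constructed sessions: a bounce to a forged random name, then a site mailing.
BOUNCE = ["MAIL FROM:<>", "RCPT TO:<63745624573@yourdomain.com>", "DATA"]
SIGNUP = ["MAIL FROM:<news@example.com>", "RCPT TO:<me.example@yourdomain.com>",
          "RCPT TO:<sales@yourdomain.com>", "DATA"]

if __name__ == "__main__":
    for name, cmds in (("bounce", BOUNCE), ("signup", SIGNUP)):
        for cmd, reply in zip(cmds, session(cmds)):
            print(f"{name:7} C: {cmd:40} S: {reply}")
```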