Proving You Are Not a Spammer?
tfinniga asks: "A spammer has recently started using my domain name as 'From:' addresses when sending out spam. I'm worried about my domain being blacklisted, and I'm annoyed by the bounces — I'm getting about 1000 bounce messages a day. Unfortunately, I give out a different email address to each site I visit: slashdot@example.com, paypal@example.com, amazon@example.com, etc., and the spammer is using a different address for each mail, so simple address filtering doesn't work. What is the best way of avoiding being put on a blacklist, and dealing with the flood of bounces?"
Was this type of thing called a "joe-job"? (can't remember, sorry) :)
I wish I could help, but I am also in the same position
as you and I also was not able to find a solution.
Fellow readers, your input would be valuable
thanks in advance...
GUI == Graphical User Interference
Here are the current regexp lines I have in my
* ^From:.*majordomo
* ^Subject:.*Returned.mail
* ^From:.*mailer-daemon
* ^Subject:.*mail.could.not.be.delivered
* ^From:.*(postmaster|devnull)
* ^Subject:.*autoreply
* ^From:.*spamarrest
I run my email the exact same way that you do, and I have had the same problems. Fortunately, I've never been rejected as a spammer based on my domain name alone, and if you have been, hopefully someone else here can help you solve that problem.
As far as stopping the bounces... The only way I've found that works is to use a whitelist system... filter all of the addresses that you know are good (paypal@example.com, etc) into folders, and everything else goes into a generic catchall folder that you give a quick scan to before moving it to a long term keep folder.
Just a note... I highly recommend the keep folder over just trashing the message. When it's morning and you are groggily mass-deleting messages, sometimes good messages get axed accidentally... If you have your own domain, it's likely that you have POP, so long-term storage shouldn't be a problem.
Josh
Open Your Mind. Open Your Source.
If the sender is forging your From address, chances are they're not using your mail server. Most decent blacklists (e.g. SpamCop, Spamhaus) will blacklist the offending server's IP address, not your mail domain.
Consider implementing SPF (home page wiki) so recipient mail servers can drop the message if it wasn't sent from a server authorized to send mail from your domain.
Most bounce messages will not include your outgoing server's signature. You can consider dropping those messages using the techniques described in the Postfix Backscatter Howto.
I don't think you have to worry about blacklisting.
It's pretty much standard practice for spammers to set the "from:" to some random, existing e-mail address. This generates a lot of bounces if one of the "to:" accounts doesn't exist and there is still some crappy anti-spam filtering software that bounces (which is stupid in more ways than I can count) to the "from:". But other than that, no blacklist is idiotic enough to still believe the "from:" is reliable.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Also you're breaking RFC 2606.
Let's just say this was your poor judgment and move on.
I run a web hosting business...small but large enough that this happens on a regular (read: daily) basis for the people I host.
All of the good and 99% of the bad network admins will know better than to trust a "From" header in an email. I can't think of anyone that will block a domain based on the From header. Most network admins who set up blacklists blacklist server IPs that email comes from, and not email headers.
As for your catch-all address, you can use some of the techniques that others have mentioned in previous comments. I usually tell my customers to just wait it out. The spammers will stop using your domain after a day or two. Give it another couple of days for the mail queues to empty out, and you'll stop getting bounces.
This began happening to a co-worker yesterday.... did the spams include Project Gutenberg donation requests?
You are being joe-jobbed. Do not worry about it.
http://www.spamfaq.net/terminology.shtml#joe_job
3.2.22 What's a "Joe Job"?
The act of faking a spam so that it appears to be from an innocent third party, in order to damage their reputation and possibly to trick their provider into revoking their Internet access. Named after Joes.com, which was victimized in this way by a spammer some years ago.
You will not wind up on a blacklist. This is a well known phenomenon among mail admins.
--
BMO
This is an easy one ... just send an email to everyone explaining the situation. And I just happen to have some mailing lists of people who opted-in to receive just this kind of notification, which I can provide to you at a very reasonable costs.
This has happened to me not once but twice, and I really was at a loss at what to do. Well, and angry and annoyed. The second time I decided enough was enough and set up DomainKeys and DKIM (both because DKIM hasn't quite caught on enough yet). Both of them are ways to sign your e-mail so the receiving server can be sure that it actually came from your domain. It's not yet a real solution because not enough people/sites use it or validate against it, but encouraging adoption is always a good thing.
Of course, signing mail isn't really enough to stop it, so you may have to turn off the "catch-all" feature of your mail just to avoid mail bounced to "xycjdfedf@mydomain.com"
I have the exact same problem.. SpamAssassin and careful IP blocklists (i.e. all of China, Florida, koreanet, etc.) from headers have reduced it to but a trickle. You can also set it to reject it to common addresses like admin@domain
I recently switched my domain email to Google Apps and couldn't be happier about it. I don't need to deal with the spam and email administration anymore and all of my family and friends get their own accounts. Everything's free and works great. The downside is not having a regular IMAP or POP access to my email.
:)
I use the same catchall feature as mentioned above and I also get a lot of bounce messages. The spam filtering of gmail is amazing. I get a few thousand spam a week and sometimes one escapes the spam filter.
Of course, this doesn't solve the issue of proving you're not a spammer, but I haven't been accused of that anyway
Why don't you add a SPF record? With a SPF record you can prevent them from being able to send mails in the name of your domain. This will kill the problem and you will not be forced to deal with all the bounce messages.
I inherited a class C that formerly belonged to a spammer. Made it almost impossible to get outbound mail accepted. Since we were a small org (50 people), outgoing was relayed over a T1 to a host in another network. Almost a year and a half later, and I'd estimate 90% of the mail gets accepted. Some old firewalls and blackholes block them still.
So because we were lucky enough to have another site to send from, we weren't screwed... I'd hate to be there without a backup!
It's a little late now, but the real problem is how you picked your email aliases. Start them all with the same prefix. Like, if I'm wordplay@foozle.com (I'm not, btw, so don't mail me), I might use wp-paypal@foozle.com, wp-ebay@foozle.com, etc. Then I can filter anything that's not addressed to wordplay or wp-*.
Apparently if you are in Washington, all you have to do is sue yourself for being a spammer. The judge will chew you out for wasting the court's time, and then drop the charges without even opening the documents. Once the court has vindicated you, you can demonstrate to everyone how non-spammy you are. I don't think you'll even need a lawyer, although you may need some antacid after seeing the US judicial process up close and personal.
If you don't live in Washington, I think you'll need to move there first.
Good luck. Let us know how the trial goes.
- doug
Hostnames / IP addresses are blacklisted. Domain names are not. Next question.
This sig is intentionally left blank
Domain blacklisting probably isn't a problem---every sane sysadmin these days knows that the address in the "From" field of a spam email has nothing to do with the origin of the spam.
You might want to investigate "Sender Policy Framework", which allows you to add a DNS record to your domain specifying who (in terms of IP addresses) is allowed to send emails that claim to come from your domain. You will probably find that it doesn't decrease your spam bounces, however.
The other option that may be feasible depending on your setup is ensuring that all outgoing emails have a Message-ID with some sort of token in it that you can recognise. All incoming bounces that are not replying to a Message-ID with your token in it are spam.
Just some ideas.
Yup. I got 18,500 in two months until the rate of spam went down again.
I now recognize the importance of an email provider that accepts ALL email addressed to you if you can't afford to lose messages. Use your own spam filtering so at least you can check your own junk mail folder if you're missing something important that you're expecting. And if you need your messages to go out reliably then you need to send by a method that won't be rejected by the major email providers.
I use a special code in the subject line, so that everyone that I e-mail knows it's from me. I use ALL CAPS in my subject line among other things, like ":-)", and I have instructed all the people that I e-mail on a regular basis that if they receive an e-mail from me without all caps, or other identifying codes, then it is probably not from me, and don't open it under any circumstance. This works, and once everyone is onboard for recognizing the code, then they can relax about who sent what. I should point out that this is mainly used for your friends, but if you're really having problems, then you should use it in your professional e-mails as well. It actually brings a more personal service to your clients because they'll feel that your e-mails are special, and that no one is going to get at them. The "us against the world," so to speak, will bring you to the forefront over your competitors.
To all the people saying domains don't get black listed. Sorry you are wrong.
I posted this exact question to slashdot about 4 years ago, back then you were just pretty much screwed.
I was actually receiving threatening return mail for sending spam, which is why I posted here.
My domain did end up on a bunch of black lists and is still on a few to this day.
I will say that the better ISP's use a mailserver based black list and not a domain based one, but there are still some out there.
Now what you can do.
Go to the FTC ID theft complaint form
https://rn.ftc.gov/pls/dod/widtpubl$.startup?Z_OR
Yes spoofing your e-mail is a form of ID theft.
The company advertised is just as legally responsible as the spammer.
If you keep filing complaints the spammers learn not to use your e-mail. The ones in the US and Canada you can actually sue to recover damages.
Good luck
The Lunatick, Carpe Corpus!
Send a billion e-mails to everyone you're getting bounces from, saying you didn't do it.
:D
I can't see how it can fail
Hello! I'm a disaster waiting to happen!
I did this too for the same reason. I would use all sorts of e-mail address as I need them so I just opened up the mail server to accept To: *.anything in my domain. However after suffering for years with the problem you are seeing now I learned that spammers love domains like this. After sending a few messages to your server to determine if it accepts any user then they are more likely to use your domain as the From: because they can use any user name and it will be valid.
After examining my mail history I figured out that it's pointless to use a different e-mail address for everything. I rarely used it for what I expected. My original plan was that if one address started getting spammed to death I could simply block that address. That never really happened though. The addresses that get spammed to death are the same ones I use a lot. SpamAssassin has done a near perfect job of blocking spam and letting through the ham for many years anyway.
So I closed up my mail server. I just have a handful of addresses now. Basically I have my main e-mail address, an address I use for sites that might spam me, and then a couple of administrative addresses. Obviously since I closed up the mail server I stopped getting bounces, and any incorrectly configured server that bounces mail will at least get an error stating there is no such user.
The ratio of people to cake is too big
1. Blacklisting is generally done on the originating IP address, not the allegedly originating domain name. It's unlikely that your forged from address will be picked up by any filters. The forgery problem is, of course, why blacklisting is not generally done on the allegedly originating domain name.
2. You can mitigate the bounce problem with Sender Policy Framework (SPF). Many of the larger mailers will drop messages where the SPF records indicate that the sender address is forged. Many more will suppress bounce messages as a consequence of SPF failure. See http://www.openspf.org/ . SPF is not universal by any stretch of the imagination, but using it will decrease the number of bogus bounce messages you receive.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
We ran into a Postfix bug on our systems the other month. Apparently spammers can trigger a bounce by including an extra "Mailed-To" line, and that bounce will be sent to the target of their choice. This was exploited to send a bunch of bounce messages from our system to other systems. It's simply part of Postfix's loop detection. Spammers are beginning to use it more and more, but there aren't any plans to fix it by the developers, so far as I know. We wound up fixing this with a Postfix header filter.
The only crime that deserves a death penalty should be spamming. They should be hunted down and have their companies and personal homes, cars and all possessions lit on fire and/or terrorized. Seriously, in all honesty I would have a guilt free conscience after killing one of these fuckers with a sniper rifle. I actually think I would grow spiritually from the experience.
That being if you are running an exchange server.
The greatest revenge in life is massive success.
I used a spamtrap domain for about 5 years, then the same thing happened 2 years ago. I have not yet had my entire domain blacklisted. I did have to get rid of the wildcard that allows any local-part though. If your MTAs bounce after receipt for invalid local-part, instead of at SMTP time, you're more likely to hit a blacklisting spamtrap address (see spamcop) than if you just happen to be getting spoofed.
:)
I went through my procmail logs with some awk/grep/sort -c and found most of the legit addresses I had used over the years. This took a few hours, as you might expect. Then I changed my virtual file to allow only those addresses and dropped the wildcard. Now all new addresses I give out have to be added before I sign up, etc. I missed a few, but since anything important had high counts (e.g. netflix@example.com) I caught all the ones that really mattered. The spam/bounce volume has been reduced by 99%. The amount of crap w/ wildcard made the inbox totally unusable anyway. It's worth the time. I did have one company I missed go out of their way to call me and get a new address when it started bouncing.
With good spam filtering, I now give out my main email address to many signups whom I trust. My main is kevin@somewhere.com, which obviously gets a lot of guesswork thrown at it anyway, so it's not like it will get much worse. It's interesting to note that over the years, I only had two entities leak my address to spammers, and they were caught, larted and the address blacklisted. Not really worth the pain.
BTW, never give your address to Ticketmaster. They will never stop. I had to threaten their legal department to make them quit.
Since not all recipients check SPF, you may also wish to sign your mail from. This adds a timed hash token to the local part, and bounces must have the proper token in the RCPT TO or they are rejected. I use sendmail and the pysrs package from the pymilter project for this purpose.
Pick a prefix you're going to use for all the emails you're giving out; ex. d.slashdot@example.com, d.paypal@example.com, d.amazon@example.com, etc. Then filter out anything not beginning with "d." (and any particular address a spammer may have used).
Anyone dumb enough to block you based on a forged header is too stupid to worry about. None of the serious blacklists are going to care about the address unless there's real evidence that it's not a forgery.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
As others have pointed out, everyone knows that spammers forge the From: header, so your domain would not be blocked except by the dumbest of mail admins.
Your real problem is the backscatter (those 1000 bounce messages you get per day). My solution follows:
I still have all of my mail logs since time immemorial, so I wrote a script to parse out all of the From email addresses in outgoing email and made a list. Going forward, each outgoing email from my server gets its From address added to that list.
In other words, I have a list of every possible From address ever used to send email from any of my domains (and the domains of the folks I host because they were jealous of my spam filtering).
Part of incoming email processing is a rule that if your envelope sender is <> (that is the envelope sender for bounce messages), and the envelope recipient is not on that magic list of my outgoing senders, then the message must be blowback, and you get an SMTP rejection code and a message that explains why your email was backscatter and to please fix your server.
Before you respond and say, "What about email addresses that you put in webforms? Hello!" Remember, I only apply this rule to envelope sender <>. If you're bouncing email to an address that has never been used to send email, then you are sending blowback.
A desperate plea to mail admins out there: For the love of all things holy, stop sending delayed bounces! When you reject a message, reject it during the SMTP session! Do you have any idea how much pain you are causing others? More information here.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
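The two backscatter defences described in this thread (the timed hash token in the sender local part that the sendmail/pysrs user mentions, and the "null envelope sender plus recipient never used as a sender" rejection rule in the post above) can be combined into one RCPT TO-time decision. The following is an added example, not code from either poster: it implements a simplified BATV-style `prvs=` tag (the real draft also carries a key-id digit, omitted here) with a constructed secret, a constructed list of known outgoing addresses, and a `day` parameter so the expiry logic can be exercised without waiting.

```python
import hashlib
import hmac
import time

# Constructed values for the example: a per-server secret and the set of
# addresses that have actually sent mail from this domain before.
SECRET = b"constructed-example-secret-change-me"
KNOWN_SENDERS = {"kevin@example.com", "paypal@example.com"}
VALIDITY_DAYS = 7


def _today(day):
    # Days since the Unix epoch; injectable so tests are deterministic.
    return int(time.time() // 86400) if day is None else day


def _mac(tag, address, secret):
    # Short HMAC over expiry tag + address; 6 hex chars as in BATV prvs.
    msg = f"{tag}{address}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:6]


def sign_sender(address, secret=SECRET, day=None):
    """Rewrite an envelope sender as prvs=DDDHHHHHH=local@domain.

    DDD is the expiry day (days since epoch, mod 1000), HHHHHH a truncated
    HMAC.  Bounces to the original must carry this tag to be accepted.
    """
    expiry = (_today(day) + VALIDITY_DAYS) % 1000
    tag = f"{expiry:03d}"
    return f"prvs={tag}{_mac(tag, address, secret)}={address}"


def verify_sender(signed, secret=SECRET, day=None):
    """Return the original address if the tag is genuine and unexpired, else None."""
    if not signed.startswith("prvs="):
        return None
    parts = signed.split("=", 2)
    if len(parts) != 3 or len(parts[1]) != 9:
        return None
    tag, mac, address = parts[1][:3], parts[1][3:], parts[2]
    if not tag.isdigit():
        return None
    if not hmac.compare_digest(mac, _mac(tag, address, secret)):
        return None
    # Expiry is stored mod 1000; the tag is live while it lies in
    # [today, today + VALIDITY_DAYS] on that 1000-day wheel.
    remaining = (int(tag) - _today(day)) % 1000
    return address if remaining <= VALIDITY_DAYS else None


def accept_rcpt(mail_from, rcpt_to, known_senders=KNOWN_SENDERS, day=None):
    """SMTP RCPT TO decision.  Returns (accept, reason).

    Only messages with the null envelope sender (bounces/DSNs) are subject to
    the backscatter check, so mail submitted via web forms to never-used
    aliases is unaffected, exactly as the post above notes.
    """
    if mail_from not in ("", "<>"):
        return True, "not a bounce"
    if verify_sender(rcpt_to, day=day) is not None:
        return True, "bounce to a signed sender we issued"
    if rcpt_to in known_senders:
        # Fallback for mail sent before signing was switched on (assumption).
        return True, "recipient has sent mail from here before"
    return False, "550 5.7.1 backscatter: this address has never sent mail"


if __name__ == "__main__":
    signed = sign_sender("kevin@example.com")
    print(signed)
    print(accept_rcpt("", signed))
    print(accept_rcpt("", "xycjdfedf@example.com"))
```

At the MTA this sits in the envelope stage: outgoing mail has its MAIL FROM rewritten by `sign_sender`, and incoming connections with MAIL FROM `<>` get `accept_rcpt` applied before DATA, so the rejection happens in-session rather than as yet another delayed bounce.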
Of course domains get blacklisted. There are thousands and thousands of private blacklists with all kinds of funny rules for who is added. I block everything from "mail.ru" because there is just so much spam with that FROM address. I and my tiny user base don't know anyone in Russia so it is a reasonable trade-off for us. If enough people make the same decision, it could be a problem for mail.ru, even if they don't send a single piece of spam.
Nathan's blog
(A) At least 95% of spam is sent using fraudulent "From" addresses, most of them being addresses (like yours) taken often from the same list being spammed to. None of the major blocklists ever block based on the "From" domains in spams, nor indeed do we pay any attention to "From" addresses on spams. What gets blacklisted is the sending IP address or the IP of a web server hosting the spammer's website advertized in the spam. There has never, ever, been a case of a major blocklist listing someone based on the "From" address of spams, therefore this is not something to worry about.
(B) Thousands of people worldwide are bombed every day with 'undeliverable' bounces due to spammers using their addresses as the "From". The way to handle it is to never accept mail for non-existent usernames (anyone accepting mail for anyuser@ these days is nuts) and use a filter that can block on text strings such as "From: *daemon*", "Subject: *returned*|*undeliverable*", etc. Then, simply ignore it, the spammer will move on to using a different address tomorrow.
Steve Linford
The Spamhaus Project
http://www.spamhaus.org/
The same thing happens to me - I have the address myfirstname@university.edu - and unfortunately, my first name is also a dictionary word. So someone is sending out a ton of spam in my name, and I get all the bounces. My school's spam system catches about half of them, luckily when I use Mail.app at school it's good at catching the rest. Unfortunately, though, when I use the school's webmail I have to manually delete them all. And the daily number has continually gotten higher since September. I hate to think how much I'll be getting by the time I get my degree in 2011.
Warning: Apple/Nintendo fangirl. Likes her electronics cute & cuddly. May be rabid.
IDIOT.
Please do NOT encourage any more people to move here. The traffic is worse than LA, and all the beautiful forests are now tract housing. That and the RAIN is never ending!
How much is your data worth? Back it up now.
What's worse is getting blacklisted by the self-righteous NJABL. I'd been summarily blacklisted as being on a dynamic IP and therefore automatically a spammer, and after following all of their directions to the letter, being met with angry responses from people who obviously didn't check my rDNS, and being further blacklisted from even emailing them, I gave up and had my IP address changed, at great expense and downtime.
Spam blacklists are awful things. It's too bad more people aren't using Jabber.
-Benjamin Vander Jagt
-Vander Jagt Computers -- Not a spammer
I just blacklist anything from..
Postmaster
MAILER-DEAMON
MAILER-DEMON
Etc.
I've got a HUGE blacklist and an even bigger spambust.dat, spambust2.dat and so on.
And in Windows I use Spampal for the final filtering.
Seems to work!
I killed da wabbit -Elmer Fudd
For instance, SPF lets you say "all mail from example.com comes from IP address 1.2.3.4", but if fred@example.com sends mail to yourdad@yourdomain.com, and you forward it to yourdad@hotmail.com, hotmail is going to receive mail claiming to be from fred@example.com with your IP address on it, and reject it as a forgery. And since any recipient of a mailing list could be a forwarded address, the folks who run mailinglist@example.com can't just use SPF to prevent forgers from imitating them. (That's especially annoying if mailinglist@example.com is a good phishing target, e.g. paypal, ebay, online banks.) It's actually somewhat ironic that SPF has this problem - one of its main authors and proponents, Meng Weng Wong, runs pobox.com, an early mail forwarding service...
One of the other people commented that his university does spam filtering on outgoing forwarded mail. It's not a really precise approach, since you lose some of the information about where the mail came from, but if you're already using sender-IP-based spam filters on the inbound side you're covering most of that need. (Also, you really should be greylisting incoming mail to chase off the anklebiters.) I use pobox.com as an email forwarding provider, and they provide a fairly extensive set of spam filter options that their users can select. For instance, I don't want any email that originated in Nigeria or is in a Chinese or Russian character set, but your university may have students from Nigeria and students who read Chinese and Russian, so you wouldn't just block those messages wholesale.
Back when I ran a Cypherpunks Remailer, I was considering setting it to only forward encrypted messages; that way they not only would be private, but it wouldn't look like *my* system was sending spam or abusive emails so I wouldn't have to deal with complaints. A related idea was to automatically encrypt any email to known recipients; if you have a working mail encryption system, you could do the same for forwarding email, but of course that's not a good match for a Hotmail account where the recipient may not have PGP or similar tools.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
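Several posters recommend publishing an SPF record, and the comment above explains why plain forwarding breaks it: the forwarder's IP is not in the original domain's record, so the receiving side sees a failure. The following added example (not code from any poster) is a small SPF evaluator over an in-memory table of constructed TXT records; it handles the `ip4`, `ip6`, `include` and `all` mechanisms with the four qualifiers and treats the DNS-dependent mechanisms (`a`, `mx`, `exists`) as unsupported, so it can show the forwarding case offline.

```python
import ipaddress

# Constructed SPF records; in reality these are TXT records fetched via DNS.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.25 ip6:2001:db8::25 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, client_ip, records=SPF_RECORDS, depth=0):
    """Return the SPF result for mail claiming `domain` sent from `client_ip`.

    Results follow RFC 7208 names: pass, fail, softfail, neutral, none,
    permerror.  Only mechanisms that need no live DNS are implemented.
    """
    if depth > 10:                      # RFC 7208 limits DNS-querying terms
        return "permerror"
    record = records.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)

    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            return QUALIFIERS[qualifier]

        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue

        if mech == "include":
            inner = evaluate_spf(arg, client_ip, records, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            continue                    # fail/softfail/neutral: no match

        return "permerror"              # a, mx, exists, ptr: not implemented here

    return "neutral"                    # no term matched and no 'all' present


def forwarded_result(domain, forwarder_ip, records=SPF_RECORDS):
    """What hotmail-style final recipients see when a forwarder relays the mail
    unchanged: the check runs against the forwarder's IP, not the origin."""
    return evaluate_spf(domain, forwarder_ip, records)


if __name__ == "__main__":
    print("direct:   ", evaluate_spf("example.com", "192.0.2.25"))
    print("forwarded:", forwarded_result("example.com", "203.0.113.7"))
```

The `forwarded_result` call is the thread's complaint in one line: the message from `example.com` is genuine, but because it reaches the final server from the forwarder's address it evaluates to `fail` under a `-all` policy. Publishing `~all` turns that into `softfail`, which is why many domains stay on `~all` until they can fix forwarding (SRS) or add DKIM.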
I see 4x that on a daily basis to my home domain. and 10x that at the office domain.
---- Booth was a patriot ----
Unfortunately, there isn't going to be much I can do to help you. I am not a sysadmin either, and the only MTA that I know is qmail. I'd probably get flamed for saying this if people were still reading this thread, but qmail is outdated. It lacks many features, probably many that you rely upon, and is basically worthless without a standard set of patches. In other words, I do not recommend that you learn qmail.
My solution involved custom qmail coding, which probably will not help you at all. What you might try doing is going to find the exim users email list or forum (there must be one) and describe your problem. They may have a solution for you.
You can obviously point them to my solution as well to see if they can tell you how to implement it in exim. Unfortunately, I know absolutely nothing about exim. If I knew exim, I would have ditched qmail years ago. But as it stands, I have no incentive to learn another MTA. I am not a sysadmin.
Good luck!
P.S. I really do wish that I could help you because I understand the pain of thousands of blowbacks per day. Here is the relevant code from my greylisting system, which you can see just does exactly what I described before. Maybe it will help you, but I doubt it. Again, good luck!
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock