Slashdot Mirror

← Back to Stories (view on slashdot.org)

Proving You Are Not a Spammer?

Posted by Cliff on from the smtp-from-header-validation dept.

tfinniga asks: "A spammer has recently started using my domain name as 'From:' addresses when sending out spam. I'm worried about my domain being blacklisted, and I'm annoyed by the bounces — I'm getting about 1000 bounce messages a day. Unfortunately, I give out a different email address to each site I visit: slashdot@example.com, paypal@example.com, amazon@example.com, etc., and the spammer is using a different address for each mail, so simple address filtering doesn't work. What is the best way of avoiding being put on a blacklist, and dealing with the flood of bounces?"

17 of 127 comments (clear)

  1. Procmail helps a lot by Ted+Cabeen · · Score: 4, Informative
    I've had a lot of luck setting up a procmail script on the address I use for emails that match the domain wildcard. If you drop messages with a null Return-Path, you'll get all true bounces. Add to that some From header matching for things like mailman lists and mails from mailer-daemon (for those mail systems that don't follow the RFCs) and you should be able to eliminate pretty much all bounce traffic from emails that hit your domain wildcard. Don't forget to forward everything that doesn't hit the rules back to your primary email address. An SPF record can also help, although not enough people are using it to make it really helpful, and it breaks mailing lists. Also, most mail admins understand that nearly all spam From headers are forged, and you shouldn't be blacklisted for being the subject of a Joe-Job.

    Here are the current regexp lines I have in my .procmailrc for that user (all of these send the offending message to /dev/null):

    * ^Return-Path:
    * ^From:.*majordomo
    * ^Subject:.*Returned.mail
    * ^From:.*mailer-daemon
    * ^Subject:.*mail.could.not.be.delivered
    * ^From:.*(postmaster|devnull)
    * ^Subject:.*autoreply
    * ^From:.*spamarrest
    1. Re:Procmail helps a lot by Ted+Cabeen · · Score: 4, Informative

      The first line above should be:
      * ^Return-Path: <>

      Darn HTML-like comments.

  2. Re:me too by lanzz · · Score: 4, Informative

    no, a joe-job is when a competitor sends spam advertising (in the actual message body) your website/product/service/whatever, in hopes to discredit you. what the original poster complains about is simple from-spoofing; i don't believe anybody would block his domain due to its use in spoofed from: headers. my domain has been used this way by spammers in the past, and i haven't noticed anybody blocking my mails.

  3. Run a web host by adamstew · · Score: 4, Informative

    I run a web hosting business...small but large enough that this happens on a regular (read: daily) basis for the people I host.

    all of the good and 99% of the bad network admins will know better than to trust a "From" header in an email. I can't think of anyone that will block a domain based on the From header. Most network admins who setup blacklists blacklist server IPs that email comes from, and not email headers.

    As for your catch-all address, you can use some of the techniques that others have mentioned in previous comments. I usually tell my customers to just wait it out. The spammers will stop using your domain after a day or two. give it another couple of days for the mail queue's to empty out, and you'll stop getting bounces.

  4. Joe Jobbed by bmo · · Score: 5, Informative

    You are being joe-jobbed. Do not worry about it.

    http://www.spamfaq.net/terminology.shtml#joe_job

    3.2.22 What's a "Joe Job"?
    The act of faking a spam so that it appears to be from an innocent third party, in order to damage their reputation and possibly to trick their provider into revoking their Internet access. Named after Joes.com, which was victimized in this way by a spammer some years ago.

    You will not wind up on a blacklist. This is a well known phenomenon among mail admins.

    --
    BMO

  5. DomainKeys and DKIM by jediknil · · Score: 4, Informative

    This has happened to me not once but twice, and I really was at a loss at what to do. Well, and angry and annoyed. The second time I decided enough was enough and set up DomainKeys and DKIM (both because DKIM hasn't quite caught on enough yet). Both of them are ways to sign your e-mail so the receiving server can be sure that it actually came from your domain. It's not yet a real solution because not enough people/sites use it or validate against it, but encouraging adoption is always a good thing.

    Of course, signing mail isn't really enough to stop it, so you may have to turn off the "catch-all" feature of your mail just to avoid mail bounced to "xycjdfedf@mydomain.com"

  6. yup spamassassin by Anonymous Coward · · Score: 1, Informative

    I have the exact same problem.. Spam assassin and careful ip blocklists (ie all of china, florida, koreanet, etc) from headers has reduced it to but a trickle. You can also set it to reject it to common addresses like admin@domain

  7. Use Google Apps (Gmail for your own domain) by snowtigger · · Score: 2, Informative

    I recently switched my domain email to Google Apps and couldn't be happier about it. I don't need to deal with the spam and email administration anymore and all of my family and friends get their own accounts. Everything's free and works great. The downside is not having a regular IMAP or POP access to my email.

    I use the same catchall feature as mentioned above and I also get a lot of bounce messages. The spam filtering of gmail is amazing. I get a few thousand spam a week and sometimes one falls escapes the spamfilter.

    Of course, this doesn't solve the issue of proving you're not a spammer, but I haven't been accused of that anyway :)

    1. Re:Use Google Apps (Gmail for your own domain) by Anonymous Coward · · Score: 4, Informative

      Umm.. Google Apps has POP access for all accounts, including the free stuff.

  8. Old IPs by Zack · · Score: 2, Informative

    I inherited a class C that formally belonged to a spammer. Made it almost impossible to get outbound mail accepted. Since we were a small org (50 people), out going was relayed over a T1 to a host in another network. Almost a year and a half later, and I'd estimate 90% of the mail gets accepted. Some old firewalls and blackholes block them still.

    So because we were lucky enough to have another site to send from, we weren't screwed... I'd hate to be there without a backup!

  9. Simple: You wont be blacklisted by AlXtreme · · Score: 2, Informative

    Hostnames / IP addresses are blacklisted. Domainnames are not. Next question.

    --
    This sig is intentionally left blank
  10. Filtering is your only problem by trumplestone · · Score: 4, Informative

    Domain blacklisting probably isn't a problem---Every sane sysadmin these days know that the address in the "From" field of a spam email has nothing to do with the origin of the spam.

    You might want to investigate "Sender Policy Framework", which allows you to add a DNS record to your domain specifying who (in terms of IP addresses) is allowed to send emails that claim to come from your domain. You will probably find that it doesn't decrease your spam bounces, however.

    The other option that may be feasible depending on your setup is ensuring that all outgoing emails have a Message-ID with some sort of token in it that you can recognise. All incoming bounces that are not replying to a Message-ID with your token in it are spam.

    Just some ideas.

  11. Joe Jobbed myself by mrcaseyj · · Score: 2, Informative
    I did a sort of Joe job on my own domain. I set up an alias under my domain for my dad that forwarded everything to his hotmail account. The problem was that spam which came into the alias was redirected along with everything else to his hotmail account. Now I can't send email to hotmail addresses from my domain even if I'm on the recipient's whitelist. My mail doesn't even get to the recipient's junk mail folder. I've even set up an SPF record for my domain and it doesn't help. I guess when hotmail got all that spam forwarded from my domain they concluded I was a spammer.


    I now recognize the importance of an email provider that accepts ALL email addressed to you if you can't afford to lose messages. Use your own spam filtering so at least you can check your own junk mail folder if you're missing something important that you're expecting. And if you need your messages to go out reliably then you need to send by a method that won't be rejected by the major email providers.

  12. Sorry you can be blacklisted by lunatick · · Score: 5, Informative

    To all the people saying domains don't get black listed. Sorry you are wrong.

    I posted this exact question to slashdot about 4 years ago, back then you were just pretty much screwed.
    I was actually recieving threating return mail for sending spam, which is why I posted here.

    My domain did end up on a bunch of black lists and is still on a few to this day.

    I will say that the better ISP's use a mailserver based black list and not a domain based one, but there are still some out there.

    Now what you can do.

    Go to the FTC ID theft complaint form

    https://rn.ftc.gov/pls/dod/widtpubl$.startup?Z_ORG _CODE=PU03

    Yes spoofing your e-mail is a form of ID theft.
    The company advertised is just as legally responsible as the spammer.

    If you keep fileing complaints the spammers learn not to use your e-mail. The ones in the US and Canada you can actually sue to recover damages.

    Good luck

    --
    The Lunatick, Carpe Corpus!
  13. Re:SPF by blowdart · · Score: 3, Informative

    Not true. They can send; but recipient mail servers which use SPF can check the records and reject accordingly. Unfortunately with SPF, and DomainKeys/DKIM the majority of servers don't bother.

  14. Re:Next time, prefix them by orangesquid · · Score: 2, Informative

    Clever trick: most mail systems are configured so that USERNAME+anything will always be delivered to USERNAME (e.g., bob+ebay, bob+paypal, bob+cray-cyber, etc). This way, you don't have to deliver *@domain to your inbox nor set up forwarding aliases.

    --
    --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
  15. Your real problem is the backscatter by Slashdot+Parent · · Score: 3, Informative

    As others have pointed out, everyone knows that spammers forge the From: header, so your domain would not be blocked except by the dumbest of mail admins.

    Your real problem is the backscatter (those 1000 bounce messages you get per day). My solution follows:

    I still have all of my mail logs since time immemorial, so I wrote a script to parse out all of the From email addresses in outgoing email and made a list. Going forward, each outgoing email from my server gets its From address added to that list.

    In other words, I have a list of every possible From address ever used to send email from any of my domains (and the domains of the folks I host because they were jealous of my spam filtering).

    Part of incoming email processing is a rule that if your envelope sender is <> (that is the envelope sender for bounce messages), and the envelope recipient is not on that magic list of my outgoing senders, then the message must be blowback, and you get an SMTP rejection code and a message that explains why your email was backscatter and to please fix your server.

    Before you respond and say, "What about email addresses that you put in webforms? Hello!" Remember, I only apply this rule to envelope sender <>. If you're bouncing email to an address that has never been used to send email, then you are sending blowback.

    A desperate plea to mail admins out there: For the love of all things holy, stop sending delayed bounces! When you reject a message, reject it during the SMTP session! Do you have any idea how much pain you are causing others? More information here.

    --
    They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock