Slashdot Mirror


Proving You Are Not a Spammer?

tfinniga asks: "A spammer has recently started using my domain name as 'From:' addresses when sending out spam. I'm worried about my domain being blacklisted, and I'm annoyed by the bounces — I'm getting about 1000 bounce messages a day. Unfortunately, I give out a different email address to each site I visit: slashdot@example.com, paypal@example.com, amazon@example.com, etc., and the spammer is using a different address for each mail, so simple address filtering doesn't work. What is the best way of avoiding being put on a blacklist, and dealing with the flood of bounces?"

7 of 127 comments

  1. Use whitelisting by chatgris · Score: 5, Interesting

    I run my email the exact same way that you do, and I have had the same problems. Fortunately, I've never been rejected as a spammer based on my domain name alone, and if you are, hopefully someone else here can help you solve that problem.

    As far as stopping the bounces... The only way I've found that works is to use a whitelist system... filter all of the addresses that you know are good (paypal@example.com, etc) into folders, and everything else goes into a generic catchall folder that you give a quick scan to before moving it to a long term keep folder.

    Just a note... I highly recommend the keep folder over just trashing the message. When it's morning and you are groggily mass deleting messages, sometimes good messages get axed accidentally... If you have your own domain, it's likely that you have POP so long term storage shouldn't be a problem.

    Josh

    --
    Open Your Mind. Open Your Source.
  2. Blacklisting by mwvdlee · Score: 3, Interesting

    I don't think you have to worry about blacklisting.
    It's pretty much standard practice for spammers to set the "from:" to some random, existing e-mail address. This generates a lot of bounces if one of the "to:" accounts doesn't exist and there is still some crappy anti-spam filtering software that bounces (which is stupid in more ways than I can count) to the "from:". But other than that, no blacklist is idiotic enough to still believe the "from:" is reliable.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  3. Re:me too by Amiga+Lover · Score: 5, Interesting

    This isn't entirely on topic, but it's related to my experience of having spammers use my domain in the From: field.

    Dealing with the hundreds or thousands of bounces was inconvenient, but I noticed one string of bounces was coming from a regular user who had a script set up to bounce about a hundred spammy messages of their own in response to each spam they detected.

    I mailed them telling them what a useless idea that was, and all I got back was the same bounce - a hundred messages all with the line "PISS OFF WITH YOUR SPAM AND TAKE IT ELSEWHERE", and my original message quoted.

    Figuring it was email from my domain (now blacklisted on their server/client somehow), I emailed from another email account, telling them the same thing, and got the same bounces. Third time I tried, I emailed them without describing my domain anywhere in the email, letting them know their spam bounces weren't going to real spammers, rather to the email addresses of those that the spammer had spoofed.

    The string of abuse I got back was essentially two pages of ranting, telling me a spammer couldn't fake a From: address, my domain must have been hacked, calling me an idiot who should be banned from the net. The usual teenager response.

    The simple fix? Sending email to their account with my domain listed in the body so it triggered their hundred-message spam bounce, but with the From: field set to the idiot's own email address.

    I only had to send one. My next message to them reminding them their From: address could indeed be faked bounced back with a mailbox full message from their ISP. Seems his spam-bounce script had seen my email to him with my domain listed in the body, sent back 100 rude messages all to the From: field address (which was himself), each of which also carried my domain in the text. Those hundred emails to himself also each must have triggered his spam bounce script, making 10,000 emails to himself from himself... and so on.

    Gave me some amusement to make up for having spammers using my domain :)

  4. Next time, prefix them by Wordplay · Score: 4, Interesting

    It's a little late now, but the real problem is how you picked your email aliases. Start them all with the same prefix. Like, if I'm wordplay@foozle.com (I'm not, btw, so don't mail me), I might use wp-paypal@foozle.com, wp-ebay@foozle.com, etc. Then I can filter anything that's not addressed to wordplay or wp-*.
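
Added example (not part of any comment in the thread): the folder triage from comment 1 combined with the prefix rule from comment 4, sorting mail on a catch-all domain into issued aliases, review-later catch-all, and bounces addressed to aliases that were never handed out. The alias list, folder names and sample messages are constructed for illustration.

```python
import email
from email.utils import getaddresses
from fnmatch import fnmatchcase

# Assumed alias scheme, following comment 4: one main address plus wp-* aliases.
ISSUED = ["wordplay@foozle.com", "wp-*@foozle.com"]

def is_bounce(msg):
    """True for delivery status notifications (DSN report, null sender, MAILER-DAEMON)."""
    if msg.get_content_type() == "multipart/report":
        return True
    return_path = (msg.get("Return-Path") or "").strip()
    sender = (msg.get("From") or "").lower()
    return return_path == "<>" or "mailer-daemon" in sender

def classify(raw):
    """Return 'inbox', 'backscatter' or 'catchall' for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    rcpts = [addr.lower() for _, addr in getaddresses(msg.get_all("To", []))]
    if any(fnmatchcase(addr, pat) for addr in rcpts for pat in ISSUED):
        return "inbox"  # addressed to an alias that was really handed out
    # A bounce to an alias nobody was ever given is a reply to forged mail.
    return "backscatter" if is_bounce(msg) else "catchall"

# Constructed sample messages (not real traffic).
GOOD = ("From: service@paypal.example\nTo: WP-paypal@foozle.com\n"
        "Subject: Receipt\n\nThanks for your payment.\n")
BOUNCE = ("Return-Path: <>\nFrom: MAILER-DAEMON@mx.example.net\n"
          "To: qzxv17@foozle.com\nSubject: Undelivered Mail Returned to Sender\n"
          'Content-Type: multipart/report; report-type=delivery-status; boundary="b"\n'
          "\n--b\nContent-Type: text/plain\n\nUser unknown\n--b--\n")
UNKNOWN = ("From: someone@example.org\nTo: oldalias@foozle.com\n"
           "Subject: Hello\n\nIs this address still in use?\n")

if __name__ == "__main__":
    for name, raw in (("good", GOOD), ("bounce", BOUNCE), ("unknown", UNKNOWN)):
        print(name, "->", classify(raw))
```

Mail in the `catchall` class still goes to the scan-then-keep folder comment 1 recommends; only bounces to never-issued aliases are separated out.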

  5. Re:Old IPs by orangesquid · Score: 3, Interesting

    It annoys me how long blacklists will keep you on, even after they haven't gotten any reports of spam from your IP range. Why is this so?

    A fair number of blacklists (at least a few years ago) had a we-won't-ever-remove-you - unless-you-send-us-lots-of-proof - that-your-IP-range-is-no-longer-used-for-spam policy. IP ranges ought to expire from blacklists when there haven't been many complaints for a while.

    In fact, blacklists ought to e-mail admin@mailserver when your IP range is blocked, and e-mail you monthly to remind you you're on a blacklist. Why? Most mail systems are polite and tell you if they're rejecting your messages because of a blacklist, but some will silently reject your messages and you might not realize your mail isn't being delivered for a long time, hence you might not realize you've been blacklisted somewhere.
    An alternative is that you can poll the blacklists periodically for your IP ranges to see if you've been blocked, but this seems like it places a burden on you and is somewhat irresponsible for the blacklists to do (I know, most of them say "we're a private org, we do what we want, if an ISP is using us for a blacklist then that's the ISP's prerogative, and we don't care," but if you know your blacklist is being used by others, especially by major ISPs, I still think it's somewhat irresponsible to not notify admins that you're blacklisting their IP ranges.)

    --
    --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
  6. Re:SPF, backscatter howto by schoaff · Score: 2, Interesting

    Just want to second the suggestion for SPF. Since I added SPF records for all my domains the amount of bounces from forged From fields has dropped significantly. Not a perfect solution but a big improvement.
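
Added example (not part of the comment above): how a receiving server evaluates a domain's published SPF record against the connecting IP, which is what lets it reject forged mail during the SMTP session instead of accepting it and bouncing later. The record and addresses are constructed documentation values, and this sketch handles only the `ip4`, `ip6` and `all` mechanisms, since `a`, `mx` and `include` need DNS lookups.

```python
import ipaddress

# Qualifier prefixes defined by SPF and the result each one yields on a match.
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip):
    """Evaluate an SPF TXT record against the IP of the sending server."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF policy published
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        # A missing qualifier means "+" (pass).
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        mech = mech.lower()
        if mech == "all":
            return RESULTS[qualifier]  # catch-all term, normally last
        name, _, value = mech.partition(":")
        if name not in ("ip4", "ip6"):
            raise ValueError("mechanism needs DNS, not handled here: " + term)
        # Membership is False when address families differ (v4 against v6).
        if ip in ipaddress.ip_network(value, strict=False):
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and no "all" term

# Constructed record: only 192.0.2.0/24 and 2001:db8::/32 may send for the domain.
RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

if __name__ == "__main__":
    for addr in ("192.0.2.25", "2001:db8::1", "203.0.113.9"):
        print(addr, "->", check_spf(RECORD, addr))
```

SPF is checked against the envelope sender domain, so it only reduces backscatter from receivers that actually perform the check.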

  7. Re:me too by tlhIngan · Score: 2, Interesting

    I only had to send one. My next message to them reminding them their From: address could indeed be faked bounced back with a mailbox full message from their ISP. Seems his spam-bounce script had seen my email to him with my domain listed in the body, sent back 100 rude messages all to the From: field address (which was himself), each of which also carried my domain in the text. Those hundred emails to himself also each must have triggered his spam bounce script, making 10,000 emails to himself from himself... and so on.


    And the delicious irony of it is... once he manages to clean out his inbox, there's probably a few dozen other messages in the send queue to start it all over again! Depending how busy his mailserver is, he may be safe for a few minutes before his email client again says "Retrieving email 1 of 192,390,372,302...".

    Or, I wonder if the ISP got fed up with their mailserver queue being suddenly flooded by a billion messages from one user...