Slashdot Mirror


Proving You Are Not a Spammer?

tfinniga asks: "A spammer has recently started using my domain name as 'From:' addresses when sending out spam. I'm worried about my domain being blacklisted, and I'm annoyed by the bounces — I'm getting about 1000 bounce messages a day. Unfortunately, I give out a different email address to each site I visit: slashdot@example.com, paypal@example.com, amazon@example.com, etc., and the spammer is using a different address for each mail, so simple address filtering doesn't work. What is the best way of avoiding being put on a blacklist, and dealing with the flood of bounces?"

35 of 127 comments

  1. Procmail helps a lot by Ted Cabeen · · Score: 4, Informative
    I've had a lot of luck setting up a procmail script on the address I use for emails that match the domain wildcard. If you drop messages with a null Return-Path, you'll get all true bounces. Add to that some From header matching for things like mailman lists and mails from mailer-daemon (for those mail systems that don't follow the RFCs) and you should be able to eliminate pretty much all bounce traffic from emails that hit your domain wildcard. Don't forget to forward everything that doesn't hit the rules back to your primary email address. An SPF record can also help, although not enough people are using it to make it really helpful, and it breaks mailing lists. Also, most mail admins understand that nearly all spam From headers are forged, and you shouldn't be blacklisted for being the subject of a Joe-Job.

    Here are the current regexp lines I have in my .procmailrc for that user (all of these send the offending message to /dev/null):

    # Each line below is a procmail condition; any message matching one goes to /dev/null.
    # The first matches the null Return-Path (<>) that every true bounce carries; the rest
    # catch list software, mailer daemons and autoresponders that do not use a null sender.
    * ^Return-Path: <>
    * ^From:.*majordomo
    * ^Subject:.*Returned.mail
    * ^From:.*mailer-daemon
    * ^Subject:.*mail.could.not.be.delivered
    * ^From:.*(postmaster|devnull)
    * ^Subject:.*autoreply
    * ^From:.*spamarrest
    1. Re:Procmail helps a lot by Ted Cabeen · · Score: 4, Informative

      The first line above should be:
      * ^Return-Path: <>

      Darn HTML-like comments.

  2. Use whitelisting by chatgris · · Score: 5, Interesting

    I run my email the exact same way that you do, and I have had the same problems. Fortunately, I've never been rejected as a spammer based on my domain name alone, and if you are hopefully someone else here can help you solve that problem.

    As far as stopping the bounces... The only way I've found that works is to use a whitelist system... filter all of the addresses that you know are good (paypal@example.com, etc) into folders, and everything else goes into a generic catchall folder that you give a quick scan to before moving it to a long term keep folder.

    Just a note... I highly recommend the keep folder over just trashing the message. When it's morning and you are groggily mass deleting messages, sometimes good messages get axed accidentally... If you have your own domain, it's likely that you have POP, so long term storage shouldn't be a problem.

    Josh

    --
    Open Your Mind. Open Your Source.
  3. SPF, backscatter howto by Michael Wardle · · Score: 5, Insightful

    If the sender is forging your From address, chances are they're not using your mail server. Most decent blacklists (e.g. SpamCop, Spamhaus) will blacklist the offending server's IP address, not your mail domain.

    Consider implementing SPF (home page wiki) so recipient mail servers can drop the message if it wasn't sent from a server authorized to send mail from your domain.

    Most bounce messages will not include your outgoing server's signature. You can consider dropping those messages using the techniques described in the Postfix Backscatter Howto.

    1. Re:SPF, backscatter howto by schoaff · · Score: 2, Interesting

      Just want to second the suggestion for SPF. Since I added SPF records for all my domains the amount of bounces from forged From fields has dropped significantly. Not a perfect solution but a big improvement.
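
The SPF check that the posts above (and comment 17 below) refer to, as an added example that is not code from the thread or from any SPF library: a receiving server fetches the domain's TXT record and tests the connecting IP against it. The record, the IP addresses and the 203.0.113.5 "spammer" address are all constructed; only the ip4, ip6 and all mechanisms are evaluated so the code runs offline (include, a and mx would need DNS lookups and are treated as no-match).

```python
import ipaddress

# Constructed SPF record for the poster's domain (made-up addresses, not a real record).
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"

# What a receiver does with a matching mechanism, keyed by its qualifier.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "+" (pass)
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def check_spf(record, client_ip):
    """Evaluate the connecting IP against the record.

    Returns pass, fail, softfail or neutral. Mechanisms are tried left to right and
    the first match decides; with no match and no "all" term the answer is neutral,
    which is why a record ending in "-all" is what actually lets forged mail be refused.
    """
    ip = ipaddress.ip_address(client_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                continue  # malformed term: skip it rather than crash the receiver
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
    return "neutral"


if __name__ == "__main__":
    # A real outgoing server versus a spammer's host forging the domain.
    for addr in ("192.0.2.10", "198.51.100.77", "2001:db8::1", "203.0.113.5"):
        print(addr, "->", check_spf(EXAMPLE_SPF, addr))
```

Note that this only helps against receivers that check SPF before accepting the message; sites that accept first and bounce later still generate backscatter, which is why the posters report that SPF reduces but does not end the bounces.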

  4. Re:me too by lanzz · · Score: 4, Informative

    no, a joe-job is when a competitor sends spam advertising (in the actual message body) your website/product/service/whatever, in hopes to discredit you. what the original poster complains about is simple from-spoofing; i don't believe anybody would block his domain due to its use in spoofed from: headers. my domain has been used this way by spammers in the past, and i haven't noticed anybody blocking my mails.

  5. Blacklisting by mwvdlee · · Score: 3, Interesting

    I don't think you have to worry about blacklisting.
    It's pretty much standard practice for spammers to set the "from:" to some random, existing e-mail address. This generates a lot of bounces if one of the "to:" accounts doesn't exist and there is still some crappy anti-spam filtering software that bounces (which is stupid in more ways than I can count) to the "from:". But other than that, no blacklist is idiotic enough to still believe the "from:" is reliable.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  6. Your bad... by Anonymous Coward · · Score: 5, Funny

    Unfortunately, I give out a different email address to each site I visit: slashdot@example.com, paypal@example.com, amazon@example.com, etc., and the spammer is using a different address for each mail, so simple address filtering doesn't work.
    example.com was a bad choice for a domain name; a lot of spammers would probably use this.

    Also you're breaking RFC 2606.

    Let's just say this was your poor judgment and move on.
  7. Run a web host by adamstew · · Score: 4, Informative

    I run a web hosting business...small but large enough that this happens on a regular (read: daily) basis for the people I host.

    All of the good and 99% of the bad network admins will know better than to trust a "From" header in an email. I can't think of anyone that will block a domain based on the From header. Most network admins who set up blacklists blacklist server IPs that email comes from, and not email headers.

    As for your catch-all address, you can use some of the techniques that others have mentioned in previous comments. I usually tell my customers to just wait it out. The spammers will stop using your domain after a day or two. Give it another couple of days for the mail queues to empty out, and you'll stop getting bounces.

  8. Joe Jobbed by bmo · · Score: 5, Informative

    You are being joe-jobbed. Do not worry about it.

    http://www.spamfaq.net/terminology.shtml#joe_job

    3.2.22 What's a "Joe Job"?
    The act of faking a spam so that it appears to be from an innocent third party, in order to damage their reputation and possibly to trick their provider into revoking their Internet access. Named after Joes.com, which was victimized in this way by a spammer some years ago.

    You will not wind up on a blacklist. This is a well known phenomenon among mail admins.

    --
    BMO

  9. Easy by Anonymous Coward · · Score: 5, Funny

    This is an easy one ... just send an email to everyone explaining the situation. And I just happen to have some mailing lists of people who opted-in to receive just this kind of notification, which I can provide to you at a very reasonable cost.

  10. DomainKeys and DKIM by jediknil · · Score: 4, Informative

    This has happened to me not once but twice, and I really was at a loss at what to do. Well, and angry and annoyed. The second time I decided enough was enough and set up DomainKeys and DKIM (both because DKIM hasn't quite caught on enough yet). Both of them are ways to sign your e-mail so the receiving server can be sure that it actually came from your domain. It's not yet a real solution because not enough people/sites use it or validate against it, but encouraging adoption is always a good thing.

    Of course, signing mail isn't really enough to stop it, so you may have to turn off the "catch-all" feature of your mail just to avoid mail bounced to "xycjdfedf@mydomain.com"

  11. Use Google Apps (Gmail for your own domain) by snowtigger · · Score: 2, Informative

    I recently switched my domain email to Google Apps and couldn't be happier about it. I don't need to deal with the spam and email administration anymore and all of my family and friends get their own accounts. Everything's free and works great. The downside is not having a regular IMAP or POP access to my email.

    I use the same catchall feature as mentioned above and I also get a lot of bounce messages. The spam filtering of gmail is amazing. I get a few thousand spam a week and sometimes one escapes the spam filter.

    Of course, this doesn't solve the issue of proving you're not a spammer, but I haven't been accused of that anyway :)

    1. Re:Use Google Apps (Gmail for your own domain) by Anonymous Coward · · Score: 4, Informative

      Umm.. Google Apps has POP access for all accounts, including the free stuff.

  12. Re:me too by Amiga Lover · · Score: 5, Interesting

    This isn't entirely on topic, but it's related to my experience of having spammers use my domain in the From: field.

    Dealing with the hundreds or thousands of bounces was inconvenient, but I noticed one string of bounces was coming from a regular user who had a script set up to bounce about a hundred spammy messages of their own in response to each spam they detected.

    I mailed them telling them what a useless idea that was, and all I got back was the same bounce - a hundred messages all with the line "PISS OFF WITH YOUR SPAM AND TAKE IT ELSEWHERE", and my original message quoted.

    Figuring it was email from my domain (now blacklisted on their server/client somehow), I emailed from another email account, telling them the same thing, and got the same bounces. Third time I tried, I emailed them without describing my domain anywhere in the email, letting them know their spam bounces weren't going to real spammers, rather to the email addresses of those that the spammer had spoofed.

    The string of abuse I got back was essentially two pages of ranting, telling me a spammer couldn't fake a From: address, my domain must have been hacked, calling me an idiot who should be banned from the net. The usual teenager response.

    The simple fix? Sending email to their account with my domain listed in the body so it triggered their hundred-message spam bounce, but with the From: field set to the idiot's own email address.

    I only had to send one. My next message to them reminding them their From: address could indeed be faked bounced back with a mailbox full message from their ISP. Seems his spam-bounce script had seen my email to him with my domain listed in the body, sent back 100 rude messages all to the From: field address (which was himself), each of which also carried my domain in the text. Those hundred emails to himself also each must have triggered his spam bounce script, making 10,000 emails to himself from himself... and so on.

    Gave me some amusement to make up for having spammers using my domain :)

  13. Old IPs by Zack · · Score: 2, Informative

    I inherited a class C that formerly belonged to a spammer. Made it almost impossible to get outbound mail accepted. Since we were a small org (50 people), outgoing was relayed over a T1 to a host in another network. Almost a year and a half later, and I'd estimate 90% of the mail gets accepted. Some old firewalls and blackholes block them still.

    So because we were lucky enough to have another site to send from, we weren't screwed... I'd hate to be there without a backup!

    1. Re:Old IPs by orangesquid · · Score: 3, Interesting

      It annoys me how long blacklists will keep you on, even after they haven't gotten any reports of spam from your IP range. Why is this so?

      A fair number of blacklists (at least a few years ago) had a we-won't-ever-remove-you - unless-you-send-us-lots-of-proof - that-your-IP-range-is-no-longer-used-for-spam policy. IP ranges ought to expire from blacklists when there haven't been many complaints for a while.

      In fact, blacklists ought to e-mail admin@mailserver when your IP range is blocked, and e-mail you monthly to remind you you're on a blacklist. Why? Most mail systems are polite and tell you if they're rejecting your messages because of a blacklist, but some will silently reject your messages and you might not realize your mail isn't being delivered for a long time, hence you might not realize you've been blacklisted somewhere.
      An alternative is that you can poll the blacklists periodically for your IP ranges to see if you've been blocked, but this seems like it places a burden on you and is somewhat irresponsible for the blacklists to do (I know, most of them say "we're a private org, we do what we want, if an ISP is using us for a blacklist then that's the ISP's prerogative, and we don't care," but if you know your blacklist is being used by others, especially by major ISPs, I still think it's somewhat irresponsible to not notify admins that you're blacklisting their IP ranges.)

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
  14. Next time, prefix them by Wordplay · · Score: 4, Interesting

    It's a little late now, but the real problem is how you picked your email aliases. Start them all with the same prefix. Like, if I'm wordplay@foozle.com (I'm not, btw, so don't mail me), I might use wp-paypal@foozle.com, wp-ebay@foozle.com, etc. Then I can filter anything that's not addressed to wordplay or wp-*.

    1. Re:Next time, prefix them by orangesquid · · Score: 2, Informative

      Clever trick: most mail systems are configured so that USERNAME+anything will always be delivered to USERNAME (e.g., bob+ebay, bob+paypal, bob+cray-cyber, etc). This way, you don't have to deliver *@domain to your inbox nor set up forwarding aliases.

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
  15. It is easy if you live in Washington State by doug · · Score: 4, Funny

    Apparently if you are in Washington, all you have to do is sue yourself for being a spammer. The judge will chew you out for wasting the court's time, and then drop the charges without even opening the documents. Once the court has vindicated you, you can demonstrate to everyone how non-spammy you are. I don't think you'll even need a lawyer, although you may need some antacid after seeing the US judicial process up close and personal.

    If you don't live in Washington, I think you'll need to move there first.

    Good luck. Let us know how the trial goes.

    - doug
  16. Simple: You won't be blacklisted by AlXtreme · · Score: 2, Informative

    Hostnames / IP addresses are blacklisted. Domain names are not. Next question.

    --
    This sig is intentionally left blank
  17. Filtering is your only problem by trumplestone · · Score: 4, Informative

    Domain blacklisting probably isn't a problem---every sane sysadmin these days knows that the address in the "From" field of a spam email has nothing to do with the origin of the spam.

    You might want to investigate "Sender Policy Framework", which allows you to add a DNS record to your domain specifying who (in terms of IP addresses) is allowed to send emails that claim to come from your domain. You will probably find that it doesn't decrease your spam bounces, however.

    The other option that may be feasible depending on your setup is ensuring that all outgoing emails have a Message-ID with some sort of token in it that you can recognise. All incoming bounces that are not replying to a Message-ID with your token in it are spam.

    Just some ideas.

  18. Re:This is oddly close to home.... by Anonymous Coward · · Score: 2, Insightful

    There are 6 billion people on this planet. It would be very strange, if multiple similar events did not happen at any given time.

  19. Joe Jobbed myself by mrcaseyj · · Score: 2, Informative
    I did a sort of Joe job on my own domain. I set up an alias under my domain for my dad that forwarded everything to his hotmail account. The problem was that spam which came into the alias was redirected along with everything else to his hotmail account. Now I can't send email to hotmail addresses from my domain even if I'm on the recipient's whitelist. My mail doesn't even get to the recipient's junk mail folder. I've even set up an SPF record for my domain and it doesn't help. I guess when hotmail got all that spam forwarded from my domain they concluded I was a spammer.
    I now recognize the importance of an email provider that accepts ALL email addressed to you if you can't afford to lose messages. Use your own spam filtering so at least you can check your own junk mail folder if you're missing something important that you're expecting. And if you need your messages to go out reliably then you need to send by a method that won't be rejected by the major email providers.

  20. Make a CODE for the subject line:-) by 1mck · · Score: 2, Funny

    I use a special code in the subject line, so that everyone that I e-mail knows it's from me. I use ALL CAPS in my subject line among other things, like ":-)", and I have instructed all the people that I e-mail on a regular basis that if they receive an e-mail from me without all caps, or other identifying codes, then it is probably not from me, and don't open it under any circumstance. This works, and once everyone is onboard for recognizing the code, then they can relax about who sent what. I should point out that this is mainly used for your friends, but if you're really having problems, then you should use it in your professional e-mails as well. It actually brings a more personal service to your clients because they'll feel that your e-mails are special, and that no one is going to get at them. The "us against the world," so to speak, will bring you to the forefront over your competitors.

    1. Re:Make a CODE for the subject line:-) by finkployd · · Score: 3, Funny

      I tried this and it did not work. Perhaps "0EM Software" was not the best choice for a subject code though...

      Finkployd

  21. Re:me too by Anonymous Coward · · Score: 3, Insightful

    No, but if I saw a guy going around kicking random people because someone once kicked him, you can be sure that I'd give him a good talking to, and if he didn't stop then... Well ok, so the analogy kinda breaks down here, since I wouldn't actually kick him back. But if there were some devilishly cunning way to trick him into kicking himself, you can be damned sure I'd do that.

  22. Sorry you can be blacklisted by lunatick · · Score: 5, Informative

    To all the people saying domains don't get blacklisted. Sorry, you are wrong.

    I posted this exact question to Slashdot about 4 years ago; back then you were just pretty much screwed.
    I was actually receiving threatening return mail for sending spam, which is why I posted here.

    My domain did end up on a bunch of black lists and is still on a few to this day.

    I will say that the better ISPs use a mailserver based blacklist and not a domain based one, but there are still some out there.

    Now what you can do.

    Go to the FTC ID theft complaint form

    https://rn.ftc.gov/pls/dod/widtpubl$.startup?Z_ORG_CODE=PU03

    Yes spoofing your e-mail is a form of ID theft.
    The company advertised is just as legally responsible as the spammer.

    If you keep filing complaints the spammers learn not to use your e-mail. The ones in the US and Canada you can actually sue to recover damages.

    Good luck

    --
    The Lunatick, Carpe Corpus!
  23. Re:me too by DrHyde · · Score: 3, Insightful

    Actually he *has* done something to a spammer. If I were to get 100 auto-replies when I send someone a message, those would be Unsolicited Bulk Email - that is, spam. The guy with his funky auto-responder *is a spammer*.

  24. Re:me too by geminidomino · · Score: 3, Insightful

    Wrong.

    The recipient of the backscatter abuse received unsolicited (he never sent mail to the asshat's domain) bulk (100 messages for 1 sent) email.

    He didn't do anything to the ORIGINAL spammer. He taught a moron script-kiddie-turned-spammer a valuable lesson.

  25. Re:SPF by blowdart · · Score: 3, Informative

    Not true. They can send; but recipient mail servers which use SPF can check the records and reject accordingly. Unfortunately with SPF, and DomainKeys/DKIM the majority of servers don't bother.

  26. Re:This is oddly close to home.... by Anonymous Coward · · Score: 2, Funny
    There are 6 billion people on this planet. It would be very strange, if multiple similar events did not happen at any given time.
    You know, I was just thinking of the same thing. How odd ...

  27. Re:me too by Gr8Apes · · Score: 2, Insightful

    The only things that have come back to me are idiot users that don't know what a forged header is. That would be about 99% of the current internet users....
    --
    The cesspool just got a check and balance.
  28. Your real problem is the backscatter by Slashdot Parent · · Score: 3, Informative

    As others have pointed out, everyone knows that spammers forge the From: header, so your domain would not be blocked except by the dumbest of mail admins.

    Your real problem is the backscatter (those 1000 bounce messages you get per day). My solution follows:

    I still have all of my mail logs since time immemorial, so I wrote a script to parse out all of the From email addresses in outgoing email and made a list. Going forward, each outgoing email from my server gets its From address added to that list.

    In other words, I have a list of every possible From address ever used to send email from any of my domains (and the domains of the folks I host because they were jealous of my spam filtering).

    Part of incoming email processing is a rule that if your envelope sender is <> (that is the envelope sender for bounce messages), and the envelope recipient is not on that magic list of my outgoing senders, then the message must be blowback, and you get an SMTP rejection code and a message that explains why your email was backscatter and to please fix your server.

    Before you respond and say, "What about email addresses that you put in webforms? Hello!" Remember, I only apply this rule to envelope sender <>. If you're bouncing email to an address that has never been used to send email, then you are sending blowback.

    A desperate plea to mail admins out there: For the love of all things holy, stop sending delayed bounces! When you reject a message, reject it during the SMTP session! Do you have any idea how much pain you are causing others? More information here.

    --
    They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
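
The envelope-level backscatter rule described in comment 28, combined with the Message-ID token idea from comment 17, as an added example written for this page and not the poster's own script. KNOWN_SENDERS stands in for the list of every From address ever used to send mail from the domain, and MESSAGE_ID_TOKEN and the <date.TOKEN.counter@example.com> Message-ID shape are assumptions made for the example; the sample bounces are constructed.

```python
import re

# Constructed data for this example: addresses that have really sent mail from the
# domain, and the token assumed to be stamped into every outgoing Message-ID.
KNOWN_SENDERS = {"me@example.com", "paypal@example.com", "slashdot@example.com"}
MESSAGE_ID_TOKEN = "k7q"
OUR_DOMAIN = "example.com"

# Matches one of our own Message-IDs wherever the bounce quotes the original headers.
OUR_MESSAGE_ID = re.compile(
    r"<[^>\s]*\.%s\.[^>\s]*@%s>" % (re.escape(MESSAGE_ID_TOKEN), re.escape(OUR_DOMAIN))
)


def is_bounce(envelope_sender):
    """Delivery status notifications use the null reverse path: MAIL FROM:<>."""
    return envelope_sender.strip() in ("", "<>")


def classify(envelope_sender, envelope_recipient, body):
    """Decide what the SMTP server should answer for an incoming message.

    Returns (smtp_code, reason). Non-bounces pass through to normal filtering.
    A bounce is accepted only if it is addressed to an address we have actually
    sent from, or if the returned copy cites one of our Message-IDs; anything
    else with a null sender is blowback from forged spam and gets a 550 during
    the SMTP session, so the bouncing site is told rather than silently dropped.
    """
    if not is_bounce(envelope_sender):
        return 250, "not a bounce; normal delivery rules apply"
    recipient = envelope_recipient.strip().lower()
    if recipient in KNOWN_SENDERS:
        return 250, "bounce for an address that has sent mail; accept"
    if OUR_MESSAGE_ID.search(body):
        return 250, "bounce cites one of our Message-IDs; accept"
    return 550, (
        "backscatter: %s has never sent mail from %s, so the original was forged. "
        "Please reject forged mail during the SMTP session instead of bouncing it."
        % (recipient, OUR_DOMAIN)
    )


if __name__ == "__main__":
    # Constructed bounces: one genuine, one blowback aimed at a random catch-all address.
    samples = [
        ("<>", "paypal@example.com", "Message-ID: <20060501.k7q.0042@example.com>"),
        ("<>", "xycjdfedf@example.com", "Subject: Undeliverable: cheap meds"),
    ]
    for sender, rcpt, body in samples:
        code, reason = classify(sender, rcpt, body)
        print(rcpt, "->", code, reason)
```

The catch-all addresses that the question describes keep working under this rule: a message with a real sender is never touched, and a bounce to paypal@example.com is accepted because that address has sent mail.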
  29. Re:me too by tlhIngan · · Score: 2, Interesting

    I only had to send one. My next message to them reminding them their From: address could indeed be faked bounced back with a mailbox full message from their ISP. Seems his spam-bounce script had seen my email to him with my domain listed in the body, sent back 100 rude messages all to the From: field address (which was himself), each of which also carried my domain in the text. those hundred emails to himself also each must have triggered his spam bounce script, making 10,000 emails to himself from himself... and so on.


    And the delicious irony of it is... once he manages to clean out his inbox, there's probably a few dozen other messages in the send queue to start it all over again! Depending how busy his mailserver is, he may be safe for a few minutes before his email client again says "Retrieving email 1 of 192,390,372,302...".

    Or, I wonder if the ISP got fed up with their mailserver queue being suddenly flooded by a billion messages from one user...