Comments on: How can we stop spammers from using our domain?

Question: How can we stop spammers from using our domain?

Count Ziggurat — Sun, 06 Nov 2005 07:36:53 -0800

I think someone is using our domain name to send spam from. What can I do about this? Our catch-all email account has been getting hundreds of "mail delivery failed" messages, which appear to have been sent from non-existant email addresses on our domain to all sorts of regular email addresses (like this). The emails are regular spam: MBAs, rolexes, viagra, etc.

I don't really want our domain blacklisted as spam. What can we do about it?

By: tyllwin

tyllwin — Sun, 06 Nov 2005 07:46:55 -0800

Do you have the headers from a couple of the bounced messages? If they're simply forging your domain name into the "from" field there's not much you can do about it. Tale a look at http://members.cox.net/joejob/

The real worry is that they may also be using your org's mail SERVERS as an open relay. THAT you can stop.

By: andrew cooke

andrew cooke — Sun, 06 Nov 2005 07:49:24 -0800

see here (it appears to be slightly different, but the answers cover this case too)

By: Sharcho

Sharcho — Sun, 06 Nov 2005 07:57:49 -0800

Catch-all accounts==a lot of spam
You shouldn't be using them.

By: cillit bang

cillit bang — Sun, 06 Nov 2005 08:19:44 -0800

Spammers can put any text they like in the from field and there's nothing you can do about it.

By: WestCoaster

WestCoaster — Sun, 06 Nov 2005 08:45:32 -0800

Spammers can put any text they like in the from field and there's nothing you can do about it.

Correct, but the domain won't be blacklisted because of that. Blacklisting occurs because mail truly originates from the domain, as shown in the headers.

(Think of "from" addresses as what someone could put as a return address on the outside of a envelope being sent via the U.S. Postal Service. If someone else decides to write your name and address as the return address, there isn't much that you can do about it. But the post office isn't going to stop accepting your outgoing mail if someone in (say) Alaska is writing your address on their outgoing mail.)

By: Count Ziggurat

Count Ziggurat — Sun, 06 Nov 2005 09:55:07 -0800

Hi. This is the qmail-send program at smp.voyagerco.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

:
Sorry, no mailbox here by that name. vpopmail (#5.1.1)

--- Below this line is a copy of the message.

Return-Path:
Received: (qmail 16319 invoked from network); 6 Nov 2005 16:48:34 -0000
Received: from 201-1-39-233.dsl.telesp.net.br (HELO mmm2.com) (201.1.39.233)
by smp.voyagerco.com with SMTP; 6 Nov 2005 16:48:34 -0000
Message-ID:
From: "Dennis Beltran"
Subject: =?ISO-8859-1?b?UGFzc2VkIHVwLCBhZ2Fpbj8=?=
Date: Sun, 06 Nov 2005 16:44:10 +0000
MIME-Version: 1.0
X-Sender:
In-Reply-To:
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 8bit

Hey there,
UNIVERSITY DIPLOMAS
Receive a successful future, money-earning power, and the prestige that comes with having the position and career you have always dreamed of!
Diplomas from universities based on your present knowledge and life experience.
If you qualify, no classes, books, examinations or tests!
Degrees available.
Bachelors
Masters
MBAs
Doctorate
PhD.
Confidentiality assured!
CALL RIGHT N0W to receive your diploma within two weeks!
(313)772.7099

Whois from mmm2.com:

Domain Name.......... mmm2.com
Creation Date........ 2003-02-15
Registration Date.... 2003-02-15
Expiry Date.......... 2006-02-15
Organisation Name.... HARUNOBU YAMAMOTO
Organisation Address. Kamihukuoka-shi
Organisation Address.
Organisation Address. Saitama-ken
Organisation Address. 356-0005
Organisation Address. Saitama-ken
Organisation Address. JAPAN

Admin Name........... HARUNOBU YAMAMOTO
Admin Address........ Kamihukuoka-shi
Admin Address........
Admin Address........ Saitama-ken
Admin Address........ 356-0005
Admin Address........ Saitama-ken
Admin Address........ JAPAN
Admin Email.......... halhalha@rd6.so-net.ne.jp
Admin Phone.......... 049-264-1829
Admin Fax............

Tech Name............ HARUNOBU YAMAMOTO
Tech Address......... Kamihukuoka-shi
Tech Address.........
Tech Address......... Saitama-ken
Tech Address......... 356-0005
Tech Address......... Saitama-ken
Tech Address......... JAPAN
Tech Email........... halhalha@rd6.so-net.ne.jp
Tech Phone........... 049-264-1829
Tech Fax.............
Name Server.......... ns1.alphastyle.jp
Name Server.......... ns2.alphastyle.jp

Herm.

By: gemmy

gemmy — Sun, 06 Nov 2005 11:53:19 -0800

Pretty much anyone who uses email has had this happen to them, and there is not much you can do about it.

Sometimes, if I keep getting consistent messages that are from the same IP address, I will contact the ISP that has control of that IP address and complain. Sometimes it works and it will stop, but most of the time it does not...

By: intermod

intermod — Sun, 06 Nov 2005 13:18:55 -0800

In looking at mail headers, usually it's the very first (bottommost) "Received" header that tells you where the email originated:

Received: from 201-1-39-233.dsl.telesp.net.br

Came from a DSL connected computer in Brazil, probably a zombie, using MS Outlook. I don't know enough about headers to say whether the mmm2.com is relevant. You might be barking up the wrong tree with that one.

Anyway, forged From headers are cake for spammers. You just have to ignore it. Usually your spam filter (or your ISPs) will catch on quick enough and you'll stop seeing the bounces.

By: Malor

Malor — Sun, 06 Nov 2005 14:04:49 -0800

When this happened to me, from my tiny vanity domain, I of course got a hurricane of bounces, and some complaints and unsubscribe requests... which of course I couldn't honor, since I wasn't actually sending the mail. All I could do was apologize and explain, which got old.

I've implemented SPF(Sender Permitted From) on my domain now... that's a special record that goes into the DNS that says "mail is allowed to originate for this domain from these addresses." I haven't had the problem since... though of course correlation doesn't imply causation.

It's not hard to do this at all, but you do have to have the ability to manually edit your own DNS files. You need to add a TXT record for your domain. The syntax for this TXT record is kind of complex, but there are websites out there that will ask you some questions about how you want your SPF configured, and then generate the right line for you.

The line I use is:

example.com IN TXT "v=spf1 mx"

That means 'record type SPF1, allow mail from mailservers for this domain'.

This means that by listing an MX record for your domain:

example.com IN MX 10 mail.example.com.

And listing an IP address for mail.example.com:

mail.example.com IN A 127.0.0.1

That will A) have incoming mail go to mail.example.com, and B) allow outgoing mail to be sent from that IP address.

This only works if the recipient domains do SPF checking, but the big guys mostly do this now. So just by listing a valid SPF record, you make your domain a lot less interesting for joe jobs.