Comments on: What to do about someone spoofing my email?

Question: What to do about someone spoofing my email?

untuckedshirts — Tue, 18 Apr 2006 10:02:48 -0800

Recently I have been getting emails from my domain bounced back to me from other peoples' automated anti-spam catchers. The problem is that I am not sending these emails...

I own my own domain but use gmail as my main email. As such I have a catchall that delivers any email from my domain to my gmail account. Lately i've been getting emails bounced back that say they were sent from salesATuntuckedshirts.com which I don't use. The email headers look like this:

From: Servage Antispam System
Reply-To: antispam@servage.net
To: salesATuntuckedshirts.com
Date: Apr 4, 2006 3:21 PM
Subject: Autoreply: Ever tried that?

I don't think anyone actually has access to my dreamhost account so could this just but somone "spoofing" my address? I don't know exactly how that works but i've heard it's possible.

By: bhance

bhance — Tue, 18 Apr 2006 10:05:25 -0800

This is commonly referred to as a 'joe job'. Little to nothing you can do about it, although posting full headers might help trace the real source.

By: unixrat

unixrat — Tue, 18 Apr 2006 10:18:19 -0800

See also previously and previously.

In short, nothing you can really do about it except hunker down and wait it out.

By: unixrat

unixrat — Tue, 18 Apr 2006 10:20:44 -0800

FWIW, I've noticed that my domains hosted on DH seem to get jobbed slightly more than average. My pet theory is that jobbers use DH domains because of the good reputation of DH and the less likely for one of their domains to be blacklisted.

By: cribcage

cribcage — Tue, 18 Apr 2006 10:28:38 -0800

Ditto, nothin' you can do. But it might help you to know that you're not alone, toward which I'll offer that it happens to me a couple of times a year. You learn to treat the bounces just like regular spam.

By: hattifattener

hattifattener — Tue, 18 Apr 2006 10:44:52 -0800

Minor terminology question: I thought a "joe job" was when the spammer is spoofing your address (or linking to your website in the spam, or whatever) specifically to get you in trouble. People who run anti-spammer sites tend to get joe-jobbed, for example. This sounds more like the spammer is spoofing untuckedshirts' address just because they needed a plausible source address and they randomly picked untuckedshirts --- they have no specific desire to draw attention there, as long as they draw attention away from the actual spam source. Do other people make this same distinction?

By: drstein

drstein — Tue, 18 Apr 2006 10:50:08 -0800

hattifattner: They're pretty much the same thing. Often times spammers aren't even aware that they're doing this, because the spam-software they're using is filling in the blanks for them.

Sad but true fact. :-(

By: COD

COD — Tue, 18 Apr 2006 10:54:03 -0800

I would kill the catch all account and only forward the addresses that you actually use. Everything else should either bounce or drop at the server. This will at least minimize the number of bounces that you have to look at.

By: kindall

kindall — Tue, 18 Apr 2006 10:57:30 -0800

It's pretty easy to filter out most of these bounces at the server level, assuming they are being sent to random e-mail addresses at your domain and you're getting them because you have a catch-all.

Return-Path is <> (i.e. this is a bounce)
Message-ID does not contain @ (i.e. no message ID)
To is not your@real-email-address (i.e. it's to one of your catchalls)

(If spammers would just send messages out with an empty return-path to begin with, nobody would have to deal with the bounces, because there wouldn't be any.)

By: camworld

camworld — Tue, 18 Apr 2006 11:11:48 -0800

Agree about the catch-all; it should be disabled. It is also vulnerable to a dictionary spam attack where the spammer simply tries sending email to every word in the dictionary at your domain. I once received over 100,000 pieces of spam in a single day from some spammer who tried this and I had a catch-all in place.

By: mkultra

mkultra — Tue, 18 Apr 2006 11:36:07 -0800

Another vote to ditch the catch-all. I had it in place (at DH) for years, and it was great for site-specific addresses (amazon@, mefi@), but joe-jobbing killed it for me.

By: untuckedshirts

untuckedshirts — Tue, 18 Apr 2006 12:10:25 -0800

mkultra: yeah the site specific email addresses is why I have the catch-all in the first place. In theory it was meant to cut down on spam, the idea being that each website that requires a registration would get their own ****ATuntuckedshirts.com email address so that if I started to get spam from a site I registered for I could just have that address go to the trash.

It made sense to me at the time but there are other ways to do it and it looks like now is the time.

What I worry about is that if these companies have my end of the road gmail account and are spamming it directly there is little I can do as they generally switch up where the email is coming from, etc.

Thanks for the prompt replies.

By: mkultra

mkultra — Tue, 18 Apr 2006 13:00:27 -0800

As far as site-specific spam goes, I actually found that I got little or no spam from individual sites where I had registered. If I was getting any, it was certainly getting lost in the torrent of 200+ daily emails to 'randomname@greenlightgo.com'.

By: tomble

tomble — Tue, 18 Apr 2006 22:04:26 -0800

This is happening to me too, right now. I hate those spamming bastards.

By: freshgroundpepper

freshgroundpepper — Tue, 18 Apr 2006 23:15:37 -0800

Yeah, this really sucks. It started about a week ago for me. I've had my own domain for about 5 years now and I've been using it the same way as you (amazon@blah, mefi@blah, etc.). This is the first time this has happened to me and it was very confusing at first.

I use outlook to grab my catchall as well as a number of "defined" e-mail addresses from my domain. I threw together this outlook rule and it seems to be taking care of the majority of bounced spam coming in. I'm just hoping my domain doesn't get blacklisted before this is over.

Apply this rule after the message arrives with "postmaster" or "Delivery" or "DAEMON" or "undeliverable" in the sender's address
delete it
and mark it as read
except with "real name 1" or "realAddress2" or ..."realAddress5" in the recipient's address.

This seems to remove about 98% of the bad stuff so that I'm back to only a couple sneaking through in a day. I should also recieve any real bouncbacks with this in place as I'm keeping any bouncebacks with my real name/address in them.

Hopefully they'll move on to another address soon.

I'm normally anti-death penalty, but I'm reconsidering my stance when it comes to these bastards.