

But I Didn't Send Any E-Mails!
September 15, 2006 9:59 AM   RSS feed for this thread Subscribe

How can I get my website back after it was "attacked" by someone sending e-mails using my domain name?

1. Noticed yesterday afternoon that my website (mydomain.com) was down.
2. Got home from work, checked my GMail, and saw 197 messages waiting for me; 99% of them were of the “Returned Mail, Sender Unknown” variety. When I opened them, they were from e-mail addresses that I have never seen/heard of/etc. They were RETURNED to my domain e-mail, but to weird addresses such as WarrenGHarding@mydomain.com and mike4brown@mydomain.com
3. Shot an e-mail to my host (cedant.com) and asked WTF?
4. Reply from Cedant was that the high volume of sent e-mail from mydomain.com had triggered an automatic “lockdown” of my site and made it inaccessible. They told me to fix it.
5. I replied to Cedant and said that I hadn’t sent any of the messages, and didn’t know how it happened, and would love any advice on fixing it. Haven’t heard from them since last night.
6. Went back into GMail about 15 minutes later and found 1,200 new messages, same situation.
7. ??? Please help me!
posted by davidmsc to computers & internet (16 comments total)
1) What's in the emails?
2) What kind of setup do you have? Is it just web hosting or do you have a private server?
3) Are there any forms or whatever on your site that send email?
posted by cillit bang at 10:05 AM on September 15, 2006


You may just be getting joe-jobbed.

Search for it here, it's happened many, many times.
posted by unixrat at 10:09 AM on September 15, 2006


Cedant needs a clue. This is backscatter or you're getting Joe-Jobbed.

What's in the email headers? Are the original emails coming from your mailserver?
posted by bshort at 10:13 AM on September 15, 2006


Yeah, either you're being joe-jobbed and the hosting firm is being stupid/harsh, or there's some kind of vulnerability on the server that's being exploited.

Check the headers of the emails (More options > Show original) for any sign of your server being involved. If it seems to be a joe-job, send the headers to the hosting firm and ask them to reactivate your site.

Oh, and if you stop using catch-all (which is always a magnet for spam and bouncebacks) then the flood of messages won't reach your Gmail.
posted by malevolent at 10:18 AM on September 15, 2006


Your webhost is saying that some script on your webserver - perhaps one which normally allows website visitors to fill out a form and send you an email? - is being used to send out email to the world, and you need to alter that script to be more secure.
posted by jellicle at 10:35 AM on September 15, 2006


You may be getting joe jobbed, but it's also possible a spammer is using your server to send mail. Can you post the full text of Cedant's email to you? You can remove your domain and any personal info. If they shut you off because you're sending too much mail then it isn't a joe job.
posted by justkevin at 10:39 AM on September 15, 2006


This is how my host responded to my inquiry:

Your site was suspended by our spam watchdog. There are watchdog scripts on the server that look for excessive usage and will automatically suspend accounts for various things, including sending over 500 e-mails per half hour.

Wed Sep 13 13:09:46 PDT 2006 'davidmsc' suspended for spam (1189 messages sent)
Wed Sep 13 13:14:52 PDT 2006 'davidmsc' suspended for spam (1227 messages sent)

I've unsuspended this for you now. Please keep your mailings under 500 / half hour. If you need to send more than this, please either stagger them out over time or use the mailing list that comes with your account. This can hold up to 5,000 e-mail addresses, but runs differently as it's set to a lower priority on the server, so it automatically staggers the e-mails based on system load.


And here is a sample of what was in my GMail inbox yesterday:

> From: Mailer-Daemon@poplar.cedarville.edu
> Date: Sep 13, 2006 2:42 PM
> Subject: Message status - undeliverable
> To: BertiezssTrejo@davidmsc.com
>
> The message that you sent was undeliverable to the following:
>
> bcolas (User not on post office)

And no, my name is not "BertiezssTrejo" :-)

posted by davidmsc at 10:47 AM on September 15, 2006


If your web host saw that much *outgoing* mail, then something on your website is presumably being exploited by spammers. What software are you running? Any form-mail type stuff?
posted by mendel at 10:55 AM on September 15, 2006


If you were suspended for emails sent, then it's almost certainly a vulnerability in some script you're running somewhere on your site. davidmsc.com seems to be down right now, so I can't really check, but the chances are it's an email form that wasn't secured properly.
posted by reklaw at 11:46 AM on September 15, 2006


A common way to exploit a form mail is Email Header Injection. The simplest way to avoid that is to filter out symbols that are needed in a header:

http://www.nyphp.org/phundamentals/email_header_injection.php
posted by RobotHero at 12:13 PM on September 15, 2006
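Added example, not RobotHero's code or the NYPHP article's: the header-injection mistake in a contact-form mailer next to a hardened version, in Python. It only builds the raw message a form handler would hand to sendmail or SMTP; nothing is sent. owner@mydomain.com is an assumed delivery address and the attack input is constructed.

```python
"""Form-mail header injection: the weak builder beside a hardened one."""
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import formataddr, getaddresses, parseaddr

SITE_OWNER = "owner@mydomain.com"  # assumption: where the contact form delivers
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
BREAK_RE = re.compile(r"[\r\n\x00]")


class BadInput(ValueError):
    """Raised when a form field tries to smuggle a header."""


def build_vulnerable(sender: str, subject: str, body: str) -> str:
    """The classic mistake: form fields concatenated straight into the headers.

    A CRLF inside `subject` ends the Subject line, so whatever follows becomes
    new headers (a Bcc: list of victims) or, after a blank line, a new body.
    """
    return (
        f"To: {SITE_OWNER}\r\n"
        f"From: {sender}\r\n"
        f"Subject: {subject}\r\n"
        "\r\n"
        f"{body}\r\n"
    )


def clean_header(value: str, limit: int = 200) -> str:
    """Reject line breaks rather than strip them: a rejection can be logged
    as the attack attempt it is."""
    if BREAK_RE.search(value):
        raise BadInput("line break in header field")
    return value.strip()[:limit]


def build_hardened(sender: str, subject: str, body: str) -> str:
    """Validate each field for the header it goes into and let the library
    do the encoding. The visitor's address goes in Reply-To; From stays ours."""
    sender_addr = parseaddr(clean_header(sender))[1]
    if not ADDR_RE.fullmatch(sender_addr):
        raise BadInput("sender is not a plain e-mail address")
    msg = EmailMessage()  # policy.default also refuses header values with newlines
    msg["To"] = SITE_OWNER
    msg["From"] = formataddr(("Contact form", SITE_OWNER))
    msg["Reply-To"] = sender_addr
    msg["Subject"] = clean_header(subject)
    msg.set_content(body)
    return msg.as_string()


def recipients_of(raw: str) -> list[str]:
    """Who an MTA invoked as `sendmail -t` would actually deliver to."""
    msg = message_from_string(raw)
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(fields)]


def body_of(raw: str) -> str:
    return message_from_string(raw).get_payload()


# Constructed attack: a "subject" that injects a Bcc list and replaces the body.
ATTACK_SUBJECT = ("Question about your site\r\n"
                  "Bcc: victim1@example.net, victim2@example.net\r\n"
                  "\r\n"
                  "Buy now!")

if __name__ == "__main__":
    raw = build_vulnerable("bob@example.org", ATTACK_SUBJECT, "hello")
    print("vulnerable delivers to:", recipients_of(raw))
    try:
        build_hardened("bob@example.org", ATTACK_SUBJECT, "hello")
    except BadInput as e:
        print("hardened rejected:", e)
```

Stripping the offending characters, as the linked article suggests, also works; rejecting is stricter and leaves an audit trail, and putting the visitor's address in Reply-To instead of From keeps the form from sending mail "as" arbitrary addresses in the first place.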


Actually, it may not be from an exploitable script. If you have your address @davidmsc.com set to forward all mail to your Gmail, every inbound mail you get is going to generate an outbound mail, so if a lot come back within 1/2 hr that's going to trip their monitoring scripts. Can you post a full message? The header you put up just has the information from the bounce; I'd need to see the header from the original message to tell you if it came from your server or not.
posted by TungstenChef at 12:44 PM on September 15, 2006


+1 to TungstenChef.
posted by adamrice at 1:56 PM on September 15, 2006


You know, you could just host your email with GMail and not have to worry about the forwarding.

I bet TungstenChef is right.
posted by bshort at 2:22 PM on September 15, 2006


Thanks for all the input, gang...still trying to get a response from my host -- once they get the site back up, I'll investigate all of the possibilities that you mentioned. Grrr. Very frustrating.

Seriously - thanks, all.
posted by davidmsc at 3:44 PM on September 15, 2006


I get joe jobbed all the time, because I have had a particular account forever, and until recently it was available to the world. I've never gotten this kind of message; I tend to agree that someone's exploiting a vulnerability on your server.
posted by lackutrol at 4:39 PM on September 15, 2006


I have Comcast Business Internet and run my own mail server, but it forwards through Comcast's because too many blacklists think Comcast Business Internet is the same as regular Comcast. I got throttled by their SMTP server and was unable to send mail at all for quite some time because a domain I host got joe-jobbed -- and that domain was set up to forward mail to an account at another ISP. So, to Comcast's SMTP server it certainly looked as though I was sending a hugely unreasonable number of messages.

Since I never send mail with a return address from this domain, I just set up filters on my server to throw away anything that looks like a bounce message on that domain. If your domain host has server-side filters for mail, that might work. Otherwise, yeah, just sign up to have Gmail handle your whole domain.
posted by kindall at 6:32 PM on September 15, 2006
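Added example, not kindall's actual filter: a Python server-side filter that drops bounces addressed to a domain we never send mail from, as he describes. It recognises both RFC 3464 delivery status notifications and the common non-standard bounce shapes, and only discards when the bounce was sent to a domain in an explicit never-sends-from list, since a bounce for mail you did send is one you want to read. The bounce text is the one quoted in this thread; the other messages are constructed, and davidmsc.com is listed here purely as an assumption for the example.

```python
"""Drop backscatter: bounces to a domain that never originates mail."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

# Assumption: domains that receive mail but are never used as a sender address,
# so any bounce addressed to them is backscatter from forged mail.
NEVER_SENDS_FROM = {"davidmsc.com"}

BOUNCE_SENDERS = {"mailer-daemon", "postmaster"}
BOUNCE_SUBJECT_RE = re.compile(
    r"undeliver|returned mail|delivery (status|failure)|failure notice|"
    r"mail delivery failed", re.I)


def looks_like_bounce(msg: EmailMessage) -> bool:
    """True for standard DSNs and for the usual home-grown bounce formats."""
    if (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status"):
        return True
    if msg.get("Return-Path", "").strip() == "<>":   # null reverse path
        return True
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender.split("@")[0] in BOUNCE_SENDERS:
        return True
    return bool(BOUNCE_SUBJECT_RE.search(msg.get("Subject", "")))


def recipient_domains(msg: EmailMessage) -> set[str]:
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.rpartition("@")[2].lower()
            for _, addr in getaddresses(fields) if "@" in addr}


def verdict(raw: str, never_sends_from: set[str] = NEVER_SENDS_FROM) -> str:
    """'discard' only for a bounce aimed at a domain that never sends mail."""
    msg = message_from_string(raw, policy=policy.default)
    if not looks_like_bounce(msg):
        return "deliver"
    if recipient_domains(msg) & never_sends_from:
        return "discard"
    return "deliver"   # could be a bounce for mail we really sent: keep it


# The bounce quoted in this thread.
THREAD_BOUNCE = """\
From: Mailer-Daemon@poplar.cedarville.edu
Date: Wed, 13 Sep 2006 14:42:00 -0400
Subject: Message status - undeliverable
To: BertiezssTrejo@davidmsc.com

The message that you sent was undeliverable to the following:

bcolas (User not on post office)
"""

# Constructed: ordinary mail to the same domain must not be touched.
REAL_MAIL = """\
From: friend@example.org
To: david@davidmsc.com
Subject: Lunch tomorrow?

Are you free at noon?
"""

# Constructed: a bounce to a domain we do send from stays deliverable.
BOUNCE_TO_OTHER_DOMAIN = """\
Return-Path: <>
From: MAILER-DAEMON@mx.example.net
To: me@otherdomain.example
Subject: Undelivered Mail Returned to Sender

user unknown
"""

if __name__ == "__main__":
    for name, raw in [("thread bounce", THREAD_BOUNCE), ("real mail", REAL_MAIL),
                      ("other domain", BOUNCE_TO_OTHER_DOMAIN)]:
        print(f"{name}: {verdict(raw)}")
```

The same rule expresses naturally in Sieve or procmail on a host that offers them; the point of the explicit never-sends-from list is that the filter is safe only for a domain whose bounces can never be legitimate, exactly the condition kindall states for his own.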





