Join 3,514 readers in helping fund MetaFilter (Hide)


My domain was spoofed I am becoming blacklisted, help!
February 1, 2007 5:40 AM   Subscribe

I assume someone has spoofed my domain for spam! I am becoming blacklisted...what to do?

I started getting emails bounced back from servers...started as a few now its at least ten to twenty a day. I also have tried emailing a few people (including a classmate at Citigroup) and have seen it bounced back marked as "spam". It cannot be the content as I sent a normal message with no works or attachments that would flag a spam sensor.

Is there anything I can do? Becoming blacklisted as a spammer is begining to cause problems.
posted by UMDirector to Computers & Internet (19 answers total) 6 users marked this as a favorite
 
I should add that the emails are coming back with random email addresses such as Gwcb@MyDomain.com and Xwgg@MyDomain.com.
posted by UMDirector at 5:41 AM on February 1, 2007


Ask your domain host to set up SPF dns record for your domain's web servers, they should be able to do that for free imho (it's just a text file...). This wont completely stop the problem but will make it that much more difficult to other web servers that check for SPF validity.
posted by ronmexico at 5:53 AM on February 1, 2007


Problem is my current host is Network11.com and they have disappeared. There is no body home...not answering trouble tickets or emails, voice mail is full...it has been like that for months. I am hoping to find a new hosting local but so far have not due to lack of time...
posted by UMDirector at 6:09 AM on February 1, 2007


Those things (forged domain in spam, blacklisting) don't usually go together; the people that maintain the blacklists know that sender information isn't reliable, and blacklist based on source address which is reliable.

That means that there is a definite possibility that the problem isn't one of spammers spoofing your domain, but one of spammers finding a way to relay mail through your systems somehow.

When you say "blacklisted", what exactly have you observed? Were there specific error messages? Do you know which blacklists?
posted by mendel at 6:09 AM on February 1, 2007


It's called a "Joe Job" - unfortunately there isn't much you can do to avoid being marked as a spammer on your domain... One easy thing you can do to avoid getting those bouncebacks is to get rid of the catchall on your domain, though that can be a big of a pain in the ass if you use it extensively. And you would be surprised what gets marked as spam these days.. my girlfriend's work email server blocks the words "I Love You", due to the I Love You virus... but it allows those words in the subject of the email, which is specifically where the I Love You virus put them! Ridiculous.
posted by antifuse at 6:12 AM on February 1, 2007


As mendel says, blacklists tend to be based around servers rather than domains, so chances are it's the SMTP server you use that's the problem.

Have you tried sending emails from your domain via another method, e.g. using Gmail? If that works then you'll know it's not a domain block.
posted by malevolent at 6:34 AM on February 1, 2007


No, this is not an example of a joe job. The OP isn,t just getting random bounces, he's getting back specific bounces from emails he's sent saying that his domain has been blacklisted.

I concur with the above poster who suggested that you might have an open relay in your network. Another alternative is that you have a machine that's been compromised within your network and is now part of a botnet.

Check your IP addresses against some of the bigger spam blacklists out there, such as Spamhaus to see if your on the list.

(Sorry for the lack of links, posting from my phone.)
posted by Inkoate at 6:36 AM on February 1, 2007


Your "nobody's home" ISP is likely allowing spam within their network and you're probably blacklisted along with the rest of their network.
posted by wierdo at 7:14 AM on February 1, 2007


i third the leaky SMTP server. i've seen this happen to clients of mine and by the time they call me in, it's a messy process to get everything fixed (un-blacklisted, etc)

if you don't have a reverse DNS lookup registered with your ISP, do so. close open SMTP relay. require a login (don't do the POP3 delay route.) change the port by which you can actually send messages (mine's in the 1400 range and anything coming in on port 25 cannot have our domain name attached to it, among other things)

This is a pretty easily remedied problem, but the fact is that most mail servers aren't properly set up from day one. hopefully you can get it in order.
posted by quadrinary at 7:31 AM on February 1, 2007 [1 favorite]


Well here is whats interesting...I have another email address that sends through the same account but from a different domain and it works fine. That is to say I have a different email address with different domain but going out from the same outgoing mail server. Those work fine.

I have sent the exact same email from both accounts...the domain getting the bouncebacks gets the email back marked as spam...the other domain/email combo goes through fine.
posted by UMDirector at 8:03 AM on February 1, 2007


Assuming I switch providers and stop the flood of spam going out (whether spoofed or the SMTP issue) who do I contact to be removed from the theoretical blacklist? I must be on one...I literally could send the word "the" to my friend at citigroup and it gets bounced.
posted by UMDirector at 8:05 AM on February 1, 2007


Try webmaster@[the domain of the email addresses that you can't send to]. They might not be able to remove you from the blacklist themselves if it's being operated by a 3rd party but they can at least tell you who runs the blacklist.
posted by EndsOfInvention at 8:15 AM on February 1, 2007


Sorry, I should have elaborated further - chances are pretty good that those "Gwcb@MyDomain.com and Xwgg@MyDomain.com" bounces are, in fact, the result of a joe job. The bouncing back specifically from the friend at citigroup is likely a blacklisting. As for switching providers and getting yourself de-blacklisted, that's really going to depend on the blacklist in question. For the citigroup one, it could be that citigroup's internal IT folks have their own blacklist setup, and you need to contact them directly. If the outgoing SMTP server isn't blacklisted, then it would seem to me that it *is* a joe job happening, as opposed to a leaky SMTP server... either that, or whomever blacklisted you did a very sloppy job of it.
posted by antifuse at 8:16 AM on February 1, 2007


If it's the blacklisted SMTP issue (and I almost guarantee it is), switching providers should take care of it. In fact, just try relaying your outgoing mail through a different server (smtp.gmail.com works well if you have an account) and that should take care of being rbl-ed.

Check the IP address of your mail-server on an rbl lookup tool like this one. If you show up there, contact each of the list admins to be removed. Each of the major ISPs (Comcast, AT&T, MSN, etc.) run internal blacklists too, so you'll need to contact them too. When your mail gets bounced it should contain a link that explains what to do.

Good luck; I manage a few mail-servers and I can attest that being blacklisted is most annoying.
posted by maniactown at 8:17 AM on February 1, 2007


EndsOfInvention writes: "Try webmaster@[the domain of the email addresses that you can't send to]"

postmaster@the-blocked-domain.com is often a good bet.
posted by maniactown at 8:51 AM on February 1, 2007


Maniactown: UMDirector already said that he can send through the same mail server using a different domain's email address, so it would appear that it's *not* a problem with the SMTP server.
posted by antifuse at 9:04 AM on February 1, 2007


Problem is my current host is Network11.com and they have disappeared. There is no body home...not answering trouble tickets or emails, voice mail is full...it has been like that for months.

Exactly why would you want to continue to be their customer, then? Perhaps step one of any solution you use should be to move somewhere more responsible.
posted by phearlez at 10:34 AM on February 1, 2007


I had the same issue last week, the problem resulting from a shared hosting at a cheap host. It wasn't my DOMAIN, it was the IP OF THE SERVER, which is deal-with-able the same way.

I simply applied for google apps for your domain:
http://www.google.com/a/

And changed my MX records in Cpanel to point to my new home @ google. Now not only do we have the luxury of a gmail web interface, we have 2Gb of storage each and can still download via SSL over POP3 and SMTP. My favorite part is that google's spam filters ROCK.

Problem solved...for us anyway.
posted by TomMelee at 11:34 AM on February 1, 2007 [1 favorite]


First off, SPF doesn't work. It is broken by design, and we've known this for a long time (see http://bradknowles.typepad.com/considered_harmful/2004/05/spf.html).

Second, the individual bounces are definitely the result of a "Joe Job".

As for getting off the blacklists, some will happen automatically when the spam flood stops and the spammers move on to Joe-Jobbing someone else. Some blacklists are permanent, and you'll never get off those. Some blacklists are done on the basis of your IP address, so moving your domain somewhere else will help with those. But some other blacklists are by domain, so for them it won't matter where you have your domain hosted.

In short, you're pretty much screwed. Even the big operations spend a hell of a lot more time and money filtering out the spam (and the Joe Jobs) than handling real mail, and sometimes even the biggest of sites can't handle the load. Even if you put together just a small fraction of the all the spammers together, if they concentrate all their attention on you then that's still way, way bigger than any site can possibly handle.

There are no silver bullets. This is not a technical problem. There is no amount of technical solutions which you can implement which will actually solve this problem.

So long as you restrict yourself to purely technical means, you're involved in an arms race against cyber terrorists -- and they are much more numerous than you are, they are much better funded than you could ever possibly be (spam is now big business for organized crime syndicates), they are much better organized than you are, they are much more diverse in their culture than you are (so they are immune to mono-culture type solutions), and they are much more dispersed than you are (so even a nuclear strike would take out only a few at a time). Most spam attacks are controlled from places where they can slip through the local laws, and that makes them pretty much untouchable.

Basically, they are the cockroaches of the Internet, they are intelligent, and they have bigger and more effective weapons than you can ever hope to have.
posted by bradknowles at 4:51 PM on February 1, 2007


« Older What blogging service to use f...   |  Web Forum Filter: We have sta... Newer »
This thread is closed to new comments.