How can we stop spammers from using our domain?
November 6, 2005 7:36 AM

I think someone is using our domain name to send spam from. What can I do about this?

Our catch-all email account has been getting hundreds of "mail delivery failed" messages, which appear to have been sent from non-existent email addresses on our domain to all sorts of regular email addresses (like this). The emails are regular spam: MBAs, rolexes, viagra, etc.

I don't really want our domain blacklisted as spam. What can we do about it?
posted by Count Ziggurat to Technology (9 answers total)
 
Do you have the headers from a couple of the bounced messages? If they're simply forging your domain name into the "from" field there's not much you can do about it. Take a look at http://members.cox.net/joejob/

The real worry is that they may also be using your org's mail SERVERS as an open relay. THAT you can stop.
posted by tyllwin at 7:46 AM on November 6, 2005


see here (it appears to be slightly different, but the answers cover this case too)
posted by andrew cooke at 7:49 AM on November 6, 2005


Catch-all accounts==a lot of spam
You shouldn't be using them.
posted by Sharcho at 7:57 AM on November 6, 2005


Spammers can put any text they like in the from field and there's nothing you can do about it.
posted by cillit bang at 8:19 AM on November 6, 2005


Spammers can put any text they like in the from field and there's nothing you can do about it.

Correct, but the domain won't be blacklisted because of that. Blacklisting occurs because mail truly originates from the domain, as shown in the headers.

(Think of "from" addresses as what someone could put as a return address on the outside of a envelope being sent via the U.S. Postal Service. If someone else decides to write your name and address as the return address, there isn't much that you can do about it. But the post office isn't going to stop accepting your outgoing mail if someone in (say) Alaska is writing your address on their outgoing mail.)
posted by WestCoaster at 8:45 AM on November 6, 2005


Response by poster:
Hi. This is the qmail-send program at smp.voyagerco.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

:
Sorry, no mailbox here by that name. vpopmail (#5.1.1)

--- Below this line is a copy of the message.

Return-Path:
Received: (qmail 16319 invoked from network); 6 Nov 2005 16:48:34 -0000
Received: from 201-1-39-233.dsl.telesp.net.br (HELO mmm2.com) (201.1.39.233)
by smp.voyagerco.com with SMTP; 6 Nov 2005 16:48:34 -0000
Message-ID:
From: "Dennis Beltran"
Subject: =?ISO-8859-1?b?UGFzc2VkIHVwLCBhZ2Fpbj8=?=
Date: Sun, 06 Nov 2005 16:44:10 +0000
MIME-Version: 1.0
X-Sender:
In-Reply-To:
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 8bit

Hey there,
UNIVERSITY DIPLOMAS
Receive a successful future, money-earning power, and the prestige that comes with having the position and career you have always dreamed of!
Diplomas from universities based on your present knowledge and life experience.
If you qualify, no classes, books, examinations or tests!
Degrees available.
Bachelors
Masters
MBAs
Doctorate
PhD.
Confidentiality assured!
CALL RIGHT N0W to receive your diploma within two weeks!
(313)772.7099
Whois from mmm2.com:
Herm.
posted by Count Ziggurat at 9:55 AM on November 6, 2005


Pretty much anyone who uses email has had this happen to them, and there is not much you can do about it.

Sometimes, if I keep getting consistent messages that are from the same IP address, I will contact the ISP that has control of that IP address and complain. Sometimes it works and it will stop, but most of the time it does not...
posted by gemmy at 11:53 AM on November 6, 2005


In looking at mail headers, usually it's the very first (bottommost) "Received" header that tells you where the email originated:

Received: from 201-1-39-233.dsl.telesp.net.br

Came from a DSL connected computer in Brazil, probably a zombie, using MS Outlook. I don't know enough about headers to say whether the mmm2.com is relevant. You might be barking up the wrong tree with that one.

Anyway, forged From headers are cake for spammers. You just have to ignore it. Usually your spam filter (or your ISP's) will catch on quick enough and you'll stop seeing the bounces.
posted by intermod at 1:18 PM on November 6, 2005


When this happened to me, from my tiny vanity domain, I of course got a hurricane of bounces, and some complaints and unsubscribe requests... which of course I couldn't honor, since I wasn't actually sending the mail. All I could do was apologize and explain, which got old.

I've implemented SPF (Sender Permitted From) on my domain now... that's a special record that goes into the DNS that says "mail is allowed to originate for this domain from these addresses." I haven't had the problem since... though of course correlation doesn't imply causation.

It's not hard to do this at all, but you do have to have the ability to manually edit your own DNS files. You need to add a TXT record for your domain. The syntax for this TXT record is kind of complex, but there are websites out there that will ask you some questions about how you want your SPF configured, and then generate the right line for you.

The line I use is:

example.com IN TXT "v=spf1 mx"

That means 'record type SPF1, allow mail from mailservers for this domain'.

This means that by listing an MX record for your domain:

example.com IN MX 10 mail.example.com.

And listing an IP address for mail.example.com:

mail.example.com IN A 127.0.0.1

That will A) have incoming mail go to mail.example.com, and B) allow outgoing mail to be sent from that IP address.

This only works if the recipient domains do SPF checking, but the big guys mostly do this now. So just by listing a valid SPF record, you make your domain a lot less interesting for joe jobs.
posted by Malor at 2:04 PM on November 6, 2005
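An added example, not code from the thread, that ties intermod's and Malor's answers together: it pulls the connecting IP out of the bottom-most "Received: from" header of the bounce quoted above, then evaluates a small subset of SPF (the a, mx, ip4 and all mechanisms) against that IP, with DNS answers replaced by a constructed table for example.com whose mail server is assumed to be 203.0.113.25. It shows the caveat a practitioner would want on the record above: "v=spf1 mx" on its own leaves the Brazilian DSL address at neutral, so a receiver has nothing to reject on until the record ends with an explicit "-all" (or "~all" for soft fail).

```python
"""Added example, not from the thread: pull the originating IP out of a bounce's
Received chain, then evaluate a simplified SPF record against it offline."""
import ipaddress
import re

# Constructed stand-in for DNS (assumed records for example.com).
DNS = {
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["203.0.113.25"],
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed excerpt modelled on the headers quoted in the thread.
BOUNCE = """Received: (qmail 16319 invoked from network); 6 Nov 2005 16:48:34 -0000
Received: from 201-1-39-233.dsl.telesp.net.br (HELO mmm2.com) (201.1.39.233)
  by smp.voyagerco.com with SMTP; 6 Nov 2005 16:48:34 -0000
"""

def originating_ip(headers):
    """IP from the bottom-most 'Received: from' line: the hop nearest the
    sender, and the address worth reporting to its ISP."""
    hops = re.findall(r"^Received: from .*\((\d{1,3}(?:\.\d{1,3}){3})\)",
                      headers, flags=re.M)
    return hops[-1] if hops else None

def check_spf(record, domain, ip):
    """Evaluate the a, mx, ip4 and all mechanisms (a subset of SPF) for ip.
    A record with no 'all' term leaves unlisted senders at neutral."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError("not an SPF v1 record")
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in DNS.get((arg or domain, "A"), [])
        elif name == "mx":
            matched = any(ip in DNS.get((h, "A"), [])
                          for h in DNS.get((arg or domain, "MX"), []))
        else:
            raise ValueError("unsupported mechanism: " + name)
        if matched:
            return RESULT[qual]
    return "neutral"  # nothing matched and no explicit 'all': default result
```

Run check_spf("v=spf1 mx", "example.com", originating_ip(BOUNCE)) and then the same with "v=spf1 mx -all" to see neutral turn into fail for the forged sender while the listed mail server still passes.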

