What to do about someone spoofing my email?
April 18, 2006 10:02 AM

Recently I have been getting emails from my domain bounced back to me from other people's automated anti-spam catchers. The problem is that I am not sending these emails...

I own my own domain but use gmail as my main email. As such I have a catch-all that delivers any email from my domain to my gmail account. Lately I've been getting emails bounced back that say they were sent from salesATuntuckedshirts.com, which I don't use. The email headers look like this:

From: Servage Antispam System
Reply-To: antispam@servage.net
To: salesATuntuckedshirts.com
Date: Apr 4, 2006 3:21 PM
Subject: Autoreply: Ever tried that?

I don't think anyone actually has access to my dreamhost account, so could this just be someone "spoofing" my address? I don't know exactly how that works but I've heard it's possible.
posted by untuckedshirts to Computers & Internet (14 answers total)
 
This is commonly referred to as a 'joe job'. Little to nothing you can do about it, although posting full headers might help trace the real source.
posted by bhance at 10:05 AM on April 18, 2006


See also previously and previously.

In short, nothing you can really do about it except hunker down and wait it out.
posted by unixrat at 10:18 AM on April 18, 2006


FWIW, I've noticed that my domains hosted on DH seem to get jobbed slightly more than average. My pet theory is that jobbers use DH domains because of the good reputation of DH and because it's less likely for one of their domains to be blacklisted.
posted by unixrat at 10:20 AM on April 18, 2006


Ditto, nothin' you can do. But it might help you to know that you're not alone, toward which I'll offer that it happens to me a couple of times a year. You learn to treat the bounces just like regular spam.
posted by cribcage at 10:28 AM on April 18, 2006


Minor terminology question: I thought a "joe job" was when the spammer is spoofing your address (or linking to your website in the spam, or whatever) specifically to get you in trouble. People who run anti-spammer sites tend to get joe-jobbed, for example. This sounds more like the spammer is spoofing untuckedshirts' address just because they needed a plausible source address and they randomly picked untuckedshirts --- they have no specific desire to draw attention there, as long as they draw attention away from the actual spam source. Do other people make this same distinction?
posted by hattifattener at 10:44 AM on April 18, 2006


hattifattener: They're pretty much the same thing. Oftentimes spammers aren't even aware that they're doing this, because the spam software they're using is filling in the blanks for them.

Sad but true fact. :-(
posted by drstein at 10:50 AM on April 18, 2006


I would kill the catch-all account and only forward the addresses that you actually use. Everything else should either bounce or drop at the server. This will at least minimize the number of bounces that you have to look at.
posted by COD at 10:54 AM on April 18, 2006


It's pretty easy to filter out most of these bounces at the server level, assuming they are being sent to random e-mail addresses at your domain and you're getting them because you have a catch-all.

Return-Path is <> (i.e. this is a bounce)
Message-ID does not contain @ (i.e. no message ID)
To is not your@real-email-address (i.e. it's to one of your catchalls)

(If spammers would just send messages out with an empty return-path to begin with, nobody would have to deal with the bounces, because there wouldn't be any.)
posted by kindall at 10:57 AM on April 18, 2006


Agree about the catch-all; it should be disabled. It is also vulnerable to a dictionary spam attack where the spammer simply tries sending email to every word in the dictionary at your domain. I once received over 100,000 pieces of spam in a single day from some spammer who tried this and I had a catch-all in place.
posted by camworld at 11:11 AM on April 18, 2006


Another vote to ditch the catch-all. I had it in place (at DH) for years, and it was great for site-specific addresses (amazon@, mefi@), but joe-jobbing killed it for me.
posted by mkultra at 11:36 AM on April 18, 2006


Response by poster: mkultra: yeah, the site-specific email addresses are why I have the catch-all in the first place. In theory it was meant to cut down on spam, the idea being that each website that requires a registration would get its own ****ATuntuckedshirts.com email address, so that if I started to get spam from a site I registered for I could just have that address go to the trash.

It made sense to me at the time but there are other ways to do it and it looks like now is the time.

What I worry about is that if these companies have my end-of-the-road gmail account and are spamming it directly, there is little I can do, as they generally switch up where the email is coming from, etc.

Thanks for the prompt replies.
posted by untuckedshirts at 12:10 PM on April 18, 2006


As far as site-specific spam goes, I actually found that I got little or no spam from individual sites where I had registered. If I was getting any, it was certainly getting lost in the torrent of 200+ daily emails to 'randomname@greenlightgo.com'.
posted by mkultra at 1:00 PM on April 18, 2006


This is happening to me too, right now. I hate those spamming bastards.
posted by tomble at 10:04 PM on April 18, 2006


Yeah, this really sucks. It started about a week ago for me. I've had my own domain for about 5 years now and I've been using it the same way as you (amazon@blah, mefi@blah, etc.). This is the first time this has happened to me and it was very confusing at first.

I use Outlook to grab my catch-all as well as a number of "defined" e-mail addresses from my domain. I threw together this Outlook rule and it seems to be taking care of the majority of bounced spam coming in. I'm just hoping my domain doesn't get blacklisted before this is over.

Apply this rule after the message arrives with "postmaster" or "Delivery" or "DAEMON" or "undeliverable" in the sender's address
delete it
and mark it as read
except with "real name 1" or "realAddress2" or ..."realAddress5" in the recipient's address.

This seems to remove about 98% of the bad stuff, so that I'm back to only a couple sneaking through in a day. I should also receive any real bouncebacks with this in place, as I'm keeping any bouncebacks with my real name/address in them.

Hopefully they'll move on to another address soon.

I'm normally anti-death penalty, but I'm reconsidering my stance when it comes to these bastards.
posted by freshgroundpepper at 11:15 PM on April 18, 2006
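Both bounce filters proposed in this thread (kindall's Return-Path/Message-ID test and freshgroundpepper's Outlook rule), written out as an added Python example that is not code from anyone in the thread. The example.com addresses in REAL_ADDRESSES, the sender address on the Servage autoreply and the message bodies are constructed assumptions.

```python
import email
from email.utils import parseaddr

# Addresses the domain owner really uses (constructed for this example);
# mail to any other local part only arrives through the catch-all.
REAL_ADDRESSES = {"me@example.com", "amazon@example.com", "mefi@example.com"}

# Sender-address fragments from freshgroundpepper's Outlook rule.
BOUNCE_SENDER_WORDS = ("postmaster", "delivery", "daemon", "undeliverable")


def recipient(msg):
    """Bare recipient address from the To: header, lower-cased."""
    return parseaddr(msg.get("To", ""))[1].lower()


def is_backscatter_by_envelope(msg):
    """kindall's rule: null Return-Path (so it is a bounce), no '@' in the
    Message-ID, and addressed to a catch-all address rather than a real one."""
    return (msg.get("Return-Path", "").strip() == "<>"
            and "@" not in msg.get("Message-ID", "")
            and recipient(msg) not in REAL_ADDRESSES)


def is_backscatter_by_sender(msg):
    """freshgroundpepper's rule: bounce-like words in the sender address,
    unless the message is for an address we actually use."""
    sender = msg.get("From", "").lower()
    return (any(word in sender for word in BOUNCE_SENDER_WORDS)
            and recipient(msg) not in REAL_ADDRESSES)


def classify(raw_message):
    """Return (envelope_rule_hit, sender_rule_hit) for one raw message."""
    msg = email.message_from_string(raw_message)
    return is_backscatter_by_envelope(msg), is_backscatter_by_sender(msg)


# Constructed samples modelled on the bounce quoted in the question: a backscatter
# autoreply to a catch-all address, and a genuine bounce to a real address.
BACKSCATTER = ("Return-Path: <>\n"
               "From: Servage Antispam System <antispam@servage.net>\n"
               "To: sales@example.com\n"
               "Subject: Autoreply: Ever tried that?\n\nRejected.\n")
REAL_BOUNCE = ("Return-Path: <>\n"
               "From: Mail Delivery System <MAILER-DAEMON@mx.example.net>\n"
               "To: me@example.com\n"
               "Message-ID: <bounce-1@mx.example.net>\n"
               "Subject: Undelivered Mail Returned to Sender\n\nFailed.\n")
```

Note that the Servage-style autoreply only trips kindall's rule: its sender address contains none of the Outlook rule's keywords, which is why a filter keyed on the sender alone lets some backscatter through.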

