Am I an unwitting spammer?
June 1, 2006 12:59 AM   Subscribe

Email and spam question - who is sending this email and how?

I own a domain name and set up all mail addressed to that domain to be forwarded to my main email account (a yahoo address).

Just lately I've been finding a lot of 'address not found' type email that has apparently bounced back into my inbox, claiming that it was originally sent from an email address on my domain.

Thing is, the email addresses used aren't ones I've set up, and just seem to be random works like,, etc. The contents of each email are fairly typical random spam text, but I'm worried that some of this email is actually getting through to people and appears to come from my domain address.

What's going on? Has someone hijacked my account to send out spam, and if so, can I stop it?
posted by jonathanbell to Computers & Internet (14 answers total) 1 user marked this as a favorite
What's going on?
Someone is spoofing your address so they don't receive the bounce backs, and to hide their identity. It's a common problem.

Has someone hijacked my account to send out spam?

and if so, can I stop it?
You can't stop it.

To trace where the email came from, you need to examine the email headers of the sent emails. These may be held as attachments, or in text in the returned emails. Here is an article about reading those headers. From these, you may get an idea of where the emails are coming from, but that's unlikely to help as spammers can use botnets to send the emails.
posted by seanyboy at 1:06 AM on June 1, 2006

Response by poster: Thanks Seanyboy, reassuring to know that I'm not sending out reams of rubbish all over the world without realising it. I've added 'spoofing' to the tags.
posted by jonathanbell at 1:13 AM on June 1, 2006

You're using a catchall domain. That's one of your problems right there. You shouldn't be.
posted by justgary at 1:40 AM on June 1, 2006

Response by poster: What does 'catchall domain' mean, and how do I stop using one? Sorry to be dim.
posted by jonathanbell at 2:18 AM on June 1, 2006

You say to your domain host "please just enable jonathanbell@ , " for example, "on my domain. I don't want it be a catchall domain anymore."

"Catch-all" means that an email sent to any address @ your domain will be sent to your regular email address. This means spammers can be sure that emails they send to any email address at your domain e.g. will reach a legitimate user.
posted by zaebiz at 2:31 AM on June 1, 2006

do spammers generate names then and then just add them on to the valid domain ?

how do you know if you have a catch-all email address ?
posted by jacobean at 2:47 AM on June 1, 2006

This catch-all thing is a setting that should be in your domain control panel, or else you can just email/phone and ask your host.

Essentially, there are two possible settings:
1) Only allow email addresses that I create.
2) Allow [anything] to work, forwarding any such emails to [my yahoo account].

If you change your setting to #1, spammers who send spam from will be less annoying to you as presumably you'll only have a few email addresses (eg: working.
posted by Marquis at 3:18 AM on June 1, 2006

The problem is emails being spoofed from "". If the bouncebacks are coming to "", then you can stop receiving these bounced messages by changing from a catchall address. It won't stop the emails being sent out though.

Sometimes bounced messages get returned to "". You shouldn't disable this address, and so will continue to receive bounced messages.

Personally, I use a catchall address and use e-mail filters to stream bounced messages into my trash folder.
posted by seanyboy at 3:38 AM on June 1, 2006

I've had the same problem with my domain name. Does this mean that my domain name has now been marked as spam, and further emails from that domain name are unlikely to get to the actual receivers?

If so, is there a fix or a solution? :)
posted by badlydubbedboy at 4:06 AM on June 1, 2006

Heck, I had this problem with a plain old Yahoo! email account a half dozen years ago. (

It's a common problem. It didn't used to be so bad, but it seems like around 1998-1999 it became non-trivial to spoof headers and the gates of crapflooding opened up.

While it might seem like the kind thing to do, under no circumstances should you email any of the target addresses you can see in the CC fields of your bounceback messages and apologize and attempt to explain that you're not actually issuing the spam.

I learned that lesson the hard way.

Your chances of (more or less randomly) reaching someone technical enough to even remotely understand what the fuck is going on and what you're trying to apologize for is slim to none.

I tried that with some poor lady who got spammed in my spoofed Yahoo messages debacle, back when spam wasn't quite the overwhelming problem it was today, and it only ended in confusion.

Even worse, shortly thereafter she picked up the ILOVEYOU or Melissa virus, her computer sent me about 200 copies of the payload since I was now in her address book. I was dealing with IT/Helpdesk at the time and had the fixes, so I wrote back and patiently (and precisely) tried to explain that she had unwittingly picked up said virus(es) from an email message with an attachment and that they could be fixed and eliminated.

She wrote back. Extremely pissed off and accusing me of giving her the virus. And hacking her computer. And worse. And even threatening to take it to the DA or some shit, 'cause she was some kind of hot shit prosecution lawyer or something. (As discerned by her .sig.)

I'm pretty sure she was self-convinced I even sodomized her dog at some point, which would have undoubtably been some yappy, beady-eyed toy breed whom she lavished enough expensive gifts on to fund an entire chain of clinics in a third world country.

Anyway. I strongly suggest you refrain from even considering attempting to contact any of these targets. It'll only end in tears. Or fruitlessly suck up your valuable time.
posted by loquacious at 4:33 AM on June 1, 2006

Does this mean that my domain name has now been marked as spam
Probably not, but the fun thing about email is you never do know.
Also, what loquacious said. Don't be sending emails to people explaining that its not you spamming them. That way leads madness.
posted by seanyboy at 6:00 AM on June 1, 2006

By the way, you may find that, properly used, enabling a catchall domain can reduce the amount of time you spend dealing with spam.

Basically, everytime I have to give out an e-mail address, I make up a new one linked to the place I'm listing the address. So, the address listed on my metafilter user page is "". If I start getting spam to that address, I know exactly where they found it. And I can then just set up my mail filter to direct all mail to "" to my Junk folder. This requires doing a quick scan of my Junk folder before trashing it, in order to ensure I haven't lost anything legit, but on the balance, it's a huge time saver.
posted by yankeefog at 6:11 AM on June 1, 2006

It's strange that nobody is considering the possibility that your server is sending out emails. If your website has an interactive elements, like Wordpress, phpBB, etc, hackers could be using exploits to send out mail from your domain. They run automated scripts that test various domains to see if they have any commonly exploitable applications. They also brute force attack through SSH to see if any of your passwords are easy to guess.

Take a look at the bouncebacks you're getting, and examine the headers. If the mail is coming from some other domain, but just has your domain as the return address, I wouldn't be that worried. But if it originates from your server's IP, you should be a little more concerned.

Whatever the case, you should always make sure any software or scripts you're using are patched up to the latest version if there are any known security flaws.
posted by fcain at 6:45 AM on June 1, 2006

You're using a catchall domain. That's one of your problems right there. You shouldn't be.

The term is catchall address not catchall domain. "catchall domain" dosn't make any sense.
posted by delmoi at 10:31 AM on June 1, 2006

« Older running scripts on godaddy acount...   |   What can a linguistics Ph.D. do outside academia? Newer »
This thread is closed to new comments.