Why am I suddenly getting hundreds of undeliverable email messages?
January 4, 2007 3:48 PM   Subscribe

For the last few days I've been getting hundreds of "undeliverable email" messages. The sender of the undeliverable email is a garbage name at my domain. I think some bot is just cranking out these names, having found out my domain name. I'm pretty sure there is no virus on my computer; also I've been using only webmail for a while. Is there any way to make this stop?
posted by maggiemaggie to Computers & Internet (28 answers total) 5 users marked this as a favorite
You're not the only one. When i got back from my Christmas break last Tuesday, I had 500 in my inbox.

see this link for more info

Your only way of stopping it is by turning off your "catch-all" e-mail feature for your domain. That way when a bot forges "zxy@yourdomain.com" as the sender, the undeliverable e-mails you're getting will bounce as well!

In a few days the bots will pick another poor bastard to pick on
posted by derbs at 3:55 PM on January 4, 2007

Does it look like email backscatter? If so, there's not really anything you can do to make it stop; either filter out any email addresses to arbitrary accounts in your domain, or ask your service provider to.
posted by ardgedee at 3:56 PM on January 4, 2007

You got "JoeJobbed".

I had this problem a long time ago and just had to remove *@mydomain.com and only use actual aliases that I set up.
posted by subclub at 3:58 PM on January 4, 2007

And don't be concerned about your machine for viruses or whatever. The spammers are just using your domain as the reply-to address. They're likely not using your server to send it.
posted by Dave Faris at 4:00 PM on January 4, 2007

This is also called a dictionary attack.
posted by camworld at 4:04 PM on January 4, 2007

This started happening to me a couple years ago. The only solution is, as mentioned, to turn off the catch-all.

This was annoying to me, because I'd been using many e-mail aliases for different purposes (e.g., to set up an account with the Daily Times newspaper's site, I'd give them dailytimes@mydomain.com as my e-mail address). The goal of this was to prevent my primary address from being acquired by spammers and marketers.

When I stopped using the catch-all, I had to manually create all the aliases that were still important to me. But it's worth it not to deal with tons of JoeJob messages.
posted by Artifice_Eternity at 4:06 PM on January 4, 2007

Thanks! I just went and turned off my catch-all.

I'm glad to hear I'm not the only one but this spam thing really sucks.
posted by maggiemaggie at 4:33 PM on January 4, 2007

Same thing that happens to me. Did you know over 85 % of e-mail is now spam? It's pretty sickening.

I kept my catchall on because I often register for sites as sitename@mydomain, but I use gmail so I don't get a lot of spam actually in my box.
posted by jesirose at 4:44 PM on January 4, 2007

It just happened to one of my domains a few days ago. I *really* don't want to turn off the catch-all feature. I find it very annoying, but I'm hoping I can outwait them.
posted by Lame_username at 4:48 PM on January 4, 2007

I'm having the exact same problem with my domain. Thing is, I really use that catchall, so I can't turn it off. I'm getting 40-50 bounces a day, which I suppose isn't too bad as these things go, but still sucks.

A partial fix, which I've already implemented, is the "Sender Permitted From" framework. Not everyone uses it (many don't, in fact), but my DNS server reports that only one server in the whole world is allowed to send mail on my domain's behalf. If mailservers look up SPF on first connection, they'll refuse mail that's not from my server. I don't know how many receiving servers use it, but I presume it's at least helping, since I don't seem to be getting as many as the rest of you.

SPF is pretty easy to set up, if you have the ability to publish a TXT record for your domain. There's a couple of 'cookbook' sites that will build the proper SPF record for you, based on how you fill out a (simple) web form.

I hope admins don't block on domain name anymore. I'm definitely not sending any spam...but it's my third joejob in as many years.

In prior years, lame_username, it lasted only about three days... this is the longest attack so far.
posted by Malor at 4:54 PM on January 4, 2007

This happened to me years ago. In fact, I now find myself in the wonderful position of having my legit email automatically routed to the trash folders on any and all microsoft owned sites, like MSN, hotmail, and microsoft.com, presumably because my domains are on some precious internal list they keep, despite SPF records and all that. Makes it difficult to do business. So if people stop replying to your emails, make sure you ask them to check their trash folders...
posted by maxwelton at 5:26 PM on January 4, 2007

This is also called a dictionary attack.

I don't think that is correct in the situation presented. A dictionary attack in this case would be someone trying to get an email through to maggiemaggie's inbox. They aren't doing that. What is happening, is what is stated above. They have just used one or more random "names" at "@maggiemaggie.com" (or whatever the name of her domain is). Her domain setup is letting through all emails to anything with "maggiemaggie.com" at the end. Changing the settings to only accept known addressee's will stop the emails coming through - unless, of course, they guess one of her actual addresses.
posted by qwip at 5:29 PM on January 4, 2007 [1 favorite]

It doesn't appear to be a dictionary attack. The spoofed "from" addresses are all random letters like XFGHGDS@mydomain.com

Malor, I'm getting about 40 or 50 a day too.
posted by Lame_username at 5:43 PM on January 4, 2007

>Did you know over 85 % of e-mail is now spam?

Got a cite for that?
posted by AmbroseChapel at 6:06 PM on January 4, 2007

I like my domain's catchall as well, using the catchall feature for transient or newly tracked or routed e-mail addresses. And, frankly, I don't think my domain has been in a benign state of non-Joe Jobbing for more than a few days in all of 2006. That's an unfortunately side-effect of having multiple public addresses in multiple public venues spanning years, all tied to the domain. When I bother to check the trash stats, spam counts consistently run from 200-400+ per day with undeliverable bounces to nonexistent addresses being well-represented.

Two things worked for me. Of lesser importance, I sampled the spammed and bounced To addresses over a week's time and discovered a few addresses which I no longer used, but which spammers loved: stuff like old Usenet addresses, ancient vendor contacts, and so on. E-mails to those addresses were set to be silently discarded at my host -- any decent domain host for e-mail should have basic low-level discarding and bouncing available. The e-mails are not bounced, please do not ever bounce unsolicited mail. It doesn't work and it's not nice. You most likely burden another innocent domain with your own bounces or have the bounce sit as one of a few billion of ignored missives clogging the tubes.

The second, and most important thing is I implemented aggressive whitelisting via smart filtering in the e-mail client. I use Mozilla Thunderbird for this nowadays. Thunderbird has pretty powerful filtering capability that can be applied to each part of an e-mail and its easy to learn. No programming required. Also, sets of filters can (optionally) be applied differently depending on your To address, which can come in handy.

Now all my incoming e-mail has to run the filter gauntlet before it makes it to a non-trash folder to trigger my attention. For my situation, it required a modicum of thought and planning. I know who my relatives, friends, clients, and vendors are, so their From addresses get through. Next step was determining what reasonably unique phrases or keywords are of a business or personal interest. Messages with those phrases in the content come through (though if you ran a sex-based business this level of filtering will probably be a lot more difficult to fine-tune). As a final fail-safe I have a filter which catches could-be-maybe-not situations, e.g a family/friends' nickname. Those go into a Probable Junk filter, with attention status just above that of Trash. Everything else auto-filters to Trash.

Obviously you can extend the filtering concept to whatever works for you as far as attention levels and exceptions, framed in your own priorities and anxieties. I've heard of people with over 100 filtering rules -- I have a couple of dozen. Unless you have a completely open e-mail situation where you often receive legitimate messages from totally unknown people of totally unknown content with no chance to predict anything about who, what, where, or why, you can probably derive basic rules which will filter out most of the mess. Currently I get an average of two or three spams a day making it through my filters. Over a 99% kill rate, easily manageable.

It probably goes without saying, but not to assume, even with whitelisted smart filtering it still behooves you to perform a quick perusal of the trash folder every so often to catch any stray legit e-mail. Particularly at the beginning or when you're tweaking things. Then update the filters to patch the hole.
posted by mdevore at 6:20 PM on January 4, 2007

Could the high level of bounceback be due to the Taiwan earthquake and subsequent Asian internet crash?
posted by Pollomacho at 6:26 PM on January 4, 2007

I'm having the same problem and have implemented some pretty aggressive filtering via procmail. The joejobbing started about five months ago and the levels of crap just keep increasing: I'm thinking that waiting it out isn't going to work. Like maxwelton, I'm also beginning to have problems with the legit emails I write from my domain getting filtered as spam.

Dunno about 85% but this source cites 72.9% in October '06.
posted by jamaro at 6:54 PM on January 4, 2007

Exactly the same thing here over the past week and I'm also not prepared to turn off the catch all. The thing that pisses me off is I white list aggressively at the server and this stuff gets through (I obviously don't have those settings right yet) and thunderbird is only putting about a third into the spam folder. I'm going to have to enable server side spam filtering, which I really don't like (last time I had it on it deleted a formal job offer, nearly screwing up like my entire future), and I guess I'm going to have to learn how to use it more effectively.

It's my fault though, I was very careful with this domain for years and kept it very clean. But when I changed to thunderbird last year I didn't notice for a couple of months that emails I sent, even replies to a different address, were defaulting to this address rather than the other domain I use more widely (I've since fixed that). So the domain got out to people I don't know in person and it was tainted. After that crap like this is inevitable.

I have noticed that most or all the bouncebacks are from aisan domain names (e.g. .jp extensions) so I wonder if Pollomacho's comment may be onto something.
posted by shelleycat at 7:23 PM on January 4, 2007

I have noticed that most or all the bouncebacks are from aisan domain names (e.g. .jp extensions) so I wonder if Pollomacho's comment may be onto something.

OK scratch that. It was the case when this started but apparently not any more (I just had a look).

I also figured out my white list is only catching things directly to my account name and not the catch all stuff so I'm going to seperate that out into a different account with it's own folder like I do for the internet-posted email address.
posted by shelleycat at 7:31 PM on January 4, 2007

If you like the behaviour of the catch-all, but don't like this obvious downside, see if your host allows you to use addresses like this:


Where "anything" and "something" are made up on the spot. Anything can come between the plus and the @ symbol, and all of it will be delivered to name@domain.com. Many mail servers offer this feature, and using it will allow you to turn off the catch-all.
posted by odinsdream at 8:05 PM on January 4, 2007

> Could the high level of bounceback be due to the Taiwan earthquake and subsequent Asian internet crash?

Not unless the original poster had been sending mail to southeast Asia at a rate of four or five dozen messages a day, each with a unique reply-to address containing arbtrary character strings.

> name+anything@domain.com

The plus symbol is legal in an email address, but many website forms will not accept it.
posted by ardgedee at 8:19 PM on January 4, 2007

Your only way of stopping it is by turning off your "catch-all" e-mail feature for your domain.

Assuming your mail server lets you use procmail or some other server-side filtering, you can instead simply drop everything that looks like a bounce and is being sent to an address that you don't send mail from.

Example: I own the domain example.com and when I send mail, it is always from bob@example.com. I start getting random bounces to other addresses thanks to my catchall. So, I set up a filter on the server: if it's from mailer-daemon@* or postmaster@* (i.e., a bounce), but is not to bob@example.com, the filter just discards it.
posted by kindall at 10:37 PM on January 4, 2007

This happened to me in the last few months.

What spam was it that you are getting bounced? Most of mine was pump & dump stock scams. I asked about this a while ago, because I was having such trouble filtering it out.

What I worked out thanks to some good replies here was not to try and blacklist it all, but instead to whitelist good email.

Therefore, my filters in Eudora moved everything with a real email address my company used to an approved folder. This got about 90% of it, because it was all bouncing from randomcharacters@mycompany.com.au

I then went through the rest of it and started stripping out anything else that was common. Words like `undeliverable' `daemon' and so on. The filtering for valid names ensured that I would see valid bounced emails. I also discovered that almost all of the bounced emails had one of several fake names in it, or certain key words that I could work out.

In three months I received around 35,000 bounced emails. By the second month though, I saw almost none of them in my real email inbox. There's not much you can do other than filter it.

Good luck, I know very well how frustrating this is.
posted by tomble at 11:09 PM on January 4, 2007

I use MailWasher - it lets you peek into your mail accounts without actually downloading all the mail, and so it's much faster to delete all the spam. The filters and learning system will also auto-mark for deletion, or auto-delete, depending on your settings. There's a freeware version that will work with one account (I think the free version does NOT work with Hotmail/Yahoo/Gmail accounts), but for multiple accounts you'll need the paid version - it's $37 but there's a coupon code floating around on Google to get it for $24.95.
posted by IndigoRain at 11:56 PM on January 4, 2007

Yup, I'm in a similar joe job experience as well. It's really hitting hard the last month or so... I'm tempted to turn off my catch-all, but I have literally hundreds of aliases that I've setup (I do one for every single webpage I sign up for) and I'm extremely neurotic about losing emails, even if they're from sites that I haven't visited in years.
posted by antifuse at 7:00 AM on January 5, 2007

I've been subject to the same treatment over the last month or two. And it's been driving me nuts.

I also love the catch-all, and use the @mydomain.com as a way to give websites/companies with whom I associate individual addresses. On top of that, I forward all mail from lou@mydomain.com to my GMail account. Holy redirections!

This week, I decided to go through the last 6 months of e-mail checking for companies whose e-mail I needed to receive; e-mails delivered to addresses like mybank@mydomain.com. I created mail aliases that send them to lou@mydomain.com, then shut off the catch-all feature. It has decreased my spam/undeliverable notices from ~200 per day to ~50 per day.

My only concern is that I missed one of the faux e-mail addresses I had given out. But it's a chance I'm willing to take.

In the future, I'll be using the mygmail+something@gmail.com or lou+something@mydomain.com technique.

posted by LouMac at 7:01 AM on January 5, 2007

This is NOT a dictionary attack.

What are you getting is e-mail backscatter as described above. There are two possible situations which could be causing this 1) Knowing Mailer and 2) Unknowing Mailer

1) Knowing Mailer - A spammer has a mail program which is generating spam e-mail and is either using your domain name in the sending address (aka MAILFROM) of the SMTP conversation or in the From address of the mail headers.

In this scenario you maybe able to check the headers of the bounce back message and find the originating IP address of the e-mail which triggered the bounce back and report them to their ISP. The ISP can take care of shutting down the Knowing Mailer.

2) Unknowing Mailer - A machine on the Internet has been compromised and is generating spam e-mail and is either using your domain name in the sending address (aka MAILFROM) of the SMTP conversation or in the From address of the mail headers.

Typically, in this scenario, the compromised machine is owned by someone who has your e-mail address somewhere on their harddrive. Maybe you sent them an e-mail of they sent you one. The malicious software searches the whole harddrive for e-mail addresses and then starts sending out copies of it's payload to random addresses and from random addresses at a breakneck pace.

Again the originating IP will typically be somewhere in the headers and you if you get the IP you can locate the ISP and notify them of the issue. In very rare cases you'll find an IP which will map to a company which you can actually call and tell them that they have a machine which is spewing out spam.
posted by dgeiser13 at 9:39 AM on January 5, 2007

This whole spam lark from bots is a royal pain in the ass.
posted by Johnny Showbiz at 10:29 AM on January 5, 2007

« Older Why does standing in front of an elevator give me...   |   What is this thing? Newer »
This thread is closed to new comments.