Protecting Your Small Domain from Spam Hijacking?
"My domain hosting service, CubeSoft, has been a good host for my domain for the past three years, and they have been very helpful in re-enabling most of my account, but at the moment they don't want to re-enable my e-mail because of the flood of returned spam coming in (30,000 messages per day). Since the return addresses are all invalid (e.g. 'nonexistent_address@gelhaus.net'), I would think it would be simple to filter out all messages that aren't specific ones I've set up (e.g. 'valid_address@gelhaus.net'). I can't believe my domain is the first to have experienced this problem. It would be a tragedy to have to just shut down my domain because of this. CubeSoft says there isn't any way to prevent it because there is nothing that stops a spammer from using a fake return e-mail address. What have others with small domains done to protect themselves?"
Just wait it out (Score:5, Informative)
All the above is conjecture, of course. But it may be something for your ISP to think about. It may be possible to re-enable the MX for your domain in a short while without having to do anything.
Re:Just wait it out (Score:3, Interesting)
The only upside is the hate mail I periodically receive, especially the threats of lawsuits, invoic
Re:Just wait it out (Score:1)
get your ISP to change your MX record (Score:1)
Re:get your ISP to change your MX record (Score:2)
Re:get your ISP to change your MX record (Score:1)
Re:get your ISP to change your MX record (Score:2)
Re:get your ISP to change your MX record (Score:5, Funny)
That still exists?
Re:get your ISP to change your MX record (Score:4, Informative)
Set rules in yer MDA. Aliases work for this. Legitimate addresses get delivered to the appropriate box. Yer last alias is *. This one has a mailbox /dev/null.
Any mail not intended for a named recipient /will/ use bandwidth - then go "poof"...
Get a new domain host. (Score:4, Informative)
BTW, this is generally known as a Joe Job [everything2.com].
Re:Get a new domain host. (Score:4, Interesting)
Luckily, in my case every email hawked generic viagra from China. After a week and a half I finally called Pfizer and reported the website. The emails stopped shortly after that and I was never sure if they were related. The website is gone now too.
I have seen spam for anti-spam software, but why not for anti-spam retribution services. Of course, I would never advocate violence. :-/
One small thing that you can do (Score:5, Informative)
The long and short of it is that we couldn't do much about it, other than try to minimize the resource waste. In our exim configuration we turned on "receiver_verify", which means that before the incoming message enters the delivery phase, it's verified that there is a valid receiver. (Before doing this, the incoming message would run through SpamAssassin and then generate a bounce, using CPU time, memory, etc.) I know it's not much; I hope someone comes up with more suggestions.
Use SPF to protect against "Joe Jobs" (Score:5, Interesting)
See http://spf.pobox.com [pobox.com] You can publish your DNS now, indicating which legitimate IPs are in use for mail from your domain.
Re:Use SPF to protect against "Joe Jobs" (Score:2, Funny)
If everyone uses SPF, it will cut down on spam and joe-jobs.
Of course, if everyone would stop spamming, it would also cut down on spam.
It's a good idea, but SMTP without SPF is far too integrated into our lives to eliminate any time soon.
Re:Use SPF to protect against "Joe Jobs" (Score:2)
Re:Use SPF to protect against "Joe Jobs" (Score:2)
Re:Use SPF to protect against "Joe Jobs" (Score:2)
Re:Use SPF to protect against "Joe Jobs" (Score:1)
No, if only the domains which a spammer is joe-jobbing support SPF, then you can block those emails.
That's not going to cut down on spam by any significant amount.
But if you publish SPF records yourself, you can be protected from spammer pretending to be you and spamming a million people and you getting all the bounces!
Instead you'll get 999,000 bounces from all but the 1,000 people who bother to check the SPF records.
Re:Use SPF to protect against "Joe Jobs" (Score:2)
Re:Use SPF to protect against "Joe Jobs" (Score:1)
And then the next time you get 880000 bounces, and then the next time you get 770000, and so on until everyone is running an MTA that supports SPF.
Next time? I've only been joe-jobbed once so far. By the time the bounces go down to 550,000 it'll be 2050.
Your argument is one of those "we can't solve all the problems right now so we should just sit here and contemplate our navel" arguments.
No, my argument is one of those "why bother wasting your time implementing a solution which isn't going to actua
Re:Use SPF to protect against "Joe Jobs" (Score:2, Informative)
Re:Use SPF to protect against "Joe Jobs" (Score:1)
Isn't that exactly what SPF is supposed to control?
The site [pobox.com] explains quite clearly it is to avoid spammers (from unknown IP addresses) claiming that "From:" (or "Return-To:") addresses are inside your domain.
Re:Use SPF to protect against "Joe Jobs" (Score:2)
As long as email isn't replaced... (Score:5, Insightful)
Re:As long as email isn't replaced... (Score:4, Informative)
But nobody seems interested in a modern-day email alternative.
Just about everyone is interested in a modern-day email alternative. The problem is getting everyone to agree on which particular one to use.
Re:As long as email isn't replaced... (Score:2, Insightful)
If the spam comes from china, find their mailservers, routers, and even fiber links, and solve the problem in the most american way I can think of. Hot, fast lead. If it comes from florida, really with that state why aren't we testing our nuclear stockpile there instead of wasting valuable cpu cycles that could be running doom III? Russia? Disperse some anthrax, and leak a story about how some dumbass russian researcher trying to
Re:As long as email isn't replaced... (Score:1)
Why are you using their SMTP server (Score:2)
This won't solve the 30K messages a day problem, you will still have to suffer under that bandwidth, but your destiny is in your hands: you can get SpamAssassin, or your favorite filtering application, to handle the problem. It has sucked the last few days for me as well... Something like 400 copies of sobig coming a
Re:Why are you using their SMTP server (Score:2)
Not everyone has a permanent net connection that lets them set up a personal mail server, and even if you do have that, those 30k messages will have to be routed via a service provider of some sort - okay, so you stop annoying your hosting provider, but you'll very quickly get on the wrong end of your network provider with that sort of traffic coming into a home account.
Which is worse? Having your hosting provider pull the plug on your email,
Re:Why are you using their SMTP server (Score:1)
Cable Modems are not ISPs (Score:2)
The reason that I say this is that with their Terms of Service these WSP'ers remove the ability to use the internet the way that I want to. I want to be able to run VPNs, I want to be able to run services that are useful to me as their customer. About the only thing that the TOS allow is to surf the web for porn, and use their e-mail server to download mail to m
Re:Why are you using their SMTP server (Score:1)
You have the Michael Bolton problem (Score:5, Funny)
Samir: You know, there's nothing wrong with that name.
Michael Bolton: There WAS nothing wrong with it. Until I was about 12 years old, and that no-talent-ass-clown became famous and started winning Grammys.
Samir: Why don't you just go by Mike, instead of Michael?
Michael Bolton: No way! Why should I change it? He's the one who sucks.
MX Trickery (Score:5, Insightful)
Re:MX Trickery (Score:1)
Re:MX Trickery (Score:2)
Re:MX Trickery (Score:1)
Re:MX Trickery (Score:2)
Re:MX Trickery (Score:1)
Re:MX Trickery (Score:2)
Re:MX Trickery (Score:2)
Hey, that's my address! What did I ever do to you?!
Re:MX Trickery (Score:2)
Re:MX Trickery (Score:1)
Re:MX Trickery (Score:2)
You're smart... (Score:3, Insightful)
At the moment it looks like I may never be able to have any @gelhaus.net e-mail again.
Since the return addresses are all invalid (e.g. 'nonexistent_address@gelhaus.net'), I would think it would be simple to filter out all messages that aren't specific ones I've set up (e.g. 'valid_address@gelhaus.net').
See that, you answered your own question. Just block invalid addresses.
I've had this happen before to my domain, and eventually it died down. If it doesn't die down for you maybe you could track the spammer down and sue her.
Any sane protocol would never suffer from this problem. Yet people still claim that email is not broken...
Re:You're smart... (Score:5, Informative)
Add one for each falsified account. You will still get the incoming SMTP connections, but your server will reject the mail before the sending host transmits the whole thing. Advantage: you lose the bandwidth that it takes to build a TCP connection and send a single RCPT line, rather than losing the bandwidth and storage required to process and bounce a whole message.
My SMTP bandwidth graphs dropped about 85% after adding those filters. Do the same on your end (or have your ISP do it for you) and sit back while the storm blows over.
Oh, yeah: you may want to put a prominent notice [honeypot.net] on your website's main entry point stating that you are not the originator of the spams. The flood of mail to my "abuse@" address tapered off greatly once I explained things to visitors. I still get a few twits with an axe to grind but there's not much you can do about that.
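The reject-at-RCPT approach described in the post above (and exim's "receiver_verify" mentioned earlier in the thread), as an added example that is not code from the original thread or from any of the MTAs named in it. It models a toy SMTP receiver that checks the recipient before DATA, alongside a well-behaved sending MTA that stops at the first 5xx, so the bandwidth difference between rejecting at RCPT and accepting-then-bouncing can be measured. The domain, mailbox list and bounce message are constructed for the demonstration; the parser also insists on the angle brackets RFC 821 requires around a path, with "<>" being the null reverse-path every bounce carries.

```python
"""Toy SMTP receiver with recipient verification at RCPT time.

Added example, not code from the thread.  gelhaus.net, the mailbox set and
the bounce text are constructed; the point is the byte count, not realism.
"""

VALID = {"valid_address@gelhaus.net", "postmaster@gelhaus.net"}
LOCAL_DOMAIN = "gelhaus.net"


def parse_path(arg):
    """Address inside a MAIL FROM:/RCPT TO: argument, or None if it is not
    bracketed as RFC 821 requires.  "<>" (the null reverse-path used by
    bounces) parses to the empty string."""
    arg = arg.strip()
    if not (arg.startswith("<") and arg.endswith(">")):
        return None
    return arg[1:-1].lower()


class ToyServer:
    def __init__(self, valid, catch_all=False):
        self.valid = valid
        self.catch_all = catch_all   # accept any local address, bounce later
        self.sender = None
        self.rcpts = []
        self.in_data = False

    def reply(self, line):
        if self.in_data:
            if line == ".":
                self.in_data = False
                return "250 OK: queued"
            return None                      # body lines get no reply
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mail.gelhaus.net"
        if verb == "MAIL":
            addr = parse_path(arg.partition(":")[2])
            if addr is None:
                return "501 Syntax error: reverse-path must be in <>"
            self.sender = addr
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL first"
            addr = parse_path(arg.partition(":")[2])
            if addr is None:
                return "501 Syntax error in forward-path"
            local = addr.endswith("@" + LOCAL_DOMAIN)
            if addr in self.valid or (self.catch_all and local):
                self.rcpts.append(addr)
                return "250 OK"
            # Reject here, before DATA: the client never sends the body and
            # the server never queues a message it would only bounce.
            return "550 5.1.1 No such user"
        if verb == "DATA":
            if not self.rcpts:
                return "554 5.5.1 No valid recipients"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Unrecognised command"


def deliver(server, reverse_path, forward_path, body):
    """A well-behaved sending MTA: runs the transaction and aborts on the
    first 5xx.  Returns (last reply, bytes sent on the wire)."""
    sent = 0

    def send(line):
        nonlocal sent
        sent += len(line) + 2            # CRLF
        return server.reply(line)

    for cmd in ("HELO relay.example.net", "MAIL FROM:" + reverse_path,
                "RCPT TO:" + forward_path, "DATA"):
        r = send(cmd)
        if r.startswith("5"):
            send("QUIT")
            return r, sent
    for line in body:
        send("." + line if line.startswith(".") else line)   # dot-stuffing
    r = send(".")
    send("QUIT")
    return r, sent


# Constructed backscatter bounce aimed at a made-up local address, ~3 KB.
BOUNCE_BODY = ["From: MAILER-DAEMON@relay.example.net",
               "To: nonexistent_address@gelhaus.net",
               "Subject: Returned mail: User unknown",
               ""] + ["x" * 72] * 40


def compare():
    """Same bounce delivered to a verifying server and to a catch-all one."""
    rcpt = "<nonexistent_address@gelhaus.net>"
    strict = deliver(ToyServer(VALID), "<>", rcpt, BOUNCE_BODY)
    loose = deliver(ToyServer(VALID, catch_all=True), "<>", rcpt, BOUNCE_BODY)
    return strict, loose


if __name__ == "__main__":
    (r1, b1), (r2, b2) = compare()
    print("verify at RCPT:", r1, b1, "bytes read")
    print("catch-all:     ", r2, b2, "bytes read")
```

The saving only materialises against senders that honour the 550; a mailer that ignores error codes still pushes the body, but the server still has nothing to queue or bounce.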
Re:You're smart... (Score:1)
damn women and their spam.
Oh no, I use CubeSoft too! (Score:2)
Can't you just get a different host, then go to your registrar and change your DNS? That will work until your new hosting provider cries "Uncle" under the SPAM flood 8^)
Re:Oh no, I use CubeSoft too! (Score:4, Informative)
Re:Oh no, I use CubeSoft too! (Score:1)
Re:Oh no, I use CubeSoft too! (Score:1)
BTW, we're now in the process of reinstating my val
There's not much you really can do (Score:3, Informative)
If you find that the jobber is indeed an American, though, if I recall correctly, you can sue for damages. Of course, you generally have to find the scumbag first.
Not much you can do at all (Score:5, Informative)
So, what happens when the receiving e-mail server tries to verify the account name too? The spammer has to use someone's real account name (which has happened to me more than once). Since the spammer is using his own mail server to send the messages, your account and domain names only get checked against your mail server when the recipient server tries to verify that they exist, not when the spam is originally sent. Thus, it's almost impossible to prevent.
Your only hope is finding the spammer somehow and making them miserable in some way (getting their ISP to cut them off, legal action), but that usually leads to the spammer's friends making an example out of you (yet more unfortunate personal experience). I would just wait it out. Your ISP is doing the only thing they can by disabling your domain's e-mail. Soon, the "from" lookups will start failing for the spammer and he/she'll have to pick someone else to impersonate. I hope that your ISP will let you re-enable your domain's e-mail when it blows over. Good luck!
An Idea (Score:5, Interesting)
Bounce (Score:1)
Re:An Idea - which does not work (Score:3, Informative)
So either you scan already while receiving the email (as several people mentioned before, scan the header for invalid sender ips and then discard the bounces immediately BEFORE the whole email is accepted) or just wait
Eureka! (Score:3, Funny)
All you need to do is get a *really* long domainname.
For instance, would you expect any spam to originate from llanfairpwllgwyngyllgogerychwyrndrobwllllantysili
I think not!
Yet I'm sure there's at least a postmaster account running there (and surely a real account or two, even if just for fun's sake).
Re:Eureka! (Score:2)
Similar experiences (Score:4, Interesting)
I have two domain names, one personal, one business.
The personal one was 'hijacked' in a very bizarre way a few years ago. I annoyed the owner of a popular site (by publishing an article about him swindling his visitors) so he posted my address dozens of times, all over the front page of his site. Obviously he wanted anyone who still believed his side of the story to send me hate mail, and that's exactly what happened. That was mailbombing though. The 'hijacking' was secondary, because of course my e-mail address is now in the address book of hundreds, if not thousands of people who are, let's say, not spectacularly bright. You can imagine how many e-mail viruses I get as a result of being in those address books.
The problem with my other domain is someone sending out viruses with my business address as the return address. This results in lots of auto-rejections from ISP spam filters. It's an inconvenience but it is NOTHING like as bad as the 30,000 you're getting, so you have my sincere sympathy. It must be very depressing to have something like this happen on such a large scale, and I do hope you figure out a way to prevent it.
Protection? (Score:1)
First of all, I'd recommend finding a hosting company which understands e-mail headers. To someone with basic knowledge of how e-mail works, it would be obvious that you haven't been spamming these people and that your account is innocent.
Second, how about putting a link to this article somewhere on your site, with a little explanation to your visitors about what ha
Publish 'spf' records for your domain(s) (Score:4, Informative)
Sure, not many MTA/MUAs check SPF records yet, but the fact that you are working to keep people from 'joe-jobbing' you should make your isp happy.
Host your own domain (Score:3, Informative)
If you are technically inclined, and you have a broadband connection, this is definitely the best way at present to take control of spam.
Incidentally, I believe the ultimate solution to spam must involve banks and financial institutions - basically, an international mandate for these to not honor payment requests (e.g. credit card payments) to spammers. In the mean time, a mandatory upgrade or replacement to the SMTP protocol, to provide foolproof sender validation (by way of private/public keys or similar), will certainly go a long way towards solving the problem.
-tor
Re:Host your own domain (Score:2)
Re:Host your own domain (Score:2)
Nothing. I guess I forgot to mention the whole point of hosting your own MTA - namely, that:
So, it does not solve the problem with fo
Just get rid of the email addresses (Score:3, Informative)
You shouldn't be so SOL, in my opinion.
Push the emails back toward the spammer (Score:5, Interesting)
A brief investigation of a few of the bounces revealed that the spammer was using a variety of email addresses and domains in the message as their contact point. Many of the domains shared the same mail server, which was obviously a co-lo box, so she simply pointed all of the MX records for her domain towards the spammer's primary email server. Unfortunately it wasn't misconfigured to actually accept the bounces, but each bounce was tying up resources and bandwidth belonging to the spammer. When she reset the MX records back a month or so later it was all over.
This is only applicable if you have your own domain like in this instance of course, I doubt an ISP would even consider this course of action with one of their subdomains as it's a dubious course of action to say the least. You also lose all use of your domain while the MX records are repointed, so you better be *damn* sure nothing sensitive is going to be received in legit email because the spammer could, if they wanted, accept and read your email.
Interesting and apparently effective strategy though.
Re:Push the emails back toward the spammer (Score:1)
Re:Push the emails back toward the spammer (Score:4, Informative)
Setting the MX record has no bearing on whether the email is legit or not though, MX records are purely concerned with delivery, not dispatch. True, someone doing some investigation might notice the IPs matching and jump to the wrong conclusion, so you might want to use something like this in DNS:
Which should make it a little clearer what's going on to anyone doing any digging.
Secure Mail (Score:3, Interesting)
Re:Secure Mail (Score:2)
my server is configured with a self signed cert to advertise TLS and use it where possible, but to also allow normal SMTP too so that I can actually get most of
Re:Secure Mail (Score:2)
Re:Secure Mail (Score:2)
Often the functionality is there, it just needs configuring. After all, you do have to tell it what certificates to use (or to generate some if the software offers that option).
I know that Notes supports TLS. This needs checking, but I believe that some versions advertise TLS out of the box but then fall over as they have no certs configured.
Have you seen the BELPS site? (Score:2)
It seems to be describing a situation very similar to yours and a large number of actions taken to resolve it.
here's what you do (Score:1, Funny)
Even better, you could find out who he is, and then start sending letters in his name to major organized crime members demanding money or taunting them.
Find a lawyer (Score:3, Informative)
It is a long shot, but if you can track these people down, you have plenty of grounds for a lawsuit against them. Just prove they used your identity without your permission. Even if they are in one of the few countries that won't help you out, there is a good chance that they have backers in a country, and you can sue the backers. Or if you can find who they are, and who the customers are, you can get the government to watch money transfers, and force all customers' money into your account (a very big maybe here). But you need a lawyer to 1) win the case for you, and 2) tell you how you can collect.
Good luck, but I urge you to do this. You should have plenty of grounds, and you might join the few guys who have actually shut down a spammer.
Sue! (Score:2)
Here's what would be fun. Find out what product is being sold by what company. Then, talk to a lawyer and see if there is such a thing as "accomplice to identity theft" or something along those lines. Sue the company whose product is being spammed. Profit? Who knows. It might get said company to either dump said spammer or tell them to clean up their act.
Who knows, it might work!
Re:Sue! (Score:2)
Most likely the spammer himself is taking advantage of an affiliate scheme, and is long gone.
Thanks for the replies (Score:5, Informative)
By the way, I should mention that my hosting service, CubeSoft, has been very good through all this. I've been in constant contact with them through e-mail (but not my domain e-mail, hah), and they have been very helpful in suggesting solutions and in trying to work with me rather than just blowing me off as not their problem. After this, I can strongly recommend them as a hosting provider.
Re:Thanks for the replies (Score:3, Informative)
Hint: RFC821 states that address must have angle brackets like <test@somewhere>. Legit MTAs always put these in -- I've only seen bulk mailers and people telnetting omit them.
And to continue the example (with a very dumb mailer that ignores error codes):
what would happen if... (Score:2, Insightful)
My general opinion is that a division of labor should be kept between web page hosting and email hosting, even though, of course, the server is desi
I'm going to try this, I think (Score:2)
I was thinking since we host our own DNS, we could put in ACLs in our bind setup to disallow queries to the affected domain from the netblock that the spammer is operating from, and perhaps the first level of smtp servers that they are using. (If those are consistent.) This might provide a way to selectively DOS the people who are generati
ah-ha! (Score:1)
Disable catch-all (Score:3, Informative)
You should also be able to set up filters in your accounts control panel. If your host does not support this, you need a new host [liquidweb.com].
Re:Disable catch-all (Score:1)
Thank you, thank you, thank you.
E-Mail is starting to suck (Score:3, Interesting)
To get around this, I changed Sendmail to start sending out mail directly instead of using a smarthost. Now I get bounces from people with AOL addresses because AOL somehow knows that I am using a dynamic IP address to send mail from.
The only reason I am having any of these problems at all is because of spam. Spam is ruining the Internet and what's worse, I can see no way of fixing it that doesn't destroy privacy.
Thanks for letting me vent.
Csoft is very user hostile (Score:2)
I think the suggestion mentioned elsewhere about setting up a subdomain is best.
Get a better host (Score:1)
First rule... (Score:1)
Why go for the spammers? (Score:1)
MX records at the web site they are publicising.
If their employer gets hit, perhaps they will be fired...
Follow the money (Score:2)
Work forward until you find the place where the credit card number goes in. Obtain a disposable credit card number from a cooperative bank and use it. Obtain the transaction information from the bank. Follow the money. Use subpoenas when necessary. Find out where the money goes. Sue.
As for joe-jobs, first, trademark your domain name. (You can do this online. [uspto.gov]) Then, a joe-job is a Lanham Act v
Having said that... (Score:2)
switch hosts.. (Score:2)