Proving You Are Not a Spammer?
tfinniga asks: "A spammer has recently started using my domain name as 'From:' addresses when sending out spam. I'm worried about my domain being blacklisted, and I'm annoyed by the bounces — I'm getting about 1000 bounce messages a day. Unfortunately, I give out a different email address to each site I visit: slashdot@example.com, paypal@example.com, amazon@example.com, etc., and the spammer is using a different address for each mail, so simple address filtering doesn't work. What is the best way of avoiding being put on a blacklist, and dealing with the flood of bounces?"
Procmail helps a lot (Score:5, Informative)
Here are the current regexp lines I have in my
* ^From:.*majordomo
* ^Subject:.*Returned.mail
* ^From:.*mailer-daemon
* ^Subject:.*mail.could.not.be.delivered
* ^From:.*(postmaster|devnull)
* ^Subject:.*autoreply
* ^From:.*spamarrest
Re:Procmail helps a lot (Score:5, Informative)
* ^Return-Path: <>
Darn HTML-like comments.
Re: (Score:2)
1) Procmail can actually detect mail sent from daemons.
2) It matters not that you give out many different addresses to different entities so long as you keep only a small list of addresses to SEND mail.
Based on this, you can tell procmail to filter anything that comes from a daemon (bounces, in particular) and is not addressed to one of your sender addresses.
Example
Use whitelisting (Score:5, Interesting)
As far as stopping the bounces... The only way I've found that works is to use a whitelist system... filter all of the addresses that you know are good (paypal@example.com, etc) into folders, and everything else goes into a generic catchall folder that you give a quick scan to before moving it to a long term keep folder.
Just a note... I highly recommend the keep folder over just trashing the message. When it's morning and you are groggily mass-deleting messages, sometimes good messages get axed accidentally... If you have your own domain, it's likely that you have POP, so long-term storage shouldn't be a problem.
Josh
Re: (Score:2)
But here's what I was thinking:
PGP signatures. A spammer can't fake that, and you can register a single signature to use in all your emails with a specific email like authentication@example.com. That way, since the signature is present, they are guaranteed it's from your domain, and a filter can throw out mails that don't have those.
Granted, there's not enough PGP signature use on the net, but it's a step that I think would work
Re: (Score:2)
Normally that's not a problem. I typically get about 100 bounces a day, which are easy to delete. Yesterday I got home to find > 2000 messages in my inbox; all bounces to the same forged email address. Whil
SPF, backscatter howto (Score:5, Insightful)
If the sender is forging your From address, chances are they're not using your mail server. Most decent blacklists (e.g. SpamCop, Spamhaus) will blacklist the offending server's IP address, not your mail domain.
Consider implementing SPF (home page [openspf.org] wiki [wikipedia.org]) so recipient mail servers can drop the message if it wasn't sent from a server authorized to send mail from your domain.
Most bounce messages will not include your outgoing server's signature. You can consider dropping those messages using the techniques described in the Postfix Backscatter Howto [postfix.org].
Re: (Score:2)
Also, stop using a catchall account. Spammers will dictionary attack your domain and you will continue to get more and more spam for the rest of your life. Instead of *@yourdomain.com, set it up so your catchall accounts look like username-*@yourdomain.com.
Blacklisting (Score:4, Interesting)
It's pretty much standard practice for spammers to set the "from:" to some random, existing e-mail address. This generates a lot of bounces if one of the "to:" accounts doesn't exist and there is still some crappy anti-spam filtering software that bounces (which is stupid in more ways than I can count) to the "from:". But other than that, no blacklist is idiotic enough to still believe the "from:" is reliable.
Re: (Score:2)
That might be true of RBL maintainers, but it's hardly true of mail admins in general. Unfortunately there are still providers who believe their users' reports of spam. My SMTP server is blacklisted on some server in Canada, though we have SPF records and are not on any public RBL. A visit to their website shows that they employ users' reports, among other things, to determine what to block. I've even had a problem with Verizon black
Your bad... (Score:5, Funny)
Also you're breaking RFC 2606.
Let's just say this was your poor judgment and move on.
Run a web host (Score:5, Informative)
All of the good and 99% of the bad network admins will know better than to trust a "From" header in an email. I can't think of anyone that will block a domain based on the From header. Most network admins who set up blacklists blacklist server IPs that email comes from, and not email headers.
As for your catch-all address, you can use some of the techniques that others have mentioned in previous comments. I usually tell my customers to just wait it out. The spammers will stop using your domain after a day or two. Give it another couple of days for the mail queues to empty out, and you'll stop getting bounces.
Re: (Score:1)
That's a bit optimistic. I'm in the exact same position and I've been getting roughly 1000-2000 bounces a day for over a month.
Wait maybe two months, or three. (Score:2)
This is oddly close to home.... (Score:1, Flamebait)
Re: (Score:2, Insightful)
Re: (Score:2, Funny)
You know, I was just thinking of the same thing. How odd
Joe Jobbed (Score:5, Informative)
http://www.spamfaq.net/terminology.shtml#joe_job [spamfaq.net]
3.2.22 What's a "Joe Job"?
The act of faking a spam so that it appears to be from an innocent third party, in order to damage their reputation and possibly to trick their provider into revoking their Internet access. Named after Joes.com, which was victimized in this way by a spammer some years ago.
You will not wind up on a blacklist. This is a well known phenomenon among mail admins.
--
BMO
Re: (Score:1)
You will, however, receive lots of angry emails (containing inept threats of lawsuits from clueless individuals who just don't understand that you're not spamming them).
Re: (Score:2)
No luck, not one reply from a real person. A zillion bounce-back messages and a slew of automated messages. None of the messages give any of the original info. The one bounce-back was especially nice though, explaining the faking of headers, and apologizing for sending more crap but it just couldn't be sure if it was
Re: (Score:2)
Joe jobbing is when the purpose of the work is to discredit. The purpose of this work is simply to provide a semi-reliable intrusion vector for spam. Joe jobbing refers to an early attack of the proprietor of Joe's Cyberpost, Joe Doll. One of his users was a spammer, and had his email account revoked. As revenge, the spammer started spamming while imitating Joe, in order to make
Re: (Score:2)
More like his domain just managed to get in the hopper for a while.
Easy (Score:5, Funny)
DomainKeys and DKIM (Score:4, Informative)
This has happened to me not once but twice, and I really was at a loss at what to do. Well, and angry and annoyed. The second time I decided enough was enough and set up DomainKeys [yahoo.com] and DKIM [dkim.org] (both because DKIM hasn't quite caught on enough yet). Both of them are ways to sign your e-mail so the receiving server can be sure that it actually came from your domain. It's not yet a real solution because not enough people/sites use it or validate against it, but encouraging adoption is always a good thing.
Of course, signing mail isn't really enough to stop it, so you may have to turn off the "catch-all" feature of your mail just to avoid mail bounced to "xycjdfedf@mydomain.com"
yup spamassassin (Score:1, Informative)
Use Google Apps (Gmail for your own domain) (Score:2, Informative)
I use the same catchall feature as mentioned above and I also get a lot of bounce messages. The spam filtering of gmail is amazing. I get a few thousand spam a week and sometimes one falls escapes th
Re:Use Google Apps (Gmail for your own domain) (Score:4, Informative)
Re: (Score:2)
We switched to GMail here at work and that's been the biggest problem with it. I've taken to just using the web mail client for my account, just as if there was no POP access at all.
Yes, I used P
Re: (Score:2)
(Overall, not a horrible thing to do, but could be a deal-breaker for some.)
Old IPs (Score:2, Informative)
So because we were lucky enough to have another site to send from, we weren't screwed... I'd hate to be there without a backup!
Re:Old IPs (Score:4, Interesting)
A fair number of blacklists (at least a few years ago) had a we-won't-ever-remove-you-unless-you-send-us-lots-of-proof-that-your-IP-range-is-no-longer-used-for-spam policy. IP ranges ought to expire from blacklists when there haven't been many complaints for a while.
In fact, blacklists ought to e-mail admin@mailserver when your IP range is blocked, and e-mail you monthly to remind you you're on a blacklist. Why? Most mail systems are polite and tell you if they're rejecting your messages because of a blacklist, but some will silently reject your messages and you might not realize your mail isn't being delivered for a long time, hence you might not realize you've been blacklisted somewhere.
An alternative is that you can poll the blacklists periodically for your IP ranges to see if you've been blocked, but this seems like it places a burden on you and is somewhat irresponsible for the blacklists to do (I know, most of them say "we're a private org, we do what we want, if an ISP is using us for a blacklist then that's the ISP's prerogative, and we don't care," but if you know your blacklist is being used by others, especially by major ISPs, I still think it's somewhat irresponsible to not notify admins that you're blacklisting their IP ranges.)
Next time, prefix them (Score:5, Interesting)
Re: (Score:2)
For those that don't know: Spamgourmet lets you have unlimited aliases, so you just create a new alias for every site you put your email address on. The creation is automatic (happens the first time that email addy is mailed to) and if you later decide it's sending spam, you can turn it
Re: (Score:2)
Unfortunately, most people who write webapps are total idiots (some are geniuses, to be fair). 9 times out of 10 an email address with a + in the name will be rejected as invalid when you try to sign in, because they chose an overly conservative regexp for valid
It is easy if you live in Washington State (Score:5, Funny)
Apparently if you are in Washington, all you have to do is sue yourself for being a spammer [slashdot.org]. The judge will chew you out for wasting the court's time, and then drop the charges without even opening the documents. Once the court has vindicated you, you can demonstrate to everyone how non-spammy you are. I don't think you'll even need a lawyer, although you may need some antacid after seeing the US judicial process up close and personal.
If you don't live in Washington, I think you'll need to move there first.
Good luck. Let us know how the trial goes.
- doug
Washington State --DON'T MOVE HERE! (Score:2)
Please do NOT encourage any more people to move here. The traffic is worse than LA, and all the beautiful forests are now tract housing. That and the RAIN is never ending!
Re: (Score:2)
Dunno. How many years is "new here"?
Simple: You won't be blacklisted (Score:3, Informative)
Filtering is your only problem (Score:4, Informative)
You might want to investigate "Sender Policy Framework", which allows you to add a DNS record to your domain specifying who (in terms of IP addresses) is allowed to send emails that claim to come from your domain. You will probably find that it doesn't decrease your spam bounces, however.
The other option that may be feasible depending on your setup is ensuring that all outgoing emails have a Message-ID with some sort of token in it that you can recognise. All incoming bounces that are not replying to a Message-ID with your token in it are spam.
Just some ideas.
Make a CODE for the subject line:-) (Score:2, Funny)
Sorry you can be blacklisted (Score:5, Informative)
I posted this exact question to Slashdot about 4 years ago; back then you were just pretty much screwed.
I was actually receiving threatening return mail for sending spam, which is why I posted here.
My domain did end up on a bunch of blacklists and is still on a few to this day.
I will say that the better ISPs use a mailserver-based blacklist and not a domain-based one, but there are still some out there.
Now, what you can do:
Go to the FTC ID theft complaint form
https://rn.ftc.gov/pls/dod/widtpubl$.startup?Z_OR
Yes spoofing your e-mail is a form of ID theft.
The company advertised is just as legally responsible as the spammer.
If you keep filing complaints the spammers learn not to use your e-mail. The ones in the US and Canada you can actually sue to recover damages.
Good luck
Simple plan. (Score:2)
I can't see how it can fail
Don't use a catch-all (Score:2)
After examining my mail history
Solutions (Score:2)
2. You can mitigate the bounce problem with Sender Policy Framework (SPF). Many of the larger mailers will drop messages where the SPF records indicate that the sender address is forged. Many more will suppress b
Interesting bug (Score:2)
Disable Open Relay (Score:1)
I had the exact same problem (Score:1)
I went through my procmail logs with some awk/grep/sort -c and found most of the legit addresses I h
Bounces are to MAIL FROM, not From: (Score:2)
Since not all recipients check SPF, you may also wish to sign your mail from. This adds a timed hash token to th
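An added worked example (not code from this poster or from the earlier "Filtering is your only problem" post, which suggested a recognisable token in the Message-ID) of the envelope-level version of the same idea: because bounces are addressed to MAIL FROM, a time-limited HMAC tag in the local part of the envelope sender lets the server accept bounces for mail it really sent and reject everything else addressed to the null sender. The layout follows BATV's prvs= tag; the secret key, the 7-day validity window and the addresses are assumptions for the example.

```python
"""Signed envelope sender (MAIL FROM) so that bounces can be verified.

Added example, not from any post in the thread. Bounces go to the envelope
sender, so a time-limited HMAC token in the local part of MAIL FROM lets
the receiving side tell "a bounce for mail we really sent" from backscatter
without keeping a list of addresses. Shape follows BATV's prvs= tag; the
secret, validity window and addresses are assumptions.
"""
import hashlib
import hmac
import time
from typing import Optional, Tuple

SECRET = b"assumed-site-secret-rotate-me"   # assumption: one key per site
VALID_DAYS = 7                              # a bounce older than this is stale


def _day_number(now: Optional[float]) -> int:
    """Days since the epoch, mod 1000, like BATV's three-digit day field."""
    t = time.time() if now is None else now
    return int(t // 86400) % 1000


def _tag(orig_local: str, day: int) -> str:
    """Eight hex chars of HMAC-SHA256 over the original local part and day."""
    msg = f"{orig_local}|{day:03d}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:8]


def sign_sender(address: str, now: Optional[float] = None) -> str:
    """slashdot@example.com -> prvs=DDDhhhhhhhh=slashdot@example.com"""
    local, _, domain = address.rpartition("@")
    day = _day_number(now)
    return f"prvs={day:03d}{_tag(local, day)}={local}@{domain}"


def verify_bounce_recipient(address: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """For a message with MAIL FROM <>, check that RCPT TO carries a valid tag.

    Returns (True, original address) or (False, reason).
    """
    local, _, domain = address.rpartition("@")
    if not local.startswith("prvs="):
        return False, "unsigned address: this mailbox never sent anything"
    parts = local.split("=", 2)
    if len(parts) != 3 or len(parts[1]) != 11 or not parts[1][:3].isdigit():
        return False, "malformed prvs tag"
    day, digest, orig_local = int(parts[1][:3]), parts[1][3:], parts[2]
    if (_day_number(now) - day) % 1000 > VALID_DAYS:
        return False, "tag expired"
    if not hmac.compare_digest(digest, _tag(orig_local, day)):
        return False, "bad signature"
    return True, f"{orig_local}@{domain}"


def bounce_decision(mail_from: str, rcpt_to: str, now: Optional[float] = None) -> str:
    """Envelope policy: only the null sender (a bounce) is examined."""
    if mail_from not in ("", "<>"):
        return "DUNNO"                       # not a bounce; other checks apply
    ok, detail = verify_bounce_recipient(rcpt_to, now)
    if ok:
        return f"OK deliver to {detail}"     # strip the tag, deliver normally
    return f"REJECT 550 5.7.1 backscatter: {detail}"


if __name__ == "__main__":
    signed = sign_sender("slashdot@example.com")
    print(signed)
    print(bounce_decision("", signed))
    print(bounce_decision("", "xycjdfedf@example.com"))
```

The check only ever runs for MAIL FROM <>, so addresses handed out on web forms keep working: they receive ordinary mail unsigned and only need a tag when a bounce comes back. Rotating SECRET invalidates outstanding tags, so keep the window short and overlap keys if you rotate.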
whitelist prefix (Score:2)
Don't worry. (Score:2)
Your real problem is the backscatter (Score:4, Informative)
Your real problem is the backscatter (those 1000 bounce messages you get per day). My solution follows:
I still have all of my mail logs since time immemorial, so I wrote a script to parse out all of the From email addresses in outgoing email and made a list. Going forward, each outgoing email from my server gets its From address added to that list.
In other words, I have a list of every possible From address ever used to send email from any of my domains (and the domains of the folks I host because they were jealous of my spam filtering).
Part of incoming email processing is a rule that if your envelope sender is <> (that is the envelope sender for bounce messages), and the envelope recipient is not on that magic list of my outgoing senders, then the message must be blowback, and you get an SMTP rejection code and a message that explains why your email was backscatter and to please fix your server.
Before you respond and say, "What about email addresses that you put in webforms? Hello!" Remember, I only apply this rule to envelope sender <>. If you're bouncing email to an address that has never been used to send email, then you are sending blowback.
A desperate plea to mail admins out there: For the love of all things holy, stop sending delayed bounces! When you reject a message, reject it during the SMTP session! Do you have any idea how much pain you are causing others? More information here [spamcop.net].
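An added example (not this poster's own script) of the rule described above, written as a Postfix SMTPD policy-delegation handler: Postfix sends the envelope as name=value lines ending in an empty line and expects an action= reply. The sender list is built from outgoing mail-log lines; the log lines, domain and addresses below are constructed for the example, and the Postfix-style from=<...> field is assumed to be what your log contains.

```python
"""Reject backscatter: bounces (MAIL FROM <>) to addresses that never sent mail.

Added example, not from the thread. Models the rule as a Postfix policy
service: only the null sender is examined, and a bounce is rejected when
its recipient is one of our domains but never appeared as an outgoing
sender. Sample log lines, domains and addresses are constructed.
"""
import re
from typing import Dict, Iterable, Set

# Constructed sample of outgoing-log lines in Postfix qmgr style.
SAMPLE_OUTGOING_LOG = """\
Mar  3 10:01:12 mx postfix/qmgr[1234]: 8A1B2C: from=<slashdot@example.com>, size=1024, nrcpt=1 (queue active)
Mar  3 10:05:40 mx postfix/qmgr[1234]: 9D2E3F: from=<paypal@example.com>, size=2048, nrcpt=1 (queue active)
Mar  3 10:06:02 mx postfix/qmgr[1234]: 1C2D3E: from=<>, size=3000, nrcpt=1 (queue active)
Mar  3 10:07:01 mx postfix/qmgr[1234]: 0F4A5B: from=<slashdot@example.com>, size=900, nrcpt=2 (queue active)
"""

FROM_RE = re.compile(r"from=<([^>]*)>")


def senders_from_log(lines: Iterable[str]) -> Set[str]:
    """Collect every envelope sender that ever appeared in outgoing mail."""
    seen: Set[str] = set()
    for line in lines:
        m = FROM_RE.search(line)
        if m and m.group(1):            # skip from=<>: our own outgoing bounces
            seen.add(m.group(1).lower())
    return seen


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse one Postfix policy request: name=value lines, blank line ends it."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def decide(attrs: Dict[str, str], known_senders: Set[str], local_domains: Set[str]) -> str:
    sender = attrs.get("sender", "")
    recipient = attrs.get("recipient", "").lower()
    if sender != "":
        return "action=DUNNO"           # not a bounce; leave it to other restrictions
    domain = recipient.rpartition("@")[2]
    if domain not in local_domains:
        return "action=DUNNO"           # not ours to judge (relay, forwarding)
    if recipient in known_senders:
        return "action=DUNNO"           # a bounce for mail we really sent
    return ("action=REJECT 5.7.1 Backscatter: this address never sent mail. "
            "Reject forged mail during the SMTP session instead of bouncing it.")


def handle(raw_request: str, known_senders: Set[str], local_domains: Set[str]) -> str:
    """Full request/response cycle; Postfix expects a trailing empty line."""
    return decide(parse_policy_request(raw_request), known_senders, local_domains) + "\n\n"


if __name__ == "__main__":
    known = senders_from_log(SAMPLE_OUTGOING_LOG.splitlines())
    request = ("request=smtpd_access_policy\nprotocol_state=RCPT\nsender=\n"
               "recipient=xycjdfedf@example.com\nclient_address=203.0.113.77\n\n")
    print(handle(request, known, {"example.com"}), end="")
```

Because the rule fires only when the envelope sender is empty, an address that has only ever received mail (one you typed into a web form) is unaffected unless someone bounces to it, which is exactly the case the poster wants to reject. In production the sender set should be appended to as mail leaves the queue, not rebuilt from the log each time.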
Some suggestions (Score:2)
Unfortunately, there isn't going to be much I can do to help you. I am not a sysadmin either, and the only MTA that I know is qmail. I'd probably get flamed for saying this if people were still reading this thread, but qmail is outdated. It lacks many features, probably many that you rely upon, and is basically worthless without a standard set of patches. In other words, I do not recommend that you learn qmail.
My solution invo
Five Things I do: (Score:2)
No need to prove you are not a spammer (Score:1)
Me too (Score:2)
Just 1000? (Score:2)
Re:me too (Score:4, Informative)
Re: (Score:2)
Come to think of it - I haven't gotten one of those types of emails in a while.
Re: (Score:2)
"Online, a joe job (or Joe job) is a spam attack using spoofed sender data and aimed at tarnishing the reputation of the apparent sender and/or induce the recipients to take action against him (see also e-mail spoofing). For a related phenomenon that is not targeted directly at a particular victim, see backscatter of email spam."
Re:me too (Score:5, Interesting)
Dealing with the hundreds or thousands of bounces was inconvenient, but I noticed one string of bounces was coming from a regular user who had a script set up to bounce about a hundred spammy messages of their own in response to each spam they detected.
I mailed them telling them what a useless idea that was, and all I got back was the same bounce - a hundred messages all with the line "PISS OFF WITH YOUR SPAM AND TAKE IT ELSEWHERE", and my original message quoted.
Figuring it was email from my domain (now blacklisted on their server/client somehow), I emailed from another email account, telling them the same thing, and got the same bounces. Third time I tried, I emailed them without describing my domain anywhere in the email, letting them know their spam bounces weren't going to real spammers, rather to the email addresses of those that the spammer had spoofed.
The string of abuse I got back was essentially two pages of ranting, telling me a spammer couldn't fake a From: address, my domain must have been hacked, calling me an idiot who should be banned from the net. The usual teenager response.
The simple fix? Sending email to their account with my domain listed in the body so it triggered their hundred-message spam bounce, but with the From: field set to the idiot's own email address.
I only had to send one. My next message to them reminding them their From: address could indeed be faked bounced back with a mailbox-full message from their ISP. Seems his spam-bounce script had seen my email to him with my domain listed in the body, sent back 100 rude messages all to the From: field address (which was himself), each of which also carried my domain in the text. Those hundred emails to himself also each must have triggered his spam-bounce script, making 10,000 emails to himself from himself... and so on.
Gave me some amusement to make up for having spammers using my domain.
Re: (Score:3, Insightful)
No, but if I saw a guy going around kicking random people because someone once kicked him, you can be sure that I'd give him a good talking to, and if he didn't stop then... Well ok, so the analogy kinda breaks down here, since I wouldn't actually kick him back. But if there were some devilishly cunning way to trick him into kicking himself, you can be damned sure I'd do that.
Re: (Score:2)
But then it wouldn't be slander!!
Re:me too (Score:4, Insightful)
The recipient of the backscatter abuse received unsolicited (he never sent mail to the asshat's domain) bulk (100 messages for 1 sent) email.
He didn't do anything to the ORIGINAL spammer. He taught a moron script-kiddie-turned-spammer a valuable lesson.
Joe Jobbed myself (Score:3, Informative)
Re: (Score:2)
I'm not sure how to go about doing that, but it's something to l
Mail forwarding breaks spam filter assumptions (Score:2)
For instance, SPF lets you say "all mail from example.com comes from IP address 1.2.3.4", but if fred@ex
Re: (Score:2)
For instance, SPF lets you say "all mail from example.com comes from IP address 1.2.3.4", but if fred@example.com sends mail to yourdad@yourdomain.com, and you forward it to yourdad@hotmail.com, hotmail is going to receive mail claiming to be from fred@example.com with your IP address on it, and reject it as a forgery.
Actually, from my understanding, the correct term for what you describe is "redirect," not "forward." "Forward" means to create a new message that has the contents of the original message, setting the "From" field to the address of the person forwarding the message. What you are describing is "redirecting," which means to send an exact copy of the original message, with the "From" field unchanged--set to the address of the sender of the original message--but with a new "To" or "Bcc" field. In this case,
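An added example (not from either poster, nor from the earlier "SPF, backscatter howto" post that recommended publishing a record) of what a receiving server does with an SPF record, covering the two cases the thread raises: a forged message from a host the domain never authorised, and a message redirected unchanged, which fails for exactly the same reason. It is a toy evaluator handling only the ip4, ip6 and all mechanisms with their qualifiers; the records are supplied in a dict standing in for the DNS TXT lookup, and every domain and IP address is made up.

```python
"""Minimal SPF (v=spf1) evaluator: ip4, ip6 and all mechanisms only.

Added example, not from the thread. Real checkers resolve the TXT record
and support include/a/mx/redirect; this toy does just enough to show why
a forged message fails and why an unchanged redirect fails the same way.
Records, domains and addresses are constructed.
"""
import ipaddress
from typing import Dict, Tuple

# Constructed stand-in for "TXT <domain>" lookups.
SPF_RECORDS: Dict[str, str] = {
    "example.com": "v=spf1 ip4:192.0.2.25 ip6:2001:db8::25 -all",
    "yourdomain.example": "v=spf1 ip4:198.51.100.10 ~all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(mail_from: str, client_ip: str, records: Dict[str, str] = SPF_RECORDS) -> str:
    """Return pass, fail, softfail, neutral or none for one SMTP connection."""
    domain = mail_from.rpartition("@")[2].lower()
    record = records.get(domain)
    if not record:
        return "none"                       # domain publishes no SPF record
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                     # mechanisms default to pass
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        else:
            raise NotImplementedError(f"mechanism {mech!r} not handled in this toy")
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                        # record exhausted without a match


def forwarding_scenario() -> Tuple[str, str]:
    """The case from the thread: fred@example.com -> yourdomain -> redirected on."""
    # Hop 1: example.com's own server delivers to yourdomain.example.
    direct = check_spf("fred@example.com", "192.0.2.25")
    # Hop 2: yourdomain.example redirects the message with MAIL FROM unchanged,
    # so the next hop sees fred@example.com arriving from yourdomain's IP.
    forwarded = check_spf("fred@example.com", "198.51.100.10")
    return direct, forwarded


if __name__ == "__main__":
    print("forged spam:", check_spf("slashdot@example.com", "203.0.113.77"))
    print("direct, then redirected:", forwarding_scenario())
```

The forged case is what the SPF recommendation buys you: a spammer's host is not in example.com's record, so a receiver that checks SPF can reject at RCPT time instead of accepting and bouncing. The redirect case shows the cost: an unchanged redirect makes legitimate mail look forged, so a forwarding host must rewrite the envelope sender to its own domain (the usual mechanism is SRS) or the downstream receiver will reject or softfail it.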