spam being sent using my domain

Corey Edwards tensai at zmonkey.org
Fri Jan 19 09:15:18 MST 2007


On Thu, 2007-01-18 at 22:04 -0700, Doran Barton wrote:
> Derek Davis wrote:
> > Thanks.  I'd hate for people to think that I've turned into a spammer.
> 
> A common tactic for spammers is to send e-mail through an open relay using
> the From: address of a completely arbitrary e-mail address like
> skjshdf at dnadavis.net. If and when this e-mail bounces, where does the bounce
> notification go? In this case, it goes to you.

The way to tell the difference is with the headers. Just follow the
trail of Received lines and see where the bounce message originated. For
example, here is the path fozzmoo's message took:

Received: from plug.org ([63.108.71.211] helo=orodruin.plug.org) by
        joanna.zmonkey.org with esmtp  (Exim 4.50 #1 (Debian)) id
        1H7lvK-00045E-TM for <tensai at zmonkey.org>;
        Thu, 18 Jan 2007 22:04:23 -0700
Received: from castro.iodynamics.com (castro.iodynamics.com
        [166.70.63.2])
        by orodruin.plug.org (Postfix) with ESMTP id AE10DE3C89 for
        <plug at plug.org>; Thu, 18 Jan 2007 22:04:14 -0700 (MST)
Received: from [192.168.2.6] (moo.iodynamics.com [166.70.238.250])
        (authenticated bits=0) by castro.iodynamics.com (8.13.7/8.13.7)
        with ESMTP id l0J54DCd031977 (version=TLSv1/SSLv3
        cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for
        <plug at plug.org>; Thu, 18 Jan 2007 22:04:14 -0700

Start at your server and trace your way back. Be careful because
spammers will throw in bogus Received headers trying to fool you. So
this message went joanna <-- orodruin <-- castro <-- moo. If this had
been the bounce message, then moo would be the culprit.

> What can be done about it? Frameworks like Sender-ID and SPF have made some
> progress. SMTP servers use these methods to verify a message is coming from a
> valid relay for your domain. For example, if e-mail purporting to be from
> skjshdf at dnadavis.net comes through some comcast.net address and the SPF
> record for dnadavis.net says only the IP 216.163.188.58 is a valid relay for
> the domain, an SPF-enabled SMTP server will know to reject the message.
> 
> Unfortunately, until the whole world standardizes on some kind of relay
> validation system there will always be some spam that seeps out disguised as
> being from someone at your domain.

And more unfortunately, servers which are still running as open relays
aren't likely to properly implement SPF, Sender-ID or Domain Keys.
Running an open relay went out of fashion years ago and these guys still
haven't caught up. I'll bet their admins wear Hammer Pants and have
mullets too.

I strongly recommend against anybody (yes, anybody) using a catchall on
a domain. I've removed them on a few of my customers' domains and seen
spam levels drop by 90% or more. If you want another email address,
either set your server up to accept suffixes (the common +suffix trick)
or explicitly add the aliases.

Corey
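The Received-header walk Corey describes above (start at your own server, follow the trail outward, and distrust any line that does not join up), as an added example that is not part of the original thread. It uses the three headers quoted in the message as a constructed sample; the continuity rule (each hop's "by" host must be a name the hop above logged for its peer) only proves a line bogus when it fails, it never proves a consistent line genuine.

```python
import email
import re

# Constructed sample: the three Received headers quoted above, "at" rewritten to "@".
SAMPLE = """\
Received: from plug.org ([63.108.71.211] helo=orodruin.plug.org) by
        joanna.zmonkey.org with esmtp  (Exim 4.50 #1 (Debian)) id
        1H7lvK-00045E-TM for <tensai@zmonkey.org>;
        Thu, 18 Jan 2007 22:04:23 -0700
Received: from castro.iodynamics.com (castro.iodynamics.com
        [166.70.63.2])
        by orodruin.plug.org (Postfix) with ESMTP id AE10DE3C89 for
        <plug@plug.org>; Thu, 18 Jan 2007 22:04:14 -0700 (MST)
Received: from [192.168.2.6] (moo.iodynamics.com [166.70.238.250])
        (authenticated bits=0) by castro.iodynamics.com (8.13.7/8.13.7)
        with ESMTP id l0J54DCd031977 (version=TLSv1/SSLv3
        cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for
        <plug@plug.org>; Thu, 18 Jan 2007 22:04:14 -0700
"""

# "from <helo-name> (<comment>) ... by <receiver>": the first comment is where
# Exim, Postfix and sendmail log the peer's reverse DNS name and connecting IP.
HOP_RE = re.compile(r"from\s+(\S+)\s*(\([^)]*\))?.*?\bby\s+([\w.-]+)", re.S)
NAME_RE = re.compile(r"(?:helo=)?([A-Za-z0-9-]*[A-Za-z][A-Za-z0-9.-]*)")

def parse_hops(raw_message):
    """Top-down list of (receiving host, names the peer was logged under, peer IP)."""
    hops = []
    for value in email.message_from_string(raw_message).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue  # e.g. "Received: by ..." local submission lines
        names = set(NAME_RE.findall(m.group(1) + " " + (m.group(2) or "")))
        ip = re.search(r"\[(\d+(?:\.\d+){3})\]", m.group(2) or m.group(1))
        hops.append((m.group(3), names, ip.group(1) if ip else None))
    return hops

def trace(raw_message):
    """Start at your own server (first header) and walk outward; a hop whose
    "by" host was never logged as the previous hop's peer is bogus, and it and
    everything below it came from the sender. Returns (chain, origin, bogus)."""
    hops = parse_hops(raw_message)
    trusted = []
    for i, hop in enumerate(hops):
        if i and hop[0] not in hops[i - 1][1]:
            break
        trusted.append(hop)
    chain = [h[0] for h in trusted]
    origin = (trusted[-1][1], trusted[-1][2]) if trusted else None
    return chain, origin, hops[len(trusted):]
```

On the sample this yields the chain joanna <-- orodruin <-- castro with moo.iodynamics.com at 166.70.238.250 as the origin, which is exactly what Corey reads off by hand.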
