spam being sent using my domain

Corey Edwards tensai at
Fri Jan 19 09:15:18 MST 2007

On Thu, 2007-01-18 at 22:04 -0700, Doran Barton wrote:
> Derek Davis wrote:
> > Thanks.  I'd hate for people to think that I've turned into a spammer.
> A common tactic for spammers is to send e-mail through an open relay using
> the From: address of a completely arbitrary e-mail address like
> skjshdf at If and when this e-mail bounces, where does the bounce
> notification go? In this case, it goes to you.

The way to tell the difference is with the headers. Just follow the
trail of Received lines and see where the bounce message originated. For
example, here is the path fozzmoo's message took:

Received: from ([] by with esmtp  (Exim 4.50 #1 (Debian)) id
        1H7lvK-00045E-TM for <tensai at>;
        Thu, 18 Jan 2007 22:04:23 -0700
Received: from (
        by (Postfix) with ESMTP id AE10DE3C89 for
        <plug at>; Thu, 18 Jan 2007 22:04:14 -0700 (MST)
Received: from [] ( [])
        (authenticated bits=0) by (8.13.7/8.13.7)
        with ESMTP id l0J54DCd031977 (version=TLSv1/SSLv3
        cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for
        <plug at>; Thu, 18 Jan 2007 22:04:14 -0700

Start at your server and trace your way back. Be careful because
spammers will throw in bogus Received headers trying to fool you. So
this message went joanna <-- orodruin <-- castro <-- moo. If this had
been the bounce message, then moo would be the culprit.

> What can be done about it? Frameworks like Sender-ID and SPF have made some
> progress. SMTP servers use these methods to verify a message is coming from a
> valid relay for your domain. For example, if e-mail purporting to be from
> skjshdf at comes through some address and the SPF
> record for says only the IP is a valid relay for
> the domain, a SPF-enabled SMTP server will know to reject the message.
> Unfortunately, until the whole world standardizes on some kind of relay
> validation system there will always be some spam that seeps out disguised as
> being from someone at your domain.

And more unfortunately, servers which are still running as open relays
aren't likely to properly implement SPF, Sender-ID or Domain Keys.
Running an open relay went out of fashion years ago and these guys still
haven't caught up. I'll bet their admins wear Hammer Pants and have
mullets too.

I strongly recommend against anybody (yes, anybody) using a catchall on
a domain. I've removed them on a few of my customers' domains and seen
spam levels drop by 90% or more. If you want another email address,
either set your server up to accept suffixes (the common +suffix trick)
or explicitly add the aliases.
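Added example (not code from this thread or from any of the posters): the trace described above, done in Python. It parses the Received: lines of a message, walks from your own server back toward the sender, stops at the first hop whose "from" host does not match the next-older hop's "by" host (the point where prepended bogus Received: lines begin), and then checks the IP of the last trustworthy relay against an SPF record of the kind described in the quoted text. The message, hostnames, addresses (RFC 5737 documentation ranges) and the SPF record are all constructed for this example; a real check would fetch the TXT record from DNS, handle include/a/mx mechanisms, and compare IPs as well as hostnames.

```python
"""Trace Received: headers back to the originating relay and check it against SPF.

Added example, not code from the PLUG thread. Hostnames, IPs and the SPF
record below are constructed for illustration.
"""
from __future__ import annotations

import email
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample as it arrived at mx.example.org. The bottom Received:
# line is one the spammer prepended so the mail looks like it started at
# example.org's own MTA; the real origin is an open relay one hop above it.
SAMPLE = """\
Received: from relay.example.net ([198.51.100.7])
        by mx.example.org with esmtp (Exim 4.50) id 1ABCDE-000001-XX
        for <victim@example.org>; Thu, 18 Jan 2007 22:04:23 -0700
Received: from openrelay.example.com (openrelay.example.com [198.51.100.77])
        by relay.example.net (Postfix) with ESMTP id AE10DE3C89
        for <victim@example.org>; Thu, 18 Jan 2007 22:04:14 -0700 (MST)
Received: from mail.example.org ([203.0.113.10])
        by totally.unrelated.invalid with SMTP id forged123;
        Thu, 18 Jan 2007 22:04:10 -0700
From: skjshdf@example.org
To: victim@example.org
Subject: test

body
"""

# Assumed SPF record for the From: domain (a real check would query DNS TXT).
SPF_RECORDS = {"example.org": "v=spf1 ip4:203.0.113.10 -all"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s*\((?P<comment>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.S,
)
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


@dataclass
class Hop:
    from_host: str
    from_ip: str | None
    by_host: str


def parse_received(raw_message: str) -> list[Hop]:
    """Return Received: hops in header order: index 0 is the last (your) server."""
    msg = email.message_from_string(raw_message)
    hops: list[Hop] = []
    for value in msg.get_all("Received", []):
        unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo RFC 5322 folding
        m = RECEIVED_RE.search(unfolded)
        if not m:
            continue  # e.g. "Received: by ..." local delivery lines; ignored here
        ipm = IP_RE.search(m.group("comment") or "") or IP_RE.search(m.group("from"))
        hops.append(Hop(m.group("from").lower().rstrip("."),
                        ipm.group(1) if ipm else None,
                        m.group("by").lower().rstrip(".")))
    return hops


def trace_origin(hops: list[Hop]) -> tuple[Hop | None, list[int]]:
    """Walk from your server back toward the sender.

    Each hop's 'from' host must equal the next-older hop's 'by' host. The
    first mismatch is where the chain stops being verifiable; every older
    line is untrusted. Returns the last trustworthy hop (its 'from' is the
    culprit relay) and the indexes of the suspect lines.
    """
    if not hops:
        return None, []
    for i in range(len(hops) - 1):
        if hops[i].from_host != hops[i + 1].by_host:
            return hops[i], list(range(i + 1, len(hops)))
    return hops[-1], []


def spf_check(record: str, ip: str) -> str:
    """Minimal SPF evaluation for ip4/ip6/all terms; no DNS, no include/a/mx."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qual = "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return qualifiers[qual]
        if mech in ("ip4", "ip6"):
            try:
                if addr in ipaddress.ip_network(arg, strict=False):
                    return qualifiers[qual]
            except ValueError:
                continue  # malformed network; skip the term
    return "neutral"  # RFC 7208: nothing matched and no 'all' term


def assess(raw_message: str, spf_records: dict[str, str] = SPF_RECORDS) -> dict:
    """Origin relay of the message plus the SPF verdict for its From: domain."""
    hops = parse_received(raw_message)
    origin, suspect = trace_origin(hops)
    msg = email.message_from_string(raw_message)
    domain = (msg.get("From") or "").rsplit("@", 1)[-1].strip(" <>").lower()
    record = spf_records.get(domain, "")
    verdict = spf_check(record, origin.from_ip) if origin and origin.from_ip else "none"
    return {"origin_host": origin.from_host if origin else None,
            "origin_ip": origin.from_ip if origin else None,
            "suspect_hops": suspect, "from_domain": domain, "spf": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE))
    # Had we trusted the bottom-most (forged) line, SPF would have passed:
    print(spf_check(SPF_RECORDS["example.org"], "203.0.113.10"))
```

Run against the constructed message, `assess` reports openrelay.example.com (198.51.100.77) as the origin, flags the bottom Received: line as suspect, and returns an SPF "fail" for example.org; the forged line alone would have passed. The hostname-equality test is the simplest form of the check. In practice you also compare the IP your own server logged against the "from" line it wrote, since that first hop is the only one you can verify directly.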

