Webmaster General Forum

Server Email Spam. Something must be wrong here
Frank_Rizzo (msg:3075252) 7:01 pm on Sep 7, 2006 (gmt 0)

About a year ago I started having a real influx of spam mail. I posted here at the time that someone had decided to use hundreds of email addresses all starting with a and my domain.

e.g. email messages sent to aza34323@mydomain.com, anna77777@mydomain.com, azir100@mydomain.com etc.

This was a bit of an annoyance at first as each morning the email client would download the messages and move them into the junk folder.

Solution
The solution to stop that was to turn off the catch all addressing. I was using catch all so obviously all messages were being downloaded.

Changing to explicit names (sales, information, marketing etc.) solved that mailbox influx but didn't stop the messages arriving at the server.

Knock on Effect
I thought that solution would be a double edged sword and that it would eventually stop the spam messages from reaching the server.

At the time I had assumed the spammers were using some tricks to determine if the email addresses were genuine or not. If there was no bounce from the spam email then the email address must be genuine!

So turning off catch all meant that all those a*@mydomain.com would be rejected and that the spammers would receive thousands of bounces and then eventually remove the a*@mydomain.com from their list.

But it never happened. I'm still getting those email addresses - today 58,000 of them!

Maybe I got it all wrong
58,000 emails were rejected today but the average is around 35,000. That works out at nearly a quarter of a million rejects a week, 12 million a year.

That's a crazy situation to be in so clearly I made a mistake somewhere. Maybe the server is relaying, maybe I left something open somewhere.

Why do some spammers consider it worthwhile associating my server with a quarter of a million spam messages each week?

<snip>

[edited by: Frank_Rizzo at 7:06 pm (utc) on Sep. 7, 2006]

[edited by: trillianjedi at 2:49 pm (utc) on Sep. 10, 2006]
[edit reason] Please repost with the specifics if needed. Ta! [/edit]


MatthewHSE (msg:3075273) 7:25 pm on Sep 7, 2006 (gmt 0)

Is it possible that a contact form on your website has been exploited to send spam using email form injection techniques? At those numbers it seems unlikely to me, but it would be the first thing I'd check for. See if your server logs have a lot of suspicious POST requests to any form processing scripts.

FalseDawn (msg:3075372) 8:39 pm on Sep 7, 2006 (gmt 0)

Possible log spammers maybe?

Just make sure your MTA is set to ":fail:" unknown recipients so the load on your server is minimal.

Also, to make sure relaying is disabled, use:
[abuse.net...]

If someone has uploaded a spam script on your server, it should be fairly easy to track down.

Frank_Rizzo (msg:3075587) 12:14 am on Sep 8, 2006 (gmt 0)

That relay link passes all tests fine.

There is nothing in the apache access logs to indicate a rogue script.

So what is the score here? I assumed it was a joe job scenario where a spammer has forged the from: address to make it look like mydomain is sending the mail but it is not the case!

What is happening is thousands of spams are going to a*@mydomain.co.uk and this has gone on for the best part of 10 months.

It is a crazy situation. I tried just ignoring the mail, I tried bouncing the mail but it is not receding. Maybe someone just sold 1000 duff email addresses with my domain in it and it will take years to clear off the list?

[edited by: Frank_Rizzo at 12:15 am (utc) on Sep. 8, 2006]

FalseDawn (msg:3075598) 12:33 am on Sep 8, 2006 (gmt 0)

"I tried just ignoring the mail"

Try harder. ;-)

lammert (msg:3075623) 1:03 am on Sep 8, 2006 (gmt 0)

You are doing the right thing. In many configurations mail servers bounce a message--i.e. they send an error mail message back to the sender after the message has been accepted and processed--but you are sending a 550 error code directly to the sending mailer, before the message was even uploaded.

This is the best way according to the Anti Spam RFC2505 [ietf.org] because it saves bandwidth and gives the sending mailer the opportunity to correct its error (what you hoped for).

There is not much more you can do, besides disconnecting your mail server from the internet or changing domain names.

trillianjedi (msg:3078029) 2:49 pm on Sep 10, 2006 (gmt 0)

*bump*

Pibs (msg:3078052) 3:15 pm on Sep 10, 2006 (gmt 0)

I'm not really up on web-based techie stuff but could you perhaps set up an auto-responder and send em 58,000 "Thank you for your interest, will get back to you shortly" mails?

Not long term but just on the off-chance a few hours of that might encourage em to get you off their list?

P.

kwngian (msg:3078135) 5:00 pm on Sep 10, 2006 (gmt 0)

I remember reading somewhere that they are paid per delivery so it doesn't matter if they deliver the same message to you thousands of times.

They use infected PCs so there is virtually no cost to them. The infected machine owners pay for the bandwidth.

Are you accepting the spam and then letting it bounce? If you are, you are swarming someone else's inbox with bounces. They don't go through a proper MTA for sending mails; the infected PCs they own connect directly to your server to dump the spam.

Try greylisting. Block them hard enough, they will eventually disappear, not completely but they'll try less frequently. They have no motivation to waste so much time on a 'single account'.
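The recipient-stage decisions the replies describe (FalseDawn's ":fail:" for unknown recipients, lammert's 550 at SMTP time instead of an accept-then-bounce, and kwngian's greylisting), modelled together in one added example that is not any poster's configuration or any MTA's own code. The `RecipientPolicy` class, its parameters and the traffic in `simulate()` are constructed for the example; a real greylisting implementation would also normally key on the client's /24 rather than the exact IP.

```python
from datetime import datetime, timedelta

# Added example (not any poster's configuration). At the SMTP RCPT stage,
# before any message body is accepted: unknown local parts get a permanent
# 550 (nothing is queued, so no bounce is ever generated), and known
# recipients are greylisted, i.e. the first attempt from an unseen
# (client IP, sender, recipient) triplet gets a temporary 451 and is
# accepted only if the client retries after a delay, as a real MTA's queue
# does and a direct-to-MX spam engine usually does not.
# Hypothetical class and parameter names; the domain is constructed.

class RecipientPolicy:
    def __init__(self, valid_recipients, min_delay=timedelta(minutes=5),
                 retry_window=timedelta(hours=4), whitelist_ttl=timedelta(days=30)):
        self.valid = {r.lower() for r in valid_recipients}
        self.min_delay = min_delay
        self.retry_window = retry_window
        self.whitelist_ttl = whitelist_ttl
        self._pending = {}     # triplet -> time of first attempt
        self._whitelist = {}   # triplet -> expiry of the pass
        self.stats = {"250": 0, "451": 0, "550": 0}

    def _reply(self, code):
        self.stats[code] += 1
        return code

    def decide(self, client_ip, sender, recipient, now):
        """Return the SMTP reply code for one RCPT TO attempt."""
        recipient = recipient.lower()
        if recipient not in self.valid:
            # Unknown recipient: refuse at RCPT time. Nothing is queued, so
            # there is no bounce to send to a (possibly forged) envelope sender.
            return self._reply("550")
        triplet = (client_ip, sender.lower(), recipient)
        expiry = self._whitelist.get(triplet)
        if expiry is not None and now < expiry:
            self._whitelist[triplet] = now + self.whitelist_ttl  # keep the pass alive
            return self._reply("250")
        first = self._pending.get(triplet)
        if first is None or now - first > self.retry_window:
            # Unseen (or stale) triplet: ask the client to try again later.
            self._pending[triplet] = now
            return self._reply("451")
        if now - first < self.min_delay:
            # Retried too soon; keep deferring.
            return self._reply("451")
        # Retried after the delay, as a real MTA queue would: accept and
        # remember the triplet so later mail from it is not delayed.
        del self._pending[triplet]
        self._whitelist[triplet] = now + self.whitelist_ttl
        return self._reply("250")


def simulate():
    """Constructed traffic: one legitimate MTA that retries after 10 minutes,
    and a spam engine that fires once at each address and never retries."""
    policy = RecipientPolicy(["sales@mydomain.example", "information@mydomain.example"])
    t0 = datetime(2006, 9, 10, 17, 0)
    legit_first = policy.decide("203.0.113.10", "friend@example.org",
                                "sales@mydomain.example", t0)
    legit_retry = policy.decide("203.0.113.10", "friend@example.org",
                                "sales@mydomain.example", t0 + timedelta(minutes=10))
    # Probes at a*@ local parts that no longer exist now that catch-all is off
    spam_unknown = [policy.decide("198.51.100.%d" % i, "x%d@bogus.example" % i,
                                  "aza%05d@mydomain.example" % i, t0) for i in range(1, 6)]
    # A single shot at a real mailbox from a client that never comes back
    spam_known = policy.decide("198.51.100.77", "x@bogus.example",
                               "sales@mydomain.example", t0)
    return {"legit_first": legit_first, "legit_retry": legit_retry,
            "spam_unknown": spam_unknown, "spam_known": spam_known,
            "stats": dict(policy.stats)}


if __name__ == "__main__":
    print(simulate())
```

In the simulated run only the retrying MTA is ever answered 250; every a*@ probe is refused with 550 before DATA, so the rejects cost a few bytes each and produce no backscatter toward whoever's address was forged as the sender.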

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved