There's been a lot of that lately; they're digging out and using the formmail script, which has a security hole.

If you host with someone else, let them know what happened so you won't be blamed, and either get a more secure mail script or change the name completely so they can't find it.

>(1)

It's easy, just fake the return headers.

>(2)

Probably not

>(3)

About all you can do is educate your clients and those on your mailing lists that it's bogus.

I had this happen. It was from abuse@mysite.com. I was able to get my hands on the orginal message which had the full header. I saw where the message originated from. I emailed the isp's abuse email.

(1) How is it possible to send email under a domain name that belongs to someone else (me)? You just change your address in your mail program to any mail address you want.
(2) Isn't this illegal, and if not, why not? No. It is usually against isp's term of service. If you can track them down you may be able to get them booted from their isp.

(3) What can you do as a webmaster if someone is doing this?Make an apology page that explains what happened. I really never had a backlash. Most people just delete it. Try not to put emails on your site that can be harvested.

One possible bad consequence is getting your domain banned by individuals or network administrators. If they get spam that appears to come from your domain, they might just ban the whole domain as a precaution. Not a lot you can do about it, though.

Here are the re-writes of Matt Wright's scripts:

[nms-cgi.sourceforge.net...]

There's a lot of security written into the re-done formmail, including being able to use an alias and not even have to put any email address in the form. The script name should still be changed.

Thanks for the quick replies everyone. I am contacting my host and getting them to look into it.

Cheers

I'm having the same problem, and it sounds like it's the same people.

I don't think your host is responsible, and I'm not sure they can do anything but not punish you for it.

• How can I tell what ISP the spammer is using to send out the mail from the header?
  
• How can I tell what host a website is on knowing its domain/IP?
  

Thank god for WebmasterWorld ;)

[edited by: alexjc at 3:48 pm (utc) on June 24, 2002]

I got two of those "returned mail" messages this morning as well.

Makes me feel a little sick to my stomach ...

Just gotta wait for the extra sick feelings when you start getting the emails saying STOP SPAMMING me when you didnt even do it and then the ones threatening to sue you. And when you respond saying you didnt do it you think they actually believe you ;)

To clear yourself, you'll need an article or two from a reputable 3rd party, like BusinessWeek

Spammers use two tricks to cloak their location: forging the return address and the message's headers, which indicate the path the mail takes across the Internet. Changing the return address is easy.

Inside the Spammers' Arsenal [businessweek.com]

I had bulk spam mail sent out to multiple AOL addresses. I thought I got hacked and posted here about it. It took several emails to get through to AOL that I wasn't one of their members getting email spam when I reported it to their abuse@aol but they finally got the picture and sent it on to security.

Well I took out all form mail scripts but I am still getting a deluge of returned info-rates mortgage spam that I never sent, but claim to originate from some bogus sjfhfhfg@mysite.com email address. Is there no recourse for this? I have a registered bsuiness license for my site. . . it seems like sending out bogus emails under somebody else's domain is committing fraud. Imagine if I started sending out legal advice under another law firms name and letterhead. Wouldn't that be fraud? Is there no way to launch an investigation or report this?

I've had two more emails bounced back to me this morning. How do I locate the little scoundrels from the headers?

You have to look at the full headers. It should have the originating mail server. It will be happening more and more as time goes on. You can try and report them to the originating isp in the header.

I got half a dozen such returned mails this morning, bounced back from non-existent AOL addresses.

Here's the headers from one of them. I don't exactly know what all this means, so I'd be grateful for advice. How can one protect one's brand against this kind of abuse?

Return-Path: <>
Delivered-To: ikijnxhgl@buckworks.com
Received: (qmail 30734 invoked from network); 26 Jun 2002 11:49:45 -0000
Received: from omr-d10.mx.aol.com (205.188.156.78)
by 0 with SMTP; 26 Jun 2002 11:49:45 -0000
Received: from rly-xi05.mx.aol.com (rly-xi05.mail.aol.com [172.20.116.10]) by omr-d10.mx.aol.com (v83.35) with ESMTP id RELAYIN4-0626074919; Wed, 26 Jun 2002 07:49:19 2000
Received: from localhost (localhost)
by rly-xi05.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0)
with internal id HAE27953;
Wed, 26 Jun 2002 07:49:19 -0400 (EDT)
Date: Wed, 26 Jun 2002 07:49:19 -0400 (EDT)
From: Mail Delivery Subsystem <MAILER-DAEMON@aol.com>
Message-Id: <200206261149.HAE27953@rly-xi05.mx.aol.com>
To: <ikijnxhgl@buckworks.com>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="HAE27953.1025092159/rly-xi05.mx.aol.com"
Subject: Returned mail: User unknown
Auto-Submitted: auto-generated (failure)

The company being mentioned is "Quote Pool Mortgage"

The URL being promoted is aol.2nd-mortgage-loans.org/etc/privacy.htm but if you go to that page it's a dead end, there's a privacy statement but no link to go anyplace!!

They're ever-so-clever in one way but totally stupid in others!

Aaaak is right!

Yup. They're the guys who are out there destroying my brand image. I wish I could decipher that . . .

They appear to have a whois record out of russia. The sub domain of aol I think is to record how their aol spam is doing. I can't see anything you can do here.

So it's probably an AOL user using one of their mail servers, though it could be an external hacker i suppose.

I can't determine which user it is though, as the possible names in the headers I have are different...

Ideas?

You need to read the Received headers backwards:

Received: (qmail 30734 invoked from network); 26 Jun 2002 11:49:45 -0000
your mail server
Received: from omr-d10.mx.aol.com (205.188.156.78)
by 0 with SMTP; 26 Jun 2002 11:49:45 -0000
accepts the message from an AOL mail exchange node.
Received: from rly-xi05.mx.aol.com (rly-xi05.mail.aol.com [172.20.116.10]) by omr-d10.mx.aol.com (v83.35) with ESMTP id RELAYIN4-0626074919; Wed, 26 Jun 2002 07:49:19 2000
the AOL exchange node accepts the message from a host on an AOL-internal private network.
Received: from localhost (localhost)
by rly-xi05.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0)
the AOL-internal node accepts the message from a process running on the same machine. That process is most likely the server accepting the message from the AOL client software.

This looks like it was sent through AOL. The system rly-xi05.mx.aol.com (172.20.116.10) is an internal AOL machine, that can't be accessed directly from the rest of the internet, so it must be a forwarder that processes e-mail by AOL subscribers.

Take it up with them at [aol.com...]

It may require some patience until you get in touch of someone who actually understands what you're talking about, though...

If they try to brush you off with "all headers in a spam message are forged", just get a little louder. The above sequence is extremely unlikely to be forged.

I received an email fom my ISP leting me know that they had changed the formmail script to NMS.

I did two things, actually three things, to cure this which was becoming an enormus problem

1. I changed all my email addresses

2. Wrote and installed a feedback php form after cleaning off all instances of my email address and encrypting those that had to remain.

3.Changed to the most secure formmail script AND placed it in the secure folder I was assigned on the secure server.

Result: Only ordinary everyday spam (from putting email addresses into public boards...no more outrageously prolific emails to the whole world under my email address!

It certainly improved my rep. and NO they do not believe you did not send them.

Ann