Help, I keep getting all these emails returned undelivered

... but I didn't send them

Macro

5:30 pm on Oct 13, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm not sure whether there's someone out there sending out millions of emails with our return address and I'm getting notified about the addresses that aren't valid. But I don't know much about emails and headers. Perhaps one of you knowledgeable guys or gals can help me.

I'm sure I can't post the whole header here as our domain and stuff will be in there. But I'll replace our domain name and our isp name:

Return-path: <>
Resent-To: webmaster@ourdomain.com
Resent-From: gp0yck@ourdomain.com
<each email has different jumbled text before the @ sign>
Resent-Message-Id: <B0075755894@isp134.ourisp.net>
Resent-Date: Mon, 13 Oct 2003 17:48:27 +0100
Received: from m09.itconsult.net (unverified [193.201.42.129]) by smtp.ourisp.net
(Rockliffe SMTPRA 5.3.4) with ESMTP id <B0075755893@isp134.ourisp.net> for <gp0yck@ourdomain.com>;
Mon, 13 Oct 2003 17:48:27 +0100
Received: from m09.them.net by m09.them.net at Mon, 13 Oct 2003 17:48:49 +0100
From: "postmaster@them.net" <postmaster@them.net>
To: "gp0yck@ourdomain.com" <gp0yck@ourdomain.com>
Subject: Failed mail
Date: Mon, 13 Oct 2003 17:48:49 +0100
Message-Id: <16484924544632@m09.them.net>
X-Mailer: Gordano Messaging Suite v9.01.3158
Reply-To: <>
X-Failed-Delivery: vittoria@stamper.them.co.uk
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="==_16484924544634@m09.them.net==_"

This is a MIME-encapsulated message

--==_16484924544634@m09.them.net==_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Your message to stamper.them.co.uk was rejected.
I said:
RCPT To:<vittoria@stamper.them.co.uk>
And stamper.itconsult.co.uk [193.201.42.31] responded with
550 5.1.1 No such mail drop defined.

--==_16484924544634@m09.them.net==_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

The message headers and first 15 body lines follow:

--==_16484924544634@m09.them.net==_
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
....

Any help would be appreciated. Thanks.

[edited by: DaveAtIFG at 7:02 am (utc) on Oct. 14, 2003]
[edit reason] "Generalized" the sending domain name [/edit]

Loki99

5:39 pm on Oct 13, 2003 (gmt 0)

10+ Year Member



2 likely cases:

1. Someone is sending spam through your mail server.
Solution - secure your mail server.

2. Someone is faking the header to look like it's coming from your mail server.
Solution - not very much you can do about it, except contact your ISP to explain it's not you, before they cancel your account.

Receptional

5:44 pm on Oct 13, 2003 (gmt 0)



Loki has it right. Check both but you said:

<each email has different jumbled text before the @ sign>
which means it is probably number 2, which is not your fault. In that case the one thing you can and should do is to set up a rule on your inbox to delete all incoming emails that have whatever common characteristics you can find in the emails now coming to you by the thousand. Even better, you should stop your "catch all" account for a while.

This happened to us and it went on for a week or two, so you better get a handle on the swarm of emails you are gonna get if it is a serious spammer.

[edited by: Receptional at 5:46 pm (utc) on Oct. 13, 2003]

GaryK

5:45 pm on Oct 13, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I've been having this same problem with one of my domains for a few days now. In my case the problem is related to Loki99's second suggestion. I know the owners of my host and have alerted them to this issue. They've assured me they know I'm not a spammer and they'll stand behind me 100%.

Macro

6:04 pm on Oct 13, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi guys, thanks for those super quick replies.

I contacted the ISP and it looks like it is #2. They said it's also possible that this is the work of a virus.

They say that I could report it to spamcop. But Outlook Express is deleting the attachments as unsafe and apparently I do need the headers of the original mails if I am going to report it.

So for the moment it looks like turning off the "catchall" is the best thing to do.

Maybe I'll do a ghost of my hard disk so I have a spare disk. I could then turn off anti-virus on the spare disk and collect mail on that. (Ghosting/Anti-virus kind of stuff is very familiar to me). That'll give me the headers which I could copy into a text file on floppy. Then I could "shred" the spare hard disk.

robho

11:51 pm on Oct 13, 2003 (gmt 0)

10+ Year Member



This has also happened to a couple of my domains in the past week (and has happened several times in the past).

The emails are being sent from dsl lines all around the world - a different one each time, so it's likely a virus on those (probably Windows...) machines is sending them without the owners being aware. I'm getting many hundreds of these each day, so it's impossible to report them all (and essentially futile to report any). Every false reply address is a random non-existent name at the domains.

I've set up a procmail rule to filter off most of them, have reported them to the hosting company, and have made a clear announcement on the web pages of the domains concerned that they're nothing to do with me. Other than that, I can't see anything that can be done.

This type of organized crime using viruses and trojans will kill the internet (make many ordinary users scared to go online).

I noticed in one spam filter they give extra points (more spammy) if the mail mentions a .biz domain; judging by these it looks like a good idea! But no spam filter can do anything against these: they are fraud / identity theft, and there are too many countries involved for anybody to do anything at all.

Here's an example of message that was bounced, innocent domains munged:


Return-Path: <pak-Jong.masottisk@----.com>
Received: (qmail 4122 invoked by uid 104); 13 Oct 2003 14:55:57 -0000
Received: from pak-Jong.masottisk@----.com by buffy.midrand.----.com by uid 101 with qmail-scanner-1.16
(clamscan: 20030317. Clear:.
Processed in 1.535094 secs); 13 Oct 2003 14:55:57 -0000
X-Qmail-Scanner-Mail-From: pak-Jong.masottisk@----.com via buffy.midrand.----.com
X-Qmail-Scanner: 1.16 (Clear:. Processed in 1.535094 secs)
Received: from cp167842-a.mill1.lb.home.nl (HELO thorsee.com) ([217.120.107.214])
(envelope-sender <pak-Jong.masottisk@----.com>)
by ----.com (qmail-ldap-1.03) with SMTP
for <antusher@---.co.za>; 13 Oct 2003 14:55:55 -0000
X-vSMTP: ---.com
Message-ID: <42de01c3919b$5f98fd7a$cc87d6df@nyzhtmd>
From: "Pak-Jong Masotti" <pak-Jong.masottisk@-------.com>
To: antusher@----.co.za
Subject: You blocked my email
Date: Mon, 13 Oct 2003 15:04:23 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_00A5_BA3A10CC.A5E68131"

This is a multi-part message in MIME format.

------=_NextPart_000_00A5_BA3A10CC.A5E68131
Content-Type: text/plain;
charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_000_00A5_BA3A10CC.A5E68131
Content-Type: text/html;
charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dwindows-1251">
<META content=3D"MSHTML 6.00.2800.1226" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>
<DIV>Wholesale prescription medications at bargain prices</DIV>
<DIV>Our doctors will write you a prescription</DIV>
<DIV>Get all your prescription meds online</DIV>
<DIV><A href=3D"http://www.vpachka.biz/vpr6636/">http://www.vpachka.biz/vpr6636/</A></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV>If you don't want to hear from us again please follow the link below</DIV>
<DIV><A href=3D"http://www.vpachka.biz/rm.html">http://www.vpachka.biz/rm.html</A></DIV>
<DIV>&nbsp;</DIV>
<DIV>shfqbidzvjsav</DIV>
<DIV>ewjycvkoyu xjvuzgdhgnhh fogamxhzaf vorpvzddtb jkooyxdccyo</DIV>
<DIV>ecbrjpcyicoem cwdtgwbparc</DIV>
<DIV>tgpyhpsspn cuitlpblgolqd enqqhbyudey ocsekoqtldo brikjudchaqq hjdiqlbixtavq xiawuoddrhkysb</DIV>
<DIV>esjropbygv hbxodfbxps uffhpvcuxv</DIV>
<DIV>xbraevbuifwmx ykqmxsffptgwd</DIV>
<DIV>svcquqcdvsazp aytzspcjhwli</DIV>
<DIV>zxmmijdsqgwv rslflqcveo tslyylmjkwcd</DIV>
<DIV>ljxxzmdpxvj ikgsoegobhrrdd gddqbodqxvun hifpqpfdztqd tefiqudfhbvyr wqtslgbbzje tsjolvdfupt uzztlgbdmtj</DIV>
<DIV>Thanks, bye.</DIV></FONT></DIV></BODY></HTML>

seindal

6:30 am on Oct 14, 2003 (gmt 0)

10+ Year Member



I get hundreds of these every day and have responded by removing the catchall address for the domain. It gets rid of almost everything.

The messages are sent by virus infected windows machines, so there is no point in reporting it to spamcop. Besides, spamcop usually refuses to handle bounced messages.

René.

Macro

9:59 am on Oct 20, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Help! The problem gets worse.

I've managed to control the problem of getting tons of emails by removing the catchall account and using Rules in Outlook Express.

But I'm getting genuine emails returned by ISPs like AOL. AOL says that my server is generating "a lot of complaints from members" and in keeping with their "unsolicited bulk email policy" they will not accept mail from me.

But it's not my server! They have no proof it's my server. My ISP assures me their servers haven't been used. AOL should know that spammers fake the "from" address. I don't send bulk mail. I don't send unsolicited mail. The newsletter we have is opt-in, not opt-out, and we promise to send only 1-2 mails a year. We haven't sent a newsletter out in about 10 months! We don't sell/rent our list.

How can I find the spammers using our domain in their from address? Is there a company that provides this service? Can I do it myself? Is there a site where I could learn how to do it? Is there anything I can do to protect ourselves? Our genuine replies to customer enquiries are being bounced and it will shortly start affecting our business badly :-(

claus

3:10 pm on Oct 20, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



CATCH ALL:
1) Someone somewhere sends out emails. A lot of them.
2) These emails have an email address @ your domain in the "Return Path", "Reply To", "From" or all.
3) Some of these emails will not reach the intended recipient and they bounce back to the sending address.
4) With a catchall address, this is where you see them.
5) Without a catchall address, the bounce-back will lead to yet another bounce-back from your domain in the special case of a fake address @ your domain.
6) Using random senders, the bounce-back-bounce-back loop is the most likely.
7) Some mail servers will cope with this, others will crash.

... so even though disabling the catchall will reduce the amount of incoming mail, it will not necessarily reduce the impact of the problem.

AOL:
1) AOL gets email. AOL members too - probably just these.
2) AOL staff handling abuse issues should know how to read a mail header.
3) They will be able to see that this mail is not from you
4) AOL members don't know about mail headers. They see your domain in the "From" field and complain about you.

... so: write a polite real email to abuse@aol.com (or whatever their address is) and explain that you are currently being attacked (you are) and that the forged emails are not sent from your mail server. You have no interest in being recorded as a spammer or in sending spam, do make that clear to them.

Explain further that you know that this might confuse some AOL customers, as these will probably not know how to read mail headers properly. Do include the full source of one of the bounce-backs, ie. one that includes the full headers from the message that was assumed to be sent from you (not all bounce-backs include the full information.)

>> How can I find the spammers using our domain in their from address?

Look at the mail headers, specifically the "Received:" lines. These should be read bottom-up. The topmost one is the most recent, while the lowest one is the original sender. In post #6 (robho) it would be "cp167842-a.mill1.lb.home.nl" and in post #1 (Macro) it would be "m09.them.net".

One caveat here: the message in post #1 is a bounceback. This means that this is not the right header, as the address that is revealed here is actually the address of the mailserver sending the bounceback. You should look for that part of the bounceback message that contains the headers of the original email.

That's the senders. These are the ones that are sending out the spam messages. The real spammers might be somebody else who is just using the machines of the senders to send out spam, e.g. by means of a virus or trojan software. Anyway, as tracking this is beyond your reach, you should report the senders as being spammers (which they are, even though it might not be on purpose).

Normally you can write to "abuse@" and the domain, eg. abuse@home.nl - the whois records of the domain will show you this info. Do include the full spam email (without attached viruses) and especially the full headers in raw text.

>> Is there a company that provides this service?

As mentioned before: Spamcop can do it. Assuming it is spam and not a virus, as spamcop does not accept virus reports. All you do is copy and paste the source code of the email (this is not the same as the message) into the spamcop webpage. Or, you can simply forward the spam to your special spamcop email address.

>> Outlook Express -> apparently I do need the headers of the original mails if I am going to report it.

1) Right click the spam email.
2) Choose "Properties"
3) Select the tab "Details"
4) Click the button "View Source" or "Message source"
5) Place your cursor in the source text, type "Ctrl+A" (select all) and "Ctrl+C" (copy)
6) Open notepad or similar pure text editor
7) Type "Ctrl+V" (insert)

Hope this helps.
/claus
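
The header walk claus describes above (read the Received: lines bottom-up, and for a bounce look inside the attached original rather than at the bounce's own headers) and the filtering Receptional, robho and seindal rely on (drop bounces addressed to random local parts that were never real mailboxes) are shown together below as an added example; it is not code from any post in this thread. The two sample messages are constructed in the shape of the bounces quoted in the thread, with the real hosts replaced by RFC 2606/5737 documentation names and addresses; the local-mailbox list, the trusted relay IPs and the verdict logic are assumptions for the example. Bounces generated by today's MTAs are usually RFC 3464 multipart/report messages rather than the Gordano-style multipart/mixed in the first post, so the code accepts both forms.

```python
"""Bounce triage for forged-sender backscatter (added example, not code from any post in the thread).
Sample messages are constructed; hosts and IPs are RFC 2606/5737 documentation values."""
import re
from email import message_from_string, policy

# Received: "from <host> (HELO <name>) (... [<ip>]) by ...": the peer the relay accepted mail from.
RECEIVED_FROM = re.compile(
    r"from\s+(?P<host>[^\s(;]+)(?:\s*\(HELO\s+(?P<helo>[^)\s]+)\))?"
    r"(?:.*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\])?", re.DOTALL)

def is_bounce(msg):
    """Null envelope sender (Return-Path: <>) or an RFC 3464 delivery-status report."""
    return ((msg.get("Return-Path") or "").strip() == "<>"
            or (msg.get_content_type() == "multipart/report"
                and msg.get_param("report-type") == "delivery-status"))

def hops(msg):
    """Parsed Received: lines, newest first; lines with no 'from' clause (local injection) are skipped."""
    found = (RECEIVED_FROM.search(str(v)) for v in msg.get_all("Received", []))
    return [m.groupdict() for m in found if m]

def injecting_host(msg):
    """Bottom-most Received: line, i.e. the machine that handed the mail to the first MTA."""
    chain = hops(msg)
    return chain[-1] if chain else None

def original_message(bounce):
    """The message/rfc822 part of a bounce carries the message that was actually rejected."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def abuse_contact(host):
    """Heuristic abuse@ address from the last two labels; co.uk-style suffixes need whois instead."""
    return "abuse@" + ".".join(host.split(".")[-2:])

def analyse(raw, local_domain, local_mailboxes, trusted_ips):
    """Classify a raw message as not-a-bounce, genuine-bounce, or backscatter from a forged sender."""
    msg = message_from_string(raw, policy=policy.default)
    if not is_bounce(msg):
        return {"verdict": "not-a-bounce"}
    # To: is the address the remote MTA answered; a catchall's Resent-To only says where it landed.
    rcpts = [a.addr_spec.lower() for h in msg.get_all("To", []) for a in h.addresses]
    unknown = [a for a in rcpts
               if a.endswith("@" + local_domain) and a.split("@")[0] not in local_mailboxes]
    original = original_message(msg)
    origin = injecting_host(original) if original is not None else None
    result = {"bounced_by": injecting_host(msg), "origin": origin, "report_to": None}
    if unknown:
        result.update(verdict="backscatter", reason="bounce to non-existent mailbox " + unknown[0])
    elif origin is not None and origin.get("ip") not in trusted_ips:  # no IP literal counts as untrusted
        result.update(verdict="backscatter", reason="original injected by " + origin["host"])
    else:
        result.update(verdict="genuine-bounce", reason="real mailbox; original left our own hosts")
    if result["verdict"] == "backscatter" and origin is not None:
        result["report_to"] = abuse_contact(origin["host"])
    return result

# Constructed bounce shaped like the first post's: random local part, null sender, spam inside.
SAMPLE_BACKSCATTER = """\
Return-Path: <>
Received: from m09.bounce.example (unverified [192.0.2.129]) by smtp.isp.example
 for <gp0yck@ourdomain.example>; Mon, 13 Oct 2003 17:48:27 +0100
From: <postmaster@bounce.example>
To: <gp0yck@ourdomain.example>
Content-Type: multipart/mixed; boundary="==_b1==_"

--==_b1==_
Content-Type: message/rfc822

Received: from m09.bounce.example by m09.bounce.example at Mon, 13 Oct 2003 17:48:49 +0100
Received: from cp167842-a.mill1.lb.home.example (HELO thorsee.example) ([198.51.100.23])
 by m09.bounce.example with SMTP for <vittoria@stamper.example.co.uk>; 13 Oct 2003 16:48:40 -0000
From: "Pak-Jong Masotti" <gp0yck@ourdomain.example>
To: vittoria@stamper.example.co.uk
Subject: You blocked my email

--==_b1==_--
"""

# Constructed genuine RFC 3464 report (delivery-status part omitted): real mailbox, our own origin.
SAMPLE_GENUINE = """\
Received: from mx.far.example ([203.0.113.5]) by smtp.isp.example for <webmaster@ourdomain.example>
From: <postmaster@far.example>
To: <webmaster@ourdomain.example>
Content-Type: multipart/report; report-type=delivery-status; boundary="==_b2==_"

--==_b2==_
Content-Type: message/rfc822

Received: from smtp.isp.example ([198.51.100.77]) by mx.far.example for <someone@far.example>
Received: from office.ourdomain.example ([198.51.100.78]) by smtp.isp.example
From: <webmaster@ourdomain.example>
To: <someone@far.example>

--==_b2==_--
"""
```

Feed `analyse` the raw source that claus's Outlook Express steps produce (or any saved message). In the result, `origin` is the host that injected the spam and the one to report, `bounced_by` is the remote MTA that merely returned it, and the `abuse@` guess built from the last two labels must be checked against whois for registries such as co.uk. Run from a procmail or sieve filter, a `backscatter` verdict is the condition for discarding the mail that Receptional and robho set up by hand.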

Macro

5:13 pm on Oct 21, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks for that detailed info claus.

... so: write a polite real email to abuse@aol.com (or whatever their address is) and explain that you are currently being attacked (you are) and that the forged emails are not sent from your mail server. You have no interest in being recorded as a spammer or in sending spam, do make that clear to them.

I have done that. It was a good suggestion. Let's see how they respond. In the meanwhile any genuine customer with an AOL address is being sent their mail from a different domain. It's a pain.

Somebody should do something about the pathetic state email is in generally. If almost anybody can hijack anybody else's domain - or make it appear the mail is from there - then the system is screwed up.