Forum Moderators: phranque
The thing is the emails were sent from, say, blahblah@mydomain.com to blahblah@aol.com and returned to me as I have the catch-all for my domain.
Obviously I received mail from some people who were angry with me for sending them spam.
I am praying that no one has reported my domain to any blacklist. Does anyone know what I can do to protect myself from such attacks and from any blacklist?
I’m rather worried as I don’t want to be in trouble for something I haven’t done!
Cheers.
Steve.
If the mail is originating from your server, you will need to lock down your mail server and also look for any form mail scripts that need to be secured.
If they are using you as a return address you can set up an SPF (Sender Policy Framework) Record [spf.pobox.com].
Here is a little background on SPF if you don't know what it is:
SPF fights return-path address forgery and makes it easier to identify spoofs.
Domain owners identify sending mail servers in DNS.
SMTP receivers verify the envelope sender address against this information, and can distinguish authentic messages from forgeries before any message data is transmitted.
Could this be an attempt to get me reported as a spam sender?
My messages that were returned looked like this....
subject:
Returned mail: see transcript for details
Body:
The original message was received at Wed, 16 Nov 2005 13:45:34 +1300
from localhost.localdomain [127.0.0.1]
----- The following addresses had permanent fatal errors -----
<lfbarr20721@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<larindalarinda@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<lamar580@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<ladecastro@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<kwalley2000@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<kurai434@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<kpmerideth@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<knepper117@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<kimcwall@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<jsimms8539@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<jokasonu@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<john53064@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<jillywilly990@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<jhufker@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<jergerchild@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<jennifersclawed@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<jenjjbathome@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<jecx00@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<jdpressleyjr@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<jdawg10161@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<jclowe74@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<janeafletcher@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<jalele4@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<icecream2345@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<ibangladesh1@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<hunt2124@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<humbirdjlw@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<herakles93@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<guitar592@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<grannyhoneytate@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<georkli@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<funnymedic@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<freakydee30@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<fotojet@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<fishcreekshane@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<fickymaus@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<fallout8016@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<expertflirt@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<evro@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<ericrhoderick@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<eggandjelly@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<ebeman123@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<dw3sketti@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<dvprobag@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<dpmedsys@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<donnieosborn@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<docdrewsi4@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<deni18@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<deeemcc@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<debwalters@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<cynthiajane22@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<cynthiadolier@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<cuttielicious23@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<cphatygirl02@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<collectintexan@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<cindyboldt@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<chubbmande@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<chryz120986@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<centuryintermod@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<carqwest@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<campagna349@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<c4dokof@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<bummer1957@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<bridii@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<bpappas1000@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<bouttym@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<bignbeauty69@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<biggaloot999@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<bessieshepard@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
<beacon5919@aol.com>
(reason: 554 (RLY:B1) [postmaster.info.aol.com...]
----- Transcript of session follows -----
... while talking to mailin-02.mx.aol.com.:
>>> QUIT
<<< 554 (RLY:B1) [postmaster.info.aol.com...]
... while talking to mailin-01.mx.aol.com.:
>>> QUIT
<<< 554 (RLY:B1) [postmaster.info.aol.com...]
... while talking to mailin-03.mx.aol.com.:
>>> QUIT
<<< 554 (RLY:B1) [postmaster.info.aol.com...]
... while talking to mailin-04.mx.aol.com.:
>>> QUIT
<<< 554 (RLY:B1) [postmaster.info.aol.com...]
554 5.0.0 Service unavailable
One of our neighbors got a spam email at work, spoofed to look like it was from me. Only I never even knew the person's work email address and it was not stored anywhere on my PC, so I could not have possibly sent her spam even if I had wanted to.
We eventually figured out that her home PC had gotten infected and everyone in her email address book on her home PC was getting their address spoofed by email being sent out with viruses attached.
Our neighbors are Filipino, so for a few months I kept getting weird rejected or returned email messages, sent by antivirus software belonging to people with Filipino surnames, because of the viruses.
I received thousands upon thousands of returned emails on the first day (no real limit on the email box on my server, and no real rules set up at the time as there seemed no need). I thought that they would move on to a different address soon enough, so I did nothing on the first day.
On the second day it got worse! So I did a little digging and found the company that was responsible. They weren't a legal target that I could easily deal with so I simply set my catch all email address to forward to their email box. I honestly thought that they would get around that easily. However, it turns out that it must have been easier for them to send emails posing as a different sender than deal with someone who was fighting back.
There is the possibility that the sender will get upset and try to get their own back in some way, but I suspect that they get 'annoyed' by many people and just move on.
The following is going on that assumption. One or two stabs at a domain email address is nothing, but thousands indicate some sort of script abuse.
One attack is to send hundreds of emails to these scripts with somename@yourdomain.com in each of the fields until they find one that they can violate by adding a newline and their own BCC: field. In this bcc field they dump thousands of email addresses to send out spam in your name. Many programmers mistakenly point their screening attention at the recipient (to) and sender (from) fields, but the violated field can be any part of a valid mail header, including the subject or even message body fields (if the message body immediately follows the headers in your configuration.) Some attacks even print their own multipart mime-type headers and muck up the works that way.
If successful, remember what a BCC field does: those of you that get one or two of these may think no harm done, but being a BCC, you didn't get to see the thousand AOL addresses that were spammed.
Anything you do on the web page itself can be irrelevant. For example, if your "subject" field is a select list you might think you're safe because they can only select the values from the list. But the way this is done is to make a request to your script across the internet from a command line or program that never actually hits the form page.
Chances are good that "they" aren't mad at you; they don't care who you are, nor how much damage it causes. Why? Most simply, "because they can." If they can con one of those recipients out of five bucks, it's worth it. If they can slow down the AOL mail server for a millisecond, it's worth it. If they can ruin someone's day, brag to their circle of hackers that they did it, anything, it's worth it.
It can get you blacklisted or ignored, yes, but most likely you'll get a warning from AOL or someone that your scripts are being abused to spam AOL users. Review your code, close up the holes, accept only valid input and they will go away. Or at least not be able to use your server to do their dirty work.
This is all, of course, only if they are using your mailer scripts to do so. BUT! By the tone and nature of your original post - if you are sending spam, karma's a nasty bug. :-)
Thanks for the opportunity for my first post to this forum. Wish it was under better circumstances...
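The formmail abuse described in the post above, as an added example in Python (not code from any poster in this thread): a naive form-to-mail builder that pastes form fields straight into header lines, beside a hardened one that rejects CR/LF, validates the address and keeps the recipient fixed. The site address, the field names and the attacker payload are constructed for the example.

```python
"""Form-to-mail header injection: the naive pattern next to a hardened one.

Added example for this thread, not code from any poster. SITE_ADDRESS, the
field names and the constructed attacker payload are all assumptions.
"""
import re
from email import message_from_string
from email.message import EmailMessage

SITE_ADDRESS = "webmaster@example.com"   # assumed: the form's fixed recipient

# Constructed attacker input: a Subject value that ends the Subject line and
# starts a Bcc: line. A real attack would carry thousands of addresses here.
INJECTED_SUBJECT = "Hello\r\nBcc: victim1@example.net, victim2@example.net"


def build_mail_vulnerable(name, reply_to, subject, body):
    """The classic formmail bug: form fields are pasted into header lines.
    Nothing stops a value containing CR/LF from adding headers of its own."""
    return (
        f"From: {name} <{reply_to}>\r\n"
        f"To: {SITE_ADDRESS}\r\n"
        f"Subject: {subject}\r\n"
        "\r\n"
        f"{body}\r\n"
    )


def headers_of(raw):
    """Parse a raw message the way the MTA will, returning {header: value}."""
    return {k.lower(): v for k, v in message_from_string(raw).items()}


class RejectedInput(ValueError):
    """Raised by the hardened builder when a field cannot go into a header."""


HEADER_UNSAFE = re.compile(r"[\r\n\x00]")
ADDRESS_RE = re.compile(
    r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def header_value(field, value, max_len=200):
    """Accept a field only if it cannot break out of its header line."""
    if HEADER_UNSAFE.search(value):
        raise RejectedInput(f"{field}: line breaks and NUL are not allowed")
    if len(value) > max_len:
        raise RejectedInput(f"{field}: longer than {max_len} characters")
    return value.strip()


def build_mail_hardened(name, reply_to, subject, body):
    """Same form, but every header-bound field is validated, From and To are
    fixed, and the message is built with EmailMessage (whose policy also
    raises ValueError on a header value that contains a line break)."""
    name = header_value("name", name)
    reply_to = header_value("email", reply_to)
    subject = header_value("subject", subject)
    if not ADDRESS_RE.match(reply_to):
        raise RejectedInput("email: not a valid address")
    msg = EmailMessage()
    msg["From"] = "forms@example.com"           # assumed: a fixed local sender
    msg["Reply-To"] = reply_to                  # the visitor's address goes here
    msg["To"] = SITE_ADDRESS
    msg["Subject"] = f"[contact form] {subject}"
    msg.set_content(f"Name: {name}\n\n{body}")  # body text never becomes a header
    return msg.as_string()


def hardened_rejects(name, reply_to, subject, body):
    """True if the hardened builder refuses this input."""
    try:
        build_mail_hardened(name, reply_to, subject, body)
    except RejectedInput:
        return True
    return False


if __name__ == "__main__":
    raw = build_mail_vulnerable("Bob", "bob@example.org", INJECTED_SUBJECT, "test")
    print(headers_of(raw))   # note the 'bcc' key the visitor was never meant to set
    print(hardened_rejects("Bob", "bob@example.org", INJECTED_SUBJECT, "test"))
```

Run it and the vulnerable builder turns a single Subject value into a Subject plus a Bcc: header, which is exactly how the AOL recipients above end up getting mail "from" the domain. The hardened builder refuses the same input before any message exists. The check belongs on every field that reaches a header, select lists and hidden inputs included, because the attacker posts straight to the script and never loads the form page.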
Please, do yourself a favor. From my own personal experience - get in touch with your host asap and let them know about this spoofing. Talk with them and get a catch-all set up.
They'll know what is happening. And they'll know how to stop it. But it's very important they know it's not you! They have to reply to complaints! If you haven't communicated with them, it is entirely possible they'll assume the worst.
More important than a black list at the moment would be your hosting privileges. You CAN be shut down.
HTH,
Mark
[openspf.org...]
It lists which servers are allowed to send email for your domain name. Not everyone is using SPF, though, but some of the "big boys" (Yahoo, Hotmail, AOL) do, so it would help against forged emails being sent to recipients at those sites.
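Both the SPF summary earlier in the thread (domain owners publish their sending servers in DNS, receivers check the envelope sender against them) and the note above describe what an SPF-checking receiver does. Here is one added example of that evaluation in Python, not code from any poster or from the SPF project: a small evaluator over an in-memory DNS table. Every domain, record and IP address is constructed for the example, and it covers the ip4, ip6, a, mx, include and all mechanisms with their qualifiers, not redirect=, exists or macros.

```python
"""A minimal SPF evaluator over an in-memory DNS table.

Added example for this thread, not code from any poster or from the SPF
project. Every domain, record and IP below is constructed; real use would
replace `lookup` with actual DNS queries.
"""
import ipaddress

# Constructed DNS data. mydomain.example stands in for the poster's domain.
DNS = {
    ("mydomain.example", "TXT"): [
        "v=spf1 mx ip4:203.0.113.10 include:_spf.mailhost.example -all",
    ],
    ("mydomain.example", "MX"): ["mail.mydomain.example"],
    ("mail.mydomain.example", "A"): ["203.0.113.25"],
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    ("nospf.example", "TXT"): ["some unrelated txt record"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query; returns [] where a resolver would find nothing."""
    return DNS.get((name, rtype), [])


def spf_record(domain):
    """The domain's single v=spf1 TXT record, or None (result 'none')."""
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1 ")]
    return records[0] if len(records) == 1 else None


def ip_in(ip, target):
    """True if `ip` lies in `target` (an address or CIDR); v4 and v6 never mix."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(target, strict=False)


def check_spf(ip, domain, depth=0):
    """Evaluate `domain`'s SPF record for a connecting IP.

    Returns pass, fail, softfail, neutral, none or permerror. Mechanisms are
    tried left to right; the first one that matches decides, and its
    qualifier gives the result."""
    if depth > 10:            # RFC 7208 caps DNS-querying terms; keep recursion bounded
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip_in(ip, arg)
        elif name == "a":
            matched = any(ip_in(ip, a) for a in lookup(arg or domain, "A"))
        elif name == "mx":
            matched = any(ip_in(ip, a)
                          for host in lookup(arg or domain, "MX")
                          for a in lookup(host, "A"))
        elif name == "include":
            # include matches only when the included domain's own result is pass
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"   # unknown mechanism or an unsupported modifier
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"             # ran off the end with no "all" term


def check_mail_from(ip, mail_from):
    """What a receiving MTA does at MAIL FROM: take the envelope sender's
    domain and evaluate it against the IP that is talking to it."""
    return check_spf(ip, mail_from.rsplit("@", 1)[-1].lower())


if __name__ == "__main__":
    for ip in ("203.0.113.25", "198.51.100.77", "192.0.2.1"):
        print(ip, check_mail_from(ip, "blahblah@mydomain.example"))
```

Two caveats worth keeping in mind when publishing a record. SPF is evaluated on the envelope sender (the address in MAIL FROM, which is also where bounces go), so it only helps at receivers that actually check it, and a receiver that does not will still accept the forgery and bounce it back to the catch-all. And the terminal qualifier matters: `-all` tells a checking receiver to reject mail from unlisted hosts outright, while `~all` only asks it to treat such mail with suspicion, so the record above would stop the forged AOL deliveries at an SPF-checking site but the included `~all` policy would not.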