Forum Moderators: phranque
NOTE: We do not send out any bulk mail, or run a list server -- also, the only script we use that has a "email bounce-back verifier" is not the culprit -- it is secure and none of the spoofed messages show any sign of using that script.
Personally I have seen an increase in spam over the past few months (two years ago it was terrible, then for about a year we were virtually spam free --- about 3 months ago it kicked back up to worse than the pre-"CAN-SPAM" days).
It seemed like the major ISPs got a handle on bulk mailer / spam / spoofers -- and now it's all back.
I don't like the idea of spam filters on the email client-side software -- all it does is trash the messages (and usually trashes perfectly good messages along with the bad). Filters on the end-user client do not address the problem of spoofed messages sent out and appearing to come from (your) domain -- I'd rather see the spam and deal with it.
I routinely send messages to eBay, PayPal, Chase Bank and others who have active "abuse" departments hoping they will catch the spammers thus eliminating some of the problem.
Note: I am not administering the mail server, this is on a shared hosting server.
If mail is seriously disrupted, a few dollars for a related domain for mail purposes is money well spent; eg mail-oldname.com.
Protect the address using Quadrille's 24th Law:
Never place an undisguised email address on a web site.
It's just an invitation to spammers. Use a simple javascript snippet to obfuscate the address in the page code, while still appearing to visitors - and still working.
If you are concerned about those who will not use javascript (all 22 of them), then use an image. The downside is that some users will not bother to copy it, and it may also go out of date.
Note - this will not guarantee that spammers will not use your address - but it makes it much less likely. Unless you have an enemy!
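One way to do the javascript obfuscation described above, as an added example that is not code from the thread: the page ships only an array of reversed character codes plus a tiny decoder, and the working mailto link is rebuilt when the page loads. The address webmaster@example.com and the span id "contact" are constructed placeholders.

```javascript
// Added example, not from the thread. Run encodeAddress() once, offline,
// and paste the resulting array literal into the page; calling it inside
// the page would put the plain address straight back into the source.
function encodeAddress(address) {
  // Reversed character codes: a harvester grepping the page source for
  // "user@domain" patterns finds nothing to match.
  return Array.from(address).reverse().map(ch => ch.charCodeAt(0));
}

function decodeAddress(codes) {
  return codes.map(c => String.fromCharCode(c)).reverse().join('');
}

function mailtoMarkup(codes) {
  const addr = decodeAddress(codes);
  return '<a href="mailto:' + addr + '">' + addr + '</a>';
}

// This literal is what actually ships in the page (it decodes to the
// constructed placeholder webmaster@example.com).
const ENCODED = [109, 111, 99, 46, 101, 108, 112, 109, 97, 120, 101, 64,
                 114, 101, 116, 115, 97, 109, 98, 101, 119];

// In a browser: fill the placeholder <span id="contact"></span> (assumed
// to exist in the page) with the working link. Visitors without
// javascript see the empty span, which is the trade-off the post notes.
if (typeof document !== 'undefined') {
  const slot = document.getElementById('contact');
  if (slot) { slot.innerHTML = mailtoMarkup(ENCODED); }
}
```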
Spammers are using BCC insertion tricks to send spam out via unsuspecting and unprotected website forms. This could result in your domain name getting blacklisted.
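The check a form handler needs against that BCC insertion trick, as an added example that is not code from the thread: any field the mailer copies into a message header is rejected if it carries a carriage return or line feed, since that is what lets an extra "Bcc:" header be appended. The field names (name, email, subject) are assumptions about a typical contact form.

```javascript
// Added example, not from the thread. Header values may never span lines;
// a CR or LF in user input is how an extra Bcc: line gets injected.
function isSafeHeaderValue(value) {
  return typeof value === 'string' && !/[\r\n]/.test(value);
}

// Fields the (assumed) contact form copies into From:/Reply-To:/Subject:.
const HEADER_FIELDS = ['name', 'email', 'subject'];

function validateContactForm(fields) {
  const problems = new Set();
  for (const f of HEADER_FIELDS) {
    if (!isSafeHeaderValue(fields[f] || '')) problems.add(f);
  }
  // The reply address must be a single bare address: no whitespace,
  // angle brackets or list separators that would smuggle in recipients.
  if (!/^[^\s@<>,;]+@[^\s@<>,;]+\.[^\s@<>,;]+$/.test(fields.email || '')) {
    problems.add('email');
  }
  return { ok: problems.size === 0, problems: Array.from(problems) };
}

// Constructed sample submissions, not real form data.
const CLEAN = { name: 'John Public', email: 'john@example.org', subject: 'Hello' };
const INJECTED = { name: 'John Public', email: 'john@example.org\r\nBcc: x@example.net',
                   subject: 'Hello' };
```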
The site is 10 years old and the email addresses are well known. Most of the spam is a variation of actual valid accounts, i.e.:
john.public@domainxyz.tld (valid)
john-public@domainxyz.tld (spoofed)
Also, I see in the headers that where the valid mail server address is:
pop.domainxyz.tld (valid)
the spoofed messages use the following:
mailhost.domainxyz.tld (spoofed)
Sometimes the IP addresses match the actual IP of the server, other times they don't... the problem is many-fold.
It seems the large ISPs, (Verizon and Comcast so far) are buying into the spoofing and simply blacklisting the domain based on the "domainxyz.tld" portion of the address.
I spoke with the hosting company who "assures me", (yeah right) that the mail was not tossed or scanned by their server, and that if it was that it may possibly be because they have not received updated filter files from Symantec (they use Brightmail for filtering).
Anyway, I size it up to sheer volume of spam and spoofing and laziness on the part of the ISPs... it's easier to just add the domain to the blacklist and avoid 100 or 1000 or 1,000,000 complaints from their users who receive the spam/spoofed messages.
The sad part is, it is these large ISPs who are in the best position to track down and kill the spam --- they are simply "mowing down weeds and not pulling them out roots and all"... and as with gardening -- the weeds just grow back quicker, bigger and stronger.
I had the "catch all" set to collect up all the spam. Tonight I pulled 2000+ message off the server (after it maxed out the quota for that mailbox), and went through all the email looking for some patterns.
Here's some hints:
#1 - 1650+ messages contained the word erecxction (note spelling and add this word to your filters).
#2 - 250+ messages contained the word erection (correct spelling -- but unless you suffer from E.D. and discuss it by email, you should probably add it to your filters too).
#3 - links in HTML messages --- hey, they are sending spam hoping you will click a link and they can phish you, spam you more, or sell you something... set filters to can messages with embedded HTML which contain a link and the anchor contains "www." or "http://" (or [)...] and the HREF does not match the anchor.
NOTE: this only stops you from having to read the junk, but it got me thinking...
Here's a new business for someone with capability to handle large amounts of data and has lots of bandwidth:
Set up a server to accept ALL incoming mail. Allow ANYONE to set a catch-all forward to your server --- you will get millions of emails a day. Why would anyone do this? As I found in checking through 2000 messages, the bulk of them are very similar --- the person with this "send us your spam" server would have an incredible opportunity to catch or thwart spammers, spoofers and phishermen within minutes. They could charge a fee to ISPs, backbone providers and large site owners to report to them instantly when a bulk spammer uses their servers... maybe even catch a few in the act -- if nothing else they could sell filter lists and software.
If this is already available, let me know where I can forward my spam --- with the no catch-all we are bouncing back thousands of messages a day that contain a lot of good info...
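Hint #3 from the post above turned into a filter rule, as an added example that is not code from the thread: it scans an HTML message body for links whose visible anchor text looks like a URL ("www." or "http://") but whose href points at a different host, which is the phishing pattern the post describes. The two sample bodies are constructed; the function and variable names are assumptions.

```javascript
// Added example, not from the thread. Flags <a> tags whose anchor text
// reads as one host while the href actually goes somewhere else.
function hostOf(url) {
  // Host part of a URL or bare "www.host/path" string, lower-cased.
  const m = /^(?:https?:\/\/)?([^\/?#:]+)/i.exec(url.trim());
  return m ? m[1].toLowerCase() : '';
}

function findMismatchedLinks(html) {
  const re = /<a\b[^>]*\bhref\s*=\s*["']?([^"'\s>]+)["']?[^>]*>([\s\S]*?)<\/a>/gi;
  const hits = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const href = m[1];
    const anchor = m[2].replace(/<[^>]+>/g, '').trim();   // drop nested tags
    const looksLikeUrl = /^(https?:\/\/|www\.)/i.test(anchor);
    // Only a URL-looking anchor can lie about its destination; plain
    // text like "click here" is left to the other filters.
    if (looksLikeUrl && hostOf(anchor) !== hostOf(href)) {
      hits.push({ anchor: anchor, href: href });
    }
  }
  return hits;
}

// "can" in the thread's sense: bin the message rather than show it.
function shouldCan(html) {
  return findMismatchedLinks(html).length > 0;
}

// Constructed sample message bodies, not real mail.
const SPOOFED = '<p>Update your account at ' +
  '<a href="http://203.0.113.9/login">www.example-bank.com</a></p>';
const LEGIT = '<p>See <a href="https://www.example.org/news">www.example.org</a>' +
  ' and <a href="https://example.org/x">our site</a></p>';
```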