Blocking sending emails

Who uses my domain to spam?

         

duskdawn

1:23 pm on Oct 13, 2006 (gmt 0)


Hi guys,
I found in my spam folder many rejected emails, and the "from:" line is actually my domain, like abc@mydomain.com or xyz@mydomain.com. Obviously somebody is spamming using my domain. This is quite dangerous, I assume, so how can I stop any email sent without my authorization or from non-presigned emails? And how could this happen?
Thank you for your help.
I'm using cPanel for my hosting, btw.

Romeo

2:35 pm on Oct 13, 2006 (gmt 0)


Given that your server is configured safely and not sending spam:

... it is like in real life for the past 100 years: you can't stop anyone from writing down your name on an envelope as sender and dropping it into a letter box anonymously. Not in your own town, and not even in remote places like Shanghai or Timbuktu.

And how could this happen?

As I said above. You can write anything into the 'From:' field, be it your address, the address of 'Mickey Mouse', or my address.

Is it dangerous? Yes and no. Yes, if some uninformed people think *you* are spamming. No, because many people already know that 99% of all 'From:' lines in spam mails are faked.

Is it annoying? Yes, definitely.
If you get 10 or 100 of these during the day, you are lucky. Delete and forget. Others get 10000.

Can you do anything against it? Not much. You could add an SPF record to your domain's zone file, if you handle your domain's DNS stuff by yourself. Most web hosting providers may not offer this, though, and not many MTAs on the receiving end honour it at all. You may search for 'SPF DNS records' on search.yahoo.com or Google to learn more about that.

Kind regards,
R.

[edited by: Romeo at 2:38 pm (utc) on Oct. 13, 2006]

duskdawn

10:49 pm on Oct 13, 2006 (gmt 0)


Thanks for your reply.
This is strange because out of 10 of my sites, only this one is hooked by the spammer. I hope my domain will not be listed in a spam list because of this.

jtara

11:09 pm on Oct 13, 2006 (gmt 0)


It's an unfortunate artifact of the naively cooperative beginnings of the Internet (Arpanet at the time). Everybody was presumed to be "playing nice".

The from: field is nothing but an arbitrary text field that any sender can fill with anything.

There IS something you can do to partially prevent this: make sure you have an SPF DNS record.

The SPF record specifies what servers can originate your mail.

Use of SPF records is voluntary, but many large and small ISPs do observe them. Let's say your domain is example.com, and your email is all sent through your local ISP's SMTP server, smtp.myexampleisp.com. You put this in your SPF record.

Now, some AOL, Hotmail, etc. customer sends mail with a return address of spammer@example.com. AOL, etc. will look up the SPF record for example.com, and see that you only send mail from smtp.myexampleisp.com, and so will drop the mail on the floor or reject it.

In addition to egress control, SPF records can also be used for ingress control, so, again, many ISPs will check SPF records on incoming mail as well.

As time goes on, more and more ISPs will make use of SPF records.

It's not perfect. For example, any other customer of myexampleisp.com could send mail using your return address. But it can catch a lot of spam with forged domain names.

This is a subject near and dear to my heart, as I had this happen to me. I offered a reward, which was picked up by news services, and as a result found the culprit and disgorged his profits. (I like that word, "disgorged". It sounds like something much worse happened to him! :) )

For a decent explanation of SPF, see:

[en.wikipedia.org...]