This is a discussion on Spammers using my domain in the Shared & Semi-Dedicated forum

  1. #1
    JPC Member
    Join Date
    Jul 2004
    Posts
    5

    Spammers using my domain

    Someone is using my domain to send out virus-infected spam, as I am receiving dozens of bounced email messages.

    Is there any way I can prevent this? I run a small business, and I am afraid of the PR damage it may be doing.

  2. #2
    Rye Seronie Oh (coin operated boy)
    Join Date
    Mar 2005
    Location
    Crosby, TX
    Posts
    125
    Are they actually using YOUR server or are they just forging the address and sending? It's probably more of forging rather than them actually going through your mailserver. You could post the mail headers from the message to make sure that they're not going through your mail server.

    About the PR though... There really isn't anything you can do other than tell your clients that you're not responsible for it. If someone is using that address, you would have to track them down and then contact their ISP. I used to get virus and spam emails to myself from my own email address a while back. I changed addresses since then.

    It's very easy for a spammer or something to just pick up your address from the web and use it to send out junk...
    Ryan Ottele
    Web: http://www.sparkeh.com/
    Mail: ryan.ottele[[@]]gmail.com

  3. #3
    JPC Member
    Join Date
    Jul 2004
    Posts
    5
    I think they are just forging the address. Here is the header from the latest message:

    X-Persona: <Family Treks - Suzette>
    Return-path: <>
    Envelope-to: hostmaster@family-treks.com
    Delivery-date: Wed, 04 May 2005 04:38:08 -0500
    Received: from [24.29.99.40] (helo=nycmx01.mgw.rr.com)
    by excelsior.nocdirect.com with esmtp (Exim 4.44)
    id 1DTGKV-0001x7-SA
    for hostmaster@family-treks.com; Wed, 04 May 2005 04:38:08 -0500
    Received: from localhost (localhost)
    by nycmx01.mgw.rr.com (8.12.10/8.12.8) id j449cCjS028991;
    Wed, 4 May 2005 05:38:12 -0400 (EDT)
    Date: Wed, 4 May 2005 05:38:12 -0400 (EDT)
    From: Mail Delivery Subsystem <MAILER-DAEMON@nycmx01.mgw.rr.com>
    Message-Id: <200505040938.j449cCjS028991@nycmx01.mgw .rr.com>
    To: <hostmaster@family-treks.com>
    MIME-Version: 1.0
    Content-Type: multipart/report; report-type=delivery-status;
    boundary="j449cCjS028991.1115199492/nycmx01.mgw.rr.com"
    Subject: Returned mail: see transcript for details
    Auto-Submitted: auto-generated (failure)


    The original message was received at Wed, 4 May 2005 05:38:00 -0400 (EDT)
    from 69-174-9-65.chvlva.adelphia.net [69.174.9.65]

  4. #4
    jason (Community Leader)
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    A recent tactic, but one that is quickly becoming more common, in the virus propagation "game" is to send infected emails that look like they are bounces when they really aren't. The idea behind it is that a recipient will see the bounce message and say "what's this?" and open the infected attachment hoping to find out why they got it. So these may not be actual bounces from someone forging your domain, they could very well be virus infected emails disguised as bounces. Unfortunately virus writers are among the most sophisticated of programmers, so it can be very difficult to tell if these are the result of header forging or not.

    Regardless, as Rye pointed out, if these are the result of forged headers, it can be pretty much impossible to track down, especially since many spammers are using distributed methods to send their spam from multiple computers on different ISPs. If you looked at the headers of 20 of those messages, I'd bet you'd find they originated from 20 different places.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  5. #5
    Connie (Old Hillbilly)
    Join Date
    Sep 2001
    Location
    Hills of Missouri
    Posts
    2,648
    Quote Originally Posted by jason
    A recent tactic, but one that is quickly becoming more common, in the virus propagation "game" is to send infected emails that look like they are bounces when they really aren't.
    I have seen a lot of that as well. For about 2 weeks I was getting 3 or 4 a day.

    Another possibility is a client has picked up a virus that is sending virus infected e-mail with various forged headers that are in their address book.

    Forum Moderators - Jag Staff

    Spam Whackers Blog - Dedicated to fighting Spam and providing General SEO Tips
    Organize your Kitchen or purchase Kitchen Accessories at Condells
    Ihelpyou Forum - Dedicated to "Best Practices" SEO

  6. #6
    Vin DSL (Yeah, I know a LOT!)
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Okay... you picked a snappy title... now is the time to speak my mind... been biting my 'tongue' for a week...

    E-mail at these mass web hosters sucks! It isn't Jag's fault. It isn't your fault. It's just the way it is. What 'you' (collectively) need to do is forget about using your account, on some shared server, as a basis of your e-mail communication.

    Personally, I have NEVER used e-mail at my web host (and I've had many) for anything important. To do so is silly, in my humble estimation. Doing so is just asking for trouble. This has been borne out over 'n over again since I've been on the web.

    I don't feel like belaboring the point, so let's simply talk about 'blacklisting', which has nothing to do with THIS discussion, but is forefront on my mind, at this moment in time.

    Amongst my many mail accounts, I have a couple on Google G-mail. I also have one on Yahoo, and another on Lycos U.K., et cetera. Do you think some RBL dick is going to 'blacklist' any of these places, no matter what happens? So, I keep my important mails there, there, and there, not HERE at my mass web host, which is regularly crapped on with impunity. This place could go belly-up tomorrow, and I wouldn't miss a beat...

    So, forget using JagPC for mail. Dog sh!t and bare feet don't get along! Maintain your important mail accounts elsewhere, and you will be much happier in the long run...
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  7. #7
    Connie (Old Hillbilly)
    Join Date
    Sep 2001
    Location
    Hills of Missouri
    Posts
    2,648
    Boy Vin you must have got up on the wrong side of the bed today. Have some red dogs
    It appears to me from your last 2 posts that you are in withdrawal.


  8. #8
    jason (Community Leader)
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    Wow, hate to agree with a useless post like Vin's, but I kinda have to. Unfortunately this is kind of off topic, too. My experience with mass web hosts shows that email is often a secondary priority. Web hosts sell web space; they host websites. Email goes hand-in-hand with websites, but you probably didn't make your choice to host with JPC because they offered a nice email package. It is like buying a car just because it has a good radio--you expect there to be a radio in a car you buy off a lot, but you don't expect it to be a top of the line model.

    Like Vin said, it isn't likely that a service like Gmail, AOL, or Yahoo is going to get blacklisted, even though tons of spam probably goes out from them. Conversely mass web hosts are probably highly targeted because of the ease of setting up an account with one and using it for spam. Also you can be pretty much assured that the service is going to be there when you need it and that a server failure isn't going to mean that incoming mail might get lost. However, (and this is where I stop agreeing with Vin) if you are running a business, it looks a lot more professional if your business communiqué is coming from your own domain and not mybiz1234@gmail.aol.hotmail.com, not to mention most of the free mail services prohibit you from using their services for anything of a commercial nature, so there is still a lot of merit to using your JPC email.

    If you are using your mail for business purposes and you need better features and/or reliability than your mass web host gives you, there are several companies around that offer email hosting services. I have clients who use mass web hosts for their sites, but source their email to a different provider so that they can have an Exchange server and the groupware benefits of Outlook/Exchange. It's easy to do if you have the need and the cash.

    OK, I realize this has nothing to do with the original point of virus email bounce messages, but I had to add my 2 cents. In actuality, this side discussion has nothing to do with the original topic--there is nothing to stop someone from forging headers to send messages from your Gmail (or other email service account), nor is there anything to keep someone from sending you fake bounce messages to those services (although they may have spam/virus blocking features that delete these before you see them [you can set up SpamAssassin on your JPC server to do the same thing if you want]).

    On that note, I think it is time to call it a night.

    --Jason

  9. #9
    Vin DSL (Yeah, I know a LOT!)
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Hrm...

    I was doing a little checking and family-treks.com is 'clear' in the RBL's, so I wouldn't worry about it. I get tons of bogus 'bounces' at Yahoo - always have.

    What IS somewhat problematic, maybe, sorta, kinda, is 'your' (shared) cert is about to expire. That is, if you use 'secure55.nocdirect.com' for SSL, it expires in 42 days.

    I wonder if JagPC is aware of this...

  10. #10
    Vin DSL (Yeah, I know a LOT!)
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Just curious...

    Are most of these bounces coming from Roadrunner (rr.com)?

  11. #11
    Gwaihir (the Windlord)
    Join Date
    Jun 2002
    Posts
    2,562
    There is something you can do: tracking them down to the source isn't all that impossible. Usually a bounce has the original message (or at least the start of it, headers included) attached. You can copy-paste that right into SpamCop, reporting the spam in that way, adding a note about them abusing your domain as the from in the comments.

    In the info SpamCop gives you, you find the ISP/hosting provider where it originated, so you could try to follow up in a more elaborate way, but I don't think that will do you any good. Either the hosting provider is a good one and will throw the spammer off their systems based on your SpamCop report, or they won't bother acting anyway, whatever fuss you kick.
    Regards,

    Wim Heemskerk
    ---
    Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
    And Gwaihir.net - The Middle-earth CCG store

  12. #12
    JPC Member
    Join Date
    Jul 2004
    Posts
    5

    Bounced messages

    I don't see anything from RoadRunner. In one of my earlier posts are the headers from the most recent one.

    Pardon my ignorance, but what does this mean:

    Quote Originally Posted by Vin DSL
    What IS somewhat problematic, maybe, sorta, kinda, is 'your' cert is about to expire. That is, if you use 'secure55.nocdirect.com' for SSL, it expires in 42 days.

    Is there something I should do?

  13. #13
    Rye Seronie Oh (coin operated boy)
    Join Date
    Mar 2005
    Location
    Crosby, TX
    Posts
    125
    The SSL thing is something that JaguarPC has to resolve. They own the certificate for the server.

  14. #14
    jason (Community Leader)
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    Quote Originally Posted by FamilyTreks
    I don't see anything from RoadRunner. In one of my earlier posts are the headers from the most recent one.

    When you look at the headers of an email, look for the "Received: from ... by ..." lines to determine the path that the message took to get to you. There will usually be at least two of these, one added when the message leaves the sender's computer and one when it goes from the sender's server to yours. Generally the lowest one in the list identifies where the message originated.

    In the case of the headers you posted, the message originated from "localhost." This is actually an illegal entry as far as email standards are concerned because the sending host should identify itself with either a host name or an Internet-reachable IP address. This leads to my suspicions that this is a spam message and that the sender is trying to cover his tracks.

    Note the next part of this header: " by nycmx01.mgw.rr.com (8.12.10/8.12.8)"--this shows the server that the message was sent to, in this case a server in the "rr.com" domain, or RoadRunner, likely in the New York City area (from the nycmx01 portion of the address). The part in parentheses is not valid, though. This should be the IP address of that server. IP addresses consist of four sets of numbers from 0-255 each, not three, and there should be no other characters besides periods in the address. Plus, since this is a RoadRunner server the IP should start with 24. Again, this invalid address is obviously forged and leads me to believe the message is spam. The server is a real server with the IP 24.29.99.40 and it did transport the message (as evidenced by the other Received: header which shows this RoadRunner server connecting to your JPC server).


    Quote Originally Posted by FamilyTreks
    Pardon my ignorance, but what does this mean:

    What IS somewhat problematic, maybe, sorta, kinda, is 'your' cert is about to expire. That is, if you use 'secure55.nocdirect.com' for SSL, it expires in 42 days.

    Is there something I should do?


    No, there's nothing you need to do. This is just the certificate that enables you to make secure web connections to your server. It has nothing to do with the issue we are discussing. JPC will probably install a new certificate sometime between now and when it expires. Don't worry about it.

    --Jason
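Walking the Received: chain bottom-up the way Jason describes, as an added example that is not code from this thread: it parses the bounce headers posted in #3 (embedded as a constructed sample) and flags the hop whose client is named only as "localhost". The loopback/private-address check and the literal-IP check are my additions; the sendmail version string in parentheses is not examined.

```python
import email
import re

# Constructed sample: the Received: chain from the bounce headers posted in #3
# (continuation lines start with whitespace, as in the original).
BOUNCE_HEADERS = """\
Received: from [24.29.99.40] (helo=nycmx01.mgw.rr.com)
    by excelsior.nocdirect.com with esmtp (Exim 4.44)
    id 1DTGKV-0001x7-SA
    for hostmaster@family-treks.com; Wed, 04 May 2005 04:38:08 -0500
Received: from localhost (localhost)
    by nycmx01.mgw.rr.com (8.12.10/8.12.8) id j449cCjS028991;
    Wed, 4 May 2005 05:38:12 -0400 (EDT)
Subject: Returned mail: see transcript for details

"""

# "from <host> (<comment>) by <host>"; the parenthesised comment is optional.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IPV4_LITERAL = re.compile(r"\[\d{1,3}(?:\.\d{1,3}){3}\]")
# Loopback and RFC 1918 names/addresses cannot be a real Internet origin.
NOT_ROUTABLE = re.compile(
    r"^(localhost$|127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)", re.I)

def parse_hops(raw_headers):
    """Received: hops in chronological order. Each MTA prepends its own line,
    so the bottom line of the header block is the origin hop."""
    msg = email.message_from_string(raw_headers)
    hops = []
    for line in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(line)
        if m:
            hops.append({"from": m["from"], "by": m["by"], "raw": line})
    return hops

def hop_findings(hop):
    """Reasons to distrust what this hop says about the connecting client."""
    findings = []
    if NOT_ROUTABLE.match(hop["from"].strip("[]")):
        findings.append("client named as loopback/private host: not Internet-reachable")
    if not IPV4_LITERAL.search(hop["raw"]):
        findings.append("receiving MTA recorded no literal IP for the client")
    return findings

if __name__ == "__main__":
    for hop in parse_hops(BOUNCE_HEADERS):
        print(hop["from"], "->", hop["by"], hop_findings(hop) or "nothing odd")
```

Only the hop recorded by your own server (the top line) is trustworthy; everything below it was written by machines you do not control and can be fabricated, which is why the origin of a forged bounce is usually not recoverable from the headers alone.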
