Spam problem


seppoman

Hi all,

I've got a way off-topic question ::)

My main domain ("lastname".net) seems to have found its way to some spam bot. In the last weeks I'm getting an increasing amount of non-delivery notifications, out-of-office replies and content-rejection mails to randomly generated jkhgskjgfagk@.... mail addresses. My mail is (still) configured to forward any mail to my domain, because I used various email addresses for subscribing to newsletters etc. (to be able to block addresses when there's no way to unsubscribe or if a company sells them to spammers). Because I want to receive most of these newsletters, I didn't block mail forwarding yet and just made a filter to put all the different addresses into a separate folder so that I can collect used addresses before switching off.

But after I was away for two days last weekend, I found 1200 mails in my inbox, and every hour around 50 mails are coming in, so now is the time to do something about it...

What I want to ask: am I in danger of getting sued falsely for distributing spam/viruses and so ought to do more than just blocking unused addresses? Can I do anything else at all? Can it happen that because of this my domain gets blacklisted as a whole so that my normal mails wouldn't reach their recipients anymore? I don't want to give up this domain just because of some criminal assholes...

HELP! :)

Seppoman


This sounds like your server allows relay to anonymous clients, aka it's an open relay. It's one of the first things we turn off with all our web-facing mailservers because you can be sued, as you are considered responsible for ensuring the legality of data transferred to your server.

You should be able to disable relaying without stopping you from receiving mail for different domains and addresses. What server is it?


haha, welcome to the club :)

I experienced this some months ago and I'm really sorry to say this: the only help for me was to disable the catchall and to set up a hundred forwarders, 'cause I also used an emailing-address system where I could track down the filthy mail-traders*.

But apparently there are so many idiots clicking on "I'm not there, address is wrong" buttons in their mail proggies and amateur-admins setting up bouncers, that this becomes a huge problem, 'cause the spam is answered with spam to the wrong senders.

I don't think you will get blacklisted or sued, 'cause anyone can send mail with faked addresses and IMHO that's the case here (there are even some anonymous mailer programs in the internet... though to the ones that want to use this: you're not anonymous, if you don't know exactly how to use these ;) )

I remember that time when there have been these ugly Nazi-Virus mails around with faked sender-addresses. That's been really disgusting. :(

I wish you a nice anti-catch-all-forwarding-typing-session ;D hehe...

Cheers!

Michael

* I have to admit that 99% haven't given away my address. And I guess the 1% where I got spam are virus-victims that got their address-book robbed...


> I'm getting an increasing amount of non-delivery notifications, out-of-office replies and content-rejection mails to randomly generated jkhgskjgfagk@....

so obviously there's a database of known domain-names - and spammers use these as faked sender addresses. I don't think they are using the SMTP of the servers. They just fake the sender. If they'd hijack the SMTP, it wouldn't be xyzwroxsw@... but rather a valid username, wouldn't it?

Cheers,

Michael


Hi guys

It is probably just faked sender addresses, rather than an open relay.

I had this problem in a big way, at the worst getting thousands of non-delivery messages per hour.  :(

As for getting sued, as long as you make a documented effort to ensure you're not funding an open relay you have probably covered yourself legally. It all depends on local law.

So far nobody has stepped up to sue me over this, and save a few clueless admins* people seem to understand what is going on.

On blacklisting, you can safely assume it has already happened.

Mail sent from my domains has little chance of even being seen by people using larger providers... A huge issue for me if I can't reply to an email.

I never imagined that I would need gmail just to get a message out. 

Turning off the catch-all and defining the forward(s) is very good advice, after you do this your server will correctly bounce all of the undeliverable messages, "Clue sticking" those sysadmins that your address was forged.  That will greatly reduce your odds of further blacklisting.

* Clueless admins: A few of them were so green that they did not realize my domain was forged, proceeded to yell at and threaten me... not smart at all considering their own open relays could set them up for legal liability.

Very interested in how this plays out on your end Seppo....

Best

Smash


oh, and btw:

do you know http://www.spamgourmet.com/  ?

I'm using this for a while now since I can't use my own specialized addresses without hassle anymore and I really like this service :)

If, for example, you register with the name johnsmith and enter your normal email address at spamgourmet, then your basic spamgourmet address is johnsmith@spamgourmet.com and messages get forwarded to your normal pop account.

Now you want to download a driver from Microsoft, but are forced to register; you simply choose the address microsoft.10.johnsmith@spamgourmet.com and you get exactly 10 messages forwarded from spamgourmet and will never hear from m$ again after the 10th mail ;D

Of course you might also type microsoft.1.johnsmith@spamgourmet.com and you only get a single mail ;)

Cheers,

Michael


Hi guys,

thanks for your comments! It doesn't look like an open relay on my side - the domain is hosted at 1&1 (the largest service in Germany), I can't imagine they could afford having open servers. And some of the bouncing mails have full headers showing different (often Polish) originating servers.

I just turned off the catch-all and made a few forwards. Don't know if I've got all newsletter addresses, but if I don't notice something's missing, it was probably not important anyway... So my inbox has peace again for now and I hope my normal address is not blacklisted yet...

Thanks again,

Seppoman


Yeah, this is the classic combo:

- catch-all email system so that you get everything going to @yourdomain.com

- spammers forging addresses from yourdomain

- admins configuring their email systems to bounce spam instead of just directing it to /dev/null

Fortunately you don't need to worry about being blacklisted.  Anyone who actually handles the blacklists will check the IP address of the spammers, and not the forged addresses.

The downside is that this ruins the catchalls to a certain extent.  Either set up lots of forwarders (in my case this requires remembering which "username" portions of the address that I have used over the past 5 years while signing up for crap online), or run SpamAssassin (or some other filter) on your mail server.  I'm lazy, so right now SpamAssassin plus Thunderbird's spam filter is filtering the vast majority of my spam.  I get maybe two or three messages per day that I have to manually delete.

Unfortunately this doesn't address the issue of spam hitting your mail server in the first place...
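To go with the catch-all versus forwarders discussion in this thread, here is an added example (my own illustration, not code from any poster) of how you could audit a mailbox dump before switching the catch-all off. It sorts each mail into "goes to a forwarder I define", "backscatter to an address I never used" or "real mail to an address I forgot to list". The domain example.net, the forwarder list and the four raw messages are constructed stand-ins; bounces are recognised by the usual signs (empty Return-Path, MAILER-DAEMON/postmaster sender, a delivery-status report body, or an Auto-Submitted header).

```python
"""Audit a mailbox for backscatter before turning off a catch-all.

Added example for this thread, not code from any poster. The domain, the
forwarder list and the raw messages are constructed stand-ins.
"""
import email
import re
from email.utils import parseaddr

MY_DOMAIN = "example.net"                     # stand-in for "lastname".net
KNOWN_FORWARDERS = {"seppo", "newsletter-a"}  # hypothetical: addresses really used

# Envelope senders that almost always mean "this is a bounce".
BOUNCE_SENDER = re.compile(r"^(mailer-daemon|postmaster)@", re.I)


def is_bounce(msg):
    """True if the message looks like an NDR or an auto-reply."""
    null_return_path = msg.get("Return-Path", "").strip() == "<>"
    daemon = bool(BOUNCE_SENDER.match(parseaddr(msg.get("From", ""))[1]))
    dsn = (msg.get_content_type() == "multipart/report"
           and msg.get_param("report-type", "", header="content-type")
           == "delivery-status")
    auto = msg.get("Auto-Submitted", "no").strip().lower() != "no"
    return null_return_path or daemon or dsn or auto


def classify(raw):
    """Which local address a mail came in on, and whether it is backscatter."""
    msg = email.message_from_string(raw)
    rcpt = parseaddr(msg.get("Delivered-To") or msg.get("To", ""))[1].lower()
    local, _, domain = rcpt.partition("@")
    known = domain == MY_DOMAIN and local in KNOWN_FORWARDERS
    return {"rcpt": rcpt, "bounce": is_bounce(msg), "known": known}


def audit(raw_messages):
    """Summarise what a forwarder-only setup would do with each mail:
    keep (to a defined forwarder), backscatter (bounce to an address we never
    used, rejected), or unknown_locals (real mail to a local-part not in the
    list: candidates the owner may still want to add as forwarders)."""
    summary = {"keep": 0, "backscatter": 0, "unknown_locals": set()}
    for raw in raw_messages:
        c = classify(raw)
        if c["known"]:
            summary["keep"] += 1
        elif c["bounce"]:
            summary["backscatter"] += 1
        else:
            summary["unknown_locals"].add(c["rcpt"].partition("@")[0])
    return summary


# Constructed sample messages (not real mail).
SAMPLES = [
    # NDR to a made-up local-part: null envelope sender plus a DSN body
    """Return-Path: <>
From: MAILER-DAEMON@mx.remote.example
To: jkhgskjgfagk@example.net
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The message could not be delivered.
--b1--
""",
    # out-of-office reply to another made-up local-part
    """From: jane@corp.example
To: qwzrtpx@example.net
Auto-Submitted: auto-replied
Subject: Out of office

I am away until Monday.
""",
    # newsletter to an address the owner really uses
    """From: news@list.example
To: newsletter-a@example.net
Subject: Weekly issue

Hello subscriber.
""",
    # ordinary mail to a local-part not (yet) in the forwarder list
    """From: orders@shop.example
To: oldshop@example.net
Subject: Your order

Thanks for ordering.
""",
]

if __name__ == "__main__":
    print(audit(SAMPLES))
```

Run it over a folder export and the "unknown_locals" set is exactly the list seppoman wanted to collect before switching off: the local-parts real mail still arrives on that are not yet forwarders. The bounce test is deliberately permissive; a misdetected bounce only costs a second look at that one mail, while a missed one costs nothing the catch-all was not already costing.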


Ahhh OK. I think I'm too used to the hosting/admin side of things from work, and when you said they were NDRs... Yeh :P

As far as stopping the emails hitting your server, you can only really check the headers, and take action against the host sending them. You might want to ask your host if they can assist in this matter, and the police... But in the end, you might not have any luck, if the spamming host is not in a country which cooperates with others on these matters.

This won't stop NDRs of mail sent with faked reply-to addresses unfortunately :(
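The "check the headers" step mentioned in this thread, as an added example (my own, not code from any poster). It walks a mail's Received: chain from the receiving site's own relays outward and reports the first client that is not one of them, which is the machine that actually injected the mail and the right address for an abuse report. The point it makes is the one the clueless-admin stories above illustrate: every Received: line below that hop was supplied by the sending machine and can name any innocent host, so reading the bottom-most line (or the From address) blames the wrong party. The relay addresses, TRUSTED_RELAYS (standing in for the hosts the receiving provider runs) and the sample message are all constructed.

```python
"""Locate the injecting host in a mail's Received: chain.

Added example for this thread, not code from any poster. The relay addresses
and the sample message are constructed; TRUSTED_RELAYS stands in for the
hosts the receiving provider itself runs.
"""
import email
import ipaddress
import re

# Relays we know wrote honest Received: lines (hypothetical). Every line
# below the first untrusted hop was supplied by the sending machine and
# may be forged to point at an innocent third party.
TRUSTED_RELAYS = {"203.0.113.10", "203.0.113.11"}

# Classic form: "from helo-name (rdns-name [1.2.3.4]) by our-host ..."
CLIENT_IP = re.compile(r"\bfrom\b.*?\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]", re.I)


def hop_ips(raw):
    """Client IP of each Received: header, newest (closest to us) first.
    None where the header carries no parsable address."""
    msg = email.message_from_string(raw)
    ips = []
    for value in msg.get_all("Received", []):
        m = CLIENT_IP.search(" ".join(value.split()))   # unfold, then match
        try:
            ips.append(str(ipaddress.ip_address(m.group(1))) if m else None)
        except ValueError:
            ips.append(None)
    return ips


def originating_ip(raw):
    """Walk outward from our own relays; the first client that is not one of
    them is the host that injected the mail. Anything beyond it is hearsay."""
    for ip in hop_ips(raw):
        if ip is None or ip in TRUSTED_RELAYS:
            continue
        if ipaddress.ip_address(ip).is_loopback:
            continue
        return ip
    return None


# Constructed sample: the spam that provoked a bounce, as the receiving site
# (example.org, relays 203.0.113.x) stored it. The last Received: line was
# written by the spammer's own machine and points at an uninvolved host.
SAMPLE = """Return-Path: <jkhgskjgfagk@example.net>
Received: from mx2.example.org (mx2.example.org [203.0.113.11])
    by mx1.example.org with ESMTP id 1A2B3C
    for <someone@example.org>; Mon, 01 Jan 2007 10:00:02 +0000
Received: from ms.bigmail.example (unknown [198.51.100.77])
    by mx2.example.org with SMTP id 4D5E6F; Mon, 01 Jan 2007 10:00:01 +0000
Received: from mail.bigmail.example (mail.bigmail.example [192.0.2.5])
    by ms.bigmail.example; Mon, 01 Jan 2007 09:59:00 +0000
From: jkhgskjgfagk@example.net
To: someone@example.org
Subject: hello

forged sender on a domain that merely has a catch-all
"""

if __name__ == "__main__":
    print(hop_ips(SAMPLE))          # ['203.0.113.11', '198.51.100.77', '192.0.2.5']
    print(originating_ip(SAMPLE))   # 198.51.100.77
```

For an original message quoted inside a bounce you receive, put the bouncing site's relays into TRUSTED_RELAYS instead, since those are the hosts that wrote the top of that chain; the domain in the From line and the bottom Received: line tell you nothing reliable, which is exactly why bouncing to the forged sender is the wrong thing for an admin to do.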
