Domain Spoofing
DPolley
12-14-2006, 11:47 AM
Someone has spoofed my domain name to send spam. I am getting hundreds and hundreds of bounce backs because of this.
Can anyone suggest a way of finding the culprit, shutting them down, or even just preventing it from happening again?
Any suggestions will be greatly appreciated.
Thanks,
DRP :(
You can't, unfortunately. Email was invented when the internet was a much nicer place and you could trust people to say they were who they really were. The only thing that you could really do is turn off catch-all so you're not getting all those returned emails. Also don't put your email in plain text on websites. Encode it or put it in an image. (You can get PHP to do this for you.)
Anyone in the world can send email that completely looks like they're you.
HM has SPF records set up for every customer they have. The default SPF record only allows the outgoing mailserver cluster, but they also allow you to have extra hosts added by calling customer service. But it's not really relevant. Why? It's kind of a chicken-and-egg thing. Hosts need to support having SPF records set on a widespread basis before people can reliably start blocking for it.
As I said, they have SPF records set up for all hosts on HM. Every single domain they host has an SPF record set. As you can see, this didn't stop this from happening. I don't expect to see SPF actually working for another 3-5 years.
What it really boils down to is that the entire email protocol is kinda messed up. There's the "To" and "From" fields in the email headers, and then there's the envelope to and envelope from address. Mailservers keep track of this information as they're sending the email between each other, but they (mostly) never actually put the envelope information into the headers. In fact, according to the mail protocols, you don't even have to have a valid To or From header. You can put "From: cows" and "To: basketball" if you want, and the mail should still be delivered if you're playing by the rules the RFCs say you should.
SPF kind of works to fix that, but it's really the wrong solution. I feel that the only way we'll really get around it is to replace the Email protocols altogether and just start from scratch on a new, secure protocol which guarantees that you are exactly who you say you are. That, of course, is never going to happen.
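The SPF and envelope-versus-header point above, as an added example that is not code from the thread or from the host discussed: a minimal offline evaluator for a v=spf1 record (the sample record, IPs and the stand-in A-record table are constructed; include:, mx: and redirect= are skipped because they need live DNS). SPF is checked against the connecting IP and the envelope MAIL FROM domain, which is why the header "From:" can still say anything.

```python
import ipaddress

# Constructed sample record: the shape a host's default SPF might take,
# allowing only its outgoing cluster and one named host, failing all else.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 a:mail.example.net -all"

# Hypothetical stand-in for DNS A lookups so the example runs offline.
SAMPLE_A_RECORDS = {"mail.example.net": ["192.0.2.10", "198.51.100.7"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip, a_records=SAMPLE_A_RECORDS):
    """Evaluate an SPF record for the connecting IP (the envelope side of SMTP).

    Returns one of pass / fail / softfail / neutral, or "none" when the TXT
    string is not an SPF record. Mechanisms needing DNS are skipped here.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # ip_network membership is False across IPv4/IPv6 versions.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "a":
            for addr in a_records.get(arg, []):
                if ipaddress.ip_address(addr) == ip:
                    return QUALIFIERS[qualifier]
        # include:, mx:, exists: and redirect= would require DNS; skipped.
    return "neutral"  # no mechanism matched and no "all" terminated the record
```

A receiver that gets "fail" for a message whose MAIL FROM is your domain can reject it before a bounce is ever generated, which is the only point at which SPF helps with the backscatter described in the thread.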
shadmego
12-14-2006, 12:26 PM
I remember reading something about this very thing a few weeks ago. It's a shame I can't remember what it said though. I do recall a few things they said to consider:
Spammers often spoof domains arbitrarily (a.k.a. guessing) and if you are getting returned mail you didn't send, this might be the cause
Your site could have contracted a worm or something similar that has set up shop and is using your site as a mail relay.
The server could have the same thing, in which case, all accounts are being affected (most likely) in the same manner.
There was more, but I can't remember everything. Since you said you are getting hundreds and hundreds of returned emails, I believe you should take this up with support and have them look at the logs. They may be able to pin down a rogue process, or at least tell you if all those emails are being sent from your site or not.
I am not sure if it is possible to find those that are spoofing your domain or not. It's kind of like trying to find a real IP address from a spoofed one.
regards,
Shadmego
shadmego
12-14-2006, 12:33 PM
...
I feel that the only way we'll really get around it is to replace the Email protocols altogether and just start from scratch on a new, secure protocol which guarantees that you are exactly who you say you are. That, of course, is never going to happen.
...
Actually, it is available today in the form of digital signatures. If you are using them, once the email is sent, ANY change to either the header, body, or any attachments is going to be noticed, and noted, by the signature. The receiver will then know not to trust the email and can safely discard it.
Like you alluded to though, people want easy. Though once set up, digital signatures are relatively easy, they are kind of difficult to set up. Add to that you should really know at least the basics of how they work before you can use them well and you get a technology that can go a very long way in combating spam, but can wind up costing a small fortune (if you are a medium-sized company).
One thing I love about Hostmonster is that they offer free GnuPG keys (signatures) for all email addresses in each account. I only wish we had a webmail client other than Horde that supported them.
~regards,
Shadmego
sjlplat
12-15-2006, 09:03 AM
I recently was bombarded with spam as well. I compiled a list of all the URLs used in the spam and added them to the blacklist in Spamassassin, then disabled the catchall.
I think a script could be written to collect URLs from a catchall address and automate the process of blacklisting them. Legitimate email containing URLs has a low likelihood of being delivered to the wrong address, and only the URL would be blacklisted rather than the sender's email address or SMTP server address. The same could be done for embedded images, which are the current trick of the trade for phishing scams.
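The script sketched above, as an added example that is not sjlplat's or the thread's own code: pull the hostnames of http(s) URLs out of messages collected at a catch-all and emit SpamAssassin local.cf "uri" rules for them (the rule names, score and sample messages are constructed; the rules match URLs in message bodies only, so the sender's address and server are left alone, as the post intends).

```python
import re
from email import message_from_string

# Constructed sample messages standing in for mail caught at a catch-all address.
SAMPLE_MESSAGES = [
    "From: sales@example.org\nSubject: Deals\nContent-Type: text/plain\n\n"
    "Visit http://cheap-pills.example/buy now or http://cheap-pills.example/more\n",
    "From: news@example.org\nSubject: Hi\nContent-Type: text/plain\n\n"
    "See https://tracker.example:8080/img.gif?id=1 and ftp://not-a-web-url\n",
]

# Hostname of an http or https URL; the port and path are deliberately dropped.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def extract_domains(raw_message):
    """Return the set of hostnames of http(s) URLs found in a message's text parts."""
    msg = message_from_string(raw_message)
    found = set()
    for part in msg.walk():  # walk() also yields a non-multipart message itself
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        found.update(host.lower() for host in URL_RE.findall(body))
    return found


def spamassassin_rules(domains, score=5.0, prefix="LOCAL_CATCHALL_URI"):
    """Emit local.cf lines: one Perl-style 'uri' rule per domain, plus describe/score.

    Rule name prefix and score are assumptions, not SpamAssassin defaults.
    """
    lines = []
    for n, domain in enumerate(sorted(domains), 1):
        name = f"{prefix}_{n}"
        lines.append(f"uri {name} /{re.escape(domain)}/i")
        lines.append(f"describe {name} URL seen in spam caught by catch-all: {domain}")
        lines.append(f"score {name} {score}")
    return "\n".join(lines)


if __name__ == "__main__":
    seen = set()
    for raw in SAMPLE_MESSAGES:
        seen |= extract_domains(raw)
    print(spamassassin_rules(seen))
```

Review the generated list before appending it to local.cf: a legitimate shared host or link shortener appearing in one spam sample would otherwise penalise every message that links to it.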
welcomesite
12-28-2006, 05:26 AM
I've been suffering from this with a few of my domains for years.
Like RDM says, all you can do is remove the default email catchall
and create a separate redirect for each email address you wish to use.
When a spammer starts using one of the addresses, change it and delete the old one.
I wish they'd go after spammers and lock them up.
shadmego
01-24-2007, 07:58 PM
I've been suffering from this with a few of my domains for years.
Like RDM says, all you can do is remove the default email catchall
and create a separate redirect for each email address you wish to use.
When a spammer starts using one of the addresses, change it and delete the old one.
I wish they'd go after spammers and lock them up.
Would you mind stepping through this and explaining how this works to stop your domains from being used for spam?
~regards,
Shadmego
TCLynx
01-09-2008, 09:35 AM
shadmego,
I don't think it stops the domain from being used for spam, it just stops the bounce back e-mails from filling up your box and wasting your time.