Forged from address

I got a cry for help from a fellow Norwegian whose domain had been used as the forged from address in a spam run. Since I’m acquiring more of an interest in e-mail spam these days, for various reasons, I decided to address that scenario.

First of all, if you’re drowning in bounces, chances are you’ve got catch-all set on your domain. You should familiarize yourself with your admin functions, and at least temporarily disable catch all (unless you’re as anally interested in statistics as I am…). I’ll post how to do that with cpanel, and maybe others will help us post howtos for other admin panels?

Disable catch-all e-mail in cpanel:

1. Locate and click on Default Address (cpanel comes with lots of different skins, so I can’t tell you exactly where that link is; it is usually along with the other mail controls).
2. Click on Set Default Address.
3. If you want the mail to silently disappear, write in:
   :blackhole:
   If you want mail to bounce, write in:
   :fail:
4. Click Change.

My skin also tells me I can route the mail to several addresses, which means I can receive the mail AND bounce it. Interesting…

But before you get this far, you should have set up POP3 mailboxes or forwarders for those addresses you actually use. Otherwise ALL mail will be lost. Most will probably have done this a long time ago, but some still only use catch-all.

OK, once you’ve freed yourself from the avalanche of bounce messages, it’s time to think about the damage:

Most domains will probably be misused this way at one time or another. Both of my oldest domains have been misused at least once. I don’t know if the spammers are even interested in how your mailserver is configured. Probably not. The point is deflecting the bounces to someone else, and making the mail seem more legitimate. So they won’t misuse your domain for a long period of time. Which brings me to the next point:

During the spamrun, some mailservers WILL blacklist your domain name. I’ve seen it happen, so I know it happens. Usually these are large servers with automated blocking systems and enough statistical material to actually make use of it. But as you’ll see from the bounces, the IP addresses are usually from all over the globe, and the HELO or message ID is usually faked (on the last such spamrun I had a chance to study in detail, the message ID was faked, while the latest virus to make the rounds uses a faked HELO).

And don’t sneeze at the number of bounces you could suffer from a forged from domain spamrun. If you’ve got catch-all, it could reach many thousand messages. I’ve got a mailbox with the combined mails from two domains misused in such a way (same time period), as well as other mail not addressed to any existing address. In the course of about 14 days, that mailbox numbers just over 8000 mails! (and the bounces are still coming in).

There’s one thing you can do to distinguish between spammers’ use of the domain and your legitimate users: Sender Policy Framework. I haven’t tested it out. It would require semi-clueful users… Any comments from other geeks on SPF?
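To make the SPF idea concrete, here is a small offline checker (an added example, not part of the original post; the domain, record and IP addresses are constructed). It evaluates a published SPF TXT record against the IP that delivered a message, which is how a receiving server can tell mail sent from the domain’s own server apart from a spammer’s forged from address.

```python
import ipaddress

# Constructed SPF record for a hypothetical domain (not from the post).
# Syntax: "v=spf1" then mechanisms, each with an optional qualifier:
# "+" pass (default), "-" fail, "~" softfail, "?" neutral.
RECORDS = {"example.net": "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Evaluate one SPF record against the IP that delivered the message.

    Only ip4/ip6 and all are evaluated so this runs offline; a real
    checker also resolves a, mx, include and exists through DNS
    (here they are skipped as non-matching). Returns one of
    pass / fail / softfail / neutral / none / permerror.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        if "=" in term:  # modifier such as redirect= or exp=; ignored here
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()  # strip "a/24" style prefixes
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed record
            if ip in net:  # False when address families differ
                return QUALIFIERS[qualifier]
        elif name not in ("a", "mx", "include", "exists", "ptr"):
            return "permerror"  # unknown mechanism
    return "neutral"  # nothing matched and no "all" term


def check_sender(mail_from, client_ip, records=RECORDS):
    """Look up the envelope sender's domain and evaluate its record."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    return "none" if record is None else check_spf(record, client_ip)
```

A message relayed unchanged by a third-party forwarder arrives from the forwarder’s IP, which the record does not list, so it fails exactly like the spammer’s bot does; that is the forwarding breakage SPF publishers run into.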

One last issue: Expect more incoming spam as a result of the spamrun. I see spam addressed to the forged addresses now.

5 Responses to “Forged from address”

  1. Paulo says:

    I believe the favored term is “joe job.” My last joe-job taught me about turning off catch-all forwarding, but the shocking part of it is how many people are answering their spam with angry replies or futile unsubscribe requests.

  2. kaeng says:

    Funny, I never thought of SPF as a tool for users to take advantage of. As it has to be implemented on DNS level, for me it always has been made for admins. But it makes sense. Client-side filtering can check DNS records too…

    I for my part am sending mail off a dialup host, which makes me quite unpopular with especially the bigger servers. When I heard about SPF I immediately added a TXT record to my domain’s DNS. Unfortunately I started using a smarthost at the same time, so I can’t tell if SPF makes a difference. Though I heard that AOL and MSN are using SPF themselves, so maybe they’re making use of SPF when receiving mail also.

  3. Administrator says:

    Paulo:
    I thought so too, but got corrected on NANAE. It’s a joe job when they do a spamrun FOR your domain (i.e., a link to your domain in the body of the message), but it’s forged from headers or forged from address when they have their own link in the mail but use your address.

  4. Armin says:

    Funny: I just mentioned that I’m experiencing something like this in my blog and someone sent me the link to this entry. Looking at the date I notice that this is a current entry, just one day after it started for me.

    Good timing ;-)

    I don’t want to turn off catch-all (yet) for other reasons, so I’ll have to wait and see how bad it gets. From Friday morning to Sunday lunchtime I had approx 230 bounces.

    The only thing I’m really worried about is potential blacklisting of the domain.

  5. Michel Arboi says:

    I use SPF for my personal domain. It breaks forwarding on badly configured servers (but the problem is not on my side); that’s the only problem I saw, and it is supposed to be addressed with STS, which is rather experimental.
    Unfortunately, few MTAs check SPF records, AFAIK.
