Domain intentionally targeted by mail spammers
I got an e-mail that I thought was interesting enough to use here, along with my reply. Munged, of course:
I need some help tracking down a spammer, and I found your site, and I was wondering if I could hire you to help me solve this problem.
I’m being attacked intentionally (for reasons that are not clear) by a spammer who is using some of my domains as their forged return address, causing me to be overwhelmed by bounces.
I know they are targeting me specifically, because I just added SPF to the main domain DNS records they were hitting, so they just switched to one of my other domains. Due to the nature of their spam (random email addresses) and how I processed email on my site (allowing wildcard addresses) it has been very difficult to filter out the bounces.
Because they are using random email addresses and because I was already using a large collection of email addresses at my domains, it has become very difficult to filter out the bounces. Furthermore, the bandwidth is choking my little server.
Could I hire you to help me figure out who the actual human being is behind this spam? I have endless bounces to look at, and I’m getting pretty desperate.
Thanks for your time.
My reply (and remember I had his headers to look at, so I had more information than what was in his e-mail):
Hi xxxx,
You said you’re being targeted intentionally, but that the reasons are not clear.
Well, that tells me it’s not intentional.
Spammers would switch FROM domains with SPF for good reason. It’s got nothing to do with you, and everything to do with SOP (Standard Operating Procedure).
Check for IP addresses on the bounces that include the original mails. Chances are extremely good that they come from all over the place.
They would rather pick domains with catch all e-mail, and without SPF, all things being equal.
If Exim doesn’t allow you to switch off catch-all, I’d advise you to set up another server instead. Postfix runs fine on Debian, and allows you to reject mail to non-existing addresses during the SMTP handshake. Which means no more bounces, but quite a bit of handshake activity.
You can add another server as an SMTP gateway, and shunt the mail to your primary POP3 server (which can be your existing Exim server). Just change the MX records to point to the new server.
If you set it up like that, chances are extremely good they’ll stop targeting your domains.
Because this isn’t about you, it’s about maximizing the chances their spam will reach the intended targets.
If you’re not satisfied I’ve hit the nail on the head, forward some samples of spam. Including the bodies and subject lines.
Finding out exactly who’s behind the spam can be done in two ways:
1) Backwalk from an exploited machine to the IRC channel used to feed info to the zombie, then figure out who the hacker is (and yes, it’s usually a hacker hired by a spammer). This can be done from a spam, as long as you’ve got the clout to make the ISPs or companies harboring the zombies listen. But you need resources and clout to really pull it off. Even so, the incentive to keep beating the odds is enormous, because of the payoff for some types of spam.
2) Or track the payoff. Who hired the spammer or benefits from the spam. But like I said, I think I’ve cracked your case. It’s really no different from anyone else with catch-all e-mail, lacking SPF or anything else that makes the domain less palatable to spammers.
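The reply's first piece of advice is to look at the IP addresses in the bounces that still carry the original message and see whether they come from all over the place. The script below is an added example, not part of the original post or of any tool it mentions: it parses a batch of constructed delivery status notifications, pulls the original message out of each, reads the forged sender domain and the claimed origin IP from the earliest Received header, and collapses the IPs to /24 prefixes. All hostnames, addresses and IPs in it are constructed sample data (TEST-NET ranges), and the function names are my own.

```python
import email
import re
from collections import Counter
from email import policy

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _embedded_original(bounce_text):
    """Return the original message carried inside a DSN, or None if absent."""
    msg = email.message_from_string(bounce_text, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            payload = part.get_payload()  # list with one Message object
            return payload[0] if isinstance(payload, list) else payload
        if ctype == "text/rfc822-headers":  # some MTAs attach headers only
            raw = part.get_payload(decode=True).decode("utf-8", "replace")
            return email.message_from_string(raw, policy=policy.default)
    return None


def claimed_origin_ip(original):
    """IP in the earliest (bottom-most) Received header of the original.
    Received headers are prepended at each hop, so the last one is the
    earliest. Anything below the header added by the receiving MX can be
    forged by the sender, so treat this as a claim, not proof."""
    for hdr in reversed(original.get_all("Received") or []):
        m = IP_RE.search(str(hdr))
        if m:
            return m.group(1)
    return None


def summarize_bounces(bounces):
    """Count forged sender domains and claimed origin IPs across a batch."""
    domains, ips = Counter(), Counter()
    for text in bounces:
        orig = _embedded_original(text)
        if orig is None:
            continue
        m = re.search(r"@([\w.-]+)", str(orig.get("From", "")))
        if m:
            domains[m.group(1).lower()] += 1
        ip = claimed_origin_ip(orig)
        if ip:
            ips[ip] += 1
    return domains, ips


def distinct_networks(ips):
    """Collapse IPs to /24 prefixes. Many distinct prefixes in a short window
    is the botnet pattern the reply describes, not one attacker's machine."""
    return {".".join(ip.split(".")[:3]) + ".0/24" for ip in ips}


def _bounce(mx_host, from_addr, rcpt, origin_ip):
    """Build a minimal multipart/report DSN wrapping the original message.
    Constructed sample, shaped like a typical 'user unknown' bounce."""
    return f"""From: MAILER-DAEMON@{mx_host}
To: {from_addr}
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The message could not be delivered to {rcpt}: user unknown.

--B1
Content-Type: message/rfc822

Received: from pc-home.invalid ([{origin_ip}]) by {mx_host} with SMTP
From: {from_addr}
To: {rcpt}
Subject: cheap meds

spam body
--B1--
"""


# Constructed sample: three bounces, two forged domains, three origin IPs.
SAMPLE_BOUNCES = [
    _bounce("mx1.alpha.example", "qj7d@victim-a.example", "bob@alpha.example", "198.51.100.23"),
    _bounce("mx.beta.example", "x1k@victim-a.example", "carol@beta.example", "203.0.113.77"),
    _bounce("mail.gamma.example", "p9z@victim-b.example", "dave@gamma.example", "198.51.100.200"),
]

if __name__ == "__main__":
    domains, ips = summarize_bounces(SAMPLE_BOUNCES)
    print("forged sender domains:", dict(domains))
    print("claimed origin IPs:", dict(ips))
    print("distinct /24 networks:", sorted(distinct_networks(ips)))
```

Feed it a directory of real bounces instead of `SAMPLE_BOUNCES` and the two counters answer the reply's question directly: a handful of networks hammering one domain looks personal, dozens of unrelated /24s spread over several of your domains looks like the usual zombie traffic.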
December 10th, 2005 at 6:49 pm
I have thought the same in the past when I first got hit by one of these. It really sucks, but unless you have more proof, I doubt it is purposely targeted at you. Spammers just happen to be using your domain as the from address in their spam for now. They will likely move on to some other victim in a few days if they haven’t already.
December 11th, 2005 at 6:24 am
The spammers will move on, yes. But he has enough domains to keep them busy for a while. He also has done stuff to make him wonder about intentional retribution.
It’s just that this is not cruel and unusual punishment. It’s just par for the course. If you have a mail server, you WILL be “targeted” this way.
On the other hand, spammers sometimes single out people for punishment, as I’ve seen. But using domains as from addresses isn’t typical of personal retribution. I’d look out for other things.
Well, actually, joe jobs (ie the LINK in the body of the spam pointing to one of your domains) might be considered personal retribution, while using your domain in the from field might not.
December 11th, 2005 at 6:33 am
Are they going through all of his domains? Usually you are just unlucky and they happen to pick one of your domains. If it is more than one that is unusual and certainly would seem like he is being targeted.
December 11th, 2005 at 7:01 am
Joe:
I don’t agree. I’ve seen them pick through several domains on a server, up to two at a time. I think they like certain setups, and if there are many domains, why not use them all one after another?
And no, I don’t know that they’re picking through all of his, but I wouldn’t count that out.
December 11th, 2005 at 7:42 am
Well, you are in a position to see more of that in action than I am. But if they are just using a forged From address I don’t see why they would care how the victim’s servers are setup.
December 11th, 2005 at 8:01 am
I’m speculating:
A mailserver that’s set up with catch all e-mail will happily receive bounces from mailservers that receive the mails. Mailservers may theoretically apply a number of tests before accepting an e-mail. It’s common for mailservers to refuse mail from non-existing domains. It’s not inconceivable that they’ll start testing that the sending e-mail account exists.
An e-mail server without catch all may refuse to receive a bounce to a non-existing address, refusing it in the SMTP handshake. That’s immediate feedback that something’s wrong with mails from that IP address, and may theoretically trigger checks and dynamic blacklisting.
I don’t know if any of this is in place on servers today, but it’s theoretically possible.
If the mailserver has catch all e-mail, the bounce will be triggered AFTER the SMTP handshake. Mail to non-existing addresses may even be silently discarded (known as blackhole). All of that means less immediate feedback.
Bottom line, my speculation is that spammers prefer from addresses from domains that use catch all e-mail. But they even use non-existing domains sometimes, so they’re too diverse a bunch for me to know for sure.
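The reply suggests putting a Postfix gateway in front of the existing Exim box and letting it refuse unknown recipients during the SMTP dialogue, and the last comment contrasts that with a catch-all setup that accepts everything and sorts it out afterwards. The main.cf fragment below is an added illustration of both, not configuration from the post or from either project: section A is the catch-all shape the post advises moving away from, section B is the gateway that rejects at RCPT TO. Apply one or the other, not both. The domain victim.example, the internal address 192.0.2.10 and the mailbox names are placeholders; the parameter names are standard Postfix ones.

```ini
# === Setup A: catch-all (accept now, bounce or discard after the handshake) ===
# A wildcard virtual alias makes every address at the domain "valid", so a
# bounce to a forged random sender is accepted with 250 OK and the server
# has to store, deliver or discard it afterwards: no immediate feedback to
# the bouncing MX, which is the pattern the comment above speculates about.
virtual_alias_domains = victim.example
virtual_alias_maps = hash:/etc/postfix/virtual
#   /etc/postfix/virtual contains the wildcard entry (placeholder mailbox):
#   @victim.example    mailbox@localhost

# === Setup B: SMTP gateway in front of the existing mail store ===============
# The gateway takes over the MX record, knows every real mailbox, and relays
# only those to the old server (internal address 192.0.2.10, a placeholder).
relay_domains = victim.example
transport_maps = hash:/etc/postfix/transport
#   /etc/postfix/transport:
#   victim.example    smtp:[192.0.2.10]
relay_recipient_maps = hash:/etc/postfix/relay_recipients
#   /etc/postfix/relay_recipients lists every real address, one per line:
#   alice@victim.example    OK
#   bob@victim.example      OK
smtpd_reject_unlisted_recipient = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unlisted_recipient
# Effect: RCPT TO:<qj7d@victim.example> gets a 550 "User unknown" reply before
# DATA, so the bounce body is never received and never has to be bounced again.
# The cost is exactly what the reply says: lots of short rejected handshakes.
```

After editing the lookup tables run `postmap` on each of them and `postfix reload`; the gateway then needs the recipient list kept in sync with the mailboxes on the internal server, otherwise real mail is refused the same way the forged bounces are.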