Comments on: Domain intentionally targeted by mail spammers

By: Administrator

Administrator — Sun, 11 Dec 2005 14:01:24 +0000

I’m speculating:
A mailserver that’s set up with catch all e-mail will happily receive bounces from mailservers that receive the mails. Mailservers may theoretically apply a number of tests before accepting an e-mail. It’s common for mailservers to refuse mail from non-existing domains. It’s not unconceivable that they’ll start testing that the sending e-mail account exists.

An e-mail server without catch all may refuse to receive a bounce to a non-existing address, refusing it in the SMTP handshake. That’s immediate feedback that something’s wrong with mails from that IP address, and may theoretically trigger checks and dynamic blacklisting.

I don’t know if any of this is in place on servers today, but it’s theoretically possible.

If the mailserver has catch all e-mail, the bounce will be triggered AFTER the SMTP handshake. Mail to non-existing addresses may even be silently discarded (known as blackhole). All of that means less immediate feedback.

Bottom line, my speculation is that spammers prefer from addresses from domains that use catch all e-mail. But they even use non-existing domains sometimes, so they’re a too diverse bunch for me to know for sure.

By: Joe

Joe — Sun, 11 Dec 2005 13:42:23 +0000

Well, you are in a position to see more of that in action than I am. But if they are just using a forged From address I don’t see why they would care how the victim’s servers are setup.

By: Administrator

Administrator — Sun, 11 Dec 2005 13:01:51 +0000

Joe:
I don’t agree. I’ve seen them pick through several domains on a server, up to two at a time. I think they like certain setups, and if there are many domains, why not use them all one after another?

And no, I don’t know that they’re picking through all of his, but I wouldn’t count that out.

By: Joe

Joe — Sun, 11 Dec 2005 12:33:16 +0000

Are they going through all of his domains? Usually you are just unlucky and they happen to pick one of your domains. If it is more than one that is unusual and certainly would seem like he is being targeting.

By: Administrator

Administrator — Sun, 11 Dec 2005 12:24:55 +0000

The spammers will move on, yes. But he has enough domains to keep them busy for a while. He also have done stuff to make him wonder about intentional retribution.

It’s just that this is not cruel and unusual punishment. It’s just par for course. If you have a mail server, you WILL be “targeted” this way.

On the other hand, spammers sometimes single out people for punishment, as I’ve seen. But using domains as from addresses isn’t typical of personal retribution. I’d look out for other things.

Well, actually, joe jobs (ie the LINK in the body of the spam pointing to one of your domains) might be considered personal retribution, while using your domain in the from field might not.

By: Joe

Joe — Sun, 11 Dec 2005 00:49:16 +0000

I have thought the same in the past when I first got hit by one of these. It really sucks, but unless you have more proof, I doubt it is purposely targeted at you. Spammers just happen to be using your domain as the from address in their spam for now. They will likely move on to some other victim in a few days if they haven’t already.