Coping with joe jobs
I was contacted by someone who has been under a heavy deluge of faked-sender spam bounces for months. He wanted help making it go away.
I have a few tips for this, and I'll put some of them here:
First of all, faked-sender spam is different from the classic Joe Job. You can read more about the Joe Job here, along with some advice on handling it:
Sabotage! Coping With The Joe Job
There is also advice there that you can use against faked-sender spam, but it doesn't address the faked-sender bounces that many domain owners experience today. Those spam runs are sent with non-existent addresses at your domain as the sender, so every bounce and autoresponse they trigger lands on you.
Perhaps the biggest perpetrator of large-scale faked-sender spam is Leo Kuvayev. He has tagged some of my customers' domains, so I know how bad it can get until you take countermeasures.
1) Turn off catch-all, so you don't receive all those bounces. A catch-all makes every local part at your domain deliverable, so every sender address the spammer invents becomes a mailbox that collects bounces.
2) Verify that your mail server REJECTS mail to non-existent e-mail addresses during the SMTP session (a 5xx reply to RCPT TO), instead of accepting it and BOUNCING it afterwards. This significantly reduces the load on the server, and it stops your server from generating backscatter of its own. This is the default if you have cPanel with catch-all turned off. To check it, send an e-mail from an outside account to a nonsensical address at your domain and look at which server generated the bounce: it should be the server you sent through (the "local" mail server on the sending side, reporting the rejection), not your own domain's mail server. If your own server is the one bouncing, it accepted the message first.
3) Put up a notice (a small text link) on your website with information about the spam runs, if it keeps on going.
4) If your domain is used for very few e-mail accounts, and you have full control over where people send legitimate mail from with your domain as sender, look at SPF (Sender Policy Framework): receiving servers that check it can reject the forged mail up front, so the bounce never gets generated. Also investigate other techniques such as DomainKeys.
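The check in tip 2 can be scripted instead of done by hand. The following is an added example and not code from the original post: it opens an SMTP session to a domain's mail exchanger, issues MAIL FROM and RCPT TO for a local part that cannot exist, and classifies the RCPT TO reply (5xx means the server rejects unknown recipients at SMTP time, 2xx means it still accepts them and will either deliver to a catch-all or bounce later). The MX hostname and the probe sender are assumptions you supply (the standard library has no MX lookup; use a sender address you control), and ScriptedSession is a constructed stand-in for smtplib.SMTP so the logic can be exercised offline.

```python
"""Check whether a domain's MX rejects unknown recipients at SMTP time.

Added example, not code from the original post.  Classification of the
RCPT TO reply:
  5xx  -> rejected during the session: no bounce can ever be generated
  2xx  -> accepted: catch-all still on, or the server bounces afterwards
  4xx  -> temporary failure (greylisting etc.): inconclusive, retry later
"""
import secrets
import smtplib
import sys


def classify_rcpt(code):
    """Map an SMTP reply code from RCPT TO to a verdict."""
    if 500 <= code <= 599:
        return "rejected"
    if 200 <= code <= 299:
        return "accepted"
    if 400 <= code <= 499:
        return "tempfail"
    return "unexpected"


def probe_address(session, sender, recipient):
    """Drive EHLO / MAIL FROM / RCPT TO on an open session; never send DATA.

    Returns (verdict, code, reply_text).  Works with smtplib.SMTP or any
    object exposing the same ehlo/mail/rcpt/rset/quit methods.
    """
    session.ehlo()
    code, text = session.mail(sender)
    if code != 250:
        raise RuntimeError("MAIL FROM refused: %d %r" % (code, text))
    code, text = session.rcpt(recipient)
    try:
        session.rset()   # abandon the transaction so nothing is queued
        session.quit()
    except smtplib.SMTPException:
        pass
    return classify_rcpt(code), code, text


def random_probe_address(domain):
    """A local part that is vanishingly unlikely to exist at the domain."""
    return "probe-%s@%s" % (secrets.token_hex(8), domain)


def probe_domain(mx_host, domain, sender="postmaster@example.net"):
    """Live check against a real MX.  mx_host and sender are assumptions:
    resolve the MX yourself and use a sender address you control."""
    smtp = smtplib.SMTP(mx_host, 25, timeout=30)
    try:
        return probe_address(smtp, sender, random_probe_address(domain))
    finally:
        smtp.close()


class ScriptedSession:
    """Constructed offline stand-in for smtplib.SMTP replaying canned replies."""

    def __init__(self, rcpt_reply, mail_reply=(250, b"2.1.0 Ok")):
        self.rcpt_reply = rcpt_reply
        self.mail_reply = mail_reply
        self.transcript = []

    def ehlo(self):
        self.transcript.append("EHLO")
        return 250, b"mx.example.test"

    def mail(self, sender):
        self.transcript.append("MAIL FROM:<%s>" % sender)
        return self.mail_reply

    def rcpt(self, recipient):
        self.transcript.append("RCPT TO:<%s>" % recipient)
        return self.rcpt_reply

    def rset(self):
        self.transcript.append("RSET")
        return 250, b"2.0.0 Ok"

    def quit(self):
        self.transcript.append("QUIT")
        return 221, b"2.0.0 Bye"


if __name__ == "__main__":
    # usage: python probe_mx.py MX_HOST DOMAIN [SENDER]
    if len(sys.argv) >= 3:
        print(probe_domain(*sys.argv[1:4]))
    else:
        # Offline demonstration with constructed replies.
        for reply in [(550, b"5.1.1 User unknown"), (250, b"2.1.5 Ok"), (450, b"4.7.1 Try later")]:
            verdict = probe_address(ScriptedSession(reply), "postmaster@example.net",
                                    random_probe_address("example.org"))[0]
            print(reply, "->", verdict)
```

Run it against each MX of the domain, not just the first: a secondary MX that still accepts everything and forwards it will keep producing bounces even after the primary is fixed. A 4xx reply proves nothing either way; retry after the greylisting window.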
All of my suggestions will make your domain less palatable to spammers. But if they have been using it for some time, they may not notice, since they never see the bounces anyway. If you act proactively and remove catch-all before the first faked-sender spam run, however, they may bypass your domain altogether.
And remember: unless you have access to your mail server's logs, you won't know whether the spam runs continue after you have removed catch-all, unless they tag an existing e-mail address by mistake.
Another factor to remember is that a faked-sender spam run increases the total spam load against your domain. Some people have rules that put every sender address into their address book. When they get hit by a virus, that address book gets harvested by spammers. Whammo: lots of mail to non-existent addresses. Removing catch-all takes care of that too.
April 1st, 2006 at 12:09 am
The most interesting anti-blowback defense I’ve seen is BATV (http://mipassoc.org/batv/).
The basic idea is encoding the envelope sender of your outbound mail. Bounces/autoresponses of that mail will be sent to the encoded address, not the bare address. If a bounce comes to the bare address, you know it was in response to a message not sent through your outbound relays. If it comes to an improperly-encoded address, you know somebody’s trying to pull something…
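The scheme the comment above describes, as an added example that is not the commenter's code. The tag layout follows the "prvs" form from the BATV draft (prvs=KDDDSSSSSS=user@domain: a key number, a three-digit expiry day taken mod 1000, and six hex digits of an HMAC-SHA1), but exactly what is fed into the HMAC, the seven-day lifetime and the key table are this example's own choices and are not guaranteed to interoperate with other BATV implementations. Outbound mail gets the signed address as its envelope sender; a message arriving with a null sender is classified by the address it was sent to, giving the three cases the comment lists: bare address (never ours), bad tag (someone guessing), good tag (a real bounce).

```python
"""BATV-style signed envelope senders (added example, not the commenter's code).

prvs=KDDDSSSSSS=user@domain
  K      key number, selects the secret in the key table
  DDD    expiry day: days since the epoch plus the lifetime, mod 1000
  SSSSSS first 24 bits (6 hex digits) of HMAC-SHA1(key, K DDD address)

The HMAC input, the 7-day lifetime and the key table are this example's
assumptions, not necessarily the exact bytes of the BATV draft.
"""
import hashlib
import hmac
import re
import time

PRVS_RE = re.compile(
    r"^prvs=(?P<k>[0-9])(?P<ddd>[0-9]{3})(?P<sig>[0-9a-f]{6})"
    r"=(?P<local>[^@]+)@(?P<domain>[^@]+)$",
    re.IGNORECASE,
)
LIFETIME_DAYS = 7


def _days(now):
    """Whole days since the epoch, with an injectable clock for testing."""
    return int((time.time() if now is None else now) // 86400)


def _sig(key, key_no, ddd, address):
    msg = ("%d%03d%s" % (key_no, ddd, address.lower())).encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()[:6]


def sign_sender(address, key, key_no=0, now=None):
    """Return the prvs-tagged envelope sender to use on outbound mail."""
    ddd = (_days(now) + LIFETIME_DAYS) % 1000
    local, domain = address.split("@", 1)
    return "prvs=%d%03d%s=%s@%s" % (key_no, ddd, _sig(key, key_no, ddd, address), local, domain)


def classify_bounce_recipient(recipient, keys, now=None):
    """Classify the recipient of an incoming null-sender (bounce) message.

    'bare'    - untagged address: we never sent the original, so this is backscatter
    'forged'  - tag present but it does not verify: somebody is trying to pull something
    'expired' - genuine tag whose window has passed (late bounce or replay)
    'valid'   - bounce for mail we really sent; deliver it to the bare address
    """
    m = PRVS_RE.match(recipient)
    if not m:
        return "bare"
    key_no, ddd = int(m["k"]), int(m["ddd"])
    address = "%s@%s" % (m["local"], m["domain"])
    key = keys.get(key_no)
    if key is None or not hmac.compare_digest(_sig(key, key_no, ddd, address), m["sig"].lower()):
        return "forged"
    # Expiry day is stored mod 1000: the tag is live if it lies 0..500 days ahead of today.
    if (ddd - (_days(now) % 1000)) % 1000 > 500:
        return "expired"
    return "valid"


def untag(recipient):
    """Strip a prvs tag so a valid bounce can be delivered to the real mailbox."""
    m = PRVS_RE.match(recipient)
    return recipient if not m else "%s@%s" % (m["local"], m["domain"])


if __name__ == "__main__":
    keys = {0: b"example-secret-key"}           # constructed key table
    signed = sign_sender("alice@example.org", keys[0])
    print("outbound envelope sender:", signed)
    for rcpt in [signed, "alice@example.org", signed[:9] + "000000" + signed[15:]]:
        print("%-50s -> %s" % (rcpt, classify_bounce_recipient(rcpt, keys)))
```

Only null-sender mail (MAIL FROM:<>) and autoresponses are checked this way; normal inbound mail to the bare address is unaffected. Rotate the secret by adding a new key number and keeping the old one in the table until its tags have expired, or in-flight bounces will be rejected as forged.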
April 4th, 2006 at 6:54 pm
One of my domains has been seeing bounces for a few months. I didn’t keep a valid MX there (MXes for top-level names are Really Bad News) but I started noticing a ton of MX lookups for that domain. I set up a temporary mailserver to see what was going on…
Some Russian spam setup has been using this domain in From:/Return-Path: along with several other domains. They’re advertising a Moscow travel agency and their spam operation. I don’t think it’s a revenge job, they’ve apparently chosen many small domains and just rotate through them. (I found many other copies of the spam on the web with different domains.)
Ultimately there isn’t much to be done in this situation, especially as the spammers appear to have a large botnet. I’ve made that domain as unattractive as possible by using SPF and DomainKeys to indicate it never sends email, along with a mailserver and webserver running at that domain with appropriate messages. (The mailserver rejects all bounces with “We didn’t send the spam, but here’s the telephone and ICQ numbers of the people who did”… that info was in their ad for their spam service.)
But of course the bounces just keep coming in, and probably will ’til the spammers become bored. I don’t care very much, it’s not like the name is particularly important to me–it just sucks that we have to put up with the collateral damage from these parasites.
It would be a really good thing if sites would a) quit !&#$% bouncing spam and b) start rejecting it. Not only do I have to deal with these stupid spam filters’ bounced messages, but also have to wonder if my email’s actually getting through or just silently being dropped.
April 16th, 2006 at 12:44 pm
I’ve just found two of my domains “hijacked” by a joe job. The second one received approaching 400 bounced mails today so far alone.
I have traced mine to a Bulgarian Spammer, and since Bulgaria has signed up with the EU accords on anti-spam, I intend taking this b*st*rd to court.
If Microsoft can do it - so can I!
Rob.