Catch all great for spamhunters
I get one piece of advice over and over:
Make up a new e-mail address every time you have to register at a new service, or even post on someone else’s blog. Then you can just turn off that e-mail address if it ever gets harvested by a spammer.
That’s bad advice for regular people for one very good reason: To make it work, you’ll need to configure your domain as catch all. No matter what you put in front of the @, it’ll end up in your inbox, until the day you “turn that particular address off”. One day you’ll wake up to in excess of (wildly estimated) five thousand mails in your inbox, because a spammer decided to misuse your domain as the from address, or decided to do a dictionary attack - sending mail to thousands of made up addresses on your domain while trying to find valid ones. Also, turning off an address may not be all that easy unless you know a thing or two about the mail setup you’re using.
But it’s a very good idea if you’re a spamhunter, and live for tracking down people who sell their e-mail lists, or whose databases get hacked or whatever.
Pascal Van Hecke found out that Performancing.com’s database somehow ended up in the hands of a spammer. His findings were confirmed by another user.
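How a spamhunter would use per-service addresses on a catch-all domain, as an added example that is not part of the original post: given messages already judged to be spam, it attributes each one to the service the address was handed to, and separately flags never-issued local parts that point to a dictionary attack. The domain `example.org`, the `ISSUED` registry, the threshold and the sample messages are all constructed assumptions.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

DOMAIN = "example.org"  # assumption: your catch-all domain
# Assumption: local part you handed out -> service it was given to (constructed).
ISSUED = {"performancing": "performancing.com", "rssfwd": "rssfwd.com"}


def _msg(to, subject):
    """Build a constructed sample message; not real captured mail."""
    return f"From: sender@invalid.example\nTo: {to}\nSubject: {subject}\n\nbody\n"


SAMPLE_SPAM = [
    _msg("performancing@example.org", "offer"),
    _msg("Performancing@Example.org", "offer again"),
    _msg("info@example.org", "guess 1"),
    _msg("sales@example.org", "guess 2"),
    _msg("admin@example.org", "guess 3"),
]


def recipients(raw):
    """Addresses on our domain named in Delivered-To or To, lower-cased."""
    msg = message_from_string(raw)
    headers = msg.get_all("Delivered-To", []) + msg.get_all("To", [])
    suffix = "@" + DOMAIN
    return {a.lower() for _, a in getaddresses(headers) if a.lower().endswith(suffix)}


def attribute(spam, issued=ISSUED, guess_threshold=3):
    """Split spam into 'address we issued was leaked' and 'address was guessed'."""
    leaks, guessed = Counter(), set()
    for raw in spam:
        for addr in recipients(raw):
            local = addr.split("@", 1)[0]
            if local in issued:
                leaks[issued[local]] += 1   # only this service ever had the address
            else:
                guessed.add(local)          # never issued: only catch-all delivered it
    return {
        "leaked_by": dict(leaks),
        "guessed_locals": sorted(guessed),
        "dictionary_attack": len(guessed) >= guess_threshold,
    }


if __name__ == "__main__":
    print(attribute(SAMPLE_SPAM))
```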
March 1st, 2007 at 3:00 am
Ann, I think you misunderstood the solution. You don’t need to configure/have catch-all. Just add another alias at your server. Then, after it gets harvested delete the alias. You may also add a human readable message instead of the “550 user not found” SMTP rejection message, something like “550 due to heavy spam load this address is no longer available, see http…”
You just need full control (root) over your server to do it.
March 1st, 2007 at 5:04 am
You can use an alias as shown above. If I send a message to a non existing e-mail address on my website’s server I get an address rejected mail and it doesn’t show up on the website-email. What you’re describing is something like joe-jobbing. I know there are programs out there to generate a lot of fake e-mail addresses with configuration options like @yourdomain.com. But getting them on your website-email if they don’t exist, I don’t understand.
Please tell me how they accomplish this.
March 1st, 2007 at 5:42 am
To Jan:
I can’t tell you how to accomplish that, because it differs based on what kind of mail server and setup you’re using. But the technical term is catch all - instead of rejecting or bouncing (two different ways of handling it) mail to non-existing addresses, the server will happily receive ANY mail to that domain. With some mail setups, it’s possible to have catch all and still reject mail to some addresses - configured separately.
Like Lemat says, it’s also possible to configure a specific address for each new address you give out - without catch all enabled. If you have your own Postfix server, that’s a pretty elegant way of doing it.
March 2nd, 2007 at 10:18 am
a variation that sidesteps the catch-all problem, which i recognize, and doesn’t require full control on a server, is using a qmail or gmail address.
then you can use address+addition@domain to “tag” different sources, having a restrictive .qmail-default and deleting additions (qmail) or filter out additions (gmail) when spam increases
March 3rd, 2007 at 5:49 pm
There are other methods, I use pookmail.com, it is a seriously good tool, it enables you to have a throw away email address you can connect it to an RSS feed. You have to check it out gang, it is awesome
March 4th, 2007 at 11:56 am
Indeed a catch-all email address can be a real pain. Personally I wouldn’t recommend it unless you have extremely good spam filtering software.
March 21st, 2007 at 5:14 pm
Hi Ann,
Thx for your idea, never thought about it that way.
In my case, my catchall is forwarded to my Gmail account, and Gmail still is a good spam filter - I guess an identical or slightly varying mail sent to 5000 accounts@mydomain would end up in the spam folder anyway.
I think most people (or ISP’s) use a spam filter nowadays, and a “brute-force” attack (guessing possible user names on a domain) is detected very easily. A spam run using actual mail addresses harvested somewhere is a lot harder to detect (because it’s not different from a regular newsletter).
I don’t consider myself as a spam hunter really - I just discovered the performancing thing because that particular mail _did_ slip through the spam filter - so I was curious where I got it from.
Best Regards,
Pascal
(BTW if this works, then I found a way to get around Akismet, who doesn’t like my domain anymore)
April 17th, 2007 at 10:51 am
You simply have an email address for each site…
And NO catch-all….
For example:
For your account on the rssfwd.com site, you use rssfwd@yourdomain.com
For your account on the sharedcopy.com site, you use sharedcopy@yourdomain.com
And NO catch-all address!
You have those addresses forwarded into your main Gmail account (or whatever), just as your “real” email address is…
If you ever get spammed at one of those addresses, you simply delete it.
This is all VERY simple to set up if you have a hosting account on godaddy.com. There they give you 100 email forwarding accounts FREE for each hosting account you have.
That’s more than enough for my needs.
HOWEVER, I don’t do this myself. Why?
Because I don’t care about spam. Why?
You folks seem to understand little about how it all works…
The BEST solution to spam, so far, are spammer server blacklists. They are blacklists of KNOWN spammer servers. These lists are well-maintained and sold on a subscription basis. And they are widely used.
Simply click REPORT SPAM button inside your gmail. That’s the best solution.
I have a catch-all account, and I have VERY little problem with spam.
May 27th, 2007 at 5:57 pm
‘best solution is spammer server blacklists.’
Well, how about botnets..?
July 14th, 2007 at 12:56 am
For a while, I too, was using throw-away addresses at my domain whenever I needed to submit an email for a service / page that I didn’t completely trust. My plan was to simply have no catchall defined, but explicitly map each of my active addresses back to my primary email provider.
However, this doesn’t appear to work very well. The problem? It seems that Hotmail’s spam filtering system will not accept emails originated from a domain that doesn’t have a catchall defined!
If I turned off the catchall, the outgoing messages (from my domain) never arrive at Hotmail, but re-enable the catchall and subsequent emails will pass.
I haven’t seen this mentioned elsewhere and wondered if this is a typical practice?
October 9th, 2007 at 11:52 am
[…] Forget about a catch-all solution when you do not have an adequate spam filter (from SpamHuntress). I forward the Catch-all mail to Gmail, which works great so far. Leave a comment if you have other solutions that work for you. […]