I get tons of message failure notices... am I spamming?

Posted 4/9/2008 5:46:36 PM
Forum Newbie

Group: Forum Members
Last Login: 4/18/2008 7:37:03 PM
Posts: 6, Visits: 35
So today I was looking through my spam account, where I forward all the spam, and I noticed a ton of failure notices coming from one of our e-mail addresses. I know that that user didn't send these e-mails... as there's all kinds of spam HTML and ads on the e-mails... and the contact details are different from e-mail to e-mail... also the from server doesn't appear to be mine... so what's going on?

Is someone spoofing or changing the from? And the replies get forwarded back to us? Or?

Any ideas?

Post #42694
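One way to answer the original poster's question from the failure notices themselves, as an added example (not part of the thread): parse the NDR, pull the Received headers of the returned original, and check whether any hop is one of your own mail servers. The 192.0.2.0/24 range, the hostnames and the sample NDR are constructed placeholders.

```python
import email.policy
import ipaddress
import re

OUR_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumption: your outbound mail servers
HOP_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed NDR: a remote host returning a message that claims to be from our user.
SAMPLE_NDR = """\
From: MAILER-DAEMON@mx.recipient.example
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Final-Recipient: rfc822; nosuchuser@recipient.example
Action: failed
--b1
Content-Type: message/rfc822

Received: from pc-17.isp.example ([203.0.113.45])
 by mx.recipient.example; Wed, 9 Apr 2008 10:00:00 -0400
From: user@ourdomain.example

body
--b1--
"""

def original_hops(ndr_text):
    """IPs from the Received headers of the message the NDR returns, or None if absent."""
    ndr = email.message_from_string(ndr_text, policy=email.policy.default)
    for part in ndr.walk():
        if part.get_content_type() == "message/rfc822":
            received = part.get_payload(0).get_all("Received", [])
            return [ip for h in received for ip in HOP_IP.findall(str(h))]
    return None

def classify(ndr_text):
    hops = original_hops(ndr_text)
    if hops is None:
        return "unknown"              # NDR carries no copy of the original to inspect
    for hop in hops:
        try:
            if any(ipaddress.ip_address(hop) in net for net in OUR_NETS):
                return "sent-by-us"   # it really left our servers: check that account
        except ValueError:
            continue                  # malformed (possibly forged) hop address
    return "backscatter"              # forged elsewhere; we only received the bounce
```

Received lines below the first hop you trust can be forged, so "sent-by-us" is a prompt to check your own server logs rather than proof.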
Posted 4/9/2008 6:24:41 PM
Forum Member

Group: Forum Members
Last Login: 8/25/2008 12:27:59 PM
Posts: 25, Visits: 331
We have experienced the same issue with 3 different accounts over the last few months. Someone seems to use a person's email address for a day or a few days and then it's over.
Post #42697
Posted 4/10/2008 6:08:42 PM
Supreme Being

Group: Forum Members
Last Login: 10/6/2008 1:17:05 PM
Posts: 92, Visits: 125
Yeah, that's the behavior we see when someone spoofs one of our client's accounts. If there isn't an SPF record on the domain, we add one. But that doesn't mean that the varmints will stop spoofing the accounts.
Post #42718
Posted 4/18/2008 7:19:08 PM
Forum Newbie

Group: Forum Members
Last Login: 4/18/2008 7:37:03 PM
Posts: 6, Visits: 35
Hmm, so basically there's nothing I can do about it then...? They can just keep spoofing?

Does this run the risk of me getting put on URL blacklists?
Post #42992
Posted 4/18/2008 8:00:08 PM
Forum Newbie

Group: Forum Members
Last Login: 4/28/2008 12:07:27 PM
Posts: 5, Visits: 26
I hope that no one who runs a blacklist would be moronic enough to add a domain based on the from address of the email.  This is always a spoofed email address and it just looks like it's your turn to be spoofed.  There isn't a single thing you can do to prevent spammers from spoofing your address.  You can add some countermeasures such as SPF records in the DNS.  They will define what servers are allowed to send mail using your domain name.  The bigger problem is the backscatter from clueless mail hosts who bounce the spam and generate an NDR back to your from address.  This IS fully preventable.  Everyone who is reading this:  Please do not set up your mail server to bounce spam.  Delete it or forward it to a spam account/folder and use the nobody alias to stop bounces for nonexistent accounts.  If you don't, you can get yourself listed on backscatterer.org.  I'll get down off my soap box now...

http://spamlinks.net/prevent-secure-backscatter.htm

Post #42994
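How an SPF record "defines what servers are allowed to send mail using your domain name", as an added example that is not part of the thread: a small offline evaluator covering only the `ip4:`, `ip6:` and `all` terms (mechanisms that need DNS, such as `a`, `mx` and `include`, are deliberately refused). The records and addresses are constructed, using documentation ranges.

```python
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip):
    """Evaluate an SPF TXT record limited to ip4:, ip6: and all against a connecting IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # not an SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        # A term may start with a qualifier; the default qualifier is "+".
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULT else ("+", term)
        name, _, value = mech.lower().partition(":")
        if name == "all":
            return RESULT[qualifier]
        if name not in ("ip4", "ip6"):
            # a, mx, include, redirect and so on need DNS: out of scope offline
            raise ValueError(f"mechanism {name!r} not handled in this example")
        net = ipaddress.ip_network(value, strict=False)
        if ip in net:                       # a v4/v6 mismatch is simply "not in"
            return RESULT[qualifier]
    return "neutral"                        # nothing matched and no "all" term

# Constructed records for a hypothetical domain whose mail leaves from 192.0.2.0/24.
STRICT = "v=spf1 ip4:192.0.2.0/24 -all"
SOFT = "v=spf1 ip4:192.0.2.0/24 ~all"

def demo():
    return {
        "own server, strict": check_spf(STRICT, "192.0.2.25"),
        "forger, strict": check_spf(STRICT, "203.0.113.45"),
        "forger, soft": check_spf(SOFT, "203.0.113.45"),
    }
```

The check is run by the receiving server against the envelope sender's domain, so the record only helps at receivers that evaluate SPF and act on a `fail`.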
Posted 4/19/2008 7:27:17 PM
Forum Guru

Group: Forum Members
Last Login: 10/11/2008 5:22:27 AM
Posts: 1,667, Visits: 876
snarf0101 (4/18/2008)
The bigger problem is the backscatter from clueless mail hosts who bounce the spam and generate an NDR back to your from address.  This IS fully preventable.  Everyone who is reading this:  Please do not set up your mail server to bounce spam.  Delete it or forward it to a spam account/folder and use the nobody alias to stop bounces for nonexistent accounts.  If you don't, you can get yourself listed on backscatterer.org.  I'll get down off my soap box now...

<SHAKING HEAD IN DISGUST>

Your intention is good, but your method is hypocritical. Sorry!

NEVER EVER EVER NEVER USE THE NOBODY ALIAS FOR ANTI-SPAM PURPOSES!

You are completely misunderstanding something, which, if you would read the link you provided, will show you that what you stated above is the OPPOSITE of what you need to do.

If the recipient email address DOES NOT EXIST on your server, your server will REJECT the incoming email, which is the correct and proper action. By using the NOBODY alias, your server will ACCEPT it.

Rejecting an incoming email during the SMTP session is rejecting it, which is different than bouncing it. Bouncing is an action that is taken AFTER your server has accepted and received the incoming email in its entirety.

John T
eServices For You

"Life is a succession of lessons which must be lived to be understood." Ralph Waldo Emerson (1802-1882)

Post #43008
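The difference between rejecting during the SMTP session and bouncing after acceptance, as an added example (not code from the thread or from any mail server product): a toy receiving-side state machine run under three policies. The mailbox list, the addresses and the policy names `reject`, `bounce` and `nobody` are constructed for illustration.

```python
import re

MAILBOXES = {"alice@ourdomain.example"}          # constructed local mailbox list
ENVELOPE = re.compile(r"(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)

def smtp_session(commands, policy):
    """Receiving side of one SMTP session; policy is 'reject', 'bounce' or 'nobody'.
    Returns (replies sent to the client, NDRs this server originates afterwards)."""
    replies, ndrs, sender, unknown, deliverable, in_data = [], [], None, [], 0, False
    for line in commands:
        m = ENVELOPE.match(line)
        if in_data:
            if line == ".":                      # end of message: it is now ours
                in_data = False
                replies.append("250 2.0.0 queued")
                if policy == "bounce":           # NDR goes to the envelope sender, forged or not
                    ndrs += [{"from": "<>", "to": sender, "failed": r} for r in unknown]
                # 'nobody': unknown recipients were accepted and are silently discarded
        elif m and m.group(1).upper() == "MAIL FROM":
            sender = m.group(2)
            replies.append("250 2.1.0 sender ok")
        elif m:                                  # RCPT TO
            rcpt = m.group(2).lower()
            if rcpt not in MAILBOXES and policy == "reject":
                replies.append("550 5.1.1 no such user")   # refused in-session, nothing accepted
                continue
            if rcpt in MAILBOXES:
                deliverable += 1
            else:
                unknown.append(rcpt)
            replies.append("250 2.1.5 recipient ok")
        elif line.upper() == "DATA":
            in_data = bool(deliverable or unknown)
            replies.append("354 send message" if in_data else "503 5.5.1 no valid recipients")
        elif line.upper() == "QUIT":
            replies.append("221 2.0.0 bye")
        else:
            replies.append("500 5.5.1 command not recognized")
    return replies, ndrs

# Constructed session: forged envelope sender, recipient mailbox that does not exist here.
FORGED = ["MAIL FROM:<victim@victim.example>", "RCPT TO:<nosuch@ourdomain.example>",
          "DATA", "Subject: constructed", ".", "QUIT"]
```

Under `reject` the 550 goes only to whoever is connected and this server originates nothing; under `bounce` it mails an NDR to the forged sender; under `nobody` the message is accepted and nobody is told.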
Posted 4/21/2008 9:25:13 AM
Forum Newbie

Group: Forum Members
Last Login: 4/28/2008 12:07:27 PM
Posts: 5, Visits: 26
I actually just went back to review a few of my domains.  It looks as though I don't actually have a nobody alias defined for any of them.  It will reject at the SMTP RCPT level.  Not sure why I thought they were there. 

However, wouldn't allowing the SMTP to reject the mail result in an NDR being sent to the spoofing victim as backscatter?  Does the rejecting SMTP server send the NDR based on actual header data or the spoofed from address?  With the nobody alias resolved to root-NUL, the invalid messages are just dropped.  No dictionary attacks or backscatter.  The intention of this thread is to prevent mail from being sent BACK to the spoofing victim.  I'm not sure I follow on exactly how the nobody alias produces the OPPOSITE results.

Post #43038
Posted 4/22/2008 4:12:37 PM
Forum Member

Group: Forum Members
Last Login: 7/18/2008 12:44:41 PM
Posts: 36, Visits: 41
Correct, the victim will receive the backscatter from the offending server, which is not technically your problem.  Enabling the nobody alias will accept all incoming email.  I suppose, if you really want all the messages you are welcome to them, but for example, if someone mistypes an email account, the sender will never know you didn't get that clandestine wedding proposal via email that was sent to the wrong address.
Post #43101
Posted 4/23/2008 5:47:37 PM
Forum Newbie

Group: Forum Members
Last Login: 4/28/2008 12:07:27 PM
Posts: 5, Visits: 26
The NDRs generated at the SMTP level are, sometimes, the actual goal of the spammer.  They know that most hosts will send out a Reverse NDR attack for them.  So, you are fully correct that it's really not my problem if my server sends the NDRs.  However, eventually all of us sys admins (or one of our clients) will be on the receiving end of all of those messages.  We are getting more and more clients on our servers who are getting their email address spoofed.  BTW, the questions were rhetorical.
Post #43151