Posted to users@spamassassin.apache.org by Predrag Lezaic <pl...@lutefisktechnologies.com> on 2004/09/11 18:47:42 UTC
Spammer using my domain name in FROM field
Spammer apparently is using something@domainname.com in the FROM field
of the emails he is sending out. Domain is one of my customer's virtual
domains, spammer made up the username in the email address. Now I am
getting buried by mail notifications returning to sender...obviously
wrong person.
How do you people deal with this? Is there anything I can do? Email
addresses in FROM field as we all know are fake when spammers use them.
But if you don't do it if someone misspelled an email address that is
legitimate and sent it to user they won't know it didn't make it.
I am at a loss what to do.
Any ideas?
Thanks,
Predrag
PS My spamd process still shoots up in CPU usage at least once a day and
I have to kill the process and restart spamassassin. :(
Re: Spammer using my domain name in FROM field
Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Predrag,
Saturday, September 11, 2004, 9:47:42 AM, you wrote:
PL> Spammer apparently is using something@domainname.com in the FROM
PL> field of the emails he is sending out. Domain is one of my customer's
PL> virtual domains, spammer made up the username in the email address.
PL> Now I am getting buried by mail notifications returning to
PL> sender...obviously wrong person.
Understood. I'm not being flooded, but have a steady stream of similar
spam. Same thing happens with virus warnings/bounces.
PL> How do you people deal with this? Is there anything I can do? Email
PL> addresses in FROM field as we all know are fake when spammers use them.
PL> But if you don't do it if someone misspelled an email address that is
PL> legitimate and sent it to user they won't know it didn't make it.
Grab http://www.timj.co.uk/linux/bogus-virus-warnings.cf -- does a good
job of catching virus warnings/bounces. I've had a couple of FPs on it,
but not bad.
SARE has a set of rules we're reviewing that enhance/extend Tim's file
above, covering a lot of spam bounce and spam reject notices. Haven't yet
decided how to publish them, but they should be out by end of month.
(Tim -- if you're reading this, please contact me -- my first attempts to
email you have bounced.)
Bob Menschel
Re: Spammer using my domain name in FROM field
Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!
>> Welcome to the real world, this is your wake-up call ;)
>> This is happening all the time, not much you can do about this. A
>> countermeasure could be using SPF records, so people at least have a way
>> to check if it's you or not.
> Or you could get a digital ID and sign all your outgoing mails :)
Sure, or PGP sign all messages, but that won't stop you from getting the
bounces. Since he's most likely been joe jobbed...
Bye,
Raymond.
Re: Spammer using my domain name in FROM field
Posted by "Michele Neylon :: Blacknight Solutions" <mi...@blacknightsolutions.com>.
<quote who="Raymond Dijkxhoorn">
> Hi!
>
>> Spammer apparently is using something@domainname.com in the FROM field
>> of the emails he is sending out. Domain is one of my customer's virtual
>> domains, spammer made up the username in the email address. Now I am
>> getting buried by mail notifications returning to sender...obviously
>> wrong person.
>>
>> How do you people deal with this? Is there anything I can do? Email
>> addresses in FROM field as we all know are fake when spammers use them.
>> But if you don't do it if someone misspelled an email address that is
>> legitimate and sent it to user they won't know it didn't make it.
>
> Welcome to the real world, this is your wake-up call ;)
>
> This is happening all the time, not much you can do about this. A
> countermeasure could be using SPF records, so people at least have a way
> to check if it's you or not.
Or you could get a digital ID and sign all your outgoing mails :)
--
Mr.Michele Neylon
Blacknight Solutions
Hosting, Co-location & Email solutions
http://www.blacknight.ie/
Tel. +353 59 9137101
Re: Spammer using my domain name in FROM field
Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!
> Spammer apparently is using something@domainname.com in the FROM field of
> the emails he is sending out. Domain is one of my customer's virtual domains,
> spammer made up the username in the email address. Now I am getting buried
> by mail notifications returning to sender...obviously wrong person.
>
> How do you people deal with this? Is there anything I can do? Email addresses
> in FROM field as we all know are fake when spammers use them. But if you
> don't do it if someone misspelled an email address that is legitimate and
> sent it to user they won't know it didn't make it.
Welcome to the real world, this is your wake-up call ;)
This is happening all the time, not much you can do about this. A
countermeasure could be using SPF records, so people at least have a way
to check if it's you or not.
Bye,
Raymond.
Re: Spammer using my domain name in FROM field
Posted by Matt Kettler <mk...@comcast.net>.
At 10:59 PM 9/11/2004 -0400, Vivek Khera wrote:
>But even if *I* don't use forwarding, one of my customers may. For
>example, if I need to email a customer of mine who is using, say, ieee.org
>forwarding, and it is redirecting to AOL, my SPF records will cause AOL to
>reject my message to my customer. The email recipient really has no
>control over any of the SPF records, since he owns none of the domains in
>question. I publish SPF records because we're forged constantly.
True, but I'd argue this situation is a problem with AOL's implementation
of SPF checks, and it's something the AOL subscriber is going to have a lot
of trouble with until it's fixed.
Eventually the person using forwarding is not going to be able to get *any*
email via the forwarder, at which point he's going to have to ask AOL to
put ieee's forwarder on their exception list. Either that or put it on a
list of "trusted forwarding relays" so it knows to check the next Received:
header back.
Really, for sites which implement SPF blocking, this is going to be a
problem they WILL have to deal with. I'm quite sure you and your customer
aren't going to be the only users in the world with the problem. Checkers
will end up with implementation tweaks to avoid problems with this.
Worst case you could add ieee's forwarding servers to your SPF record on a
temporary basis so you can send the guy an email telling him that AOL has
issues with his forward and ask him to complain.
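Added example, not part of any poster's message: a minimal SPF evaluator showing why the forwarding case discussed above fails and how the two workarounds mentioned (a receiver-side list of trusted forwarding relays, or temporarily adding the forwarder to the sender's record) change the verdict. The record, the documentation-range IP addresses and the function names are constructed for illustration, and only the `ip4` and `all` mechanisms are handled.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip):
    """Evaluate a subset of SPF (ip4 and all only) for one sending IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched

def receiver_verdict(record, hops, trusted_forwarders=()):
    """hops: relay IPs newest first (connecting client, then the hop it
    recorded in Received:). Hops on the receiver's trusted-forwarder list
    are skipped, so the check applies to the hop before them. Only the
    Received: line written by a trusted relay may be believed."""
    for ip in hops:
        if ip in trusted_forwarders:
            continue
        return check_spf(record, ip)
    return "none"

# Constructed sample data (documentation address ranges).
RECORD = "v=spf1 ip4:192.0.2.0/24 -all"
WIDENED = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all"
SENDER_MTA, FORWARDER, FORGER = "192.0.2.10", "198.51.100.25", "203.0.113.77"

def scenarios():
    trusted = {FORWARDER}
    return {
        "direct": receiver_verdict(RECORD, [SENDER_MTA]),
        "forged": receiver_verdict(RECORD, [FORGER]),
        "forwarded": receiver_verdict(RECORD, [FORWARDER, SENDER_MTA]),
        "forwarded_trusted_relay": receiver_verdict(RECORD, [FORWARDER, SENDER_MTA], trusted),
        "forged_via_trusted_relay": receiver_verdict(RECORD, [FORWARDER, FORGER], trusted),
        "forwarded_widened_record": receiver_verdict(WIDENED, [FORWARDER, SENDER_MTA]),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:26} {verdict}")
```

The widened record also passes any mail the forwarder relays under the sender's domain, which is why the post frames it as a temporary measure.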
Re: Spammer using my domain name in FROM field
Posted by Vivek Khera <vi...@khera.org>.
On Sep 11, 2004, at 8:56 PM, Matt Kettler wrote:
> At 12:18 PM 9/11/2004 -0700, p dont think wrote:
>> BEWARE, however, that SPF is a hotly contested technology that breaks
>> forwarding in many cases
>
> True, but if your domain is used for forwarding, you can simply not
> publish SPF records, or publish wide-open ones. However, this is
> really something for the administrator of the domain to decide based
> on how his/her domain works.
But even if *I* don't use forwarding, one of my customers may. For
example, if I need to email a customer of mine who is using, say,
ieee.org forwarding, and it is redirecting to AOL, my SPF records will
cause AOL to reject my message to my customer. The email recipient
really has no control over any of the SPF records, since he owns none
of the domains in question. I publish SPF records because we're forged
constantly.
Re: Spammer using my domain name in FROM field
Posted by Matt Kettler <mk...@comcast.net>.
At 12:18 PM 9/11/2004 -0700, p dont think wrote:
>BEWARE, however, that SPF is a hotly contested technology that breaks
>forwarding in many cases
True, but if your domain is used for forwarding, you can simply not publish
SPF records, or publish wide-open ones. However, this is really something
for the administrator of the domain to decide based on how his/her domain
works.
>and may not be the all-in-one spam savior that the lazy sysadmin is
>looking for.
I agree. It's definitely NOT a spam savior.
IMO, anyone who thinks SPF is an anti-spam technology is completely
confused, misinformed or just an idiot.
SPF is an anti-forgery technology, nothing more. Forgery may be a
persistent problem related to spam, and preventing forgery makes tracking
spam easier, but that doesn't make anti-forgery technologies anti-spam
technologies.
I also feel anyone who argues against the use of SPF on the basis of it not
being effective in preventing spam to be missing the point. (but the
forwarding issue IS a very valid point). Of course spammers can still spam
with SPF around, it just becomes harder for them to pretend your domain
sent the spam.
If you keep in mind what SPF is, and view it as that and nothing more
grandiose, it's quite useful.
>Just have a look over the mailing list archives for any MTA to see the
>range of opinions about SPF.
Agreed.
Re: Spammer using my domain name in FROM field
Posted by p dont think <pd...@angrynerds.com>.
>> Spammer apparently is using something@domainname.com in the FROM
>> field of the emails he is sending out. Domain is one of my customer's
>> virtual domains, spammer made up the username in the email address. Now
>> I am getting buried by mail notifications returning to
>> sender...obviously wrong person.
>>
>> How do you people deal with this? Is there anything I can do? Email
>> addresses in FROM field as we all know are fake when spammers use
>> them. But if you don't do it if someone misspelled an email address
>> that is legitimate and sent it to user they won't know it didn't make it.
>>
>> I am at a loss what to do.
>>
>> Any ideas?
>
>
> Not much.. However you can publish SPF records in your DNS zones for
> that domain. This way at least the sites which check SPF will realize
> that it's a forgery right off. Admittedly not many sites do this
> currently, but more are doing it every day and every little bit doesn't
> hurt.
>
> See http://spf.pobox.com/ They have a little web wizard which will
> create a DNS TXT record entry for you that you can copy-paste into your
> zonefile.
BEWARE, however, that SPF is a hotly contested technology that breaks
forwarding in many cases and may not be the all-in-one spam savior that
the lazy sysadmin is looking for. Just have a look over the mailing
list archives for any MTA to see the range of opinions about SPF.
Re: Spammer using my domain name in FROM field
Posted by Matt Kettler <mk...@comcast.net>.
At 11:47 AM 9/11/2004 -0500, you wrote:
>Spammer apparently is using something@domainname.com in the FROM field of
>the emails he is sending out. Domain is one of my customer's virtual
>domains, spammer made up the username in the email address. Now I am
>getting buried by mail notifications returning to sender...obviously
>wrong person.
>
>How do you people deal with this? Is there anything I can do? Email
>addresses in FROM field as we all know are fake when spammers use them.
>But if you don't do it if someone misspelled an email address that is
>legitimate and sent it to user they won't know it didn't make it.
>
>I am at a loss what to do.
>
>Any ideas?
Not much.. However you can publish SPF records in your DNS zones for that
domain. This way at least the sites which check SPF will realize that it's
a forgery right off. Admittedly not many sites do this currently, but more
are doing it every day and every little bit doesn't hurt.
See http://spf.pobox.com/ They have a little web wizard which will create a
DNS TXT record entry for you that you can copy-paste into your zonefile.