The primary mode of support here is peer-to-peer, meaning users helping other users. (please remember this at all times!)
Another try:
This forum is composed of people who have used spamcop and those who are learning about anti-spam efforts.

thomasw98 | Nov 25 2006, 08:27 PM | Post #1

I have been receiving around 10 emails per day from various email system autoresponders responding to email (spam) that was sent to them with a forged email address as the sender. The bad news is that the forged address is using my domain name. The flow is something like this:

Email (spam) is sent out using a forged "sender" email address that appears to be from my domain, e.g. "abcd[at]mydomain.com". (Just one example; each batch of emails seems to use a different set of random letters in the first part of the address.)

The email system for the recipient autoresponds that the recipient address does not exist or the email has been blocked for being spam.

The email system autoresponds to "abcd[at]mydomain.com" since that is the forged sender address.

I have a "catch all" set up on my server that forwards all email sent to any name "@mydomain.com" to my real address "thomas[at]mydomain.com".

So when the email system autoresponds to "abcd[at]mydomain.com", it is then forwarded to my real email box.

OK....so far, easy to solve the problem: Just turn off the catch-all default on my server. But I am still worried that eventually my domain will be misidentified as a spam source. Could this be possible? Is there anything I can do about it?

Why are they using my domain as the forged sender? My gut feeling tells me that one of my complaint letters sent to "abuse[at]senderofspam.com" probably annoyed a spammer so he decided to take his little petty revenge and use my address as the forged sender address in his future spams.

Any help or idea would be greatly appreciated! Thanks.

StevenUnderwood | Nov 25 2006, 08:38 PM | Post #2

First: Don't take it personally, right now the basic feeling is that it is simply a random pick of the addresses on the spammers list that get chosen for the return address. It will usually be someone else for the next run. There seem to be too many reporters for the spammers to care about retaliation in general. There may be a few trying that, however.

Second: Anyone who knows how email is sent will know you are not the originator of the spam. You may get a few nasty emails from clueless end users who simply reply to the spam and ask you to take them off your lists.

You can report those bounces through spamcop if you are so inclined as the system sending you the bounce has sent you unsolicited messages. I generally feel a personal report to the admin works better than getting them listed. Please point out that their current setup is likely to get them onto blacklists that use spamtraps, however.

--------------------
Steven P. Underwood, DNRC
Whitinsville, MA
underwood+forum[at]spamcop.net
-No trees were killed in the sending of this message. However, a large number of electrons were terribly inconvenienced.-

JoeShmo | Nov 27 2006, 10:12 PM | Post #3

10 messages a day? I wish we were that lucky. As I type, my email server is essentially being DDOS'd by poorly configured email servers around the world. Apparently a major spam operation has used my domain in the "From:" address, and now I'm getting 13,000 bouncebacks an hour to users who do not exist on my system. I'm dropping the connection right there with a 450 error, rather than accepting the message then trying to bounce back to the "From" address (which apparently, a lot of email servers still like to do).

I'm a small time ISP, with about 200+ users. My little mail server can't quite handle all this. I've done my part and have spam filters in place, use various DNSBL services, have SPF rules in DNS, etc. I wish other email server admins would do the same.

I'm not trying to figure out if I can put up another mail server just to "proofread" incoming messages so my users will still be able to open an SMTP connection to the real mail server. Normal operations I allow 30 SMTP connections. We're now allowing 180, and it's not enough.

(For anyone wondering, it's the WEXE thing, which in my book, I now consider as a virus/internet worm.)

This post has been edited by JoeShmo: Nov 27 2006, 10:13 PM

Wazoo | Nov 28 2006, 03:34 AM | Post #4

> I'm dropping the connection right there with a 450 error, rather than accepting the message then trying to bounce back to the "From" address.

In general, a 4xx response signifies a "Temporary" failure, so a heck of a lot of those (in today's world, misconfigured) servers are going to keep re-trying to send those e-mails ..... A 5xx type error says "don't waste your time trying again, this is a 'hard' failure" ......

JoeShmo | Nov 28 2006, 09:38 AM | Post #5

Darn... I wish all those silly sites out there listing SMTP error codes would have mentioned it's meant for a "temporary error", and it makes the sending MTA queue for a retry... oh well, I should have looked at the RFC or something...

Anyway, I'm now sending 553 errors..
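
Added example (not part of any post in this thread): a small Python model of why answering unknown recipients with 450 kept the connection load high while a 5xx reply does not. The retry schedule, mailbox list and function names are assumptions; only the 13,000-per-hour rate, the placeholder domain and the 450/553 codes come from the posts.

```python
from collections import Counter

DOMAIN = "mydomain.com"      # placeholder domain used in the first post
VALID_USERS = {"thomas"}     # constructed mailbox list
# Assumed retry offsets (minutes after the first attempt); real MTAs differ.
RETRY_AFTER_MIN = (15, 30, 60, 120, 240)


def reply_class(code):
    """Meaning of an SMTP reply code's first digit (RFC 821 / RFC 2821)."""
    return {2: "success", 3: "intermediate",
            4: "transient", 5: "permanent"}.get(code // 100, "invalid")


def rcpt_reply(address, unknown_code):
    """Answer RCPT TO inside the SMTP session instead of accepting and bouncing.

    Anything that is not a known local mailbox gets unknown_code.
    """
    local, _, domain = address.lower().partition("@")
    if domain == DOMAIN and local in VALID_USERS:
        return 250
    return unknown_code


def attempt_offsets(code):
    """Minutes at which a sender that obeys the reply code tries one message."""
    if reply_class(code) == "transient":
        return (0,) + RETRY_AFTER_MIN   # message is queued and retried
    return (0,)                         # delivered or hard failure: one attempt


def inbound_attempts(new_per_hour, unknown_code, hours):
    """Delivery attempts per hour when new_per_hour bounces arrive every hour."""
    per_hour = Counter()
    for arrival in range(hours):
        for offset in attempt_offsets(unknown_code):
            hour = (arrival * 60 + offset) // 60
            if hour < hours:
                per_hour[hour] += new_per_hour
    return [per_hour[h] for h in range(hours)]


if __name__ == "__main__":
    for code in (450, 553):
        reply = rcpt_reply("abcd@mydomain.com", code)
        print(code, reply_class(reply), inbound_attempts(13000, code, 5))
```

Under the assumed schedule the 450 reply grows the hourly attempt count to six times the arrival rate, while 553 holds it at one attempt per bounce.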

turetzsr | Nov 28 2006, 10:29 AM | Post #6

> Darn... I wish all those silly sites out there listing SMTP error codes would have mentioned its meant for a "temporary error", and it makes the sending MTA queue for a retry... oh well, I should have looked at the RFC or something...

...Google is your friend! http://www.google.com/search?hl=en&q=%22SMTP+Error%22 :) <g>

<snip>

--------------------
..Regards,
...Steve T
...A Happy SpamCop.net user (not an employee)
...Please avoid replying via e-mail, as it is not secure

GraemeL | Nov 28 2006, 10:43 AM | Post #7

> ...Google is your friend! http://www.google.com/search?hl=en&q=%22SMTP+Error%22 :) <g>

Or straight to the horse's mouth in RFC1893.

--------------------
Evidence shows Cyveillance abuse internet resources.
I recommend unchecking their box in SpamCop reports. Cyveillance are part of the problem. They are not part of the solution.

turetzsr | Nov 28 2006, 11:25 AM | Post #8

> Or straight to the horse's mouth in RFC1893.

...Already mentioned (at least indirectly):

> <snip> oh well, I should have looked at the RFC or something... <snip>

--------------------
..Regards,
...Steve T
...A Happy SpamCop.net user (not an employee)
...Please avoid replying via e-mail, as it is not secure

GraemeL | Nov 28 2006, 11:41 AM | Post #9

> ...Already mentioned (at least indirectly):

It was also the wrong RFC. :P Those are extended codes. The basic codes are in RFC821 or RFC2821.

--------------------
Evidence shows Cyveillance abuse internet resources.
I recommend unchecking their box in SpamCop reports. Cyveillance are part of the problem. They are not part of the solution.