Emails being blocked - possible domain hijack


chrig


I noticed a few weeks back that I had a couple of 'mail delivery' reports for bounced emails and, being ignorant of all this at the time, I was confused because they weren't emails I had sent.

Roll on a couple of weeks and some people don't seem to be receiving my emails, they're showing as 'delayed' in a lot of cases. Now all of a sudden, on certain domains, no-one is receiving my emails at all! I even had one showing as blocked and the delivery report cites the reason as "abuse". Now, when I receive orders via my website I send out a 'standard' email that will have a couple of PDF attachments but we're talking maybe 8 a day - there's no abuse going on and my system is clean.

A friend mentioned the 'hijack' possibility where people are spamming and using my URL as the reply address - this rang true with the delivery report mentioned above.

To start off I've been reading through what posts I can - I've emailed Yahoo for a start, who are the provider completely blocking my emails, but I've also run my URL through a few of the checkers. The spamcop and mxtoolbox.com scanners show it as clear but one I tried this morning showed my email reputation as "poor" (sorry, I can't remember which this was, I think it was from a link here).

My livelihood is dependent on my site so you can imagine I'm pretty worried about this (I'm especially worried about the possibility of it affecting my google rating).

Is there anything else I can do?


This forum section is for issues with the SpamCopDNSBL, which you have not mentioned at all.

In fact, you've not offered much of anything specific for anyone that felt like getting involved to do any research at all.

Bottom line, your 'web-site' has very little to do with someone 'blocking' your e-mail. A 'web-site' does not 'send e-mail' .... what needs to be defined here is the e-mail server involved.

The "Why am I Blocked?" FAQ and Pinned entries would have offered some explanation of how e-mail might be 'blocked' and some of the reasons why, but again, this is directed against use of the SpamCopDNSBL, which was not mentioned at all in your query.

Topic is being moved to the Lounge area as it does not appear to be a SpamCopDNSBL issue.


A friend mentioned the 'hijack' possibility where people are spamming and using my URL as the reply address - this rang true with the delivery report mentioned above.
More than likely some spammer has forged your domain name (NOT your "URL") into the from addresses of his spam. Almost all spam is forged in this fashion, so welcome to the club. See http://www.rickconner.net/spamweb/notmyaddress.html for some more info, and feel free to point your correspondents to this page if it suits the bill.

It seems very unlikely that a competent mail administrator would block mails or assign poor reputations based on forged e-mail addresses, but such things do happen. Not much to be done about this, unless you care to write the operators of the blocking list and point out your innocence.

What we don't know (since you've given no details) is whether the mails are actually being transmitted through machines or IP addresses under your control. This could go on, for example, if one of these machines were infected with open proxy malware.

However, it is not necessary for the spammer to have any contact with machines in your domain in order to forge the from-address.

-- rick

Added on edit:

You might find following information from this forum to be helpful. It is describing the problem of misdirected bounces due to spammers' address forgery, but it also deals with the problem of from-address forgery in general.


Hi Rick,

Thanks, that's very helpful. Sorry for the confusion, I meant someone was using my domain in their reply address, not URL. Forgive me if I wasn't overly forthcoming with any details (tbh I'm not sure what was required given the straight-forward nature of my question) but surely it's understandable, given the circumstances, that I'm cagey that any further links or references may be made with my site/email (and I'm not talking hyperlinks here).

I had read the "why am I blocked" FAQ and didn't see anything there I had contravened; pointers suggested if that was clear I shouldn't have a problem, but I obviously do - and it's a pretty urgent problem for me. I'm currently working 16 hour days and an hour of reading didn't turn much up, hence why I posted, so thanks for pointing me in the right direction :)


<snip>

Now, when I receive orders via my website I send out a 'standard' email that will have a couple of PDF attachments but we're talking maybe 8 a day

<snip>

Hi!

...Oh, on first reading, I blew right past this bit; perhaps others did, as well.

...Some questions:

  • How do you take orders -- is it done via a web site? With some sort of form?
  • How do you determine the e-mail address to send out your "'standard' email" -- is it from user entries on your web site? How do you know the e-mail addresses to which you are sending your "'standard' email" are addresses of people who really want your information and not forged by someone who is trying to get you blacklisted?

<snip>

I had read the "why am I blocked" FAQ and didn't see anything there I had contravened; pointers suggested if that was clear I shouldn't have a problem, but I obviously do - and it's a pretty urgent problem for me. I'm currently working 16 hour days and an hour of reading didn't turn much up, hence why I posted, so thanks for pointing me in the right direction :)

...Seems like these sections of the "End user version" of "Why am I Blocked?" from the SpamCop FAQ should have given you some good direction:
  • Q: Why me? A: It Happens to the best of us
  • Q: Who do I contact to correct this problem? A: Your ISP (email service provider) first

Please let us know what else we could have placed there to help you.


Thanks, that's very helpful. Sorry for the confusion, I meant someone was using my domain in their reply address, not URL. Forgive me if I wasn't overly forth-coming with any details (tbh I'm not sure what was required given the straight-forward nature of my question) but surely it's understandable, given the circumstances, that I'm cagey that any further links or references may be made with my site/email (and I'm not talking hyperlinks here).

Still not mentioned/defined is the outgoing e-mail server involved. Thusly, there is no way for anyone 'here' to do any research on your behalf on just what and why things might be blocked.

Entries provided like "How to ask a Question" point to details like this .. the thousands of existing Topics/Discussions include dialog from those that provided this needed data and other Discussions where it took much work to get the needed data available.

Again, what is waiting for identification is the outgoing e-mail server('s IP Address) that's involved with your 'blocked' e-mail. You stated that you wanted help with "blocking list" scenarios, but have yet to actually mention 'any' BLs involved with the 'blocking' ....


...Thanks, that's very helpful. Sorry for the confusion, I meant someone was using my domain in their reply address, not URL. Forgive me if I wasn't overly forth-coming with any details (tbh I'm not sure what was required given the straight-forward nature of my question) but surely it's understandable, given the circumstances, that I'm cagey that any further links or references may be made with my site/email (and I'm not talking hyperlinks here). ...
Certainly the SCbl would not be involved in any email blocking based on a forged email address however the forged address(es) and misdirected non-delivery reports may be quite coincidental to other problems which are more likely to affect your email and the non-deliveries of the same which you have mentioned. If, for instance, you are using a bethere.co.uk server for your outwards mail (of which there are more than 70 and this is the same provider you are using to access these forums) some of these have indeed been on black/block lists, including the SCbl, the cause has been spam originating from that network (and not due to trivially forged message headers) and that cause may or may not be anything to do with you even though it certainly affects you. Your question is not at all "straight-forward" in the absence of the necessary information by which to address it and you should understand that if you need to take further action.
... Again, what is waiting for identification is the outgoing e-mail server('s IP Address) that's involved with your 'blocked' e-mail. You stated that you wanted help with "blocking list" scenarios, but have yet to actually mention 'any' BLs involved with the 'blocking' ....
The SCbl is sometimes described as "hair trigger" in that it (fairly) rapidly lists a delinquent ISP address (which may be used by any number of individuals, most of whom will be innocent). It almost as rapidly delists in the absence of offending traffic. And it just as readily re-lists if spam again is seen (if anything, a little more readily) - that is, if the offending/originating machine on the network has not been found and fixed. If your problems have gone, well and good, you have "merely" been affected, not involved. If they continue then you may need to start the ascent of the learning curve. Many here will assist if you wish it.

IP addresses are not the same as domain names. As Farelf has pointed out, the IP address that you are posting from is known to anyone who wants to know it. IP addresses are what competent blocklists are built on.

It may have seemed to you that you asked a straightforward question, but the answer to your question is technical and requires the use of the proper technical terms and information.

If you read the 'Why Am I Blocked' FAQ, then you know that your emails do not need to be spam to be blocked, but can be blocked because of the activity of others on the mail server that sends your email. If you do not share the IP address with others, then it is more than likely that a computer on your network is compromised.

The use of your domain in the forged FROM is almost never a cause of blocking by server administrators. Only individuals who don't know any better block the FROM (though it can be used, on occasion, in end user filters by those who understand how filters work).

If your livelihood depends on the use of email, it would be a good idea to take a crash course in how email works and what are best practices for the use of email in commercial enterprise. This site has either the information you need or links to sites that would help you. Not knowing how email works is like an offline mail order entrepreneur not knowing how to package merchandise or what the various rates are and what the various services offered entail. If you bring a poorly wrapped package to the post office, they will reject it. If you use the cheapest rate, your package will take longer to get to its destination. If you don't use enough postage, the recipient will have to pay postage due.

The internet began as a very friendly place where everyone trusted everyone and went out of their way to help each other. There is still a spirit of neighborliness in some places. Even though some of the people who read these posts make their living by providing their email expertise to non-technically fluent people who want to use the internet for their livelihood, they may answer some of your questions, as you learn, for free.

Miss Betsy


Hi,

First, thanks for all the replies. Again, apologies as I knew this wasn't specifically relating to SC, I posted here a little out of hurried desperation but I also figured from reading it was a good resource.

Turetz - yes, orders are taken via a php form over the site. When a customer orders they input their email address - the site then automatically sends an acknowledgement email which I follow up with a manual detail containing the order details (though this does have standard/identical sections of text in it). The emails it's sending to are the customers' legit addresses - as I said, it's only a handful a day and I speak to them all eventually one way or another.

As I said, I had read all the FAQs and the first thing I did was contact the main problem recipient server (yahoo - no response yet). One thing I wasn't sure about was whether I should be contacting my ISP, due to the fact I don't use my ISP's SMTP server, I use the one for my domain (e.g. smtp.mydomain.co.uk) - should I instead be contacting my hosting company?

Wazoo - I realise you're cleaning up after newbies all the time on this forum and that's frustrating but I wasn't being ignorant. As I said, I'm cagey about what's safe to provide and thought I may be able to get helpful pointers without providing IP/server specifics. I was upfront about the fact that no BLs threw anything up, it was the 'reputation' aspect I mention which I presumed was a direct result of being added to a BL.

Anyway, here's some specifics from 2 delivery reports, if anyone would like to know anything else just ask:

This message was created automatically by mail delivery software.

A message that you sent has not yet been delivered to one or more of its
recipients after more than 24 hours on the queue on knopfler.uk-noc.com.

The message identifier is: 1ImR9B-0006Vf-F3
The subject of the message is: Re: Order
The date of the message is: Mon, 29 Oct 2007 09:46:24 -0000

The address to which the message has not yet been delivered is:
xxx[at]btinternet.com

Delay reason: SMTP error from remote mail server after initial connection:
host mx2.bt.mail.yahoo.com [217.146.188.189]:
421 Message from (83.223.117.180) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
xxx[at]chudesign.com

SMTP error from remote mail server after RCPT TO:<xxx[at]chudesign.com>:
host mx1c7.megamailservers.com [69.49.109.34]:
550 5.7.1 <xxx[at]chudesign.com>... H:MXB<83.223.117.180>Connection refused due to abuse

Farelf - I have 3 machines on my office network, only 1 machine has pop email set up on it. This 1 machine I carry back and forth between home and office - this machine is using the NTL ISP during the day and for personal use it's using bethere.co.uk in evenings. As mentioned, I don't use my ISP's SMTP servers - also this primary machine's firewall is set to block email abuse (e.g. more than 10 recipients, more than 5 emails in 2 seconds). All the machines on the office network have been scanned and are currently clean - another machine picked up a virus last week - I didn't think this would factor as it doesn't have pop3 email set up on it, though maybe that was the wrong assumption to make. It was only infected for 1 day and is now clean.


<snip>

Turetz - yes, orders are taken via a php form over the site. When a customer orders they input their email address - the site then automatically sends an acknowledgement email which I follow up with a manual detail containg the order details (though this does have standard/identical sections of text in it). The emails it's sending to are the customers legit address - as I said, it's only a handful a day and I speak to them all eventually one way or another.

...From what you describe, you seem to have left yourself open to indirect spamming (with you as the apparent spammer). Consider the following scenario: someone who doesn't like you, let's call him individual x, navigates to your web site, enters my, not hers/his, e-mail address. You send me an acknowledgement, which I report as spam, since I never requested anything from you, and then order details, which I also report as spam. Individual x does this several times, with several different e-mail addresses, some of whom are SpamCop users and some of whom also report you for spamming. Perhaps individual x even writes a little script, executing thousands of times, to do this same evil deed. Perhaps individual x even has the e-mail addresses of some spam traps and you send e-mails there, as well.
<snip>It was only infected for 1 day and is now clean.
...Are you certain you have cleaned any malware, including root kit infections, that may have been introduced during that period?

...Pretty much any PC, not just those running POP, can be turned into a spambot these days, usually without the owner being any the wiser. I hope your PCs have good protection!

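One way a form handler can close the hole described in the scenario above, shown here as an added example (not the site's own PHP form, not code from this thread): cap how many acknowledgements one address and one submitting IP can trigger per hour, and release the full order mail with its PDFs only after the address owner confirms through a signed token. The key, limits and names are hypothetical.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Hypothetical values: rotate the key in production, tune limits to real order volume.
SECRET = b"constructed-demo-key-not-for-production"
WINDOW_S = 3600        # sliding window for both limits
MAX_PER_ADDR = 2       # acknowledgement mails one address may receive per window
MAX_PER_SOURCE = 5     # form submissions one client IP may make per window


class FormGuard:
    """Decide whether an order-form submission may trigger any outgoing mail at all."""

    def __init__(self, now=time.time):
        self.now = now                    # injectable clock, so the logic is testable
        self.seen = defaultdict(deque)    # key -> timestamps of accepted submissions

    def _allow(self, key, limit):
        q = self.seen[key]
        cutoff = self.now() - WINDOW_S
        while q and q[0] < cutoff:        # drop entries that fell out of the window
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(self.now())
        return True

    def accept_submission(self, client_ip, email):
        """Return (ok, reason). On False nothing is sent, not even the confirmation."""
        email = email.strip().lower()
        if email.count("@") != 1 or "." not in email.rsplit("@", 1)[1]:
            return False, "malformed address"
        if not self._allow(("src", client_ip), MAX_PER_SOURCE):
            return False, "too many submissions from this source"
        if not self._allow(("addr", email), MAX_PER_ADDR):
            return False, "too many acknowledgements to this address"
        return True, "ok"


def confirm_token(email, order_id):
    """Token for the one-line 'please confirm your order' mail (no PDFs, no detail)."""
    msg = f"{email.strip().lower()}|{order_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def verify_token(email, order_id, token):
    """Only a valid click releases the full acknowledgement with attachments."""
    return hmac.compare_digest(confirm_token(email, order_id), token)
```

Someone feeding a stranger's address into the form then costs that stranger at most one short confirmation mail, and the order detail never leaves unless they click.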

Have you read anything about spambots and how they get on computers? I don't know a lot about the technical aspect, but I don't think they only get on a computer via email.

Are you sure that you are the only person who uses that IP address for email? I think that yes, you should be contacting your host. Unless you are running a mail server yourself, then it is the person who is running the email server you are using who should be finding out why you are not getting service.

Although, getting a virus on a machine on your network that does not access the internet (possibly - since you say it doesn't do email) is a little bit scary since that means it got it from some other computer on your network, I would think. It is strange that your IP address is not on any blocklists, yet you are getting rejection messages.

I also don't know much about forms, but I do know that there are some forms that can be exploited.

And I don't think firewalls block emails, but attempts to enter your computer some other way.

Good Luck in finding out what the problem is.

Miss Betsy


Anyway, here's some specifics from 2 delivery reports, if anyone would like to know anything else just ask:

This message was created automatically by mail delivery software.

A message that you sent has not yet been delivered to one or more of its
recipients after more than 24 hours on the queue on knopfler.uk-noc.com.

xxx[at]btinternet.com

Delay reason: SMTP error from remote mail server after initial connection:
host mx2.bt.mail.yahoo.com [217.146.188.189]:
421 Message from (83.223.117.180) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
xxx[at]chudesign.com

SMTP error from remote mail server after RCPT TO:<xxx[at]chudesign.com>:
host mx1c7.megamailservers.com [69.49.109.34]:
550 5.7.1 <xxx[at]chudesign.com>... H:MXB<83.223.117.180>Connection refused due to abuse

This is the needed data. Both issues point to the same IP address ... noting that the Yahoo item shows as a "temporary" issue .... the megamailservers.com 'error' commentary sucks a lot, as it doesn't identify just what that decision was based on (i.e. a BL or a personal thing ???)

83.223.117.180 => knopfler.uk-noc.com

http://www.senderbase.org/senderbase_queri...&show_rbl=1

Volume Statistics for this IP

                Magnitude   Vol Change vs. Last Month
  Last day         2.6            -83%
  Last month       3.4

First glance, something caused traffic to drop. Closer glance, all 6 IP addresses showing at the bottom of that page 'all' seem to show a similar reduction. (The 'same' issue resolved on all the servers?) Note that the (small) list of some popular BLs is showing that this IP isn't listed.

Farelf - I have 3 machines on my office network, only 1 machine has pop email set up on it. This 1 machine I carry back and forth between home and office - this machine is using the NTL ISP during the day and for personal use it's using bethere.co.uk in evenings.

Neither of your identified ISPs here seem to 'match' the above data. NTL relates to uk.com ?????

another machine picked up a virus last week - I didn't think this would factor as it doesn't have pop3 email set up on it, though maybe that was the wrong assumption to make. It was only infected for 1 day and is now clean.

Most nasties these days use their own SMTP engines. However, the issue there would have been the IP address that computer was using (or your gateway'd IP address ??? not knowing how you've got those multiple machines wired up) would be the one showing the problem ... In this case, I'd rather guess that it's the 'shared' server knopfler.uk-noc.com that's at the heart of the matter.

The folks you'd probably want to talk to .. your ISP that's connecting you to uk.com or uk.com directly at ipabuse[at]uk-noc.com or perhaps noc[at]gyron.net based on WHOIS data. Signs would indicate that the problem may actually be over, but ...?????

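The two reports quoted above are exactly what an investigation works from. As an added example (not code from this thread), here is a small Python triage script that pulls out of DSN text like this the remote MX that answered, the SMTP reply it gave, and the sending IP it blamed, then groups reports by that IP, which is the detail the thread keeps asking for. The sample reports are constructed from the ones quoted in the thread so it runs offline.

```python
import re

# Constructed sample input, copied in shape from the two reports quoted in the thread.
SAMPLE_REPORTS = [
    """This message was created automatically by mail delivery software.
A message that you sent has not yet been delivered to one or more of its
recipients after more than 24 hours on the queue on knopfler.uk-noc.com.
The address to which the message has not yet been delivered is:
xxx[at]btinternet.com
Delay reason: SMTP error from remote mail server after initial connection:
host mx2.bt.mail.yahoo.com [217.146.188.189]:
421 Message from (83.223.117.180) temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html
""",
    """A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
xxx[at]chudesign.com
SMTP error from remote mail server after RCPT TO:<xxx[at]chudesign.com>:
host mx1c7.megamailservers.com [69.49.109.34]:
550 5.7.1 <xxx[at]chudesign.com>... H:MXB<83.223.117.180>Connection refused due to abuse
""",
]

# "host <name> [<ip>]:" line written by the local MTA (Exim style, as in the thread)
HOST_RE = re.compile(r"^host\s+(?P<host>\S+)\s+\[(?P<ip>[\d.]+)\]:", re.M)
# SMTP reply: 3-digit code, optional enhanced status code (RFC 3463), free text
REPLY_RE = re.compile(r"^(?P<code>[245]\d\d)\s+(?:(?P<esc>[245]\.\d+\.\d+)\s+)?(?P<text>.*)$", re.M)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# the failed recipient sits alone on its own line in these reports
RCPT_RE = re.compile(r"^(\S+\[at\]\S+|\S+@\S+)$", re.M)
QUEUE_RE = re.compile(r"on the queue on (\S+?)\.?$", re.M)


def triage_dsn(report: str) -> dict:
    """Return the fields a blocklist or abuse-desk enquiry needs."""
    host = HOST_RE.search(report)
    reply = REPLY_RE.search(report, host.end() if host else 0)
    if reply is None:
        raise ValueError("no SMTP reply line found in report")
    remote_ip = host.group("ip") if host else None
    # any IP the remote server quotes back that is not its own is the IP it blames
    blamed = [ip for ip in IPV4_RE.findall(reply.group("text")) if ip != remote_ip]
    rcpt = RCPT_RE.search(report)
    queue = QUEUE_RE.search(report)
    return {
        "recipient": rcpt.group(1) if rcpt else None,
        "remote_host": host.group("host") if host else None,
        "remote_ip": remote_ip,
        "smtp_code": int(reply.group("code")),
        "enhanced_code": reply.group("esc"),               # e.g. "5.7.1"; None when absent
        "permanent": reply.group("code").startswith("5"),  # 5xx = bounce, 4xx = deferral
        "sender_ip": blamed[0] if blamed else None,
        "queue_host": queue.group(1) if queue else None,   # local MTA that queued the mail
        "reason": reply.group("text").strip(),
    }


def blamed_ips(reports) -> dict:
    """Group triaged reports by the sending IP the remote side named; one IP blamed by
    several unrelated remote hosts points at the shared outgoing server, not the content."""
    groups = {}
    for text in reports:
        t = triage_dsn(text)
        groups.setdefault(t["sender_ip"], []).append(t)
    return groups


if __name__ == "__main__":
    for ip, hits in blamed_ips(SAMPLE_REPORTS).items():
        print(f"{ip}: blamed by {len(hits)} remote server(s)")
        for t in hits:
            kind = "permanent" if t["permanent"] else "temporary"
            print(f"  {t['remote_host']} -> {t['smtp_code']} ({kind}): {t['reason'][:60]}")
```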

Turetz - yes, they're all definitely clean and all have numerous anti-spyware etc programs installed.

Betsy - I haven't read about spambots as yet though I can imagine they don't just get on there via email, I did, however, think they required pop to propagate.

I'm the only user of pop email on this IP that I know of. One thing I'm not too clear on yet, does a domain itself have an IP? In which case are you referring to my own office network IP (just 3 machines plugged into a router) or other domains on the same host server?

My ZoneAlarm firewall has the features to restrict out-going mail (with the features previously mentioned).

Wazoo - thanks, the Ntl ISP may be listed under ntlworld.com but has also just been bought over by virgin, so may have an entry relating to that. I have 3 machines hooked up to a router via ethernet. The uk-noc is my website's host (I think). Strangely enough, I'd received another bounced email today that actually contained a forward of the auto order confirmation email my site sends out:

This is an automatically generated Delivery Status Notification.

Unable to deliver message to the following recipients, because the message was forwarded more than the maximum allowed times. This could indicate a mail loop.

Followed by another for the same email:

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
xxx[at]theprnetwork.co.uk

SMTP error from remote mail server after end of data:
host mail2.theprnetwork.co.uk [88.208.204.4]:
557 This email is rejected. It contains content rejected by the antispam filter.


A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
xxx[at]theprnetwork.co.uk

SMTP error from remote mail server after end of data:
host mail2.theprnetwork.co.uk [88.208.204.4]:
557 This email is rejected. It contains content rejected by the antispam filter.

Sounds like some software is reading email and deciding your content is spam?


...I'm the only user of pop email on this IP that I know of. One thing I'm not too clear on yet, does a domain itself have an IP? In which case are you referring to my own office network IP (just 3 machines plugged into a router) or other domains on the same host server?...
Most (outwards mail) IP addresses are associated with a large number of domains and "other" users. Yours is no exception. You could imagine that if you considered the SenderBase statistics Wazoo quoted (a bit of homework required). Look also at

http://www.robtex.com/dns/mx1.email-cluster.com.html

(or http://www.robtex.com/dns/knopfler.uk-noc.com.html)

which show only partial results for shared mailservers because there are so many of them (and I don't think your own one is even listed - but no, I don't really know). We are talking about "mail" here. If you substitute your own domain name into one of the links (immediately above) in your browser's address bar, leaving out the .html at the end, and hit Enter, you will (probably) see many IP addresses associated with the different services for your hosting (address, name servers, etc. as well as mail exchange(s)).

If your problems are over, good. If not ... well, you may not be "the problem", as said before, but there are several areas of (mild-ish) concern:

  • unknown potential for exploit of webforms
  • possible compromise of infected machine

Of course it is all too easy to be excessively paranoid about these things. There again, they really are out to get you - and it seems to me that the most knowledgeable of the good guys are those who make the fewest claims that they might know it all (the rest of us are, very likely, merely deluded if we have such illusions).


I was going to suggest, like Wazoo, that the senderbase data indicated that possibly the infection had been cleared, but wasn't sure enough.

Content filters do pick out what looks like it might be spam. However, lots of people may want to use those same words or phrases in solicited email. I disagree with DavidT that content can be a criteria for spam. The only criteria is that it is unsolicited and unwanted. However, content filters are necessary to control spam where the source of the spam isn't yet known.

OTOH, I get spam frequently that has 'your order' or 'thanks for your order' or variations. It may be that your autoreply is too generic and is getting picked up by those who use content filters.

Someone else is going to have to explain domains and IP addresses and mail servers, but I think that having a domain is not equal to having a mail server. A domain has an IP address, but when you send email, it has to go through a mail server which can have a different IP address. There can be lots of domains using the same email server.

You might try learning about email headers. That might make it clearer to you.

Miss Betsy

