
someone else sending email from my domain


abyrne


I received an email from a lady who asked to be removed from our email list, and discovered she is not on our list. When I asked her to send me the original mail she received, she replied she had already deleted the email, but the address she had added to her "block" list is not one of ours, but it did use our domain name "[at]cptigers.org".

I assume there is nothing I can do without header information to track this down, but wanted to verify that is correct. Users don't even have to use your mail server to use your domain in the "Sent from" address, do they? Is there anything I can do to prevent this?

Thanks, Amanda

Amanda Byrne

IT Administrator

www.cptigers.org


...I assume there is nothing I can do without header information to track this down, but wanted to verify that is correct. Users don't even have to use your mail server to use your domain in the "Sent from" address, do they? Is there anything I can do to prevent this?
Hi Amanda,

You need the header information to track down the source (or sources; there are almost certainly multiple, if you could see all the forgeries in your domain name, though most people know it is not really "you" and so won't even complain). Forging the From: address is trivial and a widely used (almost universally used) tactic of spammers. It is generally held to be pointless trying to get to the bottom of it, though that might depend on the actual circumstances. Some past discussions here that may be of interest (just a few of the many):

http://forum.spamcop.net/forums/index.php?showtopic=5937

http://forum.spamcop.net/forums/index.php?showtopic=806

http://forum.spamcop.net/forums/index.php?showtopic=7314

http://forum.spamcop.net/forums/index.php?showtopic=478


(...) the address she had added to her "block" list is not one of ours, but it did use our domain name "[at]cptigers.org".

I assume there is nothing I can do without header information to track this down, but wanted to verify that is correct. Users don't even have to use your mail server to use your domain in the "Sent from" address, do they? Is there anything I can do to prevent this?

You are right, there isn't much you can do to stop someone forging your domain into the "from" line. They don't need to have any association or interaction with your mail server. This is a pretty standard tactic among spammers, who need to use a valid-looking from-address so that their messages at least look kosher to some spam filters. This info is easy to forge and is therefore quite untrustworthy as you have learned.

Since you did not indicate that you got any bounces on this mailing (just the one personal reply), you may already have taken the biggest countermeasure you can -- namely, turning off "catchall" e-mail addresses for your domain (i.e., a catchall is where your mail server will forward all mails to your domain that aren't addressed to a valid username). This spares you from getting hundreds (or more) of bounces for undeliverable spams.

If you had the header of the original message, you would be able to tell where the message originated (i.e., what IP address), and you might be able to use this as the basis for a report to the provider responsible for this address. However, there's only a slim chance that any action would be taken on such a report.

This sort of thing happens to many, many domain owners every day. The spammers like to spread the joy around, however, so chances are that you won't be bothered again for a while (at least not by this spammer).

-- rick

(edited to fix a goof)

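Rick's point is that the From: line is worthless as evidence and only the Received: headers stamped by relays you trust can tell you which IP handed the message in. The following Python is an added example written for this thread (not code from the original posters or from SpamCop) showing one way to read such a header chain. The message, the relay names (mailstore.example.net, mx.example.net) and all IP addresses are constructed placeholders from the RFC 5737 documentation ranges; the trusted-relay set is an assumption about the recipient's own infrastructure.

```python
"""Find the hop that injected a message by walking its Received: headers.

Added example, not code from the forum thread.  The From: line is chosen by
whoever sends the message, so it proves nothing; the only usable evidence is
the Received: stamps added by relays you control.  Those are read top-down
(newest first): every stamp made *by* one of your relays is trusted, and the
first trusted stamp whose peer is not one of your relays names the outside
IP that handed the message in.  Stamps below that point may have been
written by the sender and are ignored.

Hostnames and addresses below are constructed placeholders (RFC 5737
documentation ranges), not real servers.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed sample: spam that forges a cptigers.org address in From:.
# The recipient's two relays (mailstore/mx.example.net) stamped the top two
# Received: lines; the bottom one was written by the sending machine and
# claims, falsely, that the mail came from mail.cptigers.org.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mailstore.example.net with ESMTP id abc123
\tfor <victim@example.net>; Mon, 01 Jan 2007 10:00:03 +0000
Received: from dsl-pool.isp-example.org (unknown [203.0.113.77])
\tby mx.example.net with SMTP id def456
\tfor <victim@example.net>; Mon, 01 Jan 2007 10:00:01 +0000
Received: from mail.cptigers.org (localhost [127.0.0.1])
\tby dsl-pool.isp-example.org with SMTP id forged
From: "Newsletter" <bulk-no-such-user@cptigers.org>
To: victim@example.net
Subject: constructed sample

body
"""

# Relays the recipient controls (constructed, an assumption for this example):
# names as they appear in the "by" clause plus the addresses they connect from.
TRUSTED_RELAYS = {"mailstore.example.net", "mx.example.net", "192.0.2.10"}

_FROM_HOST = re.compile(r"^from\s+([\w.-]+)", re.IGNORECASE)
_BY_HOST = re.compile(r"\bby\s+([\w.-]+)", re.IGNORECASE)
_PEER_IP = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")


def sender_domain(raw: str) -> str:
    """Domain shown in From:, i.e. the part that was trivially forged."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()


def likely_origin(raw: str, trusted: set) -> Optional[str]:
    """Return the first non-trusted peer IP in the trusted Received: chain.

    Returns None when no trusted relay stamped the message (nothing to go on)
    or when every hop was internal.
    """
    msg = message_from_string(raw)
    for header in msg.get_all("Received", []):          # newest hop first
        flat = " ".join(header.split())                  # unfold the header
        by = _BY_HOST.search(flat)
        if by is None or by.group(1).lower() not in trusted:
            break          # stamped by someone else: stop trusting the chain
        peer = _PEER_IP.search(flat)
        if peer is None:
            continue       # local hand-off without an IP literal
        ip = peer.group(1)
        from_host = _FROM_HOST.match(flat)
        internal = (
            ip in trusted
            or (from_host is not None and from_host.group(1).lower() in trusted)
            or ipaddress.ip_address(ip).is_loopback
        )
        if not internal:
            return ip      # the outside host that handed the mail to us
    return None


if __name__ == "__main__":
    print("From: domain :", sender_domain(SAMPLE_MESSAGE))
    print("injected by  :", likely_origin(SAMPLE_MESSAGE, TRUSTED_RELAYS))
```

On the sample, `sender_domain` reports cptigers.org while `likely_origin` reports 203.0.113.77, the address a report to the responsible provider would be based on. The walk deliberately stops at the first stamp not made by one of your own relays: the bottom Received: line naming mail.cptigers.org is exactly the kind of stamp a sender can type in, so it is never consulted.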

  • 2 weeks later...
This sort of thing happens to many, many domain owners every day. The spammers like to spread the joy around, however, so chances are that you won't be bothered again for a while (at least not by this spammer).

...unless your domain is used by the "Russian girlfriend" spammers that have been forging my wife's address on their outgoing spew for about three months. They don't show much of a sign of letting up. I've tried complaining to the responsible parties for source IPs, but even more importantly to the hosts of the spamvertised sites, who did nothing. :-(

So, we get lots of NDRs headed for my wife's address, but most of them wind up in her Held Mail folder (SC email account). I'm seeing a LOT of similar activity related to random addresses I own/monitor. I've noticed a rather large increase of spam, both in my Held Mail and getting through to my inbox.

DT

