Geekzone: technology news, blogs, forums


craft1

77 posts

Master Geek


#116586 3-May-2013 12:11

I couldn't find anywhere else to put this so hopefully "Off topic" is a suitable spot.

This morning I have started receiving thousands of emails bounced back from various email addresses that have 'apparently' been sent from 'info@<my domain>'.

This is attached to my domain but not an email account I have set up. I don't know how or why these emails are coming back to me apart from maybe a spammer using 'info@<my domain>' as the reply address.

I have just created an info@<my domain> now with a limit of 1MB to stop them coming to me but I am concerned that this will somehow affect my other email accounts due to being marked as spam.

I have emailed this through to my Email Hoster (GoDaddy) also and will apparently hear back in the next day.  Assuming they have any advice here.

Is there anything else I can do here?

Thanks in advance

Darren

Edit: corrected the subject text

freitasm
BDFL - Memuneh
79310 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #810740 3-May-2013 12:41

Nothing much you can do to prevent people sending or trying to send emails from a domain name. You can though specify a SPF record in your DNS to make sure those receiving servers that can check DNS will look at the record and know where email for your domain is allowed to come from or not.








mattwnz
20165 posts

Uber Geek


  #810745 3-May-2013 12:46

It's possible your email account is hacked. Check the email headers for the IP it is being sent from. Possibly time to change providers if the support is too slow. You shouldn't have to wait more than a few hours for support.

SteveON
1916 posts

Uber Geek


  #810746 3-May-2013 12:48

Not really much - it happens all the time. Check the headers for the route.



freitasm
BDFL - Memuneh
79310 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #810748 3-May-2013 12:50

A "hacked account" is a lot less likely than a spoofed email address in the sender field, which anyone can use. Also if the OP didn't have an info@ email account it couldn't be hacked.






craft1

77 posts

Master Geek


  #810751 3-May-2013 12:53

Here are the contents of one of the many emails I have received so far, not sure exactly how to read it as far as if it states where it came from, etc...

---------------
Message from yahoo.co.nz.Unable to deliver message to the following address(es).

 

<nz_procurement@yahoo.co.nz>:

This user doesn't have a yahoo.co.nz account (nz_procurement@yahoo.co.nz) [0]

 

<nz_redrooster2004@yahoo.co.nz>:

This user doesn't have a yahoo.co.nz account (nz_redrooster2004@yahoo.co.nz) [0]

 

--- Original message follows.

 

The original message is over 5K. Message truncated.

 

Return-Path: <info@fnd.co.nz>

X-YahooFilteredBulk: 70.43.63.18

Received-SPF: none (domain of fnd.co.nz does not designate permitted sender hosts)

X-Originating-IP: [70.43.63.18]

Authentication-Results: mta1268.mail.bf1.yahoo.com  from=fnd.co.nz; domainkeys=neutral (no sig);  from=fnd.co.nz; dkim=neutral (no sig)

Received: from 127.0.0.1  (EHLO smtp01.atlngahp.sys.nuvox.net) (70.43.63.18)

  by mta1268.mail.bf1.yahoo.com with SMTP; Thu, 02 May 2013 16:44:04 -0700

Received: from artots01.ARTO.local (66.148.214.220.nw.nuvox.net [66.148.214.220])

      by smtp01.atlngahp.sys.nuvox.net (8.13.1/8.13.1) with ESMTP id r42NP82k023490;

      Thu, 2 May 2013 19:39:19 -0400

Message-Id: <201305022339.r42NP82k023490@smtp01.atlngahp.sys.nuvox.net>

Content-Type: multipart/alternative; boundary="===============0375986271=="

MIME-Version: 1.0

Subject: Resolve The Issue On Your Account.

To: Recipients <info@fnd.co.nz>

From: "ASB" <info@fnd.co.nz>

Date: Thu, 02 May 2013 18:45:59 -0500

 

You will not see this in a MIME-aware mail reader.

--===============0375986271==

Content-Type: text/plain; charset="iso-8859-1"

MIME-Version: 1.0

Content-Transfer-Encoding: quoted-printable

Content-Description: Mail message body

 

 

    =

 

  =

 

 Dear Valued Customer:

 =

 

 We need your help resolving an issue with your ASB account. To give us tim= e to work together on this, we've temporarily limited what you can do with = your ASB account until the issue is resolved.

 =

 

 To help us with this and to find out what you can and can't do with your a= ccount until the issue is resolved. click on the link below to resolve issue  =

 

 Log in here to Resolve issue.

 =

 

  =

 

 =

 

   Yours sincerely =

 

 =

 

 =

 

 ASB Bank Limited,

 Digital Banking Director     =

 

       =

 

=20

--===============0375986271==

Content-Type: text/html; charset="iso-8859-1"

MIME-Version: 1.0

Content-Transfer-Encoding: quoted-printable

Content-Description: Mail message body

 

<html><

*** MESSAGE TRUNCATED ***
---------------
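One way to read the headers in the bounce quoted above, as an added example that is not part of the original thread. The function name `trace_origin` is hypothetical; the header values are copied from the post, with the long `X-YMailISG` header and the MIME headers left out.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers copied from the bounce quoted above (X-YMailISG and MIME headers left out).
BOUNCED_HEADERS = """\
Return-Path: <info@fnd.co.nz>
Received-SPF: none (domain of fnd.co.nz does not designate permitted sender hosts)
Authentication-Results: mta1268.mail.bf1.yahoo.com  from=fnd.co.nz; domainkeys=neutral (no sig);  from=fnd.co.nz; dkim=neutral (no sig)
Received: from 127.0.0.1  (EHLO smtp01.atlngahp.sys.nuvox.net) (70.43.63.18)
  by mta1268.mail.bf1.yahoo.com with SMTP; Thu, 02 May 2013 16:44:04 -0700
Received: from artots01.ARTO.local (66.148.214.220.nw.nuvox.net [66.148.214.220])
      by smtp01.atlngahp.sys.nuvox.net (8.13.1/8.13.1) with ESMTP id r42NP82k023490;
      Thu, 2 May 2013 19:39:19 -0400
From: "ASB" <info@fnd.co.nz>

"""

# An IPv4 address that a mail server wrote in (...) or [...] next to the peer name.
PEER_IP = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def trace_origin(raw_headers):
    """Summarise who handed the message to whom, newest hop first."""
    msg = message_from_string(raw_headers)
    hops = []
    for received in msg.get_all("Received", []):
        flat = " ".join(received.split())  # unfold continuation lines
        from_part, _, by_part = flat.partition(" by ")
        ips = PEER_IP.findall(from_part)
        hops.append({"peer_ip": ips[-1] if ips else None,
                     "recorded_by": by_part.split()[0] if by_part else None})
    dkim = re.search(r"dkim=(\w+)", msg.get("Authentication-Results", ""))
    return {
        "envelope_sender": parseaddr(msg.get("Return-Path", ""))[1],
        "header_from": parseaddr(msg.get("From", ""))[1],
        "spf": (msg.get("Received-SPF") or "absent").split()[0],
        "dkim": dkim.group(1) if dkim else "absent",
        # Only the newest Received line was written by the receiving provider;
        # older lines are supplied by the sending side and can be forged.
        "verified_peer_ip": hops[0]["peer_ip"] if hops else None,
        "hops": hops,
    }

if __name__ == "__main__":
    for key, value in trace_origin(BOUNCED_HEADERS).items():
        print(f"{key}: {value}")
```

The result shows the message reached Yahoo from 70.43.63.18 with an SPF result of `none` and no DKIM signature, so nothing in it ties the message to the domain owner's own mail servers.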

freitasm
BDFL - Memuneh
79310 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #810757 3-May-2013 12:54

Just someone spoofing the sender address it seems.






craft1

77 posts

Master Geek


  #810760 3-May-2013 12:55

And after checking quite a lot of emails, none of the addresses are any that I have ever seen before so I am confident it isn't coming from my address book.  

Some emails have a large number of similar email addresses but don't appear to be randomly generated.  Must have a massive email database somewhere.

 
 
 

chiefie
I iz your trusted friend
5877 posts

Uber Geek

Retired Mod
Trusted
Lifetime subscriber

  #810764 3-May-2013 12:59

This happens all the time...




Internet is my backyard...

 

«Geekzone blog: Tech 'n Chips Takeaway» «Personal blog: And then...»

 

Please read the Geekzone's FUG

 


craft1

77 posts

Master Geek


  #810782 3-May-2013 13:04

chiefie: This happens all the time...


So what do people normally do here?

I have created the account with a 1MB limit to stop all the spam coming back to me.  Do I just assume that the spammer will move on to another address after a day or two?

kiwitrc
4123 posts

Uber Geek
Inactive user


  #810799 3-May-2013 13:26

On our email server (Mdaemon) we have enabled backscatter protection to stop this happening.

LennonNZ
2459 posts

Uber Geek

ID Verified
Trusted

ubergeeknz
3344 posts

Uber Geek

Trusted
Vocus

  #810824 3-May-2013 14:28

As Mauricio has noted, SPF records will help with this.  The majority of email platforms (especially the large ones) will check these for mail from a domain, and if the sender is not listed will reject the mail out of hand (and likely blacklist the server attempting to spoof your email address).  So the SPF record is not just good for your reputation, but bad for spammers too.

There is also DKIM - but it's a bit more complicated to set up and SPF is probably good enough for these purposes.

As for the bounce backs, all you can really do is ignore them :)

Edit: Just note that if you're using SPF records, don't use SMTP servers to send mail that you've not put in your SPF record - for obvious reasons!

craft1

77 posts

Master Geek


  #810860 3-May-2013 15:13

ubergeeknz: As for the bounce backs, all you can really do is ignore them :)


Thanks for that.  I won't see them anymore; they have been diverted away from any accounts I check. I was more concerned that my domain would get marked as a spammer and affect my actual emails.  Hopefully that isn't the case.

gehenna
8520 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #810864 3-May-2013 15:16

You can check if your domain has been blacklisted and request it be whitelisted by using some online searches. One is at MXToolbox.com. Just click on the Blacklists tab and put in your domain name or server IP address.

Shindig
1587 posts

Uber Geek

Trusted

  #810866 3-May-2013 15:16

A lot of email filter software has inbuilt spoofing rules.

Where it will block email that appears to be from its own domain, but the IP is different.

if that makes sense.




The little things make the biggest difference.

