For anybody who runs a mail server...

Sharky Forums



  1. #1
    Mako Shark Motoman's Avatar
    Join Date
    Sep 2000
    Location
    Wit yo momma.
    Posts
    4,325

    For anybody who runs a mail server...

    I have recently become aware that someone is "spoofing" fake email addresses with one of my domains, and sending out spam with that fake address...

    ...I don't think there's really anything I can do about it - but if anybody has any ideas, let me know...
    REMEMBER THE WORLD TRADE CENTER!!!

    My WTC Memorial Website (and other stuff)
    - I used to be a SETI top 0.2% user! - Modded Computers

    Main gaming rig: Athlon 64 3000+, ECS 755-A2, GeForce 6800 128Mb, Philips Acoustic Edge, 2Gb Corsair XMS PC3200, 120Gb Hard Drive, etc.

    Creative Labs = poop

  2. #2
    Reef Shark Pestilence's Avatar
    Join Date
    Dec 2000
    Location
    Hickville, USA. :(
    Posts
    353
    Is he also spoofing the IP address that those spoofed email addresses come from?
    God damnit, better graphics != revolutionary gaming! Get it through your skull!

  3. #3
    Mako Shark Motoman's Avatar
    Join Date
    Sep 2000
    Location
    Wit yo momma.
    Posts
    4,325
    No...and maybe "spoof" is the wrong word to use...

    Nothing is getting routed through my server - they're just making up fake email addresses with my domain name on them and sending them out from wherever. So I keep getting "no such user" and other error messages from AOL's servers, etc.

    ...what worries me is that AOL might decide that I'm the spammer, and ban my domain, since they're getting all this crap that *appears* to be coming from users on my domain.

  4. #4
    Great White Shark
    Join Date
    Nov 2000
    Posts
    21,595
    Welcome to one of the latest pieces of malware spreading throughout the net. There is nothing you can do about it except filter it at your post office. I log several thousand of these per day at my post office. I've started blocking some IP ranges at my router because they are the source of multiple originators.

  5. #5
    Mako Shark Motoman's Avatar
    Join Date
    Sep 2000
    Location
    Wit yo momma.
    Posts
    4,325
    Yeah, it's not so much the traffic I get, but the spam these people are sending from wherever they send them from. Since they don't route through my server (I use SMTP authentication, and none of the addresses they use are valid), I don't really think that there is anything I can do about it. Was just wondering if anybody had any brilliant revelations for me...

  6. #6
    Catfish gameboy1234's Avatar
    Join Date
    Aug 2002
    Posts
    238
    The answer:

    Buy a gun. Shoot a spammer.


    Seriously, sorry to hear that you've run afoul of these creeps. Maybe someday we'll get an elected official who will make spam illegal like it should be.

  7. #7
    Hammerhead Shark FunctionX's Avatar
    Join Date
    Dec 2002
    Location
    Mount Pleasant, Michigan
    Posts
    1,756
    Originally posted by gameboy1234
    The answer:

    Buy a gun. Shoot a spammer.


    Seriously, sorry to hear that you've run afoul of these creeps. Maybe someday we'll get an elected official who will make spam illegal like it should be.
    It will never be 'illegal' per se. It is somewhat protected under the 1st amendment. The sneaky methods in which they do it though, that may/should one day be illegal.
    AIM: inex00rable

    - Everything in life is simple, we just choose to complicate it with our emotions.

    - Watercooled, and proud of it.

  8. #8
    Great White Shark
    Join Date
    Nov 2000
    Posts
    21,595
    Originally posted by Motoman
    Yeah, it's not so much the traffic I get, but the spam these people are sending from wherever they send them from. Since they don't route through my server (I use SMTP authentication, and none of the addresses they use are valid), I don't really think that there is anything I can do about it. Was just wondering if anybody had any brilliant revelations for me...
    I block several IPs from geographic regions I will never receive legit mail from such as China, Korea, South America. It really cuts down on the traffic. You can also use black lists so your server will automatically refuse connections to known spam IPs.

  9. #9
    Hammerhead Shark
    Join Date
    Feb 2001
    Location
    Columbus, Ohio
    Posts
    1,277
    Hopefully some day they'll make email not suck. Wouldn't it filter almost all of the spam if the receiving server just checked that the domain it's coming from and the server match up? Not even rdns, but just checking the mx record then resolving the ips. This would create more traffic, but once all servers did it, wouldn't it ultimately create less due to no spam. Viruses would still suck though.

  10. #10
    Great White Shark
    Join Date
    Nov 2000
    Posts
    21,595
    That won't do. The new legally compliant spammers (very few) still change IP addresses frequently and use thousands of different FQDNs that actually match the IP of the moment. The FQDN is not used in the mail headers. Instead they comply by using XYZ Company as a mail from header.

    Those that don't comply with the law (most), there isn't much you can do except keep your filters up to date.

    It is easy to block mail from certain regions of the world using the IP address. The address allocations are in RFC 1466 and subsequent RFCs. Most of the Orient is within the 202, 203, 210 and 211 address ranges.

    There are some exceptions, but here are some of the major divisions -
    Code:
       Multi-regional          192.0.0.0 - 193.255.255.255
       Europe                  194.0.0.0 - 195.255.255.255
       Others                  196.0.0.0 - 197.255.255.255
       North America           198.0.0.0 - 199.255.255.255
       Central/South America   200.0.0.0 - 201.255.255.255
       Pacific Rim             202.0.0.0 - 203.255.255.255
       Others                  204.0.0.0 - 205.255.255.255
       Others                  206.0.0.0 - 207.255.255.255
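    The range-based blocking ua549 describes, worked through as an added example (not code from the thread or from any poster's router): the quoted allocation table is turned into CIDR blocks, a connecting IP is classified by region, and a refuse decision is made against a constructed "blocked regions" policy. The table is the 1993-era RFC 1466 layout quoted in the post, not current registry data; anyone doing this today would build the ranges from the regional registries' published delegation files, and the usual caveat applies that a region-wide block also refuses every legitimate sender in that region.

```python
import ipaddress

# The allocation table quoted in the post above (RFC 1466-era /7 blocks).
# The blocked-region policy further down is a constructed example, not a real ACL.
REGION_RANGES = [
    ("Multi-regional",        "192.0.0.0", "193.255.255.255"),
    ("Europe",                "194.0.0.0", "195.255.255.255"),
    ("Others",                "196.0.0.0", "197.255.255.255"),
    ("North America",         "198.0.0.0", "199.255.255.255"),
    ("Central/South America", "200.0.0.0", "201.255.255.255"),
    ("Pacific Rim",           "202.0.0.0", "203.255.255.255"),
    ("Others",                "204.0.0.0", "205.255.255.255"),
    ("Others",                "206.0.0.0", "207.255.255.255"),
]


def range_to_cidrs(first, last):
    """Collapse an inclusive first-last range into the minimal list of CIDR networks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def build_blocklist(blocked_regions, ranges=REGION_RANGES):
    """CIDR networks covering every table row whose region label is in blocked_regions.

    Adjacent blocks are merged, so blocking two neighbouring /7s yields one /6.
    """
    nets = []
    for region, first, last in ranges:
        if region in blocked_regions:
            nets.extend(range_to_cidrs(first, last))
    return list(ipaddress.collapse_addresses(nets))


def region_of(ip, ranges=REGION_RANGES):
    """Region label for an address, or None when the table does not cover it."""
    addr = ipaddress.IPv4Address(ip)
    for region, first, last in ranges:
        if ipaddress.IPv4Address(first) <= addr <= ipaddress.IPv4Address(last):
            return region
    return None


def should_refuse(ip, blocklist):
    """True if the connecting address falls inside any blocked network."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in blocklist)


def acl_lines(blocklist):
    """Render the blocklist as generic 'deny <cidr>' lines (syntax is illustrative)."""
    return [f"deny {net}" for net in blocklist]


if __name__ == "__main__":
    policy = {"Pacific Rim"}          # constructed example policy
    blocklist = build_blocklist(policy)
    for line in acl_lines(blocklist):
        print(line)
    for client in ("203.0.113.5", "198.51.100.10"):   # documentation addresses
        print(client, region_of(client), "refuse" if should_refuse(client, blocklist) else "accept")
```

    The interesting output is how small the resulting ACL is: the whole 202.0.0.0 - 203.255.255.255 row is a single 202.0.0.0/7, which is exactly why a router can apply such a rule cheaply, and also why it is so coarse.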

  11. #11
    Mako Shark Motoman's Avatar
    Join Date
    Sep 2000
    Location
    Wit yo momma.
    Posts
    4,325
    Originally posted by anfpunk
    Hopefully some day they'll make email not suck. Wouldn't it filter almost all of the spam if the receiving server just checked that the domain it's coming from and the server match up? Not even rdns, but just checking the mx record then resolving the ips. This would create more traffic, but once all servers did it, wouldn't it ultimately create less due to no spam. Viruses would still suck though.
    My mail server (Argosoft) can check the return address provided in the header against its domain to make sure it's a legitimate address before it relays the message...and it also checks the ORDB for open-relay servers and can block messages from them.

    My problem is that none of the offending stuff actually hits my server at any time - well, except for the "don't spam me" and various "user not found" return messages from various mail servers...

    If some major ISP like AOL or Earthlink was to decide that I was a spammer due to this stuff, I would be seriously POd. And there probably wouldn't be anything I could do about it either...

  12. #12
    Great White Shark
    Join Date
    Nov 2000
    Posts
    21,595
    I don't think ISPs use the FROM email header for anything. After all it is data. They look at their connection logs and the connection mail headers to determine where the mail originated and the path it followed. What you are seeing are automated returned mail. If you don't know anyone at AOL simply put AOL on your black list so you don't have to look at the returns.

    Have you corresponded with AOL's security department or postmaster?
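    ua549's point that receivers go by the Received trail rather than the From: header is also the key to telling these returns apart. Below is an added example (not code from the thread or from Argosoft) that classifies an incoming bounce as backscatter from a forged sender or as a genuine return of mail this server sent: it pulls the original message out of the bounce's message/rfc822 part and checks whether any Received line was written "by" one of our own hosts. The host names, IP addresses and both bounce messages are constructed for the demo.

```python
import email
import re
from email import policy

# Assumption: the hostname(s) our own MTA writes into the 'by' clause of Received lines.
OUR_HOSTS = {"mail.example.com"}


def make_bounce(received_lines):
    """Build a constructed delivery-status bounce wrapping an original message.

    Only the Received lines of the returned original vary between the two samples.
    """
    headers = "\n".join(received_lines)
    return f"""\
From: MAILER-DAEMON@mx.example.net
To: fake123@example.com
Subject: Undeliverable mail
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: text/plain

Delivery to nosuchuser@example.net failed: no such user.
--B
Content-Type: message/rfc822

{headers}
From: fake123@example.com
To: nosuchuser@example.net
Subject: cheap pills

buy now
--B--
"""


# Constructed: a forged message that went straight from a remote client to the remote MX.
BACKSCATTER_BOUNCE = make_bounce([
    "Received: from 203-0-113-5.dsl.isp.invalid (203.0.113.5) by mx.example.net with SMTP; Mon, 1 Mar 2004 10:00:00 +0000",
])

# Constructed: a message that really left our server before the remote MX rejected it.
LEGIT_BOUNCE = make_bounce([
    "Received: from mail.example.com (198.51.100.10) by mx.example.net with ESMTP; Mon, 1 Mar 2004 10:00:05 +0000",
    "Received: from alice-pc (192.0.2.20) by mail.example.com with ESMTPA; Mon, 1 Mar 2004 10:00:00 +0000",
])

BY_CLAUSE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def relaying_hosts(inner_msg):
    """Hostnames from the 'by' clause of each Received line in the returned original."""
    hosts = set()
    for value in inner_msg.get_all("Received", []):
        m = BY_CLAUSE.search(str(value))
        if m:
            hosts.add(m.group(1).lower().rstrip("."))
    return hosts


def returned_original(bounce_msg):
    """The message/rfc822 part a bounce carries, or None if it does not include one."""
    for part in bounce_msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def classify_bounce(raw, our_hosts=OUR_HOSTS):
    """'legitimate-bounce' if our host handled the original, 'backscatter' if not,
    'no-original' when the bounce gives us nothing to check."""
    msg = email.message_from_string(raw, policy=policy.default)
    original = returned_original(msg)
    if original is None:
        return "no-original"
    if relaying_hosts(original) & {h.lower() for h in our_hosts}:
        return "legitimate-bounce"
    return "backscatter"


if __name__ == "__main__":
    print("forged sender:", classify_bounce(BACKSCATTER_BOUNCE))
    print("our own mail: ", classify_bounce(LEGIT_BOUNCE))
```

    The check is only as good as the Received trail inside the returned copy, and that trail is data the spammer controlled when the message was injected, so a forged "by mail.example.com" line would slip past it; it is a triage aid for sorting the returns, not proof. A stronger approach, which this thread predates, is to tag the envelope sender of every outbound message so the receiving side of a bounce can recognise its own tag (the technique known as BATV).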

  13. #13
    Mako Shark Motoman's Avatar
    Join Date
    Sep 2000
    Location
    Wit yo momma.
    Posts
    4,325
    I've sent a number of emails to what seemed like logical places, and to be fair to AOL they seem to have stemmed the flood of administrative messages I was getting from them...so maybe they believe me. I'm just wondering what happens when the spammers move on to Earthlink, AT&T, Compuserve, etc. Somebody may just decide that I'm the problem and block my domains...and that would suck.

  14. #14
    Hammerhead Shark
    Join Date
    Feb 2001
    Location
    Columbus, Ohio
    Posts
    1,277
    Originally posted by ua549
    That won't do. The new legally compliant spammers (very few) still change IP addresses frequently and use thousands of different FQDNs that actually match the IP of the moment. The FQDN is not used in the mail headers. Instead they comply by using XYZ Company as a mail from header.
    Good point, all this would do is make legal spammers rich.


    Those that don't comply with the law (most), there isn't much you can do except keep your filters up to date.
    At this time there isn't. Under my quickly thought up solution, this would force people to relay off others' servers and use their own domain name. You would be guaranteed that the fqdn and the mailserver it was sent from matched. Which would prevent most of the virus emails from being received since they're sent from other people, not yourself, and never touch your mail server. Basically all it would do is force people to use your mail server when they sent from your domain name. A virus would destroy the root servers probably though due to overhead on email created by checking.

    I don't know which service needs an overhaul more, SMTP or FTP. :o) They're both very outdated and in need of revamping. And also so entrenched that it'll be difficult to replace full scale.
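    The check anfpunk proposes in #9 and elaborates in #14 (look up the MX of the envelope sender's domain, resolve those hosts, and compare against the connecting IP), written out as an added example that is not code from the thread or from Argosoft. Lookups go through a small constructed DNS table so it runs offline; swapping `lookup` for a real resolver is the only change needed. Two things the code makes visible: a domain with no MX record falls back to its own A record (the implicit-MX rule of SMTP), and a bounce arrives with the empty envelope sender `<>`, so the check has nothing to evaluate for exactly the returns Motoman is drowning in. The idea was later standardized in a different shape as SPF, where a domain publishes the list of hosts allowed to send for it instead of receivers guessing from the MX.

```python
import ipaddress

# Constructed DNS data standing in for real lookups (assumption: offline demo).
# example.com has an MX host; example.net has no MX and relies on its A record.
FAKE_DNS = {
    ("example.com", "MX"): ["mail.example.com."],
    ("mail.example.com", "A"): ["198.51.100.10"],
    ("example.net", "MX"): [],
    ("example.net", "A"): ["203.0.113.5"],
}


def lookup(name, rtype):
    """Stand-in resolver: returns the record set or an empty list."""
    return FAKE_DNS.get((name.rstrip(".").lower(), rtype), [])


def sender_domain(envelope_from):
    """Domain of the envelope (MAIL FROM) address, or None for '<>' and malformed input."""
    addr = envelope_from.strip().strip("<>").strip()
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def mx_hosts(domain, resolve=lookup):
    """Hosts that receive mail for the domain; implicit MX when no MX record exists."""
    hosts = resolve(domain, "MX")
    return hosts if hosts else [domain]


def check_sender(envelope_from, client_ip, resolve=lookup):
    """'pass' if client_ip is one of the sender domain's MX addresses, 'fail' if not,
    'none' if there is no domain to check (bounces use the empty sender)."""
    domain = sender_domain(envelope_from)
    if domain is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for host in mx_hosts(domain, resolve):
        for addr in resolve(host, "A"):
            if ipaddress.ip_address(addr) == ip:
                return "pass"
    return "fail"


if __name__ == "__main__":
    # A forged example.com sender injected from a random dial-up (documentation address)
    print(check_sender("<fake123@example.com>", "203.0.113.99"))
    # The real MX of example.com sending as example.com
    print(check_sender("<alice@example.com>", "198.51.100.10"))
    # A bounce coming back: nothing to check
    print(check_sender("<>", "203.0.113.5"))
```

    The objection ua549 raises applies directly: a domain whose outbound relays are not its inbound MX hosts would 'fail' here even when the mail is genuine, which is why a receiver would only use such a result as a scoring input rather than an outright reject.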

  15. #15
    Great White Shark
    Join Date
    Nov 2000
    Posts
    21,595
    The industry is trying to stop relaying! Relaying allows one to disguise the origin of the message.

    Your solution won't force anything because SMTP mail headers are strictly data and have no bearing on actual mail routing through the internet.
