SPAM using your site's good name - two distinct problems

Discussion in 'Site Security & Legal Issues' started by Libertate, Aug 31, 2007.

  1. Libertate

    Libertate Devotee

    2,041
    655
    +16
    • Your members complain, they are not receiving your weekly newsletter.
    • Other site administrators send you nasty mail demanding you stop sending spam.
    • Most e-mail you send out suddenly does not arrive.
    • You receive tons (and it is weighted in electrons!) of bounce messages in your postmaster or catch-all mailbox.
    Has any or all of the above happened to you?

    Most likely a spammer is using your domain name in the "From:" or "Reply-to:" fields in their spam e-mails, and/or spamming from the same IP address as your mail server is on.

    This can often result in black listing by various anti-spam organizations. These organizations' black list databases are used by many to pro-actively block messages.

    Where can you find out if your precious site is black listed?

    DNSStuff has an excellent consolidating page of the most often used databases, under the "IP Tools >> Spam Database Lookup".

    Simply enter your domain name (without www.) and press the "Lookup" button.

    You will be rewarded by a daunting list of databases. Do you see any red?

    Read the instructions why it is red, then follow the link to the site.

    Most sites will have a detailed explanation of how a site can be added, and how it can be removed.

    Note that most black list databases store the information as IP address, not as a domain name!

    Why is this important to you?

    Because if you are on a shared server, others on that same server (and same IP address) can soil your good name!

    If this is the case, you might want to contact your ISP first. A good ISP will find the culprit, block or remove them, then follow up with the black list database(s) to remove the IP(s).

    So, you are not in the IP list, which should give you great relief. Shared hosting is inexpensive, but at a price...

    You may not be getting bounced messages, and e-mail is flowing, yet you get a lot of people "yelling" at you to stop sending them body part enhancement pill spam!

    How can that be?

    Few receiving mail servers check whether the source IP address matches the domain named in the From: and Reply-to: fields.

    Because of this, spammers can put anyone's domain name in these important fields. E-mail readers (Outlook, Outlook Express, Eudora, Citadel, Pegasus, etc.) presume the From: and Reply-to: fields to be valid and use them.

    The only known solution that I am aware of is the above mentioned IP to name verification. There is a specific format which can be added to DNS (http://en.wikipedia.org/wiki/Dns), which provides service for your Message transfer agent (http://en.wikipedia.org/wiki/Mail_server), called an SPF record or Sender Policy Framework (http://en.wikipedia.org/wiki/Sender_Policy_Framework).

    SPF allows a receiving mail server to ask the purported source in the From: field whether the actual sender's IP is allowed to use that domain name.

    Example:
    1. Spammer at 10.1.1.1 sends e-mail with From: yoursite.com to destination.com
    2. destination.com asks (gets SPF record) yoursite.com if 10.1.1.1 is approved to send e-mail with yoursite.com in the From: field.
    3. yoursite.com responds "No way!"
    4. Spammer at 10.1.1.1 is refused and dropped by destination.com
    As you can see, the whole mechanism very much depends on step 2. If the destination mail server does not do any verification, you cannot help out.

    So what do I do with individuals yelling at me?

    Always be courteous when responding to irate individuals.

    Most likely they do not understand how mail transfer agents (mail servers) work.

    Send them a template e-mail explaining it in plain language that the e-mail was a forgery, and that you will try to track it down.

    Request the e-mail header. This can be accomplished by most modern e-mail software, and it contains crucial information for the tracking.

    Track the offending source from the header and block them from your site.

    Contact the ISP of the spammer about the problem (if you speak that language and have the testicular fortitude), politely.

    Follow up with the individual, and let them know what you have accomplished. Thank them for their patience and tolerance with you for someone else's sins.

    This will not do anything to stop further spam, but will make you feel warm all over.

    The next article will describe how to find an e-mail or forum spammer. No lead pipe required, unless you live nearby, weigh 250#s at 6'6".

    Good luck.
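The four-step exchange in the post above, as an added example that is not part of this thread: a minimal SPF evaluator in Python covering the ip4/ip6/all mechanisms and their qualifiers. The record for yoursite.com and the addresses in it are constructed; note that a real receiver evaluates the envelope sender domain (MAIL FROM / Return-Path), and that include/a/mx mechanisms, which need DNS lookups, are left out.

```python
import ipaddress

# Constructed SPF record for the post's "yoursite.com" (not any real domain's record):
# the site's own mail server and a /28 used by its newsletter relay may send,
# everything else should be rejected ("-all").
SPF_RECORDS = {
    "yoursite.com": "v=spf1 ip4:192.0.2.25 ip4:198.51.100.16/28 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records=SPF_RECORDS):
    """Step 2 of the post's example: evaluate domain's SPF record for sender_ip.

    Handles ip4/ip6/all with their qualifiers. include/a/mx/exists need DNS
    lookups and are skipped here; a real receiver resolves them (e.g. pyspf).
    """
    record = records.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                      # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                    # a bare mechanism means "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":                  # catch-all, always the last term
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed record
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
    return "neutral"                       # no term matched and no "all"


def receiver_decision(mail_from_domain, sender_ip):
    """Steps 3-4: only a hard "fail" justifies refusing the message outright;
    softfail/neutral/none just raise the spam score, since many domains still
    publish no SPF at all."""
    result = check_spf(mail_from_domain, sender_ip)
    return result, ("reject" if result == "fail" else "accept")
```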
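For the "request the e-mail header, track the offending source" step, an added example (not from this thread) that walks the Received: chain of a constructed header for a forged yoursite.com message. Every hostname and address in it is made up; the idea shown is that only the Received: line written by a server you trust records the real peer, since the spammer can prepend any lines below it.

```python
import re

# Constructed header fragment (not the one posted in this thread) for a forged
# "From: yoursite.com" message. Read top to bottom, newest hop first. The bottom
# Received: line was written by the spammer's own machine and is unverifiable;
# the middle one was written by destination.example's MX and logs the real source.
FORGED_HEADERS = """\
Received: from mx.destination.example ([192.0.2.10])
    by inbox.destination.example with ESMTP; Sat, 17 Nov 2007 15:17:22 -0500
Received: from mail.yoursite.com (unverified [203.0.113.77])
    by mx.destination.example with SMTP; Sat, 17 Nov 2007 15:17:20 -0500
Received: from relay.yoursite.com ([10.1.1.1])
    by mail.yoursite.com with SMTP; Sat, 17 Nov 2007 15:17:10 -0500
From: newsletter@yoursite.com
Subject: body part enhancement pills
"""

RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s.*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\s+by\s+(\S+)")


def unfold_headers(raw):
    """Join continuation lines (leading whitespace) onto the header they belong to."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_chain(raw):
    """(claimed_name, ip, receiving_host) per hop, oldest hop first."""
    hops = []
    for line in unfold_headers(raw):
        if line.lower().startswith("received:"):
            m = RECEIVED_RE.search(line)
            if m:
                hops.append(m.groups())
    return hops[::-1]


def origin_ip(raw, trusted_hosts):
    """IP recorded by the first hop you trust, walking from the oldest hop up.

    Anything below the first trusted server's line can be forged by the
    spammer, so that server's view of its peer is the address to report/block.
    """
    for _name, ip, by in received_chain(raw):
        if by in trusted_hosts:
            return ip
    return None
```

The complainant (or their ISP) knows which receiving hosts are theirs; naming those as trusted_hosts is what turns the chain into a single address worth sending to the spammer's ISP.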
     
  2. minstrel

    minstrel Tazmanian Veteran

    9,983
    917
    +105
    Good post.

    Although you mention this, you don't really elaborate on it. But in recent weeks and months, increasingly ISPs are rejecting email from sources which are not using SPF. An example of this is DigitalPoint: This is a good size forum but notifications from DP stopped arriving for me and numerous other members weeks ago. The problem has still not been fixed, although it's not a difficult one to implement.
     
    Last edited: Aug 31, 2007
  3. Libertate

    Libertate Devotee

    2,041
    655
    +16
    Good find. I didn't realize DP had such problems, and considering what niche they are in, I would have thought they took care of it a long time ago.

    The bigger problem would be members who do NOT complain that there is no weekly mailer. They just leave...

    I don't use the e-mail notification for threads. :D I get enough e-mail already.
     
  4. Zepplin

    Zepplin Neophyte

    2
    1
    +0
    Is the below an example of a spammer using TAZ domain?

    If so this guy From: the Sandman <syclone@tampabay.rr.com> is a smart asse!

    Received: from ipmail01.adl2.internode.on.net (unverified [203.16.214.140])
    by mail.internode.on.net (SurgeMail 3.8f2) with ESMTP id 313478310-1927428
    for < .net>; Sun, 18 Nov 2007 06:47:29 +1030 (CDT)
    Return-Path: <syclone@tampabay.rr.com>
    X-IronPort-Anti-Spam-Filtered: true
    X-IronPort-Anti-Spam-Result: Aj0KADvYPkdGLyQEcGdsb2JhbACITQSGOgEKCSoibYs3Cg
    X-IronPort-AV: E=Sophos;i="4.21,431,1188743400";
    d="scan'208";a="234506376"
    Received: from styx.site5.com ([70.47.36.4])
    by ipmailmx01.adl2.internode.on.net with ESMTP; 18 Nov 2007 06:47:27 +1030
    Received: from hrndva-omtalb.mail.rr.com ([71.74.56.123])
    by styx.site5.com with esmtp (Exim 4.68)
    (envelope-from <syclone@tampabay.rr.com>)
    id 1ItU6P-0006Wp-QG
    for .net; Sat, 17 Nov 2007 15:17:22 -0500
    Received: from [127.0.0.1] (really [65.34.75.192])
    by hrndva-omta04.mail.rr.com with ESMTP
    id <20071117201715.MIFQ9427.hrndva-omta04.mail.rr.com@[127.0.0.1]>
    for <.net>; Sat, 17 Nov 2007 20:17:15 +0000
    Message-ID: <473F4C4E.6090201@tampabay.rr.com>
    Date: Sat, 17 Nov 2007 15:17:18 -0500
    From: the Sandman <syclone@tampabay.rr.com>
    User-Agent: Thunderbird 2.0.0.6 (Windows/20070828)
    MIME-Version: 1.0
    To: .net
    Subject: Re: Your email requires verification verify#wH5IuhWZ_9zLLZmLc8GUDSMhtTqbtR3o
    References: <E1ItU45-0006Be-Q3@styx.site5.com>
    In-Reply-To: <E1ItU45-0006Be-Q3@styx.site5.com>
    Content-Type: text/plain; charset=ISO-8859-1; format=flowed
    Content-Transfer-Encoding: 7bit
    X-Spam-Status: No, score=-0.0
    X-Spam-Score: 0
    X-Spam-Bar: /
    X-Spam-Flag: NO
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - styx.site5.com
    X-AntiAbuse: Original Domain - zepplins.net
    X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
    X-AntiAbuse: Sender Address Domain - tampabay.rr.com
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    X-Rcpt-To: <.net>
    X-Vpipe: Scanner said clean (/local/app/clamav/bin/vscand-clamav)
    X-IP-stats: Incoming Last 1, First 32, in=38, out=0, spam=0 ip=70.47.36.4
    X-Originating-IP: 70.47.36.4
    Status: U
    X-UIDL: 1195330650.7879_174970.bld-mail02

    net wrote:
    > The message you sent requires that you verify that you
    > are a real live human being and not a spam source.
    >
    > To complete this verification, simply reply to this message and leave
    > the subject line intact.
    >
    > The headers of the message sent from your address are show below:
    >
    > >From nobody@host.theadminzone.com Sat Nov 17 15:14:53 2007
    > Received: from host.theadminzone.com ([69.16.210.2])
    > by styx.site5.com with esmtps (TLSv1:AES256-SHA:256)
    > (Exim 4.68)
    > (envelope-from <nobody@host.theadminzone.com>)
    > id 1ItU41-0006B6-7d
    > for .net; Sat, 17 Nov 2007 15:14:53 -0500
    > Received: from nobody by host.theadminzone.com with local (Exim 4.68)
    > (envelope-from <nobody@host.theadminzone.com>)
    > id 1ItU3u-0002Bx-QE
    > for .net; Sat, 17 Nov 2007 15:14:42 -0500
    > To: .net
    > Subject: Admin Zone Newsletter
    > From: "webmaster@theadminzone.com" <webmaster@theadminzone.com>
    > Message-ID: <200711172042.590043191297@www.theadminzone.com>
    > MIME-Version: 1.0
    > Content-Type: text/plain; charset="ISO-8859-1"
    > Content-Transfer-Encoding: 8bit
    > X-Priority: 3
    > X-Mailer: Admin Zone Forums
    > Date: Sat, 17 Nov 2007 15:14:42 -0500
    > X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    > X-AntiAbuse: Primary Hostname - host.theadminzone.com
    > X-AntiAbuse: Original Domain - zepplins.net
    > X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
    > X-AntiAbuse: Sender Address Domain - host.theadminzone.com
    > X-Spam-Status: No, score=3.9
    > X-Spam-Score: 39
    > X-Spam-Bar: +++
    > X-Spam-Flag: NO
    >
    >
    >
     
    Last edited: Nov 17, 2007
  5. Alex.

    Alex. The Ancient Dragon

    11,478
    1,222
    +1,137
    No, that's an email from one of the Admins here. :p
     
  6. minstrel

    minstrel Tazmanian Veteran

    9,983
    917
    +105
    It's the standard email informing you that before your registration is complete you need to verify your email address.
     
  7. Zepplin

    Zepplin Neophyte

    2
    1
    +0
    Strange I Joined - Join Date: 12-03-06

    Must be a slow mail system lol or was lost then found then sent he-hee :bonk:
     
  8. Alex.

    Alex. The Ancient Dragon

    11,478
    1,222
    +1,137
    Did you request a password reset?
     
  9. Currawong

    Currawong Aspirant

    18
    51
    +0
    Just to add to this thread, DNSStuff now charge for looking up the spam databases. :(
     
  10. HYSNET

    HYSNET Enthusiast

    180
    26
    +0
    I noticed that, any other sites to look it up?
     
  11. motokochan

    motokochan Habitué

    1,128
    545
    +20
    If you know your server's IP, you can always use OpenRBL to see if your server is on a blacklist. It's a handy and free tool.

    I know of no blacklists that block by reported address (it's too easy to spoof), most are by IP.

    If you don't know your server's IP there are plenty of tools you can use to look it up.
     
  12. Secure

    Secure Adherent

    484
    128
    +1
    That sucks considering how difficult it makes it for normal forum users to register with issues like that.
     
  13. minstrel

    minstrel Tazmanian Veteran

    9,983
    917
    +105
    I don't agree. It doesn't make it more difficult for valid forum members. It does make it a bit more difficult for spambots and malicious registrants.
     