
Spamming **FROM** my domain?

Robb G

TRIBE Promoter
Can anyone shed some light? I've been getting these "mail failure reply" emails for the last week. At first I thought it was just another worm making its rounds, but a closer look reveals someone is using my domain to spam.

It's always from a random string of letters @mydomain.com (such as "zqqjlxq@robbg .com")

Here's an example below, what can I do?



Original Message:
-----------------
From: MAILER-DAEMON@correo.ceginfor.com
Date: 7 Jun 2006 21:34:43 -0000
To: zqqjlxq@robbg .com
Subject: failure notice


Hi. This is the qmail-send program at correo.ceginfor.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<vhduguh@campingelfaro.com>:
204.9.174.100 does not like recipient.
Remote host said: 553 5.3.0 <vhduguh@campingelfaro.com>... No such user here
Giving up on 204.9.174.100.

--- Below this line is a copy of the message.

Return-Path: <zqqjlxq@robbg. com>
Received: (qmail 32538 invoked by uid 1000); 7 Jun 2006 21:34:37 -0000
Received: from zqqjlxq@robbg. com by mergablo.enterpyme.com by uid 1002 with qmail-scanner-1.22
(spamassassin: 3.1.3. Clear:RC:0(86.131.80.34):SA:0(?/?):.
Processed in 4.513088 secs); 07 Jun 2006 21:34:37 -0000
X-Spam-Status: No, hits=? required=?
Received: from host86-131-80-34.range86-131.btcentralplus.com (86.131.80.34)
by correo.ceginfor.com with SMTP; 7 Jun 2006 21:34:32 -0000
Received: from rm.de ([86.131.184.71])
by host86-131-80-34.range86-131.btcentralplus.com (8.13.6/8.13.6) with SMTP id k57LZRlH048566;
Wed, 7 Jun 2006 22:35:27 +0100
Message-ID: <002401c68a7a$252d8079$47b88356@rm.de>
From: "Clementina Morrow" <zqqjlxq@robbg.com>
To: <vhduguh@campingelfaro.com>
Subject: Small-Cap News
Date: Wed, 7 Jun 2006 22:27:26 +0100
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="Windows-1252";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1158

WINNER**WINNER**WINNER**WINNER**WINNER

To All Investors.

Put HRRP on your Radar Screens immediately
Now is the time to do your research. 5:1 Forward Split
The forward stock split will be effective on or about June 15, 2006, at which
time the additional shares in certificate form will be mailed directly to
shareholders without action on their part.

Date: Thursday, June 8, 2006
HE-5 Resources, Corp.
Symbol: HRRP
Price: $0.47
Position: Positive Buy
Gold, Silver, Copper, Zinc and Platinum

Breaking News was Released
HE-5 Resources, Corp. Extends Record Date of Forward Split

For pennies you can participate in a ST0CK that could yield results over
and over again just based on the trading patterns if the company is
able to effectuate it's business model.

WATCH OUT!!!
We could see a GREAT STORY IN THE MAKING.

GOOD LUCK AND TRADE OUT AT THE TOP!!!!

Sincerely,
Jose Mckinley
RVG Group
 

oh toro

TRIBE Member
it's called spoofing... it's rather common. you can report the user to his/her isp (which in many cases goes nowhere).

you can do something that will prevent you from appearing as the source... disable the "catch-all" email for your domain. i know a lot of people like having a catch-all email address, but it works against a few RFCs and is NOT recommended.

here's the culprit...

-snip-

host86-131-80-34.range86-131.btcentralplus.com

-snip-
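How oh toro got to that hostname is worth spelling out, because the bottom Received line in the bounce names "rm.de", not the BT Centralplus host. Received headers are prepended by each MTA in turn, so you read them from the top (the last hop, which you trust) downwards, and you stop trusting them at the first line that was stamped by a machine you do not control: everything below that point was written by the sender and can say anything it likes. The script below is an added example and not code from the thread or from anyone in it; it re-parses the Received chain quoted above (re-folded with leading whitespace the way an MTA emits it, which is a constructed detail) and assumes, for the sake of the example, that correo.ceginfor.com and mergablo.enterpyme.com are the bounce generator's own machines.

```python
"""Trace the origin of a spoofed message from its Received headers.

Added example, not code from the thread: it re-parses the Received chain
quoted in the bounce above and shows why the BT Centralplus host is the
sending machine even though the lowest Received line names "rm.de".
"""
import re

# Constructed sample: the headers from the quoted bounce, re-folded the way
# an MTA emits them (continuation lines start with whitespace, RFC 5322 2.2.3).
SAMPLE_HEADERS = """\
Return-Path: <zqqjlxq@robbg.com>
Received: (qmail 32538 invoked by uid 1000); 7 Jun 2006 21:34:37 -0000
Received: from zqqjlxq@robbg.com by mergablo.enterpyme.com by uid 1002 with qmail-scanner-1.22
 (spamassassin: 3.1.3. Clear:RC:0(86.131.80.34):SA:0(?/?):.
 Processed in 4.513088 secs); 07 Jun 2006 21:34:37 -0000
X-Spam-Status: No, hits=? required=?
Received: from host86-131-80-34.range86-131.btcentralplus.com (86.131.80.34)
 by correo.ceginfor.com with SMTP; 7 Jun 2006 21:34:32 -0000
Received: from rm.de ([86.131.184.71])
 by host86-131-80-34.range86-131.btcentralplus.com (8.13.6/8.13.6) with SMTP id k57LZRlH048566;
 Wed, 7 Jun 2006 22:35:27 +0100
Message-ID: <002401c68a7a$252d8079$47b88356@rm.de>
From: "Clementina Morrow" <zqqjlxq@robbg.com>
To: <vhduguh@campingelfaro.com>
Subject: Small-Cap News
"""

# Assumption for this example: the bounce generator operates these two MTAs.
# Anything they stamp is trustworthy; anything further down the chain was
# written by whoever handed the message to them.
TRUSTED_RECEIVERS = {"correo.ceginfor.com", "mergablo.enterpyme.com"}

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP = re.compile(r"\bfrom\s+(\S+)(.*?)\bby\s+(\S+)", re.S)


def unfold(raw):
    """Return a list of (name, value) with folded continuation lines joined."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields


def received_hops(raw):
    """Received headers newest-first, each as {'from', 'ip', 'by'}.

    Lines without a 'from ... by ...' clause (qmail's 'invoked by uid' stamp)
    are skipped. The 'from' token is whatever the peer announced in HELO, so
    it may be a hostname, an address or an arbitrary string; the IP in
    parentheses is what the receiving MTA actually saw on the socket.
    """
    hops = []
    for name, value in unfold(raw):
        if name != "received":
            continue
        m = HOP.search(value)
        if not m:
            continue
        ip_match = IPV4.search(m.group(2))
        hops.append({"from": m.group(1),
                     "ip": ip_match.group(1) if ip_match else None,
                     "by": m.group(3)})
    return hops


def injection_point(hops, trusted):
    """Walk the chain from the newest hop down while the stamping MTA is one
    we trust; the last trusted stamp's peer address is the real sender.
    Every Received line below it was added by that peer and may be forged.
    Returns None if even the newest hop was stamped by an untrusted host."""
    origin = None
    for hop in hops:
        if hop["by"] not in trusted:
            break
        if hop["ip"]:
            origin = hop
    return origin


if __name__ == "__main__":
    chain = received_hops(SAMPLE_HEADERS)
    origin = injection_point(chain, TRUSTED_RECEIVERS)
    print("message was handed to %s by %s (%s)"
          % (origin["by"], origin["from"], origin["ip"]))
    for hop in chain[chain.index(origin) + 1:]:
        print("untrusted stamp below it: from %s (%s) by %s"
              % (hop["from"], hop["ip"], hop["by"]))
```

Run against the quoted bounce this reports 86.131.80.34 (host86-131-80-34.range86-131.btcentralplus.com) as the sender that connected to correo.ceginfor.com, and flags the "from rm.de ([86.131.184.71])" line below it as a stamp that host wrote itself; the Message-ID ending in @rm.de is the same forgery. That IP, plus the date and time from the trusted Received line, is what an abuse report to the ISP needs. The check also fails closed: if you only trust correo.ceginfor.com and not the scanner host above it, the function returns None rather than guessing, which is the right behaviour when you cannot vouch for the top of the chain.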
 

Robb G

TRIBE Promoter
oh toro said:
it's called spoofing... it's rather common. you can report the user to his/her isp (which in many cases goes nowhere).

you can do something that will prevent you from appearing as the source... disable the "catch-all" email for your domain. i know a lot of people like having a catch-all email address, but it works against a few RFCs and is NOT recommended.

here's the culprit...

-snip-

host86-131-80-34.range86-131.btcentralplus.com

-snip-

THANK YOU VERY MUCH! :)
 

oh toro

TRIBE Member
~atp~ said:
Good lord do we ever need a new RFC that revamps 821.
i don't think it's unreasonable for email to bounce when sent to a non-existent user. it actually makes sense. it's no different than sending snail mail to an incorrect address or if you make a phone call to the wrong number. the problem is with the sender, not the recipient.

catch-alls are bad in that the sender can never know if the email actually reached the intended recipient. sure it goes through, but it may go through to the wrong mailbox.

that said, in the case of spoofing a domain and using a non-existent user, if a catch-all is not enabled, then there would be a bounce so it can easily be ascertained that the spam is not originating from the spoofed domain. most people don't know how to read headers, so this is the best way and it makes most sense to not have a catch-all.
 

X_Door

TRIBE Member
I also agree with the idea of disabling the email catch-all feature. A while ago one of my domains was spoofed by a spammer and I was getting hammered with hundreds of bounce messages every day. I was spending quite a bit of time deleting them even after junk filtering with Moz TBird. After disabling the catch-all, no more weird bounce messages and back to doing some real work!

Interestingly, I didn't receive a single complaint mail from any of the recipients during the spoofing incident. Ten years ago something like that would have generated an avalanche of complaints. Would this indicate that users are becoming more sophisticated and know how to read the headers and send their complaints directly to the sender's ISP? Or is this user apathy, where recipients no longer bother to report spam?
 