Author
|
Topic: My mail address used for massive spam attack!!
|
Steinar Gregertsen Member From: Arendal, Norway
|
posted 09 December 2006 07:51 PM
Well, not exactly 'my' email address, but my domain "gregertsen.com" and they've simply added various silly names before the @...

What's happened is that I have received literally hundreds of "Undelivered mail notification" mails the last couple of days, only in the last 24 hours it's been 92 of them, so it seems like some spambot has picked up the "gregertsen.com" and used it to send out who knows how many spam mails. If I get hundreds in return I don't dare to think of how many we're talking about, probably several thousand.....

Anything I can do about this? I believe this happened because I signed up at MySpace a week ago and the link to my website shows "gregertsen.com", but I don't want to remove the link since the main purpose of being on MySpace is to promote yourself and draw traffic to your website and wherever you sell your music....

Should I just hope it calms down and that there's no damage done? Or how does this work?

Steinar

------------------
"Play to express, not to impress"
www.gregertsen.com
Southern Moon Northern Lights

[This message was edited by Steinar Gregertsen on 09 December 2006 at 07:53 PM.]
|
Bobby Boggs Member From: Pendleton SC
|
posted 10 December 2006 08:36 PM
This happened to me several years back. I had to get a new e-mail address. Friday, I found out my e-mail address had been blacklisted by several e-mail providers. I'm guessing someone is using my e-mail address to send spam or even worse. I'll know more when I finally get to talk to my ISP. Been trying for 3 days now. I'm sure I will have to change my e-mail address once again. I've set up an account at Yahoo for the time being.
|
Wiz Feinberg Moderator From: Flint, Michigan, USA
|
posted 10 December 2006 09:10 PM
The hijacking of a domain name for use as a return address in spam emails is known as a Joe-Job. All you can do is to contact the blacklist agencies and report this fact. Also, go to NANAE and read the posts there, then inform them about the Joe-Job. NANAE is manned by email sys admins and is a newsgroup. You can sign up for newsgroups via your ISP, then find news.admin.net-abuse.email. SpamCop.net also maintains a newsgroup that you can join in.

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/

[This message was edited by Wiz Feinberg on 11 December 2006 at 02:13 PM.]
|
Steinar Gregertsen Member From: Arendal, Norway
|
posted 11 December 2006 02:32 AM
Thanks guys, I'll look into it. Fortunately, if I can use such a word, this is not an address I use to send emails but I receive quite a lot with it after leaving it as log-in address at various forums, etc.

At the moment there's exactly 131 of these messages in my junk folder (trashed after 24 hours..).

Steinar
|
Wiz Feinberg Moderator From: Flint, Michigan, USA
|
posted 11 December 2006 02:12 PM
Steinar;

The reason I recommended that you visit NANAE and Spamcop newsgroups is because you are already blacklisted as a possible spammer (which you're not). You need to publish the fact that you are the victim of a Joe-Job, on these newsgroups, so that the major sys admins can read about it and de-list your mail server. You would be surprised at who reads the posts on those newsgroups and who some of the main participants really are.
|
Steinar Gregertsen Member From: Arendal, Norway
|
posted 11 December 2006 02:18 PM
Uh oh.... Have you checked, so you know for sure that I am listed as a possible spammer?

So what I have to do is to get on those newsgroups and say "I'm innocent, my domain got hijacked" - it's that easy?

Steinar
|
Steinar Gregertsen Member From: Arendal, Norway
|
posted 11 December 2006 08:43 PM
Well, I didn't understand much of the NANAE, information overload and didn't find a place to post, but I've joined the Spamcop newsgroup and have posted there.....

Steinar
|
Mike Neer Member From: NJ
|
posted 11 December 2006 10:08 PM
Holy Crap! I just read up on this Joe-Job stuff and it's scary! Check it out: http://www.sitepoint.com/article/sabotage-coping-joe-job

BTW, Steinar, while I can't guarantee it, I don't think it has anything to do with Myspace. It seems like you were specifically targeted.

[This message was edited by Mike Neer on 11 December 2006 at 10:11 PM.]
|
Jeff Agnew Member From: Dallas, TX
|
posted 12 December 2006 05:13 AM
Steinar,

Good luck with the Spamcop newsgroups. You may be met with a fair amount of skepticism because folks there get similar pleas of innocence daily. But they do know what a joe-job is so hang in there.

FWIW, your mail server is not listed on the Spamcop blacklist, or any of the major lists. I only see your mail server listed on one blacklist, and it's not one with which I was familiar (TQM-SPAMTRAP). You can request removal here.

quote: It seems like you were specifically targeted.

It's highly unlikely. Spammers harvest domain names every day and simply run a dictionary database of terms to append a recipient to the domain name. The majority are invalid accounts and can't be delivered. Steinar's domain is now in the REPLY-TO field so that's why he's getting the bounces.

In the "old" days a joe-job was malicious. These days it's just another spammer tool.
|
Steinar Gregertsen Member From: Arendal, Norway
|
posted 12 December 2006 08:41 AM
Here's some of the response I've received at the Spamcop newsgroup so far:

"Only IP addresses, not email addresses or domains, are blocked so you don't have to worry. You can put a disclaimer on your website for individuals who do not understand that the return address on spam is usually forged. It usually doesn't last very long at a time."

"The servers which accept the spams for delivery and then create a newmail addressed to the bogus From are misconfigured. If you are a spamcop reporter you can report them. When those servers are spamcop blocklisted, it adversely affects the outgoing mail for their clients and they are motivated to reconfigure their abusive servers. There is nothing you can do to make a spam generator stop putting your addresses in the From. You can stop accepting mail which is addressed to non-existent gregertsens."

"Suggestion: If you haven't done so already, setup an SPF record for your domain. Information on SPF can be found at www.openspf.org
It won't eliminate such backscatter completely, but it will allow other mail server administrators who have their servers check SPF records be able to honor your policy and reject forged from messages before such backscatter is generated, thus greatly reducing such backscatter. You will still receive such backscatter from mail servers which do not honor SPF records. There are some issues with SPF you will have to look at if your server handles any forwarding mailing lists. The information on how to deal with that is also on the openspf web site such as re-writing the envelope sender address in order to pass SPF checks."

Any comments? I'm totally ignorant in this matter...

Steinar

PS - It seems to be slowing down a bit, at the moment there's only 85 in my Junk folder, that's about 50 less than at this time yesterday (I have my Junk settings set so that they're automatically trashed after 24 hours).

[This message was edited by Steinar Gregertsen on 12 December 2006 at 08:43 AM.]
|
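The SPF check suggested in the quoted reply above, as an added example (not from the thread or from openspf.org): a receiving server compares the connecting IP with the domain's published record and rejects a forged envelope sender during the SMTP session, so no bounce is generated. The record, the IP addresses (documentation ranges) and the function names are constructed for illustration; only the `ip4`, `ip6` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed sample data: documentation-range IPs, not the domain's real servers.
SPF_RECORD = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/28 -all"
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Evaluate the ip4/ip6/all subset of an SPF record for a connecting IP.

    Mechanisms that need DNS lookups (a, mx, include, ...) are outside this
    offline sketch and raise NotImplementedError.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
            continue
        raise NotImplementedError(f"mechanism needs DNS: {name}")
    return "neutral"  # no mechanism matched (RFC 7208 default)


def receiver_action(record, client_ip, envelope_from):
    """What an SPF-checking receiver does when it sees MAIL FROM."""
    result = check_spf(record, client_ip)
    if result == "fail":
        # Rejected inside the SMTP session: no bounce message is created.
        return f"550 reject {envelope_from} (SPF fail)"
    return f"250 accept {envelope_from} (SPF {result})"


if __name__ == "__main__":
    # Forged sender from a host the domain never authorised (constructed).
    print(receiver_action(SPF_RECORD, "203.0.113.77", "alberta@gregertsen.com"))
    # Mail from a listed server; the local part is a placeholder.
    print(receiver_action(SPF_RECORD, "192.0.2.10", "real-user@gregertsen.com"))
```

A record ending in `~all` instead of `-all` yields `softfail`, which most receivers accept, so forged mail can still be accepted and bounced later.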
Steinar Gregertsen Member From: Arendal, Norway
|
posted 12 December 2006 10:34 AM
Hmmm... seems like I've managed to block the bouncing spam mails.

I went to my domain webhost, and deeply buried in a lot of other stuff I found some settings for my mail that allowed me to block all mails that weren't directed at my legitimate mail address. Seems to work, I've tried sending mails to "james", "alberta", "yeeeehaw", etc, in front of my domain address (from another account) and they were all rejected.

I guess that's an improvement.... (but I'm still royally pi**ed off on those &"¤#&%"¤# spammers who couldn't leave my domain in peace).

Steinar
|
Steinar Gregertsen Member From: Arendal, Norway
|
posted 12 December 2006 07:04 PM
WIZ (or anyone else), can you please decipher this reply for me?

"The business about reporting the servers might not seem to be quite as satisfying as would it seem to be reporting the original spam which generates the misdirected 'bounce', but reporting the misdirecting 'bounce' servers is actually likely to have some beneficial effect for 'mankind/spamkind' -- because spamcop reporting 'ordinary' spamsources is typically to report one of a bazillion proxified user IPs, for which the provider is 'unable' to manage its insecurity problem -- whereas spamcop reporting misdirected bounces which reporting notifies and potentially blocklists 'normal' servers with 'normal' users and 'normal' goodmail is notifying a 'responsive' audience."

Steinar

[This message was edited by Steinar Gregertsen on 13 December 2006 at 02:11 AM.]
|
Jeff Agnew Member From: Dallas, TX
|
posted 13 December 2006 05:22 AM
What horrid syntax.

The message really doesn't add anything to what you've already deduced. But, in essence, it says:

Reporting the individual machine (IP address) that sent you spam doesn't accomplish much because it's typically an unsecured computer owned by a computer-illiterate user and which has been hacked. There are millions of them around the world. Virtually all of their owners have no idea they've been hacked and are sending spam.

Reporting an improperly configured mail server is a good thing, however. A server admin is more likely to respond and fix their problem than an ordinary user because if the server is blacklisted, all its customers will be affected.

That's a rough translation, anyway. I don't necessarily agree with the logic, although the underlying assumptions are correct.

Of the list responses you posted, the most important was the one about your server's IP not being blocked. If your server isn't sending spam there is no reason it ever will be. The domain name itself doesn't get blocked.

One last comment is that your domain webhost did you no favors by allowing mail delivery to a non-existent address. This setting should be off by default. Very few customers need this capability.
|
Wiz Feinberg Moderator From: Flint, Michigan, USA
|
posted 13 December 2006 06:47 AM
Jeff said;

quote: One last comment is that your domain webhost did you no favors by allowing mail delivery to a non-existent address. This setting should be off by default. Very few customers need this capability.

Bingo! The first thing I do when setting up a new hosting account is to ensure that the catch-all accounts return ":fail: No such user here," for email sent to non-existent account names. Furthermore, since the webmaster account is always spammed on almost all domains, I send mail addressed to webmaster@ to ":blackhole," and configure an alternative account name for that function. This assumes Cpanel on an Apache Server.
|