Bad case of Spam Fatigue, Can anyone help
on 29.04.2006 13:20:04 by bobdydd
Hi Guys
My email is being misused in the following way:
As anyone who has had the same email address for a long time knows,
harvesters get hold of your email address and sell it to marketeers who
try to sell you products/services viagra etc, financial
services.....you know the kinda thing I mean. Over the years I have got
used to that and eventually they get fed up....and new ones take their
place.
However, there is now a much more insidious type of spammer that has
got my address and sends spam to lots of recipients, using the catchall
of my email.
eg: xyz@myemail.com, or edfghi@myemail.com............The result is an
ever increasing inbox full of return/bounceback emails from recipients
the spammers are spamming.
And.........there is no actual text in the email, just a picture of a
newspaper cutting telling me to buy stock or shares in various companies.
I have looked on my computer and as far as I can tell I am not being
zombied,
so how can I stop these folks from using my address?
Thanks in advance for any help or suggestions
Bob
Re: Bad case of Spam Fatigue, Can anyone help
on 29.04.2006 14:10:58 by Markus Zingg
>However, there is now a much more insidious type of spammer that has
>got my address and sends spam to lots of recipients, using the catchall
>of my email.
>
>eg: xyz@myemail.com, or edfghi@myemail.com............The result is an
>ever increasing inbox full of return/bounceback emails from recipients
>the spammers are spamming.
Spammers using innocent people's e-mail address (or domain) as the
sending e-mail address is quite common. In your case, the biggest
mistake you made is to have a catchall e-mail address for your domain.
Simply only accept mail for existing accounts. That said, create those
accounts you really need, and have your e-mail server refuse mail to
non-existing e-mails at the SMTP level.
HTH
Markus
Re: Bad case of Spam Fatigue, Can anyone help
on 29.04.2006 19:25:31 by bobdydd
Hi Markus
Thanks for the quick reply. I have created 3 accounts and have left the
others catchall. When I had no catchall there was an overload and even
genuine messages bounced back so I turned the catchall back on again.
That said I would like to know how to do this below
>and have your e-mail server refuse mail to
>non existing e-mails at the SMTP level.
Thanks for the help.
Bob
Re: Bad case of Spam Fatigue, Can anyone help
on 30.04.2006 04:34:02 by Garen Erdoisa
bobdydd wrote:
> Hi Guys
>
> My email is being misused in the following way:
> [snip]
>
> However, there is now a much more insidious type of spammer that has
> got my address and sends spam to lots of recipients, using the catchall
> of my email.
You shouldn't use catch-all addresses. The reason is that there are
robotic programs that spammers use for dictionary attacks. When
spammers start testing a new domain they often configure such programs
to send spam to randomly made-up user names. If you have a catch-all
address set up they will get a "status=sent" returned by the mail server
on each of the random user names they tried, thus indicating to the
robot that the address is a valid recipient. Said robots will then
likely list each of the random user names it tried as valid for future
spamming. When the spammer sells the lists, and the list gets resold
over and over, this activity can quickly grow exponentially to a point
where it can overload a small mail server. If the random user names all
map to one address, you are going to eventually end up with the same
spams sent over and over to you, albeit to the different random user names.
What you should do is use a combination of techniques. Keep in mind that
there are lots of different methods of spam filtering besides these, and
opinions vary on the relative merits of any of them. Ultimately you will
have to find a combination that works for you and your situation. With
that said, this is what I personally recommend.
1) Whitelist senders you correspond with regularly so that they can
bypass your filters.
2) Make use of one of the DNS based Blacklists such as Spamhaus to tag
emails as suspect if they are on the list. Spamhaus has a good web page
on spam fighting, so you might want to have a look at that also.
2a) Possibly use said blacklist to do direct SMTP rejects of IPs that
are on it during the SMTP transaction.
3) Filter remaining email through a good mail filtering program.
4) Possibly make use of a bayesian filter as well to supplement the
other mail filter.
Using this combination of methods, with a bit of fine tuning on your
part, you can regain control of the situation fairly easily.
>
> eg: xyz@myemail.com, or edfghi@myemail.com............The result is an
> ever increasing inbox full of return/bounceback emails from recipients
> the spammers are spamming.
>
> And.........there is no actual text in the email, just a picture of a
> newspaper cutting tell me to buy stock or shares in various companies.
The content of the spams is irrelevant to the issue. The issue here, if
I'm interpreting what you said accurately, is that your domain name is
being forged into the from headers on spam being sent by others.
This is a very common issue.
To help with this, you can start using SPF (Sender Policy Framework).
More information on that at http://www.openspf.org/
SPF is a protocol that lets you publish via a DNS record what your
outgoing mail servers are so that when another server receives an email
with your domain name in the from header, it can check your SPF policy
to see if the IP is allowed by you or not. If not, then it can safely
reject the message as trivial forgery during the SMTP transaction.
You can also try using Domain Keys to have your server digitally sign
outgoing email.
Neither of these methods will stop the attempts, but either of them will
allow other servers to authenticate the messages if their mail
administrators so choose.
>
> I have looked on my computer and as far as I can tell I am not being
> zombied,
>
>
> so how can I stop these folks from using my address?
>
You can't stop the attempts. But as indicated above the situation is not
totally hopeless. By publishing an SPF record, and/or using Domain Key
Signatures, you can discourage spammers from using your domain in their
spams.
Should you receive complaints about your domain after implementing an
SPF policy, or Domain Key Signature, you could just refer the person to
your policy and ask them why they didn't just configure their mail
server to reject messages that fail an SPF check, or failed to
authenticate the signature.
Hope this helps.
--
Garen
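The receiver-side SPF check Garen describes, as an added example that is not code from the post: it evaluates a connecting IP against a policy string of the kind a domain would publish in DNS, handling only the ip4/ip6 and all mechanisms (the sample policy and IPs are constructed).

```python
"""Simplified SPF (RFC 7208) evaluation of a connecting IP against a
published policy. Added example, not code from the post; it handles only
ip4/ip6 and 'all' with qualifiers and takes the record as a string instead
of looking it up in DNS, so it runs offline (include/a/mx/redirect need DNS
and are not implemented here)."""
import ipaddress

# Constructed sample policy: two outbound relays are allowed, all else fails.
SAMPLE_POLICY = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(policy, client_ip):
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.

    'none' means the record is not an SPF record; 'neutral' is the default
    when no mechanism (including 'all') matches.
    """
    terms = policy.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"       # malformed address in the record
            if addr.version == network.version and addr in network:
                return QUALIFIERS[qualifier]
        else:
            # Mechanisms needing DNS are out of scope for this offline example.
            return "permerror"
    return "neutral"


def should_reject(policy, client_ip):
    """Receiver-side decision from the post: reject only on a hard fail,
    so a domain publishing '~all' or no 'all' is not bounced."""
    return evaluate_spf(policy, client_ip) == "fail"
```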
Re: Bad case of Spam Fatigue, Can anyone help
on 30.04.2006 10:25:44 by Markus Zingg
Hi Bob
>Thanks for the quick reply. I have created 3 accounts and have left the
>others catchall. When I had no catchall there was an overload and even
>genuine messages bounced back so I turned the catchall back on again.
You probably should elaborate a bit on your configuration / setup. To
me a catchall address is:
does_not_matter_what_here@yourdomain.com
This is evil in that the server hosting that domain MUST obviously
accept any e-mail address under your domain name no matter what.
So by instead just creating those users which DO exist and not having
a catchall address, the receiving server can verify the recipients for
their existence and simply not accept mail for any other address. In a
typical SMTP session all that happens would be
EHLO whatever.com
220 OK
MAIL FROM:
220 OK
RCPT TO:
At this stage the receiving mailserver can verify if the e-mail
account exists or not. If not it simply replies with:
550 no such user
That's it. Thereafter the sender does not have any chance other than
specifying a valid recipient or else the dialog never reaches the
"DATA" stage at which the mail effectively is transferred. This saves
magnitudes of bandwidth and processing power.
Of course, the server must be able to do this. IMHO older Exchange
servers were not able to do so, and if you host your domain with a
provider not willing/able to do this, you may have trouble too. (Btw,
should you not be able to change the receiving mail server's behaviour
due to whatever reason, we sell a small cheap embedded e-mail server
which you could hook up in front of it thereby doing these checks,
spam and virus filtering and only pass good mail forward;
www.nct-usa.com is our US representative).
So, if the server receiving mail for your domain can't verify the
users, then you must change this or else you can't solve the problem.
We had a similar incident with one of our customers. It was that bad
that the complete internet bandwidth of said customer was eaten up and
the (in this case) exchange server was running at maximal load. Once
we placed our box in front of it (don't get me wrong, I'm not trying
to sell you something, should serve as an example of introducing
recipient e-mail address verification at SMTP level) the load of the
exchange went back to some 2ish %, and the internet bandwidth was back
ok. The interesting thing is that not only spam bounces can be
responsible for this, but also (and quite often) trojans trying to
propagate themselves. Some of them - after they have sent themselves
to all e-mail addresses found on an infected system - start to use the
domain names found and guess/randomly generate users for said domains.
The problem in these scenarios with a server accepting everything is
that such propagated trojans are actually comparably big and really
add up bandwidth-wise big time.
Our device also is using a sort of what we call "rumpestilz attack"
prevention. That said, the sending hosts are monitored for their
ability to name valid recipients. If a sender can't name valid
recipients repeatedly in a row - no matter if across multiple sessions
- the sender gets auto-ignored for a complete week. Once auto-ignored,
the device simply does not respond at the TCP level to the
sending IP. In case of trojans this is very effective in that not
responding at the TCP level uses up a lot of the sender's time and in
the end does not leave them any other chance than moving to a next
potential victim.
>That said I would like to know how to do this below
>>and have your e-mail server refuse mail to
>>non existing e-mails at the SMTP level.
I hope the above explanations helped.
Markus
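The recipient verification at RCPT TO time that Markus's SMTP dialog shows, combined with the repeated-invalid-recipient ("rumpestilz attack") prevention he describes, as an added example that is not code from the post or from any product mentioned in the thread; the account list, the threshold of five misses, the one-week block and the silent drop are assumptions.

```python
"""Recipient verification at RCPT TO time plus tracking of clients that
keep naming non-existent users (the "rumpestilz attack" prevention Markus
describes). Added example, not code from the post or from any product in
the thread; the account list, threshold, one-week block and the silent
drop are assumptions, and a real MTA does this via its own config."""
import time

# Constructed: the only mailboxes that exist for the domain (no catch-all).
VALID_USERS = {"bob", "sales", "postmaster"}
LOCAL_DOMAIN = "example.com"
MAX_BAD_RCPT = 5                # consecutive unknown recipients tolerated
BLOCK_SECONDS = 7 * 24 * 3600   # "a complete week"


class RecipientGate:
    def __init__(self, now=time.time):
        self.now = now           # injectable clock, for testing
        self.bad_streak = {}     # client_ip -> consecutive 550s, any session
        self.blocked_until = {}  # client_ip -> unix time the block ends

    def is_blocked(self, client_ip):
        until = self.blocked_until.get(client_ip)
        return until is not None and self.now() < until

    def rcpt_to(self, client_ip, address):
        """Return the SMTP reply to RCPT TO, or None once the client is
        blocked (meaning: do not answer at all, let the sender time out)."""
        if self.is_blocked(client_ip):
            return None
        local, _, domain = address.lower().rpartition("@")
        if domain != LOCAL_DOMAIN:
            return "554 5.7.1 relay access denied"
        if local in VALID_USERS:
            self.bad_streak[client_ip] = 0       # a hit breaks the streak
            return "250 OK"
        streak = self.bad_streak.get(client_ip, 0) + 1
        self.bad_streak[client_ip] = streak
        if streak >= MAX_BAD_RCPT:
            self.blocked_until[client_ip] = self.now() + BLOCK_SECONDS
            self.bad_streak[client_ip] = 0       # fresh count after expiry
        # Rejected before DATA: the message body is never transferred.
        return "550 5.1.1 no such user"


def simulate(gate, client_ip, addresses):
    """Feed one client's RCPT TO attempts in order; return the replies."""
    return [gate.rcpt_to(client_ip, a) for a in addresses]
```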