my domain being used for spam email
01-10-2006, 19:52
|
#1
|
|
Inactive
Join Date: Jan 2004
Location: Bournemouth
Posts: 102
|
my domain being used for spam email
About 4 years ago I obtained my own domain name and have since then used it as the recipient of any emails to that domain, e.g. myname@mydomain.co.uk, mywifesname@mydomain.co.uk, or anythingelse@mydomain.co.uk.
When I register with sites I regularly use the name of the site I am registering with, e.g. cableforum@mydomain.co.uk to identify the sender and ensure it is not used by anyone else for marketing purposes.
That system has worked without any problems since I have had it, but just in this last week it appears that a spammer has picked up my domain name and is using it for sending spam email to their list with bogus senders who have their email return address showing as at my domain. So for example, they are sending emails out with a signature of Fred Bloggs but the return email address is a series of random letters at my domain, e.g. osxhg@mydomain.co.uk, kodj@mydomain.co.uk. As a consequence, I am getting several bounced emails returned to me as undeliverable because for example they have been sent to an unknown recipient at a domain, and the domain's server has bounced the email back to me suggesting I am the sender.
I have never publicly shared my email addresses with anyone and even on my website the email addresses are cloaked, but I guess the spammer has just got hold of my domain which is in the public domain and used it to send spam.
I don't understand why this is happening as although the spam emails are advertising under names like "Bullseye Weekly Financial Report" with stocks & shares info and there then follows a random bunch of text that is unconnected. In no place in the email is there a hyperlink to take you to a website selling services or anything. It seems like the spammer cannot profit from the email at all except to make a nuisance of himself/herself to recipients and tarnish my domain as a source of spam into the bargain.
Sorry for the long tale of woe. I suspect that other than changing my domain which I do not want to do there is little I can do about this, but in case there is any information or help with this would be appreciated.
|
|
|
01-10-2006, 20:12
|
#2
|
|
Inactive
Join Date: Jul 2006
Location: Sutton-In-Ashfield
Age: 47
Services: C#/ASP.NET Web Development
Posts: 3,580
|
Re: my domain being used for spam email
I own several domains and have had a similar problem in the past. It seems to come and go.
However, once while I was browsing my web space with my FTP client, I found a file that I had not placed on there called "bot.txt" which turned out to be a SpamBot which connected to an IRC channel and someone was using it to send spam.
I deleted it and I got less bounced emails back.
|
|
|
01-10-2006, 20:44
|
#3
|
|
Inactive
Join Date: Jan 2004
Location: Bournemouth
Posts: 102
|
Re: my domain being used for spam email
Thanks for your reply. I do not have any file of that name in my webspace. I do have a file called .spamkey but having investigated further it seems that this is a valid file used by a host spam blocker called SpamAssassin.
|
|
|
01-10-2006, 21:19
|
#4
|
|
Dr Pepper Addict
Cable Forum Admin
Join Date: Oct 2003
Location: Nottingham
Age: 63
Services: IDNet FTTP (1000M), Sky Q TV, Sky Mobile, Flextel SIP
Posts: 30,444
|
Re: my domain being used for spam email
This is very common, I have a number of domains that regularly get bounce notifications for all sorts of account names that have never existed - all spam sent out with spoofed return addresses.
__________________
Baby, I was born this way.
|
|
|
01-10-2006, 22:33
|
#5
|
|
Inactive
Join Date: Oct 2003
Location: Manchester
Age: 49
Services: VM: 120M Broadband, TV + Landline
Posts: 471
|
Re: my domain being used for spam email
I get the same thing on my domain sometimes.
Benjamin Franklin said:
Quote:
|
"In this world nothing is certain but death and taxes."
|
But old Franky boy didn't have the internet did he!
|
|
|
02-10-2006, 01:20
|
#6
|
|
Inactive
Join Date: Jul 2003
Posts: 2,820
|
Re: my domain being used for spam email
Quote:
Originally Posted by Anastasis
About 4 years ago I obtained my own domain name and have since then used it as the recipient of any emails to that domain, e.g. myname@mydomain.co.uk, mywifesname@mydomain.co.uk, or anythingelse@mydomain.co.uk.
When I register with sites I regularly use the name of the site I am registering with, e.g. cableforum@mydomain.co.uk to identify the sender and ensure it is not used by anyone else for marketing purposes.
That system has worked without any problems since I have had it, but just in this last week it appears that a spammer has picked up my domain name and is using it for sending spam email to their list with bogus senders who have their email return address showing as at my domain. So for example, they are sending emails out with a signature of Fred Bloggs but the return email address is a series of random letters at my domain, e.g. osxhg@mydomain.co.uk, kodj@mydomain.co.uk. As a consequence, I am getting several bounced emails returned to me as undeliverable because for example they have been sent to an unknown recipient at a domain, and the domain's server has bounced the email back to me suggesting I am the sender.
|
I've got this on the go right now, and for the same reasons I have catch-all email forwarding...and using the same things, such as tesco@mydomain.co.uk, you'd be surprised the companies (who claim not to sell your details) who appear to profit from sharing their databases.
Anyway, spammers are not using your domain per se, they're spoofing identities by suggesting that mail comes from somewhere it doesn't, it goes into thousands of expired mailboxes and bounces back to you, as yourdomain.com is where the return address is.
If it's just started, I'm afraid to tell you that it will get worse before it gets better, but it will tail off. Mine started about 6 months ago and I was getting 100+ 'bounces' per day. Now I get about 10-15.
The way to solve this is to remove the catch-all forwarding. You need to find all the addresses you've used and want to receive all mail for (eg cableforum@ joebloggs@ etc) and specify these as valid mailboxes.
What will happen then is that dsjhfshfk@yourdomain.com will not actually exist and will bounce or just vanish into the ether.
To do this, consult with your domain's registrar and support pages as they do differ from supplier to supplier. Also, if your ISP (and ntl don't) offer domain hosting (PlusNet do this) you can specify the MXCORE records at your domain host to point to your ISP's and you specify the mailboxes there.
A simpler solution would be to alter the records of the places you've signed up with unique addresses to a single one, use that with your domain reg and bounce everything else.
Quote:
Originally Posted by AntiSilence
However, once while I was browsing my web space with my FTP client, I found a file that I had not placed on there called "bot.txt" which turned out to be a SpamBot which connected to an IRC channel and someone was using it to send spam.
I deleted it and I got less bounced emails back.
|
Are you referring to robots.txt? This is a file in the root directory of your web host which tells the search engines which directories they can and cannot search to place in their directories.
I'm not saying they don't, but I haven't heard of spammers using it, as they would (of course) need to know that domain existed in the first place to search it - in which case they can just use that domain to spam.
More info here: http://www.robotstxt.org/
|
|
|
02-10-2006, 02:35
|
#7
|
|
Inactive
Join Date: Jul 2006
Location: Sutton-In-Ashfield
Age: 47
Services: C#/ASP.NET Web Development
Posts: 3,580
|
Re: my domain being used for spam email
Quote:
Originally Posted by andygrif
Are you referring to robots.txt? This is a file in the root directory of your web host which tells the search engines which directories they can and cannot search to place in their directories.
I'm not saying they don't, but I haven't heard of spammers using it, as they would (of course) need to know that domain existed in the first place to search it - in which case they can just use that domain to spam.
More info here: http://www.robotstxt.org/
|
No, I'm not. The file was called "bot.txt" and was not in a root directory. I opened the file in a text editor to view it. In it was code (perl script) to connect to an IRC channel, complete with login name and password. I checked the file out and found that it was used by spammers.
From F-Secure website:
" This IRC-based backdoor-worm was found on August 17th, 2005. The backdoor provides unauthorised access to an infected computer and also has the capability to spread to remote computers using the PNP exploit."
|
|
|
02-10-2006, 21:47
|
#8
|
|
Inactive
Join Date: Jun 2003
Services: Cablevision
Posts: 8,305
|
Re: my domain being used for spam email
Quote:
Originally Posted by Anastasis
That system has worked without any problems since I have had it, but just in this last week it appears that a spammer has picked up my domain name and is using it for sending spam email to their list with bogus senders who have their email return address showing as at my domain. So for example, they are sending emails out with a signature of Fred Bloggs but the return email address is a series of random letters at my domain, e.g. osxhg@mydomain.co.uk, kodj@mydomain.co.uk. As a consequence, I am getting several bounced emails returned to me as undeliverable because for example they have been sent to an unknown recipient at a domain, and the domain's server has bounced the email back to me suggesting I am the sender.
|
I'm getting the exact same mailer bot using my domains this week. Most frustrating. Where were your names bought / where are they hosted?
In my case this is UK2 and iWeb. Wonder if there is a pattern, especially as they are using my personal one which gets a lot less spam (and is not used much). I'm not surprised on the advertised publicly marketed shop based domain name.
|
|
|
03-10-2006, 11:49
|
#9
|
|
Inactive
Join Date: Jul 2003
Posts: 2,820
|
Re: my domain being used for spam email
Quote:
Originally Posted by AntiSilence
No, I'm not. The file was called "bot.txt" and was not in a root directory. I opened the file in a text editor to view it. In it was code (perl script) to connect to an IRC channel, complete with login name and password. I checked the file out and found that it was used by spammers.
|
Ah OK..did a little googling myself and it seems that's a file that is used as a backdoor and downloaded into computers - not sure it produces the effects that the o/p was describing, but I guess it's all possible.
Quote:
Originally Posted by SMHarman
I'm getting the exact same mailer bot using my domains this week. Most frustrating. Where were your names bought / where are they hosted?
In my case this is UK2 and iWeb. Wonder if there is a pattern, especially as they are using my personal one which gets a lot less spam (and is not used much). I'm not surprised on the advertised publicly marketed shop based domain name.
|
The one I have a little trouble with was bought from UK2.net but is now registered with 123-reg.
|
|
|
04-10-2006, 20:12
|
#10
|
|
Inactive
Join Date: Jan 2004
Location: Bournemouth
Posts: 102
|
Re: my domain being used for spam email
Thanks all for your responses. It is encouraging to know that I am not alone in being hit like this and in particular by the same spammer, but of course it is annoying and frustrating for all of us.
In answer to Andy, thanks for your help and advice on this.
I realise that the spammers are not using my domain, but are spoofing it by putting a name (which seems to be a series of random characters) @ my domain in the reply address of their emails.
At the moment I am getting 10-15 a day, all from the same source it would appear, but all bounces from addresses they have sent to that are being returned to me. If that is the quantity of bounces they are getting, then goodness knows how many in total they are sending to valid addresses all of which are seeing my domain as the sender of spam email which is very annoying.
Yes, I did think of stopping the catch-all forwarding on my domain, but to do that as you said I need to find all the addresses I have used and want to receive email for, which I think is likely to be a big task and has the potential for missing some. Whilst it would be good to not have these emails bouncing to me, they are now mostly being redirected into my spam folder, and at least I can continue to monitor their frequency and also respond to anyone who might complain that I am sending them spam.
Is there no way of detecting the real sender of these emails? I have had a look at the source data in the emails, but cannot fathom who this might be if that information is in there. The reason I ask is that maybe, if the spammer's ISP can be identified it might be possible to contact the ISP to show them that one of their accounts is spamming. Maybe some ISPs have anti-spam policies in place that cover misuse by their account holders.
In answer to SMHarman, my domain was purchased from 123-reg and is currently hosted with Dream Hosting, so I don't think there is any pattern to them. Presumably the spammers just trawl directories of domains and select them at random?
Anyway, thanks everyone for all your help.
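Added example, not part of the original posts: one way to prepare for the catch-all removal suggested in post #6 without missing aliases, the concern raised in this post. It scans the existing catch-all inbox and separates addresses that received ordinary mail from addresses that only ever received bounces. The function names, the `mydomain.co.uk` placeholder and the sample inbox are constructed for illustration, and the resulting list still needs a manual review.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parseaddr

DOMAIN = "mydomain.co.uk"  # placeholder domain, as used in the thread

def is_bounce(msg):
    """A bounce has a null envelope sender, a report MIME type or a daemon sender."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return (msg.get("Return-Path", "").strip() == "<>"
            or msg.get_content_type() == "multipart/report"
            or sender.startswith("mailer-daemon@"))

def local_parts(msg):
    """Local parts at DOMAIN that this message was addressed to."""
    fields = [v for h in ("To", "Cc", "Delivered-To") for v in msg.get_all(h, [])]
    found = set()
    for _, addr in getaddresses(fields):
        local, _, domain = addr.lower().rpartition("@")
        if local and domain == DOMAIN:
            found.add(local)
    return found

def plan_mailboxes(raw_messages):
    """Split addresses into ones to create as mailboxes and ones seen only in bounces."""
    genuine, bounced = Counter(), Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        (bounced if is_bounce(msg) else genuine).update(local_parts(msg))
    keep = sorted(genuine)
    reject = sorted(set(bounced) - set(genuine))
    return keep, reject

def _mail(return_path, sender, to):
    return f"Return-Path: {return_path}\nFrom: {sender}\nTo: {to}\nSubject: x\n\nbody\n"

# Constructed sample of a catch-all inbox; the aliases are the ones named in the thread.
INBOX = [
    _mail("<news@forum.example>", "Forum <news@forum.example>", "cableforum@mydomain.co.uk"),
    _mail("<offers@shop.example>", "offers@shop.example", "tesco@mydomain.co.uk"),
    _mail("<friend@example.org>", "friend@example.org", "myname@mydomain.co.uk"),
    _mail("<>", "MAILER-DAEMON@mx.example.net", "osxhg@mydomain.co.uk"),
    _mail("<>", "Mail Delivery <postmaster@example.net>", "kodj@mydomain.co.uk"),
    _mail("<>", "MAILER-DAEMON@example.com", "myname@mydomain.co.uk"),
]

if __name__ == "__main__":
    keep, reject = plan_mailboxes(INBOX)
    print("create mailboxes for:", keep)
    print("seen only in bounces:", reject)
```

An address that received both ordinary mail and a bounce stays on the keep list, since a real alias can also be forged as a sender.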
|
|
|
04-10-2006, 23:22
|
#11
|
|
Inactive
Join Date: Jul 2003
Posts: 2,820
|
Re: my domain being used for spam email
Quote:
Originally Posted by Anastasis
Is there no way of detecting the real sender of these emails? I have had a look at the source data in the emails, but cannot fathom who this might be if that information is in there. The reason I ask is that maybe, if the spammer's ISP can be identified it might be possible to contact the ISP to show them that one of their accounts is spamming. Maybe some ISPs have anti-spam policies in place that cover misuse by their account holders.
|
I'm sure you're right, but the problem you have is that what you're receiving is not the spam, but the bounced messages of email addresses that do not exist, so that email originates from the spammed server, not from the spammer themselves.
Even if you could trace the source of the original email, you'd probably find that it was sent from a hijacked PC and/or uses a false IP address to cover the tracks.
I don't know about 'your' messages but the ones I'm supposed to be sending seem to all be these strange stocks and shares messages that try and encourage buying of certain shares. As they are not sent by the company mentioned in the message and there's no click to sign up to some website or another, it's very difficult to find the originators.
And even if you did find them, chances are they'd be in China or Russia or some other country with no anti-spam laws.
|
|
|
05-10-2006, 00:17
|
#12
|
|
Inactive
Join Date: Jan 2004
Location: Bournemouth
Posts: 102
|
Re: my domain being used for spam email
Yes, the bounces I am getting are about stocks and shares. I was sent a few myself a few days before I started getting bounces, but I never replied to any.
Some of the bounces I am getting also return a copy of the original email sent from the spammer. This is the header information for one of the latest received with my real domain name replaced by mydomainname.co.uk
Quote:
Return-Path: <nelc@mydomainname.co.uk>
Received: by ctcgw.ctc-g.co.jp (CTC-GN mail 12/05/03) id k94A0nfr021955; Wed, 4 Oct 2006 19:00:50 +0900 (JST)
Received: by mx.ctc-g.co.jp (CTC-GN mail 12/05/03) id k94A0ilO024669; Wed, 4 Oct 2006 19:00:48 +0900 (JST)
Received: (qmail 21560 invoked from network); Wed, 4 Oct 2006 06:04:23 -0400
Received: from unknown (HELO 24.239.61.231) (24.239.61.231)
    by dynamic-acs-24-239-192-181.zoominternet.net with SMTP; Wed, 4 Oct 2006 06:04:23 -0400
Message-ID: <45238649.6070100@mydomainname.co.uk>
Date: Wed, 4 Oct 2006 06:00:41 -0400
From: Benny Hester <nelc@mydomainname.co.uk>
User-Agent: Thunderbird 1.5.0.7 (Windows/20060909)
MIME-Version: 1.0
To: matsuzawa@ctc-g.co.jp
Subject: mythology
Content-Type: multipart/related;
    boundary="------------000600090708000701030302"
|
Can anyone make sense of this?
From what I understand, the sender is this line:
Quote:
Received: from unknown (HELO 24.239.61.231) (24.239.61.231)
    by dynamic-acs-24-239-192-181.zoominternet.net with SMTP; Wed, 4 Oct 2006 06:04:23 -0400
|
The zoominternet.net domain resolves to http://www.armstrongmywire.com which seems to be a web portal for an Internet company in the US much like NTL's web portal site, so it looks like they are an ISP. As yet, despite having trawled around their site, I cannot find any contact information for them.
However, having looked at the headers in a few of the other bounces I have received, they list what look to be other sources, so I guess the spammer is cloaking the real identity of their ISP.
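Added example, not part of the original post: a way to read the Received chain quoted above. Only the lines written by servers you trust (here assumed to be the recipient's own `ctc-g.co.jp` hosts) are reliable; anything below that boundary can be written by the sender, so the code finds the boundary and flags hops whose timestamps run backwards. The function names and the choice of trusted domain are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Headers quoted in the post above; folded lines re-indented so they parse.
SAMPLE = """\
Received: by ctcgw.ctc-g.co.jp (CTC-GN mail 12/05/03) id k94A0nfr021955; Wed, 4 Oct 2006 19:00:50 +0900 (JST)
Received: by mx.ctc-g.co.jp (CTC-GN mail 12/05/03) id k94A0ilO024669; Wed, 4 Oct 2006 19:00:48 +0900 (JST)
Received: (qmail 21560 invoked from network); Wed, 4 Oct 2006 06:04:23 -0400
Received: from unknown (HELO 24.239.61.231) (24.239.61.231)
 by dynamic-acs-24-239-192-181.zoominternet.net with SMTP; Wed, 4 Oct 2006 06:04:23 -0400
To: matsuzawa@ctc-g.co.jp

"""

def parse_hops(raw_headers, trusted_domain):
    """Return Received hops, newest first, marking those a trusted server wrote."""
    hops = []
    for value in message_from_string(raw_headers).get_all("Received", []):
        text = " ".join(value.split())            # unfold continuation lines
        info, _, stamp = text.rpartition(";")     # timestamp follows the last ';'
        by = re.search(r"\bby ([\w.-]+)", info)
        host = by.group(1).lower() if by else None
        trusted = bool(host) and (host == trusted_domain
                                  or host.endswith("." + trusted_domain))
        when = parsedate_to_datetime(re.sub(r"\([^)]*\)", "", stamp).strip())
        hops.append({"by": host, "when": when, "trusted": trusted})
    return hops

def trust_boundary(hops):
    """Index of the first hop, counting from the top, not written by a trusted server."""
    for i, hop in enumerate(hops):
        if not hop["trusted"]:
            return i
    return len(hops)

def clock_anomalies(hops):
    """Hops lower in the header (earlier in transit) stamped later than the hop above."""
    found = []
    for newer, older in zip(hops, hops[1:]):
        gap = (older["when"] - newer["when"]).total_seconds()
        if gap > 0:
            found.append((older["by"], newer["by"], int(gap)))
    return found

if __name__ == "__main__":
    hops = parse_hops(SAMPLE, "ctc-g.co.jp")
    print("hops below index", trust_boundary(hops), "are unverified")
    for older, newer, gap in clock_anomalies(hops):
        print(f"{older} is stamped {gap}s after {newer} received the message")
```

On the quoted headers the two lower Received lines are stamped 215 seconds after the recipient's own server logged the message, which points to clock skew or a fabricated entry; either way the host name and IP in those lines are unverified claims.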
|
|
|
05-10-2006, 00:20
|
#13
|
|
Inactive
Join Date: Mar 2004
Location: Swinton
Services: O2 standard
Posts: 2,499
|
Re: my domain being used for spam email
Try here for information on reading email headers.
Also, you could use this tool (I haven't tried it myself) which is taken from this site.
|
|
|
All times are GMT +1.