Author |
Topic: My mail address used for massive spam attack!! |
Steinar Gregertsen
From: Arendal, Norway, R.I.P.
|
Posted 9 Dec 2006 7:51 pm
|
|
Well, not exactly 'my' email address, but my domain "gregertsen.com" and they've simply added various silly names before the @...
What's happened is that I have received literally hundreds of "Undelivered mail notification" mails the last couple of days, only in the last 24 hours it's been 92 of them, so it seems like some spambot has picked up the "gregertsen.com" and used it to send out who knows how many spam mails. If I get hundreds in return I don't dare to think of how many we're talking about, probably several thousand.....
Anything I can do about this?
I believe this happened because I signed up at MySpace a week ago and the link to my website shows "gregertsen.com", but I don't want to remove the link since the main purpose of being on MySpace is to promote yourself and draw traffic to your website and wherever you sell your music....
Should I just hope it calms down and that there's no damage done? Or how does this work?
Steinar
------------------
"Play to express, not to impress"
www.gregertsen.com
Southern Moon Northern Lights
[This message was edited by Steinar Gregertsen on 09 December 2006 at 07:53 PM.] |
|
|
|
Bobby Boggs
From: Upstate SC.
|
Posted 10 Dec 2006 8:36 pm
|
|
This happened to me several years back. I had to get a new e-mail address. Friday, I found out my e-mail address had been blacklisted by several e-mail providers. I'm guessing someone is using my e-mail address to send spam or even worse. I'll know more when I finally get to talk to my ISP. Been trying for 3 days now. I'm sure I will have to change my e-mail address once again.
I've set up an account at Yahoo for the time being. |
|
|
|
Wiz Feinberg
From: Mid-Michigan, USA
|
|
|
|
Steinar Gregertsen
From: Arendal, Norway, R.I.P.
|
Posted 11 Dec 2006 2:32 am
|
|
Thanks guys, I'll look into it. Fortunately, if I can use such a word, this is not an address I use to send emails but I receive quite a lot with it after leaving it as log-in address at various forums, etc.
At the moment there's exactly 131 of these messages in my junk folder (trashed after 24 hours..).
Steinar
|
|
|
|
Wiz Feinberg
From: Mid-Michigan, USA
|
|
|
|
Steinar Gregertsen
From: Arendal, Norway, R.I.P.
|
Posted 11 Dec 2006 2:18 pm
|
|
Uh oh.... Have you checked, so you know for sure that I am listed as a possible spammer?
So what I have to do is to get on those newsgroups and say "I'm innocent, my domain got hijacked" - it's that easy?
Steinar
|
|
|
|
Steinar Gregertsen
From: Arendal, Norway, R.I.P.
|
Posted 11 Dec 2006 8:43 pm
|
|
Well, I didn't understand much of the NANAE, information overload and didn't find a place to post, but I've joined the Spamcop newsgroup and have posted there.....
Steinar
|
|
|
|
Mike Neer
From: NJ
|
Posted 11 Dec 2006 10:08 pm
|
|
Holy Crap! I just read up on this Joe-Job stuff and it's scary!
Check it out: http://www.sitepoint.com/article/sabotage-coping-joe-job
BTW, Steinar, while I can't guarantee it, I don't think it has anything to do with Myspace. It seems like you were specifically targeted. [This message was edited by Mike Neer on 11 December 2006 at 10:11 PM.] |
|
|
|
Jeff Agnew
From: Dallas, TX
|
Posted 12 Dec 2006 5:13 am
|
|
Steinar,
Good luck with the Spamcop newsgroups. You may be met with a fair amount of skepticism because folks there get similar pleas of innocence daily. But they do know what a joe-job is so hang in there.
FWIW, your mail server is not listed on the Spamcop blacklist, or any of the major lists. I only see your mail server listed on one blacklist, and it's not one with which I was familiar (TQM-SPAMTRAP). You can request removal here.
Quote: |
It seems like you were specifically targeted. |
It's highly unlikely. Spammers harvest domain names every day and simply run a dictionary database of terms to append a recipient to the domain name. The majority are invalid accounts and can't be delivered. Steinar's domain is now in the REPLY-TO field so that's why he's getting the bounces.
In the "old" days a joe-job was malicious. These days it's just another spammer tool. |
|
|
|
Steinar Gregertsen
From: Arendal, Norway, R.I.P.
|
Posted 12 Dec 2006 8:41 am
|
|
Here's some of the response I've received at the Spamcop newsgroup so far:
"Only IP addresses, not email addresses or domains, are blocked so you don't
have to worry.
You can put a disclaimer on your website for individuals who do not
understand that the return address on spam is usually forged.
It usually doesn't last very long at a time."
"The servers which accept the spams for delivery and then create a
newmail addressed to the bogus From are misconfigured. If you are a
spamcop reporter you can report them. When those servers are spamcop
blocklisted, it adversely affects the outgoing mail for their clients
and they are motivated to reconfigure their abusive servers.
There is nothing you can do to make a spam generator stop putting your
addresses in the From.
You can stop accepting mail which is addressed to non-existent
gregertsens."
"Suggestion: If you haven't done so already, setup an SPF record for your domain. Information on SPF can be found at www.openspf.org
It won't eliminate such backscatter completely, but it will allow other mail server administrators who have their servers check SPF records be able to honor your policy and reject forged from messages before such backscatter is generated, thus greatly reducing such backscatter. You will still receive such backscatter from mail servers which do not honor SPF records.
There are some issues with SPF you will have to look at if your server handles any forwarding mailing lists. The information on how to deal with that is also on the openspf web site such as re-writing the envelope sender address in order to pass SPF checks."
Any comments? I'm totally ignorant in this matter...
Steinar
PS - It seems to be slowing down a bit, at the moment there's only 85 in my Junk folder, that's about 50 less than at this time yesterday (I have my Junk settings set so that they're automatically trashed after 24 hours).
[This message was edited by Steinar Gregertsen on 12 December 2006 at 08:43 AM.] |
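The SPF suggestion quoted in the post above, as an added example that is not part of the thread: a receiving server that evaluates the sender domain's policy can refuse a forged message during the SMTP session, so no bounce is ever generated. The record, the domain `example.org` and all IP addresses are constructed placeholders, and only the `ip4`, `ip6` and `all` mechanisms are evaluated.

```python
import ipaddress

# Constructed policy, NOT the real record of any domain mentioned on this page:
# "only 192.0.2.10 and 198.51.100.0/24 send mail for us; reject everything else".
SPF_RECORDS = {"example.org": "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from, records=SPF_RECORDS):
    """Evaluate the envelope sender's SPF record against the connecting IP."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)  # stands in for the DNS TXT lookup
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # a, mx, include and other terms need live DNS and are skipped here
    return "neutral"


def smtp_decision(client_ip, mail_from):
    """Refuse forged senders at SMTP time instead of accepting and bouncing."""
    if check_spf(client_ip, mail_from) == "fail":
        return "550 5.7.1 SPF fail: %s is not authorized for this sender" % client_ip
    return "250 OK"
```

Because the refusal happens before the message is accepted, the forged address never receives an "Undelivered mail" notice from that server; servers that do not check SPF still bounce as before.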
|
|
|
Steinar Gregertsen
From: Arendal, Norway, R.I.P.
|
Posted 12 Dec 2006 10:34 am
|
|
Hmmm... seems like I've managed to block the bouncing spam mails. I went to my domain webhost, and deeply buried in a lot of other stuff I found some settings for my mail that allowed me to block all mails that weren't directed at my legitimate mail address.
Seems to work, I've tried sending mails to "james", "alberta", "yeeeehaw", etc, in front of my domain address (from another account) and they were all rejected.
I guess that's an improvement.... (but I'm still royally pi**ed off on those &"¤#&%"¤# spammers who couldn't leave my domain in peace).
Steinar
|
|
|
|
Steinar Gregertsen
From: Arendal, Norway, R.I.P.
|
Posted 12 Dec 2006 7:04 pm
|
|
WIZ (or anyone else), can you please decipher this reply for me?
"The business about reporting the servers might not seem to be quite as
satisfying as would it seem to be reporting the original spam which
generates the misdirected 'bounce', but reporting the misdirecting
'bounce' servers is actually likely to have some beneficial effect for
'mankind/spamkind' -- because spamcop reporting 'ordinary' spamsources
is typically to report one of a bazillion proxified user IPs, for which
the provider is 'unable' to manage its insecurity problem -- whereas
spamcop reporting misdirected bounces which reporting notifies and
potentially blocklists 'normal' servers with 'normal' users and 'normal'
goodmail is notifying a 'responsive' audience."
Steinar
[This message was edited by Steinar Gregertsen on 13 December 2006 at 02:11 AM.] |
|
|
|
Jeff Agnew
From: Dallas, TX
|
Posted 13 Dec 2006 5:22 am
|
|
What horrid syntax.
The message really doesn't add anything to what you've already deduced. But, in essence, it says:
Reporting the individual machine (IP address) that sent you spam doesn't accomplish much because it's typically an unsecured computer owned by a computer-illiterate user and which has been hacked. There are millions of them around the world. Virtually all of their owners have no idea they've been hacked and are sending spam.
Reporting an improperly configured mail server is a good thing, however. A server admin is more likely to respond and fix their problem than an ordinary user because if the server is blacklisted, all its customers will be affected.
That's a rough translation, anyway. I don't necessarily agree with the logic, although the underlying assumptions are correct.
Of the list responses you posted, the most important was the one about your server's IP not being blocked. If your server isn't sending spam there is no reason it ever will be. The domain name itself doesn't get blocked.
One last comment is that your domain webhost did you no favors by allowing mail delivery to a non-existent address. This setting should be off by default. Very few customers need this capability. |
|
|
|
Wiz Feinberg
From: Mid-Michigan, USA
|
Posted 13 Dec 2006 6:47 am
|
|
Jeff said:
Quote: |
One last comment is that your domain webhost did you no favors by allowing mail delivery to a non-existent address. This setting should be off by default. Very few customers need this capability. |
Bingo!
The first thing I do when setting up a new hosting account is to ensure that the catch-all accounts return ":fail: No such user here," for email sent to non-existent account names. Furthermore, since the webmaster account is always spammed on almost all domains, I send mail addressed to webmaster@ to ":blackhole," and configure an alternative account name for that function. This assumes Cpanel on an Apache Server.
------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage. Get Firefox Here.
Learn about current computer virus and security threats here.
Read Wiz's Blog for security news and update notices. Learn about using a Limited User account to protect your PC. Read my FAQs.
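An added example, not part of any post in this thread, tying together the two points made above about reporting misconfigured bounce servers and refusing mail for non-existent names: it parses delivery-status notifications, ignores those addressed to a real mailbox, and counts the rest per reporting server. The bounce text, the hosts, `example.org` and the single valid mailbox are constructed assumptions.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

VALID_MAILBOXES = {"steinar"}  # assumption: the domain's only real mailbox
# Constructed bounce (DSN); hosts and addresses are placeholders.
DSN_TEMPLATE = """\
From: MAILER-DAEMON@{mta}
To: {rcpt}@example.org
Subject: Undelivered mail notification
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; {mta}

Final-Recipient: rfc822; someone@unrelated.example
Status: 5.1.1
--b1--
"""

def parse_bounce(raw):
    """Return (reporting_mta, local_part) for a DSN, or None for ordinary mail."""
    msg = message_from_string(raw)
    is_dsn = msg.get_content_type() == "multipart/report"
    if not (is_dsn and msg.get_param("report-type") == "delivery-status"):
        return None
    mta = None
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status" and part.is_multipart():
            for block in part.get_payload():  # one Message per header block
                if block.get("Reporting-MTA"):
                    mta = block["Reporting-MTA"].split(";", 1)[-1].strip()
    local_part = parseaddr(msg.get("To", ""))[1].split("@")[0].lower()
    return mta, local_part

def summarize(raw_messages, valid=VALID_MAILBOXES):
    """Count bounces per reporting server, skipping those to real mailboxes."""
    per_mta = Counter()
    for raw in raw_messages:
        parsed = parse_bounce(raw)
        if parsed and parsed[1] not in valid:
            per_mta[parsed[0]] += 1
    return per_mta
```

The servers with the highest counts are the ones accepting forged mail and bouncing it afterwards; the local parts that never match a real mailbox are the ones a ":fail:" default address refuses outright.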
|
|
|
|