Thread: Spam attack

  1. #1
    charlesh (Master Glow Jedi)
    Join Date: Aug 2006 | Location: Atlanta, GA - better than you imagined it would be. | Posts: 189

    Spam attack

    I've been a bit confused lately as to what types of spam are within my control and which are out of my control, so I wanted to make sure that I understood the difference between the two.

    Tonight, while I was nowhere near a computer, I was barraged on my BlackBerry with undeliverable messages, returned to me (aka the sender) from mailboxes that didn't exist or from mail servers that had flagged the message as spam. There were about 188 of them in a 15-minute window, so I don't want to think about the messages that even got through. This irks me more than anything due to the fact that they (whoever the spammers are) are using my name and email address to send spam with, and I am going to end up on a blacklist if I haven't done so already. Nowhere on my site do I have my email address listed, either.

    So, whenever this happens, I always get freaked out that someone has taken over my mail server to send spam, even though I know this isn't the usual case, only that they spoof my email address and anyone can write a sendmail() script to do it, but it still scares me into thinking I've been totally hacked.

    So, my question is: is there any way to stop this? I'm guessing the answer is no, but then my other question is why don't spammers use Gmail or Yahoo or MSN addresses as well? Never before have I had returned messages from one of those accounts, so what is going on here?

    Since I'm running my own DNS, is there a way that I can counteract this type of thing?

    Thanks,
    Charles H.

  2. #2
    Alexander (Technical Analyst)
    Join Date: Jul 2007 | Posts: 1,376

    I'm afraid you can't forbid spammers to use your e-mail address as the one in the Reply-to field of spam messages. But you can decrease the number of such mails bounced back to your mail accounts. Just don't use a catch-all e-mail account and keep your SpamAssassin enabled. Custom filtering rules can also help in this situation.

  3. #3
    Matt (GlowHost Administrator)
    Join Date: Jan 2005 | Location: Behind your monitor | Posts: 5,350

    Are you sure they did not originate from your own mail server? Check the email headers to be sure.

    If your catch-all is off and you received a ton of bounces to a legitimate email address, then chances are one of your PHP scripts that has the mail function has been hacked.

    It is probably the script that has bounced-user@yourdomain.com coded right into the Reply-to header. That is where I would start: think about the site and any scripts that have Reply-to set to the email address that was bounced.
    Last edited by Matt; 04-02-2008 at 11:36 AM.

  4. #4
    charlesh (Master Glow Jedi)
    Join Date: Aug 2006 | Location: Atlanta, GA - better than you imagined it would be. | Posts: 189

    Matt,

    Sorry for the fire drill - that is exactly what I'm concerned about, although on my site I only have one contact form, with all the GET data addslashed and htmlspecialchars-filtered, so I don't think any malicious scripts could be injected. Here is an example header -

    Code:
    Return-path: <>
    Envelope-to: charles@harmonmediagroup.com
    Delivery-date: Tue, 01 Apr 2008 21:35:22 -0400
    Received: from [72.32.68.27] (port=60577 helo=90752-www2.kapowwe.com)
        by cpvps125-vern.harmonmediagroup.com with esmtp (Exim 4.68)
        id 1JgrsT-00013A-Do
        for charles@harmonmediagroup.com; Tue, 01 Apr 2008 21:35:21 -0400
    Received: by 90752-www2.kapowwe.com (Postfix)
        id 303BB6AC6D3; Tue,  1 Apr 2008 20:35:08 -0500 (CDT)
    Date: Tue,  1 Apr 2008 20:35:08 -0500 (CDT)
    From: MAILER-DAEMON@kapowwe.com (Mail Delivery System)
    Subject: Undelivered Mail Returned to Sender
    To: charles@harmonmediagroup.com
    MIME-Version: 1.0
    Content-Type: multipart/report; report-type=delivery-status;
        boundary="E914C6AC52E.1207100108/90752-www2.kapowwe.com"
    Message-Id: <20080402013508.303BB6AC6D3@90752-www2.kapowwe.com>
    X-Spam-Status: No, score=1.2
    X-Spam-Score: 12
    X-Spam-Bar: +
    X-Spam-Flag: NO

    And here is the return bounce header part

    Code:
    Reporting-MTA: dns; 90752-www2.kapowwe.com
    X-Postfix-Queue-ID: E914C6AC52E
    X-Postfix-Sender: rfc822; charles@harmonmediagroup.com
    Arrival-Date: Tue,  1 Apr 2008 20:35:07 -0500 (CDT)
    
    Final-Recipient: rfc822; austin@www.kapowwe.com
    Action: failed
    Status: 5.0.0
    Diagnostic-Code: X-Postfix; mail for www.kapowwe.com loops back to myself

    So, it doesn't look like it is originating from me, does it? Or is there not enough info to tell? Funny thing that all of a sudden I got around 200 bouncebacks last night.

    Charles
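    One way to read a bounce like the one above, as an added example that is not code from the thread or from GlowHost: it parses the headers Charles posted, plus two constructed original-message header blocks standing in for the third MIME part (the original message's headers) that the quoted bounce did not include, and reports which MTA rejected the mail, which sender it claims, and whether any Received: hop was written by a host in the spoofed domain. The Return-path: <> and delivery-status checks separate genuine bounces from spam shaped like bounces. Only the Python standard library is used; the host names, IP addresses and CONSTRUCTED-ID in the constructed samples are illustrative.

```python
"""Triage a spoofed-sender bounce: could the original mail have left our server?
Added example (not from the thread); standard library only. Samples: the
thread's quoted bounce plus CONSTRUCTED original-message headers."""
import re
from email.parser import HeaderParser

MY_DOMAIN = "harmonmediagroup.com"  # the domain whose address is being spoofed

BOUNCE_TOP = """Return-path: <>
Received: from [72.32.68.27] (port=60577 helo=90752-www2.kapowwe.com)
    by cpvps125-vern.harmonmediagroup.com with esmtp (Exim 4.68)
    id 1JgrsT-00013A-Do
    for charles@harmonmediagroup.com; Tue, 01 Apr 2008 21:35:21 -0400
Received: by 90752-www2.kapowwe.com (Postfix)
    id 303BB6AC6D3; Tue,  1 Apr 2008 20:35:08 -0500 (CDT)
From: MAILER-DAEMON@kapowwe.com (Mail Delivery System)
Content-Type: multipart/report; report-type=delivery-status;
    boundary="E914C6AC52E.1207100108/90752-www2.kapowwe.com"
"""

DSN_PART = """Reporting-MTA: dns; 90752-www2.kapowwe.com
X-Postfix-Sender: rfc822; charles@harmonmediagroup.com
Arrival-Date: Tue,  1 Apr 2008 20:35:07 -0500 (CDT)

Final-Recipient: rfc822; austin@www.kapowwe.com
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; mail for www.kapowwe.com loops back to myself
"""

# CONSTRUCTED: the spammer handed the mail straight to the victim's MTA from an
# unrelated address, so our server never appears as a "by" host.
ORIGINAL_HEADERS_SPOOFED = """Received: from [203.0.113.45] (helo=example.invalid)
    by 90752-www2.kapowwe.com (Postfix) with SMTP id E914C6AC52E
    for <austin@www.kapowwe.com>; Tue,  1 Apr 2008 20:35:07 -0500 (CDT)
"""

# CONSTRUCTED: a mail injected by a web script on our own box; the oldest hop
# is a local submission by the web-server user on our host.
ORIGINAL_HEADERS_LOCAL = """Received: from cpvps125-vern.harmonmediagroup.com ([192.0.2.10])
    by 90752-www2.kapowwe.com (Postfix) with ESMTP id E914C6AC52E
    for <austin@www.kapowwe.com>; Tue,  1 Apr 2008 20:35:07 -0500 (CDT)
Received: from nobody by cpvps125-vern.harmonmediagroup.com with local (Exim 4.68)
    id CONSTRUCTED-ID; Tue, 01 Apr 2008 21:35:00 -0400
"""

# "from X ... by Y", or just "by Y" for a local submission; DOTALL spans folding.
RECEIVED_RE = re.compile(r"(?:from\s+(\S+).*?)?\bby\s+(\S+)", re.DOTALL)


def received_hops(header_text):
    """Return [(from_host, by_host), ...] oldest hop first (MTAs prepend)."""
    msg = HeaderParser().parsestr(header_text)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append((m.group(1) or "", m.group(2)))
    return list(reversed(hops))


def is_real_dsn(header_text):
    """Genuine bounces have a null envelope sender and a delivery-status part;
    spam dressed up as a bounce usually fails one of the two."""
    msg = HeaderParser().parsestr(header_text)
    return (msg.get("Return-path", "").strip() == "<>"
            and "delivery-status" in msg.get("Content-Type", ""))


def parse_dsn(dsn_text):
    """Flatten a delivery-status part to {field: value}, minus 'dns;'-style prefixes."""
    fields = {}
    for line in dsn_text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.split(";", 1)[-1].strip()
    return fields


def triage(bounce_headers, dsn_text, original_headers=None, my_domain=MY_DOMAIN):
    """Decide whether the bounced mail could have been sent from our server."""
    dsn = parse_dsn(dsn_text)
    report = {"genuine_dsn": is_real_dsn(bounce_headers),
              "rejecting_mta": dsn.get("reporting-mta", ""),
              "claimed_sender": dsn.get("x-postfix-sender", ""),
              "failed_recipient": dsn.get("final-recipient", "")}
    if original_headers is None:
        # The DSN alone never says where the mail entered the network; the next
        # step is our own mail log, searched for the recipient near Arrival-Date.
        report["verdict"] = "undetermined"
        return report
    hops = received_hops(original_headers)
    report["path"] = hops
    # Hops written by the rejecting MTA are trustworthy; older ones can be forged
    # by the spammer, so a match here means "investigate", not "guilty".
    ours = any(by == my_domain or by.endswith("." + my_domain) for _, by in hops)
    report["verdict"] = "originated_on_our_server" if ours else "spoofed_elsewhere"
    return report
```

    Run against only the two quoted parts, the verdict stays undetermined, which is Matt's point: the bounce names the rejecting MTA (90752-www2.kapowwe.com), the claimed sender and the failed recipient, but nothing about where the mail entered the network, so the sending server's own mail log (searched for austin@www.kapowwe.com around the Arrival-Date) is what settles it. When the bounce does carry the original headers, a hop "by" a host in your own domain is a reason to go through the scripts that call mail(), not proof by itself, since Received: lines older than the ones the rejecting MTA wrote can be forged.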

  5. #5
    Matt (GlowHost Administrator)
    Join Date: Jan 2005 | Location: Behind your monitor | Posts: 5,350

    Quote Originally Posted by charlesh:
        Nowhere on my site do I have my email address listed, either.

    But now you have it listed in at least one place on the web. Can't tell a whole lot from that bounce, but I will look at the logs and see if we can find anything. Probably just a lucky spoof.
