Spam attack

[charlesh]

I've been a bit confused lately as to what types of spam are within my control and that which is out of my control - so I wanted to make sure that I understood the difference between the two.

Tonight while I was no where near a computer, I was barraged on my blackberry with undeliverable messages, returned to me (aka the sender) from mailboxes that didn't exist or from mail servers who had flagged the message as spam. There were about 188 of them in a 15 minute window, so I don't want to think about the messages that even got through. This irks me more than anything due to the fact that they (whoever the spammers are) are using my name and email address to send spam with and I am going to end up on a blacklist if I haven't done so already. No where on my site do I have my email address listed, either.

So, whenever this happens, I always get freaked out that someone has taken over my mail server to send spam, even though I know this isn't a usual case, only that they spoof my email address and anyone can write a sendmail() script to do it, but it still scares me in thinking I've been totally hacked.

So, my question is - is there any way to stop this? I'm guessing the answer is no, but then my other question is why don't spammers use gmail or yahoo or msn addresses as well? Never before have I had returned messages from one of those accounts, so what is going on here?

Since I'm running my own DNS, is there a way that I can counteract this type of thing?

Thanks,
Charles H.

[Alexander]

I'm afraid, you can't forbid spammers to use your e-mail address as the one in Reply-to field of spam messages. But you can decrease the number of such mails rejected to your mail accounts. Just don't use catch-all e-mail account and keep your SpamAssasin enabled. Custom filtering rules also can help in this situation.

[Matt]

Are you sure they did not originate from your own mail server? check the email headers to be sure.

If your catch-all is off and you received a ton of bounces to a legitimate email address, then chances are one of your php scripts that has the mail function has been hacked.

It is probably the script that has bounced-user@yourdomain.com coded right into the reply-to header. That is where I would start is to think about the site and any scripts that have reply-to set to the email address that was bounced.

[charlesh]

Matt,

Sorry for the firedrill - that is exactly what I'm concerned about, although on my site I only have one contact form with all the get data addslashed and htmlspecialchars filtered out, so I don't think any malicious scripts could be injected. Here is an example header -

Code:

Return-path: <>
Envelope-to: charles@harmonmediagroup.com
Delivery-date: Tue, 01 Apr 2008 21:35:22 -0400
Received: from [72.32.68.27] (port=60577 helo=90752-www2.kapowwe.com)
    by cpvps125-vern.harmonmediagroup.com with esmtp (Exim 4.68)
    id 1JgrsT-00013A-Do
    for charles@harmonmediagroup.com; Tue, 01 Apr 2008 21:35:21 -0400
Received: by 90752-www2.kapowwe.com (Postfix)
    id 303BB6AC6D3; Tue,  1 Apr 2008 20:35:08 -0500 (CDT)
Date: Tue,  1 Apr 2008 20:35:08 -0500 (CDT)
From: MAILER-DAEMON@kapowwe.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: charles@harmonmediagroup.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="E914C6AC52E.1207100108/90752-www2.kapowwe.com"
Message-Id: <20080402013508.303BB6AC6D3@90752-www2.kapowwe.com>
X-Spam-Status: No, score=1.2
X-Spam-Score: 12
X-Spam-Bar: +
X-Spam-Flag: NO

And here is the return bounce header part

Code:

Reporting-MTA: dns; 90752-www2.kapowwe.com
X-Postfix-Queue-ID: E914C6AC52E
X-Postfix-Sender: rfc822; charles@harmonmediagroup.com
Arrival-Date: Tue,  1 Apr 2008 20:35:07 -0500 (CDT)

Final-Recipient: rfc822; austin@www.kapowwe.com
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; mail for www.kapowwe.com loops back to myself

So, it doesn't look like it is originating from me, does it? Or is there not enough info to tell. Funny thing that all of the sudden I got around 200 bouncebacks last night.

Charles

[Matt]

No where on my site do I have my email address listed, either.

But now you have it listed at least one place on the web. can't tell a whole lot from that bounce but I will look at the logs and see if we can find anything. Probably just a lucky spoof.