Forged mail headers from me?!


#1

Hi-

I just received a “returned mail: user unknown” note from AOL. The problem is it looks like someone is forging the header so it looks like it comes from an address at my domain to send out “Subject: last email:, hi, The perfect Travel gift”.

I’ve never been a spammer before? I certainly don’t want to get me or DH blacklisted.

Is there anything I can do about this?


#2

Oh … I got more than a dozen a couple of days ago, seemingly returned by AOL. Those spammers just picked domains at random.

As for being blacklisted, I guess it’s just some silly act by those who think they are somebody. Who cares? I don’t even care if AOL blocks my domains, frankly.


Yours Truly, nameslave

nameslave.com - Buying and selling domain names since 1997
HostHideout.com - Where professionals discuss web hosting


#3

Random I can live with, although I still feel sort of violated. Is this common? Have any others of you had this happen to you?

Blacklisting goes a little deeper than that when people you know can’t receive your emails because their ISP has blocked email from your domain. That’s my worst-case scenario in this. That, and having spam-hunters harass me.

The AOL thing has already been a pain with another one of my domains and its announcement list.


#4

And speaking of spam hunters… this is something I’ve been interested in for a while.

Can any of you recommend any resources on the techniques used to track down spammers? Ex: how to trace mailers using the header content.


#5

Virtually any ISP that is blocking mail locally is also smart enough to figure out when a sender-address is being forged. In most cases, the IP of a message’s origin is what ISPs block on, not the sender’s domain. In extreme cases (where all mail from a domain is known to be rogue, or when a domain is known to never send mail from that domain), a domain, or hosts within a particular domain, might be blocked, but this is fairly rare.

AOL doesn’t reject messages outright a lot of the time (this is slowly changing, supposedly). When a message is rejected during the SMTP transaction itself, the job of delivering the bounce falls upon the sending MTA. Viruses and spamware that send directly to the MX generally ignore the failure completely, so the only time you’ll get a bounce is when the message is accepted by a mail server and then rejected to the sender.

It’s understandable why AOL does this - they have a lot of users, so their mail system is more complicated, and rejecting unknown addresses immediately would make it easier for spammers to “dictionary attack” their mail servers to find valid usernames. However, the sheer volume of bounces can overwhelm a mail server. If it’s a long term, persistent problem, they can often be convinced to disable bounces for a particular sender-address or domain.


#6

This also happens when there is a worm outbreak, as the worms send copies of themselves to addresses they find on victimized computers, and pick one of those to forge the header with.

As Will said, it’s the IP address that you have to use to trace the message, and that is in the Received headers. Sometimes you can do a lookup and see what ISP or upstream provided the Internet connection. Though I only do this to see if the message was sent from a different country or perhaps by a dial-up or otherwise non-commercial IP address.

:cool: Perl / MySQL / HTML+CSS
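Posts #5 and #6 make the same point: ignore the From: line and trace (or block) on the IP recorded in the Received headers. The script below is an added example, not code from anyone in this thread; it walks a constructed message whose From: claims the poster's domain, and mydomain.example and the IPs in it are placeholders.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample (not a real bounce): From: claims the poster's domain,
# but the Received chain shows the mail entering from an unrelated host.
SAMPLE = b"""Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.aol.example with ESMTP; Tue, 30 Sep 2003 10:12:03 -0400
Received: from [203.0.113.45] (helo=mydomain.example)
\tby relay.isp.example with SMTP; Tue, 30 Sep 2003 10:11:50 -0400
Received: from localhost (localhost [127.0.0.1])
\tby 203.0.113.45 with SMTP; Tue, 30 Sep 2003 10:11:49 -0400
From: someone@mydomain.example
Subject: The perfect Travel gift

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# RFC 1918 ranges: a hop inside them is the sender's own LAN, not the Internet.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    a = ipaddress.ip_address(ip)
    return a.is_loopback or a.is_link_local or any(a in n for n in INTERNAL)

def received_ips(raw):
    """Bracketed connecting IP from each Received header, oldest hop first
    (each MTA prepends its own header, so on the wire they are newest-first)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = [IP_RE.search(h) for h in reversed(msg.get_all("Received", []))]
    return [m.group(1) if m else None for m in found]

def origin_ip(raw):
    """Oldest non-internal IP in the chain: the host that handed the mail to the
    Internet. Older hops may have been forged by the spammer, so it is a lead, not proof."""
    for ip in received_ips(raw):
        if ip and not is_internal(ip):
            return ip
    return None

def from_domain(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    return msg.get("From", "").rsplit("@", 1)[-1].strip(" <>").lower()

def looks_forged(raw):
    """True when no 'by' clause in the chain is a host under the From: domain:
    the message never passed through that domain's own mail servers."""
    chain = " ".join(email.message_from_bytes(raw, policy=policy.default)
                     .get_all("Received", [])).lower()
    return not re.search(r"by [\w.-]*" + re.escape(from_domain(raw)), chain)
```

Feed the returned origin IP to reverse DNS or whois separately if you want the ISP behind it, which is the lookup post #6 describes.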


#7

Thanks.

I know it wasn’t worm related because it’s not a real address that I ever set up or aliased. Additionally, this is a domain that I have a basic site up for, but don’t really do any emailing from it.

A couple weeks ago I had a bunch of bounced messages “from me” when sobig was tearing through the net. Between those and the copies that were sent to me “from others” it was like a big game of “six-degrees of separation.” It was almost entertaining. For some reason I kept getting a bunch from law firms in Austin and Houston… who do I know that would have me AND a bunch of Texas lawyers in their address book? I don’t even live near Texas.

Maybe I should go sign up on Friendster.


#8

This has just started happening to me (and my domain). Hopefully it just stops of its own accord?


#9

I wouldn’t bet on it stopping. I still get a couple bounce-backs from AOL every week, which means to me that there are a bunch going out that are actually finding their mark.

The problem (among many problems) with AOL is that they truncate the bounced message down to the headers… you don’t even get to see what is being sold.