Filed in: The Web, Site News

Randsco Hijacked

January 11th, 2007  · stk

Would you like spammers using your domain for their activities? If it happened to randsco.com, it can happen to you. Find out more ...

Been spammed by a randsco.com email address?

We apologize. A few days ago, spammers began using bogus randsco.com email addresses in the "From:" field of their spammy messages. We discovered it's easy for spammers to fake (or spoof) email addresses and that we're relatively powerless to stop it.


Randsco.com does not condone SPAM. Quite the contrary. We make every effort to eliminate it - see here, here, here or here - for proof. We hate SPAM!

Unfortunately, there's very little one can do to stop spammers from making it look like their SPAM is coming from your domain: they simply put a bogus address at your domain in the "From:" field of their messages. It turns out we're not completely defenseless, but the best apparent remedy requires the cooperation of every mail server across the Internet.

How did I find out that spammers were spoofing randsco.com email addresses? Are spammers giving your domain a spammy reputation? What can you do to help stop these spammy attacks?

To find out ... read on ...

Before I begin, I should say that I'm not an Internet email guru. I'm just an above-average intelligent guy who has a blog and a domain. I hate SPAM and try my best to learn about ways (and create ways) to defeat it. If anyone has more information or a better way, I'd appreciate hearing about it. More worthwhile information is always appreciated.


How I Found Out Randsco was Hijacked

While we have sanctioned email addresses on randsco.com, we don't often use them, favoring email accounts at Yahoo and Gmail. We prefer them because (a) they're free, (b) it saves disk space, (c) their programmers are constantly improving services and spam-fighting defenses and (d) having an account buys us some additional privileges.

We do occasionally use our randsco.com email accounts. More importantly, we monitor all email activity on our domain. We do this by forwarding any unrouted randsco.com mail to an active email account. This means that you could write to us at [WhateverYouWant]·at·randsco·com and we'd receive it. It also means that when spammers began using bogus randsco.com email addresses, a few days ago, we detected it because all the undeliverable mail was returned.

If you forward all unrouted mail to an active email account, you can monitor email activity on your domain.

So, five or six days ago, for the first time ever, we began receiving undeliverable-mail notices for messages addressed to domains we'd never heard of, sent "from" randsco.com email addresses that don't exist.

What does this mean?


The Case of Two Possibilities

When I first began noticing the 20 or so emails per day that were being returned as "undeliverable", my first thought was, "Looks like the spammers are trying a new technique to deliver their junk to us."

My supposition was as follows: Say a spammer wants to send us a SPAM email. They could (and do) email a randsco.com address directly. However, that has a great chance of being blocked by anti-spam software. Instead, they could send the email to a non-existent address at another (valid) domain, using a bogus randsco.com "From:" address. The valid domain would mark the mail as "undeliverable" (no such account) and return it to the bogus randsco.com "From:" address, which is the real target. The message would be disguised as an informational "undeliverable" notice and might pass the scrutiny of anti-spam defenses.

Of course, the other possibility is that spammers are broadcasting scads of SPAM messages using bogus randsco.com addresses in the "From:" field. Many people will receive the SPAM (which appears to emanate from randsco.com); where the recipient address doesn't exist, the receiving server will likely generate an "undeliverable" message, which is bounced back to the bogus address at randsco.com.

In the first instance, your domain is the SPAM target, but isn't considered "spammy" and won't be blacklisted. In the second case, your domain isn't really the SPAM target, merely the unwitting participant, but your domain appears spammy to many people and may be blacklisted. (Although most blacklisting services, like SpamCop, are IP-based rather than domain-based.)
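The monitoring described above (forward unrouted mail to a live mailbox and watch what comes back) can be turned into a small triage script. The following is an added example, not code from the original post: it reads constructed bounce messages, separates bounces from ordinary mail, records which non-existent local parts at the monitored domain are receiving bounces, and tallies the domains that rejected the forged mail. The domain `example.com`, the set of sanctioned mailboxes, the sample messages and the use of Exim's `X-Failed-Recipients:` header to learn the original recipient are all assumptions of the example. Many distinct bogus local parts receiving bounces is the signature of the second possibility (backscatter from mass forgery) rather than the first.

```python
import email
from collections import Counter
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                          # constructed stand-in for the monitored domain
KNOWN_LOCAL_PARTS = {"stk", "webmaster", "abuse"}   # assumption: the sanctioned mailboxes
BOUNCE_SENDERS = {"mailer-daemon", "postmaster"}
BOUNCE_SUBJECT_HINTS = ("undeliverable", "delivery status", "delivery failed", "returned mail")

# Constructed sample mailbox: three bounces to addresses that do not exist at our
# domain, plus one ordinary message to a sanctioned mailbox.
SAMPLE_MAILBOX = [
    """From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: kq7x2@example.com
Subject: Mail delivery failed: returning message to sender
X-Failed-Recipients: nobody1@example.net

This message was created automatically by mail delivery software.
""",
    """From: MAILER-DAEMON@mail.example.org
To: promo88@example.com
Subject: Undeliverable: Cheap meds
X-Failed-Recipients: ghost@example.org

The original message was received and could not be delivered.
""",
    """From: postmaster@example.net
To: kq7x2@example.com
Subject: Delivery Status Notification (Failure)
X-Failed-Recipients: someone@example.net
""",
    """From: alice@example.org
To: webmaster@example.com
Subject: Question about your blog

Hi, nice site.
""",
]


def is_bounce(msg):
    """Heuristic: sent by a mailer daemon, or carries a typical bounce subject."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    local = sender.partition("@")[0]
    subject = (msg.get("Subject") or "").lower()
    return local in BOUNCE_SENDERS or any(hint in subject for hint in BOUNCE_SUBJECT_HINTS)


def summarize_bounces(raw_messages, known_local_parts=KNOWN_LOCAL_PARTS):
    """Count bounces, collect bogus local parts they were addressed to, and tally
    the domains that rejected the forged mail (from Exim's X-Failed-Recipients header)."""
    summary = {
        "bounces": 0,
        "other": 0,
        "spoofed_local_parts": set(),
        "failed_recipient_domains": Counter(),
    }
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        if not is_bounce(msg):
            summary["other"] += 1
            continue
        summary["bounces"] += 1
        to_addr = parseaddr(msg.get("To", ""))[1].lower()
        local, _, domain = to_addr.partition("@")
        if domain == OUR_DOMAIN and local not in known_local_parts:
            summary["spoofed_local_parts"].add(local)
        for header in msg.get_all("X-Failed-Recipients", []):
            for rcpt in str(header).split(","):
                summary["failed_recipient_domains"][rcpt.strip().rpartition("@")[2].lower()] += 1
    return summary


def looks_like_backscatter(summary, min_distinct=2):
    """Bounces landing on several distinct non-existent local parts point to mass
    forgery of From: addresses rather than a single misaddressed message."""
    return summary["bounces"] > 0 and len(summary["spoofed_local_parts"]) >= min_distinct


if __name__ == "__main__":
    result = summarize_bounces(SAMPLE_MAILBOX)
    print(result)
    print("backscatter suspected:", looks_like_backscatter(result))
```

On a real catch-all mailbox you would feed this the messages of one day at a time; the daily count of distinct bogus local parts is the number worth watching, and the rejecting domains tell you where the forged mail was actually being sent.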

Regardless, either case is undesirable.


What Can a Webmaster do?

You could bury your head in the sand, like an ostrich, and ignore the problem. (Maybe you have already, unwittingly, done this?) By default, most host providers deliver unrouted mail to ":fail:" or ":blackhole:".

If unrouted mail is sent to ":fail: + message", then a bounce message carrying that text is returned to the sender. The idea is that the sender will learn that your domain doesn't accept mail for unsanctioned addresses. This is great in theory, but since the "sender" of forged mail is whoever the spammer put in the "From:" field, your bounce message could be sent to unsuspecting innocents (as SPAM).

If unrouted mail is sent to ":blackhole:", then it'll just be discarded and you won't even know anything happened.

In either case, you'll never be aware that your domain is being used for SPAM activity. Additionally, you may also miss receiving legitimate mail: misspelled email addresses, or email directed to common names (such as "abuse@yourdomain.com", "webmaster@yourdomain.com", etc.).

There is another, more pro-active, alternative ... add an SPF record to your domain's DNS.


The OpenSource "Sender Policy Framework" Project

Stopping spammers is a war waged on many fronts. One of the ways you can help is to join the SPF project and keep spammers from using hijacked domain email addresses.

The problem: Many SPAM messages use fake sender addresses at valid domains, which are in turn punished because they are (unwittingly) associated with SPAM. This isn't good for your domain or for email as a whole, because it erodes confidence in email reliability.

Solution: Sender Policy Framework is an open standard designed to prevent sender-address forgery. An SPF record is added to your domain's DNS: a TXT record that specifies which servers are allowed to send email for your domain. A receiving mail exchange server looks up the SPF record and checks that the IP address of the sending mail server matches one of the addresses permitted by that record. If there isn't a match, the message is considered a forgery (SPAM) and blocked. If it does match, it's considered legitimate and passes through.

The main weakness of the system is that it's an "all parties involved" solution: the sending domain must publish an SPF record and the receiving mail server must check it. (Publishing an SPF record alone isn't enough; the receiving mail server must be configured to check.)

Unfortunately, there's not much else one can do to prevent spammers from sullying your domain name.


Setting Up an SPF Record

To begin using an SPF record for your domain, you need to add it to your DNS.

Because we're currently at a hosted site, we simply informed our host that we would like to add an SPF record. They took care of all the details. If you don't have a hosted site, you may need to add it yourself. If so, check out openspf.org for all the details, plus support.

To verify that your SPF record is in place, head over to DNSreport and plug in your domain name. You'll be presented with a series of DNS tests, some of which may help you identify other DNS problems. The SPF record should appear near the bottom of the report (the last box in the "Mail" section). It should look something like this:

You have an SPF record. This is very good, as it will help prevent spammers from abusing your domain. Your SPF record (I don't check to see if it is well designed!) is: "v=spf1 ip4:207.218.208.0/24 a mx a:randsco.com a:siteground126.com a:serv01.siteground126.com mx:randsco.com mx:siteground126.com mx:serv01.siteground126.com include:siteground126.com include:serv01.siteground126.com ~all" [TTL=14400]

I hope this has been helpful to you. We've only just added our SPF record, so I can't say how much of the SPAM messages are being stopped, but even if it's just a few, it's worth it. The more people that utilize SPF records, the more it will work to prevent spammers from hijacking sender email addresses.

EDIT: It's important to publish a correct SPF record. The one given to us by our host, above, yielded permanent errors when it was tested. As a result, I took a quick dip in the SPF pool, to learn how to write my own SPF record. My experiences have been summarized HERE.
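To make the receiving-side check described under "Solution" concrete, and to show one way a record can be correct-looking yet still fail, here is an added example that is not code from the original post or from the SPF project. It implements a minimal evaluator for the common mechanisms (`ip4`, `ip6`, `a`, `mx`, `include`, `all`) against a constructed in-memory DNS table using documentation address ranges; the names `example.com`, `hosting.example` and `bloated.example` are invented. It also applies the RFC 7208 limit of ten DNS-querying mechanisms per check, beyond which the result is a permanent error. Note that the host-supplied record quoted above contains exactly ten such mechanisms (`a`, `mx`, three `a:`, three `mx:`, two `include:`) before the two include targets are expanded, so any lookups inside those included records push it past the limit; that is one common cause of a permerror, though the page does not say which error the author's tester reported. The `~all` ending also means a non-matching sender yields "softfail", which receivers usually treat as a weak signal rather than an outright block.

```python
import ipaddress

# RFC 7208 section 4.6.4: at most ten DNS-querying mechanisms (a, mx, include, ptr,
# exists) and redirect modifiers may be evaluated per check; more is a permerror.
LOOKUP_LIMIT = 10
LOOKUP_MECHANISMS = {"a", "mx", "include", "ptr", "exists"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for DNS (assumption: invented names, documentation addresses).
DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 mx include:hosting.example ~all"],
    ("example.com", "MX"): ["mx.example.com"],
    ("mx.example.com", "A"): ["198.51.100.25"],
    ("hosting.example", "TXT"): ["v=spf1 a:relay.hosting.example -all"],
    ("relay.hosting.example", "A"): ["198.51.100.200"],
    # Eleven a: mechanisms: one more than the limit allows.
    ("bloated.example", "TXT"): [
        "v=spf1 " + " ".join(f"a:h{i}.bloated.example" for i in range(11)) + " -all"
    ],
}

# The record the blog's host published, copied from the page, used only for counting.
PAGE_RECORD = ("v=spf1 ip4:207.218.208.0/24 a mx a:randsco.com a:siteground126.com "
               "a:serv01.siteground126.com mx:randsco.com mx:siteground126.com "
               "mx:serv01.siteground126.com include:siteground126.com "
               "include:serv01.siteground126.com ~all")


def lookup(name, rtype):
    """Query the constructed DNS table; a real implementation would use a resolver."""
    return DNS.get((name.lower(), rtype), [])


def parse_spf(record):
    """Split a record into (qualifier, mechanism, argument, cidr_prefix) terms.
    Modifiers such as redirect= and exp= are skipped in this example."""
    parsed = []
    for term in record.split()[1:]:
        if "=" in term:
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech, _, prefix = mech.partition("/")        # bare "a/24" form
        if not prefix:
            arg, _, prefix = arg.partition("/")      # "a:host/24" or "ip4:net/24" form
        parsed.append((qual, mech.lower(), arg, prefix))
    return parsed


def count_lookup_mechanisms(record):
    """Top-level DNS-querying mechanisms; include targets are not expanded."""
    return sum(1 for _, mech, _, _ in parse_spf(record) if mech in LOOKUP_MECHANISMS)


def _matches_any(ip, addrs, prefix):
    for addr in addrs:
        net = ipaddress.ip_network(f"{addr}/{prefix}" if prefix else addr, strict=False)
        if ip in net:
            return True
    return False


def check_host(ip, domain, state=None):
    """Evaluate domain's SPF policy for a connection from ip.
    Returns none, pass, fail, softfail, neutral or permerror (temperror not modelled)."""
    ip = ipaddress.ip_address(ip)
    state = state if state is not None else {"lookups": 0}
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"            # RFC 7208 section 3.2: more than one record is an error
    for qual, mech, arg, prefix in parse_spf(records[0]):
        if mech in LOOKUP_MECHANISMS:
            state["lookups"] += 1     # includes share the caller's budget
            if state["lookups"] > LOOKUP_LIMIT:
                return "permerror"
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = _matches_any(ip, [arg], prefix)
        elif mech == "a":
            matched = _matches_any(ip, lookup(arg or domain, "A"), prefix)
        elif mech == "mx":
            hosts = lookup(arg or domain, "MX")
            matched = _matches_any(ip, [a for h in hosts for a in lookup(h, "A")], prefix)
        elif mech == "include":
            inner = check_host(ip, arg, state)
            if inner in ("none", "permerror"):
                return "permerror"    # an include with no usable record is an error
            matched = inner == "pass"
        else:
            return "permerror"        # ptr, exists and unknown mechanisms not implemented here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                  # ran off the end without an "all" term


if __name__ == "__main__":
    for sender in ("203.0.113.7", "198.51.100.25", "198.51.100.200", "192.0.2.1"):
        print(sender, "->", check_host(sender, "example.com"))
    print("bloated.example ->", check_host("192.0.2.1", "bloated.example"))
    print("page record lookup mechanisms:", count_lookup_mechanisms(PAGE_RECORD))
```

Swapping the `lookup` function for a real resolver turns this into a usable checker; when auditing a record before publishing it, the two things to run are `count_lookup_mechanisms` on the record and `check_host` with the addresses of every server that legitimately sends your mail, confirming each returns "pass".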

Updated: 8-Feb-2007

Comments
1. John, 02/07/07

um, experiences summarized HERE --- where?

And how did you get on with it solving the problem?

And how come no one has made a comment here? I would have thought this was a HOT topic!! ;o)

2. stk, 02/07/07

LOL ... you got me! (I've been swamped and have only half-completed the SPF-writing article - which is supposed to be LINKED at that point). Whoops.

I shall finish it and post it shortly.

In the meantime, let me just say that the good news (no, GREAT news) is that it took only about a week after having an SPF record, to completely (knock on wood) eradicate ALL the spammer abuse of our domain name.

I was getting 20-30 bounce-backs per day. Now - NONE.

Yay!

3. stk, 02/08/07

John ... sorted & linked. Thanks for the kick in the pants. ;)