P.Z. Low Cost CPanel Web Hosting  

Different email problem: someone is spoofing my domain
(#1) Steven Shelton, 09-02-2003, 09:39 AM

Someone is apparently spoofing my domain to send spam. I received a ton of "mailbox not found" bounces when I checked my email this morning, and when I looked at the source, they were all spam that was supposedly sent from my domain (with random letters as the account name).

I'm new to dealing with these types of issues ("I'm a designer, not a security officer, Jim!"), so I don't know how to put a stop to this.

Any ideas?
   
(#2) stratplan, 09-02-2003, 10:33 AM: sounds like the sobig worm;

You or possibly a friend with you in their address book have been hit by the Sobig.F worm. It will 'spoof' senders' addresses from an email address book on the infected machine. Very hard to determine the correct sender.

Symantec discussion of spoofing, etc.


stratplan
Click Here to Visit Page-Zone's Help Desk
Help find disease cures: FoldForCures
   
(#3) Steven Shelton, 09-02-2003, 10:34 AM: Re: sounds like the sobig worm;

Quote:
Originally posted by stratplan
You or possibly a friend with you in their address book have been hit by the Sobig.F worm. It will 'spoof' senders' addresses from an email address book on the infected machine. Very hard to determine the correct sender.

Symantec discussion of spoofing, etc.
According to Norton AntiVirus, I'm not infected. Plus, the email addresses to which it was sending are not in my address book (or anywhere else on my computer, for that matter).

*shrug*
   
(#4) stratplan, 09-02-2003, 10:54 AM: sorry: I should have quoted the example -

here's the text on how that works:
"Email spoofing
W32.Sobig.F@mm uses a technique known as "spoofing," by which the worm randomly selects an address it finds on an infected computer. The worm uses this address as the "From" address when it performs its mass-mailing routine. Numerous cases have been reported in which users of uninfected computers received complaints that they sent an infected message to another individual.

For example, Linda Anderson is using a computer infected with W32.Sobig.F@mm. Linda is neither using an antivirus program nor has the current virus definitions. When W32.Sobig.F@mm performs its email routine, it finds the email address of Harold Logan. The worm inserts Harold's email address into the "From" portion of an infected message, which it then sends to Janet Bishop. Then, Janet contacts Harold and complains that he sent her an infected message; however, when Harold scans his computer, Norton AntiVirus does not find anything, because his computer is not infected."

I think you fall into the 'innocent bystander' area like Harold.


(#5) Steven Shelton, 09-02-2003, 11:02 AM: Re: sorry: I should have quoted the example -

Quote:
Originally posted by stratplan
I think you fall into the 'innocent bystander' area like Harold.
Fan-freakin'-tastic.

I'm still not convinced that this is necessarily what's happening. The messages bounced back at me seemed to be pharmaceutical spam, not your typical Sobig garbage.

My understanding is that the experts think Sobig was written by someone who intended to open people's computers to allow spamming. Maybe they've moved on to that phase of their operations...

I just got off the blacklist of one of the anti-spam companies by finally convincing them I'd moved here. Apparently the old hosting service we were using was sloppy in their setup and allowed open relays, allowing spammers to spoof at will. As a result, basically everyone hosted on their servers got blacklisted. Here we go again...
   
(#6) alrac, 09-03-2003, 12:56 AM

It's called a "Joe-job" when someone spoofs your domain on a spam run. It is evil and mean and I wish I could beat all spammers with sticks. I have many sticks, should any of you wish to join me.

http://www.spamfaq.net/terminology.shtml#joe_job
   
(#7) alrac, 09-03-2003, 01:04 AM

PS- there's not much you can do to stop it. You might notify your ISP, in case their abuse staff is too lame to investigate correctly.

If you really want to dig deeper, request the full message with complete headers from some of the people who sent you bounces. (If they are wise and competent, they should have done this in the bounce message.) And be sure to explain you are a victim of a joe-job. Then you can try to track down the true source and make complaints. It probably won't do any good; most spam these days is routed through open proxies or comes from spam-friendly ISPs. But it is interesting and educational. The NANAE Spam-faq is a great starting point.
   
(#8) Steven Shelton, 09-18-2003, 12:17 AM: Joe-Jobbed

Quote:
Originally posted by alrac
PS- there's not much you can do to stop it. You might notify your ISP, in case their abuse staff is too lame to investigate correctly.

If you really want to dig deeper, request the full message with complete headers from some of the people who sent you bounces. (If they are wise and competent, they should have done this in the bounce message.) And be sure to explain you are a victim of a joe-job. Then you can try to track down the true source and make complaints. It probably won't do any good; most spam these days is routed through open proxies or comes from spam-friendly ISPs. But it is interesting and educational. The NANAE Spam-faq is a great starting point.
I'm not sure how talking to my ISP will make any difference.

It happened again tonight: I got 300 bounced emails, all claiming to have originated from my domain, and all advertising viagra. This is really starting to piss me off.
   
(#9) dtrumbower, 09-18-2003, 12:17 PM

Did you create a helpdesk ticket? They probably could help.


Dwight

T Systems Corp
Custom Database Solutions
www.tsystemscorp.com
   
(#10) broken1, 09-18-2003, 03:53 PM

There's not much you can do. I'm pretty sure the bounces should contain the headers from the original spam. If you look at these headers, you should be able to find the mail server that it was sent from. Your only option is to contact the admins of the server that was used to relay the spam.

-Craig
   
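alrac (#7) and Craig (#10) both point at the headers quoted inside the bounces. As an added example that is not part of this thread, the Python below takes a constructed multipart/report bounce, pulls out the quoted original, and walks its Received: chain to separate the spoofed From: domain from the IP address that actually handed the spam to the bouncing site's mail server; the message text, host names and addresses are all constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample bounce (not a real message from this thread): a
# "mailbox not found" report quoting the headers of the spam it rejected.
SAMPLE_BOUNCE = """\
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: <qxzv@twilightmd.com>
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/rfc822

Received: from mx.example.net ([192.0.2.10]) by store.example.net
    with ESMTP id ABC123; Tue, 2 Sep 2003 07:12:44 -0500
Received: from twilightmd.com (unknown [203.0.113.77]) by mx.example.net
    with SMTP id XYZ789; Tue, 2 Sep 2003 07:12:40 -0500
From: qxzv@twilightmd.com
To: someone@example.net
Subject: cheap meds

(spam body)
--b1--
"""

# "from <helo-name> ... [<ip>]": the name is whatever the sender claimed;
# the bracketed IP is what the receiving MTA actually saw on the wire.
RECEIVED_RE = re.compile(r"^from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)

def quoted_original(bounce_text):
    """Return the original message embedded in a multipart/report bounce."""
    for part in message_from_string(bounce_text).walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload()[0]

def trace_origin(bounce_text):
    """Pair the spoofed From: domain with the relay that really injected the
    mail. MTAs prepend Received: lines, so the LAST one is the oldest hop; in
    real traffic trust it only if its "by" host is the bouncing site's own MX."""
    original = quoted_original(bounce_text)
    hops = [RECEIVED_RE.match(" ".join(h.split()))
            for h in original.get_all("Received", [])]
    oldest = hops[-1]
    return {
        "claimed_domain": parseaddr(original["From"])[1].rsplit("@", 1)[1],
        "helo_name": oldest.group(1),     # spoofable; mimics the victim domain
        "injecting_ip": oldest.group(2),  # report this one to its operators
    }
```

The "claimed_domain" and "helo_name" both read twilightmd.com, yet neither was put there by the domain owner; only "injecting_ip" identifies a machine whose operator can be asked to act.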
(#11) alrac, 09-18-2003, 10:14 PM: Re: Joe-Jobbed

Quote:
Originally posted by Steven Shelton
I'm not sure how talking to my ISP will make any difference.

This is just in case your ISP gets complaints from people who are too lame to read mail headers, and blame you for the spam. And then gets you in trouble, if your ISP is lame and does not bother to investigate correctly.

It won't stop the bounces.
   
(#12) Steven Shelton, 09-18-2003, 10:28 PM: Re: Re: Joe-Jobbed

Quote:
Originally posted by alrac
This is just in case your ISP gets complaints from people who are too lame to read mail headers, and blame you for the spam. And then gets you in trouble, if your ISP is lame and does not bother to investigate correctly.

It won't stop the bounces.
Oh, I see what you're saying.

It's not my ISP email account that's being spoofed. (Heck, I don't even know what that account is, to be honest; I never use it.) It's my entire domain that's hosted here at Page-Zone. Random names with my domain name ("randomname@twilightmd.com").
   
(#13) atucsonwebdesig, 09-19-2003, 02:29 AM: Re: Re: Re: Joe-Jobbed

Quote:
Originally posted by Steven Shelton
Oh, I see what you're saying.

It's not my ISP email account that's being spoofed. (Heck, I don't even know what that account is, to be honest; I never use it.) It's my entire domain that's hosted here at Page-Zone. Random names with my domain name ("randomname@twilightmd.com").
That sucks.....

I was going to suggest you post something on your site, but I see you already did that.

At least it's as bad as what my ISP is getting. Their domain is http://www.gci-net.com/default.asp. Apparently their software uses gain.exe, so when people search for that on the Internet they find Gain Communications. A friend of mine who works there said they got hit with 300 emails in one week with complaints.

If it ain't email spammers, it's the software spammers.


Warm Regards,
Shawn Stoner
http://www.thewebsmart.com
Web Design and Hosting
(#14) alrac, 09-19-2003, 01:26 PM: Re: Re: Re: Joe-Jobbed

Quote:
Originally posted by Steven Shelton
Oh, I see what you're saying.

It's not my ISP email account that's being spoofed. (Heck, I don't even know what that account is, to be honest; I never use it.) It's my entire domain that's hosted here at Page-Zone. Random names with my domain name ("randomname@twilightmd.com").
Then tell Page-Zone; the point is that whoever your email service provider is needs to know.
   