Spam being sent using my email address

wheres me jumpa

Hey Guys,

I was reading here a few months back about a problem known as email injection. Not sure who it was but basically a form on somebodies website was been used to send spam. A simple few lines of code would solve the problem.

At the time I discovered that I was having this trouble on my brothers website and I actually removed the forms. This past week an inbox for the site in question has been recievieing failed delivery reports on emails being sent using its address. The report looks like this;

Hi. This is the qmail-send program at beryllium.3dpixelnet.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<jankoent@sprynet.com>:
207.69.200.17 does not like recipient.
Remote host said: 550 [email]jankoent@sprynet.com...User[/email] unknown
Giving up on 207.69.200.17.

--- Below this line is a copy of the message.

Return-Path: <paul@dalymotoring.com>
Received: (qmail 3206 invoked by uid 0); 9 Feb 2006 11:12:55 -0000
Date: 9 Feb 2006 11:12:55 -0000
Message-ID: <20060209111255.3205.qmail@beryllium.3dpixelnet.com>
From: paul@xxxxxxx.com
To: jankoent@sprynet.com
CC:
Subject: Re: For you and your women
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

The from field is my brothers email address. What exactly is happening here? Is the person trying to use this email address to send spam having success with only the occassional failure being sent back to my brother? How do I stop this?

misterq

you can't stop spam or virus mails faking the from address. Occasionally you might be unfortunate enough to be the from address, but most of the time they are non-existent.

It shouldn't be something you should lose too much sleep over unless they are actually originating from your brothers website or pc.

Bananna man

I have a similar problem. I am getting spam mails (about 200 a day now) addressed from my own website all with different names ahead of my domain name e.g. the@irishpokeronline.com

Is their anything i can do to sort this out or just hope it sorts itself out?

Thanks

wheres me jumpa

It seems they are using my brother's email address as the from field. Im not sure how many are being sent but there were ten failure reports in his inbox today.

mneylon

There's no simple solution to this, but turning off any "catch all" address you have on the domain can help mitigate the situation, as at least that way you won't get the bounces back on the invalid return path

wheres me jumpa

Cheers Blacknight.

How exactly are they doing this? Im curious to know the technique.

CuLT

It's easy enough to fake the From field, I occasionally get messages like that bounced back to my eircom email address. I probably posted it carelessly in a few places years back.

There's spam programs designed specifically to hammer email addresses "anonymously", you'd probably find them if you googled for them.
I tested one out by sending myself fifty mails with the From field as "god@heaven.com"

That said, it could just have easily been used to sent a load of password request emails to people with "support@microsoft.com" as the from field.

TimTim

If I understand correctly, why don't you add an SPF record to your domain?

Because if those emails are being sent from a mail server other then your own (or what you specified) then any SPF aware mailserver should drop them like a hot potato.

esskay

Want to send email from someone elses address, just look at this prog
http://www.freedownloadscenter.com/Email_Tools/Mail_Clients/Umail.html
This 500k freeware prog will let you enter the "from" address so you can send from any address. easy, isn't it......

wheres me jumpa

TimTim wrote:

If I understand correctly, why don't you add an SPF record to your domain?

Because if those emails are being sent from a mail server other then your own (or what you specified) then any SPF aware mailserver should drop them like a hot potato.

how do i do this?

seamus

esskay wrote:

Want to send email from someone elses address, just look at this prog
http://www.freedownloadscenter.com/Email_Tools/Mail_Clients/Umail.html
This 500k freeware prog will let you enter the "from" address so you can send from any address. easy, isn't it......

You can also do this in Outlook. Just set up another account with the email address you wish to spoof, and stick this address in the from field.

The main problem is that the bulk of domains don't have SPF records (mine don't ) and the bulk of SMTP servers don't use SMTP authentication. Even without these two things, it's a simple enough problem to sort, but there are a lot of people out there managing mail servers without a clue and/or hosting providers who don't care all that much.

The basic rundown of a conversation between a client and a mail server goes like this:

MS: I'm a mailserver.
Client: Hello, I'm client1
MS: Hi client1.
Client: I'd like to send a mail from joe.bloggs@company.com
MS: Okay.
Client: I'd like to send this mail to jane.doe@otherco.com
MS: Okay.
Client: I'll now tell you what I'm going to send
MS: Okay, fire away and let me know when you're done.
Client: <blahblahblahblah>
Client: I'm done.
MS: OK, thanks. Let me know if you want to send another.

This is the way that many transactions go. As you can see, there's zero attempt to make sure that the sender (or recipient) is valid.

There are a few general ways to prevent just anyone from inserting any data in the above transaction:
Modern mailservers will allow you to restrict the sending of mail depending on where the person is connecting from. Corporate mailservers, for example, can insist that a sender is only connected to their domain, otherwise reject the mail. They can also insist that the "from" field uses only @mydomain.com.

ISPs are a little more lax, as customers may want to send/receive mail from multiple accounts. They usually just insist that you are connected to their network. If you try to use the mail server to send mail while you are connected to a different ISP, you'll be told "Relaying Not Allowed for ..."

mneylon

TimTim wrote:

If I understand correctly, why don't you add an SPF record to your domain?

Because if those emails are being sent from a mail server other then your own (or what you specified) then any SPF aware mailserver should drop them like a hot potato.

The problem with SPF is that only a small number of domains are publishing SPF records and not that many tools are actively blocking SPF failures.

Sure - you could configure your own mail server to drop the SPF failures, but that wouldn't solve the issue of the bouncebacks ..

Arch-Stanton

Another nasty piece of work is Beijing Express, when the spammer sends his mail the “email address From” picks up the server address of the server the victims email account is hosted on.

It’s a pity that one of the best tools technology has to offer (email) is perverted by some.