Someone Used My Domains For SPAM


herme3

Somebody was using a few of the domains I have on GoDaddy.com to send phishing schemes, viruses, and other junk mail. The e-mail addresses that the SPAM was sent from aren’t even registered on my domains. I got all the returned mail because I have one inbox on each domain set up as a “catch all” account. A “catch all” account means anything sent to (anything)@(mydomain).com will be sent to that inbox. A strange thing is that they used domains that I normally don’t even use to send or receive mail. In fact, one of the domains that were used doesn’t even have a web site hosted on it. Here is a picture of an inbox on one of my domains:

[Image: spam.jpg]

It looks like the messages were sent out to a variety of e-mail addresses. They were sent from names like “NicoleCleveland@destinypoems.com” which is not a real e-mail address on that domain. The only reason I got the returned mail was because of the “catch all” feature. Here is one of the returned messages:

 

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  aanepco@server.ttcampus.com
    (generated from jabxog@aanep.com)
    retry timeout exceeded

------ This is a copy of the message, including all the headers. ------

Return-path: <JenniferBishop@destinypoems.com>
Received: from [24.217.210.221] (helo=destinypoems.com)
    by server.ttcampus.com with smtp (Exim 4.52)
    id 1FMvP2-0007gO-2d
    for jabxog@aanep.com; Fri, 24 Mar 2006 20:09:14 -0300
Message-ID: <14B4B6EF.6EB0E8C@destinypoems.com>
Date: Sat, 25 Mar 2006 04:27:58 +0400
Reply-To: "Cathy Klein" <JenniferBishop@destinypoems.com>
From: "Cathy Klein" <JenniferBishop@destinypoems.com>
X-Accept-Language: en-us
MIME-Version: 1.0
To: <jabxog@aanep.com>
Subject: News from DLsoft: new Mac's products added
Content-Type: multipart/related;
    boundary="------------640781030521240585750166"

--------------640781030521240585750166
Content-Type: text/html;
    charset="us-ascii"
Content-Transfer-Encoding: 8bit

 

 

<html>

<head>

<title>jryrttcduy</title>

</head>

<body>

<p align="left"><font face="Arial" size="1"><em>(Mailing list information,

including

unsubscription instructions, is located at the end of this

message.)</em></font></p>

<table style="border: 1px groove orange;" align="left" bgcolor="#fcfcfc"

cellpadding="0" cellspacing="0" width="635" height="322">

<tr>

<td bgcolor="#a7c201" height="58" width="633">

<p align="left"><font face="Arial" size="2">

<img src="cid:09278CD0.FE48FCC@destinypoems.com" alt border="0"

width="229" height="91">

</font></p>

</td>

</tr>

<tr>

<td bgcolor="#FFFFFF" style="padding-left: 5px; padding-top: 5px;

padding-right: 5px;" height="218" width="623">

<p align="left"><font face="Arial" size="2"><span class="style38">

<font class="blue1" style2><strong>Dear members and friends of DLsoft

Team</strong>,</font><span class="style11"><br>

</span><font color="#6c3306"><br />

</font><span class="style11">* <strong><em>Our products'

list</em></strong>

has been recently <strong><em>updated</em></strong>. <strong><em>More

products

</em></strong>for Mac were <strong><em>added</em></strong>

.</span></span><span class="style4">.</span><span class="style38"><br />

<span class="style11">Are you interested ? Then click on

</span><strong><em>

<a href="http://SPRINGBREAKSOFT.COM/det43.html">More details

</a></em></strong>

link. <br />

<br />

<strong align="left"><em><a

href="http://SPRINGBREAKSOFT.COM/det43.html">Click

here for more specials ...</a></em></strong><br />

Your cooperation will be met with a great gratitude and appreciation,

and we'll

be glad to create more special offers for you in the future. <br />

<br />

</span></font></p>

<p class="style38" align="left"><font face="Arial" size="2">Sincerely

yours,

DLsoft Team. <font class="orange"> </font></font></p>

</td>

</tr>

<tr>

<td height="46" align="center" bgcolor="#a7c201" style="padding-left:

5px; padding-top: 9px; padding-right: 5px;" width="623">

<p class="style9" align="left"><font face="Arial" size="2">

<span class="style38"><font class="white">© 2006, DLsoft PTE. All

rights

reserved.</font> All logos, trademarks, etc. are property of their

respectful

owners.</span></font></p>

</td>

</tr>

</table>

<p align="left"> </p>

<p align="left"> </p>

<p align="left"> </p>

<p align="left"> </p>

<p align="left"> </p>

<p align="left"> </p>

<p align="left"> </p>

<p align="left"> </p>

<p align="left"> </p>

<p align="left"> </p>

<p align="left"><font face="Arial" size="2">The following information

is a reminder

of your current mailing list subscription: </font></p>

<p align="left"><font face="Arial" size="2">You are subscribed to the

following

list: </font></p>

<p align="left"><strong><font face="Arial"

size="2">DLsoft</font></strong><font face="Arial" size="2"><strong>

customers Weekly specials</strong></font></p>

<p align="left"><font face="Arial" size="2">using the following

email:</font></p>

<p align="left"><strong><font face="Arial" size="2">support @ softbydl

com</font></strong></p>

<p align="left"><font face="Arial" size="2">You may automatically

unsubscribe

from this list at any time by visiting the following URL:</font></p>

<p align="left"><font face="Arial" size="2">

<a href="http://SPRINGBREAKSOFT.COM/cgi-bin/members/unsubscribe.cgi/?rk'>http://SPRINGBREAKSOFT.COM/cgi-bin/members/unsubscribe.cgi/?rk

miiraoacjravytj">http://SPRINGBREAKSOFT.COM/cgi-bin/members/unsubscribe.cgi/

?quatnkksrdbwefwqxxswilbe

</a></font></p>

<p align="left"><font face="Arial" size="2">If the above URL is

inoperable,

make sure that you have copied the entire address.<br> Some mail

readers will

wrap a long URL and thus break this automatic unsubscribe

mechanism.</font></p>

<p align="left"><font face="Arial" size="2">You may also change your

subscription

by visiting this list's main screen:</font></p>

<p align="left"><font face="Arial" size="2">

<a href="http://SPRINGBREAKSOFT.COM/cgi-bin/members/change.cgi/?rcglaxf

euaqsxtrttng">http://SPRINGBREAKSOFT.COM/cgi-bin/members/change.cgi/?djgdaky

wutlvfaswucggvg

</a></font></p>

<p align="left"><font face="Arial" size="2">If you're still having

trouble,

please contact the list owner at:</font></p>

<p align="left"><font face="Arial" size="2">

support @ softbydl . com </font></p>

<p align="left"><font face="Arial" size="2">The following physical

address is

associated with this mailing list:</font></p>

<p align="left"><font face="Arial" size="2">DLsoft, P.O. Box 5009

Pirae<br>

Tahiti FP</font></p>

</body>

</html>

 

Can anybody give me any more information about this? Why and how did they use my domains? Should I do anything about this if it happens again?

Link to comment
Share on other sites

Ok, thank you. I e-mailed them, and I'll let you know what they say. I also had this problem with my Yahoo account. How do people decide what e-mail addresses or domains to use when they send SPAM? Does this happen to most people who own domains, or is there any reason why they could have picked my domains? Is there anything I can do to discourage people from using my e-mail addresses and domains? Do I need to worry about e-mail services putting my domains on blacklists because SPAM is coming from them?

Link to comment
Share on other sites

Yeah, the odd thing is most SMTP servers (outgoing mail) don't have much or any filtering - in fact I've experimented with this a little, it is possible to send mail through my SMTP provider acting as if it came from any address I like, which struck me as a little odd but status quo I'm afraid.

- I'm sure klaynos will inform you he pointed this out to me, as he seems to have developed a habit of doing that :D

Link to comment
Share on other sites

Thanks bludsmudge...

 

There is no real way of stopping this. Some mail servers are set up so that when they receive an email they check with the server which deals with that domain whether that account really exists.

 

SMTP is a relatively open network; because the servers deal with email from lots of different email addresses from all different places, they can't really check that the email that has been sent to them has come from a legitimate place. For example I send email from home via my ISP's SMTP server from my domains, some other private email addresses and my university one. If I couldn't do this, for every email I'd send I'd have to connect and authenticate to a different server for different addresses, which would be deeply annoying.

 

A tip:

 

If you look at the line: Received: from [24.217.210.221] (helo=destinypoems.com)

 

This shows that the email came from the IP address listed which claimed to be destinypoems.com

 

If you resolve the IP address you can see that it does not tie up with that domain, so it didn't come from your server. Some mail servers do this kind of lookup as a matter of course and you would see a slightly different line showing the proper resolved host as well...

Link to comment
Share on other sites
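The header check from the tip above, written out as an added example that is not part of the original thread: it reads the copied headers inside a bounce, takes the connecting IP and HELO name from the topmost Received line, and compares them with the addresses your own mail leaves from. The function name `analyse_bounce` and the outbound address `192.0.2.25` are assumptions (a placeholder, not a value from the posts); the header text is taken from the returned message in the first post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header block of the returned message from the first post (folding restored).
BOUNCED_HEADERS = (
    "Return-path: <JenniferBishop@destinypoems.com>\n"
    "Received: from [24.217.210.221] (helo=destinypoems.com)\n"
    "\tby server.ttcampus.com with smtp (Exim 4.52)\n"
    "\tid 1FMvP2-0007gO-2d\n"
    "\tfor jabxog@aanep.com; Fri, 24 Mar 2006 20:09:14 -0300\n"
    "From: \"Cathy Klein\" <JenniferBishop@destinypoems.com>\n"
    "To: <jabxog@aanep.com>\n"
)

MY_DOMAINS = {"destinypoems.com"}
# Assumption: placeholder for the addresses your own outgoing mail leaves from.
MY_OUTBOUND_IPS = {"192.0.2.25"}


def analyse_bounce(headers, my_domains=MY_DOMAINS, my_ips=MY_OUTBOUND_IPS):
    """Classify the copied message inside a bounce as forged, ours or unrelated."""
    msg = message_from_string(headers)
    # Only the topmost Received line was written by the server that bounced the
    # mail; anything below it was supplied by the sender and can be made up.
    received = (msg.get_all("Received") or [""])[0]
    ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", received)
    helo = re.search(r"helo=([^\s)]+)", received)
    # A name before the bracketed IP is a host the receiving server resolved itself.
    rdns = re.match(r"from\s+([^\s\[(]+)", received)
    sender = parseaddr(msg.get("Return-path", ""))[1]
    domain = sender.rpartition("@")[2].lower()
    info = {
        "ip": ip.group(1) if ip else None,
        "helo": helo.group(1) if helo else None,
        "rdns": rdns.group(1) if rdns else None,
        "sender_domain": domain,
    }
    if domain not in my_domains:
        info["verdict"] = "unrelated"
    elif info["ip"] in my_ips:
        info["verdict"] = "ours"      # really left our server: investigate it
    else:
        info["verdict"] = "forged"    # our name, somebody else's machine
    return info


if __name__ == "__main__":
    print(analyse_bounce(BOUNCED_HEADERS))
```

A "forged" verdict on every message in the catch-all inbox matches what the thread describes: the domain name was borrowed, but the mail never passed through the owner's servers.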

My Gramps gets emails which look just like that. I wasn't at his place for long but ran some virus scans and tried to get some meaningful IPs from the emails... the computer was clean and I couldn't do anything with the email headers.

 

There's this guy that he knows who might be able to fix it, maybe, if he does I'll have to ask him what he did to fix it. Otherwise there doesn't really seem to be a solution.

Link to comment
Share on other sites
