herme3 Posted April 25, 2006
Somebody was using a few of the domains I have on GoDaddy.com to send phishing schemes, viruses, and other junk mail. The e-mail addresses that the SPAM was sent from aren’t even registered on my domains. I got all the returned mail because I have one inbox on each domain set up as a “catch all” account. A “catch all” account means anything sent to (anything)@(mydomain).com will be sent to that inbox. A strange thing is that they used domains that I normally don’t even use to send or receive mail. In fact, one of the domains that were used doesn’t even have a web site hosted on it.

Here is a picture of an inbox on one of my domains:

It looks like the messages were sent out to a variety of e-mail addresses. They were sent from names like “NicoleCleveland@destinypoems.com” which is not a real e-mail address on that domain. The only reason I got the returned mail was because of the “catch all” feature. Here is one of the returned messages:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

aanepco@server.ttcampus.com
(generated from jabxog@aanep.com)
retry timeout exceeded

------ This is a copy of the message, including all the headers.
------

Return-path: <JenniferBishop@destinypoems.com>
Received: from [24.217.210.221] (helo=destinypoems.com)
    by server.ttcampus.com with smtp (Exim 4.52)
    id 1FMvP2-0007gO-2d
    for jabxog@aanep.com; Fri, 24 Mar 2006 20:09:14 -0300
Message-ID: <14B4B6EF.6EB0E8C@destinypoems.com>
Date: Sat, 25 Mar 2006 04:27:58 +0400
Reply-To: "Cathy Klein" <JenniferBishop@destinypoems.com>
From: "Cathy Klein" <JenniferBishop@destinypoems.com>
X-Accept-Language: en-us
MIME-Version: 1.0
To: <jabxog@aanep.com>
Subject: News from DLsoft: new Mac's products added
Content-Type: multipart/related; boundary="------------640781030521240585750166"

--------------640781030521240585750166
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 8bit

<html> <head> <title>jryrttcduy</title> </head> <body> <p align="left"><font face="Arial" size="1"><em>(Mailing list information, including unsubscription instructions, is located at the end of this message.)</em></font></p> <table style="border: 1px groove orange;" align="left" bgcolor="#fcfcfc" cellpadding="0" cellspacing="0" width="635" height="322"> <tr> <td bgcolor="#a7c201" height="58" width="633"> <p align="left"><font face="Arial" size="2"> <img src="cid:09278CD0.FE48FCC@destinypoems.com" alt border="0" width="229" height="91"> </font></p> </td> </tr> <tr> <td bgcolor="#FFFFFF" style="padding-left: 5px; padding-top: 5px; padding-right: 5px;" height="218" width="623"> <p align="left"><font face="Arial" size="2"><span class="style38"> <font class="blue1" style2><strong>Dear members and friends of DLsoft Team</strong>,</font><span class="style11"><br> </span><font color="#6c3306"><br /> </font><span class="style11">* <strong><em>Our products' list</em></strong> has been recently <strong><em>updated</em></strong>. <strong><em>More products </em></strong>for Mac were <strong><em>added</em></strong> .</span></span><span class="style4">.</span><span class="style38"><br /> <span class="style11">Are you interested ? 
Then click on </span><strong><em> <a href="http://SPRINGBREAKSOFT.COM/det43.html">More details </a></em></strong> link. <br /> <br /> <strong align="left"><em><a href="http://SPRINGBREAKSOFT.COM/det43.html">Click here for more specials ...</a></em></strong><br /> Your cooperation will be met with a great gratitude and appreciation, and we'll be glad to create more special offers for you in the future. <br /> <br /> </span></font></p> <p class="style38" align="left"><font face="Arial" size="2">Sincerely yours, DLsoft Team. <font class="orange"> </font></font></p> </td> </tr> <tr> <td height="46" align="center" bgcolor="#a7c201" style="padding-left: 5px; padding-top: 9px; padding-right: 5px;" width="623"> <p class="style9" align="left"><font face="Arial" size="2"> <span class="style38"><font class="white">© 2006, DLsoft PTE. All rights reserved.</font> All logos, trademarks, etc. are property of their respectful owners.</span></font></p> </td> </tr> </table> <p align="left"> </p> <p align="left"> </p> <p align="left"> </p> <p align="left"> </p> <p align="left"> </p> <p align="left"> </p> <p align="left"> </p> <p align="left"> </p> <p align="left"> </p> <p align="left"> </p> <p align="left"><font face="Arial" size="2">The following information is a reminder of your current mailing list subscription: </font></p> <p align="left"><font face="Arial" size="2">You are subscribed to the following list: </font></p> <p align="left"><strong><font face="Arial" size="2">DLsoft</font></strong><font face="Arial" size="2"><strong> customers Weekly specials</strong></font></p> <p align="left"><font face="Arial" size="2">using the following email:</font></p> <p align="left"><strong><font face="Arial" size="2">support @ softbydl com</font></strong></p> <p align="left"><font face="Arial" size="2">You may automatically unsubscribe from this list at any time by visiting the following URL:</font></p> <p align="left"><font face="Arial" size="2"> <a 
href="http://SPRINGBREAKSOFT.COM/cgi-bin/members/unsubscribe.cgi/?rk'>http://SPRINGBREAKSOFT.COM/cgi-bin/members/unsubscribe.cgi/?rk miiraoacjravytj">http://SPRINGBREAKSOFT.COM/cgi-bin/members/unsubscribe.cgi/ ?quatnkksrdbwefwqxxswilbe </a></font></p> <p align="left"><font face="Arial" size="2">If the above URL is inoperable, make sure that you have copied the entire address.<br> Some mail readers will wrap a long URL and thus break this automatic unsubscribe mechanism.</font></p> <p align="left"><font face="Arial" size="2">You may also change your subscription by visiting this list's main screen:</font></p> <p align="left"><font face="Arial" size="2"> <a href="http://SPRINGBREAKSOFT.COM/cgi-bin/members/change.cgi/?rcglaxf euaqsxtrttng">http://SPRINGBREAKSOFT.COM/cgi-bin/members/change.cgi/?djgdaky wutlvfaswucggvg </a></font></p> <p align="left"><font face="Arial" size="2">If you're still having trouble, please contact the list owner at:</font></p> <p align="left"><font face="Arial" size="2"> support @ softbydl . com </font></p> <p align="left"><font face="Arial" size="2">The following physical address is associated with this mailing list:</font></p> <p align="left"><font face="Arial" size="2">DLsoft, P.O. Box 5009 Pirae<br> Tahiti FP</font></p> </body> </html>

Can anybody give me any more information about this? Why and how did they use my domains? Should I do anything about this if it happens again?
Cap'n Refsmmat Posted April 25, 2006
I'm guessing that either they're spoofing the email address to make it look like it came from you, or you've got something on your server you shouldn't. Ask your host to check the logs from your account to see if you've actually been sending spam.
herme3 (Author) Posted April 25, 2006
Ok, thank you. I e-mailed them, and I'll let you know what they say. I also had this problem with my Yahoo account. How do people decide what e-mail addresses or domains to use when they send SPAM? Does this happen to most people who own domains, or is there any reason why they could have picked my domains? Is there anything I can do to discourage people from using my e-mail addresses and domains? Do I need to worry about e-mail services putting my domains on blacklists because SPAM is coming from them?
Cap'n Refsmmat Posted April 25, 2006
I've had it happen to one of my domains before. It's just a simple trick, so they probably look randomly through a whois database and pick domains.
bluesmudge Posted April 25, 2006
Yeah, the odd thing is most SMTP servers (outgoing mail) don't have much or any filtering - in fact I've experimented with this a little, it is possible to send mail through my SMTP provider acting as if it came from any address I like, which struck me as a little odd, but status quo I'm afraid. - I'm sure Klaynos will inform you he pointed this out to me, as he seems to have developed a habit of doing that
Klaynos Posted April 25, 2006
Thanks bluesmudge...

There is no real way of stopping this. Some mail servers are set up so that when they receive an email they check with the server which deals with that domain whether that account really exists. SMTP is a relatively open network; because the servers deal with email from lots of different email addresses from all different places, they can't really check that the email that has been sent to them has come from a legitimate place. For example I send email from home via my ISP's SMTP server from my domains, some other private email addresses and my university one. If I couldn't do this, for every email I'd send I'd have to connect and authenticate to a different server for different addresses, which would be deeply annoying.

A tip: If you look at the line:

Received: from [24.217.210.221] (helo=destinypoems.com)

This shows that the email came from the IP address listed, which claimed to be destinypoems.com. If you resolve the IP address you can see that it does not tie up with that domain, so it didn't come from your server. Some mail servers do this kind of lookup as a matter of course and you would see a slightly different line showing the proper resolved host as well...
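The check described in the tip above, as an added example that is not part of the original thread: it reads the topmost Received line of the returned message and compares the connecting IP with the networks the domain owner really sends mail from, instead of doing a live DNS lookup. The function name, the verdict strings and the 192.0.2.0/24 placeholder network are assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# A subset of the headers from the returned message quoted in the first post.
BOUNCED_HEADERS = (
    "Return-path: <JenniferBishop@destinypoems.com>\n"
    "Received: from [24.217.210.221] (helo=destinypoems.com)\n"
    "\tby server.ttcampus.com with smtp (Exim 4.52) id 1FMvP2-0007gO-2d\n"
    "\tfor jabxog@aanep.com; Fri, 24 Mar 2006 20:09:14 -0300\n"
    'From: "Cathy Klein" <JenniferBishop@destinypoems.com>\n'
    "To: <jabxog@aanep.com>\n\n"
)

# Exim trace forms: "from [IP] (helo=NAME)" when reverse DNS gave no verified
# name, and "from HOST ([IP] helo=NAME)" when it did.
TRACE_RE = re.compile(
    r"from\s+(?:(?P<rdns>[A-Za-z0-9.-]+)\s+\()?\[(?P<ip>[0-9A-Fa-f:.]+)\]"
    r"(?:[^)]*?helo=(?P<helo>[^\s)]+))?"
)


def check_origin(raw_headers, my_mail_networks):
    """Compare the connecting IP in the top Received line with our own servers."""
    msg = message_from_string(raw_headers)
    received = msg.get_all("Received") or []
    # The topmost Received line was written by the server that accepted the
    # connection; anything below it was supplied by the sender and can be forged.
    match = TRACE_RE.search(received[0]) if received else None
    if match is None:
        return {"verdict": "no-usable-trace"}
    ip = ipaddress.ip_address(match["ip"])
    envelope_domain = parseaddr(msg.get("Return-path", ""))[1].rpartition("@")[2]
    ours = any(ip in ipaddress.ip_network(net) for net in my_mail_networks)
    return {
        "ip": str(ip),
        "helo": (match["helo"] or "").lower(),  # name the client claimed
        "rdns": match["rdns"],                  # verified host name, if recorded
        "envelope_domain": envelope_domain.lower(),
        # An IP outside our networks means the domain name was only claimed.
        "verdict": "sent-from-own-server" if ours else "sent-from-elsewhere",
    }


if __name__ == "__main__":
    # 192.0.2.0/24 is a placeholder for the domain owner's real mail servers.
    print(check_origin(BOUNCED_HEADERS, ["192.0.2.0/24"]))
```

A "sent-from-own-server" verdict is the case worth taking to the host, since it means the mail really left a machine on the owner's network.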
5614 Posted April 25, 2006
My Gramps gets emails which look just like that. I wasn't at his place for long but ran some virus scans and tried to get some meaningful IPs from the emails... the computer was clean and I couldn't do anything with the email headers. There's this guy that he knows who might be able to fix it, maybe; if he does, I'll have to ask him what he did to fix it. Otherwise there doesn't really seem to be a solution.