The Old Joel on Software Forum: Part 4 (of 5) - New spam method: random usernames@domain!

New spam method: random usernames@domain!

I have a custom domain that I use for 99% of my email. My POP server gets anything addressed to that domain, and I "create" new addresses ad hoc in order to encapsulate email addresses needed for web registrations. IE: my New York Times registration is nytimes@myname.com. I must have created a few hundred of these over the years.

Part of my antispam strategy has been to "mothball" usernames on that domain that have gotten too SPAMmy. IE, email addreses that I posted on web sites or used in newgroup messages. So, I have a black hole for those addresses.

The point is, any username@domain not in my "blacklist" gets through. Until now.

What I am observing in the last week or so is that I am getting MAJOR amounts of spam directed to randomly selected usernames on my domain, hundreds in one day. These are user names that I have never used at any time. Some look like first names, others are just random combinations of characters. I have checked message headers and it does not look like any known addresses are being used.

I am on jaguarpc.com (web host) and they have an implementation of SPAMassasin. I enabled it after getting about 200 messages in one afternoon like this. I also enabled the "SPAM inbox" feature to see what I was getting. It is phenomenal, the sheer volume of spam I am getting. Spamassasin is, for now, detecting every such email.

This is a new attack I have never gotten before. It almost looks like my user name is being treated like an ISP's domain name, with a user base. I am coping, but lacking spamassasin, I would be "immobilized".

Bored Bystander
Friday, May 7, 2004

You've explained it at the end. Somebody or something has decided that your domain is like an ISP's and they are doing a dictionary attack. These have been going on for the last eitghteen months or so, and all that has happened is that somebody or something is trying it on you.

Stephen Jones
Friday, May 7, 2004

I wonder if the tar pit scheme could slow this down. If the SMTP server incounters an email address it doesn't know about, it starts dribbling just enough data to keep the connection alive, hence slowing the sending server.

The problem is relays. Ahh screw it. If someone is relaying spam, they get what they deserve.

christopher baus (www.baus.net)
Friday, May 7, 2004

Thats one of the reasons I only allow mail sent to specific addresses at my domain. For new sites that need email I use the format myemail-modifier@example.org.

Though I think that some spammers have been stripping off that -modifier.

Also it means that I don't get all of the bounces or replies when someone uses my domain and sends out spam as "sales@example.org" or some other fake address. Its happened a couple times so far.

Andrew Hurst
Friday, May 7, 2004

I too had a "catch-all" on my domain until a month a go I started getting huge amounts of spam due to spammers guessing names at my domain. Once I only allowed a limited number of email addresses it dropped significantly.

I would also recommend not using a common first name at your domain, like matthew@yourdomain (like I do!) Many spammers will get you by just trying every first name @yourdomain.

Matthew Lock
Friday, May 7, 2004

I too am a victim of this sort of attack. In my case, there is one slight difference, but with VERY serious implications.

Random usernames@mydomain are being spoofed into the FROM headers of outbound spam targetting hundreds of recipients...and here's the kicker... They are then being routed through entirely different smtp servers (apparently open relays).

Result: I get hundreds of bounce notifications from invalid recipients and/or rejected email, supposedly FROM non-existent users under my domain.

I've totally disabled all smtp service on my mail server (months ago actually), but the spam-bounces just keep pouring in.. I'm sure it's only a matter of time before my domain is blacklisted and therefore useless to me for any outbound email purposes.

Just a note of warning to you folks, and a plea for help if anyone knows how to combat this sort of spoof/spam/domain hijacking.

Thanks.

Elden
Wednesday, June 9, 2004