Author Topic: Someone may be maliciously using my domain name  (Read 13132 times)

nite_monkey

Someone may be maliciously using my domain name
« on: June 29, 2012, 12:44 PM »
Recently I have been getting returned mail delivery errors stating that "somerandomname(at)mydomainnamehere(dot)com" could not be delivered, because the recipient doesn't exist. I know for a fact that this is not my doing, because I use, and am the admin of the google apps account that creates email accounts for my domain name, and none of the accounts that are sending these emails are real. So I am guessing someone is spoofing their email address and using my domain name to do it. I looked at the returned mail email error, and it said the email was mailed-by host102(dot)host102-server(dot)com.

There was a file attached to the error message that apparently gives me more information on the person who is doing it. Their name is apparently Phoebe Henry, and the reply to address is Annette Thompson.

I won't attach the file here, because it has this Annette person's email in it. If someone wants me to though, I can remove their email, and then attach the file here.

Any help on how to put an end to this would be much appreciated. I don't want this person/people to send an email to a real person, and have me take the blame for it.
[Insert really cool signature here]

mouser

Re: Someone may be maliciously using my domain name
« Reply #1 on: June 29, 2012, 12:49 PM »
My understanding is that you are completely out of luck and that there is no way to prevent people from doing this stuff.  People do it and pretend to be mailing from @donationcoder.com accounts all the time.  It's extremely frustrating.

I hope I am wrong -- looking forward to what the experts here say.

nite_monkey

Re: Someone may be maliciously using my domain name
« Reply #2 on: June 29, 2012, 12:51 PM »
That kind of sucks to hear, but I was almost expecting that.
[Insert really cool signature here]

wraith808

Re: Someone may be maliciously using my domain name
« Reply #3 on: June 29, 2012, 12:52 PM »
I had the same problem, and found out through my trials that there's not really any way to stop them.  They put bogus reply addresses (in many cases, they use an account on your server) so that they can get past some spam checks that don't use something akin to the Sender Policy Framework check to make sure it's actually from that domain.  It can also get your domain blacklisted.  This was several years ago that I had this problem, so I'm not sure if something better has come along in the meantime.

rgdot

Re: Someone may be maliciously using my domain name
« Reply #4 on: June 29, 2012, 12:53 PM »
I don't believe anything can be done; even if you do find a way, the next spammer will arrive sooner or later.

nite_monkey

Re: Someone may be maliciously using my domain name
« Reply #5 on: June 29, 2012, 01:12 PM »
Guess I'm SOL then. Just one of the many perks of owning your own domain name. ;D

Edit: wow, I just checked my spam folder, and found 7 more... :o
[Insert really cool signature here]

SoldierByte

Re: Someone may be maliciously using my domain name
« Reply #6 on: June 29, 2012, 08:09 PM »
Guess I'm SOL then. Just one of the many perks of owning your own domain name. ;D

Edit: wow, I just checked my spam folder, and found 7 more... :o
Nite-Monkey,
What the others say is the sad truth..
about ten years ago I suffered the exact same thing on both
of my domains..
At times I was getting over 600 returned emails a day..!!
I was able to trace my culprit to Nigeria..
Everything I did failed..
After seven weeks I figured I'd risk trouble and
regain my sites or disband them..
A virus the offender received solved my frustrations..
I have now embedded a small " present/gift " within everything
upon my domains so were a pic, gif, sentence, word, etc.
copied FROM said domains and then pasted,
the thief would be rather upset...
This DOES not stop automated scans and crawlers
( or humans ) that just choose domain names at random..
In that case I still have found no way to stop this issue as
most POP type accounts and their security work more
or less on an " honor code " type of system..
I normally would have refrained from posting
since my coding seems to offend " some " here.....
But I wanted to at least give you some encouragement
that you are not alone, and the problem IS a common one..
But what has happened to you will usually not last more
than a few months until " whomever " moves on to the
next account/domain name....
Because they are NOT actually utilizing YOUR account/servers/SMTP
but in effect just using your name " pasted over " their real stuff.
So changing your account is null and in vain.
And the risk of having your domain (s) blacklisted is very real..
( one of mine WAS )
Wish I had a solution, but afraid I do not..
Be advised the creeps ALSO utilize private email too..
They will grab a valid ID like abc123  @ say example Yahoo/Google etc..
and use that too..
The problem IS frustrating, and ALL the governments are fully aware
of this issue....
My advice is stay strong, don't do anything crazy, and CONTINUALLY
monitor your email as you might find something in there to lead you
to the perpetrator..
If there is anything "good" about this...
Knowing you were NOT personally targeted,
but simply a random victim is about your only consolation ..
I wish you luck my friend..

Renegade

Re: Someone may be maliciously using my domain name
« Reply #7 on: June 29, 2012, 09:12 PM »
It's called a "joe job".

But you aren't totally powerless...

I had the same problem, and found out through my trials that there's not really any way to stop them.  They put bogus reply addresses (in many cases, they use an account on your server) so that they can get past some spam checks that don't use something akin to the Sender Policy Framework check to make sure it's actually from that domain.  It can also get your domain blacklisted.  This was several years ago that I had this problem, so I'm not sure if something better has come along in the meantime.

808 is on the right track there. SPF can help you out.

Part of the benefit of SPF is that while you cannot stop someone from doing joe jobs, you *CAN* setup your DNS records with SPF to explicitly state which email servers are permitted to send mail for the domain.

That means that if you wanted to, you could list "mail.donationcoder.com" as a legitimate email sender for your domain, and mouser could then email on your behalf, or let you send email through his email server.

The net effect there is that when someone does a DNS lookup for the SPF record, they can verify that the domain name or IP address is legitimate for email, and then either allow a connection or deny the connection (or allow/disallow email).

This is very important, because it then makes it clear that joe jobs are spam, and that they should be rejected. It also lets people know that they shouldn't blacklist your domain because of a joe job, as you have already explicitly stated that the joe job email server is NOT legitimate.

So, SPF does give you a certain degree of power by letting you state who is and isn't a legitimate email sender. (You still can't stop the joe job, but you CAN say that it is spam.)
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker
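
The SPF lookup described in the post above, as an added example that is not part of the original thread: a receiver-side check of a connecting IP against a domain's published policy. The `ZONE` records, the `example.com` and `mailhost.example` names and the address ranges are constructed placeholders, `check_spf` is a hypothetical helper, and only the `ip4`, `ip6`, `include` and `all` mechanisms are covered because the others need live DNS.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records: example.com and mailhost.example are placeholders and
# the address ranges are documentation ranges, not real mail servers.
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8:25::/48 ~all",
}

def check_spf(domain, client_ip, zone=ZONE, depth=0):
    """Return the SPF result for client_ip claiming to send mail for domain."""
    record = zone.get(domain)
    if record is None:
        return "none"                       # domain publishes no SPF policy
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1" or depth > 10:
        return "permerror"                  # malformed record or include loop
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:                  # mechanisms are tested left to right
        if "=" in term:                     # modifiers (redirect=, exp=) are not followed here
            continue
        qualifier = QUALIFIERS.get(term[0])
        mech = term[1:] if qualifier else term
        result = qualifier or "pass"        # a bare mechanism means "+"
        name, _, arg = mech.partition(":")
        if name.lower() == "all":
            return result
        if name.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return result
        elif name.lower() == "include":
            sub = check_spf(arg, client_ip, zone, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"          # a broken include invalidates the policy
            if sub == "pass":               # include matches only when the inner policy passes
                return result
        else:
            raise NotImplementedError(f"{name} needs live DNS; not covered by this sketch")
    return "neutral"                        # nothing matched and no "all" term
```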

nite_monkey

Re: Someone may be maliciously using my domain name
« Reply #8 on: June 30, 2012, 12:01 AM »
I've set up a Gmail label in my account, so now whenever I see one of the return to sender emails, I just add it to the label so that later I can go back and examine it.
[Insert really cool signature here]

SeraphimLabs

Re: Someone may be maliciously using my domain name
« Reply #9 on: June 30, 2012, 03:27 AM »
SPF records can help.

You can also note the IPs of the server that the mail originated from and contact the abuse address of that server to report that it is generating spam.

Although not always successful, in many cases spam is generated by abusive clients on web hosting services. Reporting the spam to the owner of the originating server can sometimes get the spam-generating site shut down, at least providing a break in the flood before they set up a replacement spam generator.

Stoic Joker

Re: Someone may be maliciously using my domain name
« Reply #10 on: July 01, 2012, 09:01 AM »
Recently I have been getting returned mail delivery errors stating that "somerandomname(at)mydomainnamehere(dot)com" could not be delivered, because the recipient doesn't exist.

Critical point that appears to be getting missed here is a little something called NDR (Non Delivery Report) Spam. The point of which is twofold. Back before Mail Admins made a practice of throttling back on the events that warranted an NDR, malicious types would send mail to a server that was intentionally addressed wrong, just to force the mail server to crash itself with a flood of (self generated) NDRs.

On the flip side, the practice is still used to bypass (server level) spam filters by tricking the server into delivering the mail to the target by way of a delivery failure notice. e.g. the phony from address (you) is actually the intended target...the to address is intentionally invalid which forces the server to "return" it to the (now intended) target.

This is why I severely limit the NDR reports that are allowed by our mail server.

One thing to try is to send an Email to an invalid address to see what your mail server's NDRs are supposed to look like. As it's entirely possible (they won't match) that the mail is getting (bank shotted) bounced a few times before it gets to you.
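
Reading a bounce the way the two posts above suggest (note the originating IP, and look at what the NDR actually contains), as an added example that is not part of the original thread. The bounce text, hostnames, addresses and the `OUR_OUTBOUND` range are constructed placeholders, and `triage_ndr` is a hypothetical helper.

```python
import email
import ipaddress
import re
from email import policy

# Assumption: the networks your real outbound mail leaves from (documentation range).
OUR_OUTBOUND = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed bounce (multipart/report); every host, address and IP is a placeholder.
SAMPLE_NDR = """\
From: MAILER-DAEMON@mx.recipient.example
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.recipient.example

Final-Recipient: rfc822; nobody@recipient.example

--b1
Content-Type: message/rfc822

Received: from host.sender.example ([203.0.113.45]) by mx.recipient.example; Fri, 29 Jun 2012 12:00:00 -0400
Received: from mail.example.com ([192.0.2.9]) by host.sender.example
From: randomname@example.com

body
--b1--
"""

def triage_ndr(raw, our_nets=OUR_OUTBOUND):
    """Return (bouncing_mta, submitting_ip, came_from_us) for one bounce."""
    msg = email.message_from_string(raw, policy=policy.default)
    mta, received = None, []
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            for block in part.get_payload():          # one header block per DSN section
                if block.get("Reporting-MTA"):
                    mta = str(block["Reporting-MTA"]).split(";")[-1].strip()
        elif part.get_content_type() == "message/rfc822":
            received = part.get_payload(0).get_all("Received", [])
    for hop in map(str, received):
        # Trust only the hop stamped by the bouncing server; lines below it can be forged.
        m = re.search(r"\[([0-9A-Fa-f:.]+)\]", hop)
        if mta and m and f"by {mta}" in hop:
            ip = ipaddress.ip_address(m.group(1))
            return mta, str(ip), any(ip in net for net in our_nets)
    return mta, None, None
```

In the sample the lower `Received` line claims one of our own addresses, but the hop recorded by the bouncing server shows the message arrived from 203.0.113.45, which is the address to include in an abuse report.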

nite_monkey

Re: Someone may be maliciously using my domain name
« Reply #11 on: July 05, 2012, 02:04 AM »
One thing to try is to send an Email to an invalid address to see what your mail server's NDRs are supposed to look like. As it's entirely possible (they won't match) that the mail is getting (bank shotted) bounced a few times before it gets to you.
I use google apps for my mail server.

I think I will set up an SPF record for my domain name. Hopefully that will help a little in some way.

Edit: well, it appears I already have an SPF record set up. (I don't manage the DNS for my domain, someone else does. They may have set it up.)
I also decided that I will just disable my catchall setting on my google apps account, and actually create email aliases instead of using the catchall as an alias.
[Insert really cool signature here]
« Last Edit: July 05, 2012, 03:12 AM by nite_monkey »