Previously on "Expired domain and SPAM!!!"


  • NoddY
    replied
    Originally posted by DimPrawn
    I'm being sent bounced emails at a rate of over 100 per minute and it is 24/7

    A major spammer is using my domain name.

    ....

    I don't want to change ISP.

    It's easier to ditch the domain.
    I don't think you need to ditch the whole domain?

    As mentioned before, you'll want to get rid of the catch-all functionality of *.mydomain.com; essentially block all addresses and allow only those you know to be untainted.

    Examine carefully which addresses the spammer is masquerading as. For example, if he's setting his forged "Reply-To:" to bob@mydomain.com and sue@mydomain.com then get your mail server to bounce only those (bouncing the bounces usually) with a 550 (Invalid recipient). Write off those specific addresses. The rest of your domain 'namespace' should be clean and ready to use e.g. robert@mydomain.com and susan@mydomain.com
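One way to find which addresses to write off, using the kind of pattern match on bounce messages that Cowboy Bob describes further down the thread (an added example, not part of anyone's post). The sample messages, the reliance on a `Return-Path` header stamped at delivery, the function names and the threshold are all assumptions.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Typical bounce senders; extend to match what your own mailbox shows.
BOUNCE_FROM = re.compile(r"^(mailer-daemon|postmaster)@", re.I)

def _msg(return_path, sender, rcpt, extra=""):
    """Build a constructed sample message (not real mail from the thread)."""
    return (f"Return-Path: {return_path}\nFrom: {sender}\nTo: {rcpt}\n"
            f"{extra}Subject: constructed sample\n\nbody\n")

DSN = "Content-Type: multipart/report; report-type=delivery-status; boundary=b\n"
SAMPLES = [
    _msg("<>", "MAILER-DAEMON@mx.example.net", "bob@mydomain.com"),
    _msg("<>", "MAILER-DAEMON@mx.example.org", "bob@mydomain.com"),
    _msg("<noreply@example.org>", "postmaster@example.org", "sue@mydomain.com"),
    _msg("<dsn@example.net>", "Mail System <dsn@example.net>", "sue@mydomain.com", DSN),
    _msg("<client@example.com>", "client@example.com", "robert@mydomain.com"),
    _msg("<>", "MAILER-DAEMON@mx.example.net", "susan@mydomain.com"),
]

def is_bounce(msg):
    """Heuristics for a bounce: null envelope sender, daemon sender, or DSN report."""
    if (msg.get("Return-Path") or "").strip() == "<>":
        return True
    if BOUNCE_FROM.match(parseaddr(msg.get("From", ""))[1]):
        return True
    return (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "delivery-status")

def tainted_addresses(raw_messages, domain, threshold=2):
    """Count bounces per recipient at `domain`; keep those seen `threshold`+ times."""
    hits = Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        rcpt = parseaddr(msg.get("To", ""))[1].lower()
        if is_bounce(msg) and rcpt.endswith("@" + domain.lower()):
            hits[rcpt] += 1
    return {addr: n for addr, n in hits.most_common() if n >= threshold}
```

Addresses returned here are the candidates for a 550 at the mail server; ordinary mail to `robert@mydomain.com` and a single stray bounce to `susan@mydomain.com` stay below the threshold.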



  • DimPrawn
    replied
    I'm being sent bounced emails at a rate of over 100 per minute and it is 24/7

    A major spammer is using my domain name.

    Here's a sample of my inbox after just a few minutes after clearing it down.



    I don't want to change ISP.

    It's easier to ditch the domain.



  • Cowboy Bob
    replied
    Originally posted by DimPrawn
    Cowboy Bob.

    I think you misunderstand my problem.

    My problem is 100s of zombie machines posting spam out to other people with a reply-to that is my domain.

    Hence I receive 100s of bounced emails.

    It has nothing to do with Linux (yuck - spit - vile crap) and all to do with Joe Jobs (look it up http://www.g4tv.com/techtvvault/feat...e_Joe_Job.html)

    PS. As an aside I can't run my own mail server anyway (tried that) as my IP address from my ISP is on a spam list, and any emails I send are bounced back with a report saying I must use my ISP's mail server.

    I think you misunderstand too. You can filter out anything with a suitable regex at the mail server - including bounce messages. Once the storm is over, you can accept bounces again. I've been Joe Jobbed before (after posting to NANAE with a recognisable e-mail address) and that's the course of action I followed.

    The only reason I mentioned Linux is because it's cheap and easy to set up - I'm not sure you could follow an MS solution without opening your wallet, and as contractors we both know that spending any money should be a last resort.

    As for having a tainted IP address - complain to your ISP. You do have a business broadband package, yes? If they don't do anything, change ISPs.



  • DimPrawn
    replied
    Cowboy Bob.

    I think you misunderstand my problem.

    My problem is 100s of zombie machines posting spam out to other people with a reply-to that is my domain.

    Hence I receive 100s of bounced emails.

    It has nothing to do with Linux (yuck - spit - vile crap) and all to do with Joe Jobs (look it up http://www.g4tv.com/techtvvault/feat...e_Joe_Job.html)

    PS. As an aside I can't run my own mail server anyway (tried that) as my IP address from my ISP is on a spam list, and any emails I send are bounced back with a report saying I must use my ISP's mail server.



  • Cowboy Bob
    replied
    The answer is to run your own mail server/DNS off your office broadband rather than rely on someone else's setup. I find a Linux/Postfix/TinyDNS solution to be the most pain-free and it's easy on the wallet.

    Then just set up Postfix to look up against your choice of DNS blacklists. I find that the one that returns all the dynamic IP addresses kills 95% of spam (most seems to be sent from compromised machines). You can grab the info from http://www.nl.sorbs.net/

    The instructions I followed to set this system up are here - http://www.securitysage.com/antispam/intro.html

    The best bit is you can specifically block certain domains from ever e-mailing you, e.g. computerpeople.co.uk



  • NoddY
    replied
    Originally posted by DimPrawn
    Looking at the email (receiving about 100 per minute)

    They all originate from hijacked machines:

    Received: from localhost (unknown [222.252.48.134])


    Every time a different IP address from localhost. Reverse DNS puts them all over the world.

    There's not much you can do. The email system was designed in a more civilised era. It's trivial to rewrite "From:" fields and "Reply-To:" fields. With regard to the "localhost" issue, it's not really your localhost (127.0.0.X) so it's unlikely you're an open relay.

    "Received:" headers in SMTP are 'backwards', so the lowermost ones tell you the relays nearest the source of the spam. Some ISPs put "X-Originating-IP", which should match the lowermost "Received:" header. That will be the source of the spam.
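The header reading described above, as an added example that is not part of the original post: it walks the "Received:" chain from the bottom up, flags a hop that calls itself localhost without a loopback address, and compares the result with "X-Originating-IP". The sample headers are constructed (only 222.252.48.134 is taken from the thread), and the function names are assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: documentation addresses, plus the one IP quoted in the thread.
SAMPLE = """\
Received: from mx.isp.example (mx.isp.example [192.0.2.10])
\tby mail.mydomain.com with ESMTP
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.isp.example with ESMTP
Received: from localhost (unknown [222.252.48.134])
\tby relay.example.net with SMTP
X-Originating-IP: [222.252.48.134]
Subject: constructed sample

body
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
RECEIVED_IP = re.compile(r"\[(" + IPV4 + r")\]")

def _ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def received_chain(raw):
    """(claimed name, IP) per hop, oldest first: each server prepends its header."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = RECEIVED_IP.search(value)
        words = value.split()
        name = words[1] if len(words) > 1 and words[0].lower() == "from" else "?"
        hops.append((name, _ip(m.group(1)) if m else None))
    return hops

def probable_source(raw):
    # Only headers added by servers you trust are reliable; lower ones can be forged.
    hops = [h for h in received_chain(raw) if h[1] is not None]
    if not hops:
        return None
    name, ip = hops[0]  # lowermost Received header
    xoip = re.search(IPV4, message_from_string(raw).get("X-Originating-IP", ""))
    return {
        "ip": str(ip),
        "fake_localhost": name.lower() == "localhost" and not ip.is_loopback,
        "matches_x_originating_ip": bool(xoip) and _ip(xoip.group(0)) == ip,
    }
```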



  • DimPrawn
    replied
    Looking at the email (receiving about 100 per minute)

    They all originate from hijacked machines:

    Received: from localhost (unknown [222.252.48.134])


    Every time a different IP address from localhost. Reverse DNS puts them all over the world.



  • MrsGoof
    replied
    Originally posted by cswd
    I think dropping them in a pit of broken glass filled with brine should do the trick.
    That should apply to all those open relay servers as well.



  • DimPrawn
    replied
    Yes, 1st step is turn off the catch-all email forwarding.

    Spammers should be killed. Slowly and painfully.



  • DimPrawn
    started a topic Expired domain and SPAM!!!

    Expired domain and SPAM!!!

    Okay, I bought a great domain name that had expired.

    I did a Google search on the domain name and picked up lots of links to spammy sites that had emails from fred@myexpireddomain.com

    Got a bad feeling, anyway, set up email for the domain. Went into it for the 1st time and had about 3000 messages waiting for me.

    Mostly bounced email replies saying my email I sent re Viagra has been rejected and replies from people saying **** off stop spamming me you ****.

    But I have never sent a single email from this domain.

    So I guess some major spammer is using this domain as a cover to send crap.

    What can I do?