So I’ve my office email configured as the “catch-all” for the agency. Anything ending with our domain that doesn’t go to an existing account ends up in mine. You know, in case someone mistypes the email addy or some such.
Well this morning I get a crapload of emails returned as undelivered.
All the “from” addresses are non-existant accounts, but appearing from our domain. (ex: email@example.com where there is no ‘fps’ in the office).
SO I call the hosting company to ask and the support fellow tells me that there is a spam going around that somehow uses my domain address, but without actually being sent from my domain. Did not think this was possible.
Can anyone tell me if there is any way to check to see if this is the case? I’m worried that someone’s computer may be compromised, despite what the support dude says. No antivirus have been triggered so I checked that.
I don’t know how easy it is now, but when I was in highschool we did this all the time. All you had to do was find an IP address for a company, telnet to it (Port 25), and you can send mail to whomever you want (Mailto:) and from wherever you wanted.
For example if there was someone we didn’t like we would do
Oh, and BTW what they where doing was called domain spoofing.
You don’t even have to send it through a server at that IP to make it look like it was addressed from there. You just have to telnet to any SMTP server and manually build the header, or use software (not your typical email client) that allows you to do the same thing. Examination of the Internet headers will probably reveal the spoof but many people don’t even know what they are or how to see them. (Today I’ll bet few companies besides ISPs have an SMTP server open to the Internet. As a side note, my own ISP won’t even let me send outgoing mail to any SMTP server but theirs.)
(When you were in high school? I guess that’s the equivalent of a crank call today. When I was in high school TCP/IP hadn’t been invented yet.)
You can actually spoof the entire header so that even if you run it thru headers it reads your address. This is possible though not easily done
The better trick is to make it appear to come from your domain but instead use many anonymous resenders. Try spamcop it will allow you to trace the source.
I have had some spam come thru as much as many as 25 resenders. Of course all the resenders are in foreign countries so it makes tracing it pretty unlikely as the foreign countries keep no records
You can actually spoof IP address, if you know how. I knew a computer guy that used his cell phone (not the computer phone) and spoofed caller ID. So that is another thing NOT to trust.
In all having a catch all domain is not a good idea. All it does is tell the spammer the email is active. If your client mistypes the address he will get a failure notice and resend. So will the spammer.
This way you told him your domain is wide open for spam
And just to clear up one point, the person with the virus is not necessarily anyone in your office. Most likely, it’s someone who knows someone in your office. In this context, “knows” means “has ever sent an e-mail to or received an e-mail from”. So let’s say, for instance, that the secretary once sent an e-mail to his long-lost cousin. The secretary’s e-mail, including your domain name, is now sitting somewhere in an inbox folder on the cousin’s computer. The cousin gets a virus, which searches the computer for e-mail addresses. One of the addresses it finds is your secretary’s. When the virus spams out copies of itself, it uses a bunch of random addresses from your domain as the “from” address (as stated, this is literally as easy as putting the wrong return address on a regular, post office letter: Both the USPS and the e-mail protocols rely on most users being honest). Some of those spammed e-mails bounce, and the bounces go back to your domain, since that’s the “from” address they have listed.
Since the suspect pool is everyone who’s ever communicated with anyone in your office, it would be essentially impossible for you to figure out who it is who actually has the virus, without a lot of further information (which is probably difficult or impossible for you to get). You could maybe use this incident to talk your boss into funding an upgrade of your antivirus setup, but beyond that, there’s not really much you can do about this.
It’s unlikely to be a virus at all, just a spoofed mail header as several others have mentioned.
I get these all the time. My mail server is not relaying (I checked the logs the first few times and occasionally thereafter just to be sure), and in fact the IP addresses associated with the mail aren’t from my domain at all.
It’s just one of those things you need to live with; most of the Internet (and especially email) was designed to be efficient, not secure, and until the next generation of stuff comes along these “attacks” are just part of the deal.
You can spoof a lot of the header, but you can’t spoof all of it.
As to 25 resenders: In all probability many of those are fakes tacked onto the header by the spammer. This bypasses black lists that naively only look at the last server on the list (which one might assume is the one that sent the original). In fact, the sender might be the 14th on the list with the ones after being spoofs. But the ones before the real one are real.
Which is just another way of saying that even a human expert, let alone a spam blocking program, has an immense task finding the actual originator.