WebProWorld Part of WebProNews.com
  #1 (permalink)  
Old 07-12-2008, 12:47 PM
WebProWorld Pro
 

Join Date: Apr 2006
Location: Earth
Posts: 241
blitzen RepRank 0
Someone Spoofing my Email?

I'm getting a lot of returned emails from "postmasters" about delivery failures.

These are addressed TO invalid email addresses (I don't and never used).

It's as if that bogus email address @mysite.com tried to send email to someone who didn't exist.

Can someone be spoofing my email address, then getting my domain put on spam lists at the receiving end?

I've never spammed yet AOL is notorious about putting my company's valid emails into the spam folder. I worked with them over a year ago to stop that, but it continues.

Any advice how to prevent email hosts from putting my valid emails into spam folders is appreciated.

And, I'm concerned about my company reputation when someone sees these bogus emails from mysite.com.

Any suggestions how to handle this short of hiring an investigator and attorney to fight this.

Thank you.
__________________
*** Free Tibet ***
  #2 (permalink)  
Old 07-12-2008, 12:58 PM
WebProWorld Pro
 

Join Date: Dec 2007
Location: Brussels, Belgium
Posts: 110
Jean-Luc RepRank 1
Default Re: Someone Spoofing my Email?

First of all, there is nothing you can do to stop others from sending emails with "From: you@your_domain.com" among the headers.

One would be very stupid if he would block emails coming from a given domain because he got spam mails from this domain. The only thing to look at is the IP address from where the email is coming. Even so, these emails are probably sent from countries where they don't care about these things.

If your "catch-all" option of your email server is enabled, disable it. This will significantly reduce the number of spam emails you receive.

Jean-Luc
__________________
Checking redirects is now as easy as 1 2 3, even if you are not a HTTP-header guru !
AWStats Support: installation assistance, add-on's, extra sections, dedicated forum,...
  #3 (permalink)  
Old 07-12-2008, 01:00 PM
WebProWorld Member
 

Join Date: Oct 2006
Location: A Small Greek Island
Posts: 76
astro RepRank 1
Default Re: Someone Spoofing my Email?

If you have web sites with your email address displayed or in the coding it will be stripped from your site and then used by spammers. Another way is if they have managed a peek at your address book on your PC with spyware, or then again anyone else with your email address in their address book. This can get your domain name blacklisted by ISPs as spam.

Personally speaking if they ever re-introduced capital punishment in the UK I for one would advocate spamming should be added to the list of capital crimes. It costs us all in the long run.

Fact of life and sadly unavoidable. It took me by surprise the first time I got spam from myself.

Astro.
__________________
Chill & be happy with www.astro-holidays.com
  #4 (permalink)  
Old 07-12-2008, 02:27 PM
WebProWorld Pro
 

Join Date: Oct 2003
Location: Gibsons, BC, Canada
Posts: 291
spiderbait RepRank 2
Default Re: Someone Spoofing my Email?

Quote:
Originally Posted by blitzen View Post
I'm getting a lot of returned emails from "postmasters" about delivery failures.

These are addressed TO invalid email addresses (I don't and never used).

It's as if that bogus email address @mysite.com tried to send email to someone who didn't exist.

Can someone be spoofing my email address, then getting my domain put on spam lists at the receiving end?

I've never spammed yet AOL is notorious about putting my company's valid emails into the spam folder. I worked with them over a year ago to stop that, but it continues.

Any advice how to prevent email hosts from putting my valid emails into spam folders is appreciated.

And, I'm concerned about my company reputation when someone sees these bogus emails from mysite.com.

Any suggestions how to handle this short of hiring an investigator and attorney to fight this.

Thank you.

Hi Blitzen,

I feel your pain. Many webmasters have suffered damage to their reputations because of spoofed email addresses.

One of the most important things for you to do is implement as many safeguards as possible to help email servers distinguish between your legitimate email and spoofed mail. There are a number of methods for doing this and they all involve some sort of server side identification that the receiving servers can check to confirm legitimacy (or more importantly, illegitimacy).

The value of implementing these is that major email services will not blame you for spoofed email when your server can confirm that you didn't send it. Also, any email that you do send has a higher chance of delivery because it can be verified as legitimately coming from your server.

I highly recommend:

SPF records: (Microsoft uses these to determine legitimacy, along with many other providers, such as AOL and Gmail). You can use Microsoft's tools to create your SPF record, but you may need your server administrator to update your DNS Zone file to include the record.

Microsoft's tool and other resources: Sender ID Resources: Tools and Information to Aid in Deploying E-Mail Authentication

DomainKeys: (Yahoo uses this and several other providers including Gmail) Pretty much impossible for individual website owners to implement unless they also control the server and can install the functions. But, if your server supports DomainKeys, you absolutely should enable it. If you don't know if your server supports it, contact your server administrator and request it. In my opinion, every server should be using this.

This can be a real nightmare for website owners, so I hope this info gives you some relief.

Regards,
Jade
__________________
Jade Burnside, Ahead of the Web
What good is your web site if no one can find it?
SEO & Optimized Web Site Design
  #5 (permalink)  
Old 07-14-2008, 01:12 PM
WebProWorld New Member
 

Join Date: May 2006
Location: Oklahoma
Posts: 16
dtalbot RepRank 0
Default Re: Someone Spoofing my Email?

Have you checked the forms on your website to see if they are set up to not allow header insertions? If they are open to this vulnerability, then they can be used to relay email out without you ever seeing anything other than the error messages.

This happened to several of my sites. For a quick fix, I changed the form handler the formmail.pl. For a long term fix I bought www.web-site-scripts.com's Form Maker Pro.
__________________
Daphne Talbot
http://www.TalbotServices.com
Website marketing & design
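
The header-insertion check dtalbot raises above, as an added example that is not part of any post in this thread: a Python sketch showing how a form handler that concatenates visitor input into the header block gains an extra header, next to a handler that rejects line breaks and keeps From/To fixed. The addresses, the constructed submission and all function names are assumptions for illustration.

```python
from email.message import EmailMessage

SITE_SENDER = "webform@mysite.example"   # assumed fixed From address for the form
SITE_INBOX = "owner@mysite.example"      # assumed single, hard-coded recipient

# Constructed form submission: the "email" field carries a line break
# followed by a second header.
SAMPLE_EMAIL_FIELD = "visitor@example.org\r\nBcc: third-party@example.net"


def vulnerable_headers(visitor_email, subject):
    """Old form-mail pattern: raw concatenation of form fields into headers."""
    return (f"From: {visitor_email}\r\n"
            f"To: {SITE_INBOX}\r\n"
            f"Subject: {subject}\r\n\r\n")


def header_names(raw_headers):
    """List the header names a mail server would see in a raw header block."""
    return [line.split(":", 1)[0] for line in raw_headers.strip().split("\r\n")]


def clean_header_value(value, field):
    """Reject any form value that could start a new header line."""
    if any(ch in value for ch in "\r\n\0"):
        raise ValueError(f"line break or NUL in {field} field")
    return value.strip()


def build_contact_message(visitor_email, subject, body):
    """Hardened handler: fixed From/To, visitor data only in validated fields."""
    msg = EmailMessage()
    msg["From"] = SITE_SENDER
    msg["To"] = SITE_INBOX
    msg["Reply-To"] = clean_header_value(visitor_email, "email")
    msg["Subject"] = clean_header_value(subject, "subject")
    msg.set_content(body)          # free text belongs in the body, never in headers
    return msg


if __name__ == "__main__":
    # The concatenating handler now emits a header the site owner never wrote.
    print(header_names(vulnerable_headers(SAMPLE_EMAIL_FIELD, "hi")))
    try:
        build_contact_message(SAMPLE_EMAIL_FIELD, "hi", "body text")
    except ValueError as err:
        print("rejected:", err)
```

Because the recipient is hard-coded and the visitor's address only ever appears in a validated Reply-To, the form cannot be steered toward other recipients.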
  #6 (permalink)  
Old 07-14-2008, 01:53 PM
WebProWorld Member
 

Join Date: Oct 2003
Location: Bristol, England
Posts: 31
Punk Rich RepRank 0
Default Re: Someone Spoofing my Email?

Yeah, that happened to me too! Doesn't seem to be much I can do about it..... Let me know if you find a way to stop it.
__________________
"outstanding design requires a subversive mind" -anon
  #7 (permalink)  
Old 07-14-2008, 02:56 PM
WebProWorld New Member
 

Join Date: May 2008
Location: South coast of England
Posts: 2
traveljunkie RepRank 0
Default Re: Someone Spoofing my Email?

I had the same problem a few months ago & was getting 1000+ email rejections. I changed my sign in password but the problem returned a few weeks later. I guess my email id had been hacked so I scrapped it & set up another.
__________________
traveljunkies for worldwide adventure travel
www.traveljunkies.com
  #8 (permalink)  
Old 07-14-2008, 03:15 PM
WebProWorld Veteran
 

Join Date: Jan 2004
Location: California
Posts: 330
craigmn3 RepRank 1
Default Re: Someone Spoofing my Email?

Yeah,

When I contacted godaddy about it, they told me I could fix it by turning off all autoforwarders. Of course I stopped getting the bouncebacks, but that didn't stop them from using my e-mail account. I was told I was SOL as far as that was concerned.
  #9 (permalink)  
Old 07-14-2008, 03:46 PM
WebProWorld New Member
 

Join Date: Nov 2005
Posts: 8
gawotn RepRank 0
Default Re: Someone Spoofing my Email?

Unfortunately, it happens to everyone and there is no way to prevent someone from spoofing your return e-mail address to their e-mails (hey, they don't want the non-deliverables sent back to them).

Sincerely,
Bill Gates
billyg@microsoft.com
  #10 (permalink)  
Old 07-14-2008, 10:10 PM
WebProWorld 1,000+ Club
 

Join Date: May 2004
Location: Philadelphia, PA
Posts: 1,720
deepsand RepRank 2
Default Re: Someone Spoofing my Email?

Quote:
Originally Posted by blitzen View Post
Any suggestions how to handle this short of hiring an investigator and attorney to fight this.

Even that would be of no avail.

You'd need a rather large, full-time hit squad & the rest of your life to try to stop this type of activity.
  #11 (permalink)  
Old 07-14-2008, 11:33 PM
WebProWorld Pro
 

Join Date: Jul 2003
Posts: 177
jhilgeman RepRank 0
Default Re: Someone Spoofing my Email?

SpiderBait's suggestion is a good one. Here's an analogy to what's happening:

Take out a pen, a piece of paper, and an envelope. Write some obscene advertisement on the piece of paper, and put it in your envelope. Then, write the "to" address on the envelope, and instead of writing your own address on the letter, write someone else's address in the top-left corner.

Now, here comes the important part - don't take it to the post office. Instead, take it directly to the recipient's home, open their mailbox, pop the letter in, and walk off. Ta-dah! You've just imitated the spamming process. But that's not where the similarities end.

If the recipient were to look closely at the envelope, he/she might realize that there's no post-office stamp on the envelope, indicating that it is suspicious, and might throw out the envelope. Sometimes that "to" name might be misspelled, also arousing suspicion. Sometimes, instead of just throwing out the envelope, the person writes "return to sender" on it, and then it goes back via normal mail to the "from" address. The person listed as the "from" suddenly gets this mail that appears to have been from them. Confusion ensues and so on.

This is extremely similar to the real, SMTP mail protocol. A spammer can connect straight to a mail server and just drop in an e-mail there with any "from" address they want (they often choose a random combination of letters and numbers combined with a domain name that they've found somewhere on a web page). It's up to the recipient's mail server to determine what to do with spam. The most proper thing to do is just to dispose of spam instead of bouncing it and causing more confusion and traffic on the internet.

However, the mail server can only do so much to figure out what is spam and what is not. In order to help mail servers do this, there are a few ideas out there, like SPF and DomainKeys (mentioned by SpiderBait), which help the recipient's mail server figure out that they're dealing with a spoofing attempt. Those ideas work by giving YOU, the owner of a domain, the ability to publish a list of servers that are allowed to send out mail from that domain. (This list is published in your DNS, and it is best done by a network administrator or someone that is fairly technical.)

So when a spammer tries to send an email, pretending to be bob@mail.com, the mail server can go look up the DNS for mail.com and then compare the list of "authorized" mail senders for mail.com against the address of the computer that is currently trying to send the email. If the computer is not in that list of authorized senders, then the mail server can be reasonably certain that it is dealing with a spammer.

Finally - SPF and DomainKeys are free to implement (last time I checked, anyway). There's a site for SPF that has plenty of tools to help you set up SPF, while DomainKeys is a little different. There's plenty of documentation on how to do both, but both will help remote mail servers realize that YOU are not sending out spam.
  #12 (permalink)  
Old 07-15-2008, 03:14 AM
WebProWorld Pro
 

Join Date: Jan 2004
Location: london uk
Posts: 158
ron angel RepRank 1
Smile Re: Someone Spoofing my Email?

Quote:
Originally Posted by jhilgeman
SpiderBait's suggestion is a good one. Here's an analogy to what's happening:

Take out a pen, a piece of paper, and an envelope. Write some obscene advertisement on the piece of paper, and put it in your envelope. Then, write the "to" address on the envelope, and instead of writing your own address on the letter, write someone else's address in the top-left corner.

This is slightly off topic but those of you in the states might find it interesting... (I am in the UK so it probably will not work.)
I was told by an American student friend a long, long time ago that to get your snail mail delivered free you put your own address on the front and the recipient's address in the top left corner. You then mail the letter without a stamp; it is then returned to sender as having not enough postage, so it goes where you want free! If the idea goes wrong & the mail man delivers it to you & asks for payment you just refuse to accept it..... I have never tried it as I am in the UK and would not even suggest that anybody tries this as I am sure it is illegal (I am sure that this would not stop some student types). YOU know who I am referring to at the back!
__________________
historical information links re uk and usa
http://www.ssrichardmontgomery.com
  #13 (permalink)  
Old 07-15-2008, 11:31 AM
Moderator
WebProWorld Moderator
 

Join Date: Jun 2006
Location: United States
Posts: 1,782
wige RepRank 4
Default Re: Someone Spoofing my Email?

Quote:
Originally Posted by jhilgeman View Post
SpiderBait's suggestion is a good one. Here's an analogy to what's happening:

Take out a pen, a piece of paper, and an envelope. Write some obscene advertisement on the piece of paper, and put it in your envelope. Then, write the "to" address on the envelope, and instead of writing your own address on the letter, write someone else's address in the top-left corner.

Now, here comes the important part - don't take it to the post office. Instead, take it directly to the recipient's home, open their mailbox, pop the letter in, and walk off. Ta-dah! You've just imitated the spamming process. But that's not where the similarities end.

Great analogy, although the spammed mail will normally go through the normal e-mail system, rather than being directly delivered. We can expand on this a little bit...

Let's say the spammer did mail that letter instead of dropping it directly into the recipient's mailbox. Basically, the spammer simply puts the letter in his outbox, with the forged return address. The mail system does what it is supposed to do, and forwards the letter through various post offices until it is finally delivered to the recipient. So far, this is exactly how the SMTP system works - it was actually modeled after the US postal system (hence the name "Post Office Protocol"), and what happens with forged e-mail.

Now, let's say that the recipient works in an office building with an internal mailroom (think of the office building as the recipient's ISP, and the mailroom as the mailserver at the ISP). Someone in the mailroom may look at the letter and see that the town on the postmark does not match the town in the return address. This is an SPF lookup - the letter came from a different network than that which the supposed sender uses. Seeing this, the mailroom clerk would simply discard the suspicious letter, or send a message to the return address, asking for confirmation before delivering the envelope to the intended recipient.

Now, we can take this analogy even further. It is possible, but more difficult, for a spammer to circumvent SPF lookups, sometimes at least. The spammer could go to wherever the forged sender is located, and drop the letter into that company's outgoing mail. This is akin to a spammer accessing an improperly secured mail server and using it to send out spam.
__________________
The best way to learn anything, is to question everything.

Last edited by wige : 07-15-2008 at 11:35 AM. Reason: Clarity
  #14 (permalink)  
Old 07-16-2008, 10:04 AM
WebProWorld Pro
 

Join Date: Apr 2006
Location: Earth
Posts: 241
blitzen RepRank 0
Default Re: Someone Spoofing my Email?

Hi,

I turned on SPF and DomainKeys (mentioned by SpiderBait and JHilgeman) and so far, no returning spam.
I was totally unaware that the receiving server will go out and check the originating domain.

What a concept! This should be automatically turned on.

Thanks for the great advice!

Oh, can you think of any disadvantages to having both these turned on?

-BLitzen
__________________
*** Free Tibet ***

Last edited by blitzen : 07-16-2008 at 10:09 AM.
  #15 (permalink)  
Old 07-16-2008, 02:05 PM
WebProWorld 1,000+ Club
 

Join Date: May 2004
Location: Philadelphia, PA
Posts: 1,720
deepsand RepRank 2
Default Re: Someone Spoofing my Email?

Quote:
Originally Posted by blitzen View Post
Hi,

I turned on SPF and DomainKeys (mentioned by SpiderBait and JHilgeman) and so far, no returning spam
I was totally unaware that the receiving server will go out and check the originating domain.

What a concept! This should be automatically turned on.

Thanks for the great advice!

Oh, can you think of any disadvantages to having both these turned on?

-BLitzen

Yes.

Legitimate mail sent from senders who do not implement SPF will not be received by you, but will be returned marked that it was refused.
  #16 (permalink)  
Old 07-19-2008, 12:59 AM
WebProWorld Pro
 

Join Date: Oct 2003
Location: Gibsons, BC, Canada
Posts: 291
spiderbait RepRank 2
Default Re: Someone Spoofing my Email?

Quote:
Originally Posted by deepsand View Post
Yes.

Legitimate mail sent from senders who do not implement SPF will not be received by you, but will be returned marked that it was refused.

Hi Deepsand,

Can you please elaborate on this? My understanding is quite a bit different from this.

For one thing, SPF is a text record maintained in your own domain's DNS Zone file and as such, it is simply a static record which is there to be referenced only by other servers. It doesn't actually perform any functions such as checking or filtering incoming mail. So, as I understand it, having an SPF record will have absolutely zero effect on your ability to receive mail. It is, in that sense, a one-way method. Your server doesn't have to utilize SPF lookups for incoming mail just because you have created an SPF record and conversely, just because your server may be using SPF lookups for incoming mail, doesn't mean you have to create one (although I don't know why you wouldn't).

DomainKeys, however, is more of a two-way method. Once enabled on the server it will affix the DomainKey signature to your outgoing email so that receiving servers can verify the signature against your server. At the same time, if your server receives mail that has a DomainKeys signature affixed, your server can check that signature against the sending server.

What your server does with incoming mail that does NOT contain a DomainKeys signature is a matter of configuration, but I don't believe that many (if any) servers are yet rejecting email simply because it doesn't contain a DomainKeys signature (which is what Deepsand appears to be suggesting might happen.)

Perhaps at some point in the future when the technology has reached a higher adoption rate it will become more common to reject mail that does not utilize DomainKeys, but I don't think we're there yet and I certainly don't think that Blitzen's server is automatically rejecting it. To be sure though, he should check with his server administrator.

So, to answer Blitzen's question myself, in my opinion, I don't believe there are any disadvantages to using either of these methods.

Additionally, some major providers (most notably AOL and Hotmail) have publicly stated their intentions to move towards rejecting mail that does not originate from servers with SPF records. So, with that in mind, there is actually a disadvantage to NOT having an SPF record (in addition to the disadvantage of being vulnerable to spoofing, which was the OP's original problem).

So, in summation, at some point in the future there might be a downside to DomainKeys if your server is configured to reject email that doesn't contain a DomainKeys signature, but that's probably not the case now for 99.9% of servers. While on the other hand, SPF records have absolutely no potential to affect your ability to receive email, either now or in the future.
__________________
Jade Burnside, Ahead of the Web
What good is your web site if no one can find it?
SEO & Optimized Web Site Design

Last edited by spiderbait : 07-19-2008 at 01:03 AM.
  #17 (permalink)  
Old 07-19-2008, 01:52 PM
WebProWorld 1,000+ Club
 

Join Date: May 2004
Location: Philadelphia, PA
Posts: 1,720
deepsand RepRank 2
Default Re: Someone Spoofing my Email?

My comment was, as stated, addressing SPF only, and under the assumption that SPF was fully implemented, as opposed to being used only for outgoing messages.

From personal experience with Authorize.net, as well as another ASP, I observed multiple instances where e-mail generated on behalf of a client merchant, bearing that client's name/e-mail address as the Sender, but sent from Authorize.net's server, was refused by recipients' e-mail systems which had adopted SPF, owing to Authorize.net not having implemented such.

Last edited by deepsand : 07-19-2008 at 01:57 PM.
  #18 (permalink)  
Old 07-19-2008, 07:02 PM
WebProWorld Pro
 

Join Date: Oct 2003
Location: Gibsons, BC, Canada
Posts: 291
spiderbait RepRank 2
Default Re: Someone Spoofing my Email?

Quote:
Originally Posted by deepsand View Post
From personal experience with Authorize.net, as well as another ASP, I observed multiple instances where e-mail generated on behalf of a client merchant, bearing that client's name/e-mail address as the Sender, but sent from Authorize.net's server, was refused by recipients' e-mail systems which had adopted SPF, owing to Authorize.net not having implemented such.

Hi Deepsand, thanks for the clarification.

Just to clear up any confusion this may cause to readers of this thread, I'll put into my own words what I think (IMO) Deepsand seems to have experienced. Of course, I may have it wrong if I've misunderstood him, but what he's describing sounds like an easily preventable situation.

An SPF record allows you to specify "permitted" senders for your domain name. This means you will indicate if your own server sends mail for the domain and also if there are any other servers that might send mail on behalf of your domain.

So, in the instance above, it was not up to Authorize.net to implement SPF in order to send the mail reliably. Rather, it was up to Deepsand's client to ensure their SPF record was complete and accurate. Mail sent from Authorize.net's server on behalf of Deepsand's client's domain would NOT be rejected if the SPF record were properly configured to identify authorize.net as a "permitted" sender. (Actually, that's kind of the whole point of the SPF record - only the domain owner can change what it says)

Furthermore, the SPF method allows the domain owner to specify how you would like receiving servers to handle mail that does not come from an explicitly permitted server. You can tell it to "pass," "soft-fail" or "hard-fail" such mail. Of course, receiving servers don't have to abide by your instructions but most will take it into account.

Feel free to correct me if I've misunderstood the scenario, Deepsand.

Quote:
Originally Posted by deepsand View Post
My comment was, as stated, addressing SPF only, and under the assumption that SPF was fully implemented, as opposed to being used only for outgoing messages.

This makes sense Deepsand. But it's worth noting that SPF does NOT need to be implemented on the server for a domain to have its own SPF record. And perhaps most importantly, if SPF is implemented on the incoming mail server, in most cases (unless you control the server configuration) there's no choice about it for the domain owner. Mail from non SPF recorded domains MAY be blocked, whether they create their own SPF record or not.
__________________
Jade Burnside, Ahead of the Web
What good is your web site if no one can find it?
SEO & Optimized Web Site Design

Last edited by spiderbait : 07-19-2008 at 07:15 PM.
  #19 (permalink)  
Old 07-19-2008, 08:28 PM
WebProWorld Pro
 

Join Date: Oct 2003
Location: Gibsons, BC, Canada
Posts: 291
spiderbait RepRank 2
Default Re: Someone Spoofing my Email?

This thread has got me thinking that there should be a place where these resources and information relating to them can be concentrated and discussed.

So, I've created a thread specifically for this, and I've included more resource links than I did above.

You can see the new thread here.

Cheers,
Jade
__________________
Jade Burnside, Ahead of the Web
What good is your web site if no one can find it?
SEO & Optimized Web Site Design