Forged Email Headers and Email Load on Server



zephyrireland
10-03-2006, 08:46 AM
Does anyone know how to defend against forged email headers?

For example a user has a website called sampledomain.com and there is one email address setup info@sampledomain.com

What happens is the server gets emails from GeorgeMiller@sampledomain.com (obvious spamming of faked email headers) and the email has Spam content also.
Occasionally these emails are failure emails and often there are hundreds of failures.

Is this an exploit of a weak server (i.e. would moving to a dedicated / managed server solve this sort of problem ?)

It's a puzzling one, since you cannot find out where the emails are coming from; they seem to be relayed.

Any assistance would be great!

computergenius
10-03-2006, 09:17 AM
You headed your posting with "Email Load", and then spoke about mails not from you, and failures.

I am not clear what it is that is bothering you.

There is no load on your outgoing mail server, because the mails don't come from you.

Incoming, it shouldn't be a problem for your mail server, but your server will have to receive them to examine them.

You could automatically delete all emails that are not to your real address(es).
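
As an added illustration of the "delete everything not addressed to a real mailbox" advice above (example code, not posted by anyone in this thread): the domain and the single real address are the thread's sample ones, the sending hosts and message bodies are constructed, and bounces to a real mailbox are held rather than dropped so genuine delivery failures are not lost.

```python
import email
from email.utils import getaddresses

LOCAL_DOMAIN = "sampledomain.com"            # domain named in the thread
VALID_MAILBOXES = {"info@sampledomain.com"}  # the only real address (from the thread)

def local_recipients(msg):
    """Addresses in To/Cc that belong to our domain, lower-cased."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {a.lower() for _, a in pairs if a.lower().endswith("@" + LOCAL_DOMAIN)}

def is_bounce(msg):
    """Delivery status notification: null reverse-path (Return-Path: <>),
    a multipart/report body, or a MAILER-DAEMON style sender."""
    if msg.get("Return-Path", "").strip() == "<>":
        return True
    if msg.get_content_type() == "multipart/report":
        return True
    return "mailer-daemon" in msg.get("From", "").lower()

def classify(raw, valid=VALID_MAILBOXES):
    msg = email.message_from_string(raw)
    if not (local_recipients(msg) & valid):
        # no real mailbox here: a guessed/forged sender address attracting mail
        return "drop-unknown-recipient"
    if is_bounce(msg):
        # a bounce to a real mailbox may be backscatter or a genuine failure;
        # hold it for review instead of deleting it outright
        return "hold-bounce"
    return "deliver"

# Constructed samples (not real traffic): a bounce for mail "from" a
# non-existent user, a normal enquiry, and a bounce addressed to the real box.
BACKSCATTER = """Return-Path: <>
From: MAILER-DAEMON@mx.example.net
To: GeorgeMiller@sampledomain.com
Subject: Undelivered Mail Returned to Sender

123@aol.com: user unknown
"""
LEGIT = """From: client@example.org
To: info@sampledomain.com
Subject: Quote request

Hello, could you send a quote?
"""
REAL_BOUNCE = BACKSCATTER.replace("GeorgeMiller@", "info@")
```

In practice the same check belongs at SMTP RCPT time, so the server refuses unknown recipients before accepting the data at all.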

zephyrireland
10-03-2006, 09:37 AM
Well, the case in question got 420 emails per minute, all failures, all forged emails.

The data coming to the server was too much and the server was crashing due to the incoming fake emails.

The problem is that somebody is sending emails from a fake address, e.g. From: Spammer@somedomain.com, To: 123@aol.com. When the To: address fails, the failures are coming back to somedomain.com, creating a load issue.

The emails are obviously forged / faked headers, but are there any solutions to combat this problem?

Is it a problem with this host, and would moving to a dedicated / managed server help?

wige
10-03-2006, 09:53 AM
When the person forging the e-mails sends the messages, are they going through your server, or does your server only get the failure responses?

zephyrireland
10-03-2006, 10:05 AM
Hosting Company assures us that the server is only getting responses from message failures - no outgoing email apart from normal traffic (i.e. the spam is not sent from these servers).

computergenius
10-03-2006, 10:58 AM
420 per minute doesn't sound like a lot.

I *think* that normally, on a shared host, you have your own mail server, similar to mail.mydomain.com, so moving to a dedicated server would not help.

Anyone know for sure?

And bear in mind, the spammers will move on very soon. I once had thousands of emails arriving in a similar fashion, back in the late 90s. I wrote something to delete them from the server, and it lasted for about 12 hours, then stopped.

wige
10-03-2006, 05:47 PM
Unfortunately, the damage being done by this is much more than simply the flood of data from the bad packets you are receiving. Your domain name is probably getting put onto the major spam blacklists as a result of this.

It is quite possible that the spammer is sending the e-mails himself from his own mail server. It is not hard to do and there is not really any defense for this unfortunately.

computergenius
10-03-2006, 06:27 PM
Unfortunately, the damage being done by this is much more than simply the flood of data from the bad packets you are receiving. Your domain name is probably getting put onto the major spam blacklists as a result of this.

AFAIK, there are no blacklists that would blacklist this site. Emails are very easy to trace; it can be proved from the headers that the emails are not coming from the site, and no blacklist would be foolish enough to list the site without any proof, as their credibility would be zero.

<bitching>In fact, they would be as credible as SiteAdvisor (see relevant topic (http://www.webproworld.com/viewtopic.php?p=326533#326533)), which isn't directly related to this thread, but it makes me feel better to mention it...</bitching>

wige
10-04-2006, 09:49 AM
There are a few different types of blocklists that I am aware of. The major subscription lists would probably see the forged headers and not block the domain. However, those blocklists that use user votes (the user clicking the spam button) and volume based blocklists typically would block the domain name.

In addition, this can damage a reputation. An unknown number of internet users are getting spam stamped with the domain name in question, and the vast majority of these users don't know anything about forged headers.

computergenius
10-04-2006, 09:58 AM
There are a few different types of blocklists that I am aware of. The major subscription lists would probably see the forged headers and not block the domain. However, those blocklists that use user votes (the user clicking the spam button) and volume based blocklists typically would block the domain name.

I haven't seen any of those, can you give me some examples?

wige
10-04-2006, 05:59 PM
The one I ran into was AOL about a year ago when we tried to start a newsletter to our opt in subscribers. After 50 e-mails from our domain name we were blacklisted. Had to fill out a ton of paperwork to get taken off the list.

chrisJumbo
10-05-2006, 02:07 PM
This happened to our domain. And to say a blacklister wouldn't put the domain in there without proof is not true.

Our domain has ended up on different blacklists. At this point, only one of our clients uses any of those so it hasn't been a real problem.

And one of the blacklisters charges to remove you because they believe it is your own fault for making your e-mail public, yada, yada, yada. Of course it is public, so that clients and potential clients have a quick and easy way to get hold of you from the web. When I went to read some comments, there was one that could be libelous, but who has the time to pursue it?

Although it is easy enough to prove it isn't coming from us, the blacklisters don't ask for proof.

The IT Manager of my client said go to www.mxtoolbox.com and you can find out the lists you are on.

Here is what I found. We are on BLARSBL, SPAMBAG, JAMMDNSBL.

The same IT Manager said you could create a second domain to email from and not post that address anywhere. And then have the new one have an internal mail forward to the old. Since, 99% of our email gets through to our clients, I haven't pursued this.

chrisJumbo
10-05-2006, 02:08 PM
Follow-up. I did convert our website to use a contact form and not post our email address, but since it was out there before we still get plenty of returned failed messages.

computergenius
10-05-2006, 06:28 PM
This happened to our domain. And to say a blacklister wouldn't put the domain in there without proof is not true.

I was, of course, referring to blacklists that will get used.

I know the first one on your list, BLARSBL, that is a personal list, driven more by attitude than common sense. At least one of my (totally innocent) domains is on it, and I really couldn't care less.

I can't imagine me sending him any mail, and I can't imagine anyone using his list. So why should I worry?

I even see lists which say ignore his list...


I am currently seeing spam sent out using an address picked out at random (not a real address) on one of my domains. I can't do anything about it. I have received 3 bounced emails, but anyone with any sense would not bounce emails where the sender domain does not match the sender email address. It is pointless, and wastes bandwidth.