[AuckLUG] Spam emails
Daniel Pittman
daniel at rimspace.net
Wed Feb 28 02:50:10 NZDT 2007
Stuart R Mealor <stuart at learning.ac.nz> writes:
> This isn't really a specific Linux issue, but I wonder if anyone here
> can offer advice...?
[...]
> I have noticed an increase in 'Undeliverable email' hitting our email
> admin account from:
> Postmaster...
> Mail Delivery System...
> Mail Delivery Subsystem
> Mailer-Daemon...
> etc...
All of those are the same "account" -- the system email address for
bounces, etc, from which mail is seldom human originated.
> In all these cases, it looks like someone has just added a 'random'
> name to our domain, and sent it off to other email address.
Yup.
> Are these emails really going to other email addresses and looking
> like spam sent by us?
Yes, in some cases. The envelope sender is definitely set to your
domain; the header in the message itself may or may not be.
> Is there anything we can proactively DO about this?
In theory SPF, Domain Keys or a handful of similar systems can protect
you against this.
In practice none of these are completely reliable, and all of the
options have significantly divided opinions available about them.[1]
Also, neither is sufficiently widely deployed that it will even manage
to prevent "a lot," let alone "most" of this getting through.
Anyhow, if you /do/ elect to deploy one or both of those technologies to
try and prevent this you should do a bunch of research on the pros and
cons of both, then make up your own mind.
Charging in blindly to either *will* result in problems such as email
from your staff -- in some circumstances -- being incorrectly rejected
by third parties. That can be a ... career limiting move. ;)
> Is this a result of our email accounts being on a Telecom server?
No.
> Advice or knowledgeable comments(!) gratefully received.
This is another step in the war of spam-vs-filtering: people now check
that the domain that an email address claims actually exists, and is
deliverable[2], or even go as far as verifying that it is from a real,
deliverable email account at that domain.
So, the obvious response happened: the spammer now has the from address
set to a randomly generated email address -- at the pool of real domains
they are sending spam to, all of which did (at one stage) exist.
Some of them also use real email addresses, equally at random, to ensure
that even a fuller check will work.
Finally, in some cases this is a malicious attack on the forged domain.
That is known as a "Joe Job" in, er, industry parlance. You should be
able to Google that and get as much detail as you want on the history
and practice of this.
Anyway, the short version is: no, it isn't your setup; yes, it is really
spam claiming to be from you; no, there isn't anything terribly
effective you can do today.
Regards,
Daniel
Footnotes:
[1] Personally, Domain Keys undecided, SPF in the "bad" bucket for
trying to change the world without due process.
[2] ...because this used to filter a lot of SPAM.
--
Digital Infrastructure Solutions -- making IT simple, stable and secure
Phone: 0401 155 707 email: contact at digital-infrastructure.com.au
http://digital-infrastructure.com.au/
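To make the SPF caveat in Daniel's reply concrete (that a strict record can cause a receiver to reject genuine staff mail sent from an unlisted relay, while still saying nothing about most forged bounces), here is a small added example, not code from the thread or from any of the projects mentioned. It is a toy SPF evaluator over an in-memory table of constructed TXT records; the domains, the `_spf.outsourced-mail.example` include target and the sending IPs are all made up for illustration, and only the `ip4`, `include` and `all` mechanisms are handled.

```python
"""Toy SPF evaluator (subset of RFC 7208) over constructed, in-memory DNS data.

Added example for the AuckLUG thread; not real code from any project.
Shows how the same sending IP gets 'fail' under a '-all' record but only
'softfail' under a '~all' record, which is exactly the deployment choice
that decides whether a strict receiver bounces a staff member's mail.
"""
import ipaddress

# Constructed TXT records (assumption: these domains and addresses are made up).
# example.org publishes a strict record, example.net a soft-fail record.
DNS_TXT = {
    "example.org": "v=spf1 ip4:203.0.113.10 include:_spf.outsourced-mail.example -all",
    "_spf.outsourced-mail.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "example.net": "v=spf1 ip4:203.0.113.10 ~all",
}

# SPF qualifier prefix -> result name when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, dns=DNS_TXT, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for a sender IP and domain."""
    if depth > 10:                       # guard against include: loops
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                    # domain publishes no usable SPF record
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:      # skip the 'v=spf1' version tag
        qualifier = "+"                  # default qualifier is '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4":
            if addr.version == 4 and addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(ip, arg, dns, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"       # RFC 7208: broken include is a permanent error
        else:
            return "permerror"           # mechanism not supported by this toy evaluator
    return "neutral"                     # no mechanism matched and no 'all' present


def receiver_action(result):
    """What a strict-but-typical receiver does with each SPF result."""
    return {"fail": "reject", "softfail": "accept and mark"}.get(result, "accept")


if __name__ == "__main__":
    # Constructed scenario: a staff member sends through an ISP relay at 192.0.2.5,
    # which nobody listed in the record.
    for domain in ("example.org", "example.net"):
        res = check_spf("192.0.2.5", domain)
        print(f"staff via unlisted relay, {domain}: {res} -> {receiver_action(res)}")
    # A forged envelope sender from an unrelated host gets the same verdict.
    print("forged sender, example.org:", check_spf("192.0.2.77", "example.org"))
```

The point of the two records is the difference in the first two lines of output: with `-all` the staff message is rejected outright, with `~all` it is merely flagged, and in both cases the forged message from the spammer's host is treated no differently from the staff member's. Whether that trade-off is acceptable is the research step the reply recommends before publishing anything.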