This Domain is a Victim of Forgery
Apr 3rd, 2006 by Alex
I know nothing about Erection PowerPack, nor do I care to. But it really pisses me off when bulk mailers use my domain to forge a return address for their spam mailings.
For the record, I don’t send out unsolicited email.
This morning I received several hundred bounce messages from dozens of systems, informing me that “my” email couldn’t be delivered. I do send quite a bit of email, but I certainly wouldn’t bother people with erectile enhancers, get-rich-quick schemes, or any of the other garbage that is being peddled online. Now the domains that I own have not been frequent victims of this sort of thing, but eventually it happens to everyone. It could happen to you, without warning, at any time. Fortunately I’ve yet to receive any hatemail on the topic. Here’s the offending message, as reported to me by a whole lot of mailer daemons.
Return-Path: <sales@moundalexis.com>
Received: from www (helo=apache.email-sexe.com)
    by email-sexe.com with SMTP id Ab44qw9z002367915;
    Mon, 03 Apr 2006 03:47:13 +0000
Message-Id: <BcGIuq.ifff17@apache.email-sexe.com>
Date: Mon, 03 Apr 2006 03:47:13 +0000
Subject: Erection PowerPack. Time limited offer
From: "Madeline Carr" <sales@moundalexis.com>
User-Agent: SquirrelMail/1.4.3a
X-Mailer: SquirrelMail/1.4.3a
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
<html>
<body>
<center>
<a href="http://omitted/?18913066"><img border=0 width=467 height=230
src="http://omitted/imagedir/fl17.jpg"></a></center>
</body>
</html>
As you can see, the offending email — if you could call it that — has no text content whatsoever, just a linked image. As you can imagine, the image and the link hostname point to an IP address in China.
A basic Nmap TCP connect() scan reveals the following about the originating system:
> nmap [omitted]

Starting nmap 3.77 ( http://www.insecure.org/nmap/ ) at 2006-04-03 21:57 EDT
Interesting ports on [omitted]:
(The 1656 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
20/tcp   filtered ftp-data
21/tcp   filtered ftp
22/tcp   open     ssh
80/tcp   filtered http
135/tcp  filtered msrpc
5800/tcp filtered vnc-http
5900/tcp filtered vnc

Nmap run completed -- 1 IP address (1 host up) scanned in 117.251 seconds
An Nmap SYN scan reveals the same. Alas, nothing too exciting.
Some people claim that publishing SPF records would cut down on these sorts of bounce messages. As much as I’d like to believe that, a reduction in replies from forged emails will only occur if a lot of people adopt the standard. As Kasia reported back in May, not a whole lot of people have implemented SPF checking. Almost a year later I only saw one or two bounce messages that made any reference to SPF, which makes me think twice about implementing it. One more DNS lookup per message — times daily message count — is a lot of load for little payoff.
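An added example, written for this page and not part of the original post: it reads a constructed copy of the headers quoted above, separates the identity headers a sender can write freely (Return-Path, From, Message-Id) from the HELO name recorded in the Received line, and then runs a minimal SPF evaluation of the kind a receiving MTA would perform, which is the check the paragraph above says too few receivers make. The SPF records, the include domain _spf.example.net and the connecting address 203.0.113.45 are hypothetical (the quoted headers do not record the real connecting IP, and moundalexis.com's real DNS is not consulted); only the ip4, include and all mechanisms are implemented.

```python
import email
import email.utils
import ipaddress
import re

# Constructed copy of the forged message's headers as quoted in the post
# (body omitted, Received line refolded with normal continuation indentation).
FORGED_MESSAGE = """\
Return-Path: <sales@moundalexis.com>
Received: from www (helo=apache.email-sexe.com)
    by email-sexe.com with SMTP id Ab44qw9z002367915;
    Mon, 03 Apr 2006 03:47:13 +0000
Message-Id: <BcGIuq.ifff17@apache.email-sexe.com>
Date: Mon, 03 Apr 2006 03:47:13 +0000
Subject: Erection PowerPack. Time limited offer
From: "Madeline Carr" <sales@moundalexis.com>
User-Agent: SquirrelMail/1.4.3a
MIME-Version: 1.0

"""

# Hypothetical SPF policies standing in for DNS TXT lookups.  Neither record
# is real; they show what moundalexis.com could publish if its only
# legitimate outbound host were 192.0.2.10 plus a hosted mailer's range.
SPF_RECORDS = {
    "moundalexis.com": "v=spf1 ip4:192.0.2.10 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.0/24 ~all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=SPF_RECORDS, depth=0):
    """Evaluate the domain's SPF record against the SMTP client address.

    Only ip4, include and all are implemented (enough for the records
    above); a, mx, ptr and exists are skipped.  Returns one of
    pass / fail / softfail / neutral / none / permerror.
    """
    if depth > 10:                       # RFC 7208 caps include nesting
        return "permerror"
    record = records.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"                    # domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # include matches only if the referenced policy itself passes
            matched = check_spf(arg, client_ip, records, depth + 1) == "pass"
        else:
            continue                     # mechanism not modelled here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                     # nothing matched and no all term


def analyse(raw_message, client_ip, records=SPF_RECORDS):
    """Separate the forgeable identity headers from the trace, then run SPF."""
    msg = email.message_from_string(raw_message)
    _, return_path = email.utils.parseaddr(msg.get("Return-Path", ""))
    _, from_addr = email.utils.parseaddr(msg.get("From", ""))
    # Every Received line below the one your own MTA wrote can be forged;
    # the bottom-most is merely the sender's own claim about where it began.
    received = msg.get_all("Received") or []
    helo_match = re.search(r"helo=([^\s)]+)", received[-1]) if received else None
    helo = helo_match.group(1) if helo_match else None
    envelope_domain = return_path.rpartition("@")[2].lower()
    helo_l = (helo or "").lower()
    return {
        "return_path": return_path,
        "from": from_addr,
        "helo": helo,
        "helo_in_sender_domain": helo_l == envelope_domain
        or helo_l.endswith("." + envelope_domain),
        "spf": check_spf(envelope_domain, client_ip, records),
    }


if __name__ == "__main__":
    # 203.0.113.45 is a constructed stand-in for the real connecting host,
    # which the quoted headers do not record.
    for key, value in analyse(FORGED_MESSAGE, "203.0.113.45").items():
        print(f"{key:>22}: {value}")
```

Run as-is, the report shows the envelope sender and From both claiming moundalexis.com, a HELO in an unrelated domain, and an SPF result of fail: exactly the verdict that would have let the receivers in the bounce storm reject the message at SMTP time instead of accepting it and bouncing it to the forged address. Had moundalexis.com published no record (the situation the post describes), the same check returns none and the receiver learns nothing, which is the author's point about adoption on both sides.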
I know I only received a few hundred bounce messages, which means there had to be several times more that actually got through. I wonder how many of those were tagged as spam. I wonder how many hosts blacklist senders based on hostname (forged or not). I wonder how much damage was done to my domain’s reputation.