Hi-jack! Take this domain name to Spain...

A while ago, I noticed that the mail log showed I was getting a number of emails for non-existent users on my domain; it was easy to spot as I'm the only legitimate user. Was this some spammer's error, setting the wrong name on a spam destined for me?

The default setup of sendmail rejects mail for unknown users, so I thought I'd turn this off for a while and see what the mails were. This requires a line like this in the .mc file:

  define(`LUSER_RELAY', `local:user_name')dnl

which ensures that all undeliverable mail is directed to my mail box (name changed to protect the guilty).

After about 30 minutes I had a number of emails. Bugger, this was bad; these mails were various bounce and reject messages for spam reputedly being sent from my domain! Had somebody hacked into my system and used it as a spam bot?

Closer inspection of the messages revealed this was not the case. A spammer was forging the From field so that the spam was apparently coming from my domain, but it was actually being sent out from a compromised machine somewhere else. Here's an example:

  Return-Path: <Lonessdxvf@hydrus.org.uk>
  Received: from mx2.song.fi (mx2.song.fi [195.10.132.70])
        by takatasku.wapice.com (8.13.8/8.13.1/WPZ 0.26) with ESMTP id
        l7TBjgY3024260
        for <bowlingdd@wapice.com>; Wed, 29 Aug 2007 14:45:43 +0300
  Received: from static-68-131-235-87.ipcom.comunitel.net (unknown
        [87.235.131.68]) by mx2.song.fi (Postfix) with ESMTP id 2D0AB497E4
        for <bowlingdd@wapice.com>; Wed, 29 Aug 2007 14:45:41 +0300 (EEST)
  Received: by 10.116.172.197 with SMTP id asUHgtmaDtGRh;
        Wed, 29 Aug 2007 13:56:12 +0200 (GMT)
  Received: by 192.168.199.22 with SMTP id YGMKBdtvTtDUVY.2838840098907;
        Wed, 29 Aug 2007 13:56:10 +0200 (GMT)
  Message-ID: <000e01c7ea33$958f59e0$4483eb57@nono>
  From: "Earle Loness" <Lonessdxvf@hydrus.org.uk>
  To: <bowlingdd@wapice.com>
  Subject: uncrumpl
  Date: Wed, 29 Aug 2007 13:56:07 +0200

In all the emails, the machine static-68-131-235-87.ipcom.comunitel.net appeared as an MTA. I figured this machine was the spam bot.

What could I do? People would think I was responsible for this rash of spam. It turns out there's not much you can do; there were two things, and I did them both.

First, I published a Sender Policy Framework (SPF) record. Anyone who checks this framework (e.g. gmail) can determine that mail purportedly from hydrus.org.uk which did not originate from my ISP's mailers is not legitimate. SPF involves defining a TXT record in the DNS records for the domain, in a specific format, indicating which machines are legitimate sources for the domain's mail; the ~all at the end tells receivers to treat any other source as a soft fail. E.g.:

  v=spf1 include:enta.net ~all
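
To make the two steps concrete, here is an added example (mine, not from the original post) that walks the Received chain quoted above from the bottom up to find the first hop with a public address, then evaluates a client IP against an SPF record without touching DNS. The TXT dictionary stands in for the lookups; hydrus.org.uk's entry is the record from the post, while enta.net's entry is invented (its real record is not on the page) using the 203.0.113.0/24 documentation range.

```python
import email
import ipaddress
import re

# Received chain of the bounced spam quoted in the post, used as sample input.
SAMPLE = """Received: from mx2.song.fi (mx2.song.fi [195.10.132.70])
      by takatasku.wapice.com (8.13.8/8.13.1/WPZ 0.26) with ESMTP id l7TBjgY3024260
      for <bowlingdd@wapice.com>; Wed, 29 Aug 2007 14:45:43 +0300
Received: from static-68-131-235-87.ipcom.comunitel.net (unknown
      [87.235.131.68]) by mx2.song.fi (Postfix) with ESMTP id 2D0AB497E4
      for <bowlingdd@wapice.com>; Wed, 29 Aug 2007 14:45:41 +0300 (EEST)
Received: by 10.116.172.197 with SMTP id asUHgtmaDtGRh;
      Wed, 29 Aug 2007 13:56:12 +0200 (GMT)
Received: by 192.168.199.22 with SMTP id YGMKBdtvTtDUVY.2838840098907;
      Wed, 29 Aug 2007 13:56:10 +0200 (GMT)
"""

def find_origin(raw):
    """Bottom-up, the first hop whose 'from' clause carries a bracketed public IP is
    the real origin; the private 10/8 and 192.168/16 hops below it are unverifiable."""
    received = email.message_from_string(raw).get_all("Received", [])
    for hop in reversed(received):
        hop = " ".join(hop.split())  # unfold continuation lines
        m = re.search(r"from (\S+) .*?\[(\d+\.\d+\.\d+\.\d+)\]", hop)
        if m and ipaddress.ip_address(m.group(2)).is_global:
            return m.group(1), m.group(2)
    return None

def check_spf(client_ip, domain, txt):
    """Minimal SPF check for ip4:, include: and all (no a/mx/ip6). `txt` maps a
    domain to its TXT record in place of DNS; include: matches only on 'pass'."""
    record = txt.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qual = term[0] if term[0] in results else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return results[qual]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return results[qual]
        if mech.startswith("include:") and check_spf(client_ip, mech[8:], txt) == "pass":
            return results[qual]
    return "neutral"  # no mechanism matched and no 'all' term

# Stand-in for DNS: hydrus.org.uk's record is from the post; enta.net's is invented.
TXT = {"hydrus.org.uk": "v=spf1 include:enta.net ~all",
       "enta.net": "v=spf1 ip4:203.0.113.0/24 -all"}
```

Run against the sample, find_origin points at the comunitel.net host and check_spf returns softfail for its address, which is exactly what a receiver honouring the ~all record would conclude.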

The only other defence I had was to write to abuse@comunitel.net. No response, so I tried the contact names from whois. Still no response. Ah well, no surprise there.

Since the first wave there has been another, this time originating from i03m-212-195-148-129.d4.club-internet.fr. I also wrote to abuse@club-internet.fr, and this time did receive a reply; canned, but nevertheless a reply. Will it do any good? Who knows...