The Community Forums


Customer getting bounces from email spams he did not send.

Discussion in 'E-mail Discussions' started by Metro2, May 4, 2007.

  1. Metro2

    Metro2 Well-Known Member

    Joined:
    May 24, 2006
    Messages:
    376
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    I'm at a real loss here and I'm hoping someone knows of something I haven't tried yet, because the problem is getting bad.

    I have a customer whose email account is generating thousands of bounced "undeliverable" and "failed" messages for spam that he never sent. Someone is sending out emails as him, and it's not him doing it.

    For example's sake, I will make up a fake domain and email address here to help explain what I mean and what I've done / checked so far:

    Let's say my customer has "nicetoyfrogs123.com" hosted on my server and his email address is "frog@nicetoyfrogs123.com".

    Spammers are sending out viagra / porn emails as "frog@nicetoyfrogs123.com", and my customer is receiving the bounces, warnings, and even threats from the victims of the spammer.

    My server is secure, no open relays, and I have an SPF record in place on the customer's domain (SPF string used: `v=spf1 ip4:xxx.xxx.xxx.xxx -all`, where xxx... is the IP address of my mail server).

    Mailscanner is preventing the customer from having to deal with most of the messages, but they're coming in by the thousands each week and using server resources that I'd rather they didn't.

    I checked mailwatch to view the messages actually sent by "frog@nicetoyfrogs123.com" (remember, that's not real) and none of the spam was ever sent from his account. He has sent 120 messages in the past month, all legitimate, yet thousands of "viagra" etc. spams are bouncing back to him, and he's actually received direct threats / complaints.

    Ultimately my biggest worry is that my server, with all the other customers on it, could get blocked / blacklisted, due to no fault of mine or my customer.

    I called my data center and the tech basically told me:
    - the SPF helps, but can't stop the spoofing
    - there's nothing we can do other than to change his email address

    I don't want to believe that. Is there ANY way to stop spammers from faking my customer's email address and sending out their junk as him?

    Thanks very much for any thoughts / ideas!
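    To show what the SPF record described in this post actually decides at a receiver that checks it, here is an added example that is not part of the thread: a minimal evaluator for the `v=spf1 ip4:<address> -all` shape of record, with a documentation-range address standing in for the mail server. Only the mechanisms that record uses (ip4, ip6, all) are handled; a checking receiver gets "fail" for any other source IP, while a receiver that never checks SPF still accepts the forgery and its bounce goes to the forged address regardless.

```python
import ipaddress

# Constructed record in the shape the post describes; 192.0.2.25 is a
# documentation-range placeholder for the real mail server's address.
SPF_RECORD = "v=spf1 ip4:192.0.2.25 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate a minimal SPF v1 record against the IP that delivered the mail.

    Handles only ip4/ip6 mechanisms and 'all' (enough for the record in the
    post); a/mx/include/exists/redirect are deliberately not implemented.
    Returns 'pass', 'fail', 'softfail', 'neutral', or 'none' (no usable record).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                      # a mechanism without a prefix means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                    # 'all' matches every client, so it ends evaluation
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)  # bare address becomes /32 or /128
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"                         # no mechanism matched and no 'all' term


if __name__ == "__main__":
    for source in ("192.0.2.25", "198.51.100.7"):
        print(source, "->", evaluate_spf(SPF_RECORD, source))
```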
     
  2. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Unfortunately, other than setting up a tight SPF record, there isn't actually a lot that can be done. You could also move his email to a challenge-response system (eg postini) off your server, which could help control things until it stops.

    If you want to Google for more, this is called a "joe job".
     
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Indeed. The bounces are also known as "backscatter", which is something else you can search on. The best you can realistically do is to set up some email filters for the bounces and ride out the storm. I doubt SPF would actually make much difference at all with regard to the bounces; it would simply mean a few providers will mark it as possible spam to the recipients.
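    One way to build the bounce filter this reply suggests, as an added example that is not from the thread or from cPanel: a delivery status notification normally quotes the original message, and its Received chain shows whether that message ever passed through the customer's real mail server. The bounce text and the server IP below are constructed placeholders; the classifier flags reports whose quoted original never touched that server as backscatter, and leaves genuine bounces of the customer's own mail alone.

```python
import email
from email import policy

# Constructed placeholder for the one host that legitimately sends the customer's mail.
OUR_MAIL_SERVER_IP = "192.0.2.25"

# Constructed DSN quoting a forged original; its Received line names an unrelated host.
FORGED_BOUNCE = """\
From: MAILER-DAEMON@example.net
To: frog@nicetoyfrogs123.com
Subject: Undeliverable: cheap meds
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to victim@example.net failed.
--b1
Content-Type: message/rfc822

Received: from bot.example (203.0.113.9) by mx.example.net; Fri, 4 May 2007 10:00:00 +0000
From: frog@nicetoyfrogs123.com
To: victim@example.net
Subject: cheap meds

buy now
--b1--
"""


def quoted_original(bounce):
    """Return the original message a DSN quotes (full message/rfc822 part or
    a text/rfc822-headers part), or None if the report carries neither."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def classify_bounce(raw, our_ip=OUR_MAIL_SERVER_IP):
    """'not-a-bounce' for ordinary mail, 'genuine-bounce' when the quoted original
    went through our server, 'unverifiable' when nothing is quoted, else 'backscatter'."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        return "not-a-bounce"
    original = quoted_original(msg)
    if original is None:
        return "unverifiable"
    if any(our_ip in h for h in original.get_all("Received", [])):
        return "genuine-bounce"
    return "backscatter"
```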
     
  4. Metro2

    Metro2 Well-Known Member

    Joined:
    May 24, 2006
    Messages:
    376
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    Thanks guys, at least I know that I've done everything I can to help the customer.
     
  5. codegirl42

    codegirl42 Well-Known Member

    Joined:
    Mar 9, 2006
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    6
    this sounds like exactly what we're going through....
     
  6. VirtuaLira

    VirtuaLira Well-Known Member

    Joined:
    Feb 1, 2004
    Messages:
    148
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chile
    I have a similar problem... but....

    How does the "joe job" intruder know an email address?
    1) I never use the affected email account
    2) it was only created for test purposes... I never get email from people at this account, and never gave the address to anyone...
    3) ??? how ?

    Is this a cPanel/Exim issue? A bug? A vulnerability that gives away all the accounts hosted on the server and the email account names for spam use??... how does this happen??

    I really don't understand how something like that can happen.... I changed my server machine 2 times, and my ISP provider, different IP address... etc...

    Does someone know something about this problem?
     
  7. wardv

    wardv Member

    Joined:
    Aug 10, 2005
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    - a solution which helps in some cases: disable catch-all by setting the default e-mail address to bounce, and not to an e-mail mailbox. Most of the time spammers use random addresses for your domain name, so disabling catch-all helps a lot in this case.

    - it is possible to check the existence of an e-mail address just by trying to send an e-mail to an address on a particular server, but not actually 'sending' the e-mail - just probing. It is possible, if your e-mail address is generic, that 'someone' probed your e-mail domain with some generic e-mail addresses to check for a valid one.
     
  8. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Putting an email address on a web page is enough for the spammers to find it, don't know if that's a possibility.

    Changing servers won't help once the email address has escaped unfortunately.
     