Mailing List Archive

Someone in China is using an address@my domain as a from address!
Over the last day I've been getting returned mails from AOL systems for invalid
addresses. The problem is that some spammer in China made up a userid at
one of my domains and used that as the from address for those emails. I can
live with what I hope is going to be a short run of "returned" emails, but
I'm more concerned about what this does for the image of that domain. I'd be
even more concerned if the blacklists were still operational (whose existence
I was otherwise very happy with).

Is there anything I can/should do about this or just ride it out?

Steve
Re: Someone in China is using an address@my domain as a from address!
Steve Prior <sprior@geekster.com> wrote:

> Over the last day I've been getting returned mails from AOL systems for invalid
> addresses. The problem is that some spammer in China made up a userid at
> one of my domains and used that as the from address for those emails. I can
> live with what I hope is going to be a short run of "returned" emails, but
> I'm more concerned about what this does for the image of that domain. I'd be
> even more concerned if the blacklists were still operational (whose existence
> I was otherwise very happy with).

The people who run blocklists (at least those anyone pays
attention to) are smart enough to understand that e-mail
forgery is easy. The lists are based on the IP addresses the
mail actually comes from, not the meaningless "From:" lines.

The bounces are annoying, but I don't think you need to worry
about your reputation. It happens to everyone.

--
Keith C. Ivey <kcivey@cpcug.org>
Washington, DC
RE: Someone in China is using an address@my domain as a from address!
It's happening at a domain I own as well. I have 3 accounts set up on it
for testing. I'm getting about 1500 bounces a week right now. So far
AOL itself hasn't complained to me, as they are probably aware that the
emails are coming from random outside and unrelated sources.

It seems that AOL doesn't do any type of reverse lookup on their
incoming email. This would probably solve this problem if they did.

Gary


-----Original Message-----
From: Steve Prior [mailto:sprior@geekster.com]
Sent: Tuesday, February 24, 2004 7:01 AM
To: Spamassassin List
Subject: Someone in China is using an address@my domain as a from address!

Over the last day I've been getting returned mails from AOL systems for invalid
addresses. The problem is that some spammer in China made up a userid at
one of my domains and used that as the from address for those emails. I can
live with what I hope is going to be a short run of "returned" emails, but
I'm more concerned about what this does for the image of that domain. I'd be
even more concerned if the blacklists were still operational (whose existence
I was otherwise very happy with).

Is there anything I can/should do about this or just ride it out?

Steve
Re: Someone in China is using an address@my domain as a from address!
Steve

This is called a "Joe Job" and I'm sure there are a few links out on
'net that will help in riding out the storm.

I know of several organisations that have been hit hard by this
problem, so there should hopefully be a body of knowledge on handling the
problem - once you get the correct nomenclature, of course.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


Steve Prior wrote:
> Over the last day I've been getting returned mails from AOL systems for invalid
> addresses. The problem is that some spammer in China made up a userid at
> one of my domains and used that as the from address for those emails. I can
> live with what I hope is going to be a short run of "returned" emails, but
> I'm more concerned about what this does for the image of that domain. I'd be
> even more concerned if the blacklists were still operational (whose existence
> I was otherwise very happy with).
>
> Is there anything I can/should do about this or just ride it out?
>
> Steve
>

RE: Someone in China is using an address@my domain as a from address!
Gary Smith <gary@primeexalia.com> wrote:

> It seems that AOL doesn't do any type of reverse lookup on their
> incoming email. This would probably solve this problem if they did.

I believe AOL (at least sometimes) does do a reverse lookup and
refuses to accept mail from servers that have no PTR record. I
don't understand why you think reverse lookups would solve the
problem. It is not at all true that mail for a particular
domain is always sent out through servers that have PTR records
in that domain. For example, cs.com and netscape.net mail goes
through aol.com servers, and there's nothing wrong with that.

--
Keith C. Ivey <kcivey@cpcug.org>
Washington, DC
Re: Someone in China is using an address@my domain as a from address!
"Keith C. Ivey" <kcivey@cpcug.org> writes:

> I believe AOL (at least sometimes) does do a reverse lookup and
> refuses to accept mail from servers that have no PTR record. I
> don't understand why you think reverse lookups would solve the
> problem. It is not at all true that mail for a particular
> domain is always sent out through servers that have PTR records
> in that domain. For example, cs.com and netscape.net mail goes
> through aol.com servers, and there's nothing wrong with that.

As AOL publish SPF records for their outgoing mail, it is a pity that
they do not do SPF checking of incoming mail.
RE: Someone in China is using an address@my domain as a from address!
When I look at the source messages for some of the bounce-backs, the HELO that was issued was not a domain name. They did do a reverse lookup (so I guess I misstated the problem), but the sender domain wasn't valid. So what AOL really needs to do is reject_unknown_sender_domain & reject_non_fqdn_sender. Given the message fragment below, you will note that the sender domain is "hjnxg".

Received: from rly-yh05.mx.aol.com (rly-yh05.mail.aol.com [172.18.180.69]) by str-m02.mail.aol.com (v92.16) with ESMTP id RELAYIN8-9403b31161b2; Tue, 24 Feb 2004 06:10:14 2000
Received: from hjnxg (cmr-81-9-177-248.telecable.es [81.9.177.248]) by rly-yh05.mx.aol.com (v98.5) with ESMTP id MAILRELAYINYH54-2ca403b30f1a0; Tue, 24 Feb 2004 06:09:43 -0500
From: Valentina <Nellieywpvhxhnhjhb@adndrealm.net>
Reply-To: <Nellieywpvhxhnhjhb@adndrealm.net>
To: "Dann Zou" <ZEBIRIA@aol.com>
Subject: Grow Young3r and loos3_- weight-!
Date: Tue, 24 Feb 2004 10:59:50 -0500
Message-Id: <veyehjkxcxglr@adndrealm.net>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="xmvverrth_1077638427"
X-AOL-IP: 81.9.177.248
X-AOL-SCOLL-SCORE: 0:XXX:XX
X-AOL-SCOLL-URL_COUNT: 0

-----Original Message-----
From: Keith C. Ivey [mailto:kcivey@cpcug.org]
Sent: Tue 2/24/2004 7:14 AM
To: spamassassin-users@incubator.apache.org
Cc:
Subject: RE: Someone in China is using an address@my domain as a from address!



Gary Smith <gary@primeexalia.com> wrote:

> It seems that AOL doesn't do any type of reverse lookup on their
> incoming email. This would probably solve this problem if they did.

I believe AOL (at least sometimes) does do a reverse lookup and
refuses to accept mail from servers that have no PTR record. I
don't understand why you think reverse lookups would solve the
problem. It is not at all true that mail for a particular
domain is always sent out through servers that have PTR records
in that domain. For example, cs.com and netscape.net mail goes
through aol.com servers, and there's nothing wrong with that.

--
Keith C. Ivey <kcivey@cpcug.org>
Washington, DC
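Added example, not written by anyone in this thread: a Python reimplementation of the envelope checks Gary names (reject_unknown_sender_domain, reject_non_fqdn_sender) plus the matching HELO check, applied to the HELO name "hjnxg" from the Received: header quoted above. The restriction names are real Postfix settings; the FQDN regex, the DNS lookup table (constructed, not real DNS results) and the sample envelopes are assumptions so the code runs offline.

```python
import re

# Added example: Postfix-style SMTP envelope restrictions reimplemented in
# Python. The three restriction names are real Postfix settings; the regex,
# the DNS table and the sample envelopes are constructed for illustration.

# "Fully qualified" here means dotted labels ending in an alphabetic TLD
# (a simplification of RFC 1035 hostname syntax).
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)

# Constructed stand-in for "does this domain have an MX or A record";
# sample results only, not real DNS data.
SAMPLE_DNS = {"geekster.com": True, "aol.com": True, "nosuchdomain.example": False}


def is_fqdn(name):
    return FQDN_RE.match(name) is not None


def sender_domain(mail_from):
    """Domain part of an envelope sender such as '<user@example.com>', or None."""
    addr = mail_from.strip().strip("<>")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def check_envelope(helo, mail_from, resolves=lambda d: SAMPLE_DNS.get(d, False)):
    """Return (accept, reason) for one SMTP envelope.

    Checks run in the order shown: HELO name, then MAIL FROM syntax, then
    whether the sender domain resolves. The null sender '<>' carries
    bounces (the messages Steve is receiving) and must stay acceptable,
    since it has no domain to check.
    """
    if not is_fqdn(helo):
        return False, "reject_non_fqdn_helo_hostname: " + helo
    if mail_from.strip() in ("", "<>"):
        return True, "accept (null sender, bounce)"
    domain = sender_domain(mail_from)
    if domain is None or not is_fqdn(domain):
        return False, "reject_non_fqdn_sender: " + mail_from
    if not resolves(domain):
        return False, "reject_unknown_sender_domain: " + domain
    return True, "accept"
```

Note that these checks look at the SMTP envelope (HELO and MAIL FROM), not the message's From: header, so they would not have stopped a forgery that uses a valid domain like Steve's with a legitimate HELO name; that is what SPF, mentioned earlier in the thread, addresses.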