Solved

My email address is being used as return address in spamming??!! Help.

Posted on 2007-04-01
17
5,341 Views
Last Modified: 2009-12-16
I don't know where to start. Please help me with answer or direct me to where I can be helped.
I am getting about 20-30 of the following every day. I am told that someone is using my email address as a return address in doing spamming. (My domain is registered with 1and1 and hosted with Lunarpages).
I would like this to stop. How can I get this to stop, short of cancelling that email address? Thanks.
The message I'm getting is:

From: "Mail Delivery System" <mailer-daemon@perfora.net>
To: <proxy465014@1and1-private-registration.com>
Sent: Sunday, March 25, 2007 10:36 AM
Subject: Mail delivery failed: returning message to sender


> This message was created automatically by mail delivery software.
>
> A message that you sent could not be delivered to one or more of
> its recipients. The following addresses failed:
>
>  <phil@vantagecrest.com>
>
> SMTP error from remote server after transfer of mail text:
> host vantagecrest.com[209.200.240.223]:
> 550 Administrative prohibition
>
>
> --- The header of the original message is following. ---
>
> Received-SPF: none (mxus0: 201.208.5.105 is neither permitted nor denied
>   by domain of 1and1-private-registration.com) client-ip=201.208.5.105;
>   envelope-from=proxy465014@1and1-private-registration.com;
>   helo=201-208-5-105.genericrev.cantv.net;
> Received: from [201.208.5.105] (helo=201-208-5-105.genericrev.cantv.net)
>   by mx.perfora.net (node=mxus0) with ESMTP (Nemesis),
>   id 0MKpe3-1HVXZw1qFx-0003om for
>   proxy465014@1and1-private-registration.com; Sun, 25 Mar 2007 14:36:32 -0400
> To: proxy465014@1and1-private-registration.com
> Message-ID: <0MKpe3-1HVXZw1qFx-0003om@mx.perfora.net>
> Date: Sun, 25 Mar 2007 14:36:32 -0400
> X-Spam-Flag: YES
Question by:spoowiz
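The bounce quoted in the question already contains the answer to "where do I start": the headers of the original message show which host actually handed the spam to 1and1's MX, and whether that host is one of yours. The following triage script is an added example, not part of the question or of any 1and1 tooling; it parses a constructed copy of the bounce above, unfolds the continuation lines, and pulls out the SPF result, the injecting client IP, the HELO name, the forged envelope sender and the remote server's rejection. MY_MAIL_HOSTS is a hypothetical set standing in for the reader's own mail server addresses (the 209.200.240.223 address is the vantagecrest.com host named in the bounce).

```python
"""Triage of a non-delivery report: find out who really injected the message."""
import re

# Constructed copy of the bounce quoted in the question (body and header portion).
BOUNCE = """\
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of
its recipients. The following addresses failed:

 <phil@vantagecrest.com>

SMTP error from remote server after transfer of mail text:
host vantagecrest.com[209.200.240.223]:
550 Administrative prohibition

--- The header of the original message is following. ---

Received-SPF: none (mxus0: 201.208.5.105 is neither permitted nor denied
  by domain of 1and1-private-registration.com) client-ip=201.208.5.105;
  envelope-from=proxy465014@1and1-private-registration.com;
  helo=201-208-5-105.genericrev.cantv.net;
Received: from [201.208.5.105] (helo=201-208-5-105.genericrev.cantv.net)
  by mx.perfora.net (node=mxus0) with ESMTP (Nemesis),
  id 0MKpe3-1HVXZw1qFx-0003om for
  proxy465014@1and1-private-registration.com; Sun, 25 Mar 2007 14:36:32 -0400
To: proxy465014@1and1-private-registration.com
Message-ID: <0MKpe3-1HVXZw1qFx-0003om@mx.perfora.net>
Date: Sun, 25 Mar 2007 14:36:32 -0400
X-Spam-Flag: YES
"""

# Hypothetical: the IP addresses of the reader's own outbound mail servers.
MY_MAIL_HOSTS = {"209.200.240.223"}

HEADER_MARKER = "--- The header of the original message is following. ---"


def unfold_headers(block):
    """Join RFC 5322 continuation lines (leading whitespace) onto their header line."""
    lines = []
    for line in block.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        elif line.strip():
            lines.append(line.rstrip())
    return lines


def triage_bounce(text):
    """Extract the facts a practitioner wants from a DSN: who failed, who injected it, SPF."""
    dsn_body, _, original_headers = text.partition(HEADER_MARKER)
    info = {
        "failed_recipients": re.findall(r"^\s*<([^>]+)>\s*$", dsn_body, re.M),
        "received": [],  # client IPs from Received: lines, top (latest hop) to bottom
    }
    status = re.search(r"^(\d{3}) (.*)$", dsn_body, re.M)
    info["remote_status"] = (status.group(1), status.group(2).strip()) if status else None

    for header in unfold_headers(original_headers):
        name, _, value = header.partition(":")
        name = name.strip().lower()
        if name == "received-spf":
            info["spf_result"] = value.split()[0]          # none / pass / fail / ...
            for key in ("client-ip", "envelope-from", "helo"):
                m = re.search(key + r"=([^;\s]+)", value)
                if m:
                    info[key] = m.group(1)
        elif name == "received":
            m = re.search(r"from\s+\[?([0-9.]+)\]?", value)
            if m:
                info["received"].append(m.group(1))
        elif name == "x-spam-flag":
            info["spam_flagged"] = value.strip().upper() == "YES"

    # The bottom-most Received: header is the hop closest to the real origin.
    injecting = info["received"][-1] if info["received"] else info.get("client-ip")
    info["injecting_ip"] = injecting
    info["sent_from_my_servers"] = injecting in MY_MAIL_HOSTS
    return info


if __name__ == "__main__":
    for key, value in triage_bounce(BOUNCE).items():
        print(f"{key}: {value}")
```

The check that matters is `sent_from_my_servers`: the injecting host is a cantv.net address, not one of the reader's servers, so no account or server of the reader was involved; only the envelope sender was forged, which is why changing the password changed nothing.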
17 Comments
 
LVL 16

Expert Comment

by:InteraX
Hello spoowiz,

Unfortunately, there is nothing you can do about this.

As SMTP will accept emails from anywhere regardless of the sending or reply-to address, spammers use lists of email addresses or even randomly generated email addresses as the from/reply-to address.

Regards,

InteraX
 
LVL 5

Expert Comment

by:suggestionstick
Hi


You could have a look at SPF. It uses DNS to check the allowed mail servers for sending email from a domain, before accepting email at the recipient's mail server. If a spammer tries to send an email using your email address, it will be rejected by the recipient's mail server.

Please note: not all mail servers are SPF aware yet.

http://www.openspf.org/

SPF is mentioned in the headers of your post, as a check on the recipient server:

Received-SPF: none (mxus0: 201.208.5.105 is neither permitted nor denied
  by domain of 1and1-private-registration.com) client-ip=201.208.5.105;

Trev.
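To make the SPF check above concrete: the receiving MX (mx.perfora.net) looked up the envelope-from domain, 1and1-private-registration.com, found no v=spf1 record, and so recorded "none" and had nothing to reject on. The evaluator below is an added example, not code from this post or from openspf.org, and a deliberately minimal subset of RFC 7208 (ip4, a, include and all, with qualifiers; no mx, ptr, exists, redirect or macros). The DNS table is constructed: the record for vantagecrest.com is hypothetical and lists the 209.200.240.223 host from the bounce as its only sender, while 1and1-private-registration.com is given no SPF record at all, reproducing the header in the question.

```python
"""Minimal SPF (RFC 7208 subset) evaluator over a constructed DNS table."""
import ipaddress

# Constructed stand-in for DNS. The vantagecrest.com policy is hypothetical;
# 1and1-private-registration.com publishes no v=spf1 record, as the bounce header shows.
DNS = {
    "vantagecrest.com": {
        "TXT": ["v=spf1 ip4:209.200.240.223 include:_spf.example-relay.net -all"],
        "A": ["209.200.240.223"],
    },
    "_spf.example-relay.net": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "1and1-private-registration.com": {"A": ["203.0.113.10"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 4.6.4: limit on mechanisms that need DNS (a, mx, include, ...)


def spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None if absent or ambiguous."""
    recs = [t for t in DNS.get(domain, {}).get("TXT", []) if t.startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def ip_in(client_ip, network):
    """True if client_ip falls inside network (a bare address means /32)."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(network, strict=False)


def check_host(client_ip, domain, _lookups=None):
    """Evaluate SPF for a client that claims MAIL FROM <...@domain>."""
    if _lookups is None:
        _lookups = [0]
    record = spf_record(domain)
    if record is None:
        return "none"                     # nothing published: the MX cannot act on it
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip_in(client_ip, arg)
        elif mech == "a":
            _lookups[0] += 1
            target = arg or domain
            matched = any(ip_in(client_ip, a) for a in DNS.get(target, {}).get("A", []))
        elif mech == "include":
            _lookups[0] += 1
            sub = check_host(client_ip, arg, _lookups)
            if sub == "pass":
                matched = True
            elif sub in ("none", "permerror"):
                return "permerror"        # RFC 7208 5.2: included domain must have a record
            elif sub == "temperror":
                return "temperror"
            # fail / softfail / neutral from an include simply do not match
        else:
            return "permerror"            # unknown mechanism (mx, ptr, exists not modelled)
        if _lookups[0] > MAX_DNS_LOOKUPS:
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                      # fell off the end: implicit "?all"


if __name__ == "__main__":
    # The situation in the bounce: forged sender at a domain with no SPF record.
    print(check_host("201.208.5.105", "1and1-private-registration.com"))  # none
    # The same forgery against a domain that does publish a -all policy.
    print(check_host("201.208.5.105", "vantagecrest.com"))                # fail
```

With a record ending in `-all`, the same forged envelope from 201.208.5.105 evaluates to "fail", which a receiving MX can turn into a 550 at the MAIL FROM stage instead of accepting the message and bouncing it later. Without a record the result is "none" for every client, including the domain's own hosts, so publishing nothing protects nobody.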
 
LVL 38

Expert Comment

by:younghv
Hello spoowiz,

It looks as though 'suggestionstick' has found a method around the old 'Spoofing' problem.
Give it a go and post back the results.
It will be great if that works.

Regards,

Vic
 

Author Comment

by:spoowiz
From what I am told, my mail server is not being used, only my email as the "reply address"... thus changing the password on my account didn't help either. So if that's the case, SPF wouldn't help either, right?
 
LVL 38

Expert Comment

by:younghv
I wrote this piece on 'Spoofing' several years ago and everything I said then is still true - and you're right, I don't think SPF will help.

Vic

SPOOFING EXPLAINED
The malware ‘writers’ out there are continually improving the programs they write and – unfortunately – we all suffer for it.

Many of the current versions will infect a computer and then search the entire hard drive for names and email addresses. It will also search the ‘Default’ address setting in the email program.

The virus/worm will select a name at random and then, pretending (SPOOFING) to be that random person, send out messages to all of the other names in the PAB.

It will also randomly pick the name of a file in your computer and use that as the ‘Subject’ of the message.

This process of randomly selecting a name and then sending messages (with random Subject lines) to all of the other names will continue until proper Anti-virus actions are taken.

In sequence, the process looks like this:

1.   Infect a computer.
2.   Search for any email addresses.
3.   Pick a name – any name – and assume that email identity.
4.   Pick a file name and make that the ‘Subject’ of the message.
5.   Send messages to all other email addresses on computer.
6.   Repeat steps 2-5.
7.   Keep repeating steps 2-5 until the owner of the computer finally updates their Anti-virus program, or forever.  Whichever comes first.
 
LVL 36

Expert Comment

by:grblades
Publishing an SPF record is about the only thing you can do.
It won't stop the spammer sending mail pretending to be from your address, but it will make it far more likely that it will be detected as spam at the other end, which the spammer won't like. Therefore publishing an SPF record will deter spammers from using your address in future.
 

Author Comment

by:spoowiz
When I brought this issue to 1and1 a couple of weeks ago, I was told there was nothing I could do. I brought this issue again today to 1and1 and they're now telling me different. I guess there have been more complaints. It appears that the spammers are using the proxy address, created when I made my domain "private". So now they are doing something about it. I'll keep you all posted on what goes on.
Thanks.
 

Author Comment

by:spoowiz
This is the summary msg from tech support. I'll continue to keep you posted.

The root of this problem is unfortunately spammers. I will outline what happened for you. Someone spoofed the proxy e-mail address (proxyxxxxx@1and1-private-registration.com) in your domain's WHOIS record. This means that they sent an e-mail and made it seem as if it came from that proxy e-mail. They then sent it to your same proxy e-mail address, which automatically gets forwarded on to your yahoo, msn, gmail, etc. account. However, this message was flagged as spam by us, and thus the forwarded mail server rejected it when it was automatically forwarded. We then sent an automatic notification to the sender that sending the message failed, which in this case was your proxy address, which was then forwarded on to your yahoo account. Our admins are aware of this problem and are working to fix it. We do apologize for the inconvenience that this is causing you, and we thank you for your patience in this matter.
 
LVL 38

Expert Comment

by:younghv
Spoofing continues unabated.
Sometimes the 'Worm' causing the spoofing is a computer program and sometimes the worm is a person.

Vic
 
LVL 7

Accepted Solution

by:tymes (earned 500 total points)
Hello Phil.

What is really happening is spam is trying to be delivered to your proxy465014@1and1-private-registration email address which 1and1 and their stupid private registration hosts. It isn't spammers who are doing it... it is 1and1 who are changing SMTP FROM: badly.

1and1 accepts the mail and attempts to deliver the message to you, but they always rewrite the SMTP envelope: 1and1 uses your alias/proxy email address <proxy465014@1and1-private-registration> (the same address it just accepted mail for) and then tries to relay it to your server and <phil@vantagecrest>.

Your server blocks the spam and it gets bounced to your proxy 1and1 private registration address, which 1and1 used in the SMTP envelope address of the relay attempt.

so... originally...
SMTP FROM:<joespammer@yahoo.com> TO <proxy@1and1>  == 1and1 accepts.
SMTP FROM:<proxy@1and1> TO <phil@vantagecrest>  == your server bounces as spam.
1and1 thinks oh, error?! let's notify the sender.... I'm 1and1 and really dumb.
SMTP FROM:<proxy@1and1> TO <proxy@1and1> == 1and1 now creates error message.
SMTP FROM:<proxy@1and1> TO <phil@vantagecrest> == error message you see.
your server now is the recipient of a cleaned error message that isn't spammy which you get.

They could avoid this by not spoofing your proxy email address, but I've seen other relaying examples of this where subsequent bounces continue to use the same address, so each message would bounce about 30 times back to itself in a loop (growing in size). They could use SMTP MAIL FROM: <> and it wouldn't bounce at all, but you may never get the messages and the senders wouldn't know (like it would be important haha). Instead 1and1 should have a proper proxy service for this that will bounce back dud error messages to the sender after attempting delivery, using something like SRS. They should just ensure your server info or email address isn't evident in the bounces -- as it is, the sender doesn't get the error messages it doesn't if it's not clean (you currently see your server info and email address). So currently the only good thing is that spammers can't probe and somehow get the email address protected by your proxy private registration email address (unless you post it here on the internet -- not so good).

It wouldn't be very difficult for them to fix this, but for you to fix this, just stop using (their) private registration and create a new email address <domains@vantagecrest> and use that for whois.  Crank up the spam filter protection on your own alias address or change it often (or when you change it, use old addresses as spamtraps -- haha).  

See if you can get a refund for private registration... haha. After all, it didn't protect you from spam, as for every spam you didn't get, you got blowback instead! And so the actual number of messages was actually doubled (as they ended up in your spam filters).

Of course there are sophisticated services with better spam protection and blowback protection and lots of stuff that free email you get from wholesale domain registrars can't provide.  Those will resolve not only this issue but other problems other people here have referenced.  I personally like regenerating domain contacts that change every month and are only valid for a few months.

So, I wouldn't use any of the private registration stuff out there as it only serves to give registrars more money and to protect spammers and then registrars probably don't mind the side effect of keeping spammers hidden allowing them to get domains with fewer trails.  If you are a real person with a normal domain don't hide but fight -- stay away from bulk registrars or service that is bad.  (perhaps another private registration service works but whatever).
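The accepted answer comes down to one mechanism: when a forwarder relays mail, the address it puts in MAIL FROM is the address that gets the bounce. Putting the alias there sends every rejection back through the alias to the person behind it (the backscatter described above); a Sender Rewriting Scheme (SRS) address instead encodes the original sender, signed with a key only the forwarder knows, so the bounce can be routed back to whoever really sent the message and forged or stale bounce addresses can be refused. The code below is an added example written for this page, not 1and1's implementation; it follows the SRS0 address layout (SRS0=hash=timestamp=original-host=original-local@forwarder) from the SRS specification. The secret key, the 21-day validity window and the alias table are constructed for the example.

```python
"""SRS0 sender rewriting for a forwarding MTA, contrasted with alias-as-sender forwarding."""
import base64
import hashlib
import hmac

# Hypothetical values for the example; a real forwarder keeps the secret private.
SRS_SECRET = b"constructed-example-secret"
FORWARDER = "1and1-private-registration.com"      # the forwarding domain from the thread
FORWARD_TABLE = {                                 # alias -> real mailbox, as the thread describes
    f"proxy465014@{FORWARDER}": "phil@vantagecrest.com",
}
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
MAX_AGE_DAYS = 21                                 # bounces older than this are refused


def srs_timestamp(day_number):
    """Two base32 characters encoding the day number modulo 1024 (10 bits)."""
    return B32[(day_number >> 5) & 31] + B32[day_number & 31]


def srs_hash(timestamp, host, local):
    """First four base64 chars of HMAC-SHA1 over the case-folded rewritten fields."""
    msg = (timestamp + host + local).lower().encode()
    return base64.b64encode(hmac.new(SRS_SECRET, msg, hashlib.sha1).digest())[:4].decode()


def srs_forward(envelope_from, day_number):
    """Rewrite MAIL FROM before relaying. The null sender <> is left alone: DSNs never bounce."""
    if envelope_from == "":
        return ""
    local, host = envelope_from.rsplit("@", 1)
    if host == FORWARDER and local.startswith("SRS0="):
        return envelope_from                      # already ours; do not nest SRS0 inside SRS0
    ts = srs_timestamp(day_number)
    return f"SRS0={srs_hash(ts, host, local)}={ts}={host}={local}@{FORWARDER}"


def srs_reverse(srs_address, today):
    """Recover the original sender from one of our SRS0 addresses, or raise ValueError."""
    local, host = srs_address.rsplit("@", 1)
    if host != FORWARDER or not local.startswith("SRS0="):
        raise ValueError("not one of our SRS addresses")
    parts = local[5:].split("=", 3)
    if len(parts) != 4 or len(parts[1]) != 2 or any(c not in B32 for c in parts[1]):
        raise ValueError("malformed SRS0 address")
    digest, ts, orig_host, orig_local = parts
    if not hmac.compare_digest(digest, srs_hash(ts, orig_host, orig_local)):
        raise ValueError("bad hash: forged or tampered SRS address")
    stamped = (B32.index(ts[0]) << 5) | B32.index(ts[1])
    if (today - stamped) % 1024 > MAX_AGE_DAYS:
        raise ValueError("SRS timestamp expired")
    return f"{orig_local}@{orig_host}"


def bounce_recipient(return_path, today):
    """Where a DSN addressed to return_path ends up at the forwarder; None means reject it."""
    local, host = return_path.rsplit("@", 1)
    if host == FORWARDER and local.startswith("SRS0="):
        try:
            return srs_reverse(return_path, today)          # back to the real originator
        except ValueError:
            return None                                     # refuse at RCPT TO, no relay
    return FORWARD_TABLE.get(return_path, return_path)      # plain alias: forwarded onward


if __name__ == "__main__":
    day = 13600
    spammer = "joespammer@example.net"                      # constructed spam sender
    # What the thread describes: MAIL FROM set to the alias, so the bounce reaches the victim.
    print("alias as sender ->", bounce_recipient(f"proxy465014@{FORWARDER}", day))
    # With SRS the bounce decodes back to the originator and never touches the alias.
    rewritten = srs_forward(spammer, day)
    print("SRS sender      ->", rewritten, "->", bounce_recipient(rewritten, day + 1))
```

The hash is what turns the scheme from an encoding into a control: a spammer who tries to mint SRS0 addresses pointing at a third party fails the HMAC check, and a bounce arriving weeks later fails the timestamp check, so the forwarder cannot be used to launder bounces to arbitrary victims. Note that this fixes the backscatter, not the information leak tymes also raises: the bounce body still quotes the final destination unless the forwarder strips it.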
 
LVL 5

Expert Comment

by:suggestionstick
Hi

Have you tried implementing SPF yet? It will stop the spammers using your email address; in this case they still would be sending the SPAM from a mail server that is not listed in the SPF records as an allowed mail server for your domain.

Trev.
 
LVL 7

Expert Comment

by:tymes
Like I said, this isn't a random spammer spoofing his email address... this is 1and1 spoofing their own proxy addresses which is an alias for his address.  The best solution is to stop and cancel 1and1-private-registration and indeed cancel the affected address (except that address is not <phil@vantagecrest.>, it is <proxy465014@1and1-private-registration.>).

So SPF isn't applicable for this problem, SRS would be.
 
LVL 5

Expert Comment

by:suggestionstick
Hi


tymes: I have read your post and I agree. I was basing my opinion on the tech support snippet:

"The root of this problem is unfortunately spammers. I will outline what happened for you. Someone spoofed the proxy e-mail address (proxyxxxxx@1and1-private-registration.com) in your domain's WHOIS record. This means that they sent an e-mail and made it seem as if it came from that proxy e-mail."

spoowiz: SPF will not solve this issue, as the sending (forwarding) server actually belongs to "1and1-private-registration" and what you see is the error message when it fails to forward the original SPAM to phil@vantagecrest (as per tymes' post). SPF only works when spammers use your email address to send spam; for this email they have not.
Tymes seems to have this one all figured out. Full points to Tymes.
 
LVL 7

Expert Comment

by:tymes
The tech support people at 1and1 who told you that don't realize the spammers didn't spoof the proxy address; it's their own inept system that does that, and 1and1 is completely at fault. So they shouldn't be blaming the spammers... as it is 1and1 who are using <proxyxxxxx@1and1-private-registration> to send mail.

Like I said, it could be easy for 1and1 to use something like SRS so the spammers got the error message (as they should) and so it wouldn't get looped back to your proxy address.

So, don't let the 1and1 tech people off the hook, get them to upgrade and fix their system or stop using that aspect of their service which again only doubles the amount of junk you get.
 

Author Comment

by:spoowiz
I've emailed tech support to this link. I'll keep you posted.
 

Author Comment

by:spoowiz
The following are the latest communication with tech support... arrgh!!

> Thank you for contacting us.
> I apologize for the misinformation you were given, the issue has nothing to do with our servers. I have enclosed some simple solutions to the issue that will not cost you anything to set up.
>
> The root of this problem unfortunately is spammers. I will outline what happened for you. Someone spoofed the proxy e-mail address PROXYADDRESS in your domain's WHOIS record. This means that they sent an e-mail and made it seem as if it came from that proxy e-mail. They then sent it to your same proxy e-mail address, which automatically gets forwarded on to your EMAILPROVIDER account. However this message was flagged as spam by us, and thus the EMAILPROVIDER mail server rejected it when it was automatically forwarded. We then sent an automatic notification to the sender that sending the message failed, which in this case was listed as your proxy address, which was then forwarded on to your EMAILPROVIDER account without a spam flag set because usually this notification is a valid message, so it got through to you.
>
> This problem is something that is not caused nor endorsed by us, is experienced on the Internet as a whole, and due to the nature of the technology that runs mailservers is unavoidable once it happens. There is a way, however, to stop these e-mails coming to you, which I will explain. You would have to manually change the proxy e-mail address from a forwarding address to a regular e-mail inbox, which will stop these messages from being generated and sent to your inbox. To do this, enter the E-mail administration section of your Control Panel, select the proxy e-mail address PROXYADDRESS by checking the checkbox next to it, pull down the "Settings" menu, and click "Mailbox/Forward". Then on the page that loads set the type from "Forward" to "Mailbox". You will have to set up a password for the mailbox, which you will then be able to either access via our Webmail application or you may set up a desktop mail client such as Outlook to access the mail. Make sure that you set up spam filtering for this address as it has already been the victim of spoofing, specifically to not block e-mails from itself, but to place messages from itself in the spam folder or delete them. Please note that this e-mail address is very important at your domain and if you change it to a regular mailbox you will not be receiving any e-mail from this address to your EMAILPROVIDER account, and thus you will need to check this mailbox regularly to make sure that you are not leaving any important communications regarding your domain name unread. Concerning what I have suggested, you can of course call our Technical Support team to help you at (877) 435-7281 / 0870 24 11 247 should you wish to go through with it. We do apologize for the inconvenience that this is causing you.
>
> If you have any further questions please do not hesitate to contact us.
>
> --
> Sincerely,
> Paul Cunningham
> Technical Support
> 1&1 Internet
>
>> Last tech support info acknowledges that the problem is on your end at 1and1.
>> Why do I have to pay extra to solve a problem on your end?
>>
>> ----- Original Message -----
>> From: <support@1and1.com>
>> Sent: Wednesday, April 04, 2007 8:19 PM
>> Subject: Re: C70948096 - 1&1 Internet Support proxy e-mail bounce back
>>
>>
>>> Thank you for contacting us.
>>>
>>> Yes, actually you can use this as a solution on the issue of email spoofing. As I checked on the link, it will cost you if you subscribe to the solutions that they will give.
>>>
>>> If you have any further questions please do not hesitate to contact us.
 
LVL 7

Expert Comment

by:tymes
Ok, so I've done some tests and 1and1 is now using SRS to rewrite senders, but they don't use SPF for their own @1and1-private-registration.com address and they will forward it, so spammers can spoof that address and it will act as we described.

Furthermore... their 1and1-private-registration.com is only using regular SRS to send mail so it isn't shielding your "private" address or server details so spammers who don't spoof your address will be able to determine your real address if the message bounces by looking at the error message.

They still need to improve it a bit in order for it to properly act as advertised and protect your private information

So while it isn't 100% bad, they are batting 1 for 3 (33%)... they don't protect themselves from spoofing, they will reveal private information and they do allow email harvesting. So ultimately it is still not worth paying any money for this wonderful service.