My email address is being used as return address in spamming??!! Help.

I don't know where to start. Please help me with answer or direct me to where I can be helped.
I am getting about 20-30 of the following every day. I am told that someone is using my email address as a return address in doing spamming. (My domain is registered with 1and1 and hosted with Lunarpages).
I would like this to stop. How can I get this to stop, short of cancelling that email address? Thanks.
The message I'm getting is:

From: "Mail Delivery System" <mailer-daemon@perfora.net>
To: <proxy465014@1and1-private-registration.com>
Sent: Sunday, March 25, 2007 10:36 AM
Subject: Mail delivery failed: returning message to sender


> This message was created automatically by mail delivery software.
>
> A message that you sent could not be delivered to one or more of
> its recipients. The following addresses failed:
>
>  <phil@vantagecrest.com>
>
> SMTP error from remote server after transfer of mail text:
> host vantagecrest.com[209.200.240.223]:
> 550 Administrative prohibition
>
>
> --- The header of the original message is following. ---
>
> Received-SPF: none (mxus0: 201.208.5.105 is neither permitted nor denied
> by domain of 1and1-private-registration.com) client-ip=201.208.5.105;
> envelope-from=proxy465014@1and1-private-registration.com;
> helo=201-208-5-105.genericrev.cantv.net;
> Received: from [201.208.5.105] (helo=201-208-5-105.genericrev.cantv.net)
> by mx.perfora.net (node=mxus0) with ESMTP (Nemesis),
> id 0MKpe3-1HVXZw1qFx-0003om for
> proxy465014@1and1-private-registration.com; Sun, 25 Mar 2007
> 14:36:32 -0400
> To: proxy465014@1and1-private-registration.com
> Message-ID: <0MKpe3-1HVXZw1qFx-0003om@mx.perfora.net>
> Date: Sun, 25 Mar 2007 14:36:32 -0400
> X-Spam-Flag: YES
spoowizAsked:

InteraXCommented:
Hello spoowiz,

Unfortunately, there is nothing you can do about this.

As SMTP will accept emails from anywhere regardless of the sending or reply to address, spammers use lists of email addresses or even randomly generated email addresses as the from/reply to address.

Regards,

InteraX
0
suggestionstickCommented:
Hi


You could have a look at SPF. It uses DNS to check the allowed mail servers for sending email from a domain, before accepting email at the recipient's mail server. If a spammer tries to send an email using your email address, it will be rejected by the recipient's mail server.

Pls note: not all mail servers are SPF aware yet.

http://www.openspf.org/

SPF is mentioned in the headers of your post, as a check on the recipient server.

> Received-SPF: none (mxus0: 201.208.5.105 is neither permitted nor denied
> by domain of 1and1-private-registration.com) client-ip=201.208.5.105;

Trev.
0
younghvCommented:
Hello spoowiz,

It looks as though 'suggestionstick' has found a method around the old 'Spoofing' problem.
Give it a go and post back the results.
It will be great if that works.

Regards,

Vic
0
spoowizAuthor Commented:
From what I am told, my mail server is not being used. Only my email as "reply address"... thus changing password on my account didn't help either. So if that's the case,  SPF wouldn't help either, right?
0
younghvCommented:
I wrote this piece on 'Spoofing' several years ago and everything I said then is still true - and you're right, I don't think SPF will help.

Vic

SPOOFING EXPLAINED
The malware ‘writers’ out there are continually improving the programs they write and – unfortunately – we all suffer for it.

Many of the current versions will infect a computer and then search the entire hard drive for names and email addresses. It will also search the ‘Default’ address setting in the email program.

The virus/worm will select a name at random and then pretending (SPOOFING) to be that random person, send out messages to all of the other names in the PAB. 

It will also randomly pick the name of a file in your computer and use that as the ‘Subject’ of the message.

This process of randomly selecting a name and then sending messages (with random Subject lines) to all of the other names will continue until proper Anti-virus actions are taken.

In sequence, the process looks like this:

1.   Infect a computer.
2.   Search for any email addresses.
3.   Pick a name – any name – and assume that email identity.
4.   Pick a file name and make that the ‘Subject’ of the message.
5.   Send messages to all other email addresses on computer.
6.   Repeat steps 2-5.
7.   Keep repeating steps 2-5 until the owner of the computer finally updates their Anti-virus program, or forever.  Whichever comes first.
0
grbladesCommented:
Publishing an SPF is about the only thing you can do.
It won't stop the spammer sending mail pretending to be from your address but it will make it far more likely that it will be detected as spam at the other end, which the spammer won't like. Therefore publishing an SPF will deter spammers from using your address in future.
0
spoowizAuthor Commented:
When I brought this issue to 1and1 a couple of weeks ago, I was told there was nothing I could do. I brought this issue again today to 1and1 and they're now telling me different. I guess there's been more complaints. It appears that the spammers are using the proxy address, created when I made my domain "private".  So now they are doing something about it. I'll keep you all posted on what goes on.
Thanks.
0
spoowizAuthor Commented:
This is the summary msg from tech support. I'll continue to keep you posted.

The root of this problem is unfortunately spammers.  I will outline what
happened for you.  Someone spoofed the proxy e-mail address
(proxyxxxxx@1and1-private-registration.com) in your domain's WHOIS
record.  This means that they sent an e-mail and made it seem as if it
came from that proxy e-mail.  They then sent it to your same proxy
e-mail address, which automatically gets forwarded on to your yahoo,
msn, gmail, etc. account.  However, this message was flagged as spam by
us, and thus the forwarded mail server rejected it when it was
automatically forwarded.  We then sent an automatic notification to the
sender that sending the message failed, which in this case was your
proxy address, which was then forwarded on to your yahoo account.  Our
admins are aware of this problem and are working to fix it. We do
apologize for the inconvenience that this is causing you, and we thank
you for your patience in this matter.
0
younghvCommented:
Spoofing continues unabated.
Sometimes the 'Worm' causing the spoofing is a computer program and sometimes the worm is a person.

Vic
0
tymesCommented:
Hello Phil.

What is really happening is spam is trying to be delivered to your proxy465014@1and1-private-registration email address which 1and1 and their stupid private registration hosts.  It isn't spammers who are doing it... it is 1and1 who are changing SMTP FROM: badly.

1and1 accepts the mail and attempts to deliver the message to you but they always rewrite the SMTP envelope and 1and1 uses your alias/proxy email address <proxy465014@1and1-private-registration> (the same address it just accepted mail for) and then tries to relay it to your server and <phil@vantagecrest>.

Your server blocks the spam and it gets bounced to your proxy 1and1 private registration address which 1and1 used in the SMTP envelope address of the relay attempt.

so... originally...
SMTP FROM:<joespammer@yahoo.com> TO <proxy@1and1>  == 1and1 accepts.
SMTP FROM:<proxy@1and1> TO <phil@vantagecrest>  == your server bounces as spam.
1and1 thinks oh, error?! let's notify the sender.... I'm 1and1 and really dumb.
SMTP FROM:<proxy@1and1> TO <proxy@1and1> == 1and1 now creates error message.
SMTP FROM:<proxy@1and1> TO <phil@vantagecrest> == error message you see.
your server now is the recipient of a cleaned error message that isn't spammy which you get.

They could avoid this by not spoofing your proxy email address, but I've seen other relaying examples of this where subsequent bounces continue to use the same address so each message would bounce about 30 times back to itself in a loop (growing in size).  They could use SMTP MAIL FROM: <> and it wouldn't bounce at all, but you may never get the messages and the senders wouldn't know (like it would be important haha).  Instead 1and1 should have a proper proxy service for this that will bounce back dud error messages to the sender after attempting delivery using something like SRS.  They should just ensure your server info or email address isn't evident in the bounces -- as it is the sender doesn't get the error messages it doesn't if it's not clean (you currently see your server info and email address).  So currently the only good thing is that spammers can't probe and somehow get the email address protected by your proxy private registration email address.  (unless you post it here on the internet -- not so good).

It wouldn't be very difficult for them to fix this, but for you to fix this, just stop using (their) private registration and create a new email address <domains@vantagecrest> and use that for whois.  Crank up the spam filter protection on your own alias address or change it often (or when you change it, use old addresses as spamtraps -- haha).  

See if you can get a refund for private registration... haha.  After all it didn't protect you from spam as for every spam you didn't get, you got blowback instead! and so the actual number of messages were actually doubled (as they ended up in your spam filters).

Of course there are sophisticated services with better spam protection and blowback protection and lots of stuff that free email you get from wholesale domain registrars can't provide.  Those will resolve not only this issue but other problems other people here have referenced.  I personally like regenerating domain contacts that change every month and are only valid for a few months.

So, I wouldn't use any of the private registration stuff out there as it only serves to give registrars more money and to protect spammers and then registrars probably don't mind the side effect of keeping spammers hidden allowing them to get domains with fewer trails.  If you are a real person with a normal domain don't hide but fight -- stay away from bulk registrars or service that is bad.  (perhaps another private registration service works but whatever).
0
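As an added illustration of the three forwarding options discussed in the post above (sender rewritten to the proxy alias, the null sender `<>`, and SRS), the sketch below shows where a bounce ends up in each case. It is not part of any poster's reply and is not 1and1's code; it follows the SRS0 address layout (hash=timestamp=domain=local), but the hash and timestamp encoding are simplified, and the secret, domains and addresses are constructed assumptions.

```python
import base64, hashlib, hmac

SECRET = b"constructed-demo-key"   # assumption: the forwarder's private SRS secret
FORWARDER = "forwarder.example"    # hypothetical forwarding (proxy) domain
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def _stamp(day):
    """Day number modulo 1024 as two base32 characters."""
    day %= 1024
    return B32[day >> 5] + B32[day & 31]

def _tag(stamp, domain, local):
    """Short keyed hash binding timestamp, domain and local part together."""
    msg = f"{stamp}{domain}{local}".lower().encode()
    digest = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:4]

def srs_forward(sender, day):
    """Rewrite the envelope sender so a bounce comes back to the forwarder."""
    local, domain = sender.rsplit("@", 1)
    stamp = _stamp(day)
    return f"SRS0={_tag(stamp, domain, local)}={stamp}={domain}={local}@{FORWARDER}"

def srs_reverse(rcpt, day, max_age=21):
    """Return the original sender for a bounce, or None if forged or expired."""
    local_part, _, domain = rcpt.rpartition("@")
    if domain.lower() != FORWARDER or not local_part.upper().startswith("SRS0="):
        return None
    fields = local_part[5:].split("=", 3)
    if len(fields) != 4:
        return None
    tag, stamp, orig_domain, orig_local = fields
    expected = _tag(stamp, orig_domain, orig_local)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    fresh = {_stamp(day - age) for age in range(max_age + 1)}
    return f"{orig_local}@{orig_domain}" if stamp.upper() in fresh else None

def bounce_target(policy, sender, proxy, day):
    """Who receives the bounce when the final server rejects the forwarded mail."""
    if policy == "proxy":   # envelope sender set to the proxy alias itself
        return proxy        # alias forwards to its owner: blowback
    if policy == "null":    # MAIL FROM:<> : nothing is bounced
        return None
    return srs_reverse(srs_forward(sender, day), day)  # "srs": back to the origin

if __name__ == "__main__":
    day = 13600  # constructed day number
    for policy in ("proxy", "null", "srs"):
        print(policy, "->", bounce_target(policy, "sender@origin.example",
                                          "proxy@forwarder.example", day))
```

Because the rewritten address carries a keyed hash and a timestamp, the forwarder only relays bounces for addresses it generated recently, so a forged or stale bounce address is dropped instead of being forwarded to the alias owner.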

suggestionstickCommented:
Hi

Have you tried implementing SPF yet? It will stop the spammers using your email address; in this case they still would be sending the SPAM from a mail server that is not listed in the SPF records as an allowed mail server for your domain.

Trev.
0
tymesCommented:
Like I said, this isn't a random spammer spoofing his email address... this is 1and1 spoofing their own proxy addresses which is an alias for his address.  The best solution is to stop and cancel 1and1-private-registration and indeed cancel the affected address (except that address is not <phil@vantagecrest.>, it is <proxy465014@1and1-private-registration.>).

So SPF isn't applicable for this problem, SRS would be.
0
suggestionstickCommented:
Hi


tymes: I have read your post and I agree,  I was basing my opinion on the tech support snippet:

"The root of this problem is unfortunately spammers.  I will outline what
happened for you.  Someone spoofed the proxy e-mail address
(proxyxxxxx@1and1-private-registration.com) in your domain's WHOIS
record.  This means that they sent an e-mail and made it seem as if it
came from that proxy e-mail."

spoowiz: SPF will not solve this issue, as the sending (forwarding) server actually belongs to "1and1-private-registration" and what you see is the error message when it fails to forward the orig SPAM to phil@vantagecrest (as per tymes' post). SPF only works when spammers use your email address to send spam; for this email they have not.
Tymes seems to have this one all figured out, Full points to Tymes:
0
tymesCommented:
The tech support people at 1and1 who told you that don't realize the spammers didn't spoof the proxy address and it's their own inept system that does that and 1and1 is completely at fault.  So they shouldn't be blaming the spammers...as it is 1and1 who are using <proxyxxxxx@1and1-private-registration> to send mail.

Like I said, it could be easy for 1and1 to use something like SRS so the spammers got the error message (as they should) and so it wouldn't get looped back to your proxy address.

So, don't let the 1and1 tech people off the hook, get them to upgrade and fix their system or stop using that aspect of their service which again only doubles the amount of junk you get.
0
spoowizAuthor Commented:
I've emailed tech support to this link. I'll keep you posted.
0
spoowizAuthor Commented:
The following are the latest communication with tech support... arrgh!!

> Thank you for contacting us.
> I apologize for the misinformation you were given, the issue has nothing
> to do with our servers. I have enclosed some simple solutions to the
> issue that will not cost you anything to set up.

> The root of this problem unfortunately is
> spammers.  I will outline what happened
> for you.  Someone spoofed the proxy e-mail
> address PROXYADDRESS in your domain's WHOIS
> record.  This means that they sent an e-mail
> and made it seem as if it came from that
> proxy e-mail.  They then sent it to your same
> proxy e-mail address, which automatically
> gets forwarded on to your EMAILPROVIDER account.  
> However this message was flagged as spam by us,
> and thus the EMAILPROVIDER mail server rejected
> it when it was automatically forwarded.  We then
> sent an automatic notification to the sender that
> sending the message failed, which in this case was
> listed as your proxy address, which was then
> forwarded on to your EMAILPROVIDER account without
> a spam flag set because usually this notification
> a valid message, so it got through to you.

> This problem is something that not caused nor
> endorsed by us, is experienced on the Internet as
> a whole, and due to the nature of the technology
> that runs mailservers is unavoidable once it happens.  
> There is a way, however, to stop these e-mails coming
> to you, which I will explain.  You would have to
> manually change the proxy e-mail address from a
> forwarding address to a regular e-mail inbox, which
> will stop these messages from being generated and sent
> to your inbox.  To do this, enter the E-mail
> administration section of your Control Panel, select
> the proxy e-mail address PROXYADDRESS by checking the
> checkbox next to it, pull down the "Settings" menu, and
> click "Mailbox/Forward".  Then on the page that loads
> set the type from "Forward" to "Mailbox".  You will
> have to set up a password for the mailbox, which you
> will then be able to either access via our Webmail
> application or you may set up a desktop mail client
> such as Outlook to access the mail.  Make sure that you
> set up spam filtering for this address as it has already
> been the victim of spoofing, specifically to not block
> e-mails from itself, but to place messages from itself
> in the spam folder or delete them.  Please note that this
> e-mail address is very important at your domain and if
> you change it to a regular mailbox you will not be
> receiving any e-mail from this address to your
> EMAILPROVIDER account, and thus you will need to check
> this mailbox regularly to make sure that you are not
> leaving any important communications regarding your
> domain name unread.  Concerning what I have suggested,
> you can of course call our Technical Support team to
> help you at (877) 435-7281 / 0870 24 11 247 should you
> wish to go through with it.  We do apologize for the
> inconvenience that this is causing you.



> If you have any further questions please do not hesitate to contact us.

> --
> Sincerely,
> Paul Cunningham
> Technical Support
> 1&1 Internet

>> Last tech support info acknowledges that the problem is on your end at
>> 1and1.
>> Why do I have to pay extra to solve a problem on your end?
>> 
>> ----- Original Message -----
>> From: <support@1and1.com>
>> Sent: Wednesday, April 04, 2007 8:19 PM
>> Subject: Re: C70948096 - 1&1 Internet Support proxy e-mail bounce back
>> 
>> 
>> > Thank you for contacting us.
>> >
>> > Yes its actually you can use this as solution on the issue of email
>> > spoofing. As I checked on the link, it will cost you if subscribe on the
>> > solutions that they will give.
>> >
>> > If you have any further questions please do not hesitate to contact us.
0
tymesCommented:
Ok, so I've done some tests and 1and1 is now using SRS to rewrite senders but they don't use SPF for their own @1and1-private-registration.com address and they will forward it so spammers can spoof that address and it will act as we described.

Furthermore... their 1and1-private-registration.com is only using regular SRS to send mail so it isn't shielding your "private" address or server details so spammers who don't spoof your address will be able to determine your real address if the message bounces by looking at the error message.

They still need to improve it a bit in order for it to properly act as advertised and protect your private information

So while it isn't 100% bad, they are batting 1 for 3 (33%)... they don't protect themselves from spoofing and they will reveal private information and do allow email harvesting.  So ultimately it is still not worth paying any money for this wonderful service.
0
Question has a verified solution.