• Problem with hijacked domain name

    • This topic has 24 replies, 10 voices, and was last updated 10 years ago.
    #500115

    I have my own domain name which I have had for years. Over time it has been occasionally hijacked and somehow used for the generation of Spam emails. This has caused me a lot of grief and frustration. I have taken steps to try to reduce or eliminate the problem but none have been successful.

    One of the steps recommended by a couple of professionals was to create a Sender Policy Framework (SPF) record. SPF is defined as a simple email validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is being sent from a host authorized by that domain’s administrators.

    This was supposed to solve my issue; the SPF is supposed to check that the sender is the valid sender as specified in the SPF. You can read more about SPF at: http://emailuniverse.com/ezine-tips/?id=1202

    The SPF appears to not work; either that or the spammers have devised a way around the SPF.

    The symptom that tells me they are at it again is that I begin to receive quantities of Delivery Status Notification messages telling me that my email cannot be delivered. The reasons for not being delivered vary: some use a 550 error; among other things this indicates the sender is an identified spammer. Not true in my case, I do not spam. Others are just rejected due to a non-existent address. Some are caused by a rejection due to either white or black address lists. 554 Denied [SHPBL] Denied by Spamhaus as a spammer. 554 5.7.1 Access denied; also related to spam. There are other notification replies that are too numerous to mention.

    I am not the author of any of the rejected email messages. This current crop of messages appears to be sent to recipients in the United Kingdom and Australia. I don’t even know anyone who lives in either place.

    Please do not suggest that I give up my domain name; I have been using it for so many years that it would be a real hardship on my everyday, legitimate internet use. I know this current siege of spam/junk emails will eventually end but it is very frustrating while it goes on.

    Everyone I have spoken with just sort of shakes their head when I relate my problem. No one seems to have a solution or remedy. Can anyone out there provide some assistance or advice on how to proceed? How do I either stop or somehow mitigate the unauthorized use of my domain name?

    • #1506209

      I am afraid there is no solution for your problem. Anyone can enter an email address from your domain in a client or use it in a program to send email, as the sender’s address. There is nothing you can do to prevent that, because some email servers will always accept to send email on behalf of non-valid email addresses for the domains they host.

      This will have the undesired effect that you describe, but it should not affect your ability to send email from your server’s email domain. Spam blacklists list the sending server, so your server should not be affected in any way. Getting the notifications you get, well that is just a cost of having your own domain. It shouldn’t trouble you too much, really.

      Not all servers check SPF records and if they reject the email on the SPF record check, it’s even likely that you will be notified. A way to avoid this notification, for some situations where the sender email address does not exist, is not to have a catch all account for your domain.

      P.S.: I have my own domain, as well. It has been some time since I last got rejected emails I didn’t send, but it has happened. If, at any time, you have the need to prove you didn’t send those emails, it will be easy to prove, as the sending server will not be your email server.

      • #1506230

        @efstanley

        I have had my own domain name since about 2001. At first my website used a simple HTML-only “Contact” form which had my email address, i.e.: name@domain, coded into the HTML. But by about 2004 I was having similar problems as you describe with spammers.

        After some searching I cancelled the affected email address, set up a new one, and modified the “Contact” form’s code to use JavaScript to “cloak” my email address. This worked well for some years, but by about 2012 it was clear spammers had worked out how to decipher the JavaScript.

        After some more searching I found this tutorial: http://www.html-form-guide.com/contact-form/php-contact-form-tutorial.html

        Since I implemented the form in the above tutorial (with yet another new email address) the problem has not returned.

        • #1506351

          Thank you for the reply.

          I replied to you but my reply did not post to the thread; apparently I did not do it correctly. I also did not retain a copy of my reply; I did it on the fly so it is gone.

          If you do not mind could you return a copy of my reply to me so I can post it to the thread. It may help someone else understand the problem.

          After reading the thread I find that I am not alone with this problem; some small consolation.

          Thank you again.

          • #1506422

            I have no way to access your “lost” reply, sorry.

            • #1506423

              I have no way to access your “lost” reply, sorry.

              Ruirib, could internet server caching have caused the reply to become lost? Reason for asking: I lost two online bank transactions a long time ago. I thought I had online-paid two bills; however, I later discovered those two actions never made it to the bank’s financial server. I wondered about internet server caching in both cases.

              "Take care of thy backups and thy restores shall take care of thee." Ben Franklin, revisited

            • #1506431

              Ruirib, could internet server caching have caused the reply to become lost? Reason for asking: I lost two online bank transactions a long time ago. I thought I had online-paid two bills; however, I later discovered those two actions never made it to the bank’s financial server. I wondered about internet server caching in both cases.

              There is no caching when you are submitting data. When you are reading data, it is possible that some of it will be cached somewhere along the way, but not when you’re submitting it.

            • #1506777

              I guess I am not sure why you are asking about my use of “domain name.”

              I purchased my domain name years ago from a national domain name provider. I pay a yearly fee for its maintenance. It has the ability to host a web site but I have never used that option. I have always used it as an email forwarder to my real email provider. This would allow me to change email providers without the necessity of informing everyone of the change. All I would need to do is change the forwarding destination and my email would follow me to the new email provider.

              Email addressed to abc@mydomain.com gets forwarded to my real email provider at efstanley@somedomain.net .

              One of the other reasons I bought the domain name was to enable me to track the many websites and vendors that sold email addresses to others so they could send their sales and other messages to valid users. My domain has a “catch all” facility such that anything in front of the valid domain name is forwarded, i.e. Sears@mydomain.com would get forwarded as would Visa@mydomain.com, and I could determine who sent the email. It never really worked all that well to stifle the invalid use of my address but now my use of the address to identify who is supposedly sending the email is well established.

              That is also the facility that is being used against me to hijack my domain name. The “catch all” facility allows the spammers to put anything they wish in front of the domain name and use it as the sender name. SPF should catch it but few servers use SPF to validate the email source. The rejected email messages are returned to the “sender”; at my hijacked domain name.

              I hope this answers your question about my use of the domain name.

            • #1507052

              … The “catch all” facility allows the spammers to put anything they wish in front of the domain name and use it as the sender name. ..

              Your catch-all does not change the ability of spammers to send emails, it only changes the number of bounce messages that you will see. The spam recipients cannot usually verify that a sender’s name is valid – only the domain part can be tested.

            • #1507098

              I guess the question was asked because, in fact, the spammers never get hold of your domain, or your email server, or any part of those. If we were talking about traditional, snail mail, the equivalent would be someone sending letters with your home address as the sender, even if the letter’s contents would have nothing to do with you. Would you call this “hijacking” your house? I think email spoofing is the term that actually describes your situation.

              I also agree with the previous comment about the “catch-all” facility. You can disable catch-all and any spammer will still be able to send emails pretending to be sent from your domain. So the catch-all only allows you to catch some of the sent messages, if the email system is not able to deliver them for some reason.

            • #1507627

              I think ruirib is correct. The term for what has happened to me is that spammers are using my domain to “spoof” my email address. His analogy using snail mail makes that clear. It doesn’t fit the “hijack” definition.

              After all this discussion I am more accepting of the fact I will just have to tolerate this condition. The consensus is that there is really nothing I can do under the current email system.

              Thanks to all that took the time to comment; I appreciate your effort on my behalf. I hope this discussion added to the store of knowledge in the Lounge.

              I’m still upset over the fact that they can get by with it with no repercussions.

            • #1507636

              I’m still upset over the fact that they can get by with it with no repercussions.

              The cost of freedom of use is increased vigilance on the part of users.

              cheers, Paul

            • #1508449

              I’m still upset over the fact that they can get by with it with no repercussions.

              Would seeing fewer bounce notifications reduce the upset? You can do that by forgetting about all the ‘disposable’ addresses you use, which aren’t of much use anyway–if you find spam coming to your sears@ address, it will almost never be Sears which leaked or sold your address.

              I assume your domain name is currently with a hosting company, so you can have a full email account to send outgoing email, as well as receive? It should be helpful to move your email hosting to either Outlook.com or Gmail.com–there may be others as good, but those are the two I have used to good effect.

              I used to have your problem last decade on my business addresses, and dozens of addresses I supplied to clients as a service–all addresses were hosted on my shared web server at smaller hosts. The addresses would be spoofed 3-4 times a year for 3-4 days at a time, people would get upset about all the bounce notifications, and there was occasional repair work to be done with the blunt instrument amateur anti-spam lists like Spamcop, RBL, Spamhaus etc.

              After I ceased client services, I moved all my business email serving to Gmail, and no more problems. A few years ago I switched to Outlook.com, and also no problems. Very little incoming spam, no bounce notifications. Put simply, Outlook.com or Gmail should solve your problem. Could well work with the disposable addresses too, if you prefer to hang onto those–but I recommend not.

              I think ruirib is correct.

              Yes, everything ruirib has posted is correct.

              Lugh.
              ~
              Alienware Aurora R6; Win10 Home x64 1803; Office 365 x32
              i7-7700; GeForce GTX 1060; 16GB DDR4 2400; 1TB SSD, 256GB SSD, 4TB HD

      • #1506349

        Thank you for the reply.
        Your reply exactly matches my experience. Since many servers do not bother to use the SPF record it has turned out to be a futile defense against these spammers. I am not certain who receives the SPF rejected messages; the spammer or me. I don’t think it has ever happened in my case.

        What has happened to me is that I have been erroneously identified, by some servers, as a spammer; this has caused my legitimate emails to be rejected. Try and fix that condition. No one will answer or respond to your pleas of innocence; you are tried and convicted without a trial.

        You are not the only person to tell me to just ignore it and go on. I have tried to ignore it but it just irritates me to have some unknown persons hiding and abusing my name through the use of my domain name. Spammers have to be at least one step below pond scum. What a way to make your living.

        • #1506350

          What has happened to me is that I have been erroneously identified, by some servers, as a spammer; this has caused my legitimate emails to be rejected. Try and fix that condition. No one will answer or respond to your pleas of innocence; you are tried and convicted without a trial.

          If one of your emails has been rejected, you will get an error message and you can then act on it. It is entirely possible that if you are using an email server used by someone else (which is usually the case), the rejection can be due to those users and not you. Better make sure about the cause for each rejection, before withdrawing definitive conclusions.

        • #1506426

          …it just irritates me to have some unknown persons hiding and abusing my name through the use of my domain name…

          I am wondering if you correctly understand the meaning of “domain name”.

          It is likely to help us advise you better if you could more clearly define exactly what you mean by “domain name”.

          1. Do you mean a “domain name” you have registered and paid for (usually 2 years) for a website you have?

          2. Do you mean the “domain name” part of the email address you are having problems with (the part of the email address after the @ symbol)?

    • #1506246

      When you (a mail server) connects to a mail server to deliver mail you are required to provide information about yourself, including your email address. This information is plain text and can be anything you like as long as it’s a validly formatted email address. Spammers use real email addresses in an attempt to fool mail systems into accepting the spam.

      The problem you describe arises because email systems are required to provide notification of email delivery failure – not success – and these Non Delivery Reports are sent to the originating sender. In this case your email address is used as the sender address so you receive the NDR. Just throw the NDRs away, there is no point in bothering with them, unless they relate to email you actually sent.

      cheers, Paul
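Separating the backscatter Paul describes from bounces of mail you really sent, as an added example (not code from the thread): it parses a constructed multipart/report DSN, pulls the first-hop client address out of the original message's topmost Received header, and compares it with the defender's own outbound MTA address. The bounce, the domains and the outbound address 198.51.100.7 are all constructed assumptions.

```python
import email
import ipaddress
import re

# Assumed: the only address our own mail server ever sends from (constructed).
OUR_OUTBOUND_NETS = [ipaddress.ip_network("198.51.100.7/32")]

# Constructed bounce: a remote MX rejected a message that claimed abc@example.net
# as sender but was handed over by 192.0.2.77, which is not our mail server.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.org
To: abc@example.net
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The following message could not be delivered.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.org

Final-Recipient: rfc822; nobody@example.org
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 554 5.7.1 Access denied
--b1
Content-Type: text/rfc822-headers

Received: from unknown (HELO example.net) (192.0.2.77)
  by mx.example.org with SMTP; Tue, 5 May 2015 10:00:00 +0000
From: abc@example.net
To: nobody@example.org
Message-ID: <zzz123@spam-host.invalid>
Subject: cheap pills
--b1--
"""

IP_IN_RECEIVED = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def classify_bounce(raw):
    """Parse a multipart/report DSN and decide whether it is backscatter."""
    bounce = email.message_from_string(raw)
    info = {"verdict": "undetermined", "client_ip": None, "message_id": None, "status": None}
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status" and part.is_multipart():
            for block in part.get_payload():        # per-recipient header blocks
                if block.get("Status"):
                    info["status"] = block["Status"].strip()
        elif ctype in ("text/rfc822-headers", "message/rfc822"):
            if ctype == "message/rfc822":
                original = part.get_payload()[0]
            else:
                original = email.message_from_string(part.get_payload(decode=True).decode())
            info["message_id"] = original.get("Message-ID")
            # The topmost Received header is the recipient MX's own record of who
            # connected to it; that is where a rejection really belongs.
            received = original.get_all("Received") or []
            match = IP_IN_RECEIVED.search(received[0]) if received else None
            if match:
                info["client_ip"] = match.group(1)
    if info["client_ip"]:
        ip = ipaddress.ip_address(info["client_ip"])
        ours = any(ip in net for net in OUR_OUTBOUND_NETS)
        info["verdict"] = "genuine bounce" if ours else "backscatter"
    return info


if __name__ == "__main__":
    print(classify_bounce(SAMPLE_BOUNCE))
```

A DSN whose original message never touched your own MTA can be discarded unread; only the "genuine bounce" verdicts are worth acting on.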

    • #1506270

      You might check what you’ve already done against the recommendations in this article from openspf.org…

      http://www.openspf.org/FAQ/Common_mistakes

      Does SPF help with spoofed spam from other servers?

      • #1506296

        Does SPF help with spoofed spam from other servers?

        Nope, it just identifies you as a valid sender of email for that domain.

        cheers, Paul

        • #1506303

          Nope, it just identifies you as a valid sender of email for that domain.

          I suppose there could be an indirect effect, but it seems to rely on spammers using some intelligence?:

          If a domain publishes an SPF record, spammers and phishers are less likely to forge e-mails pretending to be from that domain, because the forged e-mails are more likely to be caught in spam filters which check the SPF record. Therefore, an SPF-protected domain is less attractive to spammers and phishers. Because an SPF-protected domain is less attractive as a spoofed address, it is less likely to be blacklisted by spam filters and so ultimately the legitimate e-mail from the domain is more likely to get through.
          Reasons to implement Sender Policy Framework (SPF)

    • #1506281

      @efstanley

      I know the feeling, I have my own domain and it’s happened once in the past and, coincidentally, over the last week or so.

      No point in changing domain names in any case as that could just as easily be spoofed.

    • #1506421

      You can check if your domain or mail server have been blacklisted at this site: http://mxtoolbox.com/blacklists.aspx
      Is your SPF record correct? The IP address(es) must be those of your mail server, not your domain server – they are rarely the same.

      cheers, Paul
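How a receiving server evaluates the SPF record Paul is talking about, as an added example (not code from the thread or from openspf.org): a small evaluator for the ip4, ip6, a, mx, include and all mechanisms against a constructed DNS table. It also includes a record, "webonly.example", that lists the web host instead of the mail server, which is the mistake Paul warns about; every domain and address here is a documentation value constructed for the example.

```python
import ipaddress

# Constructed DNS data standing in for live lookups; none of these are real records.
# "webonly.example" publishes the web host's address, not the mail server's, so its
# legitimate mail fails SPF while the web host would pass.
DNS = {
    "TXT": {
        "example.net": "v=spf1 mx ip4:198.51.100.7 include:relay.example -all",
        "relay.example": "v=spf1 ip4:203.0.113.0/24 ~all",
        "webonly.example": "v=spf1 a -all",
    },
    "MX": {"example.net": ["mail.example.net"]},
    "A": {"mail.example.net": ["198.51.100.7"], "webonly.example": ["192.0.2.10"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _in_network(ip, spec, host_bits):
    """True if ip lies in spec, which is a bare address or a CIDR block."""
    net = spec if "/" in spec else f"{spec}/{host_bits}"
    return ip in ipaddress.ip_network(net, strict=False)


def _host_matches(ip, host):
    return any(ipaddress.ip_address(a) == ip for a in DNS["A"].get(host, []))


def check_spf(client_ip, domain, depth=0):
    """SPF result for a connection from client_ip using MAIL FROM <...@domain>.

    Covers the ip4, ip6, a, mx, include and all mechanisms of RFC 7208 (no macros,
    no redirect, no CIDR suffix on a/mx) against the constructed DNS table above.
    """
    if depth > 10:                      # RFC 7208 caps include recursion
        return "permerror"
    record = DNS["TXT"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip.version == 4 and _in_network(ip, arg, 32)
        elif mech == "ip6":
            matched = ip.version == 6 and _in_network(ip, arg, 128)
        elif mech == "a":
            matched = _host_matches(ip, arg or domain)
        elif mech == "mx":
            matched = any(_host_matches(ip, mx) for mx in DNS["MX"].get(arg or domain, []))
        elif mech == "include":
            sub = check_spf(client_ip, arg, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"     # include matches only on a "pass"
        else:
            return "permerror"          # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no "all" term


if __name__ == "__main__":
    for ip, dom in [("198.51.100.7", "example.net"), ("203.0.113.55", "example.net"),
                    ("192.0.2.99", "example.net"), ("198.51.100.7", "webonly.example")]:
        print(f"{ip:>14} claiming {dom:<16} -> {check_spf(ip, dom)}")
```

A spoofer's connection from 192.0.2.99 gets "fail" only at receivers that actually evaluate the record; the record changes nothing about what the spoofer can send.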

    • #1506737

      554 Denied [SHPBL] Denied by Spamhaus as a spammer. …
      554 5.7.1 Access denied; …

      Responses like this make me think you should be looking more deeply at the problem.
      As far as I know, Spamhaus only looks at IP address – nothing to do with your domain name. Now, it is probable that spammers claiming to be sending from your domain will be using banned IP addresses, but the 554 status messages are meant to be sent from the recipient server back to the actual IP address that tried to send the email. You should never see them.

      You should ensure that it is not actually your PC, or your web page that is sending the email. Spamhaus block messages often include the offending IP address.

      Now it is possible for poorly configured systems to do this test at the wrong stage of the process, but in those cases they should not be sending the report back to you. However some do.

      Email service providers are slowly making more use of SPF, and in my experience, once we had set up a proper SPF on the domains I look after, these backscatter reports for delivery failure gradually subsided to far less than they used to be.
      Make sure you submit your domain to an SPF validation service. This one listed on the openspf.org web page worked for me: http://www.kitterman.com/spf/validate.html

      In the same way that the Spamhaus DNS blocklist message should go to the spammer’s computer, you should never know any time your SPF entry works to deny a spammer forging your domain name.

    • #1506831

      there is no solution

      unless you can hire some mercs to hunt down whoever is spoofing your name and kill them

    • #1507649

      efstanley, who knows, maybe sooner rather than later, somebody will read this thread, and for some technical reason, s/he will say “Hey! I can help reduce if not eliminate that!” and will come up with something that does exactly that – reduce if not eliminate the “that” 🙂

      "Take care of thy backups and thy restores shall take care of thee." Ben Franklin, revisited
