Spammers are ruining my good (domain) name

Nothing like arriving home from visiting family to find 6404 e-mail messages in your inbox. All of these were returned / failed / out-of-office error messages because some spammer is using my domain name and random usernames to send spam messages. I’m still receiving about one returned error message per minute. No telling how many actually are getting through to people.

Out of all of these messages, there was one that was different. It was a response to one of my blog entries. It was, as you might have guessed, a spam blog comment.

Category: Web | Last updated on: 2014-May-27

12 Comments

  • Carlton Bale says:

    Just now, I received my first non-error message e-mail. It was spam addressed to me, not a delivery error. Gee, I feel so special to actually receive some spam instead of being framed for sending it.

  • Carlton Bale says:

    Update: another 9641 spam messages returned to me. I now have a filter set up to isolate the messages that bounce back to me.

    At least initially, the e-mails were referencing sub-domains of OEMWX.COM and TABOODK.COM. I wondered who these kind persons were, so I checked the domain registrant info. Both were Yahoo accounts, which I’m sure are valid:

    Registrant:
    Manoj Kumar
    Navi Mumbai Mumbai, 400003, IN
    ENOM, INC.
    Domain Name: OEMWX.COM
    Created on: 14-dec-2005
    Expires on: 14-dec-2006
    Last Updated on: 17-dec-2005
    Administrative Contact:
    Technical Contact:
    Kumar , Manoj
    manojkumar_2205@yahoo.com
    Navi Mumbai Mumbai, 400003,IN
    +91.02225438906

    Kumar , Manoj
    manojkumar_2205@yahoo.com
    Navi Mumbai Mumbai, 400003,IN
    +91.02225438906

    Domain servers in listed order:
    Registry Status: REGISTRAR-LOCK
    NS1.OEMBZ.COM
    NS2.OEMBZ.COM

    TABOODK.COM
    Registrant:
    e-mail :
    August RITTER (RITTER4-BMN-PE) 1902 North Griffin Street 58501 Bismarck UNITED STATES fax:
    ONLINE SAS
    Domain Name: TABOODK.COM
    Created on: 23-dec-2005
    Expires on: 23-dec-2006
    Last Updated on: 23-dec-2005
    Administrative Contact:
    Technical Contact:
    August RITTER (RITTER4-BMN-PE),
    ritteraugust@yahoo.com

    Domain servers in listed order:
    Registry Status: ACTIVE
    CA.CABOCHONGH.COM
    GH.CABOCHONGH.COM

  • Carlton Bale says:

    domain: beststorediscount.com
    owner: Brion Benson
    organization: Benson and co. corp
    email: billbrees2@yahoo.com
    address: 191 Timberhill Dr
    city: Canton
    state: NC
    postal-code: 28716
    country: US
    phone: +1 734 416-3284
    admin-c: billbrees2@yahoo.com#0
    tech-c: billbrees2@yahoo.com#0
    billing-c: billbrees2@yahoo.com#0
    nserver: ns1.dnshostlink.com 220.173.103.6
    nserver: ns2.dnshostlink.com 221.11.134.35
    status: lock
    created: 2005-12-15 12:53:41 UTC
    modified: 2005-12-15 13:03:31 UTC
    expires: 2006-12-15 07:53:41 UTC
    source: joker.com live whois service
    query-time: 0.015056
    db-updated: 2005-12-26 16:58:30

  • Carlton Bale says:

    Still getting bounce-backs and still filtering out over 99% of them. I’m looking through some of the messages to see where they were sent from and to which sites they refer.

    Where email originates:
    telekomunikacja.pl, tpnet.pl

    Site referenced: http://www.mugest.com/pt/
    Domain hosting by: zj.chinamobile.com

    Site referenced: http://www.kerinn.net/pt/
    Resolves to 211.140.139.106
    Whois for 211.140.139.106 : quanhf@zj.chinamobile.com

    So, it looks like China is the source of my ill. Someone in China is trying to make a buck, I guess. And in the process sending me over 20,000 e-mail messages in 5 days. Can’t wait until the new e-mail system to replace SMTP is implemented so these guys will be looking for a new job.

  • KNH says:

    Who ever said you had a good name?

  • Carlton Bale says:

    KNH blog comments = spam, perhaps?

  • Carlton Bale says:

    The count is now over 45,000 spam e-mails.

  • Carlton Bale says:

    Well, I thought this problem may have been a temporary issue, but I’m still getting about 2000 e-mails per day. I’ve white-listed all of my legitimate addresses and I’m able to isolate all of the spam bounce-backs, so it is not at all the headache it was.

    I did some reading on spamcop and found these bounce-back error messages are considered spam as well. The postmasters of the servers should be more considerate and not automatically send failed delivery messages to me when I didn’t send the messages originally. Users sending authentication messages to people who did not send them mail should look for a better solution as well. Glad to see there are some thoughts on how to resolve these problems in the future:
    http://www.spamcop.net/fom-serve/cache/329.html

  • Carlton Bale says:

    I’ve now added SPF records to my DNS server. Unfortunately, most mail servers are not using SPF, so there is little benefit to me at the moment. Generating the SPF records was easy; I did it by going to http://www.openspf.org/
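
    The check a receiving mail server performs against an SPF record like the one described in the comment above, as an added Python example (not code from this post or from openspf.org); the DNS data is a constructed in-memory table, and example.com, _spf.mailhost.example and the IP ranges are placeholders. It goes a little beyond the comment by handling the mx and include mechanisms as well as ip4 and all.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline; no real zones are queried.
FAKE_DNS = {
    "example.com": {
        "TXT": "v=spf1 ip4:203.0.113.0/24 mx include:_spf.mailhost.example -all",
        "MX": ["mx1.example.com"],
    },
    "mx1.example.com": {"A": ["192.0.2.25"]},
    "_spf.mailhost.example": {"TXT": "v=spf1 ip4:198.51.100.10 ~all"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _addresses(name):
    # A records of a hostname from the constructed table, as IP objects
    return [ipaddress.ip_address(a) for a in FAKE_DNS.get(name, {}).get("A", [])]

def check_spf(ip, domain, depth=0):
    """Evaluate domain's SPF record for a connection from ip (ip4/ip6/a/mx/include/all)."""
    if depth > 10:                      # RFC 7208 bounds lookup recursion
        return "permerror"
    record = FAKE_DNS.get(domain, {}).get("TXT")
    if not record or not record.startswith("v=spf1"):
        return "none"                   # no policy published: receiver cannot judge
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = addr in _addresses(arg or domain)
        elif name == "mx":
            hosts = FAKE_DNS.get(arg or domain, {}).get("MX", [])
            matched = any(addr in _addresses(h) for h in hosts)
        elif name == "include":         # only a "pass" inside the included record matches
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"          # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # record ran out without a match

def should_reject(ip, mail_from_domain):
    # Reject at SMTP time only on a hard fail ("-all"), which is how most receivers act
    return check_spf(ip, mail_from_domain) == "fail"
```

A receiver that rejects on "fail" never generates the bounce in the first place, which is why the benefit depends on other people's servers checking the record.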

  • Carlton Bale says:

    I’ve been reading some more and the general theory for my domain being targeted for unsolicited bounces is that, because I reported spam to spamcop, I was targeted. SpamCop obscures the name and e-mail address of the person reporting, but the messages can contain unique information (such as picture names) that would show I was the intended recipient.

    So here is how it works: spammers send spam to a bunch of people. Those that report it to spamcop are among the few, so they are retaliated against by unsolicited bounces. If they continue to report, even more unsolicited bounces. To be allowed to send more spam, they target those that report.

    I can’t verify that this is factual, but that is my guess. My server appears to be getting more traffic the more spam I report. Too bad everyone doesn’t use SPF to ignore spoofed mail headers. Too bad the new and improved e-mail system to replace SMTP is still years away.

  • Antarius says:

    You’re not alone…

    I’m currently receiving thousands of undeliverable, out-of-office and “your message is spam” responses from non-existent addresses also.

    Like you, the spammer is using random usernames at a handful of domains I admin (such as docs.com.au – which for some reason is always confused with docs.gov.au… I get these wonderfully sensitive reports on child abuse that I really wish didn’t get here!)

    Even domains that I don’t admin (aaledo.com.au and trainingaustralia.com.au) are getting them – yet a different username appears in the “To” field!

    Like you, I initially thought that it might be retaliation for using a spam reporting service. I was using Blue Security until they were crushed by repeated DDOS attacks. Now I’m using SpamCop.

    Then I realised; Aaledo.com.au and trainingaustralia.com.au weren’t part of my “protected addresses,” so I wasn’t reporting the Spam (1,000+ msgs per day) for this account.

    So I don’t know why the Spammers are picking on me or my domains; I just hope it stops soon!

  • Carlton Bale says:

    I think the root of the problem may have been that my catch-all e-mail address accepted all of the bounced messages, which allowed the spammers to send more messages as they didn’t have to deal with any bounces. I killed my catch-all e-mail addresses and set the unknown response to be “Fail: The sender is notified that the address doesn’t exist”. If the bounce occurs fast enough, it may push back to the original spammer IP and slow down the rate of spam deployment. Also, it may not make any difference at all to the spammer. Either way, killing my catch-all and bouncing back messages to invalid e-mail addresses solved my problem.
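
    A filter that separates backscatter (bounces and auto-replies for mail the domain never sent, the kind isolated and then rejected in the comments above) from genuine bounces, as an added Python example that is not the author's own filter; OUR_DOMAIN, OUR_MAIL_HOST and the sample DSN are constructed placeholders.

```python
import email
from email import policy

# Constructed values: the spoofed domain and the only host that legitimately sends its mail
OUR_DOMAIN = "example.net"
OUR_MAIL_HOST = "mail.example.net"

def is_auto_response(msg):
    # DSN (RFC 3464), auto-reply marker (RFC 3834), or a MAILER-DAEMON/postmaster sender
    if (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "delivery-status"):
        return True
    if msg.get("Auto-Submitted", "no").lower() != "no":
        return True
    return (msg.get("From") or "").lower().startswith(("mailer-daemon", "postmaster"))

def sent_by_us(orig):
    # Mail we really sent carries a Message-ID in our domain and a Received line from our host
    msgid = orig.get("Message-ID", "")
    received = " ".join(orig.get_all("Received", []))
    return msgid.endswith("@" + OUR_DOMAIN + ">") and OUR_MAIL_HOST in received

def is_backscatter(raw):
    """True when an automatic response refers to mail that our host never sent."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_auto_response(msg):
        return False                    # ordinary mail: not a bounce at all
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return not sent_by_us(part.get_payload(0))
    return True                         # auto-response with no original attached: nothing of ours

# Constructed sample: a DSN from a remote server for spam that forged a random user at our domain
SAMPLE_BACKSCATTER = """\
From: MAILER-DAEMON@mx.remote.example
To: zq4k7@example.net
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/rfc822

Received: from [203.0.113.9] by mx.remote.example
From: zq4k7@example.net
Message-ID: <a1b2c3@spam.invalid>

buy now
--B1--
"""
```

Bounces that carry no copy of the original are treated as backscatter too, since there is nothing to prove the domain sent anything.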

© 1996-2016 Carlton Bale