Who Uses My Email?

[TCH-Thomas]

I have several emailadresses and Im not sure how smart it is to publish them in this forum so except for the one in my signature i will fake one of them in description below (anyone having a good solution and needing the real adress may pm me though).

 

All day i have received emails on johndoe@somemail.com from various senders using my jikrantz.com as email.

 

Example: Last email i received on johndoe@somemail.com came from claudia@jikrantz.com. There is no claudia at that adress. Atleast not set up by me.

 

All these emails have been from different people @jikrantz.com

 

Since there is alot of viruses around us i have not downloaded any of them but previewed them through mailwasher.

 

All emails have been empty as far as i can see.

 

How can i find out who uses my domain as email and what can i do to stop it?

 

Addition: As far as i know and hope that these emails from blahblah@jikrantz.com has only been sent to johndoe@somemail.com. I sure hope so anyway, Im so tired of the ****-spam.

Edited August 6, 2005 by TCH-Thomas

[MikeJ]

Viruses will do this, and that's probably what you are seeing. As soon as I migrated my domain email over here, I started receiving a ton of bogususer@****. You can't really do anything about it. Most of the people who are sending mail as you probably don't even realize it due to the virus infection.

 

Best thing is to set in your cpanel any mail that doesn't belong to a particular mail account to forward to ":fail:".

[TCH-Thomas]

Ok, thanks.

 

2 additional questions though...

 

1) You say:

Best thing is to set in your cpanel any mail that doesn't belong to a particular mail account to forward to ":fail:".

How do you mean? (Im a newbie on these things)

 

2) I noticed in cpanel that todays bandwidth is 1.70 mb so far. I havent done much uploads or viewing my site today more than once and there havent been many visitors either, so could those people have sent big emails from my domain?

I have gotten and sent some emails, but i figure plain text emails doesnt take much bandwidth?

What i mean is that 1.70 mb is just too much for one day in my case.

[TCH-Rick]

There are two special entries that can be used in forwarders or as your default address, :fail: and :blackhole:. Be sure to include the colon and the beginning and end.

 

The first, :fail:, will cause any email coming to that address to be rejected. You can add a message after it such as :fail: Sorry but he doesn't want your mail. This will cause a bounce message to be sent if mail is sent to that address and it will say Sorry but he doesn't want your mail.

 

The second, :blackhole:, will simply delete any mail sent to that address. No bounce message will be sent.

 

Big Gorilla is right, to eliminate spam sent to random addresses using your domain it is best to set the default to discard any message not directed to one of your real accounts.

 

I disagree, however, that :fail: should be used. I prefer to see :blackhole: as it is easier on the server. Many spammers use throwaway addresses and what happens is the bounce is sent to that fake address which is then bounced back to our server. The server will then continue to retry to send the message and it clutters up the mail queue. Setting the default to :blackhole: will simply delete the message and it's over.

[Brent]

Rick,

 

First, sorry about the Panthers loss. Great game though; best SB I have seen in a while. I was rooting for the Panther's all the way!

 

Re: your comments about :fail versus :blackhole...

 

I have been inundated by these virus e-mails; about 100 a day for the last 4 or 5 days. I have not yet enabled :blackhole because it is often important that I am able to receive errant mail sent to unknown_names@mydomains.com. Right now, however, I'm sick of receiving all those virus e-mails and want to do something about it.

 

Would you suggest that I turn on :blackhole for a while, until the viruses stop coming, or am I doomed to receiving those suckers forever? Are there any other better alternatives that would allow me to continue to monitor the errant, but "legitimate" e-mails which are accidently sent to the wrong address, and at the same time avoid the virus e-mails?

 

Thanks for your suggestions.

 

- Brent

 

brent@twinmail.com

brent@verlworkman.com

[MikeJ]

Big Gorilla is right, to eliminate spam sent to random addresses using your domain it is best to set the default to discard any message not directed to one of your real accounts.

:blackhole: is a little easier on the server if the MTA (mailer) accepts the message, determines the user doesn't exist, then bounces it, for :fail: (which based on your response I assume is true), instead of denying reciept of the message for invalid addresses.

 

The only caveat of :blackhole: for default is that if someone sending valid email simply misspells your username, they won't realize you didn't get the message (because they don't get a bounce), and you won't realize they sent one (because it was deleted). However, for most people that is likely a rare case and they would probably be fine using the preferred :blackhole:.

[TCH-Thomas]

When i read all this solutions i get more confused.

As i understand it, the fail or blackhole will work when i receive email on my domain jikrantz.com but my problem is that it sends from jikrantz.com to my other adress.

Or will it work when they send from jikrantz.com too?

[TCH-Thomas]

Here is a header from one of those emails:

 

Return-Path:

Received: from server23.totalchoicehosting.com([207.44.240.63])

by amsfep18-int.chello.nl

(InterMail vM.6.00.05.02 201-2115-109-103-20031105) with ESMTP

id

for ; Mon, 2 Feb 2004 03:45:08 +0100

Received: from [194.112.113.86] (helo=smtp.ciao.com)

by server23.totalchoicehosting.com with esmtp (Exim 4.24)

id 1AnU53-0004v3-7D

for dan@jikrantz.com; Sun, 01 Feb 2004 20:44:57 -0600

Received: by smtp.ciao.com (Postfix)

id DB6972FE47; Mon, 2 Feb 2004 03:34:57 +0100 (CET)

Date: Mon, 2 Feb 2004 03:34:57 +0100 (CET)

From: MAILER-DAEMON@ciao.com (Mail Delivery System)

Subject: Undelivered Mail Returned to Sender

To: dan@jikrantz.com

MIME-Version: 1.0

Content-Type: multipart/report; report-type=delivery-status;

boundary="223922FBD4.1075689297/smtp.ciao.com"

Message-Id:

X-AntiAbuse: This header was added to track abuse, please include it with any abuse report

X-AntiAbuse: Primary Hostname - server23.totalchoicehosting.com

X-AntiAbuse: Original Domain - jikrantz.com

X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]

X-AntiAbuse: Sender Address Domain -

 

This is a MIME-encapsulated message.

 

--223922FBD4.1075689297/smtp.ciao.com

Content-Description: Notification

Content-Type: text/plain

 

This is the Postfix program at host smtp.ciao.com.

 

I'm sorry to have to inform you that the message returned

below could not be delivered to one or more destinations.

 

For further assistance, please send mail to

 

If you do so, please include this problem report. You can

delete your own text from the message returned below.

 

The Postfix program

 

: host mail.ciao.com[194.221.9.197] said: 550 5.1.1

... User unknown (in reply to RCPT TO command)

 

--223922FBD4.1075689297/smtp.ciao.com

Content-Description: Delivery error report

Content-Type: message/delivery-status

 

Reporting-MTA: dns; smtp.ciao.com

Arrival-Date: Mon, 2 Feb 2004 03:34:52 +0100 (CET)

 

Final-Recipient: rfc822; anna@ciao.com

Action: failed

Status: 5.0.0

Diagnostic-Code: X-Postfix; host mail.ciao.com[194.221.9.197] said: 550 5.1.1

... User unknown (in reply to RCPT TO command)

 

--223922FBD4.1075689297/smtp.ciao.com

Content-Description: Undelivered Message

Content-Type: message/rfc822

 

Received: from jikrantz.com (host-64-65-200-29.pro.choiceone.net [64.65.200.29])

by smtp.ciao.com (Postfix) with ESMTP id 223922FBD4

for ; Mon, 2 Feb 2004 03:34:52 +0100 (CET)

From: dan@jikrantz.com

To: anna@ciao.com

Subject: test

Date: Sun, 1 Feb 2004 21:45:19 -0500

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="----=_NextPart_000_0012_3295C453.AFCB1EF1"

X-Priority: 3

X-MSMail-Priority: Normal

Message-Id:

 

This is a multi-part message in MIME format.

 

------=_NextPart_000_0012_3295C453.AFCB1EF1

Content-Type: text/plain;

charset="Windows-1252"

Content-Transfer-Encoding: 7bit

 

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

 

 

------=_NextPart_000_0012_3295C453.AFCB1EF1

Content-Type: application/octet-stream;

name="doc.pif"

Content-Transfer-Encoding: base64

Content-Disposition: attachment;

filename="doc.pif"

[MikeJ]

When i read all this solutions i get more confused.

As i understand it, the fail or blackhole will work when i receive email on my domain jikrantz.com but my problem is that it sends from jikrantz.com to my other adress.

Or will it work when they send from jikrantz.com too?

I can understand your confusion, email trails get pretty convoluted. Let me see if I can clear it up some.

 

There are two components to your problem....

 

1) Someone else is sending mail claiming to be from your domain. There's isn't really anything you can do for this. If you look at the headers of the originating message in the example you provided, you see the following origin:

Received: from jikrantz.com (host-64-65-200-29.pro.choiceone.net [64.65.200.29]) by smtp.ciao.com (Postfix) with ESMTP id 223922FBD4

Although the host at choiceone.net claims to be jikrantz.com, they aren't. However, emails can be forged so easily that people can claim to be anyone they want to when sending email... but fortunately, the headers rarely lie (they can just be hard to interpret). Since the email being sent never comes from your account, nor any machine you control, you cannot stop it from going out. You could attempt to contact each and every person that sends one, but that would be a difficult process since the majority of these are likely coming from viruses, and you will receive bounces that originally came from numerous different infected machines. The number of emails will diminish when those people fix their infected machines, but when the next virus comes out, it may start all over again.

 

The reason people are claiming to be your domain, is likely because they have your address in their address book because they have received email from you at some point in time. The virus then takes random domain names from the address book to create fake addresses, most likely in an attempt to make it slightly harder to identify infected machines.

 

The only real solution to this problem given the way email works today is for the general public to protect their machines better, and for vendors to provide more secure software.

 

2) You are getting a lot of bounces (returned email) due to (1). This is a problem you can control, and that we were recommending solutions to. Basically, given that trying to contact every person that is infected and claiming to be you is pretty much a futile effort, the value of those bounces is pretty much nil. So the :blackhole: or :fail: options is a method of discarding useless mail so that you don't have to sift through it.

 

Hopefully that helps clear it up a little.

[TCH-Thomas]

Ok. Big thank you for the long but informative answer/explanation.

Now I understand a little more.

 

Thank you everyone involved.

 

This kind of response/help makes me just feel I am home.

 

I might have one more question but i will do a search first cause i thiink i have seen the answer somewhere.

[Brent]

Rather than :blacklist at the TCH level at this time, I am going to filter my incoming e-mail at the client level instead, so that I can monitor the other harmless mail that comes in with misspelled names, etc. I'll filter out what I am certain is MyDoom-related and allow the rest through.

 

I may activate :blacklist later if the volume does not decrease soon.

 

Thanks for all the feedback and suggestions.

 

- Brent

[cloudrm]

The only real solution to this problem given the way email works today is for the general public to protect their machines better, and for vendors to provide more secure software.

Protecting your machines is the best option. I hope that eventually, the consumer will be protected as part of a service package, ISP or Host.

 

The sad part about this current virus is that most current "spam/junk/virus" programs (the ones that come from your ISP or email services) block any/all legitimate outgoing mail from your address to anyone on their system.

 

IE: the virus sends itself to "blank@hotmail.com". . . the receiver clicks "block and report sender". . . So now, every e-mail I send to anyone with a "hotmail" address is bounced back, automatically deleted or sent to their junk mail folder.

 

I just don't understand what kind of thrill these virus creators get out of it. If they think they're just hurting "the big guys" they're mistaken. I just don't get what, in human nature, would make someone think that my not being able to send an e-mail to my Mother would give him/her some power.

 

O.K. that's my rant for the day Mad!!!

[OJB]

good job i did a search before posting a topic of my own

 

im getting the same thing as Thomas...

 

i get dozens of emails sent from invalid addresses on my domain everyday, outlook will alert to they contain viruses each time i get one..

 

like:

admin@ukhhf.co.uk (not an address my end)

helpdesk@ukhhf.co.uk (also not an address i have set up)

 

and things along those lines.

 

 

bit gutting i cant really do anything about it, im just worried that members of my website might end up getting one of these dodgy emails and think its legit and in turn get infected by a virus. the reason is that all the emails i get sent say things like "user violation located, account deleted" and things along those lines.. so it may worry some of my forum users...

[stevevan]

Spammers will try almost anything to get email through. The best prevention is to be pro-active in your web design (e.g. not blatantly have email addresses showing in the web site, and turning on and using SpamAssasin), and education (e.g. don't open unknown attachments). Nothing will stop all of this type of email...it's an unfortunate fact of life on the internet.