Hijacked again!


annc
07-02-2005, 01:42 PM
This morning I woke up to a heap of e-mails in my junk mail folder. Almost all were returned e-mails with the usual Delivery failure, Mail Daemon failure etc. subject lines.

Sure enough, someone's hijacked one of my domain names again, and spammed half the world. Next thing I know, I'll start getting my e-mails bounced because my domain name has been listed as an abuser.

These episodes are increasing in frequency; it's only three weeks or so since my domain was hijacked for virus delivery. Sigh.

ktinkel
07-03-2005, 05:13 AM
>> … someone's hijacked one of my domain names again, and spammed half the world. Next thing I know, I'll start getting my e-mails bounced because my domain name has been listed as an abuser. <<

Do you know how this happens?

Steve Rindsberg
07-03-2005, 10:25 AM
Hijacked your domain in what sense?

More typically, I think this is the result of Computer A having your domain in its address book and getting infected with a virus that sends spam to the rest of the address book using your domain as the return address.

Result: every av program at the "spam-ee" end that's set to "helpfully" warn people whose email's been rejected for whatever reason starts sending mail to you.

Eventually this will stop spam, you see, because in doubling the network traffic generated by "legitimate" spam, it will cause the internet to fill up that much sooner. Once it's full, you can't put any more in, of course. Can't put ten kilos of spam in a five kilo tin, after all, so spam will stop.

annc
07-03-2005, 11:18 AM
>> Hijacked your domain in what sense?

More typically, I think this is the result of Computer A having your domain in its address book and getting infected with a virus that sends spam to the rest of the address book using your domain as the return address.

Result: every av program at the "spam-ee" end that's set to "helpfully" warn people whose email's been rejected for whatever reason starts sending mail to you.

Eventually this will stop spam, you see, because in doubling the network traffic generated by "legitimate" spam, it will cause the internet to fill up that much sooner. Once it's full, you can't put any more in, of course. Can't put ten kilos of spam in a five kilo tin, after all, so spam will stop. <<

That sounds very logical, except that I would have expected it to be a different domain in that case. Very few people send e-mail to me from that address, whereas half the horse world has my dressageit address. And horse people are mostly innocents abroad on the internet, and get lots of viruses. Almost every third person I speak to tells me their computer is out of action because of a virus.

It's very irritating, this one. I'm getting more mail failures than I used to get spam.

annc
07-03-2005, 11:19 AM
>> Do you know how this happens? <<

I think Steve has the answer.

marlene
07-03-2005, 11:41 AM
I get bazillions of these. My domain/e-mail host says it's just plain old spam pretending to be a bounce message originating from my domain.

I have a filter set up in Eudora to transfer all of them to one folder. Then I have to go through it, unfortunately, to make sure there aren't any legitimate bounce messages -- every once in a while one of my e-mails does bounce back.

Anyway, I'd bet your messages are the same kind of spam. The spammers know that most people will be concerned enough to read the messages.

mxh

annc
07-03-2005, 11:54 AM
>> I get bazillions of these. My domain/e-mail host says it's just plain old spam pretending to be a bounce message originating from my domain.

I have a filter set up in Eudora to transfer all of them to one folder. Then I have to go through it, unfortunately, to make sure there aren't any legitimate bounce messages -- every once in a while one of my e-mails does bounce back.

Anyway, I'd bet your messages are the same kind of spam. The spammers know that most people will be concerned enough to read the messages.

mxh <<

These all have the same subject line. Mine also go into my junk mail folder, which I have to clean out several times a day.

Steve Rindsberg
07-04-2005, 09:57 AM
Which domain it is is mostly up to chance. Which user has which domain in their addressbook. And I suspect that some of these bugs pass the info back to a central computer where it's used even further.

I finally gave up trying to manage all this crap manually ... bought MailWasher (PC product, don't know if it's available for Mac or not) and let it cope. However it's set at the moment seems to have it blowing bogus "You've been a bad boy" emails away w/o even showing them to me. The other less obvious stuff it shows me and lets me decide whether to keep or delete it off the server w/o even downloading it.

It's a bit of a pain having to deal with two different programs but far less pain than manually sorting out all the trash.

annc
07-04-2005, 11:58 AM
>> Which domain it is is mostly up to chance. Which user has which domain in their addressbook. And I suspect that some of these bugs pass the info back to a central computer where it's used even further.

I finally gave up trying to manage all this crap manually ... bought MailWasher (PC product, don't know if it's available for Mac or not) and let it cope. However it's set at the moment seems to have it blowing bogus "You've been a bad boy" emails away w/o even showing them to me. The other less obvious stuff it shows me and lets me decide whether to keep or delete it off the server w/o even downloading it.

It's a bit of a pain having to deal with two different programs but far less pain than manually sorting out all the trash. <<

There may be something for the Mac - I'll have a look. At the moment, the spam filter in Entourage is handling them all fairly well, and my web hosting company is filtering out the viruses, so it's not too bad. Only about 15 to delete when I got up this morning.

Michael Rowley
07-04-2005, 01:18 PM
Ann:

the spam filter in Entourage is handling them all fairly well

The latest spam filter Microsoft has supplied for Outlook, the nearest equivalent to its Entourage, is pretty good; it comes with a warning though that it might put some genuine messages in the junk tray. If you haven't looked at the Office update site for a few weeks, it's well worth doing.

terrie
07-04-2005, 02:07 PM
>>annc: Sure enough, someone's hijacked one of my domain names again, and spammed half the world.


I had this happen again about 2 weeks ago...drives me NUTS!


>>Next thing I know, I'll start getting my e-mails bounced because my domain name has been listed as an abuser.

That's what I'm afraid of too...

Terrie

terrie
07-04-2005, 02:11 PM
>>stever: Hijacked your domain in what sense?
More typically, I think this is the result of Computer A having your domain in its address book and getting infected with a virus that sends spam to the rest of the address book using your domain as the return address. <<

I don't think that's what's happened to me because when it happens, there are bogus "userid's" attached to my domain name like "ted@tlbtlb.com", "fred@tlbtlb.com", etc--these are examples from the last time my domain was hijacked...

Terrie

annc
07-04-2005, 03:12 PM
>> Ann:

the spam filter in Entourage is handling them all fairly well

The latest spam filter Microsoft has supplied for Outlook, the nearest equivalent to its Entourage, is pretty good; it comes with a warning though that it might put some genuine messages in the junk tray. If you haven't looked at the Office update site for a few weeks, it's well worth doing. <<

Thanks, Michael, I'll have a look. But my version of Entourage is not the latest, so any new filter will probably be for the current version, not mine. Microsoft do like us all to upgrade frequently. <g>

annc
07-04-2005, 03:16 PM
>> Next thing I know, I'll start getting my e-mails bounced because my domain name has been listed as an abuser.

That's what I'm afraid of too... <<

So far, I've been lucky. The only times it's happened, it's been because someone has used my ISP to send spam, and other ISPs have blocked that particular IP address, not the entire domain. Resending the e-mail a bit later has fixed it, apparently because I got out with a different mail server.

Michael Rowley
07-05-2005, 08:12 AM
Ann:

Microsoft do like us all to upgrade frequently

There have been at least four upgrades to its spam filter for Outlook. They're worth getting, as each one has been an improvement.

annc
07-05-2005, 03:43 PM
>> Ann:

Microsoft do like us all to upgrade frequently

There have been at least four upgrades to its spam filter for Outlook. They're worth getting, as each one has been an improvement. <<

Well, you're lucky. ;-)

There's only one spam filter available on the Microsoft site for Entourage. It's for the latest version (2004) only, and is dated 11th January 2005 (or 1st November 2005, but more likely the former).

Steve Rindsberg
07-05-2005, 05:10 PM
>>stever: Hijacked your domain in what sense?
More typically, I think this is the result of Computer A having your domain in its address book and getting infected with a virus that sends spam to the rest of the address book using your domain as the return address. <<

I don't think that's what's happened to me because when it happens, there are bogus "userid's" attached to my domain name like "ted@tlbtlb.com", "fred@tlbtlb.com", etc--these are examples from the last time my domain was hijacked...

Terrie

How do you mean "attached to my domain name"? As in are the ted@yourdomain.com in the to, from or other fields of the email that's getting bounced back? That probably doesn't mean much other than that some virus is sending mail to made-up-name@yourdomain.com. Give me the ability to install a program on your computer and I can do that too.

ktinkel
07-05-2005, 05:23 PM
>> I don't think that's what's happened to me because when it happens, there are bogus "userid's" attached to my domain name like "ted@tlbtlb.com", "fred@tlbtlb.com", etc--these are examples from the last time my domain was hijacked... <<

Have you turned off the function to allow any old name -at- tlbtlb.com to work?

I seem to remember that you use softcomca.com. They recommend that this function (can’t remember what it is called) be turned off. If you want a catchall e-mail account, set up an admin e-mail account in addition to the names you do want but do not allow any miscellaneous names.

Then some of this junk should disappear. Or so they tell me! <g>

gary
07-12-2005, 08:30 AM
I just (temporarily) closed a 10-year-old e-mail address because it started receiving over 200 (MyDoom) viruses and bounces a day. Some of the bounces are "legit" from (IMO: inept) sites that bounce viruses to the (forged) sender; some are phoney impersonations.

It's really quite trivial to forge a sender address and near-impossible to forge the sender IP (other than by adding bogus headers). Compromised (including virus-infected) systems are frequently used to send spam and viruses with forged sender addresses.

annc
07-12-2005, 12:19 PM
>> I just (temporarily) closed a 10-year-old e-mail address because it started receiving over 200 (MyDoom) viruses and bounces a day. Some of the bounces are "legit" from (IMO: inept) sites that bounce viruses to the (forged) sender; some are phoney impersonations. <<

What a good idea! I can do that easily enough with this account. Have you done this before, and if so, how long do you close the account for? The returned e-mails reached their peak over the western hemisphere weekend, and have eased back now, so I'm hoping this episode is about to finish, but I'd like to try your method of dealing with them next time it happens.

>> It's really quite trivial to forge a sender address and near-impossible to forge the sender IP (other than by adding bogus headers). Compromised (including virus-infected) systems are frequently used to send spam and viruses with forged sender addresses. <<

Yeah. My horsey friends are mostly computer illiterates, and many of them spend a lot of time off the air because their systems are fatally infected. Before their systems crash and burn, however, they are usually a fertile breeding ground for viruses and hijacking attacks. I run a web site dedicated to dressage, so my e-mail addresses are in all their address books.

terrie
07-18-2005, 01:25 PM
>>stever: How do you mean "attached to my domain name"? As in are the ted@yourdomain.com in the to, from or other fields of the email that's getting bounced back? That probably doesn't mean much other than that some virus is sending mail to made-up-name@yourdomain.com. Give me the ability to install a program on your computer and I can do that too.


I'm confused...

The bogus userids were in the TO field--I only know about them because I got an email from myhosting.com reporting a bounced email...the reported bounced email was using the bogus email addy...


I thought that what was happening was that some spammer picked my domain to use to send spam...

Terrie

PS...sorry it's taken me so long to get back to this...my pc was farkled to a faretheewell when it wouldn't boot due to RAM errors and then the repair place said one of my harddrives was going--the one with my OS of course! Fortunately they were able to clone the bad drive and then I had them replace (and clone) my other 2 drives...we got so sidetracked by the drive problem that we forgot about the RAM and once they'd installed the drives, the system became unstable and the repair guy wasn't sure if the RAM or the mobo (or both) were bad. Turned out new RAM worked. Spent the afternoon I got it back madly backing up everything...'-}}

terrie
07-18-2005, 01:30 PM
>>kt: Have you turned off the function to allow any old name -at- tlbtlb.com to work?

Oh yeah...the only reason I know about this is that these were bounced email messages from myhosting.com saying they couldn't be delivered since the addys weren't on my list of valid email addresses...

Terrie

ktinkel
07-18-2005, 03:35 PM
>> kt: Have you turned off the function to allow any old name -at- tlbtlb.com to work? <<

>> Oh yeah ... the only reason I know about this is that these were bounced email messages from myhosting.com saying they couldn't be delivered since the addys weren't on my list of valid email addresses ... <<

I figured you had done that, but thought it worth a mention! (myhosting.com is pretty clear on what we ought to be doing!).

Steve Rindsberg
07-18-2005, 08:27 PM
Confused. Well, that's two of us. Symmetry's nice. ;-)

Who's bouncing the stuff back to you? Your own ISP? Does the email seem to be originating on your pc -- look at the trail of IP addresses -- or could somebody else be logging in as you -- change your password and see if it stops?

Or is it the antivirus software at some corporate site tossing stuff back at you just because it appears to have come from you in the first place.

Molly/CA
07-18-2005, 08:32 PM
That's the beauty of Mailwasher. You can delete messages from the server without ever having to download them. And there are several ways to define mail to be deleted --filters, friends list, blacklist, and I think something else.

Mailwasher downloads the first 200 lines of messages (by default: adjustable) so you can take a peek if you're not sure.

And groups the "delete" messages from the "known spam" lists (which include RGB and SpamCop databases), so you can just glance at them all together. There's also a "quick reply" button, so you can send, er, a quick reply through the mail program without exactly going into it.

SpamCop posts anything that it's received x reports of as spam --and x might be as low as one. That's what the Mailwasher people told me when I asked why the heck their update notice was flagged by SpamCop! So once in a while you get a legitimate message marked for delete from those lists. I suspect it's one of the games --reporting legitimate addresses to SpamCop.

Mailwasher just about gets my vote for the program I'd least like to do without.

terrie
07-19-2005, 11:56 AM
>>stever: Or is it the antivirus software at some corporate site tossing stuff back at you just because it appears to have come from you in the first place.

That's exactly the situation...

I've also discovered that my cserve numeric addy has somehow been co-opted as I received an auto anti-spam thingie today--the process where you reply to prove you are a legitimate emailer--which shows my cserve numeric id with someone else's name attached...never had that before...

Terrie

Steve Rindsberg
07-19-2005, 06:58 PM
>> stever: Or is it the antivirus software at some corporate site tossing stuff back at you just because it appears to have come from you in the first place.

That's exactly the situation...

I've also discovered that my cserve numeric addy has somehow been co-opted as I received an auto anti-spam thingie today--the process where you reply to prove you are a legitimate emailer--which shows my cserve numeric id with someone else's name attached...never had that before...

Terrie <<

Unless I'm wildly misinterpreting what you're saying, Terrie, you can toss a few curses in the direction of the scum who make this sort of thing happen, but otherwise I wouldn't worry about it.

Somebody with your email address in their address book has had their computer hijacked. It's spewing email with your return address. It's not your fault, there's not much of anything you can do about it (other than delete the fool things when they come back to you). Or use something like Mailwasher, which seems to protect you from them nicely.

WizAlger
07-20-2005, 11:21 AM
Steve;

There's another possibility. There are spammers/crackers out there using false "mail returned" messages as the nose of the camel into the gate behind (or ahead of) the Trojan Horse. I have instructed everybody here NOT to open any message that purports to be a returned message.

I have taken to collecting them and notice that they fall into two general categories -- the above-mentioned malware, and "genuine" messages generated by bounces of bogus messages addressed to unknown users at a domain -- as in bogoid@rdpslides.com. Your mail server sends a reply to the "sender's" domain mx (spoofed, of course), and you get a bounce back saying that the "sender" doesn't exist at the "sending" (spoofed, of course) domain.

What they call collateral spam.

Someday, I'm going to figure out how to turn that off in Postfix.

terrie
07-20-2005, 01:16 PM
>>stever: you can toss a few curses in the direction of the scum who make this sort of thing happen, but otherwise I wouldn't worry about it.

I don't normally...it's just annoying...'-}}


>>Somebody with your email address in their address book has had their computer hijacked.

Yeah...that's what I figured but I don't think I've ever seen someone else's name attached to my cserve numeric id...

>>Or use something like Mailwasher, which seems to protect you from them nicely.

I'm going to check that out...normally, I've found that most of that kind of software doesn't really work with Wincim...it's not that big a deal...

Thanks!

Terrie

Steve Rindsberg
07-20-2005, 05:09 PM
Mark,

Yup, there be those too (spoofs of mail returned messages). And I get lots of mail from "my isp" telling me that my account has been used to molest half the email boxes in the western hemisphere and that all I have to do is run the attached file right away and they won't have to shut me down.

As if. Funny thing is, they almost always spoof my own domain name, where there are to be found exactly one sender of mail. I musta been REALLY wasted (on decaf coffee?) last night to have sent me that stuff, eh?

IAC, I don't think there's cause for alarm in any of the above cases. As long as you click nothing.

Steve Rindsberg
07-20-2005, 05:12 PM
Ah. WinCim. CIS email. Right.

That became such a spam-magnet so long ago and so persistently that I just stopped using it.

But as to whether mailwasher would work ... can you access your CIS mail via the usual SMTP/POP3 nonsense? If so, it'd probably work. It doesn't integrate into your email program, it sits in front and kinda preprocesses the mail. Very clever, though it takes a bit of adjustment to the normal email habits.

IAC, demo's free for 30 days.

terrie
07-21-2005, 01:40 PM
>>stever: Ah. WinCim. CIS email. Right. That became such a spam-magnet so long ago and so persistently that I just stopped using it.

There was a period last year where the spam was just *awful* but it's not too bad now...I get maybe 2 or 3 spams at that addy a day...


>>But as to whether mailwasher would work ... can you access your CIS mail via the usual SMTP/POP3 nonsense?

Yeah...I can...I'm not getting enough spam at this point to bother with Mailwasher, particularly as with WINCIM, I can delete it off the server before d/l'ing into my inbox but I'll keep it in mind...one never knows...'-}}

Thanks!

Terrie

Franca
07-21-2005, 04:04 PM
I "wash" my own mail by previewing it first in MailCall. Anything that's in any way undesirable gets deleted off the server by me. At this point I'm the only entity I completely trust to determine what is and isn't spam. Plus I can also delete stuff that isn't spam ... not everything I don't want qualifies as spam. ;)

gary
07-21-2005, 07:37 PM
>> Someday, I'm going to figure out how to turn that off in Postfix. <<

You have to reject the mail before the DATA command, i.e. using either smtpd_client_restrictions or smtpd_recipient_restrictions. That forces the server attempting delivery to deal with the message. See http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
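As an added example (not gary's configuration and not taken from this thread), here is the shape of the Postfix main.cf settings that gary's advice and ktinkel's earlier catch-all point lead to: the weak setup that accepts mail for any local part and bounces it afterwards, beside the corrected one that rejects unknown recipients at RCPT TO, before DATA. The parameter and restriction names are real Postfix ones; the domain example.com, the table path /etc/postfix/local_recipients and the addresses in it are placeholders I made up for the illustration.

```conf
# Added example, not from the thread. Postfix main.cf fragment.
# Placeholders: example.com, /etc/postfix/local_recipients, the addresses in it.

# ---- Weak setup: what produces the "collateral spam" described above ----
# An empty local_recipient_maps switches off recipient validation in smtpd.
# Postfix then accepts mail for fred@example.com, ted@example.com, anything,
# the local delivery agent fails later with "unknown user", and Postfix mails
# a non-delivery report to the forged Return-Path address of a stranger.
# (luser_relay instead turns the domain into a catch-all: no bounce, but every
# made-up local part lands in one mailbox, which is the setup ktinkel asked about.)
#
#   mydestination        = example.com
#   local_recipient_maps =
#   luser_relay          = catchall@example.com

# ---- Corrected setup: reject unknown recipients during the SMTP dialogue ----
mydestination = example.com

# Lookup table listing every address that really exists, one per line
# (hypothetical contents; build the .db with "postmap"):
#   ann@example.com    ok
#   admin@example.com  ok
local_recipient_maps = hash:/etc/postfix/local_recipients

# Reply code sent for a recipient that is not in the table (550 is the default).
unknown_local_recipient_reject_code = 550

# Restrictions evaluated when the client sends RCPT TO, i.e. before DATA.
# The client gets a 5xx and has to deal with it itself; this server never
# queues the message, so it never has to generate a bounce for it.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unlisted_recipient,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit
```

After editing, run `postmap /etc/postfix/local_recipients` to build the table and `postfix reload` to apply the settings; `postconf -n` shows the non-default values actually in effect. The point of the ordering is that the recipient check fires while the sending machine is still on the wire, so a forged sender elsewhere never receives anything from this host.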

Steve Rindsberg
07-22-2005, 02:12 PM
Sounds like MailCall's the same sort of deal as MailWasher then.
That's about what it does too ... preview headers/first few lines, it makes suggestions as to what it thinks is/isn't spam, you flush what you don't want and keep the rest.

Franca
07-22-2005, 05:02 PM
MailCall lets me preview up to the first 100 lines. I have it set to the max and often that's enough to read the entire piece of e-mail right in MailCall, which can be handy if it's info that doesn't need archiving or a reply.

Steve Rindsberg
07-23-2005, 01:58 PM
Sounds again like Mail Washer's twin (though I can set MW to give me a few more lines, I think, or to grab the whole msg on demand.)

Sounds like I'm evangelizing doesn't it? Ooops. What works, works. For you. For me. ;-)

Franca
07-23-2005, 07:14 PM
I'm glad we both like our Mail "assistants". :) (And no stupid paper clip, either.)

Susie
07-24-2005, 07:02 PM
I do like Mail Washer too. I haven't tried the others, but Mail Washer works just fine for me. And I seem to get more than my fair share of spam these days.

Susie

Molly/CA
07-29-2005, 05:25 PM
Second on the Mailwasher suggestion. The minute I started using it the spam on the CS account dropped dramatically. Like from up to 70 or so to a couple. It gradually built a bit but I never again got the volume, and with Mailwasher it's already sorted and marked for deletion --all you have to do is skim it to make sure there are no false positives, then click the button to process it, and you have a nice clean mail file.

I also love being able to read the first lines of the e-mail; some non-spam is trivial and doesn't need to be kept. And I can try to control semi-spam from places where I've shopped that send you gobs of garbage and only pretend to take you off their mailing lists, like Cooks Garden and Vermont Country Store, by bouncing it.

Steve Rindsberg
07-30-2005, 10:51 AM
Amen.

Though I've got a nice sort of pre-filter at my ISP. Anybody who annoys me with too much UCE/spam gets warned to cut it out; if that doesn't take, their return address or sometimes the whole domain gets added to the "Dump anything from these clowns" list and I never see it again.

If only there were something similar for the snailmail.
Maybe we need a web site that publishes articles like "101 uses for the 101 Lands End catalogs you received last month". Love the store, hate their wastefulness.

Mike
07-31-2005, 01:03 AM
If only there were something similar for the snailmail.
Maybe we need a web site that publishes articles like "101 uses for the 101 Lands End catalogs you received last month". Love the store, hate their wastefulness.

We do seem to get fewer junk CDs these days though.

Steve Rindsberg
07-31-2005, 01:29 PM
[fewer cds]

<aol>Me too. AOL doesn't love me any more.</aol>

Though I don't think they were ever as common as they are/were in Britain.
I always hear from folks on your side about this or that CD that came with a magazine. I don't think I've ever gotten a CD with a magazine.

I wonder why that is. Something to do with the number of subscribers vs the number who're seriously dedicated hobbyists vs. just "leaf through the mag and toss it" readers?

ktinkel
07-31-2005, 01:49 PM
>> [fewer cds]

<aol>Me too. AOL doesn't love me any more.</aol>

Though I don't think they were ever as common as they are/were in Britain.
I always hear from folks on your side about this or that CD that came with a magazine. I don't think I've ever gotten a CD with a magazine. <<

Some mags here used to enclose a CD. Now they just provide a URL and tell you to go get the stuff yourself.

It was mostly demo and shareware programs — nothing earth-shattering, especially if you were a CIS or other sort of online regular.

Michael Rowley
07-31-2005, 03:18 PM
Steve:

I don't think I've ever gotten a CD with a magazine

They're expected in the UK, and they're quite useful for trying out programs you wouldn't dream of bothering to download from the Web. Quite a number of Microsoft SPs for Windows that were too big to download have been made available that way too. Some of the magazines regularly have the latest version of a number of standard utilities as well.

Steve Rindsberg
08-01-2005, 04:49 PM
>> Steve:

I don't think I've ever gotten a CD with a magazine

They're expected in the UK, and they're quite useful for trying out programs you wouldn't dream of bothering to download from the Web. Quite a number of Microsoft SPs for Windows that were too big to download have been made available that way too. Some of the magazines regularly have the latest version of a number of standard utilities as well. <<

So I hear. Go ahead. Gloat.

Say. A computer club could do well by collecting CDs with MS SPs and selling them to their US cousins. I imagine you could beat MS' price and still turn a tidy profit.

Michael Rowley
08-02-2005, 07:59 AM
Steve:

A computer club could do well by collecting CDs with MS SPs and selling them to their US cousins

Microsoft has varied in its attitude to cover CDs: it used to encourage them, and then got cagey. The SP2 for Windows XP though it positively encouraged the magazines to reproduce on a special CD, which was also available to anyone who didn't or couldn't download it and cared to pay for p. & p. I don't think there's any money to be made, and most people in the UK have a healthy respect for Microsoft's lawyers.