Someone is spoofing my domain

  • LVZ
    Member
    • Mar 2004
    • 52

    Someone is spoofing my domain

    One of my primary domains is uniQon.com

    Someone is spoofing my domain sending out EXE and PIF files which are presumably viruses or trojans under my domain name. What can I do to prevent this? Below are the headers from four spoofed messages. Note that the following email accounts are phony and do NOT exist:

    christina@uniqon.com
    remove_spam_x@uniqon.com
    Boardmeetups@uniqon.com
    management@uniqon.com
    igrfkowuseskhtwfbcd@uniqon.com
    lpdjnaowkxgmlyxcwiq@uniqon.com

    #1===============================
    Return-path: <texaskerry-unsubscribe@yahoogroups.com>
    Envelope-to: meetups@uniqon.com
    Delivery-date: Mon, 31 May 2004 12:00:22 -0500
    Received: from [68.69.154.236] (helo=D57R0821.net)
    by cpanel13.gzo.com with smtp (Exim 4.34)
    id 1BUq96-0002rW-5w
    for meetups@uniqon.com; Mon, 31 May 2004 12:00:21 -0500
    Date: Mon, 31 May 2004 13:00:24 -0500
    To: meetups@uniqon.com
    Subject: I just need a friend
    From: christina@uniqon.com
    Message-ID: <igrfkowuseskhtwfbcd@uniqon.com>

    #2==============================
    Return-Path: <remove_spam_x@uniqon.com>
    Received: from nodo50.org (38.Red-80-34-136.pooles.rima-tde.net [80.34.136.38])
    by mxzilla7.xs4all.nl (8.12.10/8.12.10) with ESMTP id i4S6rW70092286
    for <ecogranada@nodo50.org>; Fri, 28 May 2004 08:53:33 +0200 (CEST)
    Message-Id: <200405280653.i4S6rW70092286@mxzilla7.xs4all.nl>
    From: remove_spam_x@uniqon.com
    To: ecogranada@nodo50.org
    Subject: Mail Delivery (failure ecogranada@nodo50.org)
    Date: Fri, 28 May 2004 08:54:42 -0500

    #3===============================
    Received: from metropoli2000.com (38.Red-80-34-136.pooles.rima-tde.net [80.34.136.38])
    by mx1.m2kcore.com (Postfix) with ESMTP id B1DAFAC06A
    for <info@metropoli2000.com>; Fri, 28 May 2004 08:43:30 +0200 (CEST)
    From: remove_spam_x@uniqon.com
    To: info@metropoli2000.com
    Subject: Re: my website
    Date: Fri, 28 May 2004 08:45:03 -0500
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
    X-Priority: 3
    X-MSMail-Priority: Normal
    Message-Id: <20040528064330.B1DAFAC06A@mx1.m2kcore.com>

    #4===============================
    Return-path: <Boardmeetups@uniqon.com>
    Received: from [68.60.149.25] (helo=matt-s-computer.net)
    by cpanel13.gzo.com with smtp (Exim 4.34)
    id 1BSDf3-0001S1-Am
    for 404078LVZmeetups@uniqon.com; Mon, 24 May 2004 06:30:30 -0500
    Date: Mon, 24 May 2004 08:00:40 -0500
    To: 404078LVZmeetups@uniqon.com
    Subject: Email report
    From: management@uniqon.com
    Message-ID: <lpdjnaowkxgmlyxcwiq@uniqon.com>

    Las Vegas Neighborhood Message Boards
    http://www.myLVN.com
    subframed at http://vegas215.com/forums
  • Buddha
    Senior Member
    • Mar 2004
    • 825

    #2
    One of those looks like W32/Bagle-W trojan, email number one.

    This happens to my clients sometimes... Not much you can do except not give your email address out and make sure everyone you do give it to is well informed about virus protection.

    We have figured out who was infected a couple of times by the returned emails.
    "Whatcha mean I shouldn't be rude to my clients?! If you want polite then there will be a substantial fee increase." - Buddha


    • Frank Hagan
      Senior Member
      • Mar 2004
      • 724

      #3
      You cannot control what other people do. There is nothing you can do to prevent someone from making up an email address with your domain name in it and sending it out.

      You can protect your real email addresses by not having them posted in a manner that they can be harvested. Don't have them in "mailto:" links on your sites, or your customer's sites. Encode them using any of the obfuscation methods. Look at Tim Williams' examples at http://www.u.arizona.edu/~trw/spam/index.htm

      That way, the spammers will simply make up an email address, but they won't be using your actual email address.

      Other than that, you have to wait for some kind of legislative change to track users across the Internet.


      • fcm
        Junior Member
        • Oct 2005
        • 28

        #4
        So here are a couple of questions about this (I have a client getting tons of this stuff, apparently from their own domain):

        1. If I set up an actual email address using the 'spoofed' email address, would that help my situation? None of the emails that come are from 'legitimate' email accounts on that domain.

        2. Client is concerned that if they add the sender to a 'Junk' email list (they have Zone Alarm, I think) that it will block all the other addresses from their domain, and they won't be able to send each other stuff. Any thoughts on that?

        3. And finally, just to clarify, this email 'spoofing' doesn't mean that their site security has been compromised, is that correct? Just that their domain has been targeted and someone is faking it?

        Thanks in advance to those in the know. It really freaked my client out, and I am admittedly no email guru.


        • Buddha
          Senior Member
          • Mar 2004
          • 825

          #5
          Originally posted by fcm
          1. If I set up an actual email address using the 'spoofed' email address, would that help my situation? None of the emails that come are from 'legitimate' email accounts on that domain.
          No it wouldn't help. Might set the default email address to /dev/nul (blackhole in cPanel) though.

          Originally posted by fcm
          2. Client is concerned that if they add the sender to a 'Junk' email list (they have Zone Alarm, I think) that it will block all the other addresses from their domain, and they won't be able to send each other stuff. Any thoughts on that?
          I usually tell my clients never to mark their own domain as junk. If I ain't looking over their shoulder, I don't trust them not to be reporting themselves to Spamhaus or something.

          Originally posted by fcm
          3. And finally, just to clarify, this email 'spoofing' doesn't mean that their site security has been compromised, is that correct? Just that their domain has been targeted and someone is faking it?
          No it doesn't mean the server has been compromised but somebody's PC has been though. Make sure every one has up to date virus and adware protection especially those with access to the server (yourself included).
          "Whatcha mean I shouldn't be rude to my clients?! If you want polite then there will be a substantial fee increase." - Buddha


          • samsam
            Member
            • Mar 2004
            • 79

            #6
            Originally posted by LVZ
            Someone is spoofing my domain sending out EXE and PIF files which are presumably viruses or trojans under my domain name. What can I do to prevent this?
            Not much. It happens to me periodically too - I get a ton of spam from some of my own domains and I think for a second - WTF?

            It is trivially easy in any email client or script to put in a phony 'from' or 'reply to' address (try it yourself sometime). Hence the problem.

            I find that most of these spam messages using my own address(es) in the 'from' field come about as a result of people I have emailed in the past getting their PCs infected with a virus/trojan that harvests their address books, and hence the trojan finds my address. All too common.

            I can verify this because some of the spam I have received apparently from myself has used a quite complicated email address I have only used to correspond with very specific clients about specific projects, and which has never otherwise been public, or on the web etc. And which would be too hard to generate randomly.

            So I certainly concur with the advice others have given here - one part of the solution is for your clients/ correspondents to keep their email anti-virus systems up to date.

            Having said this though, I find that most of these spams only have a short shelf life. It's been very rare for me to get the same sort of spoofed email twice.


            • mdmcginn
              Junior Member
              • Mar 2004
              • 22

              #7
              SPF (if it ever became common) would reduce this problem. I added the following TXT record to my DNS zone, to signal that any email from mydomain.com that didn't go through mail.mydomain.com didn't really come from my domain and shouldn't be trusted (I don't use my ISP's mailservers):

              Code:
              'v=spf1 a mx mx:cpanelxx.gzo.com ~all'
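              As an added illustration (not code from anyone in this thread), here is a small Python script that does what a receiving mail server would do with a record like the one above: it pulls the connecting IP out of the Received line of message #1 from the first post, reads the domain from the From: header, and evaluates the SPF record for that domain against that IP. DNS is replaced by a constructed lookup table so it runs offline; the TXT record is the one quoted above, but the A and MX entries, and the second example.org record with a hard -all, are assumptions made up for the example, not real records for any of these domains. Only the a, mx, ip4 and all mechanisms are implemented, which is all this record needs.

```python
import ipaddress
import re

# Constructed DNS view so the script runs offline. The uniqon.com TXT record is
# the one quoted in the post; every A and MX entry, and the example.org record,
# is an assumption for this example and not a real record of any domain.
FAKE_DNS = {
    ("uniqon.com", "TXT"): ["v=spf1 a mx mx:cpanelxx.gzo.com ~all"],
    ("uniqon.com", "A"): ["203.0.113.10"],
    ("uniqon.com", "MX"): ["mail.uniqon.com"],
    ("mail.uniqon.com", "A"): ["203.0.113.20"],
    ("cpanelxx.gzo.com", "MX"): ["cpanelxx.gzo.com"],
    ("cpanelxx.gzo.com", "A"): ["203.0.113.30"],
    # Same idea with a hard fail, to contrast ~all with -all.
    ("example.org", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
}

# Headers of message #1 from the first post, reduced to the two lines the check needs.
SPOOFED_HEADERS = """\
Received: from [68.69.154.236] (helo=D57R0821.net) by cpanel13.gzo.com with smtp (Exim 4.34)
From: christina@uniqon.com
"""

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query; returns [] for anything not in the table."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def client_ip(headers):
    """Take the bracketed IP the receiving MTA recorded in the first Received line.

    That address is what SPF is evaluated against; the helo name and the
    From: header are both chosen by the sender and can say anything.
    """
    m = re.search(r"^Received: from \[(\d+\.\d+\.\d+\.\d+)\]", headers, re.M)
    return m.group(1) if m else None


def from_domain(headers):
    """Domain part of the From: header (the one the spammer forged)."""
    m = re.search(r"^From:.*@([\w.-]+)", headers, re.M)
    return m.group(1).lower() if m else None


def check_spf(domain, ip_text):
    """Evaluate a v=spf1 record with the a, mx, ip4 and all mechanisms.

    Returns none / pass / fail / softfail / neutral, the RFC 7208 result names.
    """
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not records:
        return "none"  # domain publishes no policy, so nothing can be concluded
    ip = ipaddress.ip_address(ip_text)
    for term in records[0].split()[1:]:
        qualifier = "+"  # a mechanism with no prefix means "pass" when it matches
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip_text in lookup(target, "A")
        elif mech == "mx":
            matched = any(ip_text in lookup(mx, "A") for mx in lookup(target, "MX"))
        else:
            continue  # mechanism not implemented here: skip rather than guess
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # every term was checked and none matched


def verdict(headers):
    """SPF result for the From: domain against the IP that actually connected."""
    return check_spf(from_domain(headers), client_ip(headers))


if __name__ == "__main__":
    print(client_ip(SPOOFED_HEADERS), from_domain(SPOOFED_HEADERS), verdict(SPOOFED_HEADERS))
```

              With these constructed records the spoofed message evaluates to softfail: 68.69.154.236 is neither an A record nor an MX of uniqon.com nor of cpanelxx.gzo.com, so the ~all term is what matches. A softfail is advisory, which is why a receiver may still deliver the message; the example.org record with -all shows the stricter alternative, where the same unlisted IP produces a hard fail. Note also what the script does not do: it never looks at the helo name or the From: address to decide, because those are the parts the forger controls.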
