I've received over two hundred failure notices from someone sending spam and using made-up e-mails with my domain. I've contacted my host so I don't get my hosting yanked over it... but how can I stop it? I don't believe they have access to my files, or they'd be spoofing a real e-mail... FLASH! I think I actually figured out what it is in the middle of my post. Oh well, I'll finish anyway, as a warning: my tell-friend script. DUH! I knew that spammers could use this, I just didn't think they would... right. And I went and contacted my host. Keep an eye on those tell-friend scripts (just removed the link to mine).
The email address can be spoofed... but I'm sure the details, such as the sending server, come with the email.
You took it off and have no problems anymore. They might just keep making new emails from your domain name.
Well, the failure notices are still coming in... might be for days. They've been damn busy, that's for sure... I started seeing this an hour ago. 350+ and probably 25 waiting for me when I get back. And that's just the failures. If only my visitors had used it so diligently! Of course, I've seen hardly any traffic that way. But I'm pretty sure that's how they were doing it, hopefully that's that. The worst part is my domain e-mails will probably trip a spam filter now. I'm going evangelistic on "don't use tell-friend scripts."
You've taken the link off, but did you remove / rewrite the vulnerable script itself? I am not sure if you were implying that by saying you've removed the link. If the script is still there, the spammer would already know the correct request variables to send to it in order to produce E-mail. They don't need a hyperlink. Absolutely make sure the actual script itself has been updated / removed! Hope I'm not stating the obvious to you, amanamission!
I've removed the script and blocked the offending IP in both the root directory and the domain they were spoofing. The spam failures stopped for several days, but my box just got hit with another 150. This IP will not go away. According to Wikipedia, it's an "open proxy" or "zombie computer," so the humans behind this may not realize it's blocked. .htaccess just sends you to a server default page. I actually went to the proxy Wiki mentioned, and sure enough, my sites are blocked. So it must be on automatic. Nice to be rid of them though, because I never know what's really going on with this crap.
I don't really know what the hell they are doing. That's why I started this thread. However, I believe that failure notices are a good metric of whether they are sending out spoofs, because I get failure notices from the spam detectors. So if they use my domain in the sending address, I get the failure notice about it. They seem to have stopped since I totally deleted the script, but this IP is still living at my site despite being .htaccess banned.
You may want to make sure you have an SPF record as well on your domain. You can then test trying to spoof your own domain when you're done adding the SPF record to your DNS zone. Here are instructions on how to do so: http://www.trexhost.com/support/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=4&nav=0
There are some SMTP grabber nets, so maybe some hackers used one and got your SMTP address and started spamming. But nowadays, scammers use PHPMailer to spam entire e-mail inboxes. They can't access your files but can still manage to send e-mail from an existing e-mail address (like ); whatever, most of the time they live in the bulk/spam box!
That's correct, lkj. If your webhost isn't using SPF, then there's no way of stopping email spoofing.
Hi - same thing happening to me. It started just before the weekend and today I got over 300 failure notices in my mailbox. I have a tell-a-friend script too, but the spammers are using one particular mailbox that has nothing to do with the script? How do I get their IP address? From the email headers? What do I look for?
Isn't SPF at the domain/DNS level? At any rate, if someone is spamming through a form on your site, SPF makes no difference because the spammer is sending through a form on your web site whose IP probably is cleared through the SPF entry in the DNS, so if you have a spammable form, fix it or take it off or get blacklisted. Also, SPF does not stop the actual spoofing that results in the millions of bounced messages. What SPF is good for is working with blacklists, because if a spammer spoofs your email address (which is sooo easy to do) and sends a million emails via their local spam server, if any of those spams are reported, say to SpamCop, SpamCop won't blacklist because the sending IP won't match what's in your SPF record. SPF is handy and an extra measure in keeping your domain name off a blacklist, but it's not infallible.
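Added example, not from any poster in this thread: it reads the Received chain of a constructed bounced message to find the first-hop IP asked about above, then evaluates that IP against a minimal SPF record of the kind the earlier post suggests adding. The SPF evaluator is deliberately simplified (ip4/ip6 mechanisms and all only; include/a/mx need DNS lookups and are treated as no-match, an assumption made here); the sample message, addresses and record are constructed.

```python
import email
import ipaddress
import re

# Constructed sample bounce: the original spam's Received chain is copied in.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
SAMPLE_BOUNCE = """\
Received: from mx.example.com (mx.example.com [203.0.113.10])
\tby mail.example.net with ESMTP; Mon, 1 Jan 2007 10:00:00 +0000
Received: from zombie-pc (unknown [198.51.100.77])
\tby mx.example.com with SMTP; Mon, 1 Jan 2007 09:59:58 +0000
From: made-up-name@example.com
To: victim@example.net

spam body
"""

# Constructed SPF record for example.com: only the host's mail servers may send.
SAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 -all"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(raw):
    """IPs from the Received chain, first hop first (the last header is the oldest)."""
    msg = email.message_from_string(raw)
    hops = [m.group(1) for h in msg.get_all("Received", []) for m in [IP_RE.search(h)] if m]
    return hops[::-1]

def spf_check(record, sender_ip):
    """Minimal SPF evaluation: ip4/ip6 mechanisms and 'all' only (assumption:
    include/a/mx would need DNS and are treated as no-match here)."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qual, mech = ("+", term) if term[0] not in results else (term[0], term[1:])
        if mech.lower() == "all":
            return results[qual]
        if mech.lower().startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(mech.split(":", 1)[1], strict=False):
                return results[qual]
    return "neutral"

def triage_bounce(raw, spf_record):
    """Origin IP of the spoofed mail and what an SPF-checking receiver would decide."""
    hops = received_ips(raw)
    origin = hops[0] if hops else None
    return {"origin_ip": origin, "hops": hops,
            "spf": spf_check(spf_record, origin) if origin else "none"}
```

The first hop is the one worth blocking or reporting; the "fail" result shows what a receiver that checks SPF would see, which is why the record helps with blacklists but does not stop the bounces themselves.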