Dave Bullock / eecue

photographer, director of engineering: crowdrise, photojournalist, hacker, nerd, geek, human

Blog

Email Fun: Catch-alls, Joe Jobs, SPF and Spam

I no longer have a catch-all email address. For years the email (qmail) server that I run was set up to receive anything @eecue.com. So if you sent an email to asdflakhjflakjsf@eecue.com or dave_is_a_mean_person@eecue.com I would receive it. This was helpful as it allowed me to create addresses for every site that I submitted my information to, such as target@eecue.com, amazon@eecue.com, etc. That way if those companies sold my address to a list I would know they were responsible for the spam.

This seemed like a good idea until I started getting dictionary Joe Jobbed a few years ago. A Joe Job is when someone sends email forged to look like it came from your address, typically to discredit you. In my case it was just a spam bot sending spam from random addresses @eecue.com. I don't think it was an attack on me; I just have a short domain name with a catch-all address.

The joe-jobbing caused me to receive thousands of bounce messages. Today I finally decided to turn off the catch-all functionality in my email server. First I dug through my archived mail to find any important addresses that I still needed to receive mail at, and added aliases for the ones that would be hard to change. For any address that was easy to change, I logged into the corresponding site and switched it to my main address.

After getting rid of the catch-alls I set up a Sender Policy Framework (SPF) record on my DNS server. SPF is a record on a name server that tells mail servers which IP addresses are allowed to send email for that domain. Luckily I only ever send email from my personal mail server so that was easy to fix.
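To show what the SPF record described above actually does when a receiving server evaluates it, here is an added example (not the post's own DNS configuration) of an RFC 7208 check for the mechanisms a single-server domain needs: ip4/ip6 with optional CIDR and the terminal `all`. The record, the sender addresses and the alias of the sending host are constructed for illustration; the IP reuses the www.eecue.com address quoted later on the page purely as an example value.

```python
"""Minimal SPF (RFC 7208) evaluator for a one-server domain.

Added example, not the post's own configuration.  Only mechanisms that can
be evaluated offline are supported: ip4 / ip6 (optional CIDR) and 'all'.
Anything needing DNS (a, mx, include, exists, ptr) or the redirect/exp
modifiers is reported as permerror rather than guessed.
"""
import ipaddress

# Constructed record: exactly one host may send mail for the domain and
# every other sender hard-fails.  The IP is an illustrative value only.
EXAMPLE_RECORD = "v=spf1 ip4:64.239.136.142 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Evaluate sender_ip against an SPF TXT record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    try:
        ip = ipaddress.ip_address(sender_ip)
    except ValueError:
        return "permerror"

    for term in terms[1:]:
        qualifier = "+"                    # mechanisms default to 'pass'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]   # terminal: matches every sender
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed address or prefix
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue                       # no match, try the next term
        return "permerror"                 # unsupported mechanism or modifier

    return "neutral"                       # ran off the end with no 'all'


def smtp_reply_for(result: str) -> int:
    """SMTP reply a receiving MTA should give at MAIL FROM time for an SPF result.

    Rejecting in-session (5xx) is what prevents backscatter: a forged message
    that is never accepted never generates a bounce to the forged domain.
    """
    if result in ("fail", "permerror"):
        return 550                         # reject now, do not accept-then-bounce
    if result == "temperror":
        return 451                         # cannot evaluate yet: sender retries
    return 250                             # pass/softfail/neutral/none: accept, filter later


if __name__ == "__main__":
    for ip in ("64.239.136.142", "203.0.113.7"):
        result = evaluate_spf(EXAMPLE_RECORD, ip)
        print(f"{ip:16} -> {result:8} SMTP {smtp_reply_for(ip and result)}")
```

The `-all` at the end is the part that matters for a joe-jobbed domain: with it, any receiver that checks SPF can refuse forged mail during the SMTP session instead of accepting it and bouncing it back to the forged domain.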

These changes should greatly reduce the amount of spam and joe-job bounces I receive.

Blog

Craziest Nigerian Email Scam Ever

This is the craziest email scam I've ever gotten. It would be totally plausible if there was any chance that Benazir Bhutto would have had my email address in her address book. I almost want to respond to see what kind of a scam it is, but I'm sure it's just your average Nigerian email scam:

From: XXXXXXXXXXXXX@yahoo.com
Subject: Re: Benazir Bhutto
Date: March 31, 2008 10:28:38 AM PDT
To: undisclosed-recipients: ;

Hello,

I want to take this opportunity to express my heartfelt appreciation to you for your support during the hour of need. The enemy gave us a huge blow when they took the life of my dear mother. As a matter of fact, I do not know you personally except your contact details I got from my mom's address book. I also pass on my sincere appreciation for the feat we were able to record at the last elections despite the absence of my mom who was the party leader until her brutal assassination. The victory was to all Pakistanis as it clearly demonstrated their commitment to the course my mom stood and died for. Your support is conspicuously recognized and highly appreciated.

Losing her is the hardest thing I've been through all my life, but knowing that she was a hero to many people does comfort me. I know she would appreciate what you all did for her. All we just crave for now is for her killing be probed by an international team under the United Nations. It is the only hope we have of getting the possible plotters of her murder properly investigated. Only this would help us convince our supporters that there was some element of collusion between her murderers and agents of President Musharaf who were determined to get rid of her.

Please do acknowledge receipt of this correspondence as I will be confiding something very important in you when I get to hear from you again.

Very sincerely,

Bilawal Zardari.

Blog

NetIQ Sold My Email Address To Spammers

The unique throwaway email address that I used only for NetIQ was eventually sold to a spam list. Shame on you NetIQ, I don't think you've adhered to your own privacy policy.

... we want you to know that NetIQ is not in the business of selling or renting individuals' personal data to other companies for marketing purposes.

Blog

Palm to get Blackberry Email

I have been using a RIM Blackberry 7100t for the past couple of months and I like it, but what I really want is a Treo. I have grown fond of the excellent messaging capabilities of the Blackberry and it is good news to hear that RIM and Palm have struck a deal to use the BB email client on the Palm. Cool Deal!

Blog

Unnamed University's Misconfigured Email Adventure

A few days after Christmas I received an email from an upset university server admin who thought my servers were attacking his servers through email. What was actually happening was that a spammer was sending email using random fake addresses at his server's domain name, which I will call anonymous.edu. It wouldn't have been a problem if his server had correctly responded with 550 errors, which mean permanent failure, but it was sending 450, which means temporary failure, so every server that was trying to deliver the bounces kept retrying.
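The two failure modes on this page, a catch-all that accepts mail for every local-part and a server that answers 450 instead of 550 for addresses that will never exist, are both decisions made at RCPT TO time. The added example below (not the post's qmail setup and not the university's server) models both: a recipient policy with the explicit alias table the first post describes, and a count of how many delivery attempts the joe-jobbed domain receives depending on which reply code it sends. The alias table, domain, retry interval and queue lifetime are constructed; only the 14,000-server figure comes from the page.

```python
"""Recipient policy and backscatter model.

Added example, not code from the post or the university.  The alias table,
LOCAL_DOMAIN, retry interval and queue lifetime are hypothetical values.
"""
from math import ceil

LOCAL_DOMAIN = "example.com"

# Constructed alias table: the per-site addresses that were too hard to
# change get explicit aliases; everything else is rejected outright.
ALIASES = {
    "dave@example.com": "dave",
    "amazon@example.com": "dave",
}


def rcpt_reply(recipient, aliases=ALIASES, catch_all=False, defer_unknown=False):
    """SMTP reply (code, text) for RCPT TO:<recipient>.

    catch_all=True accepts any local-part, which is what let thousands of
    joe-job bounces through.  defer_unknown=True reproduces the
    misconfiguration in the post: a 4xx for a mailbox that does not exist.
    """
    _, _, domain = recipient.rpartition("@")
    if domain.lower() != LOCAL_DOMAIN:
        return 550, "5.7.1 relaying denied"
    if catch_all or recipient.lower() in aliases:
        return 250, "2.1.5 recipient ok"
    if defer_unknown:
        return 450, "4.2.1 mailbox unavailable, try again later"
    return 550, "5.1.1 no such user"


def attempts_per_sender(code, retry_interval_min=30, queue_lifetime_min=5 * 24 * 60):
    """Delivery attempts one remote MTA makes for one queued bounce.

    2xx and 5xx remove the message from the remote queue after one attempt.
    4xx keeps it queued and retried on the remote MTA's schedule until its
    queue lifetime expires.  The 30-minute interval and 5-day lifetime are
    assumed values chosen to resemble common MTA defaults.
    """
    if 200 <= code < 300 or 500 <= code < 600:
        return 1
    if 400 <= code < 500:
        return max(1, ceil(queue_lifetime_min / retry_interval_min))
    raise ValueError(f"unexpected SMTP reply code {code}")


def backscatter_attempts(n_servers, code, **schedule):
    """Total connections the joe-jobbed domain receives from n_servers
    that each hold one undeliverable bounce."""
    return n_servers * attempts_per_sender(code, **schedule)


if __name__ == "__main__":
    for flags in ({}, {"catch_all": True}, {"defer_unknown": True}):
        print("RCPT nobody@example.com", flags, "->", rcpt_reply("nobody@example.com", **flags))
    for code in (450, 550):
        total = backscatter_attempts(14_000, code)
        print(f"14,000 servers, reply {code}: {total:,} delivery attempts")
```

Run stand-alone, it prints the three RCPT outcomes and then the attempt totals for 450 versus 550; the difference between them is the "distributed denial of service" the admin thought he was seeing.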
So here is the first email I received from postmaster@anonymous.edu:

From: postmaster@anonymous.edu
Subject: Hosts from your domain are attacking our server
Date: December 28, 2004 2:19:23 PM PST
To: [a bunch of my email addresses]

Network/Security Administrator,

I'm sending you this mail because one or more IP addresses in your domain
are currently attacking our electronic mail server with a denial of service
attack consisting of multiple, rapid attempts to send mail to randomly
generated, non-existent email addresses.

Please take action with regard to the below hosts immediately to stop this
worm or virus.  This attack may be reported to the U.S Federal Bureau of
Investigation for criminal prosecution.  These hosts may also have been
blacklisted from sending mail to our server.

    64.239.136.142  (www.eecue.com)

To which I responded:

From: eecue AT eecue.com
Subject: Re: Hosts from your domain are attacking our server
Date: December 28, 2004 2:32:16 PM PST
To: postmaster@anonymous.edu

Hi you will notice those emails are not actually coming from my server.

The spammers are using my domain as their From: address.

Is this email for real?

-Dave
My guess was close, but I had it backwards...

After getting three more of those emails they sent me this:

From: postmaster@anonymous.edu
Subject: Hosts from your domain are attacking our server
Date: December 28, 2004 2:59:32 PM PST
To: [a bunch of my email addresses]

Excuse me if this email is a duplicate. I forgot to list the IP address
of the victim of this attack.  It is: atlantis.anonymous.net (192.168.139.69)
Also, I can be contacted at:  postmaster@anonymous.edu

I'm sending you this mail because one or more IP addresses in your domain
are currently participating in a distributed denial of service attack
consisting of multiple attempts to send mail to randomly generated,
non-existent email addresses at our site.

Please take action with regard to the below hosts immediately to stop this
worm or virus.  These hosts may also have been blacklisted from sending
mail to our server.  They can be re-enabled once the DDoS attack subsides.


    64.239.136.142  (www.eecue.com)

To which I responded this:

From: eecue AT eecue.com
Subject: Re: Hosts from your domain are attacking our server
Date: December 28, 2004 3:01:28 PM PST
To: postmaster@anonymous.edu

Hello,

Please send me the full email in question including the headers
so I can track down who is sending said email.

Thanks

-Dave
I didn't hear back about it until today when I received this email:

From: anon_admin@anonymous.edu
Subject: Re: Hosts from your domain are attacking our server
Date: January 3, 2005 12:42:57 AM PST
To: eecue AT eecue.com

It was for real, but was the result of a mis-diagnosis of the problem...

Things have returned to normal, there is no need to do anything on your
side.  Our domain was the subject of a massive spam forgery ("Joe Job")
with randomly generated reply-to fields @anonymous.edu.  This occurred for over
14,000 domains, and our mail server was sending a 450 temporary error.

Basically we told 14,000 sites to keep trying to deliver bounce messages
back to us, with no valid local recipient, at whatever rate they did queue
flushes.  Making it look very much to us like a Distributed Denial of
Service Attack.  When really this whole thing would have been only briefly
painful if we had changed the failure notice to a permanent failure,
causing those 14000 servers to trash those invalid messages.

It was not apparent to us what was happening (since we never received any
of the bounces) until someone said, "Hey you know this bounce says that you
are replying with a 450 temporary failure..." It has now been changed to a
550 (permanent failure) response.

Thanks again for looking into this!
Well that was nice of them to fix everything.

From: eecue AT eecue.com
Subject: Re: Hosts from your domain are attacking our server
Date: January 3, 2005 7:17:39 PM PST
To: anon_admin@anonymous.edu

Glad you worked everything out.

I thought it was somewhat humorous, so I posted about it on my website:

http://eecue.com/

I changed the names to protect the innocent.

-Dave

....
A. David Bullock
eecue : programmer / designer / admin / human
http://eecue.com/  -
anything is possible