I no longer have a catch-all email address. For years the email (qmail) server that I run was set up to receive anything @eecue.com. So if you sent an email to email@example.com or firstname.lastname@example.org I would receive it. This was helpful as it allowed me to create addresses for every site that I submitted my information to, such as email@example.com, firstname.lastname@example.org, etc. That way if those companies sold my address to a list I would know they were responsible for the spam.
This seemed like a good idea until I started getting dictionary Joe Jobbed a few years ago. A Joe Job is when someone sends emails from your account to discredit you. In my case it was just a spam bot sending spam from random addresses @eecue.com. I don't think it was an attack on me; I just have a short domain name that has a catch-all address.
The joe-jobbing caused me to receive thousands of bounce messages. Today I finally decided to turn off the catch-all functionality in my email server. First I dug through my archived mail to find any important addresses that I still needed to receive mail at. I added aliases for the ones that would be hard to change. Any address that was easy to change I just logged into the site it corresponded to and changed it to my main address.
After getting rid of the catch-alls I set up a Sender Policy Framework (SPF) record on my DNS server. SPF is a record on a name server that tells mail servers which IP addresses are allowed to send email for that domain. Luckily I only ever send email from my personal mail server so that was easy to fix.
These changes should greatly reduce the amount of spam and joe-job bounces I receive.
This is the craziest email scam I've ever gotten. It would be totally plausible if there was any chance that Benazir Bhutto would have had my email address in her address book. I almost want to respond to see what kind of a scam it is, but I'm sure it's just your average Nigerian Email scam:
Subject: Re: Benazir Bhutto
Date: March 31, 2008 10:28:38 AM PDT
To: undisclosed-recipients: ;
I want to take this opportunity to express my heartfelt appreciation to you for your support during the hour of need. The enemy gave us a huge blow when they took the life of my dear mother. As a matter of fact, I do not know you personally except your contact details I got from my mom's address book. I also pass on my sincere appreciation for the feat we were able to record at the last elections despite the absence of my mom who was the party leader until her brutal assassination. The victory was to all Pakistanis as it clearly demonstrated their commitment to the course my mom stood and died for. Your support is conspicuously recognized and highly appreciated.
Losing her is the hardest thing I've been through all my life, but knowing that she was a hero to many people does comfort me. I know she would appreciate what you all did for her. All we just crave for now is for her killing be probed by an international team under the United Nations. It is the only hope we have of getting the possible plotters of her murder properly investigated. Only this would help us convince our supporters that there was some element of collusion between her murderers and agents of President Musharaf who were determined to get rid of her.
Please do acknowledge receipt of this correspondence as I will be confiding something very important in you when I get to hear from you again.
... we want you to know that NetIQ is not in the business of selling or renting individuals' personal data to other companies for marketing purposes.
I have been using a RIM Blackberry 7100t for the past couple of months and I like it, but what I really want is a Treo. I have grown fond of the excellent messaging capabilities of the Blackberry and it is good news to hear that RIM and Palm have struck a deal to use the BB email client on the Palm. Cool Deal!
A few days after Christmas I received an email from an upset university server admin who thought my servers were attacking his servers through email. What was actually happening was that a spammer was sending email using random fake addresses at his server's domain name, which I will call anonymous.edu. It wouldn't have been a problem if the server had been correctly responding with 550 errors, which mean Permanent Failure, but the servers were sending 450s, which are Temporary errors, so all the servers that were trying to deliver the bounces kept trying.
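An added example (not from the original post): a receiver-side log check for the symptom described above, where unknown recipients answered with a 4xx reply are retried again and again by the same remote hosts. The log tuples, IP addresses (documentation ranges), mailbox list and function names are constructed for illustration.

```python
from collections import Counter

# Constructed receiver-side log: (minute, client_ip, rcpt_to, smtp_reply_code).
# IPs are documentation ranges; anonymous.edu is the post's stand-in domain.
SAMPLE_LOG = [
    (0,  "198.51.100.7", "xkqj@anonymous.edu",  450),
    (0,  "203.0.113.20", "bzrt@anonymous.edu",  450),
    (30, "198.51.100.7", "xkqj@anonymous.edu",  450),
    (60, "203.0.113.20", "bzrt@anonymous.edu",  450),
    (90, "198.51.100.7", "xkqj@anonymous.edu",  450),
    (95, "192.0.2.44",   "staff@anonymous.edu", 250),
]
VALID_LOCAL = {"staff@anonymous.edu"}  # assumed list of real mailboxes

def reply_class(code):
    """How a sending MTA treats an SMTP reply, by first digit (RFC 5321)."""
    return {2: "delivered", 4: "retry", 5: "give up"}.get(code // 100, "other")

def find_retry_storms(log, valid_local, min_attempts=2):
    """Return {(client, rcpt): attempts} for unknown recipients answered 4xx.

    Each pair is a remote queue that keeps coming back until its own queue
    lifetime expires, because the receiver said the failure was temporary.
    """
    attempts = Counter()
    for _minute, client, rcpt, code in log:
        if rcpt not in valid_local and reply_class(code) == "retry":
            attempts[(client, rcpt)] += 1
    return {pair: n for pair, n in attempts.items() if n >= min_attempts}

def attempts_if_rejected_permanently(log, valid_local):
    """Count log entries that would remain had unknown recipients got 550.

    A 5xx ends delivery of that message, so only the first attempt per
    (client, rcpt) pair would have reached the receiver.
    """
    seen, kept = set(), 0
    for _minute, client, rcpt, _code in log:
        if rcpt not in valid_local:
            if (client, rcpt) in seen:
                continue
            seen.add((client, rcpt))
        kept += 1
    return kept

if __name__ == "__main__":
    print(find_retry_storms(SAMPLE_LOG, VALID_LOCAL))
    print(len(SAMPLE_LOG), "->", attempts_if_rejected_permanently(SAMPLE_LOG, VALID_LOCAL))
```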
So here is the first email I received from email@example.com:
From: firstname.lastname@example.org
Subject: Hosts from your domain are attacking our server
Date: December 28, 2004 2:19:23 PM PST
To: [a bunch of my email address]
Network/Security Administrator,
I'm sending you this mail because one or more IP addresses in your domain are currently attacking our electronic mail server with a denial of service attack consisting of multiple, rapid attempts to send mail to randomly generated, non-existent email addresses.
Please take action with regard to the below hosts immediately to stop this worm or virus. This attack may be reported to the U.S Federal Bureau of Investigation for criminal prosecution. These hosts may also have been blacklisted from sending mail to our server.
126.96.36.199 (www.eecue.com)
To which I responded:
From: eecue AT eecue.com
Subject: Re: Hosts from your domain are attacking our server
Date: December 28, 2004 2:32:16 PM PST
To: email@example.com
Hi you will notice those emails are not actually coming from my server. The spammers are using my domain as their From: address. Is this email for real?
-Dave
My guess was close, but I had it backwards...
After getting three more of those emails they sent me this:
From: firstname.lastname@example.org
Subject: Hosts from your domain are attacking our server
Date: December 28, 2004 2:59:32 PM PST
To: [a bunch of my email addresses]
Excuse me if this email is a duplicate. I forgot to list the IP address of the victim of this attack. It is: atlantis.anonymous.net (192.168.139.69)
Also, I can be contacted at: email@example.com
I'm sending you this mail because one or more IP addresses in your domain are currently participating in a distributed denial of service attack consisting of multiple attempts to send mail to randomly generated, non-existent email addresses at our site.
Please take action with regard to the below hosts immediately to stop this worm or virus. These hosts may also have been blacklisted from sending mail to our server. They can be re-enabled once the DDoS attack subsides.
188.8.131.52 (www.eecue.com)
To which I responded this:
From: eecue AT eecue.com
Subject: Re: Hosts from your domain are attacking our server
Date: December 28, 2004 3:01:28 PM PST
To: firstname.lastname@example.org
Hello,
Please send me the full email in question including the headers so I can track down who is sending said email.
Thanks
-Dave
I didn't hear back about it until today when I received this email:
From: email@example.com
Subject: Re: Hosts from your domain are attacking our server
Date: January 3, 2005 12:42:57 AM PST
To: eecue AT eecue.com
It was for real, but was the result of a mis-diagnosis of the problem... Things have returned to normal, there is no need to do anything on your side.
Our domain was the subject of a massive spam forgery ("Joe Job") with randomly generated reply-to fields @anonymous.edu. This occurred for over 14,000 domains, and our mail server was sending a 450 temporary error. Basically we told 14,000 sites to keep trying to deliver bounce messages back to us, with no valid local recipient, at whatever rate they did queue flushes. Making it look very much to us like a Distributed Denial of Service Attack. When really this whole thing would have been only briefly painful if we had changed the failure notice to a permanent failure, causing those 14000 servers to trash those invalid messages.
It was not apparent to us what was happening (since we never received any of the bounces) until someone said, "Hey you know this bounce says that you are replying with a 450 temporary failure..." It has now been changed to a 550 (permanent failure) response.
Thanks again for looking into this!
Well that was nice of them to fix everything.
From: eecue AT eecue.com
Subject: Re: Hosts from your domain are attacking our server
Date: January 3, 2005 7:17:39 PM PST
To: firstname.lastname@example.org
Glad you worked everything out. I thought it was somewhat humorous, so I posted about it on my website: http://eecue.com/
I changed the names to protect the innocent.
-Dave
....
A. David Bullock
eecue : programmer / designer / admin / human
http://eecue.com/ - anything is possible