spoofing of my domain

Scarlett · 01-06-2006, 11:44

Myself and the wife have our own domains that we use for emails only. recently though, someone has started to spoof my wifes domain to spam people with.

I'm 99% certain its spoofing because we have up to date anti-virus and ZA firewall and we use opera for mails and we don't open attachements etc. we dont use P2P and only have MSN chat on but rarely active.

Since this started we have been getting Tons of emails from people's ISP's with returned type headers.

All the emails are of the form sdfhsd@mydomain.com so clearly spam but the problem is that we are now getting 10-15 a day and although we are moving them all to a seperate folder its still anoying.

any suggestions apart from moving domains

Jon M · 01-06-2006, 11:52

If you run your own mailserver, you should reject any mail item to your domain that isn't "postmaster@", "abuse@", "admin@" possibly "info@" and any of you own addresses. All unrecognised addresses should be rejected rather than forwarded to a catch all address (usually set as postmaster).

Using a false or spoofed domain/address in a spam is one of the most common tactics you'll see, anyone that knows what they're doing will ignore a sender address and check the originating IP from the header.

abailey152 · 01-06-2006, 11:56

I had this a few months back. Like you, I wasn't sure whether the emails were really bounced messages from other ISP's etc., or whether they were spoof emails, just trying to get me to respond.

In the end, I found a common link between them all. The originiating IP range, in this case, so I just set up a SPAM filter to remove them.

Not sure if it is any consolation, but in my case the emails did stop after a few weeks, and I've not had anything similar since.

Scarlett · 01-06-2006, 12:21

I see what you mean, the common originating IP is 212.227.15.XX which leads back to a German Webhosting company.

Strzelecki · 01-06-2006, 12:27

If you are getting quite a lot of these emails and you have the option, instead of rejecting the emails your should 'blackhole' them. This means your mail server just swallows them up and destroys them instead of wasting resources trying to reject them and return them to sender. Filtering by IP won't always stop them as all the spammer has to do is change their IP.

Scarlett · 01-06-2006, 13:51

I set the filter up on the first 3 numbers of the IP address. 99% of the mails gone in one go.

I know the spammer may change the IP address but at least I can change my filter easily

**Paul M** · 01-06-2006, 17:13

I get loads on one of my domains, they simply send the spam with a false address as the return address so any rejects come back to you.