Message Board

Donating MX Entries

Older Posts ]   [ Newer Posts ]
 Donated MX domain being spoofed by spammers
Author: R.Gupta7   (2 May 15 8:59am)
My donated MX has started being joe-jobbed by spammers using servers in China. Anyone else experienced this?
 
 Re: Donated MX domain being spoofed by spammers
Author: H.User1325   (2 May 15 9:38am)
No. I'm curious how you know?
 
 Re: Donated MX domain being spoofed by spammers
Author: R.Gupta7   (6 May 15 9:53am)
I have DMARC set up on my top-level domain and my aggregate reports show quite a few joe-jobs using someaddress@domain-matching-my-donated-mx starting around Apr 22nd.

Post Edited (6 May 15 9:57am)
 
 Re: Donated MX domain being spoofed by spammers
Author: H.User1325   (6 May 15 12:07pm)
With the DNS being distributed, I would not have though info available to the local server would identify anything except lookups from local SMTPs
 
 Re: Donated MX domain being spoofed by spammers
Author: R.Gupta7   (7 May 15 6:02am)
No, the info is not from DNS. It is from a DMARC email feedback loop from ESPs like Google, Microsoft, Yahoo and others. See http://dmarc.org/.
 
 Re: Donated MX domain being spoofed by spammers
Author: H.Salvisberg   (17 May 15 12:26pm)
Yes, this is bound to happen sooner or later. And it results in mis-directed bounces and other autoresponders to the spoofed senders ( = PHP-created mail addresses).
See https://www.spamcop.net/fom-serve/cache/329.html for details.

It could be reasonably argued that mis-directed bounces, out-of-office messages, etc. are as bad as the original spam, but they don't fit the profile that PHP is looking for.

I wonder whether PHP is prepared to filter out and ignore the backscatter, which might come from the likes of Google and other reputable mailers. (Yes, gmail.com has recently sent me mis-directed bounces -- it's really disappointing that Google is not smart enough to handle this properly!) Treating backscatter as spam and blacklisting honest but not-so-smart bouncers/auto-responders would not help PHP's cause.

Not only would it not help, but it could actually be a PHP vulnerability that lets the spammers purposely undermine PHP's effectiveness. It's a non-trivial issue for PHP to solve, and just relying on frequencies will not be sufficient in the long run.

@R.Gupta7:

It would probably be fair to set the subdomain's SPF record to reject all mail coming from the donated subdomain, so that the innocent recipients can easily automate rejecting the spam, and to discourage the spoofing. This might even be necessary to avoid exposing you to litigation if PHP's actions result in problems for innocent third parties, and if it's not part of PHP's current instructions, it should probably be added.

Have you tried to set the subdomain's DMARC record to NOT produce any reports? It might be fun to see these for a while, but ultimately I wouldn't want them to mess up my real DMARC stats.

(I have honeypots running on several domains and am considering donating MX subdomains, but I haven't done so yet.)
 
 Re: Donated MX domain being spoofed by spammers
Author: K.Lex   (27 May 15 2:57am)
For what it's worth, I'm seeing the exact same thing - DMARC reports have the donated MX address. Reports said SPF and DKIM checks were failing, but I set "v=spf1 -all" as the SPF record just to be explicit.



do not follow this link

Privacy Policy | Terms of Use | About Project Honey Pot | FAQ | Cloudflare Site Protection | Contact Us

Copyright © 2004–17, Unspam Technologies, Inc. All rights reserved.

contact | wiki | email