Previous INDEX Next
Working through a Microsoft Proxy Server Building man pages with Docbook

Hi-jack! Take this domain name to Spain...

A while ago, I noticed that the mail log showed I was getting a number of emails for non-existent users on my domain; it was easy to spot as I'm the only legitimate user. Was this some spammer's error, setting the wrong name on a spam destined for me?

The default setup of sendmail rejects mail for unknown users, so I thought I'd turn this off for a while and see what the mails were. This requires a line like this in the .mc file:

  define(`LUSER_RELAY', `local:user_name')dnl

which ensures that all undeliverable mail is directed to my mail box (name changed to protect the guilty).

After about 30 minutes I had a number of emails. Bugger, this was bad; these mails were various bounce and reject messages for spam reputedly being sent from my domain! Had somebody hacked into my system and used it as a spam bot?

Closer inspection of the messages revealed this was not the case. A spammer was forging the From field so that the spam was apparently coming from my domain, but it was actually being sent out from a compromised machine somewhere else. Here's an example:

  Return-Path: <>
  Received: from ( [])
        by (8.13.8/8.13.1/WPZ 0.26) with ESMTP id
        for <>; Wed, 29 Aug 2007 14:45:43 +0300
  Received: from (unknown
        []) by (Postfix) with ESMTP id 2D0AB497E4
        for <>; Wed, 29 Aug 2007 14:45:41 +0300 (EEST)
  Received: by with SMTP id asUHgtmaDtGRh;
        Wed, 29 Aug 2007 13:56:12 +0200 (GMT)
  Received: by with SMTP id YGMKBdtvTtDUVY.2838840098907;
        Wed, 29 Aug 2007 13:56:10 +0200 (GMT)
  Message-ID: <000e01c7ea33$958f59e0$4483eb57@nono>
  From: "Earle Loness" <>
  To: <>
  Subject: uncrumpl
  Date: Wed, 29 Aug 2007 13:56:07 +0200

In all the emails, the machine appeared as an MTA. I figured this machine was the spam bot.

What could I do? People would think I was responsible for this rash of spam. It turns out there's not much you can do, but I did them both.

First, I subscribed to the Sender Policy Framework. Anyone who uses this framework (e.g. gmail) can determine that mail purportedly from which did not originate from my ISPs mailers is not legitimate. SPF involves defining a TXT record on the DNS records for the domain, in a specific format, indicating which machines are legitimate sources for the domain's mail. E.g.:

  v=spf1 ~all

The only other defence I had was to write to No response, so I tried the contact names from whois. Still no response. Ah well, no surprise there.

Since the first wave, there was another, this time originating from I also wrote to, and this time did receive a reply; canned, but nevertheless a reply. Will it do any good? Who knows...

Previous INDEX Next
Working through a Microsoft Proxy Server Building man pages with Docbook