Domain Compromised - How do I fix it?

03/06/2007 08:58:31 AM · #1

My website got attacked somehow last night.

This morning I found 11 "returned email" notices in my inbox, all sent by email accounts associated to my web domain - incompatibilities@penrodstudios.com, invocate@penrodstudios.com, equalizer@penrodstudios.com, enumerator@penrodstudios.com, reaal@penrodstudios.com, forecome@penrodstudios.com, etc.....

When I check the Domain registration I can only see the 2 email accounts I set up and don't see any of the above.

Is there a way I can block this from happening again? For 75cents / month I can have my domain info (Whois info) kept private - will that help?

Strikeslip

Canon EF 100-400mm f/4.5-5.6L IS

03/06/2007 09:05:09 AM · #2

Way back when I always used my ISP-assigned email address, I got bouncebacks like that every once in a while for email I didn't send. It was because some airhead thought it was her address and she configured the return address as mine in her email client.

eMail isn't usually password-verified on the way out, so people can set up any return address they want. It looks to me like that's what's happening to you, but on purpose. :-(

The airhead using my address fixed up her email client after I replied to some of her friends' emails in EXTREMELY sexually graphic ways. This was only after months of polite notices.

Strikeslip

Canon EF 100-400mm f/4.5-5.6L IS

03/06/2007 09:06:13 AM · #3

I don't know if there's a way to fix it. :-(

ganders

Tamron SP AF 28-75mm f/2.8 XR Di for Canon

03/06/2007 09:20:54 AM · #4

Originally posted by idnic:

Is there a way I can block this from happening again? For 75cents / month I can have my domain info (Whois info) kept private - will that help?

Short answers, no and no.

It's unlikely to have anything to do with your actual website; it's just some spammer and/or virus choosing to use your domain name as a 'from' address. It's just one of those things, I'm afraid.

Telehubbie

Canon EF 24-70mm f/2.8L USM

03/06/2007 09:24:45 AM · #5

As Slippy says, there might not be a way to fix it. But, you could turn off your "catch-all" emails so that you at least don't keep getting the returns from these addresses. A catch-all is a place where misspelled or other email addresses at your domain are sent to you, so if somebody for example sends an email to "Sindy@penrodstudios.com" your catch all would catch it and deliver it to you. Should be in your account settings somewhere.

Message edited by author 2007-03-06 09:29:16.

RainMotorsports

Nikon D60

Nikon AF-S DX Zoom-Nikkor 18-55mm f/3.5-5.6G VR

03/06/2007 09:24:48 AM · #6

Well you should be aware of whats called "white mail" I in the recent past could send email and make it look like its coming from any email address that does or does not exist.

If you were to recieve a white mail its easy to find out where it actually came from by looking at the headers. If your using html type email or Outlook or whatnot the headers maybe hidden and theres an option to look at the headers somewhere.

relent

Nikon D80

Nikon AF Zoom-Nikkor 18-135mm f/3.5- 5.6G ED DX

03/06/2007 09:25:48 AM · #7

its probably a spammer spoofing your domain when sending their junk out. Its very easy to do and nothing your can do to stop it (at least you can't stop the initial spam)

To stop if from appearing in your inbox you could just configure the email to blackhole emails sent to addresses that you havn't previously configured

pineapple

Canon EF 50mm f/1.4 USM

03/06/2007 09:28:18 AM · #8

Originally posted by idnic:

My website got attacked somehow last night.

Not quite true. However, as said, someone is using mail addresses with your domain name attached. I think this is par for the course for anyone with a registered domain. And yes, you would do well to pay 0.75 for privacy on any domain you register.

I think that you will find your mailserver is configured to have a 'catch all' account. In other words, if mail is sent to a non existent mail account at your mail server it will forward that mail to the catch all account. I imagine that your mail server is set up to forward all those unsolicited mails to your personal account. Go into the mail server administration account and create a user such as unsolicited@penrod... .com then configure the system to forward any messages sent to non existent accounts to that address (unsolicited...). You can then check it once a month, if you so feel inclined, and find out if any legit mail has landed there. Sometimes people misspell addresses and their messages will end up there. You can then delete the unsolicited trash.

Is that as clear as mud?

03/06/2007 09:59:51 AM · #9

Thanks for the responses, guys. I set the catch-all to an address that won't fill my inbox. I also signed up for the Domain Privacy option (75 cents/month).

Looking back through the returned emails I see a name on several of them, but the associated email address is my domain on each. Not that I want to track someone down and kick butt, I just don't want my domain used for spamming. :( The emails were all crap like OBENS SELLS MICROSOFT FOR $49...... phuckers!

Telehubbie

Canon EF 24-70mm f/2.8L USM

03/06/2007 10:10:10 AM · #10

Good luck Cindi. But look at the bright side... just think of all the free exposure your site is getting from this. :-)

Gordon

RIM BlackBerry Curve

Canon EF 85mm f/1.8 USM

03/06/2007 10:12:33 AM · #11

Email currently works on an honour system. You contact the mail server and say 'Hi, my name is cindi@penrodstudios.com, please send this mail to ' and the mail server believes you.

Most of the mail servers in the world work that way. There's nothing to stop you contacting the mail server and saying 'Hi, my name is shrub@whitehouse.gov, please send this mail to ' and the mail server still believes you.

Canon EF 28-135mm f/3.5-5.6 IS USM

03/06/2007 10:17:11 AM · #12

LOL Thanks, Marc. The shame is, I worked all day yesterday on a new fresher look & feel for the site. Its not ready for upload yet so all that new traffic is seeing the boring current site! :P

I love shrub@whitehouse.gov! ;)

ClubJuggle

Canon EOS-400D Rebel XTi

03/06/2007 11:00:05 AM · #13

Cindi,

This does not mean your domain was compromised in any way.

Email works much like sending a physical letter, in that there is generally no validation of the return address. This has benefits - for example, you could send an email from a penrodstudios.com email address using your ISP's outgoing mail server. The problem is, much like there's nothing stopping anyone from writing your return address on a physical letter and dropping it in a mailbox, there's no way to stop someone from putting your domain on an email.

If you've had just a few to a few dozen of these, don't worry about it. They are part of life on the Internet. There is always the possibility, though, that someone will start sending mail your domain on a sustained basis. This is very rare, but it did happen to me once, and I started receiving 3,000 to 4,000 bounce messages per day as a result. If this happens, your best option may be to implement Sender Policy Framework (SPF) on your domain. SPF is a method for describing valid email origins for your domain, and alerting recipients that certain messages are likely to be invalid.

~Terry

Sigma 30mm f/1.4 EX DC HSM for Nikon

03/06/2007 11:11:20 AM · #14

Thanks, Terry, good info! I'd freak if I got 3000 emails a day! LOL

ShaneBlake

Nikon D7100

03/06/2007 11:55:18 AM · #15

i get this crap all the time. my host keeps trying to get me to turn off the catch-all, but i use that too much. it's too much fun to give a new email address to everyone, and just let it filter back to my gmail acount.

unfortunately, though, i get lots of "out of office" replies from people who got spam from someone who used "xlakezkagfrak@[my site].com" as the "reply-to" address.

jerks.

soup

Canon EOS-30D

Canon EF 17-40mm f/4.0L USM

03/06/2007 12:10:24 PM · #16

this happened to me recently. domain spoofing. unfortunatly there isn't much you can do unless you want to spend a great deal of effort trying to track down the originator of the spoof. it is a federal crime - but difficult to enforce.

if you're just getting a 100 or so a day - after a short spell the spoofer will likely move on to another server.

to block the bounced emails from getting to you. if that's what you want. your mail server likely has a 'catchall' filter that is tied to the domain oweners mailbox. this forwards invalid addressed maessages to the doamins admin. you can temporarily turn this off and the bounced messages will get deleted by the server instead of being forwarded to you.

soup

Canon EOS-30D

Canon EF 17-40mm f/4.0L USM

03/06/2007 12:12:01 PM · #17

it's likely that none of the messages are actually being delivered to anyone - as they are just randomaly filling the xxxx@domain.com in hopes that some will get through. that is only likely on a server with a lot of email accounts. so you probably don't have to worry about 'bad press'.

chimericvisions

Canon EF 24-70mm f/2.8L II

03/06/2007 12:56:01 PM · #18

Originally posted by ClubJuggle:

SPF is what I was going to suggest. The problem with it is that unless your name service offers an easy way to set it up, it can be quite daunting (and very easy to get wrong)...

hankk

Sigma 24-70mm f/2.8 EX Aspherical DF for Canon

03/07/2007 11:16:47 AM · #19

You should also implement some sort of spam filter. I use popfile, after a couple of weeks of training, it works quite well.

TCGuru

Canon EF 28-135mm f/3.5-5.6 IS USM

03/08/2007 10:47:09 AM · #20

The most important thing to do is let your hosting service know you are not sending the e-mails and DO NOT open any of them.

Letting your hosting service know that you aren't doing it prevents your ISP from being shut down due to the "can spam" act of the 80's.

Opening one will let the spammer know that it is an active, watched e-mail address/inbox and the spam will only increase. Also, do NOT report the messages as spam, they can see that too :)

I only know this because it started happening to me about a month ago and when I contacted my hosting service, they gave me the same warnings. I also market through e-mail (not off MY service) and that is how I know they can see if you opened it or reported it as spam. :)

Good Luck!