No rest for weary security manager

17.01.2006
Over the holidays, our state agency was very quiet, and I took a vacation, hoping for rest and tranquility. But I found that I had my own security issues to deal with.

I was surprised to find that one of my personal e-mail accounts was accumulating over 600 bounced messages per day. This account has been associated with my consulting business for years. I was somewhat alarmed to find out that my domain was being used by a spammer and that my "catch-all" e-mail account was accumulating the bounced messages. (If I hadn't created a catch-all account, I would never have known this was occurring.)

I thought that perhaps my domain had been hijacked and was being used for malicious purposes. I quickly visited my personal Web site; everything looked fine.

I opened several of the bounced messages and inspected the headers. The spammer had used a fictitious e-mail address for my domain in the "Reply To" field (for example, horror@mydomain.com). Some messages had the original message intact, so I could tell that the spam was annoying but not pornographic or a phishing scam. I was grateful for that much. Most of the messages were of the "News Alert!" genre, with "advice" about purchasing a particular type of stock.

I wanted to better understand and resolve these issues:

-- What is domain hijacking?

-- How could my domain e-mail be used by spammers?

-- How can I prevent this?

-- Is my domain now blacklisted, and what can I do to "unlist" it?

Domain hijacking usually occurs when someone forgets to renew his domain registration, which then becomes available for purchase. Someone else buys it and begins to use it for a new Web site. Though this isn't illegal, imagine waking up one day to find that your Web site is no longer yours and is filled with undesirable content. Setting up automatic renewal with the registrar for your domain can prevent this from happening.

Domain theft is more serious and involves forging a domain registrant's credentials to make changes to the DNS settings, taking control of the domain. In July 2005, the Internet Corporation for Assigned Names and Numbers issued a report titled "Domain Name Hijacking: Incidents, Threats, Risks, and Remedial Actions." It describes actual incidents and makes recommendations to prevent similar ones. Taking a cue from the report, I checked with my registrar and found that my personal information, such as my home address, was listed. I then changed my profile to make my personal information private. There's a small fee for this, but it's well worth it.

Unwilling accomplice

The next step was to find out how my domain e-mail could be used by disreputable spammers. What was actually happening was that my domain e-mail was being spoofed. The CERT Coordination Center at Carnegie Mellon University has this to say about how this occurs: "E-mail spoofing may occur in different forms, but all have a similar result: A user receives e-mail that appears to have originated from one source when it actually was sent from another source. E-mail spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords)."

We've all seen e-mails claiming that we must change our eBay or PayPal account information. Most people now know better than to supply any confidential information via e-mail, and most spam filters now plunk these messages into a bulk or spam folder.

Is there any way to prevent spammers from using my domain name in the "Reply To" field? No. Here's why. The Simple Mail Transfer Protocol doesn't require any authentication, nor does it validate e-mail addresses. It just sends and receives mail if the e-mail addresses are in the right format. There are many things that site administrators can do to protect their mail servers, and some of this information is available in the CERT document. However, in my situation, my domain hosting is outsourced to a company that hosts thousands of domains. I learned from my ISP that associating my e-mail address with the catch-all account made my domain a likely target for spammers, so I changed the settings to bounce messages not addressed to valid domain accounts I owned. The bounces would inform the victims that it was not my domain that was spamming them.
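The header inspection described earlier and the catch-all decision above can be turned into a small triage script. This is an added example, not code from the column; the domain name, the list of real mailboxes and the bounce message are constructed assumptions. It walks each bounce (DSN), pulls out every address on the owned domain that the spammer forged, and separates fabricated mailboxes (the ones a catch-all silently accepts) from real ones.

```python
import re
from collections import Counter
from email import message_from_string
from email.policy import default

MY_DOMAIN = "mydomain.com"         # assumption: the column's (undisclosed) domain
VALID_MAILBOXES = {"cj", "info"}   # assumption: the only real accounts on it
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")

# Constructed bounce of the kind a catch-all collects; the forged sender is a
# mailbox that does not exist on our domain. Not real mail.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@isp.example
To: horror@mydomain.com
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/rfc822

From: "News Alert!" <horror@mydomain.com>
Reply-To: horror@mydomain.com
To: victim@example.net

Buy now.
--B1--
"""

def addresses_in(value):
    """All e-mail addresses in a header value (None when the header is absent)."""
    return ADDR_RE.findall(str(value or ""))

def forged_addresses(raw_bounce):
    """Addresses on MY_DOMAIN that a bounce attributes to us: the bounce's own
    recipient plus From/Reply-To of the original message attached to it."""
    dsn = message_from_string(raw_bounce, policy=default)
    candidates = addresses_in(dsn["To"])
    for part in dsn.walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload()[0]      # the attached spam itself
            for header in ("From", "Reply-To"):
                candidates += addresses_in(original[header])
    return {a.lower() for a in candidates if a.lower().endswith("@" + MY_DOMAIN)}

def triage(bounces):
    """Tally forged local parts over a batch and flag the ones that do not exist."""
    seen = Counter()
    for raw in bounces:
        for addr in forged_addresses(raw):
            seen[addr.split("@")[0]] += 1
    return {"counts": dict(seen),
            "fabricated": sorted(lp for lp in seen if lp not in VALID_MAILBOXES)}
```

Feeding a day's worth of catch-all bounces to `triage` shows which fabricated local parts are being forged; with the catch-all replaced by rejection of unknown recipients, those bounces never reach the mailbox at all.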

The last question that I needed answered was whether my domain is now blacklisted because it's been used for spamming. I tried several Web sites to determine whether my domain had been blacklisted (I did a Google search on "domain blacklist"). All was well. Fortunately for people who have outsourced their domain and e-mail services, the hosting provider is generally diligent about making sure the IP address of the mail server isn't blacklisted, since that can have a negative effect on thousands of customers. The result of being blacklisted is that e-mail sent from your domain is tagged by e-mail servers or spam gateways as unwanted and generally gets dumped into the bit bucket instead of being delivered to your intended recipient. Basically, e-mail from your domain is blocked all over the Internet. This can be quite serious for a government entity or company.

Thankfully, the problem is solved. But the very idea that someone could use my domain to spam thousands of people horrified me. The entire incident reminded me to thank our e-mail administrators for their diligence in preventing agency personnel from being spammed to death.

What do you think?

This week's journal is written by a real security manager, "C.J. Kelly," whose name and employer have been disguised for obvious reasons. Contact her at mscjkelly@yahoo.com, or join the discussion in our forum: computerworld.com/forums

-- To find a complete archive of our Security Manager's Journals, go online to computerworld.com/secjournal