Hi Clare,
#1) All email, just like postal mail, can be made to "look like" it came
from someplace that it did not actually originate from. Spammers take
advantage of this to the nth degree. If I wanted to make this message
look like it came from some hotmail.com address instead of my own, there
would be little effort involved. I have no statistical proof, but just
thumb nailing, I would estimate 90%+ of the spam I receive is not from
the address or even the domain that appears in the "From:" address of
that spam.
#2) Many MTAs are configured to accept mail before attempting to decide
if that mail is for a valid user, let alone Unwanted Bulk Email or virus
laden. I make a differentiation between Unwanted and Unsolicited. MTAs
that do accept email before checking, then have to bounce invalid mail
to the Return-Path or From address. Forged header information with your
domain means these bounces come to you or your domain's MTA.
#3) I do not know of any way to prevent spammers from falsifying header
information, but if everyone were to configure their MTA to check before
accepting invalid mail, block relaying while they are at it, and adopt the
SPF (Sender Policy Framework formerly known as Sender Permitted From) the
world would be a better place. SPF helps prevent forgeries. You can help
others that have adopted SPF by adding SPF entries to your domain's DNS.
Going back to point #1, if this message were from hotmail, but did not
come from a hotmail MTA (or one defined as SPF allowed in DNS), you could
reject it. Anyone receiving mail claiming to be from you or your domain
without coming from your SPF allowed address(es) could choose to reject
that mail.
To summarize, mail was attempted to be sent by someone (maybe by a
spammer) claiming to be majordomo-owner at your domain with an IP
address of 67.15.98.3 to teehead1 at their domain through an MTA that
was configured to block relaying. Specifically, relaying was denied
from the IP address, and not the email address, but because the MTA
had already accepted the message, the bounce was returned to the only
address that MTA could find.
In answer to your question, is there anything you can do about it?
Use SPF to advertise which machines legitimate mail from your domain
is allowed to traverse. Make sure your MTA is secure, and does not
allow relaying. Tighten down your majordomo list's config files to
only allow subscribers to send messages, and confirm the addresses of
subscribers before adding them to your lists. Make sure the aliases
for your majordomo lists or otherwise, are not exploited.
An ISP is not likely to ban your messages unless they have strong
evidence you are a cause of their problems. On the other hand, they
could also ban your messages simply because you do not have a static
IP or reverse DNS. Either way, I would not lose sleep over it.
Some things we can change, some things we can't. We just have to be
smart enough to tell the difference, and willing to take action when
something can be changed.
Dan Liston
Clare Redstone wrote:
> Can anyone answer this for me as I've had another couple of messages like
> it. I don't know if this is a sign of a significant problem or not so would
> be grateful for advice.
>
> Thank you
>
> Clare
> -----Original Message-----
> From: Clare Redstone
> Sent: 26 April 2006 23:48
> To: Majordomo users
> Subject: A returned mail message
>
> I've just received the following message and had another like it recently.
> There was an attachment too - which wasn't a message I sent. (I deleted it
> without reading in case virus.) I don't recognise the address below.
>
> Does this mean someone is sending sp @ m made to look as if it's coming from
> our list? I'm concerned that ISPs may begin to ban messages from our domain
> if it's apparently sending sp@m messages.
>
> Is there anything I can do about it?
>
> Thanks
>
> Clare
>
> -----Original Message-----
> From: Mail Delivery Subsystem [mailto:MAILER-DAEMON@hphl.org.uk]
> Sent: 26 April 2006 13:11
> To: Majordomo-Owner@hphl.org.uk
> Subject: [-SPAM-] Returned mail: see transcript for details
>
> The original message was received at Wed, 26 Apr 2006 13:10:32 +0100
> from root@localhost
>
> ----- The following addresses had permanent fatal errors -----
> teehead1@pythonian.com(reason: 553 sorry, relaying denied from your location
> [67.15.98.3] (#5.7.1))
>
> ----- Transcript of session follows -----
> ... while talking to mailstore1.secureserver.net.:
>
> >>> DATA
>
> <<< 553 sorry, relaying denied from your location [67.15.98.3] (#5.7.1)
> 550 5.1.1 teehead1@pythonian.com... User unknown
> <<< 503 RCPT first (#5.5.1)
>
>
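The two mechanisms Dan describes, an SPF record in DNS that lists the hosts allowed to send for a domain, and an MTA that evaluates the connecting IP and the recipient before accepting a message rather than bouncing afterwards, can be shown in a small evaluator. This is an added example, not code from the thread or from Majordomo; the DNS zone is a constructed in-memory table, the domains `example.org`, `_spf.mailhost.example` and `nospf.example` are placeholders, and only the `ip4`, `ip6`, `include` and `all` mechanisms are implemented (the `a`, `mx`, `ptr` and `exists` mechanisms of RFC 7208 are skipped).

```python
import ipaddress

# Constructed DNS zone: domain -> SPF TXT record. These are sample values for the
# example only, not real records.
FAKE_DNS_TXT = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 "
                   "include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.25 ~all",
}

# SPF qualifier prefix -> result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the list of SPF terms for a domain, or None if it publishes none."""
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return None
    return record.split()[1:]


def check_spf(client_ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate the connecting IP against the domain's SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4, ip6, include and all are handled; other mechanisms are skipped.
    """
    if depth > 10:                      # guard against include: loops
        return "permerror"
    terms = lookup_spf(domain, dns)
    if terms is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if ":" not in term and "=" in term:
            continue                    # modifier (redirect=, exp=), not a mechanism
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"      # malformed address or prefix in the record
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include: matches only if the included domain yields "pass".
            inner = check_spf(client_ip, arg, dns, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            continue                    # a, mx, ptr, exists: not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched and no "all" term


def rcpt_decision(client_ip, mail_from_domain, rcpt_local_part, local_users,
                  dns=FAKE_DNS_TXT):
    """SMTP reply to give at RCPT TO time, before the message body is accepted.

    Deciding here means a forged sender never produces a bounce to the forged
    address: the sending host gets the 5xx directly and nothing is queued.
    """
    if check_spf(client_ip, mail_from_domain, dns) == "fail":
        return "550 5.7.1 Sender domain does not authorize this host (SPF fail)"
    if rcpt_local_part.lower() not in local_users:
        return "550 5.1.1 User unknown"
    return "250 2.1.5 Recipient OK"


if __name__ == "__main__":
    # The IP from the bounce in the thread, claiming to be example.org.
    print(check_spf("67.15.98.3", "example.org"))                       # fail
    print(rcpt_decision("67.15.98.3", "example.org", "owner", {"owner"}))
```

With `-all` at the end of the record, any host not listed gets `fail` and the example MTA refuses the recipient outright, so the message described in Clare's bounce would have been rejected at RCPT time rather than accepted and bounced to majordomo-owner. Changing the trailing term to `~all` (as in the included record) turns unknown hosts into `softfail`, which this policy does not reject; that is the usual choice while a domain is still discovering all of its legitimate senders.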