TidBITS Talk
Take Control of Your Domain Names
Alexander Hoffman (apparently) - 04:36pm Dec 13, 2006 PST via email
I have my own domain that I use for a permanent email address (see above).
It seems that some spammer(s) have, of late, decided that they like
it, too. They are sending out their processed meat food as though it
is from my domain. As I don't have a mail server, this is not that
kind of issue. Rather, they are saying the email is from
mgbe  aledev.com, or ovptiu  aledev.com, or some other random string of
characters  aledev.com.
That leaves me to get a whole mess of undeliverable bounces back to
MY email inbox, and also notifications that "my" email has been
blocked as spam.
There's nothing that I can do about this, this defamation of my
domain name's reputation, right?
The other problem is that I really would like to know when email that
I have actually sent bounces. And still would like to see all the
misaddressed email messages that are intentionally sent to me or my
domain. I just want this bounced spam to disappear.
Nothing I can do, right?
--
=Alex Hoffman
Leadership Policy & Politics
Teachers College, Columbia University

Adam Engst - Dec 14, 2006 3:18 pm (#7 Total: 26) - Posts: 7822
Re: Take Control of Your Domain Names
At 3:36 PM -0800 12/13/06, Alexander Hoffman wrote:
>I have my own domain that I use for a permanent email address (see above).
>
>It seems that some spammer(s) have, of late, decided that they like
>it, too. They are sending out their processed meat food as though it
>is from my domain. As I don't have a mail server, this is not that
>kind of issue. Rather, they are saying the email is from
>mgbe  aledev.com, or ovptiu  aledev.com, or some other random string of
>characters  aledev.com.
That sucks and is one of the problems with having your own domain name.
>That leaves me to get a whole mess of undeliverable bounces back to
>MY email inbox, and also notifications that "my" email has been
>blocked as spam.
>
>There's nothing that I can do about this, this defamation of my
>domain name's reputation, right?
Not much, no.
http://en.wikipedia.org/wiki/Backscatter#Backscatter_of_email_spam
http://en.wikipedia.org/wiki/Joe_job
It might be possible to configure the mail server hosting your domain
to toss bounce messages back to non-existent addresses, rather than
forwarding them to you. If they're being sent back to
postmaster  aledev.com, that could be trickier.
Or it might be possible to filter legitimate bounces at the client
level; you'd still have to receive all the rest, but wouldn't have to
see them.
>The other problem is that I really would like to know when email that
>I have actually sent bounces. And still would like to see all the
>misaddressed email messages that are intentionally sent to me or my
>domain. I just want this bounced spam to disappear.
If it were possible to ignore messages aimed at non-existent
addresses, real bounces back to your account wouldn't be included.
cheers... -Adam

kevinv (apparently) - Dec 14, 2006 4:06 pm (#8 Total: 26) - Posts: 1344
Re: Take Control of Your Domain Names
Quoting Alexander Hoffman <ahoffman  AleDev.com>:
> There's nothing that I can do about this, this defamation of my
> domain name's reputation, right?
Not really, although there are a couple of plans in place to help with
this but neither really seems to be gaining traction on receiving sides.
SPF or Sender Policy Framework allows you to define a DNS TXT record
that identifies which machines are allowed to send mail from your
domain. When a message is received the receiving server checks the
record and then checks to see if the server it received the mail from
is allowed. If not it rejects it.
There is a wizard that helps set up the contents of the TXT record here:
http://old.openspf.org/wizard.html
The hard part may be in getting the TXT record into your DNS. EasyDNS
allows this through their interface, but for the other registrar/DNS
service I use Active-Domain.com you have to go through tech support to
get it added. And then if you modify your DNS record after the TXT
record has been set up, it screws up the TXT entry.
Another plan being floated around is Microsoft's Sender ID Framework,
but this seems to be the same as SPF now.
< http://www.microsoft.com/mscorp/safety/technologies/senderid/overview.mspx>
And the other plan I'm aware of, DomainKeys, is used on outbound mail
by both Yahoo! and Google. DomainKeys adds a digital signature to each
message using a private key from the domain owner. The public key
is stored in a DNS record. When the message is received the signature is
verified using the key from DNS.
< http://antispam.yahoo.com/domainkeys>

Glenn Fleishman (apparently) - Dec 14, 2006 4:06 pm (#9 Total: 26) - Posts: 3845
Re: Take Control of Your Domain Names
Adam C. Engst <ace  tidbits.com> on 12/14/06 at 8:42 AM wrote:
>Or it might be possible to filter legitimate bounces at the client
>level; you'd still have to receive all the rest, but wouldn't have to
>see them.
If you have a "catchall" address set, that could be the problem. That means that all bounces to fake addresses get forwarded. Catchall addresses are thus problematic. I have my domains set to receive email for certain addresses and bounce the rest as "no such user" or even "faked return address."
--
Glenn Fleishman
seattle . washington
unsolicited pundit . glennf.com
columnist . seattletimes.com/practicalmac
daily wireless networking news . wifinetnews.com
this email is intended to be private unless otherwise noted
email you send to me is considered private unless you tell me otherwise

aaffleck (apparently) - Dec 14, 2006 4:06 pm (#10 Total: 26) - Posts: 8
Re: Take Control of Your Domain Names

JolinWarren (apparently) - Dec 14, 2006 4:06 pm (#11 Total: 26) - Posts: 150
Re: Take Control of Your Domain Names
At 15:36 on 13-12-2006, Alexander Hoffman wrote:
> The other problem is that I really would like to know when email that
> I have actually sent bounces. And still would like to see all the
> misaddressed email messages that are intentionally sent to me or my
> domain. I just want this bounced spam to disappear.
I have the same issue, and would be very interested in a solution.
For the moment I've turned off the catch-all setting (so I don't get
any misaddressed email messages) as the spam bounces were just too
much. But I would love to be able to re-enable catch-all for the
postmaster account.
In general, I find it disappointing that email is still languishing
in the 1970s. I'm sure there will always be spam, but a lot of this
could be eliminated by a cooperative effort of technology companies
to come up with a way to verify each email's sender (without any
ulterior motives on the part of anyone). The various plans by
individual companies don't seem to have made any serious headway.
What we need is a neutral organisation to come up with a well thought
out plan which everyone can sign up to. Sure it will take some time
for the internet's infrastructure to be updated, but at least we
could get started with making email more fit for purpose.
_________________
=> Jolin

Lewis Butler (apparently) - Dec 14, 2006 4:06 pm (#12 Total: 26) - Posts: 989
Re: Take Control of Your Domain Names
On 14-Dec-2006, at 15:18, Jeffrey McPheeters wrote:
> In other words, mail sent to a bogus
> address will be bounced by the mail server automatically to the from
> address, without any human intervention.
Not on most properly configured mailservers, which should REJECT the
email when it is attempted to be sent to a non-existent address, or
REJECT it during the SMTP transaction based on spam filtering.
Spam filtering after you accept the message is fine, but BOUNCING
that filtered email based on the FROM or From: headers is simply
irresponsible, and worthy of complaining about it.

Lewis Butler (apparently) - Dec 14, 2006 4:06 pm (#13 Total: 26) - Posts: 989
Re: Take Control of Your Domain Names
On 14-Dec-2006, at 15:18, D I wrote:
> We've advertised the email address associated with our domain names
> (for business and personal use) so much that we can't give them up
> right now. So I'm in the process right now of researching and
> installing a Challenge/Response application, which is how I
> stumbled/Googled across TidBITS and your comment.
So, what you are doing is setting up a system whereby you
automatically generate even MORE spam to forged from addresses,
passing off your spam problems to some other innocent party? That
will get you blacklisted on a lot of mailservers, including mine.
Challenge-Response is pure unadulterated evil. Don't do it.
Imagine, if you will, someone sends you several hundred spams, all
using forged email addresses at my domains. You sent a challenge
response to each of those, thus hammering my server with emails to
'verify' your spam. I will blacklist you so fast you'll never know
what hit you, and you will be on a blacklist I last removed an entry
from in 1995.
> I've read many criticisms of Challenge/Response systems, but there
> really isn't any other good solution to block the volumes of junk
> email and bouncebacks from spoof emails.
You're not blocking, you are passing your spam problem on to someone
else, and in the process becoming a spammer yourself.
SpamAssassin works very well if you want to tag spam, and you can
even run it with your MTA software so that spam messages are rejected
right off, without bouncing or even deleting incoming mail.

Conrad Hirano (apparently) - Dec 14, 2006 8:21 pm (#14 Total: 26) - Posts: 66
Re: Take Control of Your Domain Names
On Dec 14, 2006, at 2:18 PM, Adam C. Engst wrote:
> It might be possible to configure the mail server hosting your domain
> to toss bounce messages back to non-existent addresses, rather than
> forwarding them to you.
FastMail, for instance, offers a backscatter filter to address
precisely this problem. If your e-mail host doesn't provide such a
filter, you might consider switching to one that does.

jwblist (apparently) - Dec 14, 2006 8:21 pm (#15 Total: 26) - Posts: 768
Re: Take Control of Your Domain Names
On Dec 14, 2006, at 3:06 PM, Jolin M Warren wrote:
> Sure it will take some time
> for the internet's infrastructure to be updated, but at least we
> could get started with making email more fit for purpose.
Roughly two decades for the update, *after* agreement.
Getting Exchange2000, which does not know how to reject invalid
addresses at SMTP time--but must accept and bounce--off the network
will help. That alone will be about a decade from now. (Not to
mention earlier Exchange versions.)
A good portion of the "blowback" bounces into domain catchall
addresses come from old Exchange installations.
And I still fear Network Neutrality--worded as "any source to any
destination" would seem to allow those who adhere to the well-named
CAN-SPAM act to demand not to be blocked at the server level,
doubling or tripling many recipients' unwanted mail load.
--John

Lewis Butler (apparently) - Dec 14, 2006 8:21 pm (#16 Total: 26) - Posts: 989
Re: Take Control of Your Domain Names
On 14-Dec-2006, at 16:06, Andy J. W. Affleck wrote:
> I have my own domain (raggedcastle.com < http://raggedcastle.com>)
> set so that mail from the few valid addresses goes to specific
> mailboxes
This is good.
> and mail to anythingelseatall  raggedcastle.com < http://raggedcastle.com>
> goes to the bit bucket.
This is BAD. If someone means to send mail to
"andy  raggedcastle.com" and they accidentally type
"adny  raggedcastle.com" they should get a BOUNCE.
Deleting the email gives the appearance that it was delivered.

Lewis Butler (apparently) - Dec 14, 2006 8:21 pm (#17 Total: 26) - Posts: 989
Re: Take Control of Your Domain Names
On 14-Dec-2006, at 16:06, Jolin M Warren wrote:
> a lot of this could be eliminated by a cooperative effort of
> technology companies to come up with a way to verify each email's
> sender
This is trivial, although it will screw a lot of people. Until
someone comes up with a solution that allows me to send mail from
"myuser  mycompany.tld" when I am 1) at my company 2) at home 3) on
the road in Marrakech then any solution is going to be grossly
inconvenient for me. More inconvenient than the minuscule amount of
spam that gets through my Bayes and SpamAssassin filtering. 99% of my
spam comes to my one 'unprotected' email account which gets and saves
all the email sent to it, regardless of spam score or greylist
status. The only thing it bounces is stuff in the zen.spamhaus.org
blocklist.
> (without any ulterior motives on the part of anyone)
Aye, well, there's the rub.
> The various plans by individual companies
The solution will have to come from the open source community, not
from a company. The companies all have ulterior motives, and even if
they don't, no one trusts them to not.

Chris Pepper (apparently) - Dec 15, 2006 11:00 am (#18 Total: 26) - Posts: 841
Re: Take Control of Your Domain Names
At 7:21 PM -0800 2006/12/14, Google Kreme wrote:
>On 14-Dec-2006, at 16:06, Jolin M Warren wrote:
>>a lot of this could be eliminated by a cooperative effort of
>>technology companies to come up with a way to verify each email's
>>sender
>
>This is trivial, although it will screw a lot of people. Until
>someone comes up with a solution that allows me to send mail from
>"myuser  mycompany.tld" when I am 1) at my company 2) at home 3) on
>the road in Marrakech then any solution is going to be grossly
>inconvenient for me. More inconvenient than the minuscule amount of
>spam that gets through my Bayes and SpamAssassin filtering. 99% of my
>spam comes to my one 'unprotected' email account which gets and saves
>all the email sent to it, regardless of spam score or greylist
>status. The only thing it bounces is stuff in the zen.spamhaus.org
>blocklist.
Why don't you just use port 587 w/ STARTTLS on your primary
SMTP server? That should be reachable from just about anywhere; and
webmail can cover when it isn't because you're roaming on an evil,
anti-social, and stupid ISP.
--
Chris Pepper: < http://www.reppep.com/~pepper/>
< http://www.extrapepperoni.com/>
Rockefeller University: < http://www.rockefeller.edu/>

jwblist (apparently) - Dec 15, 2006 11:00 am (#19 Total: 26) - Posts: 768
Re: Take Control of Your Domain Names
On Dec 14, 2006, at 3:06 PM, kevin  vanhaaren.net wrote:
> Another plan being floated around is Microsoft's Sender ID Framework,
> but this seems to be the same as SPF now.
> < http://www.microsoft.com/mscorp/safety/technologies/senderid/overview.mspx>
SPF didn't take off in part because it is broken for the forwarding
case in which the return path remains unaltered. (There are schemes
which do alter the return path so that the intermediate relay
machine's computed return path contains what they need to send
bounces on back to senders in the domain, but allows them to use
THEIR SPF records.) SRS is the one I know. Here's a sample of SRS
as done by pobox.com (I've adjusted my address as buried in the
return path):
Return-path: <SRS0=ucf7=FZ=scandaroon.com=invalid@bounce2.pobox.com>
Reference for SPF: < http://www.openspf.org/>
SenderID is similar, and doesn't fail in the face of forwarding, but
went nowhere--at least until recently--for two reasons.
1. Microsoft insisted on patenting the thing and requiring
Microsoft-like licenses to use it. That caused the standards process
to break down
2. SenderID requires that the whole of the offered message be
read over the connection by the receiving machine (SPF can be dealt
with from only the envelope).
Microsoft has now placed the SenderID patents under their "use it,
and we'll never sue" program. That MIGHT restart the standards
effort (although that ended in a pretty poisoned state, so it might
not).
> And the other plan I'm aware of, DomainKeys, is used on outbound mail
> by both Yahoo! and Google. DomainKeys adds a digital signature to each
> message using a private key from the domain owner. The public key
> is stored in a DNS record. When the message is received the signature is
> verified using the key from DNS.
DomainKeys also suffers from the need to read the whole message from
the wire, plus requiring rewrites of many mailing list software
packages (including Mailman). I suspect that DomainKeys is described
somewhere on
At the moment, we publish SPF in its informational form, and we use
it backwards--for domains we trust which publish SPF, failing SPF
adds a small positive spam score--not too much or the broken forwards
are trapped.
A major problem with both DomainKeys and SPF in terms of blocking
spam from spammer domains (as opposed to forged spam from zombie
machines) is that such domains are the most likely to use DomainKeys
(except for Yahoo! and Google) and/or publish SPF (except for
pobox.com, where SPF was born). That's why we only pay attention for
domains we trust that publish SPF.
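
The SPF check described earlier in the thread and the forwarding breakage and SRS rewrite described in this post, as an added Python example (not code from any poster or from an SPF/SRS library). It handles only the ip4/ip6/all mechanisms; the SRS hash and day stamp are a simplified illustration; all domains, addresses, the key and the day value are constructed, except the SRS0 sample address quoted above, which the test parses.

```python
import base64
import hashlib
import hmac
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def spf_check(record, client_ip):
    """Evaluate only the ip4/ip6/all mechanisms of an SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            return RESULTS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            return "permerror"  # include/a/mx/redirect are outside this sketch
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return RESULTS[qualifier]
    return "neutral"

def check_envelope(mail_from, client_ip, dns):
    """SPF is checked against the envelope sender's domain, not the From: header."""
    domain = mail_from.rpartition("@")[2].lower()
    return spf_check(dns.get(domain, ""), client_ip)

def srs_forward(return_path, forwarder, secret, day):
    """Rewrite a return path SRS0-style so it belongs to the forwarder's domain."""
    local, _, domain = return_path.rpartition("@")
    tt = B32[(day >> 5) & 31] + B32[day & 31]  # 10-bit day stamp, base32
    mac = hmac.new(secret, f"{tt}{domain}{local}".lower().encode(), hashlib.sha1)
    hhh = base64.b64encode(mac.digest()).decode()[:4]  # truncated keyed hash
    return f"SRS0={hhh}={tt}={domain}={local}@{forwarder}"

def srs_parse(address):
    """Split an SRS0 address into (hash, stamp, orig_domain, orig_local, forwarder)."""
    local_part, _, forwarder = address.rpartition("@")
    tag, hhh, tt, domain, local = local_part.split("=", 4)
    if tag.upper() != "SRS0":
        raise ValueError("not an SRS0 address")
    return hhh, tt, domain, local, forwarder

# Constructed sample data: reserved documentation domains and address ranges.
DNS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.25 -all",
    "permissive.example": "v=spf1 +all",
}

def scenarios():
    fwd_ip = "198.51.100.25"
    srs = srs_forward("alice@sender.example", "forwarder.example", b"constructed-key", 13496)
    return {
        "direct": check_envelope("alice@sender.example", "192.0.2.10", DNS),
        "forged_from_zombie": check_envelope("mgbe@sender.example", "203.0.113.77", DNS),
        "forwarded_unchanged": check_envelope("alice@sender.example", fwd_ip, DNS),
        "forwarded_with_srs": check_envelope(srs, fwd_ip, DNS),
        "plus_all_from_zombie": check_envelope("x@permissive.example", "203.0.113.77", DNS),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22} {result}")
```

The unchanged forward fails because the forwarder's IP is checked against the original sender's record; after the rewrite the return path is in the forwarder's own domain, so its own record applies. The record ending in `+all` passes mail from any host.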

dr (apparently) - Dec 16, 2006 1:31 pm (#20 Total: 26) - Posts: 471
Re: Take Control of Your Domain Names
Chris Pepper wrote:
> Why don't you just use port 587 w/ STARTTLS on your primary
> SMTP server? That should be reachable from just about anywhere; and
> webmail can cover when it isn't because you're roaming on an evil,
> anti-social, and stupid ISP.
>
Because when he's in Marrakech it can be very hard to maintain a solid
connection back to his Main Street USA ISP. And forget web mail when
you're on a dial up connection in the "stans" that's getting 10kbps on a
good day.

dr (apparently) - Dec 16, 2006 1:31 pm (#21 Total: 26) - Posts: 471
Re: Take Control of Your Domain Names
johnbaxterlists  mac.com wrote:
> A major problem with both DomainKeys and SPF in terms of blocking
> spam from spammer domains (as opposed to forged spam from zombie
> machines) is that such domains are the most likely to use DomainKeys
> (except for Yahoo! and Google) and/or publish SPF (except for
> pobox.com, where SPF was born). That's why we only pay attention for
> domains we trust that publish SPF.
And the big problem with all of this is that they are totally geared
towards what Microsoft, Yahoo, AOL/TWC, etc.... think of as the small to
medium business market and up. (SMB) Everyone else is assumed to
outsource their email. Of course all of these guys define SMB as
starting with 200 to 500 employees. I guess those of us working with
smaller firms in the under 50 employee range are a part of the TWBM or
Tinnee Wiennee Business Market and don't count.
There are more problems with these various "solutions" that are killers
for those of us in the TWBM. Such as with SPF many of us have to choose
between not using it at all or publishing records which say "all"
domains can send from us.
As the other poster mentioned, change will be a long time coming.

Lewis Butler (apparently) - Dec 16, 2006 1:31 pm (#22 Total: 26) - Posts: 989
Re: Take Control of Your Domain Names
On 15-Dec-2006, at 11:00, Chris Pepper wrote:
> At 7:21 PM -0800 2006/12/14, Google Kreme wrote:
>> On 14-Dec-2006, at 16:06, Jolin M Warren wrote:
>>> a lot of this could be eliminated by a cooperative effort of
>>> technology companies to come up with a way to verify each email's
>>> sender
>>
>> Until someone comes up with a solution that allows me to send mail
>> from "myuser  mycompany.tld" when I am 1) at my company 2) at home
>> 3) on the road in Marrakech
>
> Why don't you just use port 587 w/ STARTTLS on your primary
> SMTP server?
Oh, I can. But the 'me' in there was not really ME, but 'a user'.
Also, the use of port 587 is a workaround, not a solution.

lifelonglearner (apparently) - Dec 16, 2006 1:31 pm (#23 Total: 26) - via email - Jeffrey McPheeters - Posts: 59
Re: Take Control of Your Domain Names
On Dec 14, 2006, at 9:21 PM, Google Kreme wrote:
>> I have my own domain (raggedcastle.com < http://raggedcastle.com>)
>> set so that mail from the few valid addresses goes to specific
>> mailboxes
>
> This is good.
>
>> and mail to anythingelseatall  raggedcastle.com < http://raggedcastle.com>
>> goes to the bit bucket.
>
> This is BAD. If someone means to send mail to
> "andy  raggedcastle.com" and they accidentally type
> "adny  raggedcastle.com" they should get a BOUNCE.
>
> Deleting the email gives the appearance that it was delivered.
And in most cases, much less bandwidth on the part of the SMTP
server. You should use the :FAIL: command, rather than
the :blackhole: command. Here's a simple explanation of what happens,
in most cases:
Some other SMTP server connects to your server on port 25 and
initiates an SMTP connection (EHLO command)
Other server then sends a message saying who they're delivering a
message for (MAIL FROM command)
Other server then sends who the message is for on your server (RCPT
command)
At this point your server then checks whether the email address in
the RCPT command can actually be delivered on your server. If you do
not have a catchall alias configured to point to an email address
(Default Address) and you have it set to :fail: the following happens:
Your server sends back along the same connection to the sending
server "Go away, no-one here" (the DENY command)
The sender server would then normally tell their user that the
attempt to email your server failed. Your server does not send a
"bounce" message. As far as your server is concerned, all that has
happened is a little SMTP chatter and no email has been received and
no bounce sent
Not all mail servers work alike, so this is based on what happens
with EXIM, a fairly common server in public hosting space.
Jeffrey
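
The session walked through in this post, as a toy model in Python (an added example, not from the thread and not Exim code). It compares three policies for unknown recipients: refusing at RCPT time, which SMTP expresses as a 550 reply, a catchall default address, and a blackhole. The domain, mailbox names and reply texts are constructed.

```python
DOMAIN = "victim.example"      # constructed domain
VALID_USERS = {"andy"}         # constructed: the only real mailbox
DEFAULT_MAILBOX = "owner"      # constructed: where a catchall delivers

class Receiver:
    """Toy receiving server; policy for unknown users: fail, blackhole or catchall."""

    def __init__(self, policy):
        self.policy, self.delivered = policy, []
        self.mail_from, self.targets = None, []

    def command(self, line):
        upper = line.upper()
        if upper.startswith(("EHLO ", "HELO ")):
            return f"250 {DOMAIN}"
        if upper.startswith("MAIL FROM:"):
            self.mail_from, self.targets = line[10:].strip(" <>"), []
            return "250 OK"
        if upper.startswith("RCPT TO:"):
            local, _, domain = line[8:].strip(" <>").lower().rpartition("@")
            if domain != DOMAIN:
                return "550 relaying denied"
            if local in VALID_USERS:
                self.targets.append(local)
            elif self.policy == "catchall":
                self.targets.append(DEFAULT_MAILBOX)
            elif self.policy == "blackhole":
                self.targets.append(None)       # accepted, then silently dropped
            else:
                return "550 No such user here"  # refused inside the session
            return "250 OK"
        if upper == "DATA":
            return "354 go ahead" if self.targets else "503 need RCPT first"
        return "500 unrecognized"

    def end_of_data(self):
        self.delivered += [(t, self.mail_from) for t in self.targets if t]
        self.targets = []
        return "250 queued"

def send(receiver, mail_from, rcpt):
    """Sending side of one delivery; returns the (sent, reply) transcript."""
    log = []
    for line in ("EHLO mx.remote.example", f"MAIL FROM:<{mail_from}>",
                 f"RCPT TO:<{rcpt}>", "DATA"):
        reply = receiver.command(line)
        log.append((line, reply))
        if reply[0] not in "23":
            return log    # refused: the sender still holds the message
    log.append((".", receiver.end_of_data()))
    return log

def backscatter_delivered(policy, forged=("mgbe", "ovptiu", "qdegn")):
    """Deliver one bounce (null sender) per forged address; count what lands."""
    receiver = Receiver(policy)
    for local in forged:
        send(receiver, "", f"{local}@{DOMAIN}")
    return len(receiver.delivered)
```

With the fail policy the bounces to invented addresses are refused before any message is transferred, while mail to `andy` is still accepted; with the blackhole policy a mistyped `adny` ends in `250 queued`, so the sender is told nothing went wrong.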

rowil (apparently) - Dec 16, 2006 1:31 pm (#24 Total: 26) - Posts: 36
Re: Take Control of Your Domain Names
At 2006-12-14 15:06 -0800 Google Kreme wrote:
>Challenge-Response is pure unadulterated evil. Don't do it.
Google - does this comment of yours apply also to the system used by
2idi < http://2idi.com/> to forward mail to people's i-name addresses?
I would have described that as a challenge-response system, but apart
from the initial exchange to establish the sender's bona-fides, it
doesn't seem to generate much extra traffic. I have replaced (much
too late, of course, but better late than never, I feel) all the
"mail-to" links on my personal web pages with a 2idi contact link.
I'd welcome your views on the type of system used by 2idi, and indeed
anyone's views on the likely future for i-names.
regards
Rowland
--
| Wilma & Rowland Carson http://home.clara.net/rowil/
| <rowil  clara.net> ... that's Rowland with a 'w' ...

jwblist (apparently) - Dec 18, 2006 5:38 pm (#25 Total: 26) - Posts: 768
Re: Take Control of Your Domain Names
On Dec 16, 2006, at 12:31 PM, Google Kreme wrote:
> Also, the use of port 587 is a workaround, not a solution.
Well, it's more than a workaround in the "do this because it might
work" sense, because that port IS standardized for mail submission.
One of the faults in email these days is that MUAs (mail user
agents: Mail.app, Thunderbird, Lookout Depress, Lookout, etc) got
into the "habit" of pretending to be MTAs (mail transfer agents)
using port 25 instead of port 587. (And the MUAs probably have to
default that way, because not every mail server is configured for
submissions on 587.)
But it IS a workaround in the sense that it is working around one of
the messes the spammers have caused.
--John

Dick Furnas - Dec 20, 2006 8:08 am (#26 Total: 26) - Posts: 8
Re: Take Control of Your Domain Names
> The other problem is that I really would like to know when email that I have actually sent bounces. And still would like to see all the misaddressed email messages that are intentionally sent to me or my domain. I just want this bounced spam to disappear.
> Nothing I can do, right?
Any bounce message will probably include a line:
From: qdegn  example.com
You can filter bounces by only accepting bounces whose content includes:
From: actualuser  example.com
for legitimate values of actualuser. This will eliminate the vast majority of the bogus bounces.
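
One way to implement the filter suggested in this post, as an added Python example (not code from the poster). It assumes the message has already been identified as a bounce, reads the original message's From: from the attached copy (`message/rfc822` or `text/rfc822-headers`), and falls back to scanning the text of an old-style bounce; the allowlist and all sample bounces are constructed.

```python
import email
import re
from email import policy
from email.utils import parseaddr

REAL_SENDERS = {"actualuser@example.com"}  # constructed: addresses really used to send

def original_senders(raw_bounce):
    """Return the From: addresses of the original message(s) quoted in a bounce."""
    msg = email.message_from_string(raw_bounce, policy=policy.default)
    values = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822" and part.is_multipart():  # full original attached
            values.append(str(part.get_payload(0).get("From", "")))
        elif ctype == "text/rfc822-headers":                   # headers-only copy
            hdrs = email.message_from_string(part.get_payload(), policy=policy.default)
            values.append(str(hdrs.get("From", "")))
    if not values and not msg.is_multipart():                  # plain-text bounce
        values = re.findall(r"(?mi)^From:[ \t]*(.+)$", msg.get_payload())
    return {parseaddr(v)[1].lower() for v in values if v}

def keep_bounce(raw_bounce):
    """Keep a bounce only if it quotes a message from a real sender."""
    return bool(original_senders(raw_bounce) & REAL_SENDERS)

def make_dsn(orig_from, embed_type):
    """Build a constructed delivery-status bounce for a message from orig_from."""
    return (
        "From: MAILER-DAEMON@mx.remote.example\n"
        "To: " + orig_from + "\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
        "\n"
        "--b1\nContent-Type: text/plain\n\nDelivery failed.\n"
        "--b1\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; mx.remote.example\n\n"
        "Final-Recipient: rfc822; nobody@remote.example\nAction: failed\nStatus: 5.1.1\n"
        "--b1\nContent-Type: " + embed_type + "\n\n"
        "From: " + orig_from + "\nTo: nobody@remote.example\nSubject: hello\n\n"
        "body\n"
        "--b1--\n"
    )

# Constructed old-style bounce that quotes the original as plain text.
PLAIN_BOUNCE = (
    "From: MAILER-DAEMON@mx.remote.example\n"
    "Subject: failure notice\n\n"
    "Sorry, the address had permanent fatal errors.\n"
    "--- Below this line is a copy of the message.\n\n"
    "From: ovptiu@example.com\nTo: nobody@remote.example\nSubject: offer\n"
)
```

Backscatter from spam that forged one of the real sender addresses still passes this check.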