Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Apologies if this is the wrong forum for this question; please let me know where it would be more appropriate.
For the past three days I've been receiving 'undeliverable mail' messages that appear to be originating from my domain, but that I have NOT sent out. Aside from the nuisance value of the incoming messages, which I can filter, is there anything I can do to stop this? I'm afraid that my domain will become blacklisted. This will be a problem, since I use it for legitimate business-related emails. I have already sent an email to 'abuse' at my upstream ISP (which handles my DNS) and sent them copies of some of the emails.
Anyone have ANY suggestions on what else I can do?
For those that are curious, the email advertises some kind of porn chat site (whois indicates an entity in Belize, though all the info looks rather fake); when you visit the site it redirects to another site that is also registered to an entity in Belize. And it goes on.
Again, anyone have any suggestions short of hiring a mercenary?
Is the mail server running on a box you maintain or on your ISP's server? If yours, you need to do some reading on firewalls and email security. If the ISP's, not much you can do about it except let them know they may have been breached.
You can always try changing your email password, just in case they are actually logging into the mailserver as you...
No, it's my server. It's an old Compaq Deskpro; I would have noticed someone using it to send spam. The stuff they sent went all over the world (at least that's what I see from the returned messages), and my little machine would have melted. I do have a firewall in place.
I have recently installed the most recent version of sendmail. I don't think they are using my box.
I did find on another site's forum where someone indicated the same problem, and in fact it appeared that the same group that was doing it to me was doing it to them; the spam advertised the same web site.
I see. They are just using your domain name.
Usually blackhole lists operate off of the originating IP or the MD5 of the message. You may want to contact someone like SpamCop and see what advice they can give you.
Do you have the header from one of the original spam emails? If so, you can find where the mail originated and contact the ISP that owns that range of addresses and maybe they will shut them down. That is really the only thing I can think of if you are sure they are not using your box to send from.
Congratulations, you got hit with a "Joe Job". That's what happens when someone spoofs your address to send malicious mail: You get all their bounces. Some idiots will no doubt complain about your domain as being the originator, and there's not much you can do about that. Certainly contacting your ISP is a good move. Keep an eye out to see if your IP shows up in any RBLs (you can periodically run a query on the zones of the popular RBLs, like Spamcop, Spamhaus, etc).
Filtering the bounces is really the only thing you can do. Everything else is just "wait and see". It should be fairly easy to prove to an RBL operator that you didn't send the original messages. Just keep some of the bounce messages that contain the original headers to use as proof. Most Anti-Spammers can recognize a Joe Job when they see one, so hopefully people will be reasonable with you.
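The two pieces of advice above (pull the originating IP out of the headers in a bounced copy, and periodically query the popular RBL zones for your own IP) can be scripted. The following Python is an added example, not code posted by anyone in this thread: the bounced headers are a constructed sample, the zone names are the real public DNSBLs mentioned (Spamhaus and SpamCop), and the DNS lookup is injectable so the script can be exercised offline; the "127.0.0.x" answer convention is the standard DNSBL signal for "listed".

```python
import re
import socket
from typing import Callable, Dict, List, Optional

# Public DNSBL zones named in the thread. These are real zone names; the
# lookup function is injected below so the example runs without network access.
RBL_ZONES: List[str] = ["zen.spamhaus.org", "bl.spamcop.net"]

# Matches a bracketed IPv4 literal as it appears in Received: headers.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: the original headers as they would be returned inside
# a bounce. Addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_BOUNCED_HEADERS = """Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id abc123
Received: from unknown (HELO relay) ([203.0.113.45])
\tby mx.example.net with SMTP
From: someone@victim-domain.example
To: recipient@example.org
Subject: constructed spam sample

body text
"""


def received_chain(raw_message: str) -> List[str]:
    """Return the unfolded Received: headers, top (latest hop) to bottom (earliest)."""
    header_block = raw_message.split("\n\n", 1)[0]
    # Unfold RFC 5322 continuation lines (leading space or tab) onto one line.
    unfolded = re.sub(r"\n[ \t]+", " ", header_block)
    return [line for line in unfolded.split("\n") if line.lower().startswith("received:")]


def originating_ip(raw_message: str) -> Optional[str]:
    """IP from the earliest Received: header, i.e. the hop closest to the sender.

    Each relay prepends its own Received: line, so the bottom-most one is the
    most trustworthy hint about where the message really entered the mail system.
    Headers below that point can be forged by the sender, so treat it as a lead
    for an abuse report, not as proof.
    """
    for line in reversed(received_chain(raw_message)):
        match = RECEIVED_IP_RE.search(line)
        if match:
            return match.group(1)
    return None


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet DNSBL name, e.g. 45.113.0.203.zen.spamhaus.org."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def default_resolver(name: str) -> Optional[str]:
    """Real DNS A lookup; None means NXDOMAIN, i.e. not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_rbls(
    ip: str,
    zones: List[str] = RBL_ZONES,
    resolve: Callable[[str], Optional[str]] = default_resolver,
) -> Dict[str, Optional[str]]:
    """Map each zone to its answer (a 127.0.0.x code when listed) or None."""
    return {zone: resolve(rbl_query_name(ip, zone)) for zone in zones}


if __name__ == "__main__":
    # Stand-alone run: find the origin of the constructed sample, then show how
    # you would check your own mail server's IP against the zones (placeholder IP).
    print("spam entered the mail system from:", originating_ip(SAMPLE_BOUNCED_HEADERS))
    my_server_ip = "192.0.2.10"  # placeholder for your server's public address
    for zone, answer in check_rbls(my_server_ip).items():
        print(f"{zone}: {'LISTED ' + answer if answer else 'not listed'}")
```

Run it from cron against your server's own address and alert on any non-None answer; keep the bounce copies whose bottom Received: line points elsewhere, since that is exactly the evidence an RBL operator needs to see that the origin was not your box.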
Had the same thing happen to me - viagra... certain enlargement procedures - A bloody nuisance indeed! Just make sure that you report the incident to the ISP.
Another thing you could do if you are a daredevil is checking to see if the site advertised in the mail is owned by a US company - If so contact the FTC as I understand they do take quite a serious view on spam and identity theft...
The toughest part was figuring out what the thing was called: "joe job", but now I know.
And like everyone has pointed out, there's bloody nothing I can do about it; though I did forward some of the items to 'abuse' for the networks that appear in the header as the source of the spam. I also posted a message on my site indicating the situation. Hopefully, I can ride the thing out.
Though as an aside, an interesting thing is that some of the spam links you to a legit site as an affiliate... am going to try to trace that one down.
Again, thanks for the help and suggestions, they are most welcome!
-mark