Ask Al: Help, my domain is being forged!

John from the UK writes: We have recently -- the last 2 weeks -- become victims of a spamming outfit. They have borrowed our domain name and are sending out emails from random fictitious addresses within the domain. We know about it because of the bounce back messages from corporate and ISP email servers. The emails are not being sent via our hardware and software. They are being sent from a large number of IP addresses, most probably falsified. Is there anything we can do to address this problem?

I asked around on John's behalf. What I heard back wasn't overly encouraging. The answers I got ranged from colorful variations on "too bad, welcome to the Internets" (I'd never heard the acronym "BOHICA" before) to "implement complicated technical solutions that kind of help, but not really."

The short answer here is that you don't have a ton of options other than just putting up with it. If the level rises to the point where it'd be appropriate for you to bring lawyers into the fray, I'd recommend finding a savvy internet consultant or anti-spam group to help you track down the offenders. I'm sure the spam is coming from hosts all around the Internet and I doubt that it correctly indicates who the sender is (both are clear violations of the US CAN-SPAM law). Spamhaus, the best-known anti-spam group, is especially adept at this type of thing. I don't know if they consult for folks in your situation, but it's worth investigating. Their website is at

In the realm of a technical solution, BATV (Bounce Address Tag Validation; see ) is a scheme a mail server can employ to tell legitimate bounces, i.e. those for mail it really sent, from the backscatter generated by forged mail.

Matt Sergeant of email security and management service provider MessageLabs was kind enough to explain to me how it works. Here's what he had to say:

Instead of sending MAIL FROM: your MTA (mail transfer agent) munges that into MAIL FROM: (the "cookie" part is usually based on the date, but it can get more complex than that). If you get a bounce back (MAIL FROM:<>) your MTA checks the RCPT TO -- if it's not RCPT TO: but instead to plain old then you know it was a forged mail, because all your outbound mail has the cookie attached.

It's very effective, but breaks any remote end system that keys off the MAIL FROM address (and there are lots of such systems, making a roll out on a large and diverse system problematic). Very effective on systems you have lots of control over though.

If that sounds a bit technical, that's because it is. It also doesn't stop the bad guys from doing what they're doing, it just helps you filter out the bounces more easily.
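To make the tagging Matt describes concrete, here is an added Python example (it is not code from this post, from MessageLabs, or from any BATV implementation). It is modelled on the prvs= tag format of the BATV draft: the return path becomes prvs=KDDDSSSSSS=user@domain, where K is a key number, DDD is a date-based expiry (the "cookie") and SSSSSS is a truncated HMAC over the key number, expiry and the real address. The secret key, the 7-day validity window and the sample address are constructed assumptions for the demo.

```python
import datetime
import hashlib
import hmac
import re

# Constructed demo secret; a real MTA keeps this private and rotates it via KEY_NUM.
SECRET = b"constructed-demo-secret-key"
KEY_NUM = 0          # which key signed the tag (supports key rotation)
VALID_DAYS = 7       # how long a tagged return path stays acceptable


def _signature(key_num, expiry_ddd, address):
    """6 hex chars of an HMAC over the key number, expiry day and untagged address."""
    msg = f"{key_num}{expiry_ddd:03d}{address}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:6]


def tag_return_path(address, today=None):
    """Rewrite MAIL FROM 'user@example.com' into 'prvs=KDDDSSSSSS=user@example.com'.

    DDD is the expiry day (ordinal day modulo 1000), SSSSSS the truncated HMAC.
    """
    today = today or datetime.date.today()
    expiry_ddd = (today.toordinal() + VALID_DAYS) % 1000
    local, domain = address.split("@", 1)
    sig = _signature(KEY_NUM, expiry_ddd, address)
    return f"prvs={KEY_NUM}{expiry_ddd:03d}{sig}={local}@{domain}"


_TAG_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-fA-F]{6})=(.+)$")


def classify_bounce(rcpt_to, today=None):
    """Decide what to do with an incoming bounce (MAIL FROM:<>) addressed to rcpt_to.

    Returns ('accept', original_address) for a bounce to mail we really sent, or
    ('reject', reason) for backscatter from forged mail or a stale/tampered tag.
    """
    today = today or datetime.date.today()
    m = _TAG_RE.match(rcpt_to)
    if not m:
        # No tag at all: our MTA never sends with an untagged MAIL FROM, so this
        # bounce answers a message that somebody else forged in our name.
        return ("reject", "untagged return path")
    key_num, expiry_ddd, sig, address = int(m[1]), int(m[2]), m[3].lower(), m[4]
    if key_num != KEY_NUM:
        return ("reject", "unknown key number")
    # Days left until expiry, modulo 1000; a past expiry wraps to a large value.
    remaining = (expiry_ddd - today.toordinal()) % 1000
    if remaining > VALID_DAYS:
        return ("reject", "tag expired")
    if not hmac.compare_digest(sig, _signature(key_num, expiry_ddd, address)):
        return ("reject", "bad signature")
    return ("accept", address)


if __name__ == "__main__":
    sent_on = datetime.date(2024, 1, 10)                      # constructed date
    tagged = tag_return_path("alice@example.com", sent_on)    # what our MTA sends
    print(tagged)
    print(classify_bounce(tagged, sent_on))                   # genuine bounce
    print(classify_bounce("alice@example.com", sent_on))      # backscatter
    print(classify_bounce(tagged, sent_on + datetime.timedelta(days=8)))  # stale
```

The expiry is what makes a harvested tag useless after a week, and the HMAC is what stops someone from simply copying the prvs= prefix onto a different address. Note that the rewritten MAIL FROM is exactly what remote systems see, which is why anything that keys off that address (allow-lists, challenge/response systems, some mailing-list managers) can break, as Matt warns above.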

SpamAssassin offers a "Virus Bounce Toolset", which is supposed to help in a similar fashion.

Eventually, email authentication technologies like SPF (Sender Policy Framework) and DK (DomainKeys) could help with stuff like this. If you publish an SPF record, you're telling the world that your mail only comes from a certain set of IP addresses. The spammer's mail would not be coming from those specified IP addresses, and receiving ISPs could filter or reject the mail based on this fact. Look for this in the future, but it's not widely deployed or enforced currently.
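Here is an added Python example of the receiving side of the SPF check described above (it is not code from this post and not a real SPF library). It evaluates a minimal SPF record, only the ip4/ip6 mechanisms and all, against the IP address of the connecting server; the include, a and mx mechanisms need DNS lookups and are deliberately reported as permerror rather than modelled. The record and IP addresses are constructed sample values. One fact worth knowing that the post leaves out: SPF is checked against the envelope sender (the SMTP MAIL FROM), not the From: header the recipient sees.

```python
import ipaddress

# Result a mechanism produces when it matches, keyed by its qualifier.
_QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate a minimal SPF record for a connection from client_ip.

    Supports ip4:, ip6: and all with the +, -, ~ and ? qualifiers.  Returns one
    of 'pass', 'fail', 'softfail', 'neutral', 'none' (not an SPF record) or
    'permerror' (malformed record or a mechanism this toy evaluator cannot do).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                       # an unqualified mechanism means pass
        if term[0] in _QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            if not arg:
                return "permerror"
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            # A v4 client never matches a v6 network and vice versa.
            matched = ip.version == net.version and ip in net
        elif mech == "all":
            matched = True
        else:
            # include/a/mx/exists need DNS; not modelled in this example.
            return "permerror"
        if matched:
            return _QUALIFIER_RESULT[qualifier]
    # RFC 7208 default when no mechanism matched.
    return "neutral"


def receiver_action(result):
    """The kind of policy a receiving ISP might apply to an SPF result."""
    if result == "fail":
        return "reject"
    if result in ("softfail", "permerror"):
        return "mark as suspicious"
    return "accept"


if __name__ == "__main__":
    # Constructed record: the domain's mail only comes from these two ranges.
    record = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.5 -all"
    for ip in ("192.0.2.77", "203.0.113.9"):
        result = evaluate_spf(record, ip)
        print(ip, result, receiver_action(result))
```

The "-all" at the end is what gives the record teeth: with "~all" the forged mail only gets a softfail, which most receivers treat as a hint rather than grounds for rejection, and that is part of why the post says SPF is not yet "enforced".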
