Re: [WISPA] domain spam attack - JoeJob
> Does anyone have any experience with having an attack done on your domain
> where the sender spoofs the header and then puts your domain in it as the
> sender. I think this is called a JoeJob and we are getting 1000's of the
> bounced messages because of it and are now having difficulty sending to some
> of the bigger email providers like aol, yahoo, and hotmail. I tracked the
> originating IP down to somewhere in Asia and reported them to the holder of
> the Whois information there. Anything else I can do?

Set up an SPF record.

http://www.openspf.org/

Matt

WISPA Wants You! Join today!
http://signup.wispa.org/

WISPA Wireless List: wireless@wispa.org

Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless

Archives: http://lists.wispa.org/pipermail/wireless/

Re: [WISPA] domain spam attack - JoeJob
On 2009-12-30 10:31, Kurt Fankhauser wrote:
> Does anyone have any experience with having an attack done on your domain
> where the sender spoofs the header and then puts your domain in it as the
> sender. I think this is called a JoeJob and we are getting 1000's of the
> bounced messages because of it and are now having difficulty sending to some
> of the bigger email providers like aol, yahoo, and hotmail. I tracked the
> originating IP down to somewhere in Asia and reported them to the holder of
> the Whois information there. Anything else I can do?

BarricadeMX has a mechanism for that. All the outgoing mail must go through it, though, to be able to make it work.

http://www.fsl.com/index.php/barricademx/barricademx

It also works very, very well to cut inbound spam.

Regards,

Ugo

Re: [WISPA] domain spam attack - JoeJob
"If they send legitimate mail from their hotel or Home circuit (if it was originally an Office account/circuit with you, but bring laptop home also), which home provider blocks SMTP except for using Access provider's SMTP server, the legitimate sender will no longer get notice when a send was unsuccessful. SMTP Auth is not always a winning solution, when Port 25 gets blocked."

Most mail servers will support both SMTP Authentication and alternate SMTP ports. Port 587 is supposed to be a standard alternate port for SMTP. We have our roaming users replace port 25 with 587 and enable SMTP authentication, which seems to work very well.

Richey

-----Original Message-----
From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On Behalf Of Tom DeReggi
Sent: Tuesday, December 29, 2009 1:48 PM
To: WISPA General List
Subject: Re: [WISPA] domain spam attack - JoeJob

The watermark idea sounds like a clever idea, and worthy solution. Only thing, should consider whether you let your mail users send through other providers during travel or secondary locations. (Would also apply to SPF to some extent).

If they send legitimate mail from their hotel or Home circuit (if it was originally an Office account/circuit with you, but bring laptop home also), which home provider blocks SMTP except for using Access provider's SMTP server, the legitimate sender will no longer get notice when a send was unsuccessful. SMTP Auth is not always a winning solution, when Port 25 gets blocked.

So it boils down to... Do you want to set policy to only support mail if sent through your own mail server? That's a personal decision.

But it could also be addressed by how the watermark gets dealt with. For example, what if the watermark rule was used, BUT it accepted the first 5 bounces within a defined period of time, and then auto blocked all future bounces for a defined period of time? That would be better because it allows getting a few of the bounces for management, but also limits the number of harmful bounces.

We use similar techniques with Blacklisting. We let first few through, and then when threshold is exceeded we temporarily blacklist sender for like 12 hours. That is very effective in managing SPAM and DDOS. Unfortunately, it is not a good way to prevent poor reputation ratings that rely on other provider's systems that accept and weight too heavily "What is SPAM" submissions from their end users.

Tom DeReggi
RapidDSL & Wireless, Inc
IntAirNet- Fixed Wireless Broadband

Re: [WISPA] domain spam attack - JoeJob
The watermark idea sounds like a clever idea, and worthy solution. Only thing, should consider whether you let your mail users send through other providers during travel or secondary locations. (Would also apply to SPF to some extent).

If they send legitimate mail from their hotel or Home circuit (if it was originally an Office account/circuit with you, but bring laptop home also), which home provider blocks SMTP except for using Access provider's SMTP server, the legitimate sender will no longer get notice when a send was unsuccessful. SMTP Auth is not always a winning solution, when Port 25 gets blocked.

So it boils down to... Do you want to set policy to only support mail if sent through your own mail server? That's a personal decision.

But it could also be addressed by how the watermark gets dealt with. For example, what if the watermark rule was used, BUT it accepted the first 5 bounces within a defined period of time, and then auto blocked all future bounces for a defined period of time? That would be better because it allows getting a few of the bounces for management, but also limits the number of harmful bounces.

We use similar techniques with Blacklisting. We let first few through, and then when threshold is exceeded we temporarily blacklist sender for like 12 hours. That is very effective in managing SPAM and DDOS. Unfortunately, it is not a good way to prevent poor reputation ratings that rely on other provider's systems that accept and weight too heavily "What is SPAM" submissions from their end users.

Tom DeReggi
RapidDSL & Wireless, Inc
IntAirNet- Fixed Wireless Broadband

----- Original Message -----
From: "Terry Hickey"
To: "WISPA General List"
Sent: Tuesday, December 29, 2009 11:20 AM
Subject: Re: [WISPA] domain spam attack - JoeJob

> I use MailScanner http://www.mailscanner.info/ . It allows you to put a
> watermark on all messages leaving your mailserver. If a bounce comes in
> without the watermark, it trashes it. Works like a charm for exactly
> that.
>
> Terry

Re: [WISPA] domain spam attack - JoeJob
You're right, it does require the recipient domain to implement SPF checking, but I think it's better than nothing. It could at least help prevent from having your domain name end up on some auto-populated spam lists like aol, yahoo, etc like he originally said he was having problems with... although usually I've seen that happen with IPs rather than domain names themselves.

-Matt

On Tue, 2009-12-29 at 11:24 -0500, Nick Olsen wrote:
> This assumes that the receiving party drops mail based on SPF.
> And still, most of the time it will bounce the message saying it failed
> spam checks or something like that.

Re: [WISPA] domain spam attack - JoeJob
This assumes that the receiving party drops mail based on SPF. And still, most of the time it will bounce the message saying it failed spam checks or something like that.

Nick Olsen
Brevard Wireless
(321) 205-1100 x106

From: "Matt Hardy"
Sent: Tuesday, December 29, 2009 11:08 AM
To: "WISPA General List"
Subject: Re: [WISPA] domain spam attack - JoeJob

You can implement the use of SPF records in your dns/mx settings. This will tell mail servers which use SPF checking (which many do) to only allow mail from your domain name to come from the mail servers / IPs that you specify (in the SPF records) are allowed. Any mail coming from non-allowed IPs is blocked...

-Matt

Re: [WISPA] domain spam attack - JoeJob
I use MailScanner http://www.mailscanner.info/ . It allows you to put a watermark on all messages leaving your mailserver. If a bounce comes in without the watermark, it trashes it. Works like a charm for exactly that.

Terry

----- Original Message -----
From: "Nick Olsen"
To: "WISPA General List"
Sent: Tuesday, December 29, 2009 8:54 AM
Subject: Re: [WISPA] domain spam attack - JoeJob

> Not really. Being in Asia and all.
> We have had this happen to us before. Just have to wait for them to go
> away.

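The watermark check described in this message, combined with the "let the first 5 through, then block for a while" threshold proposed earlier in the thread, as an added example that is not part of the original posts and is not MailScanner's own code. The header name, the HMAC construction, the 7-day lifetime, the one-hour window and the sample bounce are assumptions made for illustration; only the limit of 5 and the 12-hour block come from the thread.

```python
import hashlib
import hmac
import re

HEADER = "X-Example-Watermark"   # hypothetical header name
LIFETIME = 7 * 24 * 3600         # assumed: a watermark is honoured for 7 days


def _mac(secret: bytes, mailbox: str, expiry: int) -> str:
    data = f"{mailbox.lower()}|{expiry}".encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def make_watermark(secret: bytes, mailbox: str, now: int) -> str:
    """Value stamped on every outgoing message: '<expiry>:<HMAC>'."""
    expiry = now + LIFETIME
    return f"{expiry}:{_mac(secret, mailbox, expiry)}"


def has_valid_watermark(secret: bytes, mailbox: str, bounce: str, now: int) -> bool:
    """True if the bounce quotes back an unexpired watermark issued for this mailbox."""
    pattern = rf"^{re.escape(HEADER)}:\s*(\d+):([0-9a-f]{{64}})\s*$"
    m = re.search(pattern, bounce, re.M | re.I)
    if not m:
        return False
    expiry = int(m.group(1))
    expected = _mac(secret, mailbox, expiry)
    return expiry >= now and hmac.compare_digest(expected, m.group(2).lower())


class BounceFilter:
    """Deliver watermarked bounces; pass a few unmarked ones, then block for a while."""

    def __init__(self, secret, allow=5, window=3600, block=12 * 3600):
        self.secret, self.allow, self.window, self.block = secret, allow, window, block
        self.seen = {}            # mailbox -> times of unmarked bounces let through
        self.blocked_until = {}   # mailbox -> time the temporary block ends

    def handle(self, mailbox: str, bounce: str, now: int) -> str:
        if has_valid_watermark(self.secret, mailbox, bounce, now):
            return "deliver"      # a bounce for mail that really left our server
        if now < self.blocked_until.get(mailbox, 0):
            return "drop"
        recent = [t for t in self.seen.get(mailbox, []) if now - t < self.window]
        if len(recent) >= self.allow:
            # Threshold exceeded: start the temporary block and reset the counter.
            self.blocked_until[mailbox] = now + self.block
            self.seen[mailbox] = []
            return "drop"
        self.seen[mailbox] = recent + [now]
        return "deliver-unverified"


def sample_bounce(watermark_line: str = "") -> str:
    """Constructed bounce text: a delivery failure notice quoting the original headers."""
    return ("Subject: Undelivered Mail Returned to Sender\n\n"
            "The following message could not be delivered.\n\n"
            "From: user@example.com\n" + watermark_line + "Subject: hello\n")
```

Watermarked bounces bypass the counter, so a roaming user who did send through the watermarking server still gets failure notices while a temporary block is in force.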
Re: [WISPA] domain spam attack - JoeJob
You can't do anything to stop blocking them from being forged and sent, but there are things you can do to help notify other ISPs what servers are authorized to send mail for your domain, so that they can use smarter methods to block and allow SPAM. For example, you can use a Sender Policy Framework record in your Domain headers.

Some recipient servers have different rules on whether they just drop or return SPAM, dependent on detection method. If similar methods are already being done, and the messages are being sent back to you after being blocked, and getting flooded with the bounce messages, probably not much can do, other than to set up a temp rule to drop those specific bounce message group.

Tom DeReggi
RapidDSL & Wireless, Inc
IntAirNet- Fixed Wireless Broadband

----- Original Message -----
From: "Kurt Fankhauser"
To: "'WISPA General List'"
Sent: Wednesday, December 30, 2009 10:31 AM
Subject: [WISPA] domain spam attack - JoeJob

> Does anyone have any experience with having an attack done on your domain
> where the sender spoofs the header and then puts your domain in it as the
> sender. I think this is called a JoeJob and we are getting 1000's of the
> bounced messages because of it and are now having difficulty sending to
> some of the bigger email providers like aol, yahoo, and hotmail. I tracked the
> originating IP down to somewhere in Asia and reported them to the holder
> of the Whois information there. Anything else I can do?

Re: [WISPA] domain spam attack - JoeJob
You can implement the use of SPF records in your dns/mx settings. This will tell mail servers which use SPF checking (which many do) to only allow mail from your domain name to come from the mail servers / IPs that you specify (in the SPF records) are allowed. Any mail coming from non-allowed IPs is blocked...

-Matt

On Wed, 2009-12-30 at 10:31 -0500, Kurt Fankhauser wrote:
> Does anyone have any experience with having an attack done on your domain
> where the sender spoofs the header and then puts your domain in it as the
> sender. I think this is called a JoeJob and we are getting 1000's of the
> bounced messages because of it and are now having difficulty sending to some
> of the bigger email providers like aol, yahoo, and hotmail. I tracked the
> originating IP down to somewhere in Asia and reported them to the holder of
> the Whois information there. Anything else I can do?

Re: [WISPA] domain spam attack - JoeJob
Not really. Being in Asia and all.
We have had this happen to us before. Just have to wait for them to go away.

Nick Olsen
Brevard Wireless
(321) 205-1100 x106

From: "Kurt Fankhauser"
Sent: Tuesday, December 29, 2009 10:32 AM
To: "WISPA General List"
Subject: [WISPA] domain spam attack - JoeJob

Does anyone have any experience with having an attack done on your domain where the sender spoofs the header and then puts your domain in it as the sender. I think this is called a JoeJob and we are getting 1000's of the bounced messages because of it and are now having difficulty sending to some of the bigger email providers like aol, yahoo, and hotmail. I tracked the originating IP down to somewhere in Asia and reported them to the holder of the Whois information there. Anything else I can do?

[WISPA] domain spam attack - JoeJob
Does anyone have any experience with having an attack done on your domain where the sender spoofs the header and then puts your domain in it as the sender. I think this is called a JoeJob and we are getting 1000's of the bounced messages because of it and are now having difficulty sending to some of the bigger email providers like aol, yahoo, and hotmail. I tracked the originating IP down to somewhere in Asia and reported them to the holder of the Whois information there. Anything else I can do?

Kurt Fankhauser
WAVELINC
P.O. Box 126
Bucyrus, OH 44820
419-562-6405
www.wavelinc.com