jimkyle
Btrieve Guy
Premium Member
join:2002-10-20
Oklahoma City, OK

"Will be closed..." emails

For several days I've been getting messages with a subject line "Will be closed due to bad conditions" that purport to be from (non-existent) users on my private e-mail server, which is locked down to prevent relay attempts. Some of them seem to be actual user names at other domains, that appear in my address book, but not all -- and the most recent such message although addressed TO my domain claimed to be FROM another (and "whois" on the original "received" entry in its header showed that the FROM and REPLY-TO entries were forged).

Since these symptoms are typical of a takeover for spamming purposes, but could also be due to infection of someone else's system if my own address happens to be in that system's contact list/address book, I'm a bit concerned. My logs show no untoward activity, and I use fail2ban to protect my installation of postfix, but I'm curious to know if anyone else is seeing similar messages.

The body of the message does contain a URL, but when examined it appears to go to my server rather than anywhere else -- and I'm running Xubuntu with very tight controls on the server, so am confident that no user of the name used in the URL exists on my system.

My address is public on my web site, since I depend on contacts from people who need my data recovery services. Thus it's quite easy for baddies to forge information making it appear to originate from me. I don't see any way to avoid that; it's the main reason I run a private mail server rather than rely on others to keep things cleaned up. However I don't want to wind up on any blacklists due to such forgeries.

Comments???
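The checks described in this post (whois on the origin hop versus the claimed FROM/REPLY-TO, a body URL that points back at the recipient's own domain, and a user name in that URL that does not exist locally) can be scripted for triage. The following is an added example, not code from the thread or from any poster; it parses a constructed sample message, treats the Received line written by our own MX as the only trustworthy origin (lines below it are written by the sender and can be forged), and uses an assumed lookup table KNOWN_SENDER_IPS in place of the manual whois check, plus assumed OUR_MX and LOCAL_USERS sets for the receiving server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a message from the thread). From and
# Reply-To claim example.org, the body link points back at the recipient's
# own domain example.net, and the hop our MX recorded came from an address
# unrelated to example.org. The second Received line was written by the
# sender and claims a legitimate example.org origin.
SAMPLE_MESSAGE = """\
Received: from unknown (HELO relay.example.org) ([198.51.100.23])
\tby mx.example.net with SMTP; Mon, 10 Mar 2014 09:59:58 +0000
Received: from mail.example.org (mail.example.org [203.0.113.5])
\tby relay.example.org with ESMTP; Mon, 10 Mar 2014 09:59:50 +0000
From: tony@example.org
Reply-To: tony@example.org
To: owner@example.net
Subject: Will be closed due to bad conditions

Please see http://example.net/~vecho/notice for details.
"""

# Assumed: hosts we operate; only Received lines they added are trusted.
OUR_MX = {"mx.example.net"}
# Assumed: stands in for the whois lookup in the post, mapping a claimed
# sender domain to the addresses it really sends from.
KNOWN_SENDER_IPS = {"example.org": {"203.0.113.5"}}
# Assumed: accounts that actually exist on the receiving server.
LOCAL_USERS = {"owner", "postmaster"}

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
URL_RE = re.compile(r"https?://([^/\s]+)(/[^\s]*)?")


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def trusted_origin_ip(msg):
    """Connecting IP recorded by our own MX. Received lines below that one
    were written by the sender and may be forged, so they are ignored."""
    for hop in msg.get_all("Received") or []:
        by = re.search(r"\bby\s+(\S+)", hop)
        if by and by.group(1).lower() in OUR_MX:
            m = IPV4_RE.search(hop)
            return m.group(1) if m else None
    return None


def analyze(raw, local_domain):
    """Collect the spoofing indicators discussed in the thread for one message."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    origin = trusted_origin_ip(msg)
    body = msg.get_payload() if not msg.is_multipart() else ""
    urls = URL_RE.findall(body)  # list of (host, path) tuples

    # URLs whose host is the recipient's own domain
    self_urls = [h + p for h, p in urls if h.lower().endswith(local_domain)]
    # ~user names embedded in those URLs that do not exist locally
    claimed_users = {re.match(r"/~([^/]+)", p).group(1)
                     for _, p in urls if p.startswith("/~")}
    return {
        "from_domain": from_dom,
        "reply_to_matches_from": (reply_dom == from_dom) if reply_dom else True,
        "origin_ip": origin,
        "origin_matches_claimed_domain": origin in KNOWN_SENDER_IPS.get(from_dom, set()),
        "urls_pointing_at_us": self_urls,
        "unknown_local_users_in_urls": sorted(claimed_users - LOCAL_USERS),
    }


def looks_forged(report):
    """Forged if the real origin is not one of the claimed domain's senders,
    or the body names a local user that does not exist."""
    return (not report["origin_matches_claimed_domain"]
            or bool(report["unknown_local_users_in_urls"]))


if __name__ == "__main__":
    report = analyze(SAMPLE_MESSAGE, "example.net")
    for key, value in report.items():
        print(f"{key}: {value}")
    print("forged:", looks_forged(report))
```

Run against a real mailbox, the lookup table would be replaced by the whois result for the origin address, and OUR_MX by the hostnames your postfix instance writes into its Received lines; matching on that hop rather than on the bottom-most Received line is what keeps a sender from fooling the check with a prepended header.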

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Re: "Will be closed..." emails

"So, in each case a name has been harvested from my web site and an email address guessed (tony@ and vecho@) in order to send the spam.

I've seen this process of scraping my web site and guessing email addresses before by a business called CIO Summits ..."
»blog.dynamoo.com/2014/03 ··· oor.html

This is about mail addresses being scraped & guessed.

jimkyle
Btrieve Guy
Premium Member
join:2002-10-20
Oklahoma City, OK

Thanks for the link! That's exactly what my messages have been, but the URL included for a reply points to my own domain -- which, coincidentally (not) happens to be hosted by GoDaddy. Guess it's time to move my registration elsewhere...