Strange activities involving fake email address within a domain of mine

3

I am currently experiencing something that might be construed as an attack, and am wondering what, if anything, I should do about it.

First, a bit of background. I am the long-term owner of a .com domain name, that can be thought of as an abbreviated form of the name of a popular movie. Rather than expose myself any more than I already am, I am going to refer to this domain as movie.com here. This site was set up for a business I ran a long time ago; the business has long since been closed, but I've kept the site in order to preserve the URLs of various things I've put online there. I only ever created a single email address at this domain, plus a "catch-all" mailbox that forwards anything else to my main address.

From the beginning, that catch-all mailbox has received a trickle of misdirected messages, generally addressed to the name of some character from the movie - mostly MainCharacter@movie.com, with an occasional the.villain@movie.com. This never bothered me, as it was low volume, and I knew that I wasn't the original owner of the domain - it seems likely that a previous incarnation of the site was actually a fansite for the movie.

However, that trickle is turning into a flood. In recent months, Mr. Character has been signing up for various newsletters, generally business opportunities of some sort. And in the last few days, he's applied for dozens of jobs, all through the same job site that apparently doesn't require email address confirmation. My inbox is currently being flooded with confirmations of these applications coming from the job site, acknowledgements of receipt of the applications from the companies he applied to, and the occasional message from those companies that want to interview him but found that his contact info wasn't working.

I'm having a hard time imagining why anybody would want to do this. If it's actually an attack directed at me, it's not particularly effective - it would be just a moment's work to disable the catch-all mailbox, and I'd never see a single one of these messages again. Coming up with all these fake resumes, for a variety of job fields, that are good enough to actually get interview requests, seems like an enormous amount of effort - and I don't see how he'd even be able to tell what effect they're having, without actually being able to read the responses.

Perhaps more worrying: somebody with a similar address (referring to the same character, but in the form HeyLastname@movie.com) has booked a cruise about a dozen times, and then cancelled it within a minute; I'm getting all the confirmation messages. I've double-checked my credit cards, and there's no suspicious activity. My only guess here is that someone is trying to validate stolen credit card numbers, and chose a bogus address at my domain as part of their bogus bookings. I would report this to the cruise line, but all of their messages explicitly state that replies aren't accepted. There's a number to call, but the reviews for this particular company indicate that their phone customer service is awful, it sounds like this would just be a waste of my time. (And I have no convenient way to make phone calls during normal business hours, anyway.)

jasonharper

Posted 2019-08-27T04:45:34.203

Reputation: 131

I can't see anything in your description which can harm you; I don't think you need to worry. People abusing your system might not be aware that it's a valid address. As you receive a lot of trash and nothing useful there, I'd just switch off the catch-all address. – Máté Juhász – 2019-08-27T04:59:23.880

I know how you feel. Especially the "I would do something about it, but they don't accept replies or have no contact option" is always so annoying and frustrating. I killed most of my catch-alls some time ago for this; they get a 550 SMTP reply and are gone (knowing this address was fake) - and I'm not silently complicit in some crazy malware or money schemes. Now they could scan for valid emails at the domain, but oh well. – nyov – 2019-08-28T16:44:13.657

Answers

2

There is not an awful lot you can do. If you want to reduce the spam, you could remove the catchall, and have stuff silently swallowed. It could be an idea to switch off catch-all addresses, except that this is likely to generate back-scatter which could be more damaging to the Internet - and I would be inclined NOT to enable this.

As to why your domain name has been co-opted, it's anyone's guess. Someone wanting a legitimate domain name so they can relay/spam or use it as part of a phishing campaign is likely part of the equation. It is also borderline possible (but IMHO very unlikely) that the perpetrator has a similar domain name to yours, and some kind of autocorrect is kicking in. It could also be part of an automated/semi-automated script probing forms for the result.

davidgo

Posted 2019-08-27T04:45:34.203

Reputation: 49 152

1

If you want to fight for it - i.e. spend your time to produce a smart solution - go with greylisting, Bayes filters, SpamAssassin or newer stuff.

It takes some time, but after a bit of training of your filters, you won't get much of that spam any more. In your case it is easier to train your filters because you don't mind producing some false positives (i.e. mails that get tagged as spam and you'll never see, but indeed were directed to your domain), because you don't use that domain any more and you have only one legit address for serious stuff, which doesn't get filtered. So: better a false positive than a false negative (i.e. a spam mail that doesn't get tagged as such).

Otherwise just remove the catch-all.

In general: guessing the phenomenon is impossible. It requires more time than finding a good filtering solution, and most of the time your investigation gets blocked by the impossibility of travelling or accessing private information.

More generally: incoming unsolicited mails aren't a problem, as you can always send them to /dev/null. The only mails you must be careful about are the ones sent using your SMTP, as someone might be willing to ask you questions about those mails.

Anichang

Posted 2019-08-27T04:45:34.203

Reputation: 171

I don't see how greylisting, SpamAssassin or filters would help. The origins of the mails are valid and non-spammy. They are only replies to identity theft/impersonation (of your email identities). Unless you want to train your SA for HAM? – nyov – 2019-08-28T17:05:23.640

There are always some common patterns when the origin is the same. And, as I wrote, yes: he clearly stated there's not much ham, and has no problem removing the catch-all, so training for an excess of false positives is an option. He is asking for help mainly because he is worried, not because of not having a solution already. – Anichang – 2019-08-29T09:05:42.300

0

If you do not use this domain for sending mail, or even if you do, your best bet would be to create an SPF record in the domain's DNS zone.

SPF records can be looked up by the mail recipient's SMTP server and checked to see if the mailserver/MX who sent this mail is authorized to send mail for this domain. If they are not, the message is obviously bogus and can be discarded immediately (at receipt time).

If you are not sending any mail for this domain, this is very simple, and should be in the form:

movie.com.  3600  IN  TXT  "v=spf1 -all"   ; 3600 is the TTL in seconds; $TTL is a zone-wide directive, not a per-record field

where v=spf1 indicates this is an SPF text record and -all translates to "Nobody is allowed to send mail for this domain, what you just received is bogus."

If you do send mail for this domain, then you would define all allowed IPs here, who are authorized to send mail for this domain, such as:

movie.com.  3600  IN  TXT  "v=spf1 ip4:127.0.0.1/32 include:_spf.google.com ~all"

This would translate to "Only IP 127.0.0.1 or any mailserver of Google may send mail for this domain. ~all: But my admins are lazy and might forget to add a new mailserver here, so this is a SoftFail, you should still accept mail from other sources."

Such a record will then indicate to the recipients of your prolific friend's job résumés that they are not who they claim to be, sending from a non-authorized mailserver, and their identity is in question -- if the mailserver didn't discard the mail immediately already.

nyov

Posted 2019-08-27T04:45:34.203

Reputation: 229
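As an added example of how a receiving mail server evaluates records like the two above (my own illustration, not code from the answer), a small Python checker for the ip4, ip6, include and all mechanisms. The DNS_TXT table is a constructed stand-in for live TXT lookups, and the _spf.google.com contents in it are made up for the example:

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# The _spf.google.com entry is made up for this example, not the real record.
DNS_TXT = {
    "movie.com": "v=spf1 ip4:127.0.0.1/32 include:_spf.google.com ~all",
    "parked.example": "v=spf1 -all",
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, lookups=0):
    """Evaluate domain's SPF record for the connecting sender_ip.

    Returns pass / fail / softfail / neutral / none / permerror, covering
    the ip4, ip6, include and all mechanisms of RFC 7208 (no a/mx/exists).
    """
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            # An address of the other IP version never matches the network.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            lookups += 1
            if lookups > 10:  # RFC 7208 caps DNS-querying mechanisms at 10
                return "permerror"
            inner = check_spf(arg, sender_ip, lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # a broken include poisons the whole record
        else:
            return "permerror"  # mechanism this checker does not implement
    return "neutral"  # no "all" term: the record ends without a verdict
```

With the "-all" record, any sender IP yields "fail"; with the second record, 127.0.0.1 and the included networks yield "pass" and everything else "softfail".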

This would only protect against people sending mail that claims to come from my domain, right? As far as I can tell, that's not what's happening - they are signing up/applying/purchasing via web pages and entering a bogus address that happens to be in my domain. In other words, they're not sending email at all, they're just doing things that solicit email replies. – jasonharper – 2019-08-30T02:01:37.690

@jasonharper, yes, that only protects against fake From addresses in mails. I was under the impression that must be the case for some of the mentioned cases, but it's hard to know, since you wouldn't really notice. – nyov – 2019-08-30T02:51:30.883