

Ask HN: Help with spam "originating" from my website - sendos

Several spammers are sending email from fake email addresses from my domain (e.g. bob@mydomain.com, where bob is not a valid email address).

Not sure if they are

1) Sending them from other computers and just spoofing the headers to make it appear that it's from bob@mydomain.com

or

2) Somehow hacked into my VPS and sending them from my actual server.

Below are some emails I get from websites that bounce the spam that is being sent:
http://pastebin.com/Tb4Th8kM

The two problems that arise from this are that my mail folder gets full from all the bounced email, and also that my domain is now on several spam lists and I can't send email from any legitimate address on my domain.

Can you guys help with suggestions on how I can go about:
a) Determining whether (1) or (2) above is happening
b) Stopping it if possible
c) If not possible to do (b), at least minimize the damage

Thanks
======
cheald
First, look at the headers to see where the message originated. If it didn't
originate from your VPS or mail server, you're probably okay.

You should google and implement SPF and DKIM for your domain. SPF is just a
DNS change that says what hosts are allowed to send email for your domain, and
DKIM is a DNS + mailserver change that will sign legit outbound email with a
key that MTAs can verify to make sure that the email is legit (and bounce it
if it's not). That will stop the vast majority of fraudulent email in its
tracks.

Looking at the email you provided:

    Received: from __MY_USERNAME__ by __MY_WEBSITE__.com with local (Exim 4.80.1)
    X-PHP-Script: __MY_WEBSITE__.com/ for 127.0.0.1

I'd bet good money that you have a compromised or vulnerable mailer script on
your machine somewhere and it's being exploited in an automated fashion. Check
all of your mailers for known vulnerabilities and patches.

It may be wise to assume that the box is compromised, save your known good
data and code, torch the whole thing and rebuild it piece by piece, validating
the pieces as you go. That's extreme, but when dealing with a potential
machine breach, you can't really ever be sure that you're clean without nuking
it from orbit.

~~~
sendos
> I'd bet good money that you have a compromised or vulnerable mailer script
> on your machine somewhere

This must be the case. I turned on SPF and DKIM and the spam emails slowed
down for a while, but are now back in full force.

It looks like I will need to torch the whole VPS (I have backed up the
important data)

------
gus_massa
How do the headers of a real message (from your server) look? It's strange
that the bounced messages in Pastebin only have one "Received" header, without
IP information.

I just looked at the last message I got and it has 10 headers with Received,
X-Received or Received-SPF, with a lot of IP information.

If they are spoofing the email, then "DomainKeys Identified Mail (DKIM)" may
help [http://www.dkim.org/](http://www.dkim.org/) . I never deployed it to a
server, so you must seek advice from someone with real world experience.

------
ijl
You should implement at least Sender Policy Framework to endorse only email
from your own servers. Better yet implement DomainKeys Identified Mail.
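As an added example (not code from any of the posters), the script below does the header triage that cheald and gus_massa describe and the SPF evaluation that ijl recommends. It walks the Received chain oldest-first, flags the Exim "with local" / X-PHP-Script pattern from the quoted bounce as "a script on the server sent this" (case 2), flags a message whose first hop was our own MTA over SMTP as "relayed through our server" (also case 2), and treats everything else as a forged From on someone else's machine (case 1). Assumptions: the two sample messages are constructed (the first mirrors the bounce excerpt, the second uses documentation-range addresses), `__MY_WEBSITE__.com` is the placeholder from the bounce, the SPF policy `v=spf1 ip4:192.0.2.10 -all` is invented, and `spf_check` only evaluates `ip4:` mechanisms and the trailing `all` (a real SPF resolver also handles `a`, `mx`, `include` and `ip6` via DNS).

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample 1: mirrors the bounce excerpt quoted in the thread. A single
# Received hop "with local" plus an X-PHP-Script header means a PHP script on the
# box itself handed the mail to the local Exim, i.e. the server is sending it.
LOCAL_SCRIPT_SAMPLE = """\
Received: from __MY_USERNAME__ by __MY_WEBSITE__.com with local (Exim 4.80.1)
X-PHP-Script: __MY_WEBSITE__.com/ for 127.0.0.1
From: bob@mydomain.com
To: victim@example.net
Subject: constructed sample

body
"""

# Constructed sample 2: a forged From where the earliest hop is an unrelated
# host (203.0.113.45, a documentation-range address), never our server.
SPOOFED_SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7]) by mail.example.org with ESMTP
Received: from unknown (HELO mydomain.com) (203.0.113.45) by mx.example.net with SMTP
From: bob@mydomain.com
To: victim@example.org
Subject: constructed sample

body
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.IGNORECASE)


def received_chain(raw):
    """Return (Received headers oldest-first, parsed message). Each MTA prepends
    its own Received header, so the last one in the message is the hop closest
    to the true origin."""
    msg = message_from_string(raw)
    return list(reversed(msg.get_all("Received", []))), msg


def origin_ip(raw):
    """IPv4 address recorded in the earliest Received hop, or None if that hop
    carries no address (as in the 'with local' bounce)."""
    chain, _ = received_chain(raw)
    if not chain:
        return None
    m = IPV4_RE.search(chain[0])
    return m.group(1) if m else None


def classify_origin(raw, own_hosts):
    """Decide between the two cases in the question.
    own_hosts: lowercase hostnames of the servers you actually operate."""
    chain, msg = received_chain(raw)
    first_hop = chain[0] if chain else ""
    # Case 2: injected by a script on the server itself (Exim's local transport;
    # PHP's mail() adds X-PHP-Script when mail.add_x_header is on).
    if msg.get("X-PHP-Script") or re.search(r"\bwith local\b", first_hop):
        return "local-script"
    # Still case 2: our own MTA accepted it over SMTP from some client; the
    # "from" part of that hop tells you who relayed through us.
    by = BY_RE.search(first_hop)
    if by and by.group(1).lower() in own_hosts:
        return "own-server-smtp"
    # Case 1: the message never touched our infrastructure; only From is forged.
    return "external"


QUALIFIER_NAME = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(sender_ip, spf_record):
    """Minimal SPF evaluation: ip4: mechanisms and the terminal 'all' only.
    Real SPF also resolves a/mx/include/ip6 through DNS; this deliberately does not."""
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower().startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_NAME[qualifier]
        elif term.lower() == "all":
            return QUALIFIER_NAME[qualifier]
    return "neutral"  # no mechanism matched and no 'all' present


if __name__ == "__main__":
    own = {"__my_website__.com"}
    for name, sample in (("local", LOCAL_SCRIPT_SAMPLE), ("spoofed", SPOOFED_SAMPLE)):
        print(name, classify_origin(sample, own), origin_ip(sample))
    # Assumed policy: only 192.0.2.10 may send for the domain; everything else hard-fails.
    policy = "v=spf1 ip4:192.0.2.10 -all"
    print(spf_check("203.0.113.45", policy))
```

Run it against the bounces you collected (paste the quoted headers into a file and feed them to `classify_origin`): a "local-script" verdict means SPF and DKIM will not help, because the mail really is leaving your server with a valid signature, and the fix is finding and removing the script that is being abused. An "external" verdict with a pass-only `-all` policy is exactly the situation where receivers start rejecting the forgeries instead of bouncing them to you.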

