Google Apps For Your Domain, and Spam


Have I ever mentioned how much I loathe spammers?

Well, I have even more reason to hate them. Tonight, after arriving home, I opened my mailbox to find over 200 non-delivery reports in my taoofmac.com e-mail account (which I recently moved to Google), and which are the result of someone faking From: addresses @taoofmac.com.

Why did I get these? Well, because I went to the Google Apps For Your Domain preferences and set my account as a "catch-all" address for taoofmac.com - and, as a result, any bounced e-mail ends up in my inbox.

At this point, I have established that besides these 200-odd, another 444 were faked as originating from my domain and recognized by Google as Spam. I was worried for a while, though, since trying to log in to my mail account on Google via Safari yielded -

Server Error

We're sorry, but Gmail is temporarily unavailable. We're currently working to fix the problem -- please try logging in to your account in a few minutes.

...which did not bode well. I eventually managed to log in, but only to find I cannot remove the catch-all "nickname"!

I can add and remove other nicknames from my account, but not the catch-all (which, despite being a dumb idea, was actually suggested during domain setup - I just decided to go along with it temporarily). Clearly, not being able to remove this particular nickname is a bug. In my particular case, a pretty annoying one.

I tried with both Camino and Safari, but it seems to make no difference: [email protected] is still there, and I have reported this to Google via the support form and replied to the boilerplate e-mail.

In case anyone at Google is reading this, it's issue #78992522 Cannot remove catch-all (*) "nickname".

Update: Thanks to a reader with the right connections, I was made aware of a workaround, which is to disable catch-all address in 'Domain settings' -> 'Advanced settings'. This makes sense, but a link to that instead of the "Remove" option might be a good way to save time.

Hunting Rats

Obviously, the maggots that are faking e-mail from my domain have noticed a brand new (i.e., virgin) MX record pop up and started using it as a likely way to bypass dumber Spam filters. Since it is impossible to stop people from faking From: addresses, all I can do at this point is track down the assholes that did it this time.

Looking at one of the e-mails I got, that's easily done:

X-Originating-IP: [67.187.135.122]
Return-Path: <[email protected]>
Authentication-Results: mta149.mail.re2.yahoo.com  from=taoofmac.com; domainkeys=neutral (no sig)
Received: from 67.187.135.122  (EHLO c-67-187-135-122.hsd1.ca.comcast.net) (67.187.135.122)
  by mta149.mail.re2.yahoo.com with SMTP; Wed, 18 Oct 2006 03:05:15 -0700
Message-ID: <[email protected]>
From: "Marina Brunson" <[email protected]>

Obviously, Marina does not exist. But garyscomputer has an IP address, and (guess what) it comes from one of the cesspits of spamming - Comcast Cable, aka "bot central":

$ whois 67.187.135.122
Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
                                  67.160.0.0 - 67.191.255.255
Comcast Cable Communications, Inc. STOKTON-3 (NET-67-187-128-0-1)
                                  67.187.128.0 - 67.187.159.255

# ARIN WHOIS database, last updated 2006-10-17 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

I got 50 NDRs originating from this pest alone, but there were plenty more. Here are the other members of the "Top 5" nuisances I could track down:

$ whois 68.88.166.243
SBC Internet Services - Southwest SBCIS-SBIS-6BLK (NET-68-88-0-0-1)
                                  68.88.0.0 - 68.95.255.255
Maize USD SBC068088166000030708 (NET-68-88-166-0-1)
                                  68.88.166.0 - 68.88.167.255
...
$ whois 207.3.149.143
Savvis SAVVIS (NET-207-2-128-0-1)
                                  207.2.128.0 - 207.3.255.255
WorldPath Internet Services CW-207-3-144-A (NET-207-3-144-0-1)
                                  207.3.144.0 - 207.3.151.255
WPIS TRADEPORT DSL WPIS-207-3-149-128-25 (NET-207-3-149-128-1)
                                  207.3.149.128 - 207.3.149.255
...
$ whois 24.24.57.45

OrgName:    Road Runner HoldCo LLC
OrgID:      RRMA
Address:    13241 Woodland Park Road
City:       Herndon
StateProv:  VA
PostalCode: 20171
Country:    US

ReferralServer: rwhois://ipmt.rr.com:4321

NetRange:   24.24.0.0 - 24.29.255.255
CIDR:       24.24.0.0/14, 24.28.0.0/15
...
$ whois 71.65.207.158

OrgName:    Road Runner HoldCo LLC
OrgID:      RRMA
Address:    13241 Woodland Park Road
City:       Herndon
StateProv:  VA
PostalCode: 20171
Country:    US

ReferralServer: rwhois://ipmt.rr.com:4321

NetRange:   71.64.0.0 - 71.79.255.255
CIDR:       71.64.0.0/12

I suppose I could always e-mail abuse at these ISPs, but I have a feeling it won't help much.


See Also: