Have I ever mentioned how much I loathe spammers?
Well, I have even more reason to hate them. Tonight, after arriving home, I opened my mailbox to find over 200 non-delivery reports in my taoofmac.com e-mail account (which I recently moved to Google), and which are the result of someone faking From: addresses @taoofmac.com.
Why did I get these? Well, because I went to the Google Apps For Your Domain preferences and set my account as a "catch-all" address for taoofmac.com - and, as a result, any bounced e-mail ends up in my inbox.
At this point, I have established that besides these 200-odd, another 444 were faked as originating from my domain and recognized by Google as Spam. I was worried for a while, though, since trying to log in to my mail account on Google via Safari yielded -
We're sorry, but Gmail is temporarily unavailable. We're currently working to fix the problem -- please try logging in to your account in a few minutes.
...which did not bode well. I eventually managed to log in, but only to find I cannot remove the catch-all "nickname"!
I can add and remove other nicknames from my account, but not the catch-all (which, despite being a dumb idea, was actually suggested during domain setup - I just decided to go along with it temporarily). Clearly, not being able to remove this particular nickname is a bug. In my particular case, a pretty annoying one.
Update: Thanks to a reader with the right connections, I was made aware of a workaround, which is to disable catch-all address in 'Domain settings' -> 'Advanced settings'. This makes sense, but a link to that instead of the "Remove" option might be a good way to save time.
Obviously, the maggots that are faking e-mail from my domain have noticed a brand new (i.e., virgin) MX record pop up and started using it as a likely way to bypass dumber Spam filters. Since it is impossible to stop people from faking From: addresses, all I can do at this point is track down the assholes that did it this time.
Looking at one of the e-mails I got, that's easily done:
X-Originating-IP: [18.104.22.168] Return-Path: <[email protected]> Authentication-Results: mta149.mail.re2.yahoo.com from=taoofmac.com; domainkeys=neutral (no sig) Received: from 22.214.171.124 (EHLO c-67-187-135-122.hsd1.ca.comcast.net) (126.96.36.199) by mta149.mail.re2.yahoo.com with SMTP; Wed, 18 Oct 2006 03:05:15 -0700 Message-ID: <[email protected]> From: "Marina Brunson" <[email protected]>
Obviously, Marina does not exist. But garyscomputer has an IP address, and (guess what) it comes from one of the cesspits of spamming - Comcast Cable, aka "bot central":
$ whois 188.8.131.52 Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1) 184.108.40.206 - 220.127.116.11 Comcast Cable Communications, Inc. STOKTON-3 (NET-67-187-128-0-1) 18.104.22.168 - 22.214.171.124 # ARIN WHOIS database, last updated 2006-10-17 19:10 # Enter ? for additional hints on searching ARIN's WHOIS database.
I got 50 NDRs originating from this pest alone, but there were plenty more. Here are the other members of the "Top 5" nuisances I could track down:
$ whois 126.96.36.199 SBC Internet Services - Southwest SBCIS-SBIS-6BLK (NET-68-88-0-0-1) 188.8.131.52 - 184.108.40.206 Maize USD SBC068088166000030708 (NET-68-88-166-0-1) 220.127.116.11 - 18.104.22.168 ... $ whois 22.214.171.124 Savvis SAVVIS (NET-207-2-128-0-1) 126.96.36.199 - 188.8.131.52 WorldPath Internet Services CW-207-3-144-A (NET-207-3-144-0-1) 184.108.40.206 - 220.127.116.11 WPIS TRADEPORT DSL WPIS-207-3-149-128-25 (NET-207-3-149-128-1) 18.104.22.168 - 22.214.171.124 ... $ whois 126.96.36.199 OrgName: Road Runner HoldCo LLC OrgID: RRMA Address: 13241 Woodland Park Road City: Herndon StateProv: VA PostalCode: 20171 Country: US ReferralServer: rwhois://ipmt.rr.com:4321 NetRange: 188.8.131.52 - 184.108.40.206 CIDR: 220.127.116.11/14, 18.104.22.168/15 ... $ whois 22.214.171.124 OrgName: Road Runner HoldCo LLC OrgID: RRMA Address: 13241 Woodland Park Road City: Herndon StateProv: VA PostalCode: 20171 Country: US ReferralServer: rwhois://ipmt.rr.com:4321 NetRange: 126.96.36.199 - 188.8.131.52 CIDR: 184.108.40.206/12
I suppose I could always e-mail abuse at these ISPs, but I have a feeling it won't help much.