I am receiving bounced emails that I did not send! It looks like someone is sending emails using my domain and email account to send spam. Why is this happening?
This is called a “Joe Job”. Unfortunately, very little can be done about it; it happens all over the internet, to every domain name. Spam-sending and infected computers and servers constantly send spam to thousands of recipients while pretending to be someone else. The sender addresses in that spam (the “Reply-To”, the “From” and the “Return-Path”) carry a forged domain name; in this case, your domain.
When the spam bounces, the bounce is returned to the Reply-To address that the spammer forged, so you end up receiving the bounced email.
Please see the following example. Note that some of the information has been replaced with *** to keep it confidential.
A message that you sent could not be delivered to one or more of its recipients.
This is a permanent error. The following address(es) failed:

  ******@tiger.jet.msk.su
    SMTP error from remote mailer after RCPT TO:<******@tiger.jet.msk.su>:
    host localhost.jet.msk.su [127.0.0.1]: 550-Mailbox unknown. Either there is no mailbox associated with this
    550-name or you do not have authorization to see it.
    550 5.1.1 User unknown

------ This is a copy of the message, including all the headers. ------

Return-path: <youremailaccount@emailaccount.com>
Received: from [194.87.88.**] (helo=mx2.jet.msk.su)
    by tiger.jet.su with esmtp (Exim 4.33)
    id 1Jq04H-0006Gj-SJ
    for ******@tiger.jet.msk.su; Sun, 27 Apr 2008 10:08:57 +0400
Received: from uucp by mx2.jet.msk.su with spam-scanned (Exim 4.34)
    id 1Jq04G-0007AQ-D0
    for ******@jet.msk.su; Sun, 27 Apr 2008 10:08:57 +0400
Received: from 200-233-173-***.xf-static.ctbcnetsuper.com.br ([200.233.173.**])
    by mx2.jet.msk.su with esmtp (Exim 4.34)
    id 1Jq04F-0007A7-HL
    for ******@jet.msk.su; Sun, 27 Apr 2008 10:08:56 +0400
Message-ID: <000a01c8a82d$05897763$4cd6deb7@lhypwhxx>
From: =?koi8-r?B?4sXT0MzB1M7PIMTM0SDhx8XO09TXIO7FxNfJ1snNz9PUyQ==?= <youremailaccount@emailaccount.com>
To: =?koi8-r?B?99nHz8TOz8Ug0NLFxMzP1sXOycUgxMzRIOHHxc7T1Ncg7sXE18nWyQ==?=
    =?koi8-r?B?zc/T1Mk=?= <*** @jet.msk.su>
Subject: *****SPAM***** =?koi8-r?B?4sXT0MzB1M7PIMTM0SDhx8XO09TXIO7FxNfJ1snNz9PUyQ==?=
Date: Sun, 27 Apr 2008 04:27:19 +0000
In this case the spamming server is 194.87.88.**, which is a server located in Russia.
Our best recommendation is to disable the catch-all email function (anything@yourdomain.com). Once it is disabled you will notice significantly less spam. Because the addresses are forged by automated systems, they usually do not forge known email addresses such as youractualemail@yourdomain.com, although that can sometimes happen as well.
It is also important to note that this does not affect your business negatively in terms of communication with your customers. These spammers send to random email addresses, which would not be your customers. System administrators are also familiar with the “Joe Job” problem and as such they do not blacklist your domain; they only blacklist the originating IP from Russia.
It is possible to help against “Joe Jobs” by having a DNS SPF record. To set up a DNS SPF record, please see this Knowledge Base article.
You can learn more about DNS SPF records here:
http://en.wikipedia.org/wiki/Sender_Policy_Framework
http://www.openspf.org
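As an added illustration (not code from the original article), the Python script below does the two things the text describes: it pulls the originating relay IP out of the Received chain in the bounced copy, rather than trusting the forged Return-Path, and it shows how an SPF record for your domain would classify that IP. The sample bounce, the example.net and example.com.br host names, the 192.0.2.x and 198.51.100.x addresses and the SPF record used in the test are all constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample (not the article's real headers): the "copy of the
# message" part of a bounce, same Received-chain shape as the article's
# example, but with documentation IP ranges and made-up queue ids.
BOUNCED_COPY = """\
Return-path: <youremailaccount@emailaccount.com>
Received: from [192.0.2.20] (helo=mx2.example.net)
 by tiger.example.net with esmtp (Exim 4.33) id 1AbCdE-000001-AA
 for victim@tiger.example.net; Sun, 27 Apr 2008 10:08:57 +0400
Received: from host-44.static.example.com.br ([198.51.100.44])
 by mx2.example.net with esmtp (Exim 4.34) id 1AbCdE-000002-BB
 for victim@example.net; Sun, 27 Apr 2008 10:08:56 +0400
From: Someone <youremailaccount@emailaccount.com>
To: victim@example.net
Subject: *****SPAM*****

(spam body)
"""

def originating_ip(raw_copy):
    """Return the IP of the earliest Received hop (the real injecting host).
    Relays prepend Received headers, so the last one is the first hop;
    the forged Return-Path says nothing about where the spam came from."""
    msg = message_from_string(raw_copy)
    for hop in reversed(msg.get_all("Received") or []):
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop)
        if m:
            return m.group(1)
    return None

def spf_check(record, ip):
    """Minimal SPF evaluation: handles 'ip4:' mechanisms and the final 'all'.
    Assumption: a/mx/include/redirect (which need DNS) are left out."""
    addr = ipaddress.ip_address(ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        qualifier = term[0] if term[0] in results else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            if addr in ipaddress.ip_network(mech[4:], strict=False):
                return results[qualifier]
        elif mech == "all":
            return results[qualifier]
    return "neutral"  # nothing matched: the RFC 7208 default
```

With a record such as "v=spf1 ip4:192.0.2.0/24 -all" published for your domain, a receiving server that checks SPF can reject the forged mail from 198.51.100.44 outright instead of accepting it and bouncing it to you.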