EmailDiscussions.com  

Old 29 Apr 2016, 08:30 AM   #16
SonicDecay
Junior Member
 
Join Date: Apr 2016
Posts: 3
I'm also getting a lot of backscatter over the last 24-48 hours. Seems to mainly be sent from Amazon and Gmail servers.

I've changed the TXT records for both my domains from:

v=spf1 include:spf.messagingengine.com ?all

to

v=spf1 include:spf.messagingengine.com -all

Will there be any negative effects from this given that I only use messagingengine SMTP servers?

Walesrob would you be kind enough to post the TXT records you used to set up DMARC?

Last edited by SonicDecay : 29 Apr 2016 at 09:46 AM.
Old 29 Apr 2016, 10:35 PM   #17
ao1
Essential Contributor
 
Join Date: Oct 2003
Posts: 327
Same problem. Getting bounces sent to random addresses at my domain (I do have a catch-all).
Old 29 Apr 2016, 10:55 PM   #18
walesrob
Essential Contributor
 
Join Date: Dec 2006
Location: UK
Posts: 392
Quote:
Originally Posted by SonicDecay View Post
I'm also getting a lot of backscatter over the last 24-48 hours. Seems to mainly be sent from Amazon and Gmail servers.

I've changed the TXT records for both my domains from:

v=spf1 include:spf.messagingengine.com ?all

to

v=spf1 include:spf.messagingengine.com -all

Will there be any negative effects from this given that I only use messagingengine SMTP servers?

Walesrob would you be kind enough to post the TXT records you used to set up DMARC?
I have a very strict DMARC policy for my domains - I've set parameters to reject 100% of any emails not matching SPF and DKIM and to email daily with the results:

_dmarc.<yourdomain.tld>

v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:<emailaddress>; ruf=mailto:<emailaddress>; rf=afrf; pct=100; ri=86400

I used the UnlockTheInbox wizard here to set it up:
https://www.unlocktheinbox.com/dmarcwizard/

Hope this helps.

I also have a catch-all set up, I really should stop doing that, but this is the first time ever I've had so much backscatter, normally I don't get any for months, if not years. The catch-all has never been a problem before, and with any spammed aliases, I simply create a rule to discard.
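An added example (not code posted by anyone in the thread) that works through the SPF and DMARC records quoted above: it reads the result the SPF "all" term gives to unlisted senders, then applies a DMARC record's policy and alignment tags to a message's SPF and DKIM results. The example.com domains, the sample results and the two-label approximation of relaxed alignment are assumptions.

```python
# Added example, not from the thread: domains and auth results are constructed.
STRICT = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:<emailaddress>; "
          "ruf=mailto:<emailaddress>; rf=afrf; pct=100; ri=86400")
MONITOR = "v=DMARC1; p=none; rua=mailto:<emailaddress>"

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_result(record):
    """Result the 'all' mechanism gives a sender no earlier term matched."""
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            return results.get(term[0], "pass")  # bare 'all' means '+all'
    return "neutral"  # no 'all' term: SPF's default result is neutral

def aligned(from_domain, auth_domain, mode):
    """Strict ('s'): exact match. Relaxed: same organizational domain,
    approximated as the last two labels (real code needs the Public Suffix List)."""
    a, b = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return a == b
    return a.split(".")[-2:] == b.split(".")[-2:]

def dmarc_disposition(record, from_domain, spf, dkim):
    """spf and dkim are (result, authenticated_domain) pairs from the receiver.
    Returns 'pass' or the record's p= policy; pct sampling and sp are not modelled."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "none"
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"]

if __name__ == "__main__":
    print(spf_all_result("v=spf1 include:spf.messagingengine.com ?all"))
    print(spf_all_result("v=spf1 include:spf.messagingengine.com -all"))
    # Forged From: SPF passes only for the sender's own envelope domain.
    print(dmarc_disposition(STRICT, "example.com",
                            ("pass", "bulk.example.net"), ("none", "")))
```

With adkim=s and aspf=s, mail authenticated only for a subdomain of the From domain does not align, which is one reason to run p=none and read the rua reports before moving to p=reject.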
Old 30 Apr 2016, 12:35 AM   #19
landale
Senior Member
 
Join Date: Nov 2003
Location: Washington DC
Posts: 142
This has been concerning to me too, also from addresses I don't use. I really think Fastmail needs to look into giving us the option to approve which aliases of our email address we use. I only use maybe 4 or 5 and would rather just list those out than have anyone be able to send from my address like this.
Old 30 Apr 2016, 12:58 AM   #20
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,095
Fastmail has no control over what anyone puts in the From field in an email. In most cases, when forged email addresses in the From field are used, Fastmail will not even be aware that such a message was sent.
Old 30 Apr 2016, 01:02 AM   #21
landale
Senior Member
 
Join Date: Nov 2003
Location: Washington DC
Posts: 142
Quote:
Originally Posted by BritTim View Post
Fastmail has no control over what anyone puts in the From field in an email. In most cases, when forged email addresses in the From field are used, Fastmail will not even be aware that such a message was sent.
Right, but they should be able to control how the alias feature works and allow us to prevent making anything put before our email address automatically a valid address. Fastmail is likely a target for this because literally anything can be put in front of a Fastmail address and boom it's a valid email address. I'd much rather this be something we can control and then manually set which handles are valid.
Old 30 Apr 2016, 01:06 AM   #22
David
Ultimate Contributor
 
Join Date: Dec 2001
Location: Canada.
Posts: 10,355
Quote:
Originally Posted by landale View Post
Right, but they should be able to control how the alias feature works and allow us to prevent making anything put before our email address automatically a valid address. Fastmail is likely a target for this because literally anything can be put in front of a Fastmail address and boom it's a valid email address. I'd much rather this be something we can control and then manually set which handles are valid.
All email clients (that I know of) have a way of doing this as well. I also doubt that spammers use the web interface.
Old 1 May 2016, 10:06 AM   #23
SonicDecay
Junior Member
 
Join Date: Apr 2016
Posts: 3
Quote:
Originally Posted by walesrob View Post
I have a very strict DMARC policy for my domains - I've set parameters to reject 100% of any emails not matching SPF and DKIM and to email daily with the re...
Thanks for that, I got it all set up. Looks like the spoofed emails have slowed to a crawl however.

I've just set mine to monitor for a while first, but SPF and DKIM look to be working as intended.
Old 1 May 2016, 12:17 PM   #24
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
Disabling all subdomain addresses for an alias

Quote:
Originally Posted by landale View Post
Right, but they should be able to control how the alias feature works and allow us to prevent making anything put before our email address automatically a valid address...
I think you must be referring to subdomain addresses. All subdomain addresses for a specific alias can be easily disabled for receiving email at Fastmail as follows:
  • User domain (Enhanced or higher or equivalent Family/Business account): In the Settings>Domains page for the domain, at the bottom of the page for Subdomain select Reject mail to anything@anything.yourdomain.dom.
  • Fastmail domain alias: In the Settings>Rules page create a new rule for each alias for which you wish to disable subdomain operation. The rule for alias alias@fastmail.xxx should be of the form:
    • Any recipient's email ends with @alias.fastmail.xxx
    • Permanently delete the message
    • Click Save at the top
As BritTim pointed out, Fastmail can't prevent anyone from using a From address which you own. But as described above you can prevent email sent to that address (such as backscatter) from arriving at your email account.

Bill
Old 1 May 2016, 12:36 PM   #25
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
Quote:
Originally Posted by CyberDyne View Post
Huge amount of these in the last 48 hours but worryingly, while they were all initially sent from a faked alias of a number of my addresses, some were from aliases I've never even sent email from. I do hope there's not been some sort of breach during which said aliases were harvested.
Remember that the bad guys are controlling powerful servers which can generate a high rate of spam messages to random or dictionary addresses. They can't dwell on domains at the Fastmail service too long with a high attack rate or they will get blocked, so they probably space out their attacks to different destinations. They can use common usernames they know, or try random addresses or add random numbers and/or letters to common words. So they can try bill, bill1, bill2, etc., then billa, billb, billc, billd, etc., then 1bill, 2bill, 3bill, etc. Over a few days they can try thousands of these addresses at a domain, and they can use multiple servers in different countries so they aren't as easily blocked. So it's quite possible to get spam at an email address which has never been used. The spammer just has to know (or guess) the domain, then try a dictionary/random attack.

Most of the addresses they try generate "invalid address" responses from the email server. So they know to not use these, and just keep trying until there isn't a bounce. They can then use that address sporadically (every day or so) to send you spam unending. It's horrible to have powerful attack tools in the hands of such criminals.

Bill
Old 4 May 2016, 06:25 AM   #26
ao1
Essential Contributor
 
Join Date: Oct 2003
Posts: 327
And here we go again...
Old 4 May 2016, 06:41 AM   #27
walesrob
Essential Contributor
 
Join Date: Dec 2006
Location: UK
Posts: 392
Quote:
Originally Posted by ao1 View Post
And here we go again...
Yep me too. So far 54 DSNs today but all went to spam.
Old 4 May 2016, 07:30 AM   #28
SonicDecay
Junior Member
 
Join Date: Apr 2016
Posts: 3
Quote:
Originally Posted by ao1 View Post
And here we go again...
From the language used in the spam ("despite numerous requests for payment") hopefully this is the last of it.

Mine all went through to SPAM as well, wouldn't have been happy if my phone was going off all night again.
Old 4 May 2016, 03:59 PM   #29
ewal
Master of the @
 
Join Date: Apr 2002
Location: West Sussex, UK
Posts: 1,334
On two domains I have been flooded with backscatter over the past week approximately.

So I'm taking some actions by disabling the wildcards on my domains and populating my aliases and address book with actual email addresses I have used. Trouble is it is several hundred which I have to harvest from my folders (mainly inbox and sent items).

Hopefully with this, as well as tightening up my SPF and DMARC settings, this nuisance will reduce. I'm mainly concerned that my domains get blacklisted.
Old 4 May 2016, 07:49 PM   #30
dodorkahedron
Junior Member
 
Join Date: Jun 2013
Posts: 25
Quote:
Originally Posted by ewal View Post
On two domains I have been flooded with backscatter over the past week approximately.

So I'm taking some actions by disabling the wildcards on my domains and populating my aliases and address book with actual email addresses I have used. Trouble is it is several hundred which I have to harvest from my folders (mainly inbox and sent items).

Hopefully with this, as well as tightening up my SPF and DMARC settings, this nuisance will reduce. I'm mainly concerned that my domains get blacklisted.
My situation is very similar. I really hesitate to disable the wildcards; I'd hoped that first wave was going to be the end of it, but there are over a hundred new ones (most of which routed correctly to Spam this time, but not the few which woke me at 3:30am and caused me to check the forum to see if others were similarly affected.)

I will be very disappointed if my main domain becomes blacklisted because of this. I've had it for years and it is paid-up for quite some time into the future. It's been my main online nickname since the 90s! Blasted miscreant spammers.