Botnet has harvested users email address

I'm guessing there isn't much I can do about this. One of our users' email addresses has been harvested by a botnet. We're getting a bunch of undeliverable mail messages being sent back to that email address. I've set up some rules to prevent them from showing up in the user's inbox. I'm 100% sure it isn't coming from our office. Someone's PC outside the office somewhere appears to be infected and most likely has that email address in their contacts list. Any options left?
 
It sucks...but things will move on. If you're hosting your own e-mail server, you'll have to be extra prudent about ensuring it's set up correctly, RevDNS/PTR, etc...and keep an eye on blacklists.

Usually when spam/viruses "spoof" an e-mail address, it moves on in due time...claiming a new victim pretty quickly.

Does your company have a website? Any "contact us" links on it? If so, are they encoded? Or just old-fashioned, so that a right click reveals a "mailto:" link on it...which harvesting spiders just love to eat up!
 
We outsource email/web hosting, so no email server in house. All email addresses on our website are encoded using the username%40domain%2ecom format. I had the same thought as you, YeOlde. It started a couple of weeks ago; last week it started to die down to almost nothing. Today it's back to where it started. Lots of rejected messages coming back in today.
 
SPF may help. Unfortunately, having SPF records only helps if the other end checks them, so it's more of a passive solution than an active one. However, if the incoming spam fails the other end's SPF check, it should end the connection or drop the message rather than bouncing it "back" to you later, since it now knows that it's not actually from you.

Technically, most NDRs should happen during the SMTP transaction - the server should not accept the message if it doesn't know whether or not it can deliver it. The server isn't supposed to accept the message, then later look at its list of users and determine the account doesn't exist, and then create an NDR message to the "from" or "reply-to" address. It's supposed to reject the incoming message while it's still talking to the sending mail server (the spammer) rather than bouncing the spam back to you. Unfortunately, many servers do have delayed bounces, because instant rejection reportedly helps spammers prune/validate email addresses.

As I'm sure you're aware, some spammers have even started using this to blast spam from others' servers. They use the intended recipient's address as the sender, and send their spam to a known-bad address. The receiving mail server then "bounces" the spam message back to the "from" address, which is an innocent person who is now getting a spam NDR.

These issues have become a big enough problem that SpamCop now allows the submission of this misdirected junk as spam when they previously did not. See Why are auto-responders (and delayed bounces) bad? too.

While I doubt that those servers bouncing messages "back" to you are actually trying to harm you, you could report them to SpamCop or similar services. They're technically mishandling their own incoming spam, which pushes it onto you. However, that's only stopping the clueless guy in the middle, rather than the actual root source of the spam (and even if you stop one clueless guy, there are a million more out there doing the same thing). You might be able to convince him to submit the original spam message to SpamCop* or similar services, which will help get the source and content blacklisted and/or shut down. That's actually helping to fight the root of the spam problem for everyone, rather than just stopping the annoyances you're ending up with.

*Even if the NDR has the full original spam message attached, you can't submit it yourself. SpamCop's parser relies on sending a test email to you and examining the headers so that it can understand the chain of servers used to deliver mail to your account. If the submitted spam doesn't match up with your receiving system, it can't tell where it was handed off from the bad spammer server to the good receiving server, and thus who to report.
 
Does your hosting provider provide anti-spam services as part of your agreement? If so, tell them to block backscatter spam. It's not too hard to set up a spam filtering solution that blocks NDRs to messages that didn't originate from your system.
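
The "block NDRs to messages that didn't originate from your system" idea above is what Bounce Address Tag Validation (BATV) does, and it also lets the bounce be refused during the SMTP transaction, as the earlier post says it should be. The example below is added here and is not code from this thread or any particular product: it is a simplified form of the `prvs=` tagging scheme (the secret, the `rcpt_decision` helper and the sample addresses are all constructed for illustration).

```python
import hmac
import hashlib
import time
from typing import Optional

# Constructed secret for the example; a real gateway keeps this private and rotates it.
SECRET = b"example-batv-secret-not-for-production"
TAG_LIFETIME_DAYS = 7  # how long a tagged sender address stays valid for bounces


def _sig(local_part: str, day: int) -> str:
    """Short HMAC over the original local part and the day the tag was issued."""
    msg = f"{local_part}:{day}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:6]


def _day(now: Optional[float]) -> int:
    return int((now if now is not None else time.time()) // 86400) % 1000


def tag_sender(address: str, now: Optional[float] = None) -> str:
    """Rewrite an outgoing envelope sender (MAIL FROM) as prvs=DDDSSSSSS=local@domain."""
    local, domain = address.split("@", 1)
    day = _day(now)
    return f"prvs={day:03d}{_sig(local, day)}={local}@{domain}"


def is_legitimate_bounce(rcpt_to: str, now: Optional[float] = None) -> bool:
    """True only if RCPT TO carries a tag we issued that has not expired."""
    local, _domain = rcpt_to.split("@", 1)
    if not local.startswith("prvs="):
        return False  # untagged address: we never sent with it, so this is backscatter
    try:
        _, tag, original_local = local.split("=", 2)
    except ValueError:
        return False
    if len(tag) != 9 or not tag[:3].isdigit():
        return False
    day = int(tag[:3])
    if (_day(now) - day) % 1000 > TAG_LIFETIME_DAYS:
        return False  # tag expired: a replayed or guessed tag
    return hmac.compare_digest(tag[3:], _sig(original_local, day))


def rcpt_decision(mail_from: str, rcpt_to: str, now: Optional[float] = None) -> str:
    """Gateway policy at RCPT TO: null sender means a bounce, so demand a valid tag."""
    if mail_from in ("", "<>") and not is_legitimate_bounce(rcpt_to, now):
        return "550 5.7.1 Bounce for a message that did not originate here (backscatter)"
    return "250 2.1.5 OK"
```

Ordinary inbound mail (non-empty MAIL FROM) is untouched; only null-sender bounces must prove they answer mail the gateway actually sent.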
 