After the debacle with my CenturyLink DSL last summer, I had to make a quick decision on alternatives to hosting my own domain, email and web. I ended up being off the network for two weeks when CenturyLink couldn’t figure out how to restore my DSL server when they did an upgrade that I had already cancelled.
Many years ago, I used a domain-hosting service called DomainDiscover that registered my domains and DNS, redirected web requests inside of a frame, and relayed email from a virtual domain to my ISP account. After I started running Apple’s OS X Server, though, I realized that I could provide most of those services myself, on my own home server. My ISP, NeTrack, who was later acquired by Indra’s Net, provided a static IP address, so hosting my own domain was fairly straight-forward.
Once I started running my own services locally, I decided that it wasn’t necessary to be paying DomainDiscover for the other services that I wasn’t using any longer. All I really needed was a domain registrar. Checking on pricing, it seemed that GoDaddy was about the least expensive, and while nobody had a great customer service record, GoDaddy was large and established, so I transferred my domain registrations to them.
So, when my DSL was down for an extended period of time, I did some quick checking, and discovered that GoDaddy had recently started using CPanel virtual Linux hosting, and had hosting plans on sale for half-price, so it was only about $5/month, as I recall. Since my domains were already at GoDaddy, it was easy to setup the hosting account, and I was able to get email service back up in a matter of minutes. Over the next couple of weeks, I was able to create MySQL databases and restore backups from my home server, and migrate all of the content for Drupal, so I had my websites backup in a couple of hours.
Since that time, however, the amount of SPAM that I receive has increased significantly. While cPanel includes SpamAssassin, it allows very little configuration, so its practically useless. What is worse that the SPAM is the backscatter. These are bounced messages from a forged sender that look like came from me, but didn’t. When the SPAM can’t be delivered, it sends the failure notice to the forged sender’s address, which is mine in this case. I’m getting over 500 backscatter daily!
Let me say at this point that if you have looked up my name or email address on the web, because you’re angry that I’m sending you SPAM about something seen on the Oprah show — I’m not the one sending it, I haven’t been hacked or infected with a virus or worm, and it didn’t come from my computer!
My domain, or rather my domain’s email server, is being spoofed by spammers, who are obviously sending huge quantities of SPAM from a variety of different sources, pretending to be my domain.
What does backscatter look like, and how can you tell where it came from?
Let’s take a look at the headers from one of the messages. There different ways to do this in different email applications. In Apple’s Mail, I choose “Message -> Full Headers” from the View menu.
------ This is a copy of the message, including all the headers. ------
Return-path:
Received: from [188.52.86.70] (port=65247 helo=mail.tombaugh.org)
by p3plcpnl0545.prod.phx3.secureserver.net with esmtpa (Exim 4.85)
(envelope-from )
id 1YhKy8-0002yW-SZ; Sun, 12 Apr 2015 09:42:49 -0700
Subject: from: Brandon Tate
From: Brandon Tate
Content-Type: multipart/alternative;
boundary=Apple-Mail-291EBA29-F9D3-9F3D-1ECC-F30B84161BF8
X-Mailer: iPhone Mail (11D257)
Message-Id:
Date: Sat, 12 Apr 2015 05:42:44 +0000
To:
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
--Apple-Mail-291EBA29-F9D3-9F3D-1ECC-F30B84161BF8
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: 7bit
Hi! How are you?
Have you seen this
before?
Oprah had been using it for over a year!
—————–
First, let’s look at the “From:” line
From: Brandon Tate
If a human were to look at this, its apparent that the name and address don’t match. However, many email applications now hide the actual email address, and only show the sender’s name, so many people aren’t even aware that it has been faked.
Now, let’s look at the “Received from” line:
Received: from [188.52.86.70] (port=65247 helo=mail.tombaugh.org)
by p3plcpnl0545.prod.phx3.secureserver.net with esmtpa (Exim 4.85)
This shows the IP address making the connection to the SMTP server. You can find who this address belongs to by doing a “whois” lookup, from a website, the terminal or command prompt, or the Network Utility on a Mac. I did a whois lookup, and see that address is assigned to Saudi Telecom:
Whois has started…
% This is the RIPE Database query service.
% Information related to ‘188.52.0.0 – 188.52.255.255’
% Abuse contact for ‘188.52.0.0 – 188.52.255.255’ is ‘[email protected]’
inetnum: 188.52.0.0 – 188.52.255.255
netname: SAUDINET_DSL_POOL
descr: DSL HOME Subscribers
country: SA
role: Saudi Telecom Co. Registry Admin-C contact
address: STC complex, murslat, Riyadh
address: P.O.Box: 295997
address: Riyadh 11351
address: Saudi Arabia
phone: +966-11-4434970
% This query was served by the RIPE Database Query Service version 1.78 (DB-3)
I live in Colorado, and my domain is hosted by GoDaddy in Phoenix, so this definitely didn’t come from me!
Next, on the same line, see the “HELO=” which shows the name that the sender proclaimed to be — mail.tombaugh.org. If you lookup this host name in DNS, it shows:
dig mail.tombaugh.org all
; > DiG 9.8.3-P1 > mail.tombaugh.org all
;; global options: +cmd
;; Got answer:
;; ->>HEADER ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;mail.tombaugh.org. IN A
;; ANSWER SECTION:
mail.tombaugh.org. 3600 IN CNAME tombaugh.org.
tombaugh.org. 600 IN A 23.229.231.36
;; Query time: 128 msec
;; SERVER: 75.75.75.75#53(75.75.75.75)
;; WHEN: Sun Apr 12 13:29:05 2015
;; MSG SIZE rcvd: 65
;; Got answer:
;; ->>HEADER ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;all. IN A
;; AUTHORITY SECTION:
. 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2015041200 1800 900 604800 86400
;; Query time: 16 msec
;; SERVER: 75.75.75.75#53(75.75.75.75)
;; WHEN: Sun Apr 12 13:29:05 2015
;; MSG SIZE rcvd: 96
The DNS query shows that the IP address for mail.tombaugh.org is 23.229.231.36, not 188.52.86.70. In my opinion, this should cause the email to be blocked immediately! Unfortunately, it was accepted for delivery, but bounced, and sent the failure notice back to my account.
What can be done to prevent SPAM?
Unfortunately, it is obvious that the SMTP server that received the message isn’t validating the reverse DNS lookup from the HELO, and they aren’t checking the SPF record. Who’s email server is that not checking these basic parameters? Lets look back at the received by line:
Received: from [188.52.86.70] (port=65247 helo=mail.tombaugh.org)
by p3plcpnl0545.prod.phx3.secureserver.net with esmtpa (Exim 4.85)
Oh my gosh! That’s one of the servers in the secureserver.net domain operated by my hosting company, GoDaddy! So GoDaddy’s cPanel virtual Linux hosting email servers are not checking that the senders name and address match, nor are they checking their own SPF records in their own DNS for the domains that they host for their customers!
The first line of defense against SPAM is in the SMTP server itself. The SMTP server bundled with CPanel is EXIM. Exim has the helo_verify option which will reject mail if the sender doesn’t open with HELO or EHLO, or if the address verification fails. This is obviously NOT enabled. If it were the SPAM would get refused before it was sent.
The second line of defense is to use a blacklisting service such as SpamHaus to see if the sender has been identified as a spammer. I checked the address 188.52.86.70, and its in the SpamHaus Zen blacklist, and several other services as well. This leads me to believe that GoDaddy isn’t using a blacklist to validate senders, either…
The next check that should be done would be to verify the authenticy of the sender using a certificate, Yahoo’s DomainKeys or DKIM, or Sender Policy Framework. One of GoDaddy’s own Support articles suggests creating SPF records in their DNS, which is ironic since their own servers don’t seem to check SPF records!. This is what an SPF record looks like:
dig mail.tombaugh.org txt
; > DiG 9.8.3-P1 > mail.tombaugh.org txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;mail.tombaugh.org. IN TXT
;; ANSWER SECTION:
mail.tombaugh.org. 3600 IN CNAME tombaugh.org.
tombaugh.org. 3600 IN TXT “v=spf1 a mx ptr include:secureserver.net ~all”
;; Query time: 154 msec
;; SERVER: 75.75.75.75#53(75.75.75.75)
;; WHEN: Sun Apr 12 13:29:32 2015
;; MSG SIZE rcvd: 107
The SPF record is stored as text, and shows the names of the mail servers that are authorized to send for this domain. In this case, its including any mail server run by GoDaddy.
According to GoDaddy, after wasting an hour talking with their technical support, I should change my email account password, and create an “SPF” record in my DNS… The problem is, the mail didn’t come from my account, so changing my password won’t affect anything, and I already have an SPF record!
The technical support people at GoDaddy that I talked with today claim that since this email is being handled by cPanel that they can’t change the settings to enable helo_verify, set a blacklist, or enable checking SPF records, which I think is bullshit! Even if GoDaddy weren’t able to change the configuration for cPanel, they could (and should) relay their inbound email through their own gateway servers which ought to incorporate these kinds of basic filtering mechanisms.
I’m frustrated that not only is GoDaddy not helping to prevent or block SPAM, it appears to me that, in essence, they are enabling the spammers! Any combination of the three simple configurations that I outlined above would prevent this spam from being sent to thousands of recipients, and would eliminate hundreds of backscatter messages per day as well.
The only option that they were able to recommend is to move to a virtual Linux host, instead of cPanel, so that I could do all of the work to setup these things myself. This is what I was expecting to avoid by hosting my domains with a “professional” hosting organization. So, until I decide to host my own server again, I’m going to be deleting ~500 backscatter and a bunch of other SPAM every day…