Blog

How to Deal with 2009 Spammers!

Contrary to what the title says, this is not exactly a how-to article in the strict sense of the term; rather, it is a "how-to" told through an interesting story, one that I hope you will enjoy. And here is the REAL kicker: at the end of this article I will also give you a link to a funny video on spam; while my "story" is funny enough on its own, nothing beats the video. So let's begin, shall we! ;)

Spamming your Paypal address from behind a free Gmail or Yahoo address is passé. New age spammers prefer something smarter: they spam you in a way that makes you appear to be both the spammer and the "spammed". The good news is that such spam emails can be sent only to you; the bad news is that you probably won't be able to stop them unless:

a) You change your Paypal address to a new one (and wait for the whole cycle to begin again)

b) Do what I did (but most probably, you won't be able to implement my techniques unless you have "root access" to your server)

To be honest, this is what I would call "useless spam", where the spammer is just wasting his time, since the method he is using lets him spam ME ONLY and no one else, and I am obviously not his target market!

I discussed this issue with a few of my friends and they confirmed that they too had received such strange emails, where both the "from" and "to" addresses matched their own email address! However, this spam mail is far more "ingenious" than what you might be familiar with!

Early this month I got a spam mail to my Paypal address promoting "Viagra pills". Nothing new about it, except that this time both the sender and recipient addresses were the same, namely my Paypal address, and what was more surprising was the fact that the email was even signed with my server's DomainKey! How did I know? Gmail told me! :D


********************************************
Just FYI, I have all my server mails forwarded to my Gmail addresses, so that I can read and reply to all mails from one central location. A copy is left on my server too, which I download into Outlook later on for reference purposes.
********************************************

Funny that I had enabled DomainKeys and SPF on my server only in February, and I got this spam early in March. One look at the header and you would think that the email was fully legitimate. Gotcha! Was my server hacked? :P

Well, that was the very first thought I had when I received that email. That one spam mail panicked the hell out of me, so to speak! I logged into my domain's Cpanel and saw that everything was fine. There was neither a single trace of unauthorized activity nor any record of logins from foreign IP addresses.

Even the last login was from my IP (and I am the only one using this PC). So this got me very confused. Since I don't know much about reading email headers, I used this tool to determine the source of the email.

All I could make out from it was that the spam originated from a Chinese IP, which then went through my server! That was strange, and I would be lying if I said I wasn't getting even more confused ;) At this point, I did two stupid things (stupid because they helped little and wasted a lot of my valuable time instead):

1. I reported the email to the ISP of the spammer, to the vendor whose product he was promoting as an affiliate, as well as to the registrar of the domain he was using to redirect his affiliate links. None of them replied to my complaint. :(

A little search on Google made me realize that it was "stupid" on my part to forward the spam to those authorities, since they were likely getting tons of such spam complaints already and as such had little time to spare for my case.

2. Contacting my web host didn't help either! Just like me, they too suspected a "hack" attempt on my server (of which they showed no substantial evidence) and asked me to change all passwords, which I did. I thought that step might solve the problem for good, but I was WRONG!

A couple of days later, I got two similar spam emails again, both from Chinese IPs. I guess my reporting to the authorities only confirmed to the spammers that my address existed :( . My last resort was the Cpanel support staff.

The folks at Cpanel, especially Lee, helped me fix this problem. He asked me to enable the following options in the "Exim Configuration Editor", which can be accessed from WHM.

1. Sender Verification Callouts

2. Set the Sender: header when the mail sender changes the sender (-f flag passed to sendmail)

3. RBL: zen.spamhaus.org and rbl.spamcop.net

4. SpamAssassin™: Enabled for all accounts without the option to disable it

My host said that enabling options #1 and #2 may cause problems; however, I am yet to face any. The good thing was that these measures effectively stopped the ludicrous spam to my Paypal address. Or did they really?

Well, not quite! While the Chinese folks were successfully stopped dead in their tracks, it was the turn of a German spammer to take their place. Just a couple of days after enabling the above options in Exim, I got a similar spam mail, this time from someone posing as a 'specialist' in treating health problems (read: sex-related problems).

This spammer was nicer though, in that in the whole email he merely described himself and his qualifications (or lack thereof) in a pompous manner instead of showing those colorful "pills" (you know what I mean, don't you?)! Moreover, since this time the email carried the "***SPAM***" tag in the subject line (thanks to SpamAssassin™), it was easy for me to block such messages permanently using filters!

However, I was determined to put an end to this menace once and for all. How could I even tolerate the idea of being "defeated" by a nondescript spammer! I had to do something to win this challenge! ;)

So I updated the Cpanel support guys on this issue again. Here is what they had to say:

"It does look like the "from:" address was spoofed; the other server (read originating host) does have the e-mail setup on their server, so the sender verification passed. The Domainkey and other such things were also added (easily obtained). However, the one thing that could be enabled to block these e-mails is the option:

"Require incoming SMTP connections to send a HELO that does not match this server's local domains."

With that option enabled, when the server sends a HELO, it must not match any of the local domains; so it prevents the spammer's domain from appearing as your domain when in fact it is not your domain.

Basically, they cannot say: I am domain.com when domain.com is hosted on your server.

To be honest, this is one of the strangest spams I've ever seen. It is utterly useless as all they do is send spam to you; they cannot send spam to another server and appear as you; your server is the only server in the world that will accept these e-mails (as it does not do spf checking on internal domains, to save overhead). So really, I see no reason for them to be doing this, but the above option will stop them from getting through to your server."

So, after enabling that option, I am no longer receiving spam. If the spammers are still sending me spam, they are just wasting their time!

If you ever receive such spam and have "root" access to your server (you need to check this with your host, but as a rule of thumb, "root" access to a server is offered only to customers hosted either on Virtual or Dedicated servers), just log in to your WHM, go to "Exim Configuration Editor":

and enable these five options:

1. Sender Verification Callouts

2. Set the Sender: header when the mail sender changes the sender (-f flag passed to sendmail)

3. RBL: zen.spamhaus.org and rbl.spamcop.net

4. SpamAssassin™: Enabled for all accounts without the option to disable it

5. Require incoming SMTP connections to send a HELO that does not match this server's local domains.

Check the screenshot below for help:

Note: After enabling these options, if you notice any problems sending or receiving emails from/to your server, you may have to disable them. At the end of the day, you would need to choose between spam and server stability, but as I already said, I am yet to notice any problem on my server after enabling those settings!
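As an added example (not code from the original post, and not cPanel's or Exim's own configuration), here is a small Python model of the two things this whole section turns on: the HELO rule the Cpanel engineer describes (option 5 above) and the self-addressed pattern of the spam itself. It does not configure Exim; it reproduces the decision so you can test the rule offline before flipping it on. The domain (example.net), the IP addresses (203.0.113.10, 198.51.100.77) and the sample Received: header are constructed assumptions, not values from the post.

```python
"""
Model of the anti-spoofing policy described in the post: reject outside
hosts that greet with one of our own domains, and explain why a delivered
self-addressed message looked like that spam. Constructed data throughout.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed local domains and server address (constructed; cPanel derives the
# real list from the hosted accounts, here they are hard-coded).
LOCAL_DOMAINS = {"example.net"}
SERVER_ADDRS = {ipaddress.ip_address("203.0.113.10")}


def helo_matches_local_domain(helo_name, local_domains=LOCAL_DOMAINS):
    """True when a HELO/EHLO name is one of our domains or a host under them.

    This is the condition behind option 5 ("Require incoming SMTP connections
    to send a HELO that does not match this server's local domains").
    """
    name = helo_name.strip().lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in local_domains)


def decide_smtp_session(peer_ip, helo_name):
    """Accept or reject a connection at HELO time, as an Exim ACL would.

    Connections from the server itself (webmail, cron jobs, PHP scripts)
    legitimately greet with a local domain, so they are exempt; only outside
    peers are held to the rule. Returns (verdict, reason).
    """
    ip = ipaddress.ip_address(peer_ip)
    if ip.is_loopback or ip in SERVER_ADDRS:
        return "accept", "local submission"
    if helo_matches_local_domain(helo_name):
        return "reject", f"HELO {helo_name} claims a local domain from {peer_ip}"
    return "accept", "HELO ok"


# Matches the "from <helo> ([ip])" clause an MTA writes into Received: headers.
_RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>[^\s(]+)\s*\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def analyze_message(raw):
    """Explain why a delivered message looks like the spam the post describes.

    Walks the Received: chain (the earliest hop is the last header), recovers
    the HELO name and IP of the originating host, and reports whether the
    message is self-addressed and whether that host claimed one of our domains.
    """
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    received = msg.get_all("Received", [])
    origin_helo = origin_ip = None
    if received:
        m = _RECEIVED_FROM.search(received[-1])
        if m:
            origin_helo, origin_ip = m.group("helo"), m.group("ip")
    helo_spoofs_local = bool(origin_helo) and (
        decide_smtp_session(origin_ip, origin_helo)[0] == "reject"
    )
    return {
        "self_addressed": bool(sender) and sender == recipient,
        "origin_helo": origin_helo,
        "origin_ip": origin_ip,
        "helo_spoofs_local": helo_spoofs_local,
    }


# Constructed sample: a self-addressed message whose first hop greeted the
# server as "example.net" from an unrelated address (198.51.100.77).
SPAM_SAMPLE = """\
Received: from example.net ([198.51.100.77]) by mail.example.net
\twith esmtp (Exim 4.69) for <payments@example.net>; Mon, 02 Mar 2009 10:00:00 +0000
From: payments@example.net
To: payments@example.net
Subject: constructed sample

(body omitted)
"""

if __name__ == "__main__":
    print(analyze_message(SPAM_SAMPLE))
    print(decide_smtp_session("198.51.100.77", "example.net"))
```

The exemption for loopback and the server's own address is the caveat behind the stability note above: scripts and webmail on the box greet with a local domain too, and a rule that rejects them would break outbound mail. The RBL and SpamAssassin options are not modelled; they act on reputation and content rather than on the HELO name.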

I hope this method puts an end to this nuisance and gives you and me some peaceful sleep! As of this writing, I haven't received a single such spam again, but I am keeping my fingers crossed and will update you accordingly should I ever receive such stupid stuff again.

Once again, kudos to the Cpanel.net guys for helping me through this stuff. They are a fantastic company when it comes to customer service (an area in which, strangely enough, many big and small companies are lacking). As someone already mentioned on their website, they don't deserve a rating of less than 10! It would have been virtually impossible for me to even track, much less stop, those new-age "2009" spam emails if not for their support!

Now the funny video on spam I was talking about:


http://www.youtube.com/watch?v=zjqZ0aIAgFM

Note to spammers: Please upgrade your spamming strategies. I look forward to more such 'spammy' challenges in my life. After all, what is life without challenges! ;)

As always, your comments are very much welcome and appreciated!