Spoof Me, To Hell With You

I have reached a point where managing a domain is becoming too arduous—at least from Webhost Yahoo!. There has been a marked increase in comment spam. Worse, yesterday my domain was spoofed by spammers.

Around 3:12 p.m., my inbox started filling up with returned e-mail from my domain name at my domain name. No such e-mail address exists. Someone had spoofed that address off my domain to make it seem like spam messages were coming from me. The returned messages probably represent a fraction of the thousands sent out over the last 24 hours. 

I immediately checked my Yahoo! hosting and determined that no one had directly accessed my account, although they may have accessed the provider’s SMTP servers for the spoofing. I next called Yahoo! technical support. I waited for 10 minutes and ended up speaking to someone on this continent and not from somewhere like India. His suggestion, and it was a bad one: Turn off the catchall mail box so that I would no longer get the hundreds of returned e-mails. I’m not an ostrich. I don’t stick my head in the sand and pretend a problem doesn’t exist. I wanted to stop the e-mail spoofing. He gave me a Yahoo! e-mail address to report the spoofing, which was little better than no help at all.

So, I had to begin the chase on my own, using Apple Mail to examine the raw e-mail headers. All the e-mails appeared to have numerical references off domain thebat.net. The domain is used by RITLabs, which makes e-mail program The Bat!. A notice on the company’s Website claims that RITLabs has nothing in common with ‘thebat’ spam messages. Apparently, that’s not the case. A February security alert warned that The Bat! could be used to “create untrackable message and spoof message origin, including sender’s network”. Apparently, RITLabs hasn’t issued a patch for this flaw, and that’s assuming that it’s not a, uh, intentional feature.

If the spammer used The Bat!, as it would appear, then it wouldn’t necessarily need Yahoo! SMTP server access (I think) and could easily cloak the originating IP address. Or so the situation seemed. But after scouring additional e-mails, I discovered disturbing identification that indicated the messages likely had been sent from mail servers hosted on Yahoo!.
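The header work described above, done by hand in Apple Mail, can be scripted for a whole batch of bounces: the oldest Received header on each returned message names the host that injected it, while the X-Mailer banner and Message-ID domain are what pointed at The Bat! and thebat.net. The following is an added example, not code from the original post; the two messages are constructed, with documentation addresses and `.invalid` hostnames standing in for the real servers.

```python
import re
from collections import Counter
from email import policy
from email.parser import Parser

# Constructed samples: the spoofed originals as they came back to the catch-all box.
SAMPLES = [
"""Received: from mx.example.net (mx.example.net [192.0.2.10])
    by inbound.example.org; Tue, 05 Sep 2006 15:12:01 -0700
Received: from [198.51.100.7] (helo=mail-relay.host.invalid)
    by mx.example.net; Tue, 05 Sep 2006 15:11:58 -0700
From: webmaster@example.org
Message-ID: <1158085.12345@thebat.net>
X-Mailer: The Bat! (v3.5)""",
"""Received: from mx.example.net (mx.example.net [192.0.2.10])
    by inbound.example.org; Tue, 05 Sep 2006 15:40:22 -0700
Received: from [198.51.100.7] (helo=other-name.invalid)
    by mx.example.net; Tue, 05 Sep 2006 15:40:19 -0700
From: webmaster@example.org
Message-ID: <1158087.99@thebat.net>
X-Mailer: The Bat! (v3.5)""",
]

# 'from HOST (comment)' opening a Received clause; the parenthesised comment is optional.
RECEIVED_FROM = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)

def origin_hop(msg):
    """The oldest Received header (last in header order) is the injecting hop."""
    hops = msg.get_all("Received") or []
    if not hops:
        return None
    m = RECEIVED_FROM.search(" ".join(str(hops[-1]).split()))  # unfold, then match
    return (m.group(1), m.group(2) or "") if m else None

def triage(raw):
    """Per-message summary: injecting hop, mailer banner, Message-ID domain."""
    msg = Parser(policy=policy.default).parsestr(raw)
    mid = str(msg.get("Message-ID", ""))
    return {"origin": origin_hop(msg),
            "x_mailer": str(msg.get("X-Mailer", "")),
            "mid_domain": mid.rsplit("@", 1)[-1].rstrip(">") if "@" in mid else ""}

def tally_origins(raws):
    """Count injecting hosts; HELO names vary per message, the connecting address does not."""
    return Counter((triage(r)["origin"] or ("?", ""))[0] for r in raws)

if __name__ == "__main__":
    for host, n in tally_origins(SAMPLES).most_common():
        print(f"{n:4d}  {host}")
```

The connecting address in the oldest hop is what to hand to the host's abuse desk; the HELO name beside it is whatever the sending software chose to announce.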

Further investigation revealed an ongoing spam problem associated with Yahoo! Webhosting and two mail servers uncovered in my e-mails. I started this e-mail by saying that I might have to change Webhosts. I concluded my research while still writing this post. With certainty, I am searching for a new host and will move this blog. It’s my expectation that doing so may disrupt access. One option is to forgo hosting altogether. I haven’t made a decision yet on what I will do.

Photo Credit: Antonio Tajuelo

Editor’s Note: On Sept. 10, 2017, this post was recovered from my Facebook Timeline. Between autumn 2006 and spring 2007, months of content were lost while changing blogging systems and webhosts. Date is authentic but not timestamp. I joined FB on Oct. 1, 2006.