Help, my url has been hijacked!

I've spent much of the day deleting undeliverable messages from spam filters all over the world (many in Chinese). Spammers have hijacked my website address and used it as the return path on their e-mails. I'm getting about 10-20 messages a minute at the moment. Fortunately 99% of them are picked up by my own filter, but it's still annoying as occasionally the filter picks up genuine e-mails from clients so I have to skim through them instead of deleting them en masse.

My website hosts say nothing can be done and it is just "my turn" today. Eventually the spammers will stop as they never use the same url for long.

But there must be some way to stop this from happening - short of suspending the url altogether. Does anyone else have any experience of this?

Replies (16)

By Moonbeam
19th Mar 2012 13:30

Could be because some of your software isn't up to date

I think these people hack into sites where the software hasn't been kept up to date. I presume this means that your version of Wordpress may not be up to date.

It would definitely be worth asking the help of an IT expert to sort this out for you.

Thanks (1)
Chris Caspell CTA TEP
By ccaspell
19th Mar 2012 13:40

Hacking or spoofing?

Your website host may be right, but it depends upon whether your mail account has been hacked or simply the spammer is putting your email address as the return address (known as spoofing).

There is very little you can do about spoofing - it is like someone writing your home address on the back of their letter and putting it in the post box. As your hosting provider says, the spammers usually don't use the same address for long.

However, if your site has been compromised the spammer will have access to all your usernames and passwords and perhaps more. For safety I suggest that you change all your login passwords to something difficult to guess (use this site to help you if you wish: http://www.wikihow.com/Create-a-Password-You-Can-Remember).

Compromised sites are usually quickly pounced upon once spamming occurs and if the site is not fixed it could affect the other sites on the host's server, so I doubt that your hosts will ignore any real threat. Ask them if they are certain your email account has not been compromised and change your passwords just to be sure.

Thanks (1)
By neiltonks
19th Mar 2012 15:03

Spoofing!

Agree with the previous comment - almost certainly just spoofing and you can't do anything about that, but it's worth changing passwords just in case.

It happened to me, too, and while it's a nuisance while it lasts, the problem does disappear after a while (a couple of weeks in my case).

Thanks (1)
By User deleted
19th Mar 2012 16:16

Spoofing ....

The really disappointing aspect of spoofing and spam filters on mail programs is that filters seem to take the easy way out by simply returning/bouncing the email back to the spoofed address.

Filters should be perfectly capable of reading the email header and determining the real source of the email; however, they don't seem to bother. Of course once they read the source they can then take the appropriate action against the perpetrator's IP address. This in turn would annoy the spammer's host, who would then take action

(probably wouldn't work with gmail etc. who really don't give a damn).

The result is that these spam filters are actually generating spam themselves when returning spoofed emails to the 'wrong' address.

A few years ago when this happened to one of my domains I challenged the filter organisations and said they themselves would be reported for spam because they knew full well that the email had not come from the spoofed address - therefore it was unsolicited mail from the spam filter organisation.

Thanks (0)
By cfield
19th Mar 2012 16:50

Thanks all

Just as I thought really - nothing much that can be done. Very interesting comment by JC though re the spam filters. You'd think Postmaster and Daemon could tell the difference between spoofing and the real spammers.

Why isn't there concerted action at international level for spam to be traced back to the real culprits who could then be relieved of their ill-gotten gains and made to pay for all the hassle they cause? Spoofing should be made a criminal offence.

Chris

Thanks (0)
Chris Caspell CTA TEP
By ccaspell
19th Mar 2012 17:55

SPF and SenderID

Servers can tell the difference between real and spoofed emails. The way they do it is to look at the header information and validate that (this is the info that you can show in most mail programs but most people turn off).

SenderID is Microsoft's own protocol that validates the email address. While Microsoft is prevalent in the PC market they only have about 15% of the web servers worldwide so the use of SenderID is more limited. The version more widely used is SPF (stands for Sender Policy Framework) which is available (as far as I know) on all web-based email platforms. The problem is getting everyone to adopt it. SenderID implements earlier versions of SPF but users found that it was easy to get around so web-hosts tended not to use it (better to rely upon spam filtering than reject legitimate emails).

Later versions of SPF have been better but since it is an open source project it has been slow to catch on, so until a biggie such as MSoft or Google take it under their wing it is unlikely to really flourish.

When talking to your hosting company you could ask them if their email software validates email before it is returned? This won't help you, but it will help other victims in a similar position to you.

At the end of the day, I feel your pain. Spam is a real curse!

Thanks (1)
By NetAccountant
29th Mar 2012 12:19

SPF / TXT DNS Records

Chris (ccaspell) is correct, SPF (also called TXT) records should reduce this spoofing outbreak significantly.

What your host should do is add one such entry to your domain DNS records which tells every other server, which computer (IP Address / A record) your genuine emails are sent from. If your mail server then checks this on return email, all the spoofed emails should be stopped.

The other thing to consider - apart from the spam you receive - is the impact such an outbreak can have on your company's reputation. For the hundreds of returned emails you receive, I would guess that - at least - the same amount is actually reaching its intended target. Having SPF/TXT records means that these would be stopped as well - and overall your email deliverability rates should be significantly improved (if you send monthly newsletters for example).

Hope this helps.

Leo | Accountant Websmiths

Thanks (1)
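The check a receiving mail server makes against a published SPF record, as an added example that is not from any poster in this thread. It is deliberately narrow: it evaluates only `ip4` mechanisms and `all` (mechanisms such as `include`, `a` and `mx` need DNS lookups), and the record and IP addresses are constructed from documentation ranges.

```javascript
// Minimal SPF evaluation (ip4 + all only). Sample values below are constructed.
const QUALIFIERS = { '+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral' };

// Dotted-quad string -> unsigned 32-bit integer, or null if malformed
function ip4ToInt(ip) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return null;
  const p = ip.split('.').map(Number);
  if (p.some(n => n > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

// True when ip falls inside cidr ("a.b.c.d" or "a.b.c.d/len")
function inCidr(ip, cidr) {
  const [net, lenStr] = cidr.split('/');
  const len = lenStr === undefined ? 32 : Number(lenStr);
  const a = ip4ToInt(ip), b = ip4ToInt(net);
  if (a === null || b === null || !Number.isInteger(len) || len < 0 || len > 32) return false;
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Returns pass | fail | softfail | neutral | none | unsupported
function checkSpf(record, senderIp) {
  const terms = record.trim().split(/\s+/);
  if (terms.shift().toLowerCase() !== 'v=spf1') return 'none'; // not an SPF record
  for (const term of terms) {
    const hasQualifier = QUALIFIERS[term[0]] !== undefined;
    const result = QUALIFIERS[hasQualifier ? term[0] : '+'];   // default qualifier is +
    const mech = (hasQualifier ? term.slice(1) : term).toLowerCase();
    if (mech === 'all') return result;                          // catch-all, normally last
    if (mech.startsWith('ip4:')) {
      if (inCidr(senderIp, mech.slice(4))) return result;       // first match wins
      continue;
    }
    return 'unsupported'; // include/a/mx/redirect etc. are outside this sketch
  }
  return 'neutral'; // nothing matched and the record has no "all"
}

// Constructed record: mail for the domain leaves from one /24 and one single host
const SAMPLE_RECORD = 'v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all';
console.log(checkSpf(SAMPLE_RECORD, '203.0.113.25')); // genuine outbound server
console.log(checkSpf(SAMPLE_RECORD, '192.0.2.99'));   // host not listed by the domain
```

A receiving server that gets `fail` can refuse the message during the SMTP session, so no bounce is ever addressed to the forged return path.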
Replying to Duhamel:
By cfield
29th Mar 2012 12:39

Thanks Leo

Sounds like very good advice. I shall cut and paste it to my webhosts forthwith. I won't hold my breath though as they seem quite fatalistic about this problem. Just grin and bear it seems to be their advice so far!

Never mind hundreds - it's been thousands almost every day for the last week and a half! It stopped for a few days and then started again yesterday, but it seems to come in waves. Nothing today yet though, thankfully. 

Fortunately it doesn't seem to be attacking my address book and most of the victims are from overseas looking at the bounced e-mails, so my reputation is probably still intact.

 

Thanks (0)
By jndavs
29th Mar 2012 13:02

Web site
Does your website have a mailto: link?
- this could be what the spambots have harvested and it may keep on happening unless it is encrypted.

You may want to consult
http://www.spamstop.org/

Spamcop supply some useful tools/services but these may be charged for.

Thanks (1)
By NetAccountant
29th Mar 2012 13:23

Good point

@jndavs - you are quite correct, the email address on the contact page is not obfuscated ([email protected] in plain sight), so email harvesters are probably at the origin of the issue.

@cfield, it may also be worth asking your web designers to use javascript to "hide" your email address.

Thanks (1)
By cfield
29th Mar 2012 14:03

Javascript

Having already been "harvested" is it not too late now to "hide" the url? And can they not see it from the website address anyway?

Thanks (0)
Chris Caspell CTA TEP
By ccaspell
29th Mar 2012 14:41

hiding email addresses

You are right it is too late to stop people who already have the email address, but it is not too late to stop anyone else grabbing it.

Email addresses are generally harvested by computer programs that look for anything that resembles an email address (so the @ symbol and a dot in a group of characters are the usual targets). Typically javascript would send a piece of code to your browser which interprets the code to look like an email address. The computer programs (or bots as they are sometimes called) are not usually all that intelligent and so when they see the code they do not recognise it as an email address and pass by.

You are right that they can see the website address, but these bots are looking specifically for email addresses so they can send spam mail.

Remember that there is rarely a human at the end of the computer when the harvesting is done so you only need to fool the software not a person here.

Personally I am surprised that 10 days on you are still receiving bounced emails. Spoofing attacks are usually quick to arrive and quick to leave. I would still speak to your service provider about SPF as I (and Leo) mentioned above. If it carries on then there is always the drastic action of changing your email address, but that is often more painful than the spamming in the first place.

Thanks (1)
By jndavs
29th Mar 2012 14:41

Too late?
Probably but as others have pointed out, the spammers move on after a while. This will make future occurrences less likely.

Mailto: usually fills in the email address for the sender, so it is trivial to change this, use another mail account and send the old one to /dev/null.

Thanks (1)
By maxmillion
29th Mar 2012 23:52

Considered creating an image for your email address?

Have you considered creating an image for your email address?

I have found this works well and you just need to know how to upload the image on your webpage.

This free site http://www.email2image.com/Convert-Email-to-Image.aspx has helped me create various address images over the past year. I can't say that it has reduced the spam for one of my existing addresses because that address was visible to the world's spammers for some years, but where I implemented a new domain and new email address, it took much longer before I started receiving any.

(Now my main source of spam is when well-meaning friends put all the recipient addresses in the TO field of an email - and then just one of those recipients needs to get hacked, and the spammer simply reads all the email addresses and bombards them all - so ALWAYS send BCC and ALWAYS remove other addresses when forwarding mails onwards)

Another thing worth considering with your domain emails is to only create the specific email addresses you require, rather than using a catchall. Previously I used different addresses when I registered on different sites and forums which was great - but then the spammers started by using any combination of letters and numbers also and it became unfeasible to continue.

-M

Thanks (1)
By RogerNeale
30th Mar 2012 07:52

A Simple check

A very simple check, to see if your email address is likely to be "spammed", is to search for your email address in Google.

Simply put your email address inside quote marks, e.g. "yourname@yourdomain" including the quotes, and hit search.

If you get any results then look at the source of them i.e. the website where the address has been found and you should easily be able to figure out if a particular site is the source of the SPAM.

I do this on a regular basis and found one of the worst culprits was AWeb, this was because I always liked putting my email address at the bottom of postings like this one. I've stopped doing that now :-)

All the other suggestions are very valuable and worthwhile taking on board.

Regards

Roger Neale
Perkeo Computer Systems Ltd
www.perkeo.co.uk

Thanks (1)
By User deleted
30th Mar 2012 08:09

Contact page or Javascript

Nowadays most organisations have a Contact page so that the email address is never available on the site & emails are handled behind the scenes on the server.

Alternatively here is an example of some Javascript to do the job - many other examples are available

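<script type="text/javascript">
  // Assembles the mailto: link from fragments at run time, so the complete
  // address never appears as one string in the page source (no real encryption).
  function encrypt_mail() {
    var cry1, cry2, cry3, cry4, cry5, cry6;
    cry1 = '<a href="mai'; cry1 += 'lto:';               // "mailto:" split in two
    cry2 = 'info'; cry2 += '@'; cry2 += 'mydomain.com';  // address built piece by piece
    cry3 = '">';
    cry5 = '</a>';
    cry6 = '';                                           // optional link text
    if (cry6) cry4 = cry6; else cry4 = cry2;             // default: show the address
    document.write(cry1 + cry2 + cry3 + cry4 + cry5);
  }
  encrypt_mail();
</script>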

However, the question has to be - who wrote your site in the first place and why was it not tackled at that point?

'Locking the stable door .. ' is absolutely no substitute for doing the job properly in the first place

Thanks (1)
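A way to audit your own page for the exposure discussed in this thread (harvesters matching on the @ symbol and a dot, and script-assembled addresses escaping that match), as an added example that is not from any poster. The function names, the pattern and the three sample pages are constructed for illustration; it inspects static page source only and does not execute scripts.

```javascript
// Pattern for anything that "resembles an email address": text, @, dotted domain
const ADDRESS = /[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+/g;

// Undo numeric/hex HTML entities and the named ones relevant to addresses,
// since entity-encoding an address is trivially reversible
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(Number(d)))
    .replace(/&commat;/g, '@')
    .replace(/&period;/g, '.');
}

// Returns the sorted, de-duplicated addresses visible in the raw or
// entity-decoded source of a page
function exposedAddresses(html) {
  const found = new Set();
  for (const text of [html, decodeEntities(html)]) {
    for (const m of text.match(ADDRESS) || []) found.add(m.toLowerCase());
  }
  return [...found].sort();
}

// Constructed sample pages
const plainPage =
  '<p>Contact: <a href="mailto:info@mydomain.example">info@mydomain.example</a></p>';
const entityPage = '<p>Contact: info&#64;mydomain&#46;example</p>';
const scriptPage =
  "<script>var a='info'; a+='@'; a+='mydomain.example'; document.write(a);<\/script>";

console.log(exposedAddresses(plainPage));  // address in plain sight
console.log(exposedAddresses(entityPage)); // still found after entity decoding
console.log(exposedAddresses(scriptPage)); // nothing matches in the static source
```

An empty result means the address is not recoverable by pattern-matching the source; it says nothing about a client that runs the script and reads the rendered page.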