Why is my BRAND NEW domain immediately getting spammed?

Purchasing a domain can sometimes cause you to inherit things, like spam directed at the domain's previous users.

Question:

I just purchased a domain and got it all set up. When I made my email
accounts for it, I instantly started getting spam. This is a brand new domain –
are the spammers in bed with my registrar or is something else going on? How’d
they start spamming me so quickly?

Something else is going on.

While it’s possible that spammers are looking at newly registered domains (I
don’t think that they need any special backdoor access to your registrar for that),
that doesn’t seem like a particularly useful thing for the spammers to be doing.
Newly registered domains aren’t likely to have a lot of email recipients and
they are what the spammers want.

No, I think something significantly more mundane is happening here.

In fact, it’s possible that we might have a hard time calling some of those
emails spam at all.

]]>
<![CDATA[

Everything old is new…

My guess is that while you did just newly register the domain, you might not be the first person to have owned it.

“It’s possible that the domain name you just purchased was once owned by someone else.”

Your domain name – something like “yourveryowndomainname.com” – is kind of like your home, your property, and your house on the internet. People come by for a visit (hopefully), mail gets sent there, and so on.

And like real estate in the real world, property on the internet gets sold, traded, or abandoned all the time.

And someone new moves in.

Perhaps that someone was you.

It’s possible that the domain name that you just purchased was once owned by someone else.

And now, you’re getting their mail.

Email accounts & catch-alls

If there were active email accounts used on your domain by its prior owner and you set up accounts with the same email name, perhaps they had user@yourveryowndomainname.com and you also happened to set up user@yourveryowndomainname.com, you’d now be getting any email that’s still trying to reach the prior owner.

Depending on circumstance, that could be unlikely (you have unique email names that don’t overlap with the prior owner) or very likely (you’ve set up all of the standard domain email addresses, such as webmaster@yourveryowndomainname.com, postmaster@yourveryowndomainname.com, and so on – and so did the prior owner).

Depending on how your domain is hosted, what’s more likely is that there’s a “catch-all” account that’s been set up. A catch-all is an email account that receives all of the email for which there is no configured email address. For example, if you don’t have bogus@yourveryowndomainname.com configured as an email address, and someone sends email to bogus@yourveryowndomainname.com, it gets sent to the catch-all account instead.

And, perhaps, as the domain owner, you’re getting all of the mail caught by that catch-all.

You’ll probably want to look at turning that feature off.

It might or might not be spam

So you purchase your domain name, you set up user@yourveryowndomainname.com as your email address, and you suddenly start getting the weekly pickled herring newsletter for herring lovers.

Herring

Why? Because the previous owner of that domain used user@yourveryowndomainname.com as an email address and they had subscribed to the pickled herring newsletter. They just didn’t bother to unsubscribe when they let the domain go and the pickled herring people either didn’t get any notification that the email address was no longer valid or they ignored it.

Is that spam?

It could go either way, but I’d probably say no. It’s possible that everyone did everything right (except perhaps for the previous owner not unsubscribing, but even there, I can see scenarios where they couldn’t) and that the pickled herring people should not be punished by labeling their email as spam.

It’s possible that you should simply unsubscribe (unless you like pickled herring, that is.)

On the other hand, how do you know that this newsletter is legitimate? For all that you know, the prior owner didn’t subscribe and what you’re getting is spam from the notorious pickled herring cartel.

So, I guess, you could mark it as spam. I’d feel guilty doing that, though, if the mail looked legitimate. Maybe because I have my own newsletter, I’m reluctant to punish newsletter publishers with the Spam button when it’s very possible that they did nothing wrong.

On the other hand, if it’s obviously spam, mark it as such if your email system offers that feature.

What to do?

If you find yourself in this situation, I’d recommend a couple of steps:

Turn off the “catch all” functionality so all email that isn’t sent to an email address that you define is either rejected or simply discarded.
Put another way, configure your mailer to only accept email for email addresses that you’ve defined.
If an email address that you create starts getting the prior owner’s email, either deal with it (unsubscribe, delete, mark as spam, however you choose to proceed), or create a new, different email address and use that instead.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

5 comments on “Why is my BRAND NEW domain immediately getting spammed?”

Ken B

October 26, 2011 at 3:09 pm

I suppose another way to tell is by checking the “to” addresses. (Or, for the more technically-inclined, the SMTP “RCPT TO:” address, given that the actual address may be hidden from a BCC line.)

If all of the unwanted/unexpected e-mails are going to a single address, it may be as you described, just left-overs from a previous owner of the domain.

However, if you get numerous copies, all to different addresses, it’s likely spam.

And, of course, spammers don’t care about any inconveniences they put you through. Nothing stops a spammer from actively seeking new domains, and simply doing the spam equivalent of a dictionary attack.
Reply
Greg Bulmash

October 26, 2011 at 3:28 pm

They don’t have to be in bed with your registrar. The moment you registered the domain, your registrar started broadcasting it’s existence all over the internet. It wasn’t a malicious act, but a necessary one.

Internet addresses are all just numbers, and domain names are just aliases for those numbers. When someone types in http://www.yourveryowndomain.com, their computer sends a request to a DNS server which keeps a record of all those numbers and aliases. It takes in the domain and sends back the corresponding number, so your computer can connect to the site. If your domain name isn’t broadcast, the DNS server can’t tell the requesting computer how to reach your site.

But those DNS servers are not the exclusive domain of major players in the communications industry. Anyone can set one up and get all this information. They could then have a script that runs every few hours and shares all the new domains with various spammers or which spams all the new domain names.

You might also want to run a WHOIS search on your domain. A lot of people provide their home address as the administrative contact address for their domain, and that information is publicly available to anyonw who does a WHOIS search on their domain name.

Actually I don’t beleive the broadcast model is accurate (I thought about that before I wrote the article). In reality only the root DNS servers need to know the authoritative name sever for your domain. If it’s not cached anywhere along the way the first request for “ask-leo.com” will end up at the root “.com” name server, who’ll then point at the specific name server for my domain. Everything that happens after that is caching. So I don’t believe that new domain registrations need be “broadcast” internet-wide in the way that you outline, only the root name servers need be informed. ‘course I could be wrong.

27-Oct-2011

Reply
John

November 1, 2011 at 11:21 am

Well, similarly, I recently set up an ftp site on my own machine using Filezila server and a myname.linkpc.com static ip pointer. I instantly, within an hour or so, started getting people trying to hack in. Where did they get my domain from? These are real people, kids I would guess, because the ftp log shows the usernames and passwords they’re trying and its the work of teenagers not machines – just follow the language of the passwords they are trying! Their ip addresses show they are from Asia. Where did they get my domain name from? So now each day I have to check the logs and ban their ip addresses.
Reply
Narc

November 3, 2011 at 11:14 am

My personal anti-spam solution is to use a catch-all, sign up to *everything* using a different address, and blacklist any To: address that starts getting spam (e.g., I sign up to spammysite.com using spammy@example.org, which later gets spam, and I then alias spammy@ to blackhole@, whose delivery address is /dev/null).

I do not have any other kind of anti-spam measures, but I hardly ever see any — and when I do, it’s very easy to just add that one to the aliases for blackhole.
Reply
Narc

November 3, 2011 at 11:56 am
@Greg Bulmash — Getting data out of DNS involves the following steps:
1. You type “www.example.org” in your address bar and hit Enter. The browser asks your OS’s host resolver, which goes and asks your configured DNS server… and waits for the next steps.
2. Your DNS server asks for “www.example.org” at one of the root servers.
  - These are basically the only completely fixed DNS entries on the Internet, and all DNS servers know them as [a-i].root-servers.net, and they all know what IP addresses these resolve to.
3. The root server in question has very simple mappings — it can translate a TLD (like .org) to a pointer to authoritative DNS servers for that TLD. The server results as of this writing are not easily summarizable.
  - Note that this server and its peers are authoritative only for “.org”, which means they can point you to the next branch of the DNS tree. It doesn’t know anything about anything inside .org — only who to ask further.
4. Your DNS server (from a couple of steps ago) goes and asks one of these newly-found servers about “www.example.org”.
5. The authoritative server for .org returns a pointer to the authoritative servers for “example.org” (the domain!). In this case [a,b].iana-servers.net.
  - Most notably, this server doesn’t know anything about “www.example.org” any more than the root server did — it just knows who you should ask further.
6. Your DNS server finally goes and asks one of those most closely authoritative servers about the A (address) record that matches “www.example.org”, and, finally:
7. The authoritative DNS server for example.org explains that “www.example.org” has an A(ddress) of 192.0.43.10 (as of this writing).
8. Your DNS server returns this information to your OS’s host mapper, who passes it on to your browser, who finally opens a TCP connection to 192.0.43.10 and does magic we won’t go into because it’s outside the scope of DNS itself.
Note that at no point during this long trek down the tree from root-servers.net was there a DNS server in existence with an even semi-complete list of host mappings — and there’s no need for servers to announce any information to each other, either. The information is pulled when someone asks for it, and not pushed around beforehand.

Now, this is the simplest sequence of steps a DNS server can take to acquire an address — it can be more convoluted, with the DNS server potentially having forwarders set up (servers to ask when it doesn’t know the answer, instead of going all the way up to root-servers.net), and there are also zone transfers which can allow a trusted DNS server to copy all the data for a domain (like example.org) from another DNS server, but this is how most queries end up working out.

P.S.: As an extra-special note, look at the sequence of steps taking place and then realize that the normal timeout for a DNS query is around 4 seconds, and that most (even uncached) DNS queries get results in under 1 second. Isn’t DNS amazing?
Reply