I just purchased a domain and got it all set up. When I made my email
accounts for it, I instantly started getting spam. This is a brand new domain -
are the spammers in bed with my registrar or is something else going on? How'd
they start spamming me so quickly?
Something else is going on.
While it's possible that spammers are looking at newly registered domains (I
don't think that they need any special backdoor access to your registrar for that),
that doesn't seem like a particularly useful thing for the spammers to be doing.
Newly registered domains aren't likely to have a lot of email recipients and
they are what the spammers want.
No, I think something significantly more mundane is happening here.
In fact, it's possible that we might have a hard time calling some of those
emails spam at all.
]]>
Everything old is new...
My guess is that while you did just newly register the domain, you might not be the first person to have owned it.
Your domain name - something like "yourveryowndomainname.com" - is kind of like your home, your property, and your house on the internet. People come by for a visit (hopefully), mail gets sent there, and so on.
And like real estate in the real world, property on the internet gets sold, traded, or abandoned all the time.
And someone new moves in.
Perhaps that someone was you.
It's possible that the domain name that you just purchased was once owned by someone else.
And now, you're getting their mail.
Email accounts & catch-alls
If there were active email accounts used on your domain by its prior owner and you set up accounts with the same email name, perhaps they had user@yourveryowndomainname.com and you also happened to set up user@yourveryowndomainname.com, you'd now be getting any email that's still trying to reach the prior owner.
Depending on circumstance, that could be unlikely (you have unique email names that don't overlap with the prior owner) or very likely (you've set up all of the standard domain email addresses, such as webmaster@yourveryowndomainname.com, postmaster@yourveryowndomainname.com, and so on - and so did the prior owner).
Depending on how your domain is hosted, what's more likely is that there's a "catch-all" account that's been set up. A catch-all is an email account that receives all of the email for which there is no configured email address. For example, if you don't have bogus@yourveryowndomainname.com configured as an email address, and someone sends email to bogus@yourveryowndomainname.com, it gets sent to the catch-all account instead.
And, perhaps, as the domain owner, you're getting all of the mail caught by that catch-all.
You'll probably want to look at turning that feature off.
It might or might not be spam
So you purchase your domain name, you set up user@yourveryowndomainname.com as your email address, and you suddenly start getting the weekly pickled herring newsletter for herring lovers.
Why? Because the previous owner of that domain used user@yourveryowndomainname.com as an email address and they had subscribed to the pickled herring newsletter. They just didn't bother to unsubscribe when they let the domain go and the pickled herring people either didn't get any notification that the email address was no longer valid or they ignored it.
Is that spam?
It could go either way, but I'd probably say no. It's possible that everyone did everything right (except perhaps for the previous owner not unsubscribing, but even there, I can see scenarios where they couldn't) and that the pickled herring people should not be punished by labeling their email as spam.
It's possible that you should simply unsubscribe (unless you like pickled herring, that is.)
On the other hand, how do you know that this newsletter is legitimate? For all that you know, the prior owner didn't subscribe and what you're getting is spam from the notorious pickled herring cartel.
So, I guess, you could mark it as spam. I'd feel guilty doing that, though, if the mail looked legitimate. Maybe because I have my own newsletter, I'm reluctant to punish newsletter publishers with the Spam button when it's very possible that they did nothing wrong.
On the other hand, if it's obviously spam, mark it as such if your email system offers that feature.
What to do?
If you find yourself in this situation, I'd recommend a couple of steps:
-
Turn off the "catch all" functionality so all email that isn't sent to an email address that you define is either rejected or simply discarded.
-
Put another way, configure your mailer to only accept email for email addresses that you've defined.
-
If an email address that you create starts getting the prior owner's email, either deal with it (unsubscribe, delete, mark as spam, however you choose to proceed), or create a new, different email address and use that instead.
I suppose another way to tell is by checking the “to” addresses. (Or, for the more technically-inclined, the SMTP “RCPT TO:” address, given that the actual address may be hidden from a BCC line.)
If all of the unwanted/unexpected e-mails are going to a single address, it may be as you described, just left-overs from a previous owner of the domain.
However, if you get numerous copies, all to different addresses, it’s likely spam.
And, of course, spammers don’t care about any inconveniences they put you through. Nothing stops a spammer from actively seeking new domains, and simply doing the spam equivalent of a dictionary attack.
They don’t have to be in bed with your registrar. The moment you registered the domain, your registrar started broadcasting it’s existence all over the internet. It wasn’t a malicious act, but a necessary one.
Internet addresses are all just numbers, and domain names are just aliases for those numbers. When someone types in http://www.yourveryowndomain.com, their computer sends a request to a DNS server which keeps a record of all those numbers and aliases. It takes in the domain and sends back the corresponding number, so your computer can connect to the site. If your domain name isn’t broadcast, the DNS server can’t tell the requesting computer how to reach your site.
But those DNS servers are not the exclusive domain of major players in the communications industry. Anyone can set one up and get all this information. They could then have a script that runs every few hours and shares all the new domains with various spammers or which spams all the new domain names.
You might also want to run a WHOIS search on your domain. A lot of people provide their home address as the administrative contact address for their domain, and that information is publicly available to anyonw who does a WHOIS search on their domain name.
27-Oct-2011
Well, similarly, I recently set up an ftp site on my own machine using Filezila server and a myname.linkpc.com static ip pointer. I instantly, within an hour or so, started getting people trying to hack in. Where did they get my domain from? These are real people, kids I would guess, because the ftp log shows the usernames and passwords they’re trying and its the work of teenagers not machines – just follow the language of the passwords they are trying! Their ip addresses show they are from Asia. Where did they get my domain name from? So now each day I have to check the logs and ban their ip addresses.
My personal anti-spam solution is to use a catch-all, sign up to *everything* using a different address, and blacklist any To: address that starts getting spam (e.g., I sign up to spammysite.com using spammy@example.org, which later gets spam, and I then alias spammy@ to blackhole@, whose delivery address is /dev/null).
I do not have any other kind of anti-spam measures, but I hardly ever see any — and when I do, it’s very easy to just add that one to the aliases for blackhole.
@Greg Bulmash — Getting data out of DNS involves the following steps:
Note that at no point during this long trek down the tree from root-servers.net was there a DNS server in existence with an even semi-complete list of host mappings — and there’s no need for servers to announce any information to each other, either. The information is pulled when someone asks for it, and not pushed around beforehand.
Now, this is the simplest sequence of steps a DNS server can take to acquire an address — it can be more convoluted, with the DNS server potentially having forwarders set up (servers to ask when it doesn’t know the answer, instead of going all the way up to root-servers.net), and there are also zone transfers which can allow a trusted DNS server to copy all the data for a domain (like example.org) from another DNS server, but this is how most queries end up working out.
P.S.: As an extra-special note, look at the sequence of steps taking place and then realize that the normal timeout for a DNS query is around 4 seconds, and that most (even uncached) DNS queries get results in under 1 second. Isn’t DNS amazing?