Catchall Addresses & Dictionary SPAM Attacks
Catchall (or wildcard) addresses are the addresses that receive all email for a domain, unless there is a specific address better suited to handle the incoming email. You may or may not have one on one of your domains. e.g.
Bloggs.com has two email addresses, “firstname.lastname@example.org” and “@bloggs.com” (the catchall). If a mail comes in addressed to email@example.com, it is delivered to the “firstname.lastname@example.org” mailbox. If a mail comes in addressed to email@example.com, it is delivered to the “@bloggs.com” mailbox.
With the ever increasing level of spam on the Internet, people are being more guarded with their email addresses. It’s therefore more difficult for spammers to obtain valid addresses to send their messages to. Rather than scour the WWW for a limited supply of well protected addresses, they’ve come up with a better idea: Find domains through search engines, and then send thousands of emails to common ‘local parts’ at those domains. (The ‘local part’ is the bit before the @ sign)
For example, they might find the bloggs.com domain through a search engine, or a domain registration tool, and then send to the following email addresses:
firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, etc, etc.
There’s only a small amount of addresses listed here, but depending on the thoroughness of the spammer, there can be upwards of 20,000 variations for a single domain. And, because bloggs.com has a catchall email address – every single message will end up in the one mailbox..
Dictionary SPAM Attacks
This is called a ‘dictionary attack’, and is getting more and more popular with spammers. Quite often, they’ll send these messages out from a huge network of ‘zombie machines’ or ‘bots’, which are virus/adware infected home PCs. Because of this vast distributed network of infected machines sending the mail, there’s no reliable way of blocking the mail.
What’s worse is that some of the dictionary attacks check for ‘successful’ delivery, i.e. if a recipient is not refused at the destination mail server, then the recipient’s address is added to the ‘verified’ list, and possibly sold on to other spammers.
So now, the catchall mailbox at bloggs.com is overwhelmed with 20,000 messages, and because none of the mail was rejected, is on the list of ‘viable targets’ for another attack.
Recently, more and more domains that we host email for have been falling victim to dictionary attacks. A lot of them do not have catchalls, and the spammer’s mail is harmlessly bounced before even being allowed onto our servers, but a few domains have been effectively disabled for many hours, thanks to the catchall accepting the many thousands of email messages. Either the customer’s Exchange/Outlook server falls over under the strain, or the customer has to retrieve all the messages slowly, and then sift through, looking for legitimate mail. This isn’t limited to POP accounts either, as catchall forwards are affected. Both affect the performance of the servers, and impact the quality of service for your domains, and the domains of other customers.
How do I eliminate the SPAM generated from a dictionary attack?
The solution is to remove the catch-alls. We’ve disabled the creation of new catch-all accounts, as we believe that in 99% of cases, there is no need for them to be there. Any existing catchalls on the system have been left untouched, but you are encouraged to phase them out as soon as possible, before your domain finds its way onto a ‘viable target’ list.
Parked Domain Names
Login to your Domain Control Panel to disable the catchall for your domain name.
- Login to https://www.uk-cheapest.co.uk/members
- Select “Email Forwarding” from the Functions list
- Select “Delete” on your [ CATCH-ALL ] alias
- SPAM to your domain will be instantly reduced
Web Hosting Customers
The following documents will show how your catchall should be set
If you have any questions please contact the HelpDesk for support.