Friday, August 6, 2010

D*@%! Spammers

Some low-down, no-good, dirty, slimy, frickin spammer(s) stole one of my domain names and an associated email address to forge email headers to escape detection and being shut down as they've done to so many other netizens.

As a result, I'm busy with damage control and what can be done to protect my other domain names.

Fortunately, the last few years have seen the acceptance of the Sender Policy Framework (SPF) record to help authenticate legitimate email. Had I known about and used it in time, it might have saved me from jumping through hoops getting up to speed this week trying to protect my domain from being blacklisted.

So far, I've set up and published SPF TXT records for my DNS to authenticate my outgoing email with the help of the SPF Setup Wizard. One thing I don't like about the wizard is that it doesn't give the option of -all which means the email is to be treated as spam if it doesn't match the passing criteria, although changing the softfail ~all to the hardfail -all is easy enough by manually editing it.

For the domain names that I'm not using for email, my SPF record is simply:

v=spf1 -all

because any and all email from those domains should be considered forgeries by spammers. Should I decide to use one for email later, it's easy enough to modify the record and republish it through my DNS.

I'm also transferring my domain name registration to another registrar, that I've been using since 1999, because it offers free privacy protection.

(I'd provide a link, except I can't find one for only domain registrations and the current website is all about packages. Using the same company for both domain name registration and web hosting is a really bad idea because you could lose both in one fell swoop. For an idea of how bad a situation can be, read some of the complaints at NoDaddy.)

Some registrars charge for the privacy service and my former registrar of the forged domain name doesn't offer it at all. I'm sure that's how the spammers got it because the email addy that I've seen in spam had to have been harvested from the public Whois listing since I use it exclusively as my contact email address for domain name registration and web hosting.

Just to make sure, I've also changed my contact email address on my website from a simple disguise that some might now be able to decrypt to an image that can't be read by computers. Visitors won't be able to click a mailto link anymore, but I don't get enough emails through my website to warrant my setting up an email form.

Maybe the slight inconvenience of having to read, manually call up their email client and enter my addy will discourage the weirdoes from emailing me like the guy who complained about my dissing pencils on one of my pen pages. (Please see the last paragraph for what I wrote about using a pencil and remember that I didn't make the rules; I was merely reporting them for my visitors' convenience.)

My next step is to set up a webpage to let any recipients of spam purporting to be from me know that I did NOT have anything to do with it. I've already created the page, but must wait for the registration transfer to be completed before I can set it up with my web host.


Luke 6:28b ...pray for them which despitefully use you.

No comments: