I've been busy the past week scouring my server for any signs of intrusion: new files, altered files, admin rights on users that shouldn't have them, code injection in databases, etc.
The other day I checked my mail and I got some unexpected messages. Sometimes, when you send an email you accidentally type the address wrong. When this happens, you get a bounce notification from the server your email was addressed to informing you that the message was undeliverable. I received over 300 of these! Each stated that the sender was from my server but each used a different name, none of which existed. I immediately changed all my passwords, and contacted my host to let them know what was up. Then I started scouring my sites.
Every 10 minutes or so I would check my email again and there were another 20 or so bounce notifications each time.
Why Is This Bad?
Mail servers on the internet maintain spammer lists and automatically block incoming messages from anyone on those lists. The lists can contain individual email addresses, IP addresses, or they may block entire servers. With the volume and frequency that emails were being sent from my account, I was afraid that servers would start adding my domain to their spammer lists. Once added, I wouldn't be able to email anyone on those servers.
How Did Someone Get Access To My Server?
I have put in place extensive security measures to protect my site. I've started using lengthy passwords consisting of random alphanumeric strings. Various measures guard against brute-force dictionary attacks. I verify that all user inputs are sanitized and all URLs are cleansed before being evaluated. No user has any unnecessary rights and I only use admin accounts when needed, using lesser accounts for day-to-day work.
I was floored by the idea that someone had gotten through my defenses although that was clearly what must have happened.
I Thought It Was Fixed
A few hours after I changed my passwords, the volume started to lessen. After a day, I thought they had stopped. Then a couple of days later, they started right back up. I received over 200 more all at once.
Disgusted, I altered my catch-all email account to trash email to undefined accounts instead of forwarding it to my main account. This kept the bounce notifications from flooding my inbox but at the risk of losing emails that I might want to see.
Web Host Support
Through all this I finally received an email from my host (22 hours after submitting my ticket) saying that the best thing I could do was to change my passwords and upgrade to the newest version of whatever CMS software I may be using. Tech support people like that should have their head on a pike!
I've been with my host, Media Temple, for some time and would like to say that they are a spectacular host. Most of my dealings with tech support have left me amazed that they had such patient and well-informed people working for them. This was just bad luck that I happened to get an apparently new tech that presumably won't be around much longer. I sent a response, that I hope I kept polite, expanding on the problem and asking for assistance.
I received an email promptly from a different tech explaining that my account was probably not hacked after all. Instead, he suspected that I was the victim of email spoofing. I was so busy looking for signs of an intruder that it never occurred to me that someone was simply spoofing the headers of messages that they sent from somewhere else.
Preventing Email Spoofing
The Media Temple tech went on to say that the best way to prevent email spoofing was to set up an SPF record for my domain. When a server receives an email message, it can look up the sender's domain in DNS and check for an SPF record. This record lists the servers authorized to send email on behalf of that domain. If someone spoofs the headers of a message that actually originated elsewhere, the mismatch is detectable: the receiving server knows the message has been forged and does not attempt to deliver it. Furthermore, it knows that the stated domain had nothing to do with the message and does not add that domain to its spammer list.
It is always a good idea to check with your host first before doing something like this!
For Media Temple customers, here is a link that will walk you through setting up an SPF record:
To reiterate… It is always a good idea to check with your host first before doing something like this!
One Last Word About SPF Records
If you do anything unusual with your email from the domain in question, such as sending messages that originate from somewhere other than your host's mail servers, you will need to alter the SPF record to include these other sources. Otherwise, those emails will appear to be forged as well.
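To make the check described above concrete, here is a small SPF evaluator, added as an example for this post and not code from Media Temple or from the original article. It walks an SPF TXT record the way a receiving server would (ip4/ip6 mechanisms, include, and the terminal "all" with its qualifier) and decides whether a given sender IP is authorized for the claimed domain. The domains, IP addresses and TXT records are constructed stand-ins held in a dictionary; a real receiver would query DNS instead. The second domain in the table shows the point about extra senders: a third-party mail source passes only when its range is explicitly included in the record.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (hypothetical domains and
# documentation-range IPs; a real check would query DNS for the TXT record).
FAKE_DNS_TXT = {
    # Host's outbound server plus the shared mail host, nothing else.
    "example.com": "v=spf1 ip4:203.0.113.10 include:mailhost.example.net -all",
    # Same, but this domain also sends from a third-party newsletter service.
    "example.org": ("v=spf1 ip4:203.0.113.10 include:mailhost.example.net "
                    "include:newsletter.example.net -all"),
    "mailhost.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "newsletter.example.net": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the SPF record for domain, or None if it publishes none."""
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return None
    return record


def check_spf(sender_ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate sender_ip against domain's SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4, ip6, include and all are handled; a/mx/ptr/exists are omitted.
    """
    if depth > 10:
        # SPF limits DNS-querying mechanisms to 10 per check; stop here.
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # ipaddress returns False (not an error) on a v4/v6 version mismatch.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # include: matches only if the referenced domain's record passes.
            matched = check_spf(sender_ip, arg, dns, depth + 1) == "pass"

        if matched:
            return QUALIFIER_RESULT[qualifier]
    # Ran off the end of the record without a match: SPF says neutral.
    return "neutral"


def receiver_decision(sender_ip, mail_from):
    """What a receiving server would conclude about one incoming message."""
    domain = mail_from.rsplit("@", 1)[-1]
    result = check_spf(sender_ip, domain)
    if result == "pass":
        return f"{mail_from} from {sender_ip}: authorized, deliver"
    if result == "fail":
        return f"{mail_from} from {sender_ip}: forged, reject; do not blame {domain}"
    return f"{mail_from} from {sender_ip}: SPF {result}, apply local policy"


if __name__ == "__main__":
    # Host's own server: authorized.
    print(receiver_decision("203.0.113.10", "me@example.com"))
    # A spammer elsewhere spoofing the domain: fails the -all rule.
    print(receiver_decision("192.0.2.77", "randomname@example.com"))
    # Newsletter service not listed for example.com: looks forged too.
    print(receiver_decision("192.0.2.5", "news@example.com"))
    # Same service, listed for example.org: passes.
    print(receiver_decision("192.0.2.5", "news@example.org"))
```

The constructed example.com record ends in "-all", so anything not listed is a hard fail, which is exactly why a legitimate third-party sender has to be added before it is used; a "~all" softfail is the gentler setting while you are still discovering where your mail actually comes from.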
Not all hosts check SPF records, so this is not 100% effective yet, but the use of SPF records is increasing and it appears that they will be used almost exclusively in the near future.