Last year I got a curious e-mail buried in the pile of auto-responses that clogged my inbox. Someone using a forged @limpag.com address not only sent spam to scores of poor souls all over the world, he or she also spammed Pulitzer Prize-winning columnist Charles Krauthammer.
That spurred me into action. I use my limpag.com domain for my personal e-mail as well as that of immediate family members.
I initially used Windows Live Custom Domains to manage my limpag.com e-mails. But I, as well as other Limpags, didn’t use it much. For one, it came with the old Hotmail interface and while it promised a 25MB storage for non-US folks, we only got 2MB of inbox storage because you had to undergo a verification process in order to get the full 25MB.
When Google launched its Google Apps for domains, I immediately transferred e-mail service. Google Apps lets you manage your domain’s e-mails through GMail, and with it came excellent spam controls and a 2Gb of storage. It also offers such things as a shared online calendar as well as documents storage.
It was after the transfer that I noticed that spammers were forging e-mail addresses using my domain. My main limpag.com e-mail addresses was getting auto-replies indicating that spam messages, including e-mails with virus attachments, were being sent from @limpag.com addresses.
But it was this auto-reply that spurred me into implementing Sender Policy Framework (SPF) for my domain:
date: Nov 26, 2006 10:04 PM
subject: Re: Re:
Thank you for your e-mail to Charles Krauthammer. You can be assured that your letter will be read. However, we receive hundreds of e-mails every day, and cannot guarantee that you will get a personal response.
If you wish, you can also submit your letter as a letter to the editor. The e-mail address for the Washington Post Letters to the Editor is [email protected]. Alternatively, you can submit a letter to your local newspaper; in most cases, they publish an email or mail address on the opinion page, as well as on their website.
If you need any further assistance, please do not hesitate to contact us.
Thank you very much,
The Washington Post Writers Group
I told myself, what if, by chance, someone who actually knows me gets to receive one of the spam messages. They’ll be ripe for the picking and many would likely click on attachments included in the message because 1.) they’d assume, based on the fact that the e-mail ends with limpag.com, that it’s another of my crazy experiments; 2.) they won’t put selling Viagra and various sexual contraptions beyond me.
I immediately searched for ways to implement SPF or Sender Policy Framework for my domain. With SPF, I can specify which computers are allowed to use the @limpag.com e-mail address as sender address. Google has instructions for Google Apps users here.
I use a shared server with A Small Orange. If you want to use SPF in A Small Orange, you have to send a support request so that its tech staff can include it in your domain records. I was told that an SPF record was already set but I didn’t bother checking it.
I was, thus, surprised when after a few weeks, I still got auto-replies indicating that the forging of @limpag.com addresses continued. Last week, I checked my domain with this tool from Microsoft and sent the result to A Small Orange. It turned out that the text record wasn’t set properly so they fixed it.
I haven’t been receiving auto-replies indicating continued e-mail address forgery since. I’m crossing my fingers that using SPF is sufficient to stop the use of my domain in spam messages. But up to now, I’d still wonder what e-mail was sent to Charles Krauthammer. Was it even grammatically correct?