The postmaster faq for altavista.com

Suggested text for “THIS DOMAIN IS NOT USED FOR EMAIL” page.

All mail for “altavista.com” and some other domains is being bounced with this message:
554 5.1.2 THIS DOMAIN IS NOT USED FOR EMAIL – ANY MAIL FROM THIS DOMAIN WAS FORGED – questions contact postmaster@av.com

We still get a number of questions. I am thinking of directing users to this info on a page instead of to “postmaster@av.com”.


Q: Why is email to all users at altavista.com (and other domains) bouncing back with a “THIS DOMAIN IS NOT USED FOR EMAIL” message?

A: This domain was used for email a long time ago, but the email services were all shut down in April 2002. If you were expecting to reach a real user at altavista.com, their email address is no longer active, and hasn’t been for 20+ months. We do not have forwarding addresses for any previous users.

We use “av.com” for our employees, and “support.altavista.com” for our customer service mail.

Q: But I just got mail from altavista.com! It says so in the From: address. Surely it must be one of your users?

A: Any email now claiming to be from altavista.com is forged. Unfortunately, we are a frequent target for spammers looking for a fake address. They need the domain part to be real, because most mailers will check to see if the domain is real (that is, the part after the @, like @altavista.com). “altavista.com” is a valid web site, so most mailers assume that it is valid for email too.

“Forged” means that the email address in the From: field is fake. Yes, this is possible because standard mailing protocols were created in earlier, simpler times, and they are trusting and gullible. The From: line is just another part of the message and the spammer can type whatever he wants in that field. In order to figure out where the message came from, you need to analyze the “Received:” lines in the headers, or use a tool that does this for you. We recommend “www.spamcop.net” to analyze spam and report it to the right place.

There are ways that your mail admin (at your ISP or IT department) can detect such forged mail and block it… SPF is one way to do this. Check out the technical details section for info.
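
The Received: analysis described above can be done by hand or in a few lines of code. This is an added example, not part of the original FAQ; the message, host names and addresses are constructed, and `trusted_hosts` stands for the mail servers you run yourself.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample. Only the top Received: line was written by the
# recipient's own server; the one below it may be forged by the sender.
RAW = (
    "Received: from mail.example.net (unknown [192.0.2.55])\n"
    "\tby mx.recipient.example with ESMTP id 4F2A1; Mon, 5 Jan 2004 10:02:11 -0800\n"
    "Received: from altavista.com (mail.altavista.com [198.51.100.7])\n"
    "\tby mail.example.net with SMTP; Mon, 5 Jan 2004 10:01:58 -0800\n"
    'From: "Special Offers" <deals@altavista.com>\n'
    "To: user@recipient.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Matches the common "from HELO (rdns [ip]) by HOST" layout; real-world
# Received: lines vary, so unmatched lines are treated as unverifiable.
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:\S+)?\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)", re.S)


def trace(raw, trusted_hosts):
    """Return what the From: line claims versus what trusted hops recorded."""
    msg = message_from_string(raw)
    received = msg.get_all("Received", [])
    handoff, checked = None, 0
    for value in received:                      # newest hop first
        hop = HOP.search(value)
        if not hop or hop["by"].lower() not in trusted_hosts:
            break                               # written by someone else
        handoff, checked = hop, checked + 1     # deepest trusted hop wins
    return {
        "claimed_domain": parseaddr(msg["From"])[1].rpartition("@")[2],
        "handoff_ip": handoff["ip"] if handoff else None,
        "handoff_helo": handoff["helo"] if handoff else None,
        "unverified_hops": len(received) - checked,
    }


if __name__ == "__main__":
    print(trace(RAW, {"mx.recipient.example"}))
```

The `handoff_ip` is the address to report or block; the From: domain and any hop counted in `unverified_hops` are only claims made by the sender.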

Q: I don’t understand. Why are the messages forged?

A: If the messages are marked as being from (something)@altavista.com, then the return address is forged. The original sender is doing this to hide the real origin, because they are betting that users will complain to the wrong place and fewer complaints will reach the real ISP they are abusing.

Since the messages did not pass through our network, we have no way to assist. Please contact your ISP or your local helpdesk for help in tracing where the message really came from.

Q: What can I do about the spam? I tried clicking on Opt Out or Remove and it doesn’t work.

A: The spammers are using deceitful tactics to hide their tracks. This is abusing our name, abusing your mailbox, and is also probably against the law in the US. If the message is definitely forged, this is a good indication that the email sender is not running a legitimate operation.

This explains why the Opt Out links don’t work – typically spammers just use the Opt Out as a confirmation that you are active and reading the messages and will add you to even more lists. Usually the reply addresses or remove links intentionally don’t work, or if they do, they will often be closed down soon after the spam is sent.

If you want to spend some time and report the spam to the real ISP, you may want to check out www.spamcop.net – it has some excellent resources for analyzing and reporting spam. Most spammers sending out a lot of messages will get reported dozens of times in the first hour, so if you don’t want to take the time to report it, or if it has been more than a few hours, it’s OK to just delete it as well.

Unfortunately, reporting spam will usually not get you off the spammer’s list… about the only thing you can do to stop it is to change your email address. Your ISP should do this free of charge if you explain that you are getting too much spam.

Q: I was trying to email some other domain, not altavista.com. Does the same information apply to other domains?

A: Yes, the same is true for altavista.net and a number of country domains (altavista.de, altavista.co.uk, etc). Those domains are not used for email either, and have not been used for email in 18+ months. There are also other domains (various country-domains like altavista.xx as well as misspellings of our name like altavsita.com) that have never been used for email before.

If you got a bounce message that directed you here, whatever address you were trying to mail is on the same list.

If you are not sure what other domains are on the list, you can email “postmaster” at that domain, and if it is on our “not used for email” list, you will get the message “THIS DOMAIN IS NOT USED FOR EMAIL”.

There is a quicker way to verify this using nslookup; see the technical details section for that info.

Q: I received a bounce message for a message I didn’t send. Someone else forged my address in a spam or a virus. Why are you bouncing the message back to me?

A: The bounce message you received wasn’t created by our server. Check the From: address of the bounce message to confirm this… it will usually be From: Mailer-Daemon@xxx. That is the address of the server which generated the bounce message. See the technical section for more info.

Q: You need to accept mail for postmaster! Internet rules say postmaster has to go to a real person.

A: Since the domain is not used for email, incoming or outgoing, the “postmaster” address is not strictly required. If you were directed to this page by a bounce message, chances are that you are concerned about an email issue and have contacted the wrong person. Start with your own mail admin (at your ISP or IT department) for help.

Technical folks who need to reach us for other matters not related to email may still do so using the contact info listed in Whois. See the technical info section for more details.

Technical section.

Q: I received a bounce message for a message I didn’t send. Someone else forged my address in a spam or a virus. Why are you bouncing the message back to me? (cont’d)

Our servers reject the mail transaction immediately, while the SMTP connection is in progress. This means that in the case of most spam and virus mail, the sending machine just closes the connection and goes on to the next person in the list, and no bounce message is generated. We make every effort to reject the message before it is actually sent, so that bounces to third parties won’t happen. Accepting the message and then bouncing it back to the (presumed) sender later just creates more junk mail, so we don’t do that.

However, some bounces may be created by other servers… this could be either your mail server, or more commonly, a third-party’s mail server which isn’t set up to guard against forged mail. This could be due to a spammer using an “open relay” to send spam. For example, instead of connecting directly to the end user’s mail server (such as ours), the spammer may drop off the mail with some other mail server that is not secured very well, which then has to forward it on. When the relay mail server gets rejected, it tries to bounce it to the presumed sender (possibly you).

In other cases it could be a virus-infected machine at a third party location, which sends the message to its default mail server instead of direct to the destination. In this case the sending machine is implicitly trusted, because it is on the same network, but the outgoing message is not checked to see if it is forged. When the forged message can’t be delivered, it is bounced.

Q: You need to accept mail for postmaster! Internet rules say postmaster has to go to a real person. (cont’d)

According to RFC2821,
Any system that includes an SMTP server supporting mail relaying or delivery MUST support the reserved mailbox “postmaster” … This postmaster address is not strictly necessary if the server always returns 554 …

We believe our reject message is pretty clear that the domain is not used for email and that any original message claiming to be from our domain was forged:
554 5.1.2 THIS DOMAIN IS NOT USED FOR EMAIL – ANY MAIL FROM THIS DOMAIN WAS FORGED – questions contact postmaster@av.com

Because the domain is abused so often, virtually all the mail received by postmaster is spam, misdirected complaints, and misdirected virus warnings. In the 20+ months since we discontinued all email services, thousands of messages continue to pour in, and we do not have the resources to read them all. Virtually none of these messages had to do with our servers. We would rather reject the mail with an informative message than accept it into a black hole never to be read.

Folks who need to reach us for other matters not related to email may still do so using “postmaster@av.com”. The contact info listed in Whois also works for admin and technical contacts.

Q: How can we verify if messages coming from your domain are forged?

A: We use DNS TXT records to communicate to the world that the domain is not used for email. You can check them with the nslookup command.

> nslookup -type=txt altavista.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
altavista.com text = "v=spf1 +exists:CL.%{i}.FR.%{s}.HE.%{h}.null.spf.altavista.com -all"
altavista.com text = "This domain sends no email"
altavista.com text = "Null SPF is for tracking purposes only"
altavista.com text = "All mail claiming to be from altavista.com is forged"

This provides an easy way to check the domain’s status manually.

If you want to automatically block forged email, SPF provides a way to do that, for domains that have chosen to publish SPF info (such as the v=spf1 record above). See http://spf.pobox.com/ for more information about this standard. There are relatively few domains using it now but hopefully it will catch on. SPF is a safe, effective way that domain owners can publish their details, and mail receivers can use the info to check if a message is forged or unauthorized.
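
How a receiving mail server would evaluate the v=spf1 record above, shown as an added example (not code from this FAQ or from any SPF library). It expands the `%{i}`, `%{s}` and `%{h}` macros using the rules later standardized in RFC 7208; the client IP, sender and HELO name are constructed, and `resolves` is a stand-in for a DNS A lookup, assumed here to find nothing because the record describes itself as being for tracking only.

```python
import ipaddress
import re

# SPF record copied from the nslookup output on this page.
RECORD = "v=spf1 +exists:CL.%{i}.FR.%{s}.HE.%{h}.null.spf.altavista.com -all"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def expand(spec, ip, sender, helo, domain):
    """Expand lowercase SPF macros; transformers/delimiters are not handled."""
    addr = ipaddress.ip_address(ip)
    # %{i}: dotted quad for IPv4, dot-separated hex nibbles for IPv6.
    i = str(addr) if addr.version == 4 else ".".join(addr.exploded.replace(":", ""))
    local, _, sender_domain = sender.rpartition("@")
    values = {"i": i, "s": sender, "l": local, "o": sender_domain,
              "d": domain, "h": helo,
              "%": "%", "_": " ", "-": "%20"}   # literals %%, %_ and %-
    return re.sub(r"%(?:\{([islodh])\}|([%_-]))",
                  lambda m: values[m.group(1) or m.group(2)], spec)


def check_host(record, ip, sender, helo, domain, resolves):
    """Evaluate 'exists' and 'all' terms only; return (result, names queried)."""
    queried = []
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none", queried
    for term in terms[1:]:
        result = QUALIFIERS.get(term[0])
        mech = term[1:] if result else term
        result = result or "pass"               # no qualifier means "+"
        if mech == "all":
            return result, queried
        if not mech.startswith("exists:"):
            raise ValueError("mechanism not covered by this example: " + mech)
        name = expand(mech[len("exists:"):], ip, sender, helo, domain)
        queried.append(name)                    # the owner's DNS sees this name
        if resolves(name):                      # any A record means a match
            return result, queried
    return "neutral", queried


def demo():
    # Constructed session. Assumption: the tracking name never resolves.
    return check_host(RECORD, "192.0.2.55", "someone@altavista.com",
                      "mail.example.net", "altavista.com", lambda name: False)


if __name__ == "__main__":
    print(demo())
```

The `exists` lookup does not match, so evaluation falls through to `-all` and the result is `fail`; the queried name carries the connecting IP, the claimed sender and the HELO name to the domain's name servers.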

End of document.
Feedback appreciated: gconnor@av.com, gconnor@nekodojo.org
