Is A Catch-All Address Worth The Spam?

wildzeke writes "I plan on switching Internet providers this summer to get a faster speed. Since losing an email account is the biggest pain when switching providers, I decided to pay the extra money to have email for the domain I registered. One of the options provided is to make one of your email accounts a catch-all account. In other words, any email sent to this domain with out a valid user name, will be dumped in the catch-all account. The question I have, is this a good idea or not? On one hand, it may catch important email such as admin, or postmaster or simply mis-typed user name. On the other hand, the catch-all will open the flood gates to spam who will send to [all user names in the world]@domain.com."

It doesn't really happen

[mabinogi]

I've had a catch all address for over 4 years now...and whilst I get a fair amount of spam to that domain (just over 100 messages a day), the majority of those are to one real address I used years ago - and haven't used since. The rest is either to the main address I use, fairly standard guesses "sales@", "info@", "webmaster@", etc...or to one or two addresses that spammers seem to have made up, but have stuck. one of them is a misspelling of my name, another is "tressia" which I have no idea where that came from. But I definitely don't see "all usernames in the world"@mydomain

The problem is these newfangled worms...

[InakaBoyJoe]

I also use the method of giving out lots of different E-mail addresses to track down who sells my info. Those who say, "you can always turn off the catch-all" are missing the point, because those of us using this method don't usually remember all the addresses we've given out, and therefore, using a "whitelist" isn't practical.

Now, this system works great as others have said. You get a few occasional spams to things like webmaster@, sales@, info@, etc. but those can be easily filtered.

The big problem is with annoying worms that generate random E-mail addresses. Of course, all of them get sent to your catch-all account -- in one day I got 150 Zafi.B worm E-mails from somewhere in Mexico. When you get one of these, what do you do? If you don't bounce the message, it's likely that the randomly generated E-mail address will be treated as valid and added to some spammer's database. Sure, you can blacklist each address, but then you're playing catch-up to a random generator algorithm. Not likely to win at that kind of game.

Anybody know a good way to generate bounce messages in this kind of situation? Most mail bouncers assume you have only one address, and they create dangerous bounce messages that carry your *real* (i.e., desired) return address. I need a bounce script that grabs the "Received from... for ____" header and uses that to generate a bounce as if it originated from the randomly generated E-mail address.

Can anybody help?

PLEASE?

Thanks!

Re:No brainer

[amRadioHed]

As mentioned by others, RFC 822 does specify case sensitive addresses. This only makes sense since it is legal (though dumb) to specify two different users on a machine with names only differing by case. Applicable execerpts from the text:

The only syntactic units which requires preservation of case information are: ... - local-part, except "Postmaster"

addr-spec = local-part "@" domain ; global address
local-part = word *("." word) ; uninterpreted case-preserved

Note: The reserved local-part address unit, "Postmaster", is an exception. When the value "Postmaster" is being interpreted, it must be accepted in any mixture of case, including "POSTMASTER", and "postmaster".

Note: This reserved local-part must be matched without sensitivity to alphabetic case, so that "POSTMASTER", "postmaster", and even "poStmASteR" is to be accepted.