Bounced Email - Dealing w/ the Latest Type of Spam?

heretic108 asks: "For 3 years, I've been running a home office EXIM mailserver to handle mails on my 3 personal domains. All had been fine - I'd fastidiously configured EXIM to guard against relaying, and even now receive a clean bill of health from the various relay-checker sites. Spam levels were moderate, and mostly arrested by SpamAssassin and Thunderbird's inbuilt filters, until today. I got up this morning to find 3500+ e-mails in my inbox. All were bounces - spoofed and genuine, and came from a vast variety of IP addresses (eg lots of AOL users' IPs), which indicates they're being sent largely via compromised windows boxen, as well as from inadequately-configured corporate/ISP mailservers which don't bother to check the purported 'from' addresses against the originating domains. This hurricane continues, with 10-30 new incoming spams every minute! I've re-enabled Active Spam Killer, but this is next to useless, since ASK passes all 'bounce' messages, real or otherwise, to the mbox without challenge. I'm hoping to hear from anyone who can share success stories in dealing with such a menace, without undue complication or loss of legitimate mail. Thanks in advance for all your constructive and positive suggestions." It seems that dealing with regular Spam is almost easy in comparison to dealing with its consequences: bounced emails. Does anyone have suggestions, or filters on how to handle bounced e-mail that has resulted from someone using your e-mail address to spam someone else?

Baysian Spam Filter

[Marxist+Hacker+42]

This is how I do it anyway- there are several out there but I use SpamBayes because I've got my mailserver on a Windows box.

A baysian spam filter can learn to filter ANYTHING!

Re:Baysian Spam Filter

[Guspaz]

He's using Thunderbird's built in spam filter, which is a bayesian filter already.

Re:Baysian Spam Filter

[fm6]

So big deal. Writing an effective content-based spam filter isn't hard. Writing an effective content-based spam filter without false positives is just about impossible. If you don't mind missing some of your email, fine. But most of us don't have that luxury.

Re:Baysian Spam Filter

[Vengie]

Parent post isnt flamebait. It is the very essence of why spam filtering is a sucky solution at best. Even a single false positive is simply unacceptable! (because when you have 4million pieces of spam and 1 false positive, you're never going to notice it when you go into your "spam" folder) and it could be important! Speaking from personal experience. My father emailed me from a new email address -- he scanned my law school acceptance letter and just sent it to me, no subject line. Stupid inbox filtering (work email) thought it was spam....I realize it is anecdotal, but ALL false positives are anecdotal, and these are the exact anecdotal reasons that they arent acceptable.

Re:Baysian Spam Filter

[fm6]

Hey, everybody knows that "Flamebait" is shorthand for "You suck!"

Re:Baysian Spam Filter

[Marxist+Hacker+42]

SpamBayes seems to have accomplished this- but by erring on the other side. I've had NO false positives in the 4 months I've been using it. I get about 5-10 false negatives and 20-30 false "maybes" a day though- but the point is that I haven't seen a bounce message that didn't come from my own mailserver in 2 months now- it ALL gets positively marked as spam.

The problem with err-on-the-side-of-caution bayesian filters is that they take time to tune correctly- but once you get them tuned, they're very effective.

Re:Baysian Spam Filter

[Marxist+Hacker+42]

Absolutely agreed- I use two different spam filtering solutions- one on my aracnet account and one on seeberfamily.org. The one on my aracnet account was set up by the ISP and is a combination of procmail filtering and a more traditional blacklist/whitelist filter, by Symantec. It gets FALSE POSITIVES so often that I can no longer use that account for business (but at least spam never reaches my inbox on it either). I use Spambayes on my seeberfamily.org and informationrus accounts on client side, not server side (server delivers everything, client sorts) and I've yet to see a false positive. False negatives, however, happen quite regularly, especially on badly misspelled 419 scams.

Re:Baysian Spam Filter

[fm6]

I have to admit that the Adaptive Filter in Firefox seems to have similar effectiveness. (Since I don't own my email server, I have to rely on client-side solutions.) I still get nervous about not seeing all my email.

Re:Baysian Spam Filter

people over value their email.

so they didnt get a random forward from their aunt.

most email is useless to begin with.

why do we hold email to a higher standard than the post office.

Re:Baysian Spam Filter

[Marxist+Hacker+42]

The problem comes in on any server-side implementation I'd have to say- because the spam folder, if it exists at all, is on the server rather than in the client program, it's MUCH harder to use a web interface to search through. In addition to that- SpamBayes and apparently Firefox (both are open source, I'll bet they're using the same code for this) err on the side of caution by double-weighting ham and only single-weighting spam (which means, basically, that every time you recover a message from the spam filter, it gets the original spam score removed from any given word, AND it gets 2 points added on the ham side. Where deleting as spam merely gives one point to the spam side score for the same word). Thus the scoring errs towards marking messages as e-mail rather than spam, by default.

Re:Baysian Spam Filter

[Marxist+Hacker+42]

why do we hold email to a higher standard than the post office

You do know, right, that the modern post office is so accurate that bankruptcy courts count putting the bill into a blue box as being equivalent to the debt holder having recieved a payment, right?

Re:Baysian Spam Filter

[Anonymous+Brave+Guy]

Hey, everybody knows that "Flamebait" is shorthand for "You suck!"

Hey, at least it wasn't (-1, Overrated), which is shorthand for "You suck, because." :-)

Re:Baysian Spam Filter

[fm6]

I'm pretty sure "Overrated" is shorthand for, "Oh, shut up!"

Re:Baysian Spam Filter

[Synapsys]

What kind of spam bulk do you get? I doubt you would see a false positive if you are getting 100+ spam emails a day. I own several domains and have a catchall email account for one of those. This is a calculated risk because it is not a TLD, (.id.au) and isn't well known. I just use the built in spam filter in Mail.app (Mac OS X) and I rarely get any spam in my inbox. I do, however have to check my spam box, because the filter is still learning.

Re:Baysian Spam Filter

[Marxist+Hacker+42]

What kind of spam bulk do you get? I doubt you would see a false positive if you are getting 100+ spam emails a day. I own several domains and have a catchall email account for one of those. This is a calculated risk because it is not a TLD, (.id.au) and isn't well known. I just use the built in spam filter in Mail.app (Mac OS X) and I rarely get any spam in my inbox. I do, however have to check my spam box, because the filter is still learning.

I was talking about two different filters- the Symantec filter doesn't learn terribly well, it's not designed to. That's the one I get false positives on (about 500 messages a day). The Spambayes learning filter I get false negatives on, about 30/300 spams a day get through the filter.

Postmaster - /dev/null

[David+Muir+Sharnoff]

I get a lot of bounces from mail I didn't send. Things that come from postmaster or mailer-daemon aren't a big deal: send 'em all to /dev/null with procmail. The larger problem is vacation messages. I haven't figured out any good way to filter them. Ideas?

My SpamAssassin rules do a pretty good job of filterering messages about viruses I didn't send but even then I can't get 'em all. I wish there was standard for email generated in response to other emails.

Re:Postmaster - /dev/null

[AndroidCat]

What about bounces from mail you did send? You'd probably want to know when that ASAP email you sent hit a full mailbox or their server was struck by lightning.

Re:Postmaster - /dev/null

[usrusr]

that's the core of the problem.

if the filtering is done inside the user agent it shouldn't be impossible to whitelist bounces from mail you really sent.

did anybody already implement this?

Re:Postmaster - /dev/null

[DrZaius]

That's only a problem if you're sending from the account that is getting spam. A lot of people have 'catchall' style domains -- messages sent to *@domain funnel to one pop account. This is brutal when dealing with spam -- a lot of spammers run dictionary attacks at domains and this just populates their lists with your addresses.

Probably the only thing you can do is drop the addresses that are getting the bounces. In fact, it's best to configure the mail server to deny those addresses at the SMTP level and not let it re-queue another bounce to the bounce. Well, in this situation anyway.

Re:Postmaster - /dev/null

[macdaddy]

Don't ever, EVER post to the PHP-Install list. That list is all but unusable. I can't recall the last time I saw a legit message on it. It's all spam, infected mail, and vacation messages. I kid you not, I posted on stinkin' little message to the list and received 12 (12!!!!) vacation messages of all kinds. Many weren't even in English. I swear it was a damned joke. I mailing the admins of the list and postmaster@php.net didn't even get a courtesy "who cares" message. A joke indeed.

BTW, ^FROM_DAEMON and ^FROM_MAILER in Procmail can be quite useful for filtering out MTA bounces.

Did you piss anyone off lately?

[HotNeedleOfInquiry]

Getting hit with a "joe job" is sometimes used as an act of revenge for a protest or flamewar. Best to keep your home email address out of the limelight for that reason.

Re:Did you piss anyone off lately?

[nocomment]

mod parent up, that's exactly what happened to him. Just be patient the wave will subside in about a week. Most mail servers are set to bounce mail after 7 days for domains that don't exist. IT will slow down some over the next days with the last bounce happening in a few days.

I too was joe-jobbed once and it is not pleasant.

Re:Did you piss anyone off lately?

[noahm]

mod parent up, that's exactly what happened to him. Just be patient the wave will subside in about a week. Most mail servers are set to bounce mail after 7 days for domains that don't exist. IT will slow down some over the next days with the last bounce happening in a few days.

Sadly, it may not subside so quickly. A couple of years ago I was really strict about reporting open relays and proxies and other spam-resenders to the ISPs responsible for the netblock on which they reside. Unfortunately, I think I sent a report to the abuse contact for some netblock that was actually controlled directly by spammers, or something like that. Ever since then, I've been under an almost constant joe-job. I don't have my mailer configured to copy postmaster on every bounce, but I see all sorts of bounce delivery attempts every day to accounts that have never existed.

All I can think of is that it's an ongoing attempt to discredit my domain. I'm sure they're not targetting me specifically at this point, but have simply added my domain to a list of domains from which they send their forged mail.

noah

Re:Did you piss anyone off lately?

[artifex2004]

This is exactly what's happened to me, also. At the one domain I used to report everything through Spamcop, uce@ftc.gov, etc., I now get a lot of these bouncebacks. I've got the same domain under other TLDs and I get no bouncebacks of forged messages. SPF still seems to be uncommon enough that this hasn't slowed after setting up the text record, either. Interestingly, though, unlike the late 90s, I *never* get email from people who think my domain sent them the spam - people are at least learning not to believe the from: line, or more likely have just stopped bothering to complain and just delete everything.

Re:Did you piss anyone off lately?

[John+Hasler]

It probably isn't revenge. Most mail servers reject messages from non-existent domains so the spammers forge a real one. They just happen to have chosen yours. They've also chosen mine. I send all bounces not addressed to a real user to /dev/null. I have Gnus sort the rest into my "bounces" folder, but there are so many now that I just delete them unread. Until something effective is done about forgery it would be better for admins to stop sending bounces at all.

Widespread adoption of SPF would solve this part of the spam problem.

Re:Did you piss anyone off lately?

[jafuser]

This started happening to me about two months ago as well. It hasn't stopped, and I can't find any fool-proof way of handling all the thousands of "Undeliverable", "User does not exist" and vacation email responses that come back.

I sent a few messages to administrative contacts, but nothing has happened -- and I don't expect anything to, since they are located in China.

Their website is such a con too, with friendly warm graphics to make them look professional. They mention secure and reliable transaction, but they don't even use SSL, or provide any contact information except a form-to-mail (which is probably what their order form does as well).

Anyone know of a tool to poison a form-to-mail gateway with enough well constructed bogus data they will have to wade through tons of crap to get their legitimiate orders? =)

Re:Did you piss anyone off lately?

[stephenbooth]

Same is happening to me and has been for the last 2 years, about 10,000 bounce messages a day right now, they are arriving literally faster than I can download them. Fortunately I nolonger use that account for email (just webspace and backup dialup incase my main ISP has problems) so at least I'm not losing legitimate mail. I'm thinking of asking the ISP to just redirect all mail to my domain into /dev/null.

Before this started I used that address for complaining about spam so I can only assume that somewhere along the line some spammer got hold of it and decided to use it as their spoof address.

Stephen

I had this problem once

[waynegoode]

I had this problem a few years ago. I received up to 20 messages (bounces, out-of-office, mailbox full, authentication request, etc.) a minute at the peak. In total I received about 100,000 messages over a few weeks before it stopped.

I called the company spamming and they "took a message". However, I was able to filter them because they were coming to a few specific random accounts, such as vxxylj@sample-domain.com and rtyylhi@sample-domain.com for example.

I could not find any other way to filter them because it seems that there are several dozen formats for bounces. That made me wish there was a standard format for bounces, or at least a standard subject line or sender address.

newly obligatory twisted Dave Barry quote

[Naikrovek]

quoted from http://www.miami.com/mld/miamiherald/living/column ists/dave_barry/6649728.htm?1c
and twisted to change the subject to spam.

===

People do not like spam.

And how has the spam industry responded to this tidal wave of public hostility? It has issued this statement: "Gosh, if these people really don't want us to email them, then there's no point in our emailing them! We'd only be making them hate us more, and that's just plain stupid! We'll try to come up with a less offensive way to do business."

No, wait, that's what the spammers would say in Bizarro World, where everything is backward, and Superman is bad, and spammers contain human DNA. Here on Earth, the spammers are claiming they have a constitutional right to email people who do not want to be emailed. They base this claim on Article VX, Section iii, row 5, seat 2, of the U.S. Constitution, which states: "If anybody ever invents the Internet, Congress shall pass no law prohibiting salespeople from using it to completely fill your inbox."

Re:newly obligatory twisted Dave Barry quote

Yes and pirates claim they have the right to pirate anything they want. Pirate motto: What isn't bolted down is mine.

Re:newly obligatory twisted Dave Barry quote

Actually as long as I can remove it with a hack saw it's mine.

Related topic... URL blacklist attack spam.

[Rahga]

For the last few months, using surbl (dot org) as to detect spamvertised URLs worked nicely, but this Christmas weekend, the company I work for got a ton of e-mails crammed with URLs with good websites. I'll have to check out spamassissin 3 to see if it gets around any of these problems, but it looks like this tactic kept my dns and spamassassin daemon busy enough to start letting e-mails through without getting scanned.

Just a heads up... It's the next phase in the arms race for me, and I'm not seeing this bounced traffic problem like the poster is.

Bounces are a problem

[AndroidCat]

Back in the old days, a bounce email to the "sender" of the email was the proper way to do things. Now, a straight 5xx rejection response should be given as much as possible.

Re:Bounces are a problem

[menscher]

Nothing has changed... a 5xx rejection is given if the receiving machine can make the decision. The problem is there are frequently mail relays before the final destination, and they might not know whether they can reject. Making the decision as far upstream as possible is the only answer.

Re:Bounces are a problem

[AndroidCat]

Large networks where the border mail relays don't know if an inside mailbox exists or not are a problem, true. I was thinking more of late spam and virus filters that generate idiot bounces. (Most virus scanner bounces are just disguised advertising or spam themselves.) At that point tag it, bag it in a spam folder, or even /dev/null it, but don't bounce it.

And if I ever get something from someone's lame challenge/response system, I will respond to it so that the spammer's next load goes through to the other end. :)

Re:Bounces are a problem

For some systems, all the challege/response does is get an email sent to the owner to request a whitelist entry. Responding to the challenge doesn't automatically open the floodgates.

Publish SPF Records

[bill_mcgonigle]

This isn't magic, but if everybody publishes SPF Records for their domains and checks them (SpamAssassin 3) joe jobs become much, much harder.

So do the right thing and publish them. 5 minutes a domain tops if you're familiar with DNS.

Re:Publish SPF Records

[drinkypoo]

Or impossible, if you don't want to pay for dns and your provider doesn't support txt records. I can't run DNS on MY system because my IP is dynamic...

Re:Publish SPF Records

So you need to either request your provider to provide txt records or change to a provider which does.

Re:Publish SPF Records

[liqnitro]

The solution is to to use a dynamic dns service like www.dyndns.org. Purchase the custom dns service and you will be able to control everything with your domain.

Re:Publish SPF Records

[V.+Mole]

You are looking for www.zoneedit.com

Supports all record types, dynamic updates, and it's free for first 5 domains.

But you don't want to run a mailserver on a dynamic DNS machine anyway. When the IP changes, some of your mail will be delivered to some other machine until all the DNS caches expire. If you're lucky, than other machine won't be running a server, and it will just bounce. If you're unlucky, the other machine will reject the mail, and you'll never see it.

Re:Publish SPF Records

[drinkypoo]

Thanks for the heads up on zoneedit, for which I have just signed up. I do have a secondary MX.

Re:Publish SPF Records

[Ash-Fox]

try http://www.xname.org/ too :)

Re:Publish SPF Records

[V.+Mole]

A secondary MX won't help for the case where the machine that gets your old dynamic address happens to be running a mail server. Depending on how unlucky you are, the message will be rejected (because the address isn't valid on that machine), or worse, accepted. In either case, the secondary MX will never see it. Admittedly, this is unlikely, but it *could* happen.

How to fix (Postfix)

[fsck!]

Can't say how to do this with exim because I've been using Postfix for as long as I can remember. Here's how I get around this:

show_user_unknown_table_name = no

smtpd_helo_required = yes

smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unlisted_recipient,
reject_unauth_destination,
reject_unknown_sender_domain,
reject_rbl_client relays.ordb.org,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client list.dsbl.org,
check_policy_service inet:127.0.0.1:60000,
permit

smtpd_data_restrictions = reject_unauth_pipelining permit

content_filter = lmtp-amavis:[127.0.0.1]:10024

This enables greylisting, antivirus via amavis, rejecting unknown users at the SMTP stage, and I also publish SPF records. These together mean I see about 6 junk messages a month to my account. There are about 100 mailboxes on this server, and I they all report about the same level of noise.

Re:How to fix (Postfix)

[Elwood+P+Dowd]

This enables greylisting

...

I see about 6 junk messages a month to my account.

And you see about 0 messages from Lotus Notes users. I think we'll roll out greylisting at our company later.

Re:How to fix (Postfix)

[Matt+Perry]

Maybe you should roll out a new MTA first. Treating temporary failure codes as permanent failures means your current MTA is broken.

Re:How to fix (Postfix)

[drinkypoo]

The sad part is that all he has to do is install a relay host to handle the outgoing mail delivery... He doesn't have to change MTAs (however broken his might be, and if it's notes, it's pretty broken) but just add one, and it doesn't even have to receive mail - though if he's smart he'll use it for filtering the most obviously bogus messages, like those with very high spam scores or those with viruses in them.

Re:How to fix (Postfix)

[Elwood+P+Dowd]

That's not what I mean. Our MTA is fine. If we would like to receive mail from Lotus Notes users, though, we can't use greylisting.

Re:How to fix (Postfix)

[fsck!]

Very rarely, I do hear about messages strangely not arriving. I'm lucky in that I have a small enough user base (and loyal enough clients) that I can investigate these. All greylist daemons come with whitelist support.

Bounce Keys

Basically, you add an encrypted header to all outgoing emails which says "Yes, this email came from this server." Then, when you receive a bounce message, you check for the key. If it has it, it gets through, and if it doesn't, it gets rejected.

Here's the Exim howto http://psg.com/~brian/software/authbounce/configur e-authbounce.txt

Re:Bounce Keys

[drinkypoo]

That sounds ideal. Anyone know how to implement this for qmail? I could hack it up myself, maybe, but I'd rather not as I prefer not to break my MTA.

Re:Bounce Keys

Yeah, download exim :)
It's amazing what you can do with exim from the configure config file...

Re:Bounce Keys

[HeelToe]

If you find out, can you share? I'm interested in it as well.

I don't see a lot of true joe-jobs, but my domain is named such that many people put addresses @mydomain in email boxes they want to fill with some bogus data.

Re:Bounce Keys

Kudos, this is the ONLY answer in this discussion that makes sense...

Procmail recipe

[Matt+Perry]

This procmail recipe will at least get them out of your inbox. I got this from someone here on slashdot and I forgot to write down who it was from. Thanks anonymous slashdot procmail guru.

# This recipe catches most DSNs
:0HB
* -1^0
* 1^0 ^FROM_MAILER
* 1^0 ^Status: 4.2.0
* 1^0 ^Status: 4.4.1
* 1^0 ^Status: 4.4.2
* 1^0 ^Status: 4.4.6
* 1^0 ^Status: 4.4.7
* 1^0 ^Status: 5.0.0
* 1^0 ^Status: 5.1.1
* 1^0 ^Status: 5.1.2
* 1^0 ^Status: 5.1.6
* 1^0 ^Status: 5.2.1
* 1^0 ^Status: 5.2.2
* 1^0 ^Status: 5.2.3
* 1^0 ^Status: 5.3.5
* 1^0 ^Status: 5.4.7
* 1^0 ^Status: 5.5.0
* 1^0 ^Status: 5.7.1
* 1^0 ^554 5.0.0 Service unavailable .*
* 1^0 ^Remote host said: 550.*User unknown
* 1^0 ^Remote host said: 554.*doesn't have a yahoo.com account.*
* 1^0 ^User.*not listed in public Name & Address Book
* 1^0 ^Sorry, no mailbox here by that name.
* 1^0 ^<.*>: Unkown user:
* 1^0 ^User mailbox exceeds allowed size:
* 1^0 ^.*No matches to nameserver query
* 1^0 ^A message that you sent could not be delivered
* 1^0 ^.*550 unknown user
* 1^0 ^This is a permanent error; I've given up.
* 1^0 ^The user(s) account is temporarily over quota.
* 1^0 ^Receiver not found:.*
* 1^0 ^Requested action not taken: mailbox unavailable.
* 1^0 ^--AOL Postmaster
* 1^0 ^I'm sorry to have to inform you that the message returned
* 1^0 ^550 5.1.1 <.*>... User unknown
* 1^0 ^550 <.*>\.\.\. User unknown
* 1^0 ^Subject:.*failure notice
* 1^0 ^did not reach the following recipient\(s\):
* 1^0 ^The following recipient(s) could not be reached:
* 1^0 ^.*550 Mailbox quota exceeded
* 1^0 ^.*550 Access Denied
* 1^0 ^550 5.0.0.*Can't create output
* 1^0 ^.*There is no such addressee as
* 1^0 ^Mail Delivery Failed... User unknown
daemon-msgs

Re:Procmail recipe

[drinkypoo]

So, I take it you don't want to know about legitimate bounces, so you can just believe that your mail always succeeds?

Re:Procmail recipe

[jim3e8]

This recipe is less comprehensive but works for me. It puts messages from mailer daemons (and the like) not specifically addressed to me into the spam-mailer mailbox. If my real address is forged, the bounce will unfortunately get through, but nearly always the forged address is just random_chars@mydomain.org. As a bonus, legitimate bounces are passed through. YMMV.

:0
* ^FROM_MAILER
* !^TO(jim@|root@|postmaster@)
* !^X-Cron-Env:
spam-mailer

Re:Procmail recipe

[Matt+Perry]

So, I take it you don't want to know about legitimate bounces, so you can just believe that your mail always succeeds?

Sure I want to know; I just don't want those notices mixed into my inbox. The recipe only puts the DSNs into a separate folder so that they aren't mixed up with other mail. If you're getting hammered with 3000+ DSNs per day in your inbox like the article submitter is, then it'd help to filter them somewhere else so that you can deal with other mail that isn't from mailer daemons.

Re:Procmail recipe

[DrEasy]

You'll probably also need to filter bounce messages in other languages. I used to get them in Spanish and French also! I'd post my procmail file if I had it handy...

Re:Procmail recipe

[Matt+Perry]

That's a great idea. I'll add those as I get them.

You're already using Thunderbird's filters.

[Guspaz]

The post already says that you're using Thunderbird's built in bayesian filtering. So what's the problem here? Thunderbird should be (If you train it properly) filtering out all those nasty bounce emails into your spam folder.

So, then, what's the problem?

Spammers reading the RFCs, and 5xx countermeasures

[powdered+toast+dude]

What troubles me lately is that some of the spammers are starting to wise up to certain loopholes in the RFCs. Namely, that mail with an envelope sender of <> or a recipient of postmaster@example.com must be accepted. I've begun receiving spams of this nature in increasing quantities, and without effective countermeasures, they get right through -- because the RFCs say they should.

The solution I'm currently experimenting with is to use simscan with qmail to pipe the mail through spamassassin before indicating final acceptance to the remote MTA. Even if it's sent by <> or sent to postmaster, SA3's scoring rules identify it remarkably well and the sending MTA gets a 5xx and it's game over. As another poster mentioned, 5xx errors are a great way to reduce bounce spam. Plus, legitimate senders who get false positives will know something went wrong, instead of their email going into the black hole of a spam folder.

$0.02,
ptd

Re:Spammers reading the RFCs, and 5xx countermeasu

I allow abuse and postmaster through for any of my domains, but spammers should be aware they will be reported to the ISPs through spamcop if they use them. If they want to spam the admin on purpose, they're just asking for trouble.

Re:Spammers reading the RFCs, and 5xx countermeasu

RFCs are NOT LAWS

you are perfectly free to violate them

Backscatter

[bob@dB.org]

Spam lingo for this phenomenon is "backscatter" or "outscatter" (I prefer the last one, as the bounces are not actually sent "back", but to an innocent third party). Spam Links as a link collection to get you up to date at:

http://spamlinks.net/filter-bounce.htm

A nice solution is Bounce Address Tag Validation (BATV), described at:

http://www.ietf.org/internet-drafts/draft-levine-m ass-batv-00.txt

Abstract:

The envelope of Internet mail contains an RFC2821.MailFrom command, which may supply an address to be used as the recipient of transmission and delivery notices about the original message. Existing Internet mail permits unauthorized use of addresses in the MailFrom command, causing notices to be sent to unwitting and unwilling recipients. Bounce Address Tag Validation (BATV) defines an extensible mechanism for validating the MailFrom address. It also defines an initial use of that mechanism which requires no administrative overhead and no global implementation.

Re:Backscatter

[marcsherman]

Has this been implemented in any of the major MTAs? I just got a legitimate bounce for the first time in a fair while, and it was also only the second false positive I've _ever_ gotten with my spam filters. So a way to configure my MTA to reliably recognize real bounces from my messages would be quite nice, I think.

blame the feds

The feds won't prosecute spammers when they break the law. Forging headers is a violation of law, but since the authorities bury their heads in the sand on issues like this, there's really nothing you can do but deal with the flood. I've had it happen many, many times.

What I recommend is that you file a case with the local FBI. At least go on file. If they get enough complaints, maybe some day they'll do something about the digital criminals that operate without any fear of justice being served.

Re:blame the feds

[zerkon]

start by forwarding all that spam to the fbi...

because they are still being flooded out?

[johnpaul191]

even if you filter it to trash, you still have to deal with the volume of mail.

i actually just lost my email on my hosting (shared hosting) because i was GETTING too much email. they claimed my incoming mail was flooding out their servers.

this story submitter said they host their mail server so it's an inhouse hog of bandwith.

Re:because they are still being flooded out?

[Guspaz]

The volume is irrelevant. No matter where or how you deal with this, be it client side or server side, the server IS going to get a huge volume of mail. Even if you manage to blacklist it on the server it's still going to have to deal with each and every message.

Besides, a hundred thousand messages is still only about a hundred megabytes worth of messages, or two hundred megs, which is a drop in the bucket on a real server (Or even a budget one http://servermatrix.com). Heck, the "flood" wouldn't even stress the mail server I used to host on my DSL connection.

Re:because they are still being flooded out?

[Da+Web+Guru]

Besides, a hundred thousand messages is still only about a hundred megabytes worth of messages, or two hundred megs, which is a drop in the bucket on a real server

You must have missed the part where the parent poster said "shared hosting". Many shared hosting providers don't like for you to keep *any* mail on their mail servers. They want you to download it as often as possible. And to make sure you do that, you sometimes only get around a 50MB (or less) quota. If he had the time, patience, and skill to run his own server, then there would be no issues with disk space.

Re:because they are still being flooded out?

[johnpaul191]

well my case with my shared hosting company was weird. i was WAY under disk space, i have an app running to connect POP3 and get mail every hour and it leaves it on the server for one day then is removed. the repointed my mail's MX entry to disable:disable or something. i guess thinking it would deflect my spam? my account is for 10 gigs of bandwith and 1 gig of disk storage.

if the orig poster was running an old linux box as a mail server on a home network it might just get really annoying to deal with all that mess? as long as it is making it into the house it will have to be dealt with. bouncing it will just more than double the traffic because bouncing back bouncebacks will just bounce back again and go on forever till your wires melt. or maybe not.

Re:because they are still being flooded out?

[Guspaz]

On a home network it's no problem.

If it's being filtered client-side, it's not so bad.

Mail is delivered to your server, assuming 20 emails per minute (That's about two hundred thousand mails a week), consuming roughly half a kilobyte per second of downstream. You could run your mail server on DIALUP and that would STILL be a small amount. These are bounce mails, they're all text and probably only about 2KB (I'm guessing, but they can't be that big)

And say you cleared out your local mail server to your client (downloaded your mail) once an hour, each hour you'd download over your LAN. That'd be about 2.4MB of email every hour, which would take less than one second to transfer over a LAN (Probably longer due to transfering each email seperately).

From there all the crap would be filtered, and as far as you're concerned, you are not getting any crap.

Bayesian filtering

[enigma44]

These guys sure like to play cat and mouse games. Bayesian filters like Spam Bully http://www.spambully.com/ can filter these kinds of messages I have found on my office computer.

Send all bounce msgs to /dev/null/

[sakusha]

You should dump ALL bounce messages. When was the last time you got a legit bounce message from something YOU sent? Never? Years ago?

Re:Send all bounce msgs to /dev/null/

[Dark+Nexus]

Months ago, and barely months.

Legitimate bounces DO still happen. Not often for most people, but they are still a reality.

Re:Send all bounce msgs to /dev/null/

[DrEasy]

That's what I thought too, but I've been burnt by that. Nowadays with smart email address auto-complete features, such as what you can find in Thunderbird or Mail.app, you sometimes end up using email addresses that were incorrectly entered by *other people*.

And how do you know that you never get a legit bounce since you filter those too?

Re:Send all bounce msgs to /dev/null/

[HeghmoH]

Last week.

I e-mailed a contact address that was no longer valid. If I had just trashed the bounce, I never would have known that my e-mail had failed, and I would have assumed that the people I was trying to contact were a bunch of jerks, instead of tracking down a working address for them. This kind of stuff happens fairly often for those of us who don't live in a cave.

Re:Send all bounce msgs to /dev/null/

[SkunkPussy]

You should dump ALL bounce messages. When was the last time you got a legit bounce message from something YOU sent? Never? Years ago?

Full and mispelled hotmail accounts. fairly frequently.

Re:Send all bounce msgs to /dev/null/

For a 75 person law firm, we see it several times a week. Without those bounce messages we'd lose clients. e-mail communication is vital.

I had over 6,000 in less than 3 days

[GiZiM]

I had the same thing happen to me a few weeks ago they used my website that uses php-nuke againest me and i got over 6,000 bounced emails in less than 3 days.

550 user not know

[martin]

is very useful for my domain. I get Exim to check valid users and 550 reject them if not valid.

That way I drop about 66% of inbound email before it enters my email gateway.

I thought I shot a putty tat?

"It seems that dealing with regular Spam is almost easy in comparison to dealing with its consequences: bounced emails. Does anyone have suggestions, or filters on how to handle bounced e-mail that has resulted from someone using your e-mail address to spam someone else?"

My sympathies for your plight. However what you seek is a technological solution to what is essentially a social problem (much like the 'war on drugs' or 'war on copyright violaters'). What that basically means is that you'll win a few, and they'll win a few. Seesawing back and forth, like the US and Terrorism. So this week it will be "How do I?", and next week will be "I got the dirty bastard". Then back to "Ah crap! Another one", and so forth, and so on. Still up for a run? Or do you think mankind someday, will be mature enough to hear the real answer? But then again, If they were? We wouldn't be having this "Ask Slashdot".

5 minute kill sequence for all spam

[shade2600]

change your email address Then on your old address set an out of office message pointing people to the new address. Gee... that was hard. Sounds stupid but nobody realizes if a spammer had to correct a few hundred thousand email addresses... the message would not get sent. As it is, they never send the messages from a valid address - so who cares if your replying to their spam with your real address? It will take a good year or so before you see another spam. If everyone did this, it would immediately invalidate all spam databases and cause the spammers a LOT of work.

Re:5 minute kill sequence for all spam

[John+Hasler]

> As it is, they never send the messages from a
> valid address...

Yes they do. It just isn't their valid address.

> ...so who cares if your replying to their spam
> with your real address?

Me, when I receive your replies to the spams sent with my address forged.

NEVER REPLY TO SPAM

Re:5 minute kill sequence for all spam

[graphicsguy]

Sounds good on the surface. Of course, you still have to deal with the dozens of web sites with user accounts named by your e-mail address. I suppose as long as you keep the old account around, you could scan it for e-mails from specific vendors when you are expecting some notification. It also doesn't deal well with legitimate business-related mailing lists. Some of these are decentralized, with no easy opportunity to change your address (ad-hoc, handed around as necessary). Sure, these ad-hoc lists are a poor way to operate, but still pretty common, I think. So in short, changing your e-mail address isn't an easily solution for lots of people.

Re:5 minute kill sequence for all spam

[suwain_2]

As it is, they never send the messages from a valid address - so who cares if your replying to their spam with your real address?

Except now you're causing the problem that led to this question in the first place: now you're sending crap out to random people, because, as you yourself just said, they never used a real address. It often ends up going to someone real, though.

Re:5 minute kill sequence for all spam

[shade2600]

It would be simple to write a web based script that would auto rotate valid email addresses in tune with the email server that autorotates valid email accounts.

The beauty of it is, instant feedback to someone who uses the wrong address. Nothing is lost if someone sends a message to your old address unless:

a) they're not using a valid address to talk to you - pretty unlikely if you really want to hear from them

b) they don't go to the effort of following your auto reply message and forewarding it to your new address. If they wont go to this 30 second effort chances are they arent going to sell to you, or buy anything from you anyway.

Re:5 minute kill sequence for all spam

[shade2600]

Could that real person do the same thing to avoid my "crap"?

Are the people recieving these messages random or are they individuals who's address is known by spammers who continue to use the same address? Chances are any real person who's address is used by spammers get so much crap anyway, their address is already near useless.

Who do you blame? Me adapting to the spam, your the friend who gave your address to the spammer, or the person who wrote the spam?

I thank you making for this point however, it made me realize I should add to my messages that go out to these poor souls that they can do the same thing and avoid getting my useless messages.

One thing I neglected to mention; if people increase the frequency of address changes, they will be able to hunt down the absolute sources of their personal spam, and make sure thier next address is not given to that source.

Not only that but they will be able to discuss it with others, and people will know a lot more about who is responsible for this stupidity.

Re:Spammers reading the RFCs, and 5xx countermeasu

[Ash-Fox]

And then organisations like sourceforge will get all horny and not users subscribe to mailinglists untill one can deliver to postmaster@domain.

Drop all spam bounces

[Zaffle]

I had a similar joe job.
The way I delt with it was simple;
All (afaik) legitimet bounces include a copy of at least the headers of the original email that was bounced.

If the email came from my system, those headers will contain reference to my system.

At receipt time (Eg before the MTA accepts the message), my filter scans bounce messages for my mail system name.
If it doesn't have it. its either:
a) A bounce for a message where the MTA doesn't include a copy of my original email. (oh well).
b) A bounce for a message that I sent from me, but through another MTA (unlikely, since I use spf codes and authenticated relaying)
c) A joe job email.

Problem, solved.

Re:Spammers reading the RFCs, and 5xx countermeasu

However, the RFCs governing mail transport are Internet Standards. Some of us feel that following commonly accepted rules is more important than personal convenience, and thus are prepared to work hard to find spam filtering solutions that do not violate RFCs.

In fact, in some circumstances it can be more reasonable to break stupid laws than to break stupid RFCs, since humans at least can deal with unexpected behaviour, unlike computers.

The method you describe is incorrect

The bounce messages you are receiving are not messages being bounced back at you to get past your message filters, they are the result of a spammer spoofing your domain name in outgoing mail in an attempt to get through another person's mail filters.

Why is one false positive too many?

[cgenman]

Nobody should assume a single mail message sent out into the ether constitutes a final and iron-clad communication. While it is bad to miss an e-mail message from a client or another person, if the chance of losing a message is slim and the amount of time you aren't dealing with your clients' needs due to spam bloated inbox is large, you should filter. There are many ways to lose e-mails. It can get lost in transit (actually does happen). It can get mistaken for spam by the person looking at the inbox and thrown out. It can be forgotten. The person can send it to the wrong address. The person's ISP could have an overloaded mailserver. Having a healthy e-mail ecology means having less spam, and by having less spam more real messages will get through.

There is no such thing as a perfect filter. But there is also no such thing as a perfect e-mail system. By the post office's own estimates %10 of their mail gets lost, yet we routinely rely upon that for business purposes, with the addition of redundant communication in case there is an error. There are tradeoffs involved, but if the benefit outweighs the drawbacks, and for a lot of us it does, filter your inbox.

On the other hand, Bayenesian filtering is not the be-all-end-all technology it has been propped up to be, but it is relatively good.