Proper Ways to Dispose of Spam?

An anonymous reader asks: "My domain name is being stolen by spammers; they forge outgoing mail using my poor innocent domain name. First, I'd like to plead with mail server administrators out there: please REJECT spam and undeliverable mail. If you reject instead of bouncing then legitimate mail senders will still know there is a problem. Second, do you have any tips for dealing with a flood of spam bounces? Exim is pitching the bounces pretty quickly, but my server is still getting overwhelmed." In the case of stolen sender addresses, SPF attempts to address this problem but has it been effective?

The toilet

[antifoidulus]

regardless of whether it comes out the back port or the front(both are equally likely).

Re:The toilet

[kfg]

You have already failed the first rule of disposing of Spam:

1. For goodness sake, whatever you do, don't eat the stuff!

KFG

Re:The toilet

[avronius]

And on a day that I don't have mod points!

+1 Insightful
+1 Informative
+1 funny

- Avron

Re:The toilet

If it's so bad for you, why does it have to taste so damn good?

Re:The toilet

[kfg]

How the hell should I know? See rule one.

KFG

Re:The toilet

How the hell should I know? See rule one.

Touché.

Proper disposal of spam

[gentimjs]

Either call the EPA and get them to declare a superfund site in your compost pile, or use it as fuel in home-brew nuclear fusion experiments. The end results will likely be simmilar. I'm told its also a good substitute for bathroom grout.

Re:Proper disposal of spam

[alexandreracine]

You could always follow his advice or ask him about that...

SPF!

[Alphager]

Two of my domain-names are in several spammer-tools and i was inundated by spam-bounces (and auto-replies). With SPF, i am down to one bounce every now and then.

Re:SPF!

[crow]

I found SPF to be nearly useless. I would think that spammers would automatically avoid domains with SPF records to increase their hit rate, but apparently not.

Re:SPF!

[stg]

That was the same in my case. I still get about the same number of bounces from spammers after adding SPF.
The only thing that did solve it was killing all addresses I don't use and adding filters for the most common bounces.

Re:SPF!

[Alphager]

We are talking about spam-bounces, not the spam itself. Of course using SPF as sole spamfilter is useless (spammers quite frequently kite domains and set up an SPF-record allowing everybody to send mail for that domain). But most spam-filters know that a false-positive with SPF is not possible (if you ignore email-forwarding, of course) and won't bounce the mail to the innocent domain.

Re:SPF!

[stoolpigeon]

This has been a problem for me for quite a while and I assumed there was nothing I could do.

I've just googled spf and gone to the site, but could someone give me a quick summary of how I might set it up. Can I do it or do I need to have my hosting company take care of it?

Right now I don't use my own email servers - I use the servers provided by the people who host my web site. (As is probably already obvious - this is not an area where I am terribly proficient.) I'm going to keep reading at the spf site but since there seem to be so many here who already use it, I figured it couldn't hurt to ask.

Re:SPF!

[silas_moeckel]

If you just care about outbound SPF assuming your hosting provider also runes your DNS severs they can add it in easily.

Re:SPF!

[qbwiz]

Right, but that post was saying that he thought that spammers would avoid forging a domain with SPF on it, because it would be more likely that their mail would be rejected. Therefore, if you add SPF to your domain, you shouldn't get as many bounces, as spammers won't want to forge that as the sender.

Re:SPF!

[stoolpigeon]

i've read some more - and i guess i have a better picture of it all. my domain is registered with go daddy and they are the ones who point my domain at the ip address where my site is -- so godaddy is who i need to add the spf record?

Re:SPF!

[poot_rootbeer]

I would think that spammers would automatically avoid domains with SPF records to increase their hit rate, but apparently not.

Spammers don't care about hit rates and neither do the folks that employ them. Who cares if it's 10 people out of 100 that fall for the bait or 10 people out of 100,000 -- it's still 10 sales that they can credit to spamming.

Re:SPF!

[funfail]

Domain registrars (GoDaddy in your case) rarely point to the web server's IP address. Instead, they point to the nameservers that point to the web server. If this is the case, most probably your hosting provider is also providing you with DNS service. You should ask them.

To put it another way, just do a whois query for your domain and look at the nameservers. If they look like ns1.yourhostingprovider.com, then your hosting provider is responsible for DNS (thus SPF).

Re:SPF!

[mophab]

I have had problems with spammers using one of the domains I owned.
I added an SPF record and within two months they quit using my domain.
I suspect spammers avoid domains with SPF records, for now.

Re:SPF!

[ednopantz]

You mean to tell me my bounce flood is what happens *with* spf?
I'd hate to see it without.

Re:SPF!

[TubeSteak]

Of course hit rates are important. That's why spammers blast out huge numbers of e-mails.

It's kinda easy to see the difference between a 10% hit rate and a .01% hit rate.

If they could get a 10/100 hit rate, everybody would be doing it.

Re:SPF!

[DigitalRaptor]

I want to add SPF to my domains, but I send email from GMail as if it were being sent from my domain.

But if I add GMail's servers as valid sources for my domain, then any gmail user can send email as if it were from me.

If I don't, it makes the email I send look less valid and more likely to be rejected or flagged as spam.

How do I avoid this catch-22?

Re:SPF!

[ahodgson]

The people (and software) that send out NDR's to spam, instead of just rejecting it outright, are already busy polluting the Internet. Why would they take the time to add SPF checking to their already misconfigured systems? Hell, they'd probably send NDR's for that, too.

Re:SPF!

[gb3]

Doesn't Gmail require users to verify they can receive E-mail on an account before they are able to send with that account? Or is there a way around that I'm not aware of?

Re:SPF!

[DigitalRaptor]

Good point, I'm not sure. I do have my accounts setup that way, and yes, they send a confirmation email with a link you have to click.

When I setup my domains and listed GMail servers as valid senders, I saw a big increase in spam bounces that were being sent from that domain.

Maybe I had it setup or it was just a coincidence and had nothing to do with GMail.

Thanks.

Re:SPF!

[davburns]

I suspect that there is a high correlation between sites that check SPF and sites that reject (5xx) spam. If not, sites that check SPF are (almost) a proper subset of sites that reject spam. (If I had time and resources to do only one or the other, I'd do the former; I suspect almost anyone else would do the same.) The main place where SPF will help is if software checks it before sending vacation (and similar) messages.

Re:SPF!

[Medieval_Gnome]

My domain (and email) is hosted with godaddy, and it was trivial to set up SPF.

Go into your hosting account, then open the control panel for the domain you want to set up SPF for.

On the page that opens up, select DNS Manager.

Scroll down to the bottom of that page, and there should be a button saying something like "Add SPF Record."

Assuming you use smtpout.secureserver.net to send your email, the defaults should work splendidly, and it should be good to go.

Re:SPF!

[darkonc]

I'd say turn on SPF for your domain no matter what the varied effect for other users...

Even if there's only a 25% chance that it blocks the spam where the spammers are trying to send it, that's a 25% chance that you won't have to do much more.

For those of you trying to use it, SPF isn't going to do that much more to prevent YOU from receiving spam, but it will make that much harder for spammers sending spam to use your domain as a source. -- (and, thus, for you getting bounces and blame for that spam).

If everybody were to use spf, however, then spammers would have a very difficult time. In the mean time, however, you have the pleasant side effect of getting fewer bounces.
((of course, the percentage drop in bounces will depend on where the spammers are trying to deliver their spam. Id they are attempting to delever to sites that use SPF (like Google), then they'll get blocked. On the other hand, if they're trying to deliver to random yahoo small-site servers that are still back in the 80's for their email delivery software, then you'll continue to get bounces from them -- simply because they won't be paying attention to SPF))

Re:SPF!

[sumdumass]

Well it is all acedemic at this pint because SPF does nothing to a spammer when sending spam from a domain that uses SPF. So what if your server verifies the email it recieves, It is unlikley your domain is going to be on the send list rather the from list.

They can use whatever spam protection on thier domain that they want. It is the persons recieving the mail that counts. When I asume someones domain and send spam on it, the spam never hits that persons server to see what they have in place. It goes directly to the delivery addresss and then chalenges thier spam protection. The point is that the domain it is from doesn't matter as much as were it is sent to.

And people with SPF or other spam protections aren't liley to the the type of people answering spam adds so if the 99,900 people in the 10 out of 100,000 people have the content protections, then the 10 out of a hundred is were the hits are. So yea, I would agree. 10 out of 100 is the same as 10 out of 100,000 under some circumstances. It just doesn't really cost any more to include the other 990,000.

Re:SPF!

Well it is all acedemic[sic] at this pint[sic]

So how many pints did it take to reach your obviously drunken state?

anyone have a domain where this DIDN'T happen?

[Subgenius]

Welcome to my hell. I've had this happen to 8 of my domains over the last couple of years, typical spam runs of 30k at a time, based on all of the 'bounce back' messages that tell me 'my' mail is spam, or worse "go F** yourself, spammer" crud. SPF might fix this, but only if it was mandatory and ALL ISPs blocked non-commercial email servers (DO NOT WANT the latter to occur).

Good Luck.

Re:anyone have a domain where this DIDN'T happen?

[Southpaw018]

Ahhh, I had one of those -yesterday-. We have SPF implemented, and it still doesn't work very well, alas.

I got a call from a sysadmin somewhere in nowheresville USA. The minute I picked up the phone, the guy started berating me, since I was destroying his domain, and it was all my fault, because I'm running Exchange and obviously I was infecting him with Winblows.

After I finally got things sorted out, I walked him through exactly how and why it wasn't our domain a'tall, which would have been obvious had he looked at the headers of any one of the thousands of emails he claimed he recieved. If he knows how to read any of them. When he realized he was wrong, he slammed the phone down midsentence.

Point of the story: SPF is great, proper mail server administration is great, but there will always be jerks who think they know what they're doing when they don't, and they're the bane of the whole system, more like a wolf in sheep's clothing than a known enemy.

SPF somewhat effective

[asc4]

SPF is only somewhat effective as unfortunately only some have adopted it. Still, it takes all of a few seconds to add an SPF record for your domain. It can't hurt. Also, try reporting the servers hitting you with backscatter to Spamcop. Again, it might not help much, but it can't hurt.

Re:SPF somewhat effective

[zyl0x]

Join now and start losing those extra pounds of SPAM today! We guarantee results in 12 weeks!

Re:SPF somewhat effective

[zyl0x]

..and my browser totally posted this under the wrong parent, thus nullifying the funniness of this comment with a +2 bonus.

Re:SPF somewhat effective

[Shaman]

Actually outside of a small server, it can do great harm. The DNS system is heavily loaded worldwide now... SPF just adds yet another DNS request to each e-mail.

Re:SPF somewhat effective

[Albanach]

The DNS system is heavily loaded worldwide now

I'm not sure what you mean by this - surely with a properly caching nameserver, you add almost no additional load to the root nameservers by performing SPF lookups as the query never goes near them? Your own DNS servers might be heavily loaded - in which case you should can additional ones or pay for someone else to provide DNS service. DNS scales easily so that shouldn't be an issue.

A DNS request is tiny compared to bouncing about bits of mail - if you can reject the message before even processing the body thanks to SPF you significantly reduce bandwidth consumption, much more than that spent on a DNS lookup, especially now there are so many image based spams floating about.

Re:SPF somewhat effective

[oyenstikker]

How was it your browser's fault and not your own? What browser were you using?

Re:SPF somewhat effective

[zyl0x]

Well, not so much my browser, as it was me hitting the back button *on* the browser. So, it was the browser's fault, but mostly my fault by proxy.

Re:SPF somewhat effective

[oyenstikker]

The cursed back button. Arch enemy of every web application developer and user.

I have a similar problem

[SkunkPussy]

I get about 50-75 bouncebacks a day on my domain, although I believe some of them at least are "false bouncebacks" from spammers, the idea being im more likely to read a bounceback than a spam.

SPF is effective... sort of

[XenoPhage]

SPF is only effective if everyone uses it. It's pretty much that simple. Problems with forwards and mailing lists aside, SPF seems to work pretty well. I've been using it for a while now and I like it.

As for what to do... It's a tough call. You're being affected by a "Joe Job" [http://en.wikipedia.org/wiki/Joe_job] .. Defending against this is not the easiest thing in the world. Filtering is probably the only route you can go right now. you should be able to filter based on the subject and To: address, looking for MAILER-DAEMON messages to the users being affected. That's how I would deal with it to begin ... Then perhaps limiting SMTP from the outside world, prioritizing local user traffic. That should calm the server down a little.

For the record, every mail server I've worked on has been set up to reject. I learned a long time about that bounces and double bounces can easily kill a server. Great idea in theory, but the low-lifes on the net make good ideas regretful..

Easy

[JamesP]

Two big guys and a baseball bat

Oh, you mean SPAM, I read that as spammer...

Re:Easy

[Xugumad]

Just one baseball bat? Erm, budget cutbacks?

Re:SPF is effective... sort of

[Thansal]

for refference, the point of Joe Jobbing some one is to ruin their reputation.

General spoofing is just there to hide their tracks, and make it more likely that the mail will be delivered.

SPF is Marginally Effective

[prothid]

I am having this same issue. I have SPF set up with '-all' on the end of it. This still lands me with a lot of bounces every day. I am using Gmail for my mail and I have about 10 to 20 bounces that didn't get caught by their spam filter sitting in my inbox every morning.

Here is the SPF line I am using with Gmail (with an irrelevant ip4 entry omitted):

@ IN TXT "v=spf1 mx include:aspmx.googlemail.com -all"

I figure that at worst, I am keeping myself off blacklists because the ones likely to blacklist my domain have at least implemented SPF. It is still a fairly annoying situation. It is probably worth noting that I have a catch-all alias for inbound emails. I like to give a different email address for each site I go to so that I can track who is sending me spam. The downside to this apparently being that it potentially opens your domain up to being used TO spam.

Re:SPF is Marginally Effective

[Neon+Spiral+Injector]

Spammers *love* domains with catch-all aliases and specifically target them for impersonation. I would suggest finding an easy way to add new aliases as needed (so you can create one just before you sign up on a site) and kill the catch-all.

Re:SPF is Marginally Effective

[prothid]

Yeah, I may end up having to do this. It was nice while it lasted! I could probably get away with doing a catch-all on a subdomain.. hmm...

Re:SPF is Marginally Effective

[milgr]

I don't think that the spammers realize that a domain is read by only one person. Frequently, if they know that billg@microsoft.com is a possibly email address, then they will send spam to billg@microsoft,com, and replace billg with plenty of other common names, such as dave@microsoft.com, bill@microsoft.com, etc.

My email addresses also have a catch all. At one point I needed to implement a filter to ignore lots of common names (ie., tom, dick, and harry).

I have received lots of bounces to email that purports to come from my email account but doesn't. There is nothing you can do about it. A common spam technique is to have the from address be a valid address - of someone else.

Good luck.

Re:SPF is Marginally Effective

[Neon+Spiral+Injector]

There is something you can do about it, just what I was suggesting: Kill the catch-all. Spammers will stop abusing your domain (as much), you won't get bounces to addresses you don't use, and any server that performs sender address verification callouts will know that the MAIL FROM: is bogus and reject the message right away.

Re:SPF is Marginally Effective

[Kalriath]

If gmail is hosting your domain, you already have a "catch all to one mailbox" option available to you - GMail uses the little understood "+" specifier in email addresses. Just use an email of the format whatever+mailboxname@domainname.com - this will still go to your inbox without you needing to run a catch-all. And if they do share it, just create a filter for all emails to nastyspamsharer+mailboxname@domainname.com to go straight to /dev/null.

Re:SPF is Marginally Effective

[prothid]

I am hosting other domains at Gmail, but not this one. I use postfix to forward email address to myself and others, along with a catch-all.

Re:My way

[OneSmartFellow]

Also usefull as bait for carp. They seem to really like, and fight to get on the hook.

Re:My way

[Ruzty]

Cubed with diced potatoes and onions. Fry in a bit of butter. When it's nearly done toss in a few cubes of Velveeta. As soon as the "cheese" melts toss it on a plate and enjoy! I prefer some pickled jalapeños with mine and a nice cold Diet Pepsi.

*drool*

No

[Otter]

If you reject instead of bouncing then legitimate mail senders will still know there is a problem.

I've been hit by the same problem (and eventually gave up on my own domain and decided to let GMail deal with it) so I sympathize, but this simply isn't true. Bounces are much more effective.

Re:No

[Neon+Spiral+Injector]

You should not generate the bounce, a 5xx responce to an SMTP command is all your server should do. If it is a real mail server talking to yours it will generate the bounce for the user that is relaying through it (hopefully including the text of your 5xx reply).

Re:No

[Otter]

Ahhh, if that's what he mean by "reject", then I agree.

Re:No

[arivanov]

Exactly

And as far as the stream of bounces flowing at the moment I think this has mostly to do with this: http://www.theregister.co.uk/2007/01/09/scam_decli ne/

One of the SPAM botnets was lost over Christmas (I guess, not only NASA and ESA can lose systems by bogus commands/software uploads). As a result the spamgangs have ordered a couple of clones of old beaten up viruses to go and capture new zombies. At least some of these use the codebase of one of the old crap pieces of code that generated fake addresses in known domains. As a result - loads of bounces for fake names.

The only way of dealing with these is to filter for valid names on your frontline relay. This is a well known problem without a good solution as this means that the frontline has to do full alias expansion. I have some ideas on how to do that for exim, but have not got the time to do it at the moment.

Re:No

[Akatosh]

Spam is spam. I don't care if it was relayed by using the victim address in 'rcpt to:' (traditional spamming) or 'mail from:' (blowback spamming). So you stuck three lines of text above it then relayed it on to the victim. Good job, by bouncing instead of rejecting you're an open relay. You even add some additional bayesian slaying text to the top. That's how I see it.

It's really not that difficult to configure your mail systems to reject instead of accept then bounce. I see this as becoming manditory, similar to how it used to be ok to have an open relay, then over time it became a sin.

Who gets overwhelmed by spam bounces these days?

[Bright+Apollo]

I own a handful of domains, and I have little if any problem setting up autoreject for invalid email addresses. The only problem I can't easily handle is when a valid email account is used by a spammer. I think you should strongly consider changing your domain host if you've got these issues in 2007.

-BA

Disposing spam...

[__aaclcg7560]

If I haven't eaten it...

[Please insert wow ur fat joke here.]

I put the spam into the trash, tie the top of the trash bag, and throw trash bag into the dumpster outside. I don't know what the fuss is about disposing spam. Spam is spam. :P

Gmail checks SPF...

[rthille]

But doesn't follow the spec and reject on fail :-(
So I'm not sure what value that is, and I'm not sure if google forms a bias against spam from my domain, even though it's verifiable that the spam is a forgery and that my domain had nothing to do about it.

Other lameness are domains like hotmail.com and aol.com which publish records which indicate you shouldn't reject mail claiming to be from them from servers that they don't control. (soft-fail or neutral results).

How I dispose of spam.,..

[Lord_Slepnir]

You'll need a dog. I simply feed him my excess cans of spam. If you're dealing with spam e-mail, then simply print out the spam, and use it to paper train the dog after it's gorged on Spiced HAM.

Backup MX is to blame for some of this bouncing

[artifex2004]

It's great to set up your mail server to reject the mail up front. But many spammers know people are doing this, so they connect to backup MX, often the one with least priority. From what I've read, that's how spammers' mail blasting programs are written these days.

Are you running your own backup MX? Probably not. It's often a generic spooler your ISP lets you use for convenience. Even if you do, does your backup MX have all your rules in place, so it knows what to reject? No, I bet not. So this backup server accepts the mail without question, then passes it to the primary, and then it gets bounced.

We need to either have a way to give our backup MX our rulesets (which the people who run the backup servers understandably won't like), allow backup and primaries to just silently discard (which legitimate senders and receivers won't like), or, quite possibly, stop using backup MX entirely, and then if the primary goes down, the originating mail servers should do their normal pattern of retrying for 5 days, or whatever.

Large companies who need 100% instant availability of mail shouldn't be using backup MX anyway, (I've seen backup MX servers configured to hand off to primary hourly or even daily, not to mention those that hold until the primary asks for the mail) they should be using a ring of servers sharing primary preference. I'd expect the ruleset to be identical across the ring, thus allowing for instant rejection all the time.

Re:Backup MX is to blame for some of this bouncing

[GreggBz]

Your right. I work for a smallish ISP and notice that spam-bots usually prefer the backup MX record.

For smaller domains and people with fewer resources having one MX record is impractical. For larger systems, like say an ISP, their is typically only one MX record, which really points to a virtual server that exists in a Foundry switch or some such. This is then load balanced round-robin style to a group of identically configured servers, preferably that are geographically distributed. This is a little more straight forward then the ring of servers, but has it's own issues.

The one headache that I have with this set up is the tedious log searches that you end up doing trying to find out what happened to customer x's email, or just troubleshooting in general.

It's a pain shelling into 4 different servers and greping through each maillog. I'd like to find a solution to this.

Re:Backup MX is to blame for some of this bouncing

[Kissing+Crimson]

You could use a central syslog server: HOWTO

Re:Backup MX is to blame for some of this bouncing

[Plug]

A useful thing to do (although in no way a solution) if you need a backup MX and can't use exactly the same rules on one as the other, is to set up priorities as such:

10 primary
20 backup
30 primary

This way, if spammers prefer the highest MX, which they are known to do, you get all the benefit of the filtering on the primary, as well as backup if the primary goes down.

Re:Backup MX is to blame for some of this bouncing

[dodobh]

Unix MTAs log to syslog. Syslog is perfectly capable of sending stuff over the network.

Grab a PC, setup a syslog server on it listening to the network, tell your MTAs to log there in addition to local logging.

SPF hasn't helped me much

[Slashdot+Parent]

I publish SPF records for all of my domains, and I still get a ton of blowback. Here are the options that I evaluated:

1. Don't use catch-all addresses. Normally blowback is not addressed to a valid user. This was not an option for me, but it may be for you.
   
2. Reject invalid bounce messages. Any message coming with an empty envelope sender to an address that has never sent mail on my system is considered invalid and rejected during SMTP with a message stating why. This is what I chose.
   

The reason for my choice is that it consumes minimal resources (all that's required to reject a message is one SQL query against a small, in-memory table), informs the bouncer of the problem, and eliminates 99.99% of blowback (some incorrectly-configured MTAs produce bounce messages that don't have empty envelope senders... I get like one of those per month).

And I second your pleading: Please, please, please, mail admins, please reject email during SMTP instead of producing bounce messages! Please!

Donate it

[emil10001]

I believe that smalltime is accepting cans of spam to fuel their "Find-the-Spam" game. They're capitolizing on the idea that this is obviously something that only a hobo would eat, and turning it into a fun game.

PS. - For added entertainment, try the text version!

My idea

[QueePWNzor]

I have an old FreeBSD mailserver that uses Exim. You should set up an intermediate domain/DNS system that can destroy the wrong usage of your name outgoing through the system. Then, I reccomend looking through Perl scripts, because though one is not definative, try, try again and you might partially suceed. Also, be sure to do security and firewall updates as mine was hacked... I don't know everything that you've tryed, but if you haven't done all of those thouroughly, then you're screwed:) It'll never be perfect, though.

A recent conversation with a would-be vendor:

[PFI_Optix]

"Okay, I'd like to send you some more information and need to verify your e-mail address."

"Alright"

"Is it jay ewe inn kay at blah blah blah dot com?"

"uhh...Yep, that's me. John Unk."

Only trusted vendors get real e-mail addresses here. I don't even get spam on my home e-mail. Absolutely none, after three years of having the same e-mail.

Re:A recent conversation with a would-be vendor:

[bcrowell]

Unfortunately, many people don't have this option. If you're running a web-based business, you may need prospective customers to be able to e-mail you for the first time without making them jump through hoops, because you don't want to lose their business.

Re:A recent conversation with a would-be vendor:

[PFI_Optix]

In that case, forms are your friend. You might even include a little note that you use the form because publishing your e-mail address directly would result in it being flooded with junk mail. Users will understand that, even if (like me) they aren't fond of using web forms to make contacts.

I know next to nothing about JavaScript, but I'm wondering whether there's a good way to obfuscate an e-mail address using JS or some other client-side script so that the spam crawlers don't see it because it would only show up on mouseover or something like that. Guess I need to learn JS and see if I can make something like that work...

Re:A recent conversation with a would-be vendor:

Just google: javascript email obfuscation

I found the following quite useful:

http://reliableanswers.com/js/mailme.asp

I'm sure there are other ways to do it, but this looks as straightfoward as they get.

Spam disposal

Simple: Burn it onto DVD-minus-R. Then nobody will ever be able to read it ever again!

Why the forging in the first place?

[mabu]

I believe the main reason why spammers are forging in the first place is to taint relay blacklists. RBLs hurt spammers more than anything else. When they forge from addresses they cause legitimate relays to be spammed by other legitimate relays and this in turn may prompt some relays to blacklist legitimate smtp servers and tarnish the effectiveness of RBLs. However, most admins are now wise to this and differentiate between the different types of traffic.

If you run any mail server for a reasonable amount of time, until the feds decide to get off their lazy asses and prosecute these criminals, you're going to run into this problem. It usually passes after a few days. If I run into it, I will sometimes change the MX record of the offending domain to 127.0.0.1 temporarily. And rule number one is avoid *@domain.com mail mappings...

Re:Why the forging in the first place?

[Robotech_Master]

In my experience, some spammers will also forge the 'from' address to be the address of the intended recipient of the spam, and then send it to an address they know will bounce (i.e. with an autoresponder) to try to get past spam filters or something.

Re:Why the forging in the first place?

[Kelson]

There's also a mundane reason for it:

1. Using your own address makes you more traceable and means you have to deal with bounces, complaints, etc.
2. Using a forged address saves you that inconvenience.
3. Completely bogus addresses will have a low throughput, because it's trivial for a receiving server to check whether a domain name exists or not.
4. Verifying a specific address at a real domain, however, is more involved.
5. Solution: Use a bogus address at a real domain name.

This solution expresses itself in both throwaway domains (where the spammer registers it for cheap, figuring they only need it for one spam run) and forged addresses using bystander's domains. Forging is cheaper, since you don't have to register a domain, and while it's illegal, enforcement is rare.

spamassassin

[stuff-n-things]

I run a domain which receives a few thousand spam messages a day (one every 15-30 seconds or so). Postfix, amavis, clamav, spamassassin, and procmail are my friends. Use amavis rather than spamc/d to keep spamassassin running and to get clamav too. You're mailer will have to send all messages to amavis like it's forwarding all mail to another email server, and listen on another port so that it doesn't loop back to amavis. Have the mailer send catch all addresses to an alias, then have the spamassassin configuration score anything going to that alias as almost spam. Have spamassassin configurations like

header MAILBOX subject =~ /mailbox/i

with a score that isn't high enough to automatically make it a spam, but close. This weeds out 'mailbox full' messages. Do the same for 'Delivery Status Nofication', etc. The more common rules for porn, refinancing, etc. will force more catch-all email to spam, as well as mark regular user's email. Don't bounce or reject for the catch-all address, just tell procmail that /dev/null is the mailbox for anything marked spam. What little remains, I get, and I only get a few spams a month. The system (a 2.8GHz Xeon) runs at 1-3% CPU to handle spam--plenty of RAM helps with this too.

Simple, check the Received: envelope headers

You start by rejecting outright email for non-existant email addresses. That gets rid of all bounces that come from addresses the spammers have made up. Then you look at the Received headers of the email that you supposedly sent and validate that it did indeed come from your IP and the header is of the form that your MTA generates. If not, somebody was impersonating you and you reject the bounce. See Stopping Backscatter Email.

Don't use a catch-all

[Kelson]

The problem of invalid bounces drops dramatically if you set up your incoming server so that invalid addressees are rejected with a "User unknown" note at SMTP time. If you're using Sendmail with a virtual user table, this is as easy as adding the following at the end of the file

@example.com error:nouser 550 5.1.1 User unknown

It's important to do this on the server that accepts mail from the outside. If you have a setup with an antispam/virus gateway that then relays to an internal server, you need to make the gateway aware of the valid/invalid addresses.

By rejecting invalid senders in the SMTP transaction, you only get bounces from the few messages that forged an actual sender. In my experience, the addresses tend to look like ashawuiefgfyig@example.com, so most of the bounces will just disappear into the ether(net).

Re:Don't use a catch-all

[christophe.vg]

And your bounce bounces into someone elses mailbox, or even worse, if that emaI address also bounces, it bounces back and back until ... ?!?

Re:Don't use a catch-all

[Kelson]

And your bounce bounces into someone elses mailbox

No, the point is that it doesn't bounce. It's rejected in the SMTP transaction, which means that the connecting server just sees "500 user unknown" before it even transmits the message body -- no new bounce message is created. And if the message you're rejecting is a bounce in the first place, it should have a null sender, which means that the connecting server won't try to generate a new bounce either.

Re:Don't use a catch-all

Quite right, but some horribly configured systems will INSIST on still generating a bounce message to your postmaster.

"Excuse me, but this piece of spam that was sent to a non-existent user on my system? Well, when I tried to bounce it to a non-existent user on your system, you rejected my bounce! Obviously that is a horrible mistake, so here is your spam so you understand what couldn't be delivered. Glad to be of service, and try to be more careful with your addressing. Not every system is as helpful as this one!"

SPF seems like a good idea but...

[jazman]

...are MAILER_DAEMONs and their friends who are so stupid they bounce instead of reject likely to be intelligent enough to check an SPF record before sending a bounce message to someone who obviously didn't send it?

I too get loads of spam bounces sent to non-existent addresses "from" (random string)@(my domain), not to mention "please validate your message" challenges and autoreplies; my approach is one enormous blacklist that just autodeletes any messages from postmaster, mailer_daemon etc that aren't to my sending address, which works until some stupid postmaster decides to call himself Mail Delivery System or Mail Delivery Subsystem and so on, plus non-English versions, and the numer of variants on "undelivered mail" is equally astonishing - that, Mail delivery failed, delivery status notification, returned mail, delivery failure, mail system error, undeliverable, cannot be delivered, foreign variants...

The subject is apparently incorrect...

[Kumba]

It should be "Proper Ways to Dispose of Spammers?"

I propose the firing squad or hanging. By their balls (if they have any).

Maybe evisceration?

filtered catch-all

[bcrowell]

It is probably worth noting that I have a catch-all alias for inbound emails. I like to give a different email address for each site I go to so that I can track who is sending me spam.
I could probably get away with doing a catch-all on a subdomain
What I do is I use e-mail addresses that look sort of like this: slashdotcrowell07@mydomain.com. On the front is the name of the business, so if I get mail at that address, I know it was because I gave it to them. Next is my name. Next is the last two digits of the year. In my mail filters, I reject anything that isn't of the form .*crowell\d\d@mydomain.com. That way if some spammer is just trying to guess an address like dave@mydomain.com, it's not going to work. If I start getting a pile of spam to, say, the slashdotcrowell07 address, I just stop accepting mail at that address. The year is because most addresses eventually start getting more and more spam. So right now if someone sends mail to me at an 07 address, it goes to my inbox; if they send it to 06, it goes in a special box so I'll realize I need to give them the new one; if they send it to 05, it gets marked as probable spam, and I won't look at it until I get around to looking through my spam box; 04 goes straight to the bitbucket.

Re:filtered catch-all

[prothid]

Right now I just use the domain name without the tld. I like your idea though, I will have to start doing that. Thanks!

Re:filtered catch-all

[grimwell]

I do something similar. I use businessname@subdomain.mydomain.com. When I start receiving spam at that address I setup an alias to automatically forward it to spam@uce.gov. I do like your idea of adding a date to the name, I'll probably start doing that.

I can't see handing out a new email address every year... just too much of PITA, especially with the older relatives and ones I only hear from a couple times a year.

Re:filtered catch-all

[Etcetera]

Or you could just use qmail :)

Nowadays, when I give out an email for anything it's to
"smith-businessname@domain.com" or something similar. Anything at smith-* will end up at my smith account automatically. Allows for great automatic tracking, and now pre-setup needed (I make them up on the fly). If one of them ever gets compromised, I can simply add a config in there that handles that extension specifically. Furthermore, no automatic spamming bot is going to create wildcards and a blah-* like that.

Re:filtered catch-all

[bcrowell]

I can't see handing out a new email address every year... just too much of PITA, especially with the older relatives and ones I only hear from a couple times a year.
I just whitelist them.

Re:filtered catch-all

WTF? Get a girlfriend, dude.

Postfix Backscatter HOWTO

[alanxyzzy]

Knowing that a common term for this is "backscatter" may help you search for other hints and tips.

There is a Postfix backscatter HOWTO at http://www.postfix.org/BACKSCATTER_README.html

The solution: Bounce Keys

You add an encrypted header to all outgoing emails which says "Yes, this email came from this server." Then, when you receive a bounce message, you check for the key. If it has it and its correct, it gets through, and if it doesn't, it gets rejected. This stops ALL normal bounces that result from spammers, and the only thing you do get are auto-responders which aren't actual bounces.

Here's the Exim howto http://psg.com/~brian/software/authbounce/configur e-authbounce.txt

Difference between bounce and reject.

[Vellmont]

Can someone tell me the differences in terms of when each happens, and what happens on the other end between a bounce and a reject? I _think_ I understand the difference, but I'm not certain.

My understanding is that a reject is sent by the receiving SMTP server before it's accepted the mail. I.e. server a->server b, server a says mail is to: bill@serverB_Domain.com from: john@spoofedaddress.com. Server B can then accept the mail, or reject it (with various different codes for each). If B accepts it, it's server B's responsibility to handle it. If it rejects it, it's server A's responsibility to handle it.

So, (if I understand this right) the problem the submitter is getting at is that server B accepts the mail, but then later bounces it. (Because a spammer is obviously not going to bother bouncing the mail when it's rejected).

Why would Server B accept mail from Server A if it's only later going to bounce it? I can think of at least once case (and one I have experience with). If Server B is acting as a relay host for Server C, then it's difficult (but not impossible) for Server B to know if Server C will accept or reject the mail. So Server B just accepts all mail, but later has to bounce some of it when Server C rejects the mail.

I've dealt with this problem, and only recently fixed it when I rebuilt the relay server. I use Postfix, which now supports validating recipient addresses for relay hosts. Essentially what happens (in terms of my little scenario) is before Server B accepts a message, it connects to server C and sends a test message addressed to the recipient. If server C rejects the message, Server B rejects the message from Server A. (Yah, it's a little more complicated than that and involves caching, but that's the general idea). The previous version I was using didn't support this feature, so I wound up with a lot of bounce messages going out for spam addressed to invalid addresses.

The other scenario I can think of is that Server B later figures out that the mail is spam. But why in the world would you decide to bounce the mail at this point, since it's very likely the return address is fake, will never accept mail, etc? Either throw the mail away entirely and forget about the whole ugly mess, flag the mail as spam and delivery it to its destination, or squirrel it away somewhere just in case someone really really needs to see it (like it's a false positive).

What I do is flag the mail and stick it in the users spam folder. Then no one complains about not getting mail.

Re:Difference between bounce and reject.

[kitterma]

Your understanding of bounce versuse reject seems correct to me.

Re:Difference between bounce and reject.

[SuiteSisterMary]

PersonA gets virus. Virus on PersonA's machine connects to PersonA's ISP SMTP server, and sends out ten thousand messages as personb@example.com.

PersonA's ISP server dutifully accepts these messages, and tries to send them. Each and every one, in this example, is to an invalid recipient. So each and every message goes like this:
ISP Mail server: telnet recipient.mail.server 25
HELO it.is.me!
MAIL FROM: personb@example.com
RCPT TO: invalidaddress@mail.server
550 unknown address

'Oh, noes!' thinks the ISP mail server. 'This poor message can't get sent! I better let the sender know! Lets see, the sender would seem to be....personb@example.com! I will send them a delivery status notification, also known as a bounce message, immediately!'

And personb gets 10,000 'undeliverable message' messages.

Re:Difference between bounce and reject.

[Akatosh]

reject:
mail from:
250 Sender ok
rcpt to:
550 does not exist here

If it was a virii sending this, it just stops there. No one gets any message. If there's a mail server inbetween, then the sender side mail server would generate a bounce to me@here.com. Most virii are sending direct with no mail server in between.

bounce:
mail from:
250 Sender ok
rcpt to:
250 Recipient ok
data
354 Enter mail, end with "." on a line by itself
lolspamspam wonderfull spam lovely spam
.
250 Message accepted for delivery.

It then sends the spam message to me@here.com with a few lines about it being undeliverable at the top. Every time. Think of it as an open relay that adds a bayesian slaying text block to the top.

Re:Difference between bounce and reject.

[Vellmont]

Well, person A's ISP should be have a virus scanner in place to prevent this kind of garbage. If you detect the mail is a virus, silently drop it (and perhaps log the IP address it came from). In any case, I can see how that'd present a problem.

I've also seen some backscatter mail from poorly configured virus scanners that don't know that viruses spoof the from: or reply-to: address.

Re:Difference between bounce and reject.

person A's ISP should be have a virus scanner in place to prevent this kind of garbage

But why? The pain to Person A and Person A's ISP isn't that high.

Re:Difference between bounce and reject.

[Vellmont]

But why? The pain to Person A and Person A's ISP isn't that high.

To avoid producing all that useless bounce messages, to be a decent business that doesn't cause problems, to avoid Corporation XYZ (who was infected by a virus from Person A's ISP) suing person A's ISP for gladly spreading viruses around when there's simple, inexpensive technology available that would have prevented it. Or maybe just providing an additional service to Person A who'd appreciate not sending out viruses to his family and friends.

Re:Difference between bounce and reject.

Look, Person A and his ISP aren't feeling any pain from any of that. Heck, they aren't even aware anything is going on. Yes, a good citizen and a good corporation would do The Right Thing. It might even save them money in the long run. But until they have some motivation, Person A and ISP A don't care that Person B woke up this morning to a smoking hole where his domain used to be hosted.

Re:Difference between bounce and reject.

[SuiteSisterMary]

I've also seen some backscatter mail from poorly configured virus scanners that don't know that viruses spoof the from: or reply-to: address.

Ah yes, stupid virus scanners, at both the mailserver and the user level, that send back a bounce. Especially the extra stupid ones that include the original message in a bounce, which sends the virus laden message to an innocent third party...who's antivirus then bounces the virus laden message right back....

a HOWTO for Postfix and SpamAssassin

[jmason]

I've been dealing with this a lot recently -- I just wrote up a short howto doc over on my blog yesterday, in fact, using Postfix on the MX to catch most of the bounces, with SpamAssassin to filter out the remainder.

Re:a HOWTO for Postfix and SpamAssassin

As someone else also notes in your blog comments, your advice is overly restrictive.

You block all daemon replies.
You block the null user which also maps to mailer-daemon.

BATV

[Patrin]

Take a look at Bounce Address Tag Validation (BATV). http://mipassoc.org/batv/index.html There even is an implementation for EXIM. This drops spam bounces like you wouldn't believe.

Envelope Sender Signature

[mossmann]

Check out the Envelope Sender Signature technique described here:

http://howtos.linux.com/howtos/Spam-Filtering-for- MX/collateral.shtml

The idea is to tag outgoing messages in such a way that legitimate DSNs are distinguishable from illegitimate backscatter (which can then be discarded).

Rejecting spam bounces

[CustomDesigned]

Speaking from 2 years experiences with rejecting 11000+ spams a day, publishing SPF records helps, but not enough folks reject mail with SPF fail for it to help a lot with spam bounces. The real solution to spam bounces is to "sign" your MAIL FROM, using SRS for example. (SRS is not just good for forwarding.) Then you just reject bounces without a proper signature. After signing, your MAIL FROM would look like this:

<SRS0=WHEtL=GU==user@example.com>

The current main benefit to SPF is that when you get an SPF PASS, you can be reasonably sure that the MAIL FROM wasn't forged. This is comforting when I get mail from online banks and vendors (that I actually use). Also, I reject not only on SPF fail, but on softfail for selected domains (e.g. ebay.com). Getting an SPF pass is a two edged sword for a spammer. I track reputation (using pygossip) for validated MAIL FROM and HELO domains. So after a few trips through the content filter, they get rejected in SMTP envelope:

2007Jan11 14:19:47 [244] Received-SPF: pass (mail.bmsi.com: domain of identity-star.com designates 209.205.201.41 as permitted sender) client_ip=209.205.201.41; envelope_from="42991_VMTA2574-alb=BMSI.COM@identit y-star.com"; helo=mx2574.identity-star.com; receiver=mail.bmsi.com; mechanism=mx; identity=mailfrom
2007Jan11 14:19:47 ham: 0, spam: 23
2007Jan11 14:19:47 ID identity-star.com:SPF reputation: -76.159416,2.209194
2007Jan11 14:19:47 [244] X-GOSSiP: 0Q1xs3S.9Tt$ySk.$6w1Mg,-76,2
2007Jan11 14:19:47 [244] rcpt to <alb@BMSI.COM> ()
2007Jan11 14:19:47 [244] REJECT: REPUTATION

Re:Rejecting spam bounces

[Sancho]

Can you elaborate on the FROM signing? What mail clients might support this (I use mutt, so I assume I can wedge this functionality in). Are individual mails signed differently?

Do you have a package that does this, specifically?

It sounds like an interesting solution to one of the most frustrating spam problems I have.

Re:Rejecting spam bounces

[CustomDesigned]

I use pysrs from the pymilter project for MAIL FROM signing. It adds a macro to sendmail, and installs a pysrs daemon as a sendmail socket map. The SRS library could be used by a python script to integrate with mutt I suppose (I always do all my filtering in the MTA - so I can't offer advice). Example code (with random spaces inserted by slashdot):

>>> srs = SRS.new(secret='boo')
>>> srs.sign('user@example.com')
'SRS0=dqj5=GU==user@ example.com'
>>> srs.reverse('SRS0=dqj5=GU==user@example.com')
'us er@example.com'
>>> srs.reverse('SRS0=fake=GU==user@example.com')
Tra ceback (most recent call last):
...
AssertionError: Invalid hash

There are also C libraries like libsrs and libsrs2.

Detecting the bogus bounces in mutt is less than optimal - because you have already received the SPAM. By checking in the MTA, you reject the bounce before SMTP DATA.

Gmail Sender overrides your From for SPF checks

[Matthew+Bafford]

Gmail sends the mail as coming from your domain, but the sender header is listed as coming from your gmail address. Because of this, the SPF testers seem to care about Gmail's SPF check, not your domain's. For example, send an email to the address given by this site:

http://senderid.espcoalition.org/

For example, in my case, I see:

MAIL FROM: me@gmail.com
PRA: me@gmail.com
SPF-Record-Classic: v=spf1 redirect=_spf.google.com

In the headers send in the email, I see:

From: me@example.invalid
Reply-To: me@example.invalid
Sender: me@gmail.com
To: random@senderid.espcoalition.org

For a while I actually had my domain's SPF records set to deny all. Worked out well enough, since Gmail sent all of my domain's email back then.

I assume you're using a catch-all

[GWBasic]

I assume you're using a catch-all email account, like I do. I get about 100 SPAMs/bounces a day. Here are techniques that I use:

• My reply-to address doesn't go to my catch-all. This way, all undeliverable bounces in my catch-all are only from SPAM.
• Almost everyone who I email on a regular basis figures out my REAL email address, thus the special account for my reply-to address has very little SPAM.
• I use Apple's mail program instead of Microsoft's mail programs. It's much easier to see what's SPAM because Apple displays the "TO" and "FROM" addresses without me having to open the email.

No Bounces

[the+eric+conspiracy]

Eaaasssyyy. Just set your MX record to 127.0.0.1!

You will never get a bounce.

gmail SPF no problem but other domains need DKIM

[johnjones]

hey there

gmail will be correctly set as the sender so SPF records will be correct

the problem is other domains that do not...

basically we need DKIM that signs the message so that when we get somthing back we examin the sig and if it does not have our DKIM we reject it

simple we need both SPF and DKIM in the real world