SPAMCOP HOME · SPAMCOP FAQ · NEWSGROUPS · FORUM FAQ · WEBMAIL · SSL WEBMAIL · SPAMCOPWIKI


 Other words, data, places -->  SpamCop Pages V  FAQs & Words V  Newsgroups V  WebMail V  News-Recent Stuff V   Poll on menu

------>------> Latest and Current Announcements <------<------

Welcome Guest ( Log In | Register )

> This is a User to User Support Forum

The primary mode of support here is peer-to-peer, meaning users helping other users. (please remember this at all times!)
Another try:
This forum is composed of people who have used spamcop and those who are learning about anti-spam efforts.

 
Reply to this topicStart new topic
> Spammer Bounce Backs
RobertWilliams
post May 24 2005, 04:57 PM
Post #1


Member
**

Group: Members
Posts: 15
Joined: 20-May 05
Member No.: 4080



Here is a problem I'm hoping we can get resolved. I get roughly 500 bounce-backs each day from other companies that have received SPAM e-mail from people forging my domain in either the "From:" or "Return-Path:" header fields.

I don't want to report the companies that are bouncing them back to me, because they are just as much a victim as I am here. But, I do want to report the original spammers, because it is obvious that the receiving system(s) are not reporting them.

The bounce-backs (95% of the time) include all of the original header information from the spammers. However, when I copy just that information, I get an error from SpamCop stating:
QUOTE
Supposed receiving system not associated with any of your mailhosts

Your system will also report:
QUOTE
No unique hostname found for source: 82.122.203.44
But when I look it up in the RIPE whois, I find a hostname.

I guess the main problem here is that I cannot report it because the receiving system is not associated with any of my mailhosts.

Is there a way that this can be resolved? I really should be able to report any spam associated with my domain regardless of whether I'm receiving it, or it is being sent in my name.

Thanks

RW
User is offlineProfile CardPM
Go to the top of the page
+Quote Post
Wazoo
post May 24 2005, 05:11 PM
Post #2


What Life?
Group Icon

Group: Forum Admin
Posts: 13194
Joined: 22-January 04
From: Iowa
Member No.: 18



Your calling those other ISPs "victims" might have been somewhat acceptable even a year ago. Today, not true. If you want to handle it, try contacting thes folks and point them to the various FAQs here and elsewhere on the net about the problems today with (pick your word here, check the Glossary) blowback, misaddressed bounces, etc., etc., etc. The specific issue is whether it's cluelessness, ancient software, or just bad configuration ... take a look at some Topics opened up just today in the Blocking List Forum from "one of those ISPS" ....

Yes, you will run into problems reporting someone else's spam (which is the way the parser sees it after your MailHost configuration)

the no-host issue is offered with no context .. Tracking URL is needed if you want to talk to this issue ..
User is offlineProfile CardPM
Go to the top of the page
+Quote Post
StevenUnderwood
post May 24 2005, 05:21 PM
Post #3


What Life?
Group Icon

Group: Membersph
Posts: 5207
Joined: 20-January 04
From: Whitinsville, MA USA
Member No.: 12



QUOTE(RobertWilliams @ May 24 2005, 05:57 PM)
I really should be able to report any spam associated with my domain regardless of whether I'm receiving it, or it is being sent in my name.
*


Actually, per the rules you agreed to obey for usingthe reporting site, you are NOT allowed to report the spams within other messages:
QUOTE
Spam within other messages

If you receive a message (perhaps a bounce) which contains spam, you should not report the spam contained within the message, even if it includes what appear to be the full original headers. This is someone else's spam, not yours. It is expected that you can verify that the headers of reported mail are accurate, something you can't do for mail received on a network you are not familiar with.

The bounce messages, as long as you did not send the original, are reportable, as most admins should know by now that sending any message to the possible forged From in a message is not a good thing.

Perhaps you should brush up on the current rules for reporting in the FAQ (a link can also be found in the Forum FAQ at the top of this page):
http://www.spamcop.net/fom-serve/cache/14.html


--------------------
Steven P. Underwood, DNRC
Whitinsville, MA
underwood+forum[at]spamcop.net

-No trees were killed in the sending of this message. However, a large number of electrons were terribly inconvenienced.-
User is offlineProfile CardPM
Go to the top of the page
+Quote Post
RobertWilliams
post May 24 2005, 06:02 PM
Post #4


Member
**

Group: Members
Posts: 15
Joined: 20-May 05
Member No.: 4080



Ok then, I guess I'll spend the time and track down the admins of the systems that are bouncing the mails back to me. I can understand not reporting SPAMS inside of SPAMS, but when someone is forging my domain, I should be able to do something about that. I understand though, not your problem.

As for this:
QUOTE
as most admins should know by now that sending any message to the possible forged From in a message is not a good thing.

Auto-reponders have no clue what a forged "From" field looks like, all they know is that this is the person that sent the message. The person that can write a program that will tell a computer what a forged "From" field looks like, should win the Nobel Peace Prize.

I have turned my auto-responders off completely, because all it ever does is clogs my queue up. But there have got to be thousands, if not 10s of thousands, of IT managers, administrators, whatever you want to call them, that don't. Sure, they should be a little more knowledgeable about their system, but that doesn't mean they should be reported as spammers.

On the other hand, if I were to just report them, then they would almost be forced to fix their system. That is, IF they care.

Anyways,

Thanks for the help

RW
User is offlineProfile CardPM
Go to the top of the page
+Quote Post
Wazoo
post May 24 2005, 06:10 PM
Post #5


What Life?
Group Icon

Group: Forum Admin
Posts: 13194
Joined: 22-January 04
From: Iowa
Member No.: 18



You're getting to the arguement of SMTP rejection at the time of processing vice the "accept then eventually get around to bouncing" problem. This is the subject of much debate in many venues, folks pointing to the RFCs, others pointing out the 'vintage' of the RFCs being pointed at, the efforts on-going in developing 'new' RFCs to cover "today's" internet / spammer infestation ... and of course, not to forget that the spammers are still coming up with new ways to screw over the 'developed in a world of trust' Internet ....
User is offlineProfile CardPM
Go to the top of the page
+Quote Post
StevenUnderwood
post May 24 2005, 06:19 PM
Post #6


What Life?
Group Icon

Group: Membersph
Posts: 5207
Joined: 20-January 04
From: Whitinsville, MA USA
Member No.: 12



QUOTE(RobertWilliams @ May 24 2005, 07:02 PM)
Auto-reponders have no clue what a forged "From" field looks like, all they know is that this is the person that sent the message. The person that can write a program that will tell a computer what a forged "From" field looks like, should win the Nobel Peace Prize.

I have turned my auto-responders off completely, because all it ever does is clogs my queue up.  But there have got to be thousands, if not 10s of thousands, of IT managers, administrators, whatever you want to call them, that don't.  Sure, they should be a little more knowledgeable about their system, but that doesn't mean they should be reported as spammers.
*


But the admins that allow the auto-responders to run know (or should know) that the majority of email messages now (since spam is making up better than 80% of the messages out there by some accounts, including my own numbers) have forged headers. Some people learn this the way you did with the queues filling up with dead messages. Other because of all the bounces they receive.

I believe it is currently a much smaller percentage of sites that allow these types of messages to leave their servers than you seem to indicate. I get very few auto-responders any longer and my users report probably less than 1 per week now (though that is partially educating them what is happening).


--------------------
Steven P. Underwood, DNRC
Whitinsville, MA
underwood+forum[at]spamcop.net

-No trees were killed in the sending of this message. However, a large number of electrons were terribly inconvenienced.-
User is offlineProfile CardPM
Go to the top of the page
+Quote Post
RobertWilliams
post May 24 2005, 07:10 PM
Post #7


Member
**

Group: Members
Posts: 15
Joined: 20-May 05
Member No.: 4080



Wazoo, Steven, thank you both for your help.

Steven, I guess there is only one thing left to do then.....EDUCATE....If I had known about SBLs and RBLs a long time ago, I could have done something about it then. I stumbled upon it one day in my quest to stop the spam from hitting my office. Imagine all the people out there that still have no idea.

Can I (legally) send a SpamCop link to the people I'm getting bounced messages back from, or would that too be considered SPAM?

Thanks again,

RW

This post has been edited by RobertWilliams: May 24 2005, 07:10 PM
User is offlineProfile CardPM
Go to the top of the page
+Quote Post
Jeff G.
post May 24 2005, 09:29 PM
Post #8


T-shirt wearing out
Group Icon

Group: Membersph
Posts: 3730
Joined: 2-July 04
From: Northeast New Jersey (New York Metro Area), USA ... Please read my sig. :)
Member No.: 2041



QUOTE(RobertWilliams @ May 24 2005, 08:10 PM)
Can I (legally) send a SpamCop link to the people I'm getting bounced messages back from, or would that too be considered SPAM?
*
You probably can, but you should ask your ISP just to be safe.


--------------------
Best Regards, Jeff G. (full signature)
User is offlineProfile CardPM
Go to the top of the page
+Quote Post
Miss Betsy
post May 25 2005, 05:53 AM
Post #9


T-shirt wearing out
Group Icon

Group: Membersph
Posts: 3336
Joined: 2-February 04
Member No.: 174



QUOTE(RobertWilliams @ May 24 2005, 07:10 PM)
Wazoo, Steven, thank you both for your help.

Steven, I guess there is only one thing left to do then.....EDUCATE....If I had known about SBLs and RBLs a long time ago, I could have done something about it then.  I stumbled upon it one day in my quest to stop the spam from hitting my office.  Imagine all the people out there that still have no idea.

Can I (legally) send a SpamCop link to the people I'm getting bounced messages back from, or would that too be considered SPAM?
*


If you 'manually' make a report to them, you certainly could phrase your report to include 'education' and include spamcop as where you learned your knowledge or as a reference.

Miss Betsy


--------------------
an almost new internet user
if you don't think your post has been answered sufficiently, please email service[at]admin.spamcop.net
User is offlineProfile CardPM
Go to the top of the page
+Quote Post
RobertWilliams
post May 25 2005, 11:12 AM
Post #10


Member
**

Group: Members
Posts: 15
Joined: 20-May 05
Member No.: 4080



Why thank you Miss Betsy, I will definitely take that into consideration.

RW
User is offlineProfile CardPM
Go to the top of the page
+Quote Post
knol
post Sep 1 2005, 12:12 PM
Post #11


Newbie
*

Group: Members
Posts: 4
Joined: 1-September 05
Member No.: 4514



Hi all, never tought I would need something like spamcop.
Well, about my problem.
Someone is using my website adres as the sender.
Not fisicly, but as if they are coming form my site/server.
Over the last few days I got about 2000 bouncing mails in my inbox.
I use googlemail for the autoredirect, so most mails are directly put in the spambox.
I am from holland, never had anything like this before.
(lucky me?)
Anyway, now I do get them and going nuts.
I hope someone is able to help me out here.
I'm a nOOb about these things.
Reported the abuse at my server provider, they said nothing...
Below I'll put the source of the email, I hope sombody can tell me what I should do!
I am not understanding all the techtalk and had no idear what to search for, so please forgive me if I am posting in the wrong forums...
Please remember, this is a bouncemail which I received from an other server's mail. (IMG:style_emoticons/default/unsure.gif)
CODE

X-Gmail-Received: 397877d0102011bbc19958a09d593415041e8f6b
Delivered-To: knolsurft[at]gmail.com
Received: by 10.70.19.14 with SMTP id 14cs42623wxs;
       Thu, 1 Sep 2005 09:14:41 -0700 (PDT)
Received: by 10.54.56.56 with SMTP id e56mr1735945wra;
       Thu, 01 Sep 2005 09:14:40 -0700 (PDT)
Return-Path: <>
Received: from mail.pcextreme.nl (mail.pcextreme.nl [85.92.129.33])
       by mx.gmail.com with ESMTP id 35si805966wra.2005.09.01.09.14.40;
       Thu, 01 Sep 2005 09:14:40 -0700 (PDT)
Received-SPF: pass (gmail.com: domain of  designates 85.92.129.33 as permitted sender)
Received: (qmail 12019 invoked by uid 89); 1 Sep 2005 17:47:59 +0200
Message-ID: <20050901154759.12018.qmail[at]mail.pcextreme.nl>
Delivered-To: xuanu[at]knol-surft.nl
Received: (qmail 12008 invoked from network); 1 Sep 2005 17:47:59 +0200
Received: from mailer1.kmc-usa.com (12.9.192.45)
 by mail.pcextreme.nl with SMTP; 1 Sep 2005 17:47:59 +0200
Received:
From: <>
To: <xuanu[at]knol-surft.nl>
Date: Thu, 01 Sep 2005 09:00:59 -0800
Subject: b8 Nobody knows
X-Mailer: SurfControl E-mail Filter
MIME-Version: 1.0
Content-Type: multipart/report;
 report-type=delivery-status;boundary="--=_NextPart_ST_09_00_59_Thursday_September_01_2005_19991"


----=_NextPart_ST_09_00_59_Thursday_September_01_2005_19991
Content-Type: text/plain;

Your message could not be sent.
A transcript of the attempts to send the message follows.
The number of attempts made: 1
Addressed To: duvall[at]kmc-usa.com

Thu, 01 Sep 2005 09:00:59 -0700
Failed to send to identified host,
duvall[at]kmc-usa.com: [12.9.192.46], 550 duvall[at]kmc-usa.com... No such user
--- Message non-deliverable.



----=_NextPart_ST_09_00_59_Thursday_September_01_2005_19991
Content-Type: message/delivery-status;


Action: failed
Final-Recipient: rfc822;duvall[at]kmc-usa.com
Diagnostic-Code: smtp; 550 duvall[at]kmc-usa.com... No such user
Status: 5.0.0




----=_NextPart_ST_09_00_59_Thursday_September_01_2005_19991
Content-Type: message/rfc822;

Received: from Unknown [24.173.140.106] by mailer1.kmc-usa.com - SurfControl E-mail Filter (5.0); Thu, 01 Sep 2005 09:00:59 -0700
Received: from [192.168.2.53] (helo=chaste)
    by knol-surft.nl with smtp (Resentful ra 4.55 (Woeful))
    id YfHtLY-rvkEOv-Ny
    for duvall[at]kmc-usa.com; Thu, 1 Sep 2005 10:47:18 -0500
Message-ID: <005301c5af0c$6cd08380$3502a8c0[at]chaste>
Reply-To: "Xuan Woolsey" <xuanu[at]knol-surft.nl>
From: "Xuan Woolsey" <xuanu[at]knol-surft.nl>
To: "Ajith Lentini" <duvall[at]kmc-usa.com>
Subject: b8 Nobody knows
Date: Thu, 1 Sep 2005 10:47:15 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="--=_NextPart_ST_09_00_59_Thursday_September_01_2005_12035"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

This is a multi-part message in MIME format.

----=_NextPart_ST_09_00_59_Thursday_September_01_2005_12035
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

He has been watching yous=3F&nbsp;struggle these last seven years. Understa=
nd thi=0D=0A
----=_NextPart_ST_09_00_59_Thursday_September_01_2005_12035
Content-Type: text/html;
    charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">=0D=0A<HTML><=
HEAD>=0D=0A<META http-equiv=3DContent-Type content=3D"text/html; charset=3D=
us-ascii">=0D=0A<META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR>=0D=
=0A<STYLE></STYLE>=0D=0A</HEAD>=0D=0A<BODY bgColor=3D#ffffff>=0D=0A<DIV>&nb=
sp;</DIV>=0D=0A<DIV><FONT face=3DArial>=0D=0A<TABLE cellSpacing=3D0 cellPad=
ding=3D0 border=3D0>=0D=0A  <TR vAlign=3Dbottom>=0D=0A    <TD rowSpan=3D2>H=
e has been watching you</TD>=0D=0A    <TD></TD>=0D=0A    <TD rowSpan=3D2>s=3F=
</TD>=0D=0A    <TD></TD>=0D=0A  </TR>=0D=0A  <TR>=0D=0A    <TD>&nbsp;strugg=
le these last seven years. Understand thi</TD></TR></TABLE></FONT></DIV></F=
ONT></DIV><DIV>&nbsp;</DIV>=0D=0A<DIV><FONT face=3DArial><A href=3D"http://=
long-sword.com/redirect.php=3Faction=3Durl&goto=3Dlong-sword.com/redirect.p=
hp%3faction=3Durl%26goto=3Dnextermest%252ecom">see  it.</A></FONT></DIV>=0D=
=0A<DIV><FONT face=3DArial></FONT>&nbsp;</DIV></BODY></HTML>=0D=0A
----=_NextPart_ST_09_00_59_Thursday_September_01_2005_12035--


----=_NextPart_ST_09_00_59_Thursday_September_01_2005_19991--
User is offlineProfile CardPM
Go to the top of the page
+Quote Post
Wazoo
post Sep 1 2005, 12:39 PM
Post #12


What Life?
Group Icon

Group: Forum Admin
Posts: 13194
Joined: 22-January 04
From: Iowa
Member No.: 18



knol's post mover/merged into this Topic/Discussion ... PM sent to advise.
Future recommendation - please use a more descriptive Subject line. It is assumed that there is a "Problem" that drove one to start a new Topic in one of the Help Forums. And of course, there is much talk about the use of a Tracking URL instead of cluttering up these Forum posts with generally unusable (and almost always unwanted complete) spam postings. See the Glossary, linked to from the SpamCop FAQ, linked to at the top of every page, a Pinned entry in each forum section for data on the use of and obtaining a Tracking URL.
User is offlineProfile CardPM
Go to the top of the page
+Quote Post
knol
post Sep 1 2005, 04:20 PM
Post #13


Newbie
*

Group: Members
Posts: 4
Joined: 1-September 05
Member No.: 4514



Again, I'm sorry for any inconvenience.
English is not my natural language and I find this forums and website very difficult. I understand there is actually nothing anyone can do to stop this? The ip addresses are forged and there is no way to obtain the offender, is that what I can aspect?
I do understand the copied mail was to long for the forum.
If I ever need to ask somteting again, I will try to only post mail headers or something.
It's just, I'm getting very anoid by all those emails and was hoping for somekind of resenably easy way to get rid of all this. This evening, in just over 3 hours, almost 300 email bounce messages. Please understand my website provider also charges for email traffic.
By the way, thnx for the pm.
User is offlineProfile CardPM
Go to the top of the page
+Quote Post
Wazoo
post Sep 1 2005, 04:34 PM
Post #14


What Life?
Group Icon

Group: Forum Admin
Posts: 13194
Joined: 22-January 04
From: Iowa
Member No.: 18



Not 100% I'm following your setup .. so let's start with something 'easy' ... is xuanu actually a user / account? If not, then the general advice is to turn off the catch-all mode (accept all incoming e-mail) at that server. Limit actions to real / actual e-mail accounts on that system, reject the rest.
User is offlineProfile CardPM
Go to the top of the page
+Quote Post
knol
post Sep 1 2005, 05:00 PM
Post #15


Newbie
*

Group: Members
Posts: 4
Joined: 1-September 05
Member No.: 4514



This email is not one that exists.
It's just fake.
I will see if this at least stops al the mails from poring in my mailbox.
But the problem still exists after I turn of this option ofcourse. All those people will get these emails from "my" server. I hope there will be some sorth of action against those type of...
If the incoming bouncing emails stop I will let you all know... Aleady thanks for this advise! (IMG:style_emoticons/default/smile.gif)
User is offlineProfile CardPM
Go to the top of the page
+Quote Post
turetzsr
post Sep 2 2005, 11:59 AM
Post #16


T-shirt wearing out
Group Icon

Group: Membersph
Posts: 4928
Joined: 26-January 04
From: Michigan USA
Member No.: 59



QUOTE(knol @ Sep 1 2005, 06:00 PM)
<snip>
But the problem still exists after I turn of this option ofcourse. All those people will get these emails from "my" server. I hope there will be some sorth of action against those type of...
*
...You could use SpamCop's spam reporting capability to report them to the appropriate abuse desks. You could also manually send a complaint to legal authorities, such as your local, regional or national authorities as well as the legal authorities in the country of the owner of the source of the spam (if you can find any such authority that might be interested in pursuing the criminal spammers).


--------------------
..Regards,
...Steve T

...A Happy SpamCop.net reporting user (not an employee)
...Please avoid replying via e-mail, as it is not secure
User is offlineProfile CardPM
Go to the top of the page
+Quote Post
knol
post Sep 7 2005, 07:08 AM
Post #17


Newbie
*

Group: Members
Posts: 4
Joined: 1-September 05
Member No.: 4514



It seems to work!
Thnx again!
User is offlineProfile CardPM
Go to the top of the page
+Quote Post
walkupright
post Apr 4 2008, 11:41 AM
Post #18


Newbie
*

Group: Members
Posts: 1
Joined: 4-April 08
Member No.: 8636



I'm having the same issue. Over the last few days, I have been receiving 100's of bounce back messages that say my email could not be delivered. When I look at the message, I see that it is spam that was sent with my email address in the header.

If I were to go through every header and try to contact the organization that sent the bounce back so that I could notify them and encourage them to change their settings to avoid sending me bounce backs, this task would take more time than I have.

What options do I have now? My hosting company told me to get a new email address. Ha. Funny. I've been using this address for almost 10 years. It's on my business cards, web sites, etc. Changing an email address sounds like a ridiculous solution.

So, what else can I do? Even deleting the 100's of messages every day is becoming a tedious task.

Thanks,
User is offlineProfile CardPM
Go to the top of the page
+Quote Post
Wazoo
post Apr 4 2008, 12:48 PM
Post #19


What Life?
Group Icon

Group: Forum Admin
Posts: 13194
Joined: 22-January 04
From: Iowa
Member No.: 18



QUOTE(walkupright @ Apr 4 2008, 11:41 AM) *
If I were to go through every header and try to contact the organization that sent the bounce back so that I could notify them and encourage them to change their settings to avoid sending me bounce backs, this task would take more time than I have.

What options do I have now? My hosting company told me to get a new email address. Ha. Funny. I've been using this address for almost 10 years. It's on my business cards, web sites, etc. Changing an email address sounds like a ridiculous solution.

So, what else can I do? Even deleting the 100's of messages every day is becoming a tedious task.

One can only surmize that you do not yet have a SpamCop.net Reporting Account. These are described in various FAQ entries as Misdirected Bounces and as such are reportable via the SpamCop.net Parsing & Reporting System.

First and easiest suggestion other than riding out the storm .... sign up for a free Reporting Account at www.spamcop.net.
User is offlineProfile CardPM
Go to the top of the page
+Quote Post
agsteele
post Apr 5 2008, 04:15 AM
Post #20


Been There
Group Icon

Group: Memberp
Posts: 1199
Joined: 31-January 04
From: Keighley UK
Member No.: 148



QUOTE(Wazoo @ Apr 4 2008, 06:48 PM) *
First and easiest suggestion other than riding out the storm .... sign up for a free Reporting Account at www.spamcop.net.

Wazoo's advice is always useful... But bear in mind that reporting misdirected bounces will not, itself, stop the problem you are experiencing. You also need to implement a spam blocking/filtering/rejection mechanism at your mail server or on your local machine.

Andrew


--------------------
A SpamCop user - all comments I make are mine and not SpamCop's :-)

All comments in these forums are from users offering help to other users unless the user explicitly identifies themselves as SpamCop staff.

To contact SpamCop staff Email service[at]admin.spamcop.net
User is offlineProfile CardPM
Go to the top of the page
+Quote Post

Reply to this topicStart new topic
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:

 

- Lo-Fi Version Time is now: 18th April 2014 - 06:16 PM