The primary mode of support here is peer-to-peer, meaning users helping other users. (please remember this at all times!)
Another try:
This forum is composed of people who have used spamcop and those who are learning about anti-spam efforts.
| ZoRaC |
Sep 19 2006, 05:34 PM
Post
#1
|
|
Newbie Group: Members Posts: 1 Joined: 19-September 06 Member No.: 6700 |
Since I use a "catch-all" address on my domain, I want to be able to know what address the spammer has sent the email TO, so that I can deactivate that particular email on my server.
I thought the "Delivered-to" in the header would tell me this, but it seems it doesn't. Can the spammer spoof this part of the header? Any other way to find out?

Best regards, Sven-Ove |
| dra007 |
Sep 19 2006, 05:40 PM
Post
#2
|
|
Been There Group: Memberp Posts: 1413 Joined: 18-March 04 Member No.: 777 |
What you are calling for is tantamount to listwashing. Spammers spoof everything except for the IP of injection. They often hide the real recipients in bcc, and since they use dictionary attacks many of the Deliver to: are bogus.
|
| Wazoo |
Sep 19 2006, 07:30 PM
Post
#3
|
|
What Life? Group: Forum Admin Posts: 12536 Joined: 22-January 04 From: Iowa Member No.: 18 |
QUOTE
Since I use a "catch-all" address on my domain, I want to be able to know what address the spammer has sent the email TO, so that I can deactivate that particular email on my server.

????? catch-all typically means 'nothing is defined for specific accounts' .... therefore "deactivate that specific account" doesn't really make a lot of sense. Add that to the many and various ways e-mail addresses are 'created' by spammers, this seems like a losing game .. why not simply define certain accounts, reject anything else? |
| DavidT |
Sep 20 2006, 12:47 AM
Post
#4
|
|
Been There Group: Memberp Posts: 1897 Joined: 28-January 04 Member No.: 63 |
QUOTE
Since I use a "catch-all" address on my domain

Sorry, but that's really a bad idea. I strongly recommend that you set up specific aliases/forwards for all desired addresses. Here's a quote from JT, the admin of the SpamCop email system:

QUOTE
We really discourage catch-all domains like you have set up because you end up receiving hundreds or thousands of spams that could have been trivially rejected just by asking your domain host to only accept valid email addresses. Catch-alls were fine 10 years ago, but aren't any more.

DT |
| showker |
Oct 3 2006, 02:14 PM
Post
#5
|
|
Member Group: Members Posts: 99 Joined: 22-October 04 Member No.: 2909 |
|
| dbiel |
Oct 3 2006, 02:37 PM
Post
#6
|
|
Been There Group: Membersph Posts: 2453 Joined: 20-February 04 From: San Gabriel Valley CA USA (Los Angeles) Member No.: 447 |
QUOTE
So -- can you illustrate WHAT the "IP of injection" is ??? And, is that the IP one would BLOCK at server level?

Maybe the best way to start is to look at how mail travels through the internet.

Every time a server receives a mail message it knows the IP address that it came from by the packet header (not the email header). When the server forwards the message it should add to the email header the information (including IP address) of where the message came from and where it is going to be sent to. If a spammer has control of the server, the recorded IP address can be forged along with any other recorded data.

The first properly configured mail server that receives the message outside of the control of the spammer can be considered the injection point (the point that the message enters the "internet"). Anything prior to that point could be considered intranet regardless of the fact that it may be using internet connections. Zombie computers are actually a part of the spammer's intranet as they have control over them.

--------------------
This forum is a user support forum. The Moderators and Forum Admin are volunteers (not paid) and have no special direct relationship with SpamCop.net.
If you have been unable to receive the assistance you need here please see How To Contact SpamCop Staff. Thank you for your participation in our peer to peer, user based forums. |
| MikeRG |
Oct 17 2006, 05:20 AM
Post
#7
|
|
Member Group: Members Posts: 14 Joined: 25-May 04 Member No.: 1666 |
QUOTE
Sorry, but that's really a bad idea. I strongly recommend that you set up specific aliases/forwards for all desired addresses. Here's a quote from JT, the admin of the SpamCop email system: DT

(I am a domain owner using a hosting provider.)

I am currently using catchall and it has worked well in the past, but, with the devious methods that spammers are now using to obtain mail lists, I am beginning to realise the error of my ways. Currently receiving an average of 214 spams per day sent to invented, harvested and immorally (if not illegally) passed on addresses. All to ***[at]mydomain.xyz. Many that use a legitimate prefix and add one or two characters to it.

Like many others, I originally used catchall so that when I needed to supply an email address online, I used part of their name as the prefix. That way I would know if they had passed it on to spammers. The trouble is that over the last 10 years or so, I have given out many different addresses that I have not kept track of.

I am currently reporting the 214 spams per day (137 today and it's only 10:15am), and analysing the Sent To addresses so that I can add the genuine ones as separate pop3 accounts, eventually eliminating the need for catchall.

Some statistics that you may (or may not) find interesting.
Using 1392 reported spams (6.5 days)
My interpretation of the way that email addresses originated:
Harvested: 13%
Passed on: 67%
Invented: 20%
Spammed addresses: 27 (***[at]mydomain)
Domains received from: 475 (***[at]anydomain)
yahoo[dot]com: 99 = (8.6%) Top culprit
fastmail[dot]ca: 17 = (1.5%) Second culprit
These are genuine as of 10:27am Oct-17-2006 (GMT)

This is why I now only give out my Hotmail email address to online requests. Hotmail accounts being free, I may open a few more and use them the same way.

When I stop using my catchall facility, what should I do with rejected mail? Bounce it or Delete it. These are the two choices that my host offers. I understand that to bounce could cause problems for innocent victims of spammers using false Sent From addresses and increases traffic. To delete will not inform the sender that this address does not exist and they will still keep sending.

I hope the stats help.
Thanks and regards to all
~Mike~

This post has been edited by MikeRG: Oct 17 2006, 05:23 AM |
| Miss Betsy |
Oct 17 2006, 07:50 AM
Post
#8
|
|
T-shirt wearing out Group: Membersph Posts: 3332 Joined: 2-February 04 Member No.: 174 |
QUOTE
So -- can you illustrate WHAT the "IP of injection" is ??? And, is that the IP one would BLOCK at server level?

Actually, I thought that the only IP address that couldn't be spoofed is the IP address that your ISP receives the email from (because they get it from the 'packet' not the headers). After that, one needs to be able to distinguish whether the header line was added by a legitimate server or not. That's what the parser does by checking DNS, etc.

A human reading the same header lines may be able to see things the parser doesn't in complicated cases. However, the parser does it much faster than a human can for most email - which is why people use spamcop reporting services. And then there are others who don't understand headers who use spamcop because they can't read headers.

If the parser (or a human) comes to a header line that doesn't seem to be real, then the header line before that (tested to be a real IP address) is considered the 'injection' IP address and the place to send reports. Intranet (servers passing email within its network) is not something that an outsider can test so, in most cases, when the parser comes to a line it can't test, it finds the computer where the spam was 'injected' into the internet.

That's a layman's explanation. There are all kinds of details that I left out (or perhaps not properly described).

Miss Betsy
--------------------
an almost new internet user
if you don't think your post has been answered sufficiently, please email service[at]admin.spamcop.net |
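The header walk described in posts #6 and #8, as an added example that is not part of any poster's message and is not SpamCop's parser: start from the Received line your own server wrote, and accept each older line only if the host that claims to have written it matches the IP the previous trusted line recorded. The hostnames, addresses, the `KNOWN_HOSTS` table (standing in for DNS checks) and the message are all constructed for illustration.

```python
import re
from email import message_from_string

# Constructed stand-in for DNS lookups so the example runs offline.
# All names and addresses are made up (documentation ranges).
KNOWN_HOSTS = {
    "mx.mydomain.example": "192.0.2.10",
    "relay.isp.example": "198.51.100.25",
}

# Constructed message. Newest Received line is first; the last one was
# written by the sender and cannot be tested from outside.
RAW = (
    "Received: from relay.isp.example (relay.isp.example [198.51.100.25])\n"
    "\tby mx.mydomain.example with ESMTP; Tue, 19 Sep 2006 17:30:02 +0000\n"
    "Received: from unknown (HELO mail.bank.example) [203.0.113.77]\n"
    "\tby relay.isp.example with SMTP; Tue, 19 Sep 2006 17:30:00 +0000\n"
    "Received: from mail.bank.example [10.1.1.1]\n"
    "\tby smtp.bank.example with SMTP; Tue, 19 Sep 2006 17:29:00 +0000\n"
    "From: someone@bank.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # [a.b.c.d] in a hop
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)          # host that wrote the line

def injection_ip(raw, my_server):
    """Return the last source IP reached through verifiable Received lines."""
    hops = message_from_string(raw).get_all("Received") or []
    writer_ip = KNOWN_HOSTS[my_server]   # the top line must come from our server
    source = None
    for line in hops:
        by, ip = BY_RE.search(line), IP_RE.search(line)
        # Stop at the first line whose claimed writer does not resolve to the
        # IP that the previous trusted hop recorded from the connection.
        if not by or not ip or KNOWN_HOSTS.get(by.group(1).lower()) != writer_ip:
            break
        source = ip.group(1)
        writer_ip = source               # the next line must be written by this host
    return source

if __name__ == "__main__":
    print(injection_ip(RAW, "mx.mydomain.example"))
```

The third Received line claims to be written by a host that does not match the address the ISP relay saw, so the walk stops and the address recorded by the relay is reported as the injection point.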
| turetzsr |
Oct 18 2006, 06:38 PM
Post
#9
|
|
T-shirt wearing out Group: Membersph Posts: 3575 Joined: 26-January 04 From: Michigan USA Member No.: 59 |
QUOTE
<snip> When I stop using my catchall facility, what should I do with rejected mail? Bounce it or Delete it These are the two choices that my host offers.

...FWIW, my choice would be option 3: find a provider that rejects with a 500-level message or accepts it but allows you to direct it to a separate inbox. In the meantime, of the two choices you have, IMHO a delete would be the choice of a better netizen.

--------------------
..Regards,
...Steve T ...A Happy SpamCop.net user (not an employee) ...Please avoid replying via e-mail, as it is not secure |
| DavidT |
Oct 18 2006, 06:48 PM
Post
#10
|
|
Been There Group: Memberp Posts: 1897 Joined: 28-January 04 Member No.: 63 |
QUOTE
I am currently reporting the 214 spams per day (137 today and it's only 10:15am), and analysing the Sent To addresses so that I can add the genuine ones as separate pop3 accounts, eventually eliminating the need for catchall.

I went through that painful process a few years ago, and might have missed a few, but oh well. However, I don't understand why you'd want to create unique POP3 boxes for each of the many addresses you've "made up" for use with vendors, etc. If you're the only one who needs to receive those messages, you should be able to set up "aliases" that forward the special addresses wherever you want, such as collecting them all into your main POP account, or some combination of those techniques, if you want to have some stuff collect and then POP it separately. I have hundreds of aliases, but only a few POP accounts.

DT |