Stolen from the spamcop newsgroup;
Onyx wrote:
> Ok, I just received ca. 100 messages notifying me of failed delivery of
> emails I didn't send and they keep coming, woo hoo. Apparently, spammer
> vermin used email on my domain as a return address for their spam.
>
> Two questions:
> 1. What would be the best way to deal with this?
First of all, check your mail server to make sure that it will not relay
for a spammer forging a real user on your domain. Apparently there is a
popular mail server software out there that is designed to do that and
there is no way to disable that feature except to enable SMTP-AUTH for
all e-mail. This is what I have picked up from the admin(at)dsbl.org
list's public archives.
Then assuming that your mail server is not the one that is affected by
this feature:
File abuse reports about the delayed bounces with each mail server that
is doing the delayed bounce.
Such delayed bounces are now reportable by spamcop.net:
See a recent post in spamcop.help by Larry Kilgallen for a sample text:
: As I report that spam (the message claiming I sent a message
: I did not) I include something like the following text in my
: SpamCop report:
Believe it or not, spammers lie.
Please adjust your software to not send these meaningless warnings
blindly to the "From:" address, but instead respond within the
SMTP dialog, so your comments get to the actual originator rather
than pestering an innocent bystander.
While the bounces are allowed by RFC, it is from a time when third party
open relays were also allowed.
Most mail servers do an SMTP reject, which means that any bounce message
will come from the original sending mail server, and the only ones of
those that are relaying spam are either the domain that should receive
the abuse report for one of their users, or an open relay. Open relays
should be blocked on site.
When mail servers do not do an SMTP reject, and do an accept and bounce,
then they are participating in a DDoS against victims like you.
There have also been several recent posts on news.admin.net-abuse.email
about the practice of abusive bouncing of spam.
There are some mail server operators that claim that it is not practical
to convert to SMTP rejects instead of bouncing.
These mail server operators must be bigger than AOL.COM, which had
several years ago announced on the SPAM-L mailing list that they
recognized that such bounces were abusive to the rest of the internet
and were switching over to only using SMTP rejects.
It seems that for every example of someone claiming that their network
is too large to convert, an example can be found of a larger network
that did so. And I suspect that it is a much lower operational cost to
use SMTP rejects instead of doing the accept and then bouncing.
> 2. Could this possibly get my domain listed on anti-spam lists?
Only if the mail server operator is either incompetent, or is so small
that it is unlikely that they will ever receive a legitimate e-mail from
your domain.
According to posts on news.admin.net-abuse.email, even the conservative
spamhaus.org will eventually list I.P. addresses that bounce spam to
forged addresses.
It is far more likely that the I.P. addresses of the mail servers that
are bouncing the spam will get put on local and public blocking lists
than the I.P. address of your domain.
Most medium to large mail servers pay a metered rate for their
bandwidth, and accepting fake bounces or spam needlessly increases their
operating costs.
So if the only e-mail they have ever seen from an I.P. address is spam
or fake bounces, many mail server operators that are paying for
bandwidth out of their profits or pockets will block that I.P. address.
-John
wb8tyw <at> qsl.network
Personal Opinion Only
EDIT: Wazoo edited the above, based on Jeff G's observation, a few newsgroup replies that pointed to the same situation, and John's later post;
QUOTE
A typo on my part, I meant to type now instead of not. In this case
though it may not have been obvious.
-John
wb8tyw <at> qsl.network
Personal Opinion Only
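As an added illustration, not part of the original thread, here is a small Python model of the two points John makes: the relay decision (a server that relays whenever MAIL FROM names a local domain can be driven by anyone who forges that address, whereas relaying only for SMTP-AUTH clients cannot) and the recipient policy (a 550 at RCPT TO leaves the connecting host holding the error, while accept-then-bounce produces a DSN to the forged Return-Path, i.e. to the innocent bystander). The domain example.net, the mailboxes alice and bob, the host names and the dialog text are constructed assumptions, not captured traffic.

```python
"""Model of an SMTP receiver: relay policy and reject-vs-bounce behaviour.

Added example; the domain, mailboxes and host names below are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

LOCAL_DOMAIN = "example.net"      # assumed domain of the receiving MTA
LOCAL_USERS = {"alice", "bob"}    # assumed valid mailboxes on that domain


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _is_local_mailbox(addr: str) -> bool:
    user, _, domain = addr.rpartition("@")
    return domain.lower() == LOCAL_DOMAIN and user.lower() in LOCAL_USERS


def relay_allowed(mail_from: str, rcpt_to: str, authenticated: bool, policy: str) -> bool:
    """Should RCPT TO for a non-local domain be accepted (i.e. relayed)?

    'sender_domain': relay if MAIL FROM claims a local address. MAIL FROM is
                     whatever the client types, so a spammer forging
                     alice@example.net gets a free relay.
    'auth_only':     relay only for clients that completed SMTP-AUTH.
    """
    if _domain(rcpt_to) == LOCAL_DOMAIN:
        return True                       # local delivery, not a relay
    if policy == "sender_domain":
        return _domain(mail_from) == LOCAL_DOMAIN
    if policy == "auth_only":
        return authenticated
    raise ValueError("unknown relay policy: %s" % policy)


@dataclass
class Session:
    transcript: List[str] = field(default_factory=list)  # "C:"/"S:" lines
    accepted: bool = False            # server answered 250 after DATA
    dsn_to: Optional[str] = None      # where a post-acceptance bounce went


def smtp_receive(mail_from: str, rcpt_to: str, policy: str) -> Session:
    """Server side of one transaction. An empty mail_from is the null sender <>.

    'reject':             unknown user gets 550 at RCPT TO; nothing is queued,
                          so the sending host (the spammer's) keeps the error.
    'accept_then_bounce': every RCPT TO gets 250; the queue runner later finds
                          no mailbox and bounces to the (forged) Return-Path.
    """
    if policy not in ("reject", "accept_then_bounce"):
        raise ValueError("unknown recipient policy: %s" % policy)
    s = Session()
    say = s.transcript.append
    say("S: 220 mx.%s ESMTP" % LOCAL_DOMAIN)
    say("C: HELO spamhost.example")
    say("S: 250 mx.%s" % LOCAL_DOMAIN)
    say("C: MAIL FROM:<%s>" % mail_from)
    say("S: 250 2.1.0 Ok")
    say("C: RCPT TO:<%s>" % rcpt_to)
    deliverable = _is_local_mailbox(rcpt_to)
    if not deliverable and policy == "reject":
        say("S: 550 5.1.1 <%s>: User unknown" % rcpt_to)
        say("C: QUIT")
        say("S: 221 2.0.0 Bye")
        return s                          # no message, no bounce, no victim
    say("S: 250 2.1.5 Ok")
    say("C: DATA")
    say("S: 354 End data with <CR><LF>.<CR><LF>")
    say("C: (message headers and body)")
    say("C: .")
    say("S: 250 2.0.0 Ok: queued")
    s.accepted = True
    say("C: QUIT")
    say("S: 221 2.0.0 Bye")
    if not deliverable and mail_from:
        # Only address left is the Return-Path the spammer forged: backscatter.
        # A null sender (<>) must never be bounced to, hence the mail_from check.
        s.dsn_to = mail_from
    return s


if __name__ == "__main__":
    for pol in ("reject", "accept_then_bounce"):
        sess = smtp_receive("victim@innocent.example", "nosuchuser@example.net", pol)
        print("--- policy:", pol)
        print("\n".join(sess.transcript))
        print("DSN sent to:", sess.dsn_to)
```

Running the module prints both dialogs; only the accept-then-bounce one ends with a DSN addressed to the forged victim address, which is exactly the mail the original poster was receiving a hundred copies of.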