
What to do about fake bounces?


I've seen a couple of messages regarding faked bounces in the past, but haven't seen anything that looks like it is actually going to deal with them.

Has anybody come up with some way of reporting this new successful spam phenomenon? I realize the TOS here restricts us from reporting bounces (even spam-bounces aka 'rubber spam'), but I'm now getting several hundred of these each week, sometimes hundreds even in one day. Since they 'appear' to be from a role individual, they get right on through.

Since I've got my own domain name with my own virtual hosting, I'm the one that gets all the postmaster messages.

Ideas?

Mike

(I did search here and with google and yahoo, but still looking for better ideas)


Have to start from the beginning on this one. The "bounced" e-mail itself .. the problem starts with the issues of just what was bounced, what the bounce contains .. if the entire "original" e-mail is contained, there once was a time that one could extract that and run it through the parser, kick out the complaint. However, though this worked for those that could read the headers and pull out just the right stuff, too many folks that didn't have this knowledge got to trying it, causing multitudes of ISP complaints over the bad reporting. So, no more reporting of "other people's spam" (based on the fact that it was allegedly addressed to go elsewhere, yada yada ...)

Then there's the bounced e-mail that has had the content stripped. Those obviously are a lost cause.

So, if you have one out of these hundreds that still contain the original e-mail, technically, one can extract that, run it through the parser if necessary, get the complaint addresses, cancel the SpamCop report, then generate your own manual complaint to the idiots that are still bouncing to forged "From:" addresses in an attempt to enlighten them.

Not a bright prospect, but the only advice really allowed in order to keep you from getting your account into trouble and then having you point to "me" as being the reason you did things in some other fashion <g>


Uh... I read:

mikesmithfl - Posted on Jul 6 2004, 08:32 AM

I've seen a couple of messages regarding faked bounces...  Has anybody come up with some way of reporting this new successful spam phenomenon?

which is a legit question asking about how to stop actual real spam that merely looks like a bounce, and then read:

Wazoo - Posted on Jul 6 2004, 12:32 PM

Have to start from the beginning on this one. The "bounced" e-mail itself .. the problem starts with the issues of just what was bounced...

which is a reply concerning actual bounces. I do not believe mikesmithfl's actual question was answered. And if it was, I'll now pose the question just in case:

Are we allowed to report spam that is disguised as a bounce? ie spam that looks like a bounce from elsewhere, but in actual fact is not.

...Stu


<snip>

Are we allowed to report spam that is disguised as a bounce? ie spam that looks like a bounce from elsewhere, but in actual fact is not.

...FWIW, SpamCop FAQ: On what type of email should I (not) use SpamCop? reads, in part:

Do not use SpamCop to report anything except spam. This includes bounces and other legitimate responses to your SpamCop reports.

<snip>

For SpamCop, spam must be:

  • unsolicited (I didn't request it), and
  • automated/bulk (this same email was sent to many people at once).

There are other situations that qualify, but the bulk of spam will meet the above requirements. You have to use your own judgment. This is weighed against the judgment of the person who will eventually receive the spam report - the network administrator. This person will look at the email, see if they think it constitutes abuse of their system and then decide whether to honor your request for disciplinary action.

Bounces:

Bounces generated because of a forged email (often spam or viruses claiming to be from you) are a nuisance, and by some people's definition, they are spam. However, reporting them accomplishes nothing. The system which generated the bounce is not guilty of any sin - bounces are generally a good thing.

If the bounce message contains spam, it is not permitted for you to report the spam contained within the bounce, even if it includes what appear to be the full original headers. This is someone else's spam, not yours. It is expected that you can verify the headers of reported mail are accurate, something you can't do for mail received on a network you are not familiar with.

<snip>

...All this leads me to believe that as long as the "fake bounce" is

  • unsolicited (I didn't request it), and
  • automated/bulk (this same email was sent to many people at once).

then it may be reported via SpamCop's reporting system.

...And you can always manually LART!


I even got virus attacks that were disguised as bounces. It is certainly a legit question. The point Wazoo makes is how to report what looks like a bounce and still contains the original spam.

And Steve's discussion clears all that up, even though it is starting to look like a circular argument. In the event the bounce is due to a forged header a request to their abuse desk to look into it is also legit, and in my experience has positive results. But you have to do the reporting on your own, not through SpamCop.


I even got virus attacks that were disguised as bounces. It is certainly a legit question. The point Wazoo makes is how to report what looks like a bounce and still contains the original spam.

...Sure. And I take the FAQ to mean that:

  • if it's a bounce, it's only to you (therefore not bulk) and is someone else's spam, not yours -- therefore, you can't report it via SpamCop's reporting system
  • if it's a fake bounce (the subject of the question), and if it's sent to others in addition to you, then it's your spam and therefore reportable via SpamCop's reporting system

...Do I have that right?


Sounds good to me. A true bounce is to one recipient only, faked header or not. Yet I got what looked like bounces addressed to me only (i.e. rejected message with usual/standard content). Yet it contained a virus. You would think a responsible ISP would not send viruses with a legitimate bounce. Here is an example I received recently:

Received: from source ([217.156.87.150]) by exprod7mx5.postini.com ([12.158.38.251]) with SMTP;
    Tue, 06 Jul 2004 00:00:14 CDT
From: grv[at]aol.com
To:  :P [at]pitt.edu
Subject: Mail Delivery (failure  :P [at]pitt.edu)
Date: Tue, 6 Jul 2004 08:03:57 +0300
MIME-Version: 1.0
Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="----=_NextPart_000_001B_01C0CA80.6B015D10"
X-Priority: 3
X-MSMail-Priority: Normal
X-pstnvirus: Exploit-MIME.gen.c
boundary="

--------------------------------------------------------------------------------

Date: Tue, 6 Jul 2004 08:03:57 +0300
From: grv[at]aol.com
To:  :P [at]pitt.edu
Subject: Mail Delivery (failure  :P [at]pitt.edu)
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64

VmlydXMgdmFyaWFudCBkZXRlY3RlZCBhbmQgZGVsZXRlZC4=

It contains a mime exploit virus as detected by the filter on my server.

See my post in the Lounge on this particular spam gang known to send out trojans and the like.

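The header dump in the post above is a good test case for telling a real delivery status notification from something merely dressed up as one. A genuine DSN (RFC 3464) is a multipart/report message with report-type=delivery-status, a message/delivery-status part carrying Action and Status fields, and a null envelope sender (Return-Path: <>). The message above has a bounce-style subject but is multipart/related, comes from a real sender, and carries an application/octet-stream blob, which is what the filter flagged. The Python below is an added example, not code from the thread or from SpamCop: it applies those structural checks to two constructed messages, one modelled on the posted headers (with example.com/example.net addresses substituted) and one standards-conformant DSN.

```python
"""Classify a message that claims to be a delivery failure.

Added example, not code from the original thread. Checks the RFC 3464
structure (multipart/report + message/delivery-status + null sender) rather
than the subject line, which is the part a spammer controls. Sample messages
are constructed for this example.
"""
import email
import re
from email import policy

BOUNCE_SUBJECT = re.compile(r"deliver|undeliver|returned|failure|mailer-daemon|postmaster", re.I)

# Content types a delivery report has no business carrying as an opaque blob.
OPAQUE_BINARY = {"application/octet-stream", "application/x-msdownload",
                 "application/zip", "application/x-zip-compressed"}

# Constructed sample 1: modelled on the headers quoted above. Bounce-shaped
# subject, but multipart/related, a real sender and a binary attachment.
FAKE_BOUNCE = b"""\
Return-Path: <grv@example.net>
Received: from source ([192.0.2.10]) by mx.example.com ([198.51.100.5]) with SMTP;
    Tue, 06 Jul 2004 00:00:14 CDT
From: grv@example.net
To: mike@example.com
Subject: Mail Delivery (failure mike@example.com)
Date: Tue, 6 Jul 2004 08:03:57 +0300
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="B1"

--B1
Content-Type: text/plain

The original message was included as an attachment.
--B1
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64

VmlydXMgdmFyaWFudCBkZXRlY3RlZCBhbmQgZGVsZXRlZC4=
--B1--
"""

# Constructed sample 2: a standards-conformant DSN for mail mike@example.com sent.
GENUINE_DSN = b"""\
Return-Path: <>
Received: from mail.example.org ([203.0.113.7]) by mx.example.com with ESMTP;
    Tue, 06 Jul 2004 09:12:01 -0500
From: Mail Delivery System <MAILER-DAEMON@example.org>
To: mike@example.com
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="R1"

--R1
Content-Type: text/plain; charset=us-ascii

This is the mail system at host mail.example.org.
The message could not be delivered to one or more recipients.
--R1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.org

Final-Recipient: rfc822; nobody@example.org
Action: failed
Status: 5.1.1
--R1
Content-Type: message/rfc822

From: mike@example.com
To: nobody@example.org
Subject: hello

Original message body.
--R1--
"""


def classify_bounce(raw: bytes) -> dict:
    """Return the structural evidence plus a verdict: dsn, fake_bounce or other."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return_path = str(msg.get("Return-Path") or "").strip()
    subject = str(msg.get("Subject") or "")
    parts = list(msg.walk())

    status_part = next((p for p in parts if p.get_content_type() == "message/delivery-status"), None)
    action = status = None
    if status_part is not None:
        # The delivery-status body parses into header blocks (per-message,
        # then one per recipient); pull Action/Status out of them.
        blocks = status_part.get_payload()
        for block in blocks if isinstance(blocks, list) else []:
            if action is None and block.get("Action"):
                action = str(block["Action"]).strip()
            if status is None and block.get("Status"):
                status = str(block["Status"]).strip()

    evidence = {
        "null_sender": return_path == "<>",
        "report_type": msg.get_param("report-type") if msg.get_content_type() == "multipart/report" else None,
        "has_delivery_status": status_part is not None,
        "action": action,
        "status": status,
        "binary_parts": [p.get_content_type() for p in parts if p.get_content_type() in OPAQUE_BINARY],
        "subject_looks_like_bounce": bool(BOUNCE_SUBJECT.search(subject)),
    }
    if (evidence["null_sender"] and evidence["report_type"] == "delivery-status"
            and evidence["has_delivery_status"] and not evidence["binary_parts"]):
        evidence["verdict"] = "dsn"
    elif evidence["subject_looks_like_bounce"]:
        # Bounce-shaped subject without the RFC 3464 structure, or with an
        # opaque binary attached: spam or malware wearing a bounce costume.
        evidence["verdict"] = "fake_bounce"
    else:
        evidence["verdict"] = "other"
    return evidence


if __name__ == "__main__":
    for name, raw in (("fake", FAKE_BOUNCE), ("genuine", GENUINE_DSN)):
        print(name, classify_bounce(raw))
```

Note the order of the checks: a message only earns the "dsn" verdict on structure and a null sender; a bounce-style subject on its own is treated as evidence against it. Real MTAs do vary (some older ones send plain text bounces without a multipart/report wrapper), so in production this is a scoring input, not the sole gate.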

There is a post over in the spamcop newsgroup, put there just a couple of hours ago, from Ellen. Post title is "report spam from bounces" .... Ellen's response is;

It is and has been against the SC TOS/AUP to report bounces or the spams contained in bounces using SpamCop.

Ellen

SpamCop

So to try to sum it up, if you have to ask about how or "can I" .. you'd probably be best served by not trying it.


I have not ever seen one, but I think I remember people posting spam - emails that were never bounced - that had something in the email that caused spamcop to reject it as a bounce.

Usually, however, when someone refers to fake bounces, they are referring to emails that are informing you of 'undeliverable' email, yet contain spam or a virus.

A. Some of those are sent by ISPs who accept all the email and then send an email to those it can't deliver saying it is undeliverable (this is RFC compliant, BTW, however with the common spammer practice of forging the return path, these emails have become as much of a nuisance as spam). A true bounce is email rejected at the server level, returned to the IP address it came from with a code message which the administrator translates to a message which he sends to the original sender.

B. Some of the emails sent as 'bounces' are sent by those who use the 'bounce' feature on Mailwasher, spamassassin, and perhaps other programs that offer to 'send the spammer a bounce message'. Since the return path is always forged by the spammer to avoid getting these bounces, they only go to innocent people.

C. Some of the emails that look like undeliverable email are a particular virus (I forget the name) that uses variations of 'postmaster' and 'undeliverable' in the sender and subject lines.

Since the OP is running a server, what he needs is advice from other people who are running servers on how to handle what he terms 'fake' bounces which may be either A or B. OTOH, he may be talking about a real 'fake' bounce, an email designed by the spammer to look like a bounce, but sent directly through an open proxy or spam and with a legitimate 'postmaster' name in the To line which must always be delivered. Again, the advice he needs is from other people who run servers. If he is interested (he hasn't posted again, has he?), I suggest that he post in spamcop.geeks and specify A, B, or C or if it is not one of those, exactly what the characteristics are.

Miss Betsy


Thanks Miss Betsy, I was in the middle of composing my reply when I read yours. The correct choice is A. I'll head on over to .geeks and see what I might find over there.

I believe the spammers are effectively using the MTAs (or mail servers, not sure of correct acronym) as open relays (if I'm using the term correctly). They're sending the spam to as many random addresses as possible and relying on the MTA to 'forward' the spam as a DSNF (delivery status notice - Failure) to the 'From' address listed in the spam. And since the bounces are supposed to be accepted by your own mail server, they get right on through the spam detectors.

Although, there are several messages that appear to be designed to actually 'impersonate' a DSNF.

Nearly all (probably 80%) of the messages have the exact same spam cargo inside, some kind of ad for new stocks trading undervalue and with a link to msn.com for further info on the stock. It doesn't take much paranoia or imagination to think of a link to terrorist organizations trying to boost the value of stock they just bought and then selling it after their free advertising campaigns provided by improperly configured mail servers. (edit) Maybe I should say ineffectively configured)

Thanks all!

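The mechanism described above (a remote MTA accepts mail for a non-existent user and only then generates a failure notice to the forged sender address, commonly called backscatter) cannot be fixed from the receiving side by filtering on content, because the notice is a legitimate bounce from a legitimate server. What the owner of the forged domain can do is make his own outgoing envelope sender verifiable: tag the MAIL FROM / Return-Path of every message that leaves his domain with a keyed, expiring signature, then reject at RCPT TO any null-sender message addressed to an untagged or badly signed address, since no such message was ever sent. The Python below is an added example, not code from the thread, from SpamCop or from any MTA; it is modelled on the "prvs" tag layout of the BATV draft (draft-levine-smtp-batv), with the secret, the fixed date and the addresses all constructed for the example.

```python
"""BATV-style signed return paths, to reject backscatter at RCPT TO.

Added example, not code from the original thread. Tag layout modelled on the
BATV "prvs" scheme:  prvs=KDDDHHHHHH=user@example.com  where K is a key
rotation digit, DDD the expiry day-of-year mod 1000, HHHHHH the first six
hex digits of an HMAC over those fields and the address. The key, the fixed
'today' and the addresses are constructed for the example.
"""
import hashlib
import hmac
import re
from datetime import date

PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$", re.I)
VALID_DAYS = 7                        # how long a tag stays acceptable
SECRET = b"constructed-example-key"   # assumption: a per-domain secret, rotated via key id
TODAY = date(2004, 7, 6)              # fixed so the example is deterministic


def _mac(key_id: int, exp_day: int, address: str, key: bytes) -> str:
    data = f"{key_id}{exp_day:03d}{address.lower()}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:6]


def sign_return_path(address: str, key: bytes = SECRET, today: date = TODAY,
                     key_id: int = 0) -> str:
    """Tag an outgoing envelope sender so bounces to it can be recognised later."""
    exp_day = (today.timetuple().tm_yday + VALID_DAYS) % 1000
    return f"prvs={key_id}{exp_day:03d}{_mac(key_id, exp_day, address, key)}={address}"


def verify_return_path(tagged: str, key: bytes = SECRET, today: date = TODAY):
    """Return (ok, original_address, reason) for a possibly tagged recipient."""
    m = PRVS_RE.match(tagged)
    if not m:
        return False, tagged, "untagged"
    key_id, exp_day, mac, address = int(m[1]), int(m[2]), m[3].lower(), m[4]
    if not hmac.compare_digest(mac, _mac(key_id, exp_day, address, key)):
        return False, address, "bad signature"
    # Expiry is stored mod 1000, so the distance is taken mod 1000 as well;
    # a tag is live while 0 < days-to-expiry <= VALID_DAYS.
    remaining = (exp_day - today.timetuple().tm_yday) % 1000
    if not 0 < remaining <= VALID_DAYS:
        return False, address, "expired"
    return True, address, "ok"


def rcpt_decision(mail_from: str, rcpt_to: str, key: bytes = SECRET,
                  today: date = TODAY) -> tuple:
    """Decide at RCPT TO. Returns (smtp_reply, address_to_deliver_to_or_None)."""
    ok, address, reason = verify_return_path(rcpt_to, key, today)
    is_bounce = mail_from.strip() in ("", "<>")
    if is_bounce and not ok:
        # Backscatter: a DSN for mail this domain never sent (untagged,
        # forged or stale tag). Rejecting here means no queue, no inbox.
        return f"550 5.7.1 Bounce for a message this domain did not send ({reason})", None
    # Ordinary mail, or a bounce carrying a valid tag: strip the tag for delivery.
    return "250 2.1.5 OK", address


if __name__ == "__main__":
    tagged = sign_return_path("mike@example.com")
    print(tagged)
    print(rcpt_decision("<>", tagged))
    print(rcpt_decision("<>", "mike@example.com"))
```

Two caveats a practitioner should weigh before deploying this. Every path that sends mail with the domain in the envelope sender (the MTA, webmail, any hosted web forms, forwarding) has to sign, or legitimate bounces for those messages are rejected too; a grace period that logs rather than rejects makes the rollout safe. And it only covers standards-conforming bounces, which go to the envelope sender; the fake bounces the thread also discusses, sent directly by a spammer to the header From address, need the structural checks instead.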

I have not ever seen one, but I think I remember people posting spam - emails that were never bounced - that had something in the email that caused spamcop to reject it as a bounce.

<snip>

...Miss Betsy brings up a point I neglected to include in my earlier posts. When I wrote, "... therefore reportable via SpamCop's reporting system" I should have added, "unless rejected as a bounce." IIUC, if it's rejected as a bounce and thus stops the reporting process, you are not permitted to modify the spam to make it appear to not be a bounce so that the reporting process will complete. However, as I understand it, you may modify it so that it will tell you to whom it would submit the reports, cancel the report, and manually LART.


turetzsr - Posted on Jul 6 2004, 08:15 PM
  • if it's a fake bounce (the subject of the question), and if it's sent to others in addition to you, then it's your spam and therefore reportable via SpamCop's reporting system

...Do I have that right?

Yes. My intent was to clearly delineate between spam-disguised-as-bounces and actual bounces, because it seemed that the conversation so far had been talking about two different things. This has happened. Thank you all.

I do have one question though: as a mere end-user, how are you supposed to determine if a spam was mailed to multiple people if it only contains your address as the destination?

...Stu


<snip>

I do have one question though: as a mere end-user, how are you supposed to determine if a spam was mailed to multiple people if it only contains your address as the destination?

...IIRC, Miss Betsy posted a good answer to this when it was posed in another thread some time ago. Drat, I can't find it! :( Hopefully she'll drop in and add her comments.

...A very great deal of my spam is addressed "To" someone other than me -- that tells me that there's a good chance that it was sent to multiple people. Other spam has multiple entries in the "To" or "Cc" lists. Yet other spam has a greeting that includes someone else's name other than mine. Sometimes, the content of the spam makes it reasonably clear that it's directed to more than one person. Finally (and I'm sure others will be able to add clues that they use), there are spam that would otherwise appear to be only to me or which I would otherwise not be able to tell but I've received the same or similar content in previous spam that I concluded was to more than just me.


I don't remember my reply. But I can think of the only one thing besides all the pointers that Steve listed.

If the email is unsolicited, then it can be reported. If it is spam, then the abuse desk will be getting enough complaints to determine that it is bulk. You are only the reporter. The abuse desk is the one who determines what action should be taken.

Since I look at questionable email in OE's message source, it is easy to see the hash busters on the emails that say "Hi" in the subject and the sender might be a name of a friend. Also, if the parser says it's an open proxy, it is likely to be bulk. If the parse seems to be pretty straightforward, then I might check again to make sure I have not tagged a real email as spam. I believe that individual unsolicited email that is commercial in nature is considered spam UCE. If worst comes to worst, and you report something that is not unsolicited, they can always contact you by emailing the report # address so you can straighten it out.

So the bottom line is that you, the reporter, are reporting that this is an unsolicited email. You don't have to determine anything else. IMHO, it is better not to report spam from prior relationships and to be careful that you have not overlooked a real email.

Miss Betsy


<snip>

If the email is unsolicited, then it can be reported.

...Well, not precisely correct, according to the SpamCop Rules in SpamCop FAQ: On what type of email should I (not) use SpamCop?

For SpamCop, spam must be:
  1. unsolicited (I didn't request it), and
  2. automated/bulk (this same email was sent to many people at once).

If it is spam, then the abuse desk will be getting enough complaints to determine that it is bulk.  You are only the reporter.  The abuse desk is the one who determines what action should be taken.

...Yes, I'm pretty certain that was it!! :) <g>


turetzsr - Posted on Jul 8 2004, 01:08 PM

A very great deal of my spam is addressed "To" someone other than me -- that tells me that there's a good chance that it was sent to multiple people.

Easily faked.

Other spam has multiple entries in the "To" or "Cc" lists.

Easily faked.

Yet other spam has a greeting that includes someone else's name other than mine.

Irrelevant.

Sometimes, the content of the spam makes it reasonably clear that it's directed to more than one person.

Example? I can't think of one that can't also simply be the spammer lying.

Finally (and I'm sure others will be able to add clues that they use), there are spam that would otherwise appear to be only to me or which I would otherwise not be able to tell but I've received the same or similar content in previous spam that I concluded was to more than just me.

Since you still haven't proven that any spam was sent to multiple people your previous spam set is empty therefore this rule also doesn't apply.

Miss Betsy - Posted on Jul 8 2004, 05:50 PM

Since I look at questionable email in OE's message source, it is easy to see the hash busters on the emails that say "Hi" in the subject...

Irrelevant.

...and the sender might be a name of a friend.

Irrelevant.

Also, if the parser says it's an open proxy, it is likely to be bulk.

Circumstantial.

So the bottom line is that you, the reporter, are reporting that this is an unsolicited email.

Exactly...

You don't have to determine anything else.

Yes you do, according to the SpamCop Rules.

For SpamCop, spam must be:

1. unsolicited (I didn't request it), and

2. automated/bulk (this same email was sent to many people at once).

My point is that #2 is pretty much impossible to prove from an end-user standpoint. Therefore either only sysadmins should report spam (they can see the envelope headers) or #2 should be deleted.

...Stu

(I don't actually care that much, more just playing Devil's Advocate.)


It is true that there are certain unsolicited emails that are not reportable via spamcop: viruses, bounces when your email address is forged in the return path, personal email from someone who is harassing you, and confirmation emails.

If it is true that sysadmins can detect bulk email from the 'envelope', then the spam problem is solved because all bulk email can be blocked at the server level except those specifically whitelisted by clients as part of the confirmed subscription process.

People make a big fuss about spamcop reports being totally accurate (and of course, if they were not mostly accurate, they would be useless), however, they are only REPORTS - the bulk aspect can only be a conjecture on the part of the reporter based on the various signs that the person is trying to evade the spam filters such as forged addresses, the presence of hashbusters, the subject, etc. All the reporter is doing is reporting that the email is unsolicited. It is up to the receiver of the report to determine if it is bulk or not.

People can report any kind of unsolicited email on their own (and many people do report viruses and email bounces). Reports through spamcop need to adhere to certain guidelines so that the receiver knows what a spamcop report denotes. Reporters who check out emails that do not have the obvious signs of illegitimate bulk email are more likely to not report those emails through spamcop that are not according to spamcop guidelines.

Therefore, having #2 in the spamcop guidelines prevents mistakes and does not hamper the reporting of unsolicited email suspected to be bulk by end users.

Miss 'I do love a debate' Betsy


turetzsr - Posted on Jul 8 2004, 01:08 PM

A very great deal of my spam is addressed "To" someone other than me -- that tells me that there's a good chance that it was sent to multiple people.

Easily faked.

Other spam has multiple entries in the "To" or "Cc" lists.

Easily faked.

...Well, I was trying to answer your question:

<snip>

I do have one question though: as a mere end-user, how are you supposed to determine if a spam was mailed to multiple people if it only contains your address as the destination?

If the "To:" or "Cc:" lists are faked to make it appear that the spam was sent to more than just you then I believe you are still entitled to conclude that it was sent to more than just you. You can't be expected to do more than you can reasonably do. :) <g>

Yet other spam has a greeting that includes someone else's name other than mine.

Irrelevant.

...Maybe to you but not to me. If an e-mail that I receive begins, "Hi, John," then I believe I am entitled to assume that it was sent to someone named John as well as to me.

Sometimes, the content of the spam makes it reasonably clear that it's directed to more than one person.

Example? I can't think of one that can't also simply be the spammer lying.

...You can always conclude that a spammer is lying. But IMHO you can still use the content to conclude that there's a good chance that the spam was sent to more than just you.

<snip>

My point is that #2 is pretty much impossible to prove from an end-user standpoint.

...It may be hard to prove. I don't think that matters. IMHO, if you can defend your conclusion (as something that could be reached by the "reasonable ordinary prudent SpamCop reporter"), then that should be sufficient.

Therefore either only sysadmins should report spam (they can see the envelope headers) or #2 should be deleted.

...Then SpamCop is a worthless tool to any but SysAdmins, so what are we all doing here? :) <g>


Miss Betsy - Posted on Jul 9 2004, 07:54 AM

Therefore, having #2 in the spamcop guidelines prevents mistakes and does not hamper the reporting of unsolicited email suspected to be bulk by end users.

I concur.

...Stu, I sometimes play Devil's Advocate to create a good debate...


What I am looking for is a simple recipe against what are probably dozens (and soon hundreds) of "bounces". I don't have the time or appetite to understand the mechanisms why this occurs and/or why [at]spamcop.net - who after all run my mail server - do not seem to have a mechanism in place to kill those incoming e-mails. Whether spam in an academic sense or not - this is stuff that I have not triggered whatsoever, and which I don't want. I.e., there should at least be an option to kill it at the mail server and/or spam filter level.

Below is an example of what I mean:

This message looks like a bounce, will not report.

Do not report bounces as spam!

Message is old

Nothing to do.

see also:

http://www.spamcop.net/sc?id=z542637035z3a...2d9125ec5b85ccz


You can report bounces without using spamcop?

You can use SpamCop to identify the source IP that is using your email address, but you are not allowed to report this/bounces through SpamCop.


Archived

This topic is now archived and is closed to further replies.
