IHateSpam

Can I report Bounced Spam to Spamcop


Good day,

Some moronic spammers have gotten a hold of my domain name and are using it as the sender source (the IPs used and mail server aren't mine, so I'm pretty sure that I'm not sending it).

In addition to getting nasty emails from people demanding that I stop spamming them, I'm also getting a lot of bounced email being delivered back to me (spam rejected, user known, mailbox full, etc).

So my question is: Can I report this email to the [at]spam.spamcop.net email address (basically just by forwarding it)?

I'm a bit nervous that my IP address could somehow be interpreted as the sender of the source email (since the message has been bounced back to me), and so have been extracting the source email (when included) and posting it into the web submission form.

The problem is that I've gotten at least 100 bounce backs today alone and the whole process is becoming very tedious.

Anyone help alleviate my fears?

Thanks

Paul


Hi, Paul,

...In a word: no, you can't. See SpamCop FAQ: On what type of email should I (not) use SpamCop? (the paragraphs labeled "Bounces").

...IIUC, you are the victim of what is called a "Joe Job" (see entry labeled "joe" at The Net Abuse Jargon File).

...The people who are flaming you are ignorant. Savvy e-mail users are aware that "From" addresses in Internet headers (which is where they are most likely seeing your e-mail address) can be easily forged.

...The good news is that these kinds of "attacks" usually stop after a short while, as the spammers move on to other victims.


I have been getting a lot of bounces recently myself. Seems to be a recent trend and was discussed in more than one thread here. Bottom line is that it is against SpamCop policy to report bounces.

You also have to be careful opening some of these bounces, as most I have received recently contained MIME-exploits which can damage your system files!!!

Good luck!


"Joe-Jobs" are generally taken to be malicious. This kind of using a domain name (or an email address) is not intended to hurt the owner, but just so the spammer is harder to trace - spammers don't care who is inconvenienced or hurt by their actions.

However, if you are getting angry emails, it is a good opportunity to enlighten those who don't know about forgeries and to direct them how to do something positive. You can write an 'educational' email back about how 'From' is almost always forged, etc. and also put a disclaimer on your website.

There are others who have had similar problems and lots of people who think that these kinds of bounces are as bad as spam and ought to be reported. However, it has to be done on your own (you can use spamcop to find abuse addresses by entering just the headers and being sure to cancel the report.)

If you are getting loads, then just doing what can be done and filtering the rest to trash is probably all you can do.

Miss Betsy

> "Joe-Jobs" are generally taken to be malicious. This kind of using a domain name (or an email address) is not intended to hurt the owner, but just so the spammer is harder to trace - spammers don't care who is inconvenienced or hurt by their actions.
>
> <snip>

...Thanks for correcting my misunderstanding! :) <g>


I'm going to suggest that Miss Betsy was typing too fast and forgot to insert one word ....

.... This kind of using a domain name (or an email address) is not intended to hurt the owner ....

I'm thinking that the word "forged" didn't make it to the screen ....


Evening all

Thank you for your replies

I have sent some notifications to some of the ISPs in charge of the network segments where the spam comes from (manually reading the SMTP headers and then using whois to try and identify who's managing the IP address), with little success (out of the 10 I sent manually), with only one replying to say it wasn't their network segment; but they haven't replied back to my 2nd reply showing whois data confirming that their email address is attached to the IP range in question.

In addition, a lot of the IP ranges in use are listed as being managed by ARIN.NET (when Whois'd) and they've responded that they're not responsible for the IP in question (even though they're identified as the contact person under whois - go figure eh).

Just a little more clarification on bounce backs.

If a spammer sends a spam type email to someone with a forged (but valid) source email address which is then bounced back to the forged sender address, then is this still not spam?

It usually contains the spammer's source message (which usually contains all the SMTP headers including the source IP address).

I'm not saying that the bounce back is spam (bounces are great [better than sliced bread] as I know that my domain name is being used in forged emails, and in most cases the original email is included so I can figure out the source IP).

I was kinda hoping that Spamcop would be able to process the spammer's address from the bounced email from within the original source attachment (I'm able to do it). Then have the Web interface confirm that what it processed is what should be reported (to help stop false submissions).

If I were working for spamcop, I'd be interested in the people who are getting bounce backs.. It'd be a great source of fresh spammer information. Look at me. I have 200+ bounce backs which I want to investigate and inform the correct persons what's going on (it's quasi personal now ;). How many people would spend the time to report spammers (not too many as I'm just as guilty of just deleting them when they come in without even reading them).

Anyhow, what I tried to do (but gave up after about the 10th email) is extract the original spammer email (using View message source on the bounced email) when it's included in the bounce back email (usually as an attachment) and then manually submitting it via the spamcop web interface.

As it stands, I must have about 200 bounced spammer emails (a lot of different source addresses).. Now let's say that 1% are being bounced back to me.. that would mean that the spammer could be sending at least 20,000 emails (most likely a lot more) using my domain name. Now how many of those people receiving the spam will report it (I'd guess not too many)?

Thanks for listening

Paul

> I'm going to suggest that Miss Betsy was typing too fast and forgot to insert one word ....
>
> .... This kind of using a domain name (or an email address) is not intended to hurt the owner ....
>
> I'm thinking that the word "forged" didn't make it to the screen ....

Hi Wazoo,

Never thought it was personal.. Usually when spam gets personal, the attacker makes the spam look like it came from you.. I had a client who had an x-worker who was spamming on behalf of the company.. It was real nasty (false quotes, email of viruses).. Eventually they paid 'em off to leave 'em alone cause no one else was able to do anything about it.. We had proof (IPs, server logs, etc). ISP wouldn't do anything, cops wouldn't do anything.. So eventually they had a lawyer talk directly to 'em and some form of arrangement was done. Too bad they never got back the hardware that the x-worker stole.

I was just hoping that there was some way (unknown to me) to get this to stop quickly. I think this is the 3rd time that my domain has been used in the last few years.

Getting a little fed up with not being able to easily do something with the spammer information contained in the bounce backs, and am getting tired of writing "Dear <Insert Name Here>. I'm writing to inform you that I am not actually spamming your email address.. Someone is forging the source email address using my domain name.. Please check the following links to help identify the perpetrators" emails..

Paul


Fearing that this might turn into another one of my novels .... have to start with the initial problem in that these bounces are not handled in a "standard" fashion. Some ISPs kick back the entire original e-mail with an added rejection note, some send the rejection note with a bit of the original e-mail, some simply send a rejection notice.

Now we jump to Julian's tool set. Originally written from the perspective that an e-mail would look like an e-mail, the user submittal of this e-mail would still have it looking like an e-mail, and things would distill the pertinent data, and the reports would end up in the hands of someone that would take real action. As in the early days of the 'net', instructions were sparse to non-existent, so those that used the tool-set generally "knew" at least some of the background on how e-mail and NNTP worked. Time moved on, SpamCop became more popular for varying levels of experience users, at the same time becoming a target for the spammers to try to outwit.

This leads one to the "ground rule" for a spam submittal, that it look like an actual e-mail (going to drop NNTP for now) ... When a submittal arrives that doesn't look "right" .. the questions include; did the user screw-up, did the spammer mangle something, was data dropped during any of the operations occurring between the user "reading" the spam and handing the spam to the parser; is there something in the code-base that's screwed up, .... From the programming side, things are much easier when the decision is made that if it doesn't have all the necessary parts, in the right order, parsing is halted rather than risking making / selecting the wrong "notifies" about a wrong item.

The problem with these bounces (reaching back to the first paragraph) is that getting a good and accurate parse out of it with correct targets identified goes directly to the experience and knowledge of the submitting user (and again, assuming that the actual / original / complete spam was included within the bounce) being able to extract the actual spam for submittal. Unfortunately, there are too many users that don't have this knowledge, don't spend the time, screw up and run on autopilot, etc. that were generating too many reports to go to the wrong targets. The only solution is the simple ban on reporting bounces (programming again brings up the decision points needed to sort out why the e-mail doesn't "look right" .. too many headers, too many blank lines in the wrong spot, how mangled did the actual spam get during all the processing - line wraps, word / address divisions, etc. ...)

Now all that said, if you do know what you're doing, can see what you've actually got, then yes, you can still use the parsing tool to help you find the right targets, but the current rules are to then cancel that report and send your own complaint to these targets.

ARIN (American Registry for Internet Numbers) in general assigns the blocks of IP addresses. If the IP address you're looking up references that it's controlled by ARIN, did you then go to the next level and use ARIN's whois to get to the next level of actual assignment? http://www.arin.net/whois/index.html This might be a bad analogy, but complaining to ARIN would be something like complaining to Ford Motor Corporation about the problems you had with a Ford that you'd rented from AVIS ... Granted, the car may have been built and even delivered to AVIS by Ford, but that burnt-out headlight is clearly an AVIS problem ....

Here's hoping that you can find a glimmer of something good in this (but guessing not <g>)


Hello

Just a small update.. Up around 4200 bounced spam messages so far.

I'm hoping this will end soon and that postmasters aren't looking to add my dns name as a spam filter ;(

I'm actually thinking about writing a parser myself in perl to parse out the source IP on my collection of bounced email to try and see if I can identify all the IPs being used.

Oh well. Back to fighting with my in-box

Paul
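
Added example, not part of the original thread: a sketch in Python (rather than the Perl mentioned above) of the parser described in this post. It sorts bounces by how much of the original mail they carry and tallies the IP in the top-most Received line of the embedded original; the sample bounces, addresses and helper names are constructed for illustration, and it assumes MIME-formatted bounces from a site with a single receiving hop.

```python
import email
import ipaddress
import re
from collections import Counter
from email import policy

# Bracketed address literal, the form most MTAs write into a Received line.
BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F:.]+)\]")


def embedded_original(raw):
    """Classify a bounce by how much of the original mail it carries.

    Returns ("full", msg) for a message/rfc822 part, ("headers", msg) for a
    text/rfc822-headers part, and ("none", None) for a bare rejection notice
    or any layout this sketch does not recognise (it stops rather than guess).
    """
    bounce = email.message_from_bytes(raw, policy=policy.default)
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return "full", part.get_payload(0)
        if ctype == "text/rfc822-headers":
            text = part.get_content()
            return "headers", email.message_from_string(text, policy=policy.default)
    return "none", None


def handoff_ip(original):
    """IP that handed the mail to the bouncing site, or None.

    Only the top-most Received line is read: it was added by the site that
    generated the bounce (assumption: one receiving hop). Lines below it were
    supplied by the sender and can be forged.
    """
    received = original.get_all("Received") or [""]
    for candidate in BRACKETED.findall(str(received[0])):
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue  # bracketed text that is not an address
    return None


def tally(bounces):
    """Count bounce layouts and hand-off IPs over a collection of raw bounces."""
    kinds, ips = Counter(), Counter()
    for raw in bounces:
        kind, original = embedded_original(raw)
        kinds[kind] += 1
        ip = handoff_ip(original) if original is not None else None
        if ip:
            ips[ip] += 1
    return kinds, ips


# --- Constructed sample bounces (documentation addresses, not real mail) ---
_HEAD = (b"From: MAILER-DAEMON@mx.recipient.example\n"
         b"To: paul@victim.example\nSubject: Undelivered mail\nMIME-Version: 1.0\n")
_SPAM_HEADERS = (
    b"Received: from helo.invalid (unknown [203.0.113.45])\n"
    b"\tby mx.recipient.example; Mon, 1 Jan 2024 00:00:00 +0000\n"
    b"Received: from victim.example ([192.0.2.1]) by helo.invalid\n"  # sender-supplied
    b"From: paul@victim.example\nTo: nobody@recipient.example\nSubject: offer\n")


def _report(inner_type, inner):
    """Build a two-part multipart/report bounce around the given inner part."""
    return (_HEAD
            + b'Content-Type: multipart/report; report-type=delivery-status;'
            + b' boundary="BOUND"\n\n'
            + b"--BOUND\nContent-Type: text/plain\n\nUser unknown.\n\n"
            + b"--BOUND\nContent-Type: " + inner_type + b"\n\n" + inner
            + b"\n--BOUND--\n")


SAMPLES = [
    _report(b"message/rfc822", _SPAM_HEADERS + b"\nspam body\n"),  # whole original
    _report(b"text/rfc822-headers", _SPAM_HEADERS),                # headers only
    _HEAD + b"Content-Type: text/plain\n\nMailbox full.\n",        # notice only
]

if __name__ == "__main__":
    kinds, ips = tally(SAMPLES)
    print(dict(kinds))
    print(ips.most_common())
```

The resulting IP list is a starting point for a whois lookup and a manual complaint, as described earlier in the thread; bounces classified as "none" still need to be read by hand.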


Please forgive my playing the Devil's advocate.

Is it not possible that spammers have been clued in to the ban on reporting bounced messages, and are now intentionally forging their messages to look like bounced messages?

As evidence of this I note that almost all the bounced messages I get seem to come from blocked domains, and I seem to get a lot more bounced messages than I ever used to. Also, I think all of these bounces contain the entire original message, whereas many legitimate bounced messages from months/years ago contained only a snip.

How can I tell whether a "bounced message" is really bounced - versus just made to look that way?


I'll just point out that it's a known fact that the SpamCop newsgroups and Forums have long been read by some spammers. Analyzing spam for source, construction, and content simply boils down to doing the research and learning what the data bits are in those spams. Start by looking at your "good" e-mail, compare to the "bad" stuff and search out the differences, then figure out "why" the spammer did things different <g>


However sincere and advanced you may be, your answer is less than helpful. I am well aware that spammers read these discussions.

I am already all too familiar with determining the likely IP of the originating source.

I don't know what you mean by "good email" and I don't know what you mean by "bad stuff". I'm not particularly interested in "why" spammers do things. I don't know what you mean by "different" - different from what?

For example, suppose I have a message that appears prima facie to be a bounced message from a Joe job (fraudulently using my e-mail address). I determine the originating IP from the Spamcop automation. The likely originating IP is one that is currently listed on one or more blacklists. Isn't it entirely possible that this message was never bounced at all, and in fact came directly from the spammer in exactly this form?

Put yet another way: Couldn't a spammer intentionally send all his spam to the same invalid address of an ISP who dutifully reports bounced e-mails, changing only the reply-to e-mail address for each message (to match the real intended recipient)? Wouldn't this spammer have the effect of all his spam being delivered to all of his intended victims, in a form that is identical to a bounced message, and in a format that is not reportable through SpamCop?

Perhaps I really shouldn't have posted this thought here?

Please reconsider more thoughtfully.

> However sincere and advanced you may be, your answer is less than helpful. I am well aware that spammers read these discussions.
>
> I am already all too familiar with determining the likely IP of the originating source.
>
> I don't know what you mean by "good email" and I don't know what you mean by "bad stuff". I'm not particularly interested in "why" spammers do things. I don't know what you mean by "different" - different from what?

All that dealt with reading and understanding headers. I'm confused that you state that you understand all that, but are confused over my terms "good" and "bad" e-mail ...???? good = stuff your Mom sent you ..... bad = some lowlife crap .. where do I go from here?

> Isn't it entirely possible that this message was never bounced at all, and in fact came directly from the spammer in exactly this form?

Yes it's possible. Happens every day.

> Wouldn't this spammer have the effect of all his spam being delivered to all of his intended victims, in a form that is identical to a bounced message, and in a format that is not reportable through SpamCop?

Yes, thus the pointing out that spammers read up on how to get around the various blocks, traps, filters, and reporting tools. Again, I don't see what I missed before.

> Perhaps I really shouldn't have posted this thought here?
>
> Please reconsider more thoughtfully.

I'm still a bit lost. Yes, this stuff is done. I'm not sure how much more thought you need on this. If it's just that you're ticked about not being able to report it, that's something you'll have to take up with Julian himself, realizing that a lot of his "rules" stem from folks that don't know what they are doing or take no care in the results.

By the way, the simple forging of address data is not the same as a joe-job.

> For example, suppose I have a message that appears prima facie to be a bounced message from a Joe job (fraudulently using my e-mail address). I determine the originating IP from the Spamcop automation. The likely originating IP is one that is currently listed on one or more blacklists. Isn't it entirely possible that this message was never bounced at all, and in fact came directly from the spammer in exactly this form?
>
> Put yet another way: Couldn't a spammer intentionally send all his spam to the same invalid address of an ISP who dutifully reports bounced e-mails, changing only the reply-to e-mail address for each message (to match the real intended recipient)? Wouldn't this spammer have the effect of all his spam being delivered to all of his intended victims, in a form that is identical to a bounced message, and in a format that is not reportable through SpamCop?

IIUC, you have two different examples here of how a spammer could get a spam message delivered past different filters.

However, it all depends on what you mean by 'originating IP address' - if you mean the 'spam' originating address, then there is no surprise that it is coming from an IP address that is on several blocklists. OTOH, 'bounces' from IP addresses that are listed on blocklists could be that the policy of the IP addresses is to email bounce undeliverable mail, have not listened to complaints, and in consequence, are listed because they have been sending email to spam traps since often spammer mailing lists contain spam trap addresses - if you mean the originating IP address is the address from which the bounce came.

In the second example, it certainly is possible for a spammer to determine that an ISP is still using the 'email bounce' and change the reply to address to match his mailing list so that his spam gets delivered (spam gets eaten; spam gets delivered. spam is the registered trademark for the luncheon meat. Hormel has been very indulgent about the use of the word 'spam' for unsolicited email and serious spamfighters should respect the difference). However, the person to report to is the ISP who is still using email bounces.

There are two possibilities for reports in every 'bounced' spam: one - a report to the ISP who 'bounces' it to complain about their use of an outdated undeliverable message protocol and two - a report to the ISP of the actual spam (if the headers are included in the bounce). The latter report is for forgery of your email address. Neither report is a report of UCE - which is partly why spamcop does not allow the reporting of bounces. The main reason, however, is that the parser just can't assess all the different possibilities in a reasonable length of time and with reasonable accuracy.

IMHO, spammers don't deliberately try to bounce spam messages because I don't think there would be enough return from buyers. If only 1% buy, then the percentage who would buy from a bounced email would probably be minuscule. I think they don't care whether 50% of the spam run gets bounced around. (though my theory is that a certain percentage of spam doesn't really try to sell anything - like the virus authors, some people probably get perverse pleasure from just evading the filters).

I don't know whether this viewpoint helps you to understand spamcop's ban on bounces or not.

Miss Betsy


Thank you for all the information in this thread.

I do feel for Paul, and for others in this position: I've had the odd bounce before, but not a flood, like today.

Fortunately I could Jabber my husband at work, our local ISP, and ask him to block part of the message text (which was identical in all cases), and the flood dropped to a trickle (auto-aways and those which snip the body text).

All the same, that isn't doing anything about the spamming, and from what you have all said above, there doesn't seem to be much we can do.

I haven't received any personal email (flames, complaints), my flood consisted of auto-bounces and auto-aways ("I'm away right now, not reading my email" etc.). I doubt very much if writing to the ISPs auto-bouncing would achieve anything, but I'll give it a go.

Edit: I was about to do so, discussing it with my husband, when he said that sending a message to the perceived sender when an email is undeliverable is in the RFCs. So it's not only defensible, it's almost mandated. He said, if it's hard for a human to work out if a header is forged, what hope does an ISP have, working automatically with thousands of them? Admittedly, the relevant RFCs were written before the spam/virus plague, but there doesn't seem to have been an update to deal with it.

All of this out of my sphere, but leaves me wondering if there is _anything_ I can do. :( end edit.

What horrifies me (and I'm sure upsets others in this position) is the thought that probably thousands of emails are bothering innocent people, with my name on them. It's really amazing how many people spammers can annoy, when they put their, um, wits into it. Strange use of resources, however sparse.

Thanks for the info above: it really helped to be able to come here and have this thread available.

from Clytie <stirring her inbox around cautiously with a stick>

Edited by clytie

> I was about to do so, discussing it with my husband, when he said that sending a message to the perceived sender when an email is undeliverable is in the RFCs. So it's not only defensible, it's almost mandated. He said, if it's hard for a human to work out if a header is forged, what hope does an ISP have, working automatically with thousands of them? Admittedly, the relevant RFCs were written before the spam/virus plague, but there doesn't seem to have been an update to deal with it.

Your husband is correct that there is an RFC; however, although the RFC has not been revised (AFAIK), the problem has become so widespread that clueful ISPs are no longer using 'email bounces'. One reason is that some part of those thousands are hitting spamtraps and they are getting listed (not just by spamcop). Ditto with auto bounces and virus notifications.

You can't report it through spamcop, but it is certainly worthwhile to report it to the offending ISP - particularly if you point out that you are doing them a favor by notifying them. I always point out that the number of real undeliverable mail perhaps lost is minuscule compared to the annoyance caused by the bounces to innocent people. And mention that it (and out of office auto replies) are some other things that have been spoiled by the spammers.

I don't think anyone answered me when I asked this before, but I don't know why the ISPs can't run the 'bounce' emails through a spam content filter set on high before they send them and dump those that don't pass. Also, an ISP could write a parser for its own use - in fact some of the bounces that I have received actually had the correct IP address added. The reason that there isn't another available for other people on the web is spamcop's ability to deal with many different header configurations. A private one also doesn't have to send reports or look up abuse desks. That is one reason why it is so stupid that ISPs send email bounces to the 'returnpath' - if they feel that they can't dump undeliverable mail, there are ways to send it to the proper place - it just costs more.

I believe that even aol (one of the worst offenders) has agreed that it is not a good idea to use email bounces.

Glad that your ISP was so helpful. <Knock Knock> I haven't had a flood. Then it would be difficult to notify everyone. At one time, the advice was to complain to the originating ISP about 'forgery of your email address' and that sometimes the originating ISP would listen while it would not stop spammers. I expect that advice is out of date just like the RFC.

Miss Betsy


To all who replied as a result of my inability to understand: Thank you.

I still only understand about 80% of the responses, but I get the gist of it: spammers are winning, and there is very little we can really do.

Miss Betsy: Thank you for pointing out the distinction between the trademark and the annoyance. This was news to me. I shall type "spam" in the future.

I was spoiled by SpamCop's amazing false positive rate of only 5 in 45,000, coupled with a false negative rate of only about 4% for my address. But this morning the bounced e-mails really started flooding my inbox, at a rate as high as 15 per minute at one point.

For future reference, I am not ticked at Julian or anyone at SpamCop. Just frustrated and depressed by my inability to solve or productively address even my personal spam problem.

> Just frustrated and depressed by my inability to solve or productively address even my personal spam problem.

Don't let it get you down. It certainly seems that way when the flood comes in, but if you look at the history of spam, the good guys are steadily winning and driving the spammers into desperate measures like using viruses to spread their spew.

Usually the flood doesn't last long so do what you can to control it. And since it is an ever-increasing phenomenon, measures to counteract it will start to be established.

Miss Betsy


Thanks for the responses. My husband did say that smarter ISPs don't bounce, but his point was that it's hard to criticize the others doing something that's in the RFCs. I take your point that we can still suggest that they don't do it.

I think one of the worst things about this, as Brian says, is the feeling of powerlessness. Your inbox is swamped, people are attaching your identity to acts of harassment (which I firmly believe spams are) and you appear to have no decision power at all. Just wait it out, or change your address.

Please point me to any link that shows we are winning against spammers: I need the moral lift. :(

from Clytie <staring glumly at the huge pile of bounces and aways, clogging her mail pipe>

> Thanks for the responses. My husband did say that smarter ISPs don't bounce, but his point was that it's hard to criticize the others doing something that's in the RFCs.

...Fair enough -- until someone points out why it's a bad practice. After they know, I would expect them to stop, forthwith! :) <g>

> I take your point that we can still suggest that they don't do it.
>
> <snip>


When spamcop first began, there were many, many ordinary businesses who thought sending email ads was a great idea. Now, there are few, if any, legitimate businesses who would send unsolicited commercial email (there are still a few, but they get clued in very quickly that unless you have a confirmed subscription list, you are going to have problems). Only a couple of years ago there were numerous ISPs who didn't respond to reports of spam or didn't have TOS's and AUP's - now they all do. Spammers now have to use Chinese ISPs or trojaned machines to deliver their spew. Even Comcast finally caved in and, at least, said they would do something about the hundreds of trojaned machines that were sending spam. I haven't seen as many from Comcast as I used to (but that doesn't always mean anything - perhaps the list I am on has changed hands).

Since more and more people are dealing with flooded inboxes with bounces, sooner or later the clueless ISPs will find themselves on blocklists and start listening up. Perhaps even doing something about the source.

Just remember that the squeaky wheel gets the grease. I have been saying forever that if the techie types would only enlist the 'average' spam recipient in demanding blocking that the 'tipping point' would come and spam would no longer be a viable occupation. ISPs have realized that reduction of spam is what most of their customers want. There are certainly more legitimate email users' dollars than spammer dollars.

Miss Betsy


Thanks, Miss Betsy, that is encouraging. What I really had in mind was spammers in stocks, having rotten tomatoes thrown at them (eggs are too expensive nowadays), but what you say is helpful if less satisfying. :D

from Clytie

> What I really had in mind was spammers in stocks, having rotten tomatoes thrown at them

It won't be long........ :D
