clivel

Reporting bounced spoofed emails has no effect


Hi,
Earlier this week a spammer used my email address as the "from" address for a Nigerian Scam type email. As a result, despite having an SPF record, for the past three days I have been receiving 1000s of bounced emails, the majority from one server: 5.172.188.193 (as per the example at the bottom of this message). On Monday I received about 1000 bounces, Tuesday I received 8000 and today it is already up to 2000.

I have set up an email filter which I run manually to forward small batches to Spamcop, I then also have to do the "Report Now" manually so I have only been able to actually report a few hundred of these bounces.
Despite these 100s of reports forwarded to the administrator of the offending server they seem to have no intention of fixing it so it is disappointing that the server is not listed on any blacklists which may be the only way that they take notice:

Using best contacts abuse@x.y.z
Message is 8 hours old
5.172.188.193 not listed in cbl.abuseat.org
5.172.188.193 not listed in dnsbl.sorbs.net
5.172.188.193 not listed in accredit.habeas.com
5.172.188.193 not listed in plus.bondedsender.org
5.172.188.193 not listed in iadb.isipp.com

How many hundreds of reports are necessary before they will appear on a blacklist?

Thanks,
Clive

Return-Path: <>
Received: from ser204.sbsb.local ([5.172.188.193]) by mx.perfora.net
 (mxeueus003 [74.208.5.3]) with ESMTP (Nemesis) id 0MF2Rp-1gDFmq0ZJL-00GJhG
 for <xxx@yyy.com; Tue, 20 Nov 2018 09:08:51 +0100
From: postmaster@sbsb.local
To: xxx@yyy.com
Date: Mon, 19 Nov 2018 01:20:48 +0100
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
	boundary="9B095B5ADSN=_01D4461B17EC24000000DA6Aser204.sbsb.loca"
X-DSNContext: 7ce717b1 - 1194 - 00000002 - 00000000
Message-ID: <4nPPu1OOL00004615@ser204.sbsb.local>
Subject: Delivery Status Notification (Failure)
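The bounce quoted above has the two marks of a delivery status notification: an empty Return-Path ("<>", the null reverse-path) and a Content-Type of multipart/report with report-type=delivery-status. The following is an added example, not code from the original post: it parses a constructed bounce modelled on those headers (the relay hostname and IP are the ones quoted above; the MX name, recipient and delivery-status body are made up), pulls out the connecting IP from the topmost Received header, and extracts the per-recipient Action fields from the delivery-status part, so a mailbox full of backscatter can be counted and filtered by source before anything is deleted.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample, modelled on the headers quoted in this thread.
# The relaying host and its IP are the ones quoted above; the rest is made up.
SAMPLE_BOUNCE = """Return-Path: <>
Received: from ser204.sbsb.local ([5.172.188.193]) by mx.example.net
 (mx001 [192.0.2.3]) with ESMTP id CONSTRUCTED0001
 for <victim@example.com>; Tue, 20 Nov 2018 09:08:51 +0100
From: postmaster@sbsb.local
To: victim@example.com
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="dsn1"

--dsn1
Content-Type: text/plain

This is an automatically generated Delivery Status Notification.
--dsn1
Content-Type: message/delivery-status

Reporting-MTA: dns; ser204.sbsb.local

Final-Recipient: rfc822; someone@scam-target.example
Action: failed
Status: 5.1.1
--dsn1--
"""

# IPv4 literal in square brackets, as MTAs write the peer address in Received.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def classify_bounce(raw):
    """Describe one raw message: is it a DSN (null reverse-path plus
    multipart/report;report-type=delivery-status), which IP handed it to our
    MX (topmost Received header), and what per-recipient actions it reports."""
    msg = message_from_string(raw, policy=default)
    return_path = (msg.get("Return-Path") or "").strip()
    report_type = msg.get_param("report-type", header="Content-Type")
    is_dsn = (return_path == "<>"
              and msg.get_content_type() == "multipart/report"
              and report_type == "delivery-status")

    # The topmost Received header was written by our own MX, so the bracketed
    # IP there is the peer that actually connected, not a forgeable earlier hop.
    received = msg.get_all("Received") or []
    match = RECEIVED_IP.search(str(received[0])) if received else None
    relay_ip = match.group(1) if match else None

    # message/delivery-status is parsed as a list of header-only blocks;
    # the ones carrying Final-Recipient describe each failed/delayed recipient.
    actions = []
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            for block in part.get_payload():
                if block.get("Final-Recipient"):
                    actions.append((str(block.get("Final-Recipient")).strip(),
                                    str(block.get("Action") or "").strip().lower()))
    return {"is_dsn": is_dsn, "relay_ip": relay_ip,
            "subject": str(msg.get("Subject") or ""), "actions": actions}


def triage(raw_messages, suspect_ip):
    """Count DSNs relayed by suspect_ip, DSNs from elsewhere, and ordinary
    mail, so a filter can be checked against real traffic before it deletes."""
    counts = {"dsn_from_suspect": 0, "dsn_other": 0, "not_dsn": 0}
    for raw in raw_messages:
        info = classify_bounce(raw)
        if not info["is_dsn"]:
            counts["not_dsn"] += 1
        elif info["relay_ip"] == suspect_ip:
            counts["dsn_from_suspect"] += 1
        else:
            counts["dsn_other"] += 1
    return counts


if __name__ == "__main__":
    print(classify_bounce(SAMPLE_BOUNCE))
    print(triage([SAMPLE_BOUNCE], "5.172.188.193"))
```

Keying the filter on the null reverse-path plus the report type, rather than on the Subject line, catches both "(Failure)" and "(Delay)" notifications, and the Action field separates the two without string-matching localized subjects.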


Of course the Bounce messages are not coming from one IP address, but one from each of the different addresses the spammer is sending to. As a result you may not get any IP address on the blocklist, and the internet service providers that are bouncing the spam are also victims of the spammer. Although Problem: Misdirected bounces is addressed to ISPs or managers of mail services, it will give you insight into the cause of the problem.

Does the bounce include the header of the original spam so you can identify the source?  Are the original spams all from one source? Or are several bots sending the messages?

1 hour ago, clivel said:

Earlier this week a spammer used my email address as the "from" address for a Nigerian Scam type email. As a result, despite having an SPF record, for the past three days I have been receiving 1000's of bounced emails, the majority from one server: 5.172.188.193  (as per the example at the bottom of this message).  On Monday I received about 1000 bounces, Tuesday I received 8000 and today it is already up to 2000.

The SPF record does not protect the from but does protect the mfrom.  These two addresses can be separate.  The mfrom is found in the headers, usually in the received line, and the from will be below it.  You might notice a mailing list will change the mfrom and add a reply-to, but they usually do not change the "from".  The bounces will be coming from the mfrom.

Hopefully the bounces indicate some sort of rejection due to SPF. If not, you may need to check that your record uses the "-all" instead of the "~all". Both are different, but only one will cause a receiver to reject email, the other will cause the receiver to send it to a spam folder.

It might be good to include a tracking URL from one of the munged reports.
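The two points made above, that SPF is evaluated against the envelope sender (MAIL FROM, the "mfrom") rather than the header From, and that "-all" yields fail while "~all" yields softfail, can be seen in a small evaluator. This is an added example and not the poster's code; it models only the ip4, ip6 and all mechanisms (a, mx and include need DNS lookups and are deliberately left out), and the domains, records and IP addresses are constructed.

```python
import ipaddress

# Constructed records: which hosts each domain authorises for MAIL FROM.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 -all",        # hard fail
    "softfail.example": "v=spf1 ip4:203.0.113.0/24 ~all",   # soft fail
}

# Result an SPF evaluator returns when a mechanism with this qualifier matches.
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def check_spf(record, client_ip):
    """Evaluate ip4/ip6/all mechanisms left to right; the first match wins.
    Offline model only: a, mx, include and friends would need DNS."""
    ip = ipaddress.ip_address(client_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        if mechanism in ("ip4", "ip6"):
            # membership test is False when IP version and network version differ
            if ip in ipaddress.ip_network(argument, strict=False):
                return RESULT_FOR_QUALIFIER[qualifier]
        else:
            raise NotImplementedError(f"{mechanism} needs DNS; not modelled here")
    return "neutral"   # record ended without an "all" term


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def evaluate_envelope(records, client_ip, mail_from, header_from):
    """SPF is checked against the MAIL FROM (envelope) domain only. Returns
    (result, domain_checked, header_from_domain) so the two can be compared."""
    mfrom_domain = domain_of(mail_from)
    record = records.get(mfrom_domain)
    result = check_spf(record, client_ip) if record else "none"
    return result, mfrom_domain, domain_of(header_from)


if __name__ == "__main__":
    # Unauthorised IP puts the protected domain in MAIL FROM: "-all" rejects it.
    print(evaluate_envelope(SPF_RECORDS, "198.51.100.7",
                            "clive@example.com", "clive@example.com"))
    # Same forged header From, but MAIL FROM names a domain with no record:
    # example.com's "-all" is never consulted, so it cannot stop this case.
    print(evaluate_envelope(SPF_RECORDS, "198.51.100.7",
                            "bounce@throwaway.example", "clive@example.com"))
```

The second call in the usage block is the situation described in this thread: a forged header From is invisible to SPF whenever the envelope sender points somewhere else, which is why the record's "-all" can be correct and the bounces still arrive.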


Lking and gnarlymarley thanks for the replies.
I was under the impression that the SPF record was intended to prevent wholesale bounces to a from address as it is trivially easy for anyone to set the from address to whatever email address they want. I have checked my SPF and it is set to "-all".

I haven't really examined the bounces closely. When one is being inundated with this many emails it was all I could do to report a few hundred via spamcop and delete the rest without deleting legitimate emails at the same time.

Almost all the bounced emails I am getting are from 5.172.188.193. Spamcop forwards them all to the same abuse@xx.yy.zz address. One would hope that if anyone is actually monitoring the abuse reporting address receiving them that they would have done something to stop this wholesale abuse.

Also, I would have thought that by reporting via spamcop, enough reports would eventually have put 5.172.188.193 onto at least one blacklist hopefully causing them to take some sort of action to stop bombarding me with what I consider spam.

As you might gather I am not too familiar with the mechanisations of the whole email system, but from what you have both posted it seems as if I am wasting my time reporting any of these emails to spamcop and would be better off simply deleting them. Is that correct?

Thanks again,
Clive
2 hours ago, clivel said:

I was under the impression that the SPF record was intended to prevent wholesale bounces to a from address as it is trivially easy for anyone to set the from address to whatever email address they want. I have checked my SPF and it is set to "-all".
SenderID was to protect the "from". However, the original folks that worked with Microsoft on SenderID said it was a mistake, and that protecting the mfrom was better. This is why I have a SenderID record that says don't check the from, but in your case, it may have saved you if they were sending to hotmail or exchange server. This is probably a good time to verify your record if you need more information about how it works.

2 hours ago, clivel said:

I haven't really examined the bounces closely. When one is being inundated with this many emails it was all I could do to report a few hundred via spamcop and delete the rest without deleting legitimate emails at the same time.

The limit was raised if you wanted to report more. See this page: https://www.spamcop.net/fom-serve/cache/350.html. If you are attaching them to emails (for forward-as-attachment), you can attach more than one bounce to the same email and get back more than one tracking URL in the reply email. This might help you report them faster. I am not sure if there is a limit on how many attachments may be on one forwarding email, but I have done as much as three in the past.

2 hours ago, clivel said:

Also, I would have thought that by reporting via spamcop, enough reports would eventually have put 5.172.188.193 onto at least one blacklist hopefully causing them to take some sort of action to stop bombarding me with what I consider spam.

SpamCop has a special algorithm that would mean it would prefer it coming into a spamtrap for it to get onto the blacklist.  I believe you might be able to do it yourself, but it could take a while.
2 hours ago, clivel said:

As you might gather I am not too familiar with the mechanisations of the whole email system, but from what you have both posted it seems as if I am wasting my time reporting any of these emails to spamcop and would be better off simply deleting them. Is that correct?
I think this whole thing is someone didn't check your email address for SPF and tried to use it in their scam and that is why it has bounced.  I do not think you are wasting your time reporting them.

1 hour ago, gnarlymarley said:

 I am not sure if there is a limit on how many attachments may be on one forwarding email, but I have done as much as three in the past.

The limit is a size limit, 5 MB email total, not a number of attachments.


Thanks again gnarlymarley and Lking,

That is very helpful. I will continue to report the emails. Unfortunately the time consuming part is not forwarding the emails to Spamcop, it is clicking on the "Report Now" link, waiting a few seconds for the page to load and then having to click the "Send spam report(s) Now" link.

I am tearing my hair out over this. I was feeling good earlier today, I received no bounces for a few hours and thought that it had stopped, and then I suddenly received another flood of emails about an hour ago, just over 3000 more arrived in my inbox making the total for today well over 5000. There seems to be no end in sight.

Thanks ,
Clive

9 hours ago, clivel said:

Received: from ser204.sbsb.local ([5.172.188.193]) by

Clive, this idea might help if you own access to your email server.  If their hostname is always *.local, then you might be able to block it based on the hostname or the IP, or else firewall it.  The emails will fill up and their sysadmin will have to deal with the space.  I had put in the following check (below is exim for my server) years ago which would straight up block those emails.

# Helo can't be localhost, *.local, *.localdomain or *.lan
# (RCPT-time ACL: the local_parts condition is only valid after RCPT;
#  swap "deny" for "defer" to trial it with a temporary error first)
#  defer
  deny
    message   = HELO can't be $sender_helo_name. Please contact your ISP.
    local_parts = !postmaster
    condition = ${if match\
      {$sender_helo_name}\
      {\N(localhost|\.local(domain)?|\.lan)$\N}\
    {yes}{no}}

Thanks gnarlymarley, that is an excellent idea, but unfortunately I used a shared hosting provider so don't have access to the server.

I really don't know what to do right now. Clearly from my perspective reporting the emails to Spamcop has been a complete waste of hours and hours of my time.

I woke up this morning to no bounces overnight, once again thinking that the flood of emails may have stopped.

No such luck, just as I started composing this message they started pouring in, already up to 12,000. This looks like the worst ATTACK so far!! And I call it an attack because they all originate from 5.172.188.193 and despite abuse@man.olsztyn.pl having received hundreds and hundreds of reports from Spamcop they are doing nothing about it.

And the worst is it seems as if the majority of bounces in this latest flood are "Delivery Status Notification (Delay)" which means I can look forward to another 12,000 or so Failures arriving soon.

And while I was typing this another few thousand arrived, now up to 23,000 for the morning. Just deleting them takes me ages.  I really don't know what to do to try and stop these F*****KNG idiots!

Clive
2 hours ago, clivel said:

5.172.188.193

"cert [at] cert [dot] pl" tell them "abuse [at] man.olsztyn [dot] pl" are asleep at the wheel. "5.172.188.193" seems a compromised email account, probably a botnet sink. Need a SpamCop track (just 1 not dozens). Possibly bouncing spam to your email if in from address.

http://www.man.olsztyn.pl/31-2/

Found the Polish web site for that email server; it has email addresses on the page.


petzl,
Thank you very much for the link to the web site and the suggestion to contact Cert. I have emailed all the addresses on the page as well as Cert; hopefully something positive happens soon.
This is now getting ridiculous, each day it gets worse and worse. During the last two hours I have just received another batch of bounces - 59,177 currently sitting in my spam folder where I have them redirected.
That makes the total for today over 82,000 emails and there are still a few hours left in the day. This is more than I have received the whole week so far and it looks as if there is no end in sight.

I am extremely disappointed that despite having forwarded hundreds of these bounces to Spamcop the server is not blacklisted. This is an unprecedented flood of spam, surely there must be some way I can have the server placed on a blacklist?
Clive

In the last half an hour I have just received another wave of bounces just over 13,000 so far and they are still coming in thick and fast. At this rate it will be well over a 100,000 by the end of the day.
The last four days have been a nightmare, deleting spam has taken up almost all my time. And for a while I wasted an enormous amount of time trying to report a few hundred of these bounces to spamcop for apparently no point whatsoever.
Clive
