Receiving hundreds of Delivery Failure emails - how to report these

[geistman]

For the last several days, I have been receiving hundreds of delivery failure notices (in various forms from Undelivered mail, Mailer-daemon AntiSpam BOL, Postmaster, ...) to my email account every day. I am certain that my computer is not the source of these messages; my system is spyware and virus-free. It looks like somebody's infected computer is pumping out spam messages with my email address as the return address.

I don't want my email address or domain to be considered a spam site because of this. I would like to stop this from occurring, if possible.

I realize that the delivery return messages are not, themselves, spam, but is there a way I can get information from the header and then submit that message to spamcop? Or is there some other way I can control this?

Thanks in advance.

[Telarin]

Actually, spamcop DOES consider these misdirected NDRs to be spam, and you can report them through spamcop. Spamcop has no interest in the email addresses listed on the message, as they are trivially forged, the only information that spamcop is concerned with are the actual IP addresses in the message header, which can not be forged.

A properly configured mail server will not produce bounces to a forged from address, however, as you have found out, there are many many mail servers on the internet that are not properly configured.

You can submit these misdirected bounces to spamcop as you would any other piece of spam.

[Farelf]

In support of Will's advice, note the official SC FAQ On what type of email should I (not) use SpamCop?, particularly

Messages which may be reported:

There are several types of responses to forged email that SpamCop has in the past prohibited. However, these messages have become a big enough problem that we now allow them to be reported as the spam that they technically are.

Examples of messages in this category:

1. Misdirected bounces

2. Misdirected virus notifications

3. Misdirected vacation emails

4. Misdirected challenges from challenge/response spam filtering systems

...I am certain that my computer is not the source of these messages; my system is spyware and virus-free. It looks like somebody's infected computer is pumping out spam messages with my email address as the return address.

The proof of that would be that it is not your IP address shown as the origin of the bounced spam. Confidence in AV and firewall protection is sometimes sadly misplaced but it certainly would not be usual practice for spam to be going out using your domain address if you were infected. If you have difficulty reading the headers on that bounced spam you could always snip a sample and post into the parser just to see what it makes of it. Just be sure to cancel, not report the results. That is not "your" spam to report, of course.

[Miss Betsy]

And while all domain owners want to STOP the forging of their domain in the From - some even would prefer the perpetuators to be boiled in oil - There is not much you can do about stopping them. Fortunately, few people on the internet today would think it was really your domain, and no one with any authority to enact any punitive measures would do so.

If you are getting hundreds, it might be a good idea to turn off your 'catchall'

Miss Betsy

[Telarin]

And while all domain owners want to STOP the forging of their domain in the From - some even would prefer the perpetuators to be boiled in oil

Very, very hot oil...

[davidwalker]

In support of Will's advice, note the official SC FAQ On what type of email should I (not) use SpamCop?, particularly The proof of that would be that it is not your IP address shown as the origin of the bounced spam. Confidence in AV and firewall protection is sometimes sadly misplaced but it certainly would not be usual practice for spam to be going out using your domain address if you were infected. If you have difficulty reading the headers on that bounced spam you could always snip a sample and post into the parser just to see what it makes of it. Just be sure to cancel, not report the results. That is not "your" spam to report, of course.

This has happened to me on average once per month for the past 6 months and my e-mail address is being faked by a true spammer. Woke up this morning with more than 700 delivery failure,auto-responses,challenges etc. And while the actual (forged?) IP address is somewhere in Asia according to APNIC there are a number of firewalls that block my IP temporarily.

I have reported the spam to the companies that are being "promoted" but only one has taken any action. I have been totally ignored by all the rest.

While it is not "my" spam, is there any way I can report it???

David

[Miss Betsy]

<snip>And while the actual (forged?) IP address is somewhere in Asia according to APNIC there are a number of firewalls that block my IP temporarily.

What do you mean that there are 'firewalls' that block your IP? No server admin would block your IP address because of a forged From. The IP address cannot be forged by the receiving computer. It is only the From and the return path that can be forged.

I have reported the spam to the companies that are being "promoted" but only one has taken any action. I have been totally ignored by all the rest.

While it is not "my" spam, is there any way I can report it???

The clue is in your comment 'only one has taken any action' - unless it is a mistake (including infected computers on smaller networks), neither sources nor spamvertized sites take action against spammers.

Although spamcop was designed with the idea that server admins would take action and stop spam, most spam is now sent from places that prefer spammer money and even if spamvertized websites are taken down, spammers have hundreds of domain names to use.

The way to stop spam is to block it at the server level from those places that send it. And that includes the people who accept spam and then send emails to the return path. You can report these through spamcop.

If you want to want to be ignored, then you can report the spam contained in the 'bounces' manually. You can use the parser to find the correct abuse address, but be sure to cancel the report.

Miss Betsy

[agsteele]

This has happened to me on average once per month for the past 6 months and my e-mail address is being faked by a true spammer. Woke up this morning with more than 700 delivery failure,auto-responses,challenges etc. And while the actual (forged?) IP address is somewhere in Asia according to APNIC there are a number of firewalls that block my IP temporarily.

I have reported the spam to the companies that are being "promoted" but only one has taken any action. I have been totally ignored by all the rest.

While it is not "my" spam, is there any way I can report it???

Hi David!

You can submit a report via SpamCop of the spam that you receive and only the spam that you receive. So, it is NOT permitted to reconstruct a spam item sent to someone else that bounces to you. You can report the bounce but not the message that caused the bounce.

All that said, the reports are to the SpamCop system which alerts the ISP which was used to send the message. But these are not reports in the sense that you refer to ie telling a company that their products are being promoted via spam.

In any case, telling these companies is likely to be fruitless since they are probably well aware that they have employed spam techniques to promote their products and have done so intentionally

Andrew

[PaulOsborn]

I'm having exactly the same problem as geistman and found this discussion very useful. Can I just ask for confirmation (to see if I've got it right) - I can report the "returned email" "undeliverable" etc mails through SpamCop as spam in themselves as I didn't generate the email that they are responding to. However, this doesn't get to the originator of the spam that's using my email address for the return?

I'm receiving around 50 of these returns a day so it doesn't seem too practical to report every one and in any case, there doesn't seem to be a pattern so even if one genuine company or individual that's sent a return stops, there will be a different 50 sending them to me tomorrow!

Conclusion? There's no way that SpamCop is able to use the header info I've got in the returned mails to identify the spam originator (who's using my address as the return) so effectively there's no solution?

Sorry if I should have understood this from the previous mails, but I'd like to make sure I've got it right before I give up on my long-standing email address!

Thanks in advance.

[Wazoo]

I'm having exactly the same problem as geistman and found this discussion very useful. Can I just ask for confirmation (to see if I've got it right) - I can report the "returned email" "undeliverable" etc mails through SpamCop as spam in themselves as I didn't generate the email that they are responding to. However, this doesn't get to the originator of the spam that's using my email address for the return?

What you will be reporting is the 'misdirected bounce' ... this term is defined in numerous places. The ISP/system that generated this 'bounce' is who will come up as the target for your report.

The spammer forged your address into the From: and/or Reply-To: lines in the e-mail header, some ISP received that e-mail then decided that 'you' didn't exist on that network, so then later got around to sending out the notice that the e-mail didn't go through. Back in the early days, this was normal. Once the spammers started abusing this 'function' .... it is no longer considered appropriate.

[turetzsr]

<snip>

Can I just ask for confirmation (to see if I've got it right) - I can report the "returned email" "undeliverable" etc mails through SpamCop as spam in themselves as I didn't generate the email that they are responding to. However, this doesn't get to the originator of the spam that's using my email address for the return?

<snip>

...IMHO yes, you have it right.

...SpamCop is just a tool that helps us identify the source of the spam we ourselves have received and to send complaints on our behalf to the abuse desk of those sources. It does this by analyzing the e-mail Internet headers that it believes it can trust to provide valid information. The e-mail Internet headers added by the server prior to the one that sent it to you can not be trusted to be accurate (they could be forged) and it would be those headers that SpamCop would have to rely on to go back to the originator of the spam.

Conclusion? There's no way that SpamCop is able to use the header info I've got in the returned mails to identify the spam originator (who's using my address as the return) so effectively there's no solution?

<snip>

...Not quite. You can use the SpamCop parser by entering the e-mail Internet headers you believe identify the source of the original spam, cancel the reports SpamCop offers to send on your behalf, and send your own reports manually (being sure to not mention SpamCop as being your source of information in your reports).

[Miss Betsy]

Before you give up on your address, this phenomenon usually doesn't last very long. (unless you are using a catchall address also).

And, if you do change your address, be sure to make a 'strong' one that contains numbers or symbols so that dictionary spammers can't guess it. i.e. pau!0sborne and don't post it on the internet.

Miss Betsy

[PaulOsborn]

Many thanks for that ... it'll be a relief when it does stop! Could you tell me what a "catchall address" is tho? Don't think I have one, but you never know!

Many thanks to all for the responses ... advice is much appreciated.

Paul

[Wazoo]

Could you tell me what a "catchall address" is tho? Don't think I have one, but you never know!

SpamCop FAQ .. Dictionary .. Glossary ... Wiki .... search tools .... all linked to at the top of this page

[StevenUnderwood]

Could you tell me what a "catchall address" is tho? Don't think I have one, but you never know!

2 Questions:

Do emails to <anything here>[at]yourdomain get to you?

Are any of the bounces being sent to unassigned email addresses as the forged sender?

If the answer to either question is yes, you are using a "catch all address". It was designed to eliminate the problem of typos in email addresses (anything sent to your domain will be delivered to you). It has outlived its usefulness because of the spammers.

[bwawsc]

One thing that can be done about the forging of sender addresses is for every sending domain to publish an SPF policy, and every receiving server to check and process mail against it. Adoption is slow, but at some point a critical mass will be reached which will allow this to be effective.

OpenSPF Foundation

--

Bill

[Wazoo]

One thing that can be done about the forging of sender addresses is for every sending domain to publish an SPF policy, and every receiving server to check and process mail against it. Adoption is slow, but at some point a critical mass will be reached which will allow this to be effective.

Not good .. leaving out sall the down-sdie on that suggestion.

[Farelf]

Slashdot discussion at http://ask.slashdot.org/article.pl?sid=07/06/22/1547225 presents some thoughts. A reasoned "pro" observation within that on the current state of play (last June) is http://ask.slashdot.org/comments.pl?sid=24...mp;cid=19614885

[bwawsc]

Not good .. leaving out sall the down-sdie on that suggestion.

Sorry, Wazoo - I don't understand this comment at all. Are you saying that there is a significant downside to senders publishing an SPF policy, or to receiving servers checking SPF? Both? What is the downside you are referring to? My personal opinion (I know, we all have one) is that there is no cost to the owner of a domain and a potential big payoff, even if it takes a while to develop. I felt I was offering a constructive suggestion and didn't realize I was leaving out the downside. I sincerely would appreciate enlightenment.

[StevenUnderwood]

Are you saying that there is a significant downside to senders publishing an SPF policy, or to receiving servers checking SPF? Both? What is the downside you are referring to?

If EVERYONE in the world (or at least the part you want to communicate with) adopts SPF, it might be usable, but a pain in the neck for several classes of users. This is based on my last inspection of this about 3-6 months ago.

1. Everyone will need to use the ISP account they are currently connected to as the return address in order to use that SMTP server. Otherwise, everyone will need to contract with a separate mail provider to keep a uniform presence.

2. Forwarding services are also troublesome for the same reason, you can not have an alternate sender set in your email.

[bwawsc]

If you include the SMTP servers you want to use in your domain's SPF policy, then those servers are "permitted" (the downside to that being that you are also permitting anyone else who uses that SMTP server to send from your domain as well). This can get cumbersome, if you have many users and they all send from a variety of SMTP servers. In those cases, you might want to provide them with an authenticating SMTP server to use, independent of their ISP connection of the moment.

There are methods for forwarding services to use - but of course, they have to use them. If they are SPF-illiterate, they will cause problems.

The biggest problem seems to be learning (as a domain owner) how to construct a "proper" SPF policy. Many domain owners have no idea what SMTP servers their mail might be sent from, and get no help from their domain hosting service. It took me weeks and considerable persistence to get the information (only one host, not one of my MX servers - a very simple case). The second-biggest problem is learning how to publish the SPF record you have composed (most people have no direct access to their zone file, no idea where their authoritative name server is, and no idea how/who to contact about it).

Big companies should have no problem with any of this - but even so, it can be difficult to educate the network group about the needs of the email group. My company still hasn't published an SPF policy after months of badgering from within.

[StevenUnderwood]

Some suppliers still do not allow the TXT entries to be entered or modified which is required for SPF and is one of the major complaints against SPF in that it is taking over what is in the DNS definition an optional field, and giving it a specific purpose.

Prior to my leaving in the spring, I asked the provider for my previous employer and they stated they had heard several requests for it but had no plans to change their policy.

[bwawsc]

The RFC (4408) defines a new resource record Type SPF (code 99) but allows the publication of the SPF Policy in a TXT record for backward compatibility with early implementations. Unfortunately, many DNS management tool implementations do not yet support publication of code 99 (Type SPF) records, and some email receiver packages that support "SPF" do not check for code 99 records, only TXT. I don't think it is intended to "take over" TXT - it can still be used for many other purposes. It's just a convenient way to get SPF policies published without waiting for DNS server implementations to support a new Resource Record Type.

[StevenUnderwood]

The RFC (4408) defines a new resource record Type SPF (code 99) but allows the publication of the SPF Policy in a TXT record for backward compatibility with early implementations. Unfortunately, many DNS management tool implementations do not yet support publication of code 99 (Type SPF) records, and some email receiver packages that support "SPF" do not check for code 99 records, only TXT. I don't think it is intended to "take over" TXT - it can still be used for many other purposes. It's just a convenient way to get SPF policies published without waiting for DNS server implementations to support a new Resource Record Type.

http://www.ietf.org/rfc/rfc4408.txt

IESG Note

The following documents (RFC 4405, RFC 4406, RFC 4407, and RFC 4408)

are published simultaneously as Experimental RFCs, although there is

no general technical consensus and efforts to reconcile the two

approaches have failed. As such, these documents have not received

full IETF review and are published "AS-IS" to document the different

approaches as they were considered in the MARID working group.