Jump to content

FAQ Entry: Why am I getting all these bounces?


Jeff G.

Recommended Posts

As Mike Richter would write in part:

Spammers forge the email addresses into the "From" addresses of their spam

all the time. There is no known method of making them stop. Fortunately, it

is very likely to stop on its own in a short time (typically, a few days

unless you have gotten the spammer angry at you).

Even more fortunately, no responsible individual or ISP will blame you

for the spew. You may get some irate e-mails from those who are truly

clueless, but your IP address won't show up on a blocklist for such a

forgery.

You are not supposed to report bounces or the content of bounces with

the SpamCop Reporting Service, but you can use its parsing portion to help

you compose your own reports. UPDATE: "Misdirected bounces" now "may be reported" per On what type of email should I (not) use SpamCop?.

Link to comment
Share on other sites

  • 1 year later...

Stolen from the spamcop newsgroup;

Onyx wrote:

> Ok, I just recieved cca 100 messages notifying me of failed delivery of

> emails I didn't send and they keep coming, woo hoo. Apparently, spammer

> vermin used email on my domain as a return address for their spam.

>

> Two questions:

> 1. What would be the best way to deal with this?

First of all, check your mail server to make sure that it will not relay

for a spammer forging a real user on your domain. Apparently there is a

popular mail server software out there that is designed to do that and

there is no way to disable that feature except to enable SMTP-AUTH for

all e-mail. This is what I have picked up from the admin(at)dsbl.org

list's public archives.

Then assuming that your mail server is not the one that is affected by

this feature:

File abuse reports about the delayed bounces with each mail server that

is doing the delayed bounce.

Such delayed bounces are now reportable by spamcop.net:

See a recent post in spamcop.help by Larry Kilgallen for a sample text:

: As I report that spam (the message claiming I sent a message

" I did not) I include something like the following text in my

: SpamCop report:

Believe it or not, spammers lie.

Please adjust your software to not send these meaningless warnings

blindly to the "From:" address, but instead respond within the

SMTP dialog, so your comments get to the actual originator rather

than pestering an innocent bystander.

While the bounces are allowed by RFC, it is from a time when third party

open relays were also allowed.

Most mail servers do an SMTP reject, which means that any bounce message

will come from the original sending mail server, and the only ones of

those that are relaying spam are either the domain that should receive

the abuse report of one of their users, or an open relay. Open relays

should be blocked on site.

When mail servers do not do an SMTP reject, and do an accept and bounce,

then they are participating in a DDOS to victims like you.

There have also been several recent posts on news.admin.net-abuse.email

about the practice of abusive bouncing of spam.

There are some mail server operators that claim that it is not practical

to convert to SMTP rejects instead of bouncing.

These mail server operations must be bigger than AOL.COM which had

several years ago announced on the spam-L mailing list that they

recognized that such bounces where abusive to the rest of the internet

and were switching over to only using SMTP rejects.

It seems that for every example of someone claiming that their network

is too large to convert, an example can be found of a larger network

that did so. And I suspect that it is a much lower operational cost to

use SMTP rejects instead of doing the accept and then bouncing.

> 2. Could this possibly get my domain listed on anti-spam lists?

Only if the mail server operator is either incompetent, or is so small

that it is unlikely that they will ever receive a legitimate e-mail from

your domain.

According to posts on news.admin.net-abuse.email, even the conservative

spamhaus.org will eventually list I.P. addresses that bounce spam to

forged addresses.

It is far more likely that the I.P. addresses of the mail servers that

are bouncing the spam will get put on local and public blocking lists

than the I.P. address of your domain.

Most medium to large mail servers pay a metered rate for their

bandwidth, and accepting fake bounces or spam needlessly increases their

operating costs.

So if the only e-mail they have ever seen from an I.P. address is spam

or fake bounces, many mail server operators that are paying for

bandwidth out of their profits or pockets will block that I.P. address.

-John

wb8tyw <at> qsl.network

Personal Opinion Only

EDIT: Wazoo edited the above, based on jeff G's observation, a few newsgroup replies that pointed to the same situation, and John's later post;

A typo on my part, I meant to type now instead of not.  In this case

though it may not have been obvious.

-John

wb8tyw <at> qsl.network

Personal Opinion Only

Link to comment
Share on other sites

Such delayed bounces are not reportable by spamcop.net

...

-John

wb8tyw <at> qsl.network

Personal Opinion Only

27509[/snapback]

Yes, they are (now). Please see my UPDATE above in Linear Post #1.
Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...