How do I report forged headers

[lars30]

Hello,

I've a few thousand bounces and otherwise machine replied responses to emails that are the result of a large spam event that someone undertook in which they forged my email address as the "from" field.

Since these emails are replies/bounces and not original spam messages i'm unclear how to report them. Still I'd like to.

I've narrowed the user down to three email addresses he's registered for and used in the 'reply-to' fileld. Witht that info I've reported these accounts to the respective ISPs. I've had SPF and DKIM signatures on my mail host for some time.

Is there anything I can provide spamcop.net with to assist?

Are there any other options that you suggest (in addition to SPF and DKIM) that would more strongly discourage this. It's the second time it's happened this year.

Thanks,

Larry

[turetzsr]

<snip>

Since these emails are replies/bounces and not original spam messages i'm unclear how to report them. Still I'd like to.

<snip>

...Bounces are reportable to the abuse address of the machine that is doing the bouncing, not to the abuse address of the spam source (unless they serendipitously happen to be the same) -- see SpamCopAdmin's reply in SpamCop Forum "thread" "Quick SPF question." However, you can complain directly to the abuse address of the spam source, if you wish -- just don't reference SpamCop when you do that.

Is there anything I can provide spamcop.net with to assist?

<snip>

...If you wish to communicate with SpamCop staff about this, I would recommend that you send an e-mail to the SpamCop Deputies at address deputies[at]admin.spamcop.net.

...Good luck!

[lars30]

Thanks for the info. I've already reported to the abuse address of the spam source. It would be quite a task to report these to all the bouncing addresses abuse accounts. I'll look into it.

Thanks for the help!

Larry

[Farelf]

Hi Larry,

Those misdirected bounces (mail admins simply "returning" undelivered mail to the forged address in the "From:" or "Reply-to:" addresses) should not happen - rfc "standards" required that action once upon a time, before 90% of all messages came to be spam, much of it sent to non-existent/abandoned email addresses (spammers don't care, they know enough of it will get through). If the receiving server accepts the message and drops the connection to the sending server without ensuring deliverability then they should just drop it on the floor if they can't deliver.

As you have seen, you only get such bounces (NDRs) in great numbers when it is your turn to be spoofed as the "sender" in a major spam run, and then when the spatter is handled by clueless mail handlers. Such runs usually don't last long (someone else gets to be spoofed) but you should report as many as you can in the hope that a few more mail handlers allow themselves to be educated. Generally a special kind of report will go out for misdirected bounces which tries to lead them to the light.

What you should not do though SpamCop reporting is to report any original spam that may be included in the bounce. You would have to modify the bounce message (extract from it) to get at that - and altering the reported message is a big "no-no". See On what type of email should I (not) use SpamCop? and read spam within other messages. You can of course use SC tools to get reporting addresses for a "manual" (non-SpamCop) report based on the headers you discover. That is much more work than simply reporting the entire bounce message but if there are only a few behind it all you might think it is worth it.

If I had to suppose, I would suppose that enough SC reporters and/or spamtraps might get hit by deliveries of the original spam to their accounts to list the offending IP addresses anyway, without you having to put yourself out. If not, then it is a botnet sending over thousands (or more) subverted machines and individual reports are probably never going to do much good in such cases. SC of course does not report on the email addresses in spam headers or in spam bodies (not even when they are "Nigerian 419" scams) - the IP address of the source is the SC target. If "drop box" email addresses are the sort of thing that you're targeting then it is definitely manual report territory (though the parser, via the webform submission box, will help you with the reporting addresses if you just paste in the email address).

[turetzsr]

I've already reported to the abuse address of the spam source. It would be quite a task to report these to all the bouncing addresses abuse accounts. I'll look into it.

...My pleasure. But note that the normal SpamCop parse/ report mechanism will identify the abuse addresses of the bouncing servers and generate the complaint e-mails for you to send by clicking the appropriate button on the parse results screen.

<snip>

If "drop box" email addresses are the sort of thing that you're targeting then it is definitely manual report territory (though the parser, via the webform submission box, will help you with the reporting addresses if you just paste in the email address).

...But please be sure to cancel the parse results when you have finished so that someone else can't (easily) send the complaint e-mails!