
What about reporting forged sender bounces?


wpietri


I get a lot of bounces from spam with forged sender lines. Before the mailhost was made mandatory, I was in the habit of using SpamCop to report the ones where the bounce contained complete headers and the full message.

But now, any bounced spam that I try to report is rejected. It says, correctly, that it didn't come through one of my registered mail hosts. How can I report forged-sender spam through SpamCop?

Thanks,

William


Before the mailhost was made mandatory, I was in the habit of using SpamCop to report the ones where the bounce contained complete headers and the full message.

That practice was a violation of your agreement with Spamcop because the spam was not "sent" to you directly and could have gotten you fined or worse.

You should have been manually reporting those spams using the information spamcop parsed. You can still use spamcop to look up where to send reports for a certain IP but you need to parse the headers yourself.

Since mailhosts were introduced, I have been asking for a parse only form that does not use mailhosts for this and for helping others with parsing problems.

I send manual reports to the postmaster bouncing both viruses and spam showing them where the message originated (when possible) and why he should not be redirecting his "garbage onto my lawn", so to speak. The original spam, each time I looked was already reported and the IP usually already on the blocklist, so I never bothered reporting it.


I get a lot of bounces from spam with forged sender lines. Before the mailhost was made mandatory, I was in the habit of using SpamCop to report the ones where the bounce contained complete headers and the full message.

But now, any bounced spam that I try to report is rejected. It says, correctly, that it didn't come through one of my registered mail hosts. How can I report forged-sender spam through SpamCop?

Thanks,

William

Please do not report *any* bounce mails using SC.


Ok, I understand that y'all don't want any forged-sender messages reported via spamcop, and I will refrain from doing that in the future. That's certainly disappointing to me; I look at spamcop as a tool I pay for to handle the hassle of reporting spam, so this seems like an inexplicable flaw to me. Rather than menacing me with vague, dire penalties, perhaps you could explain the reason why it's bad?

Thanks,

William


The reason that it is bad is that there can be legitimate bounces, and it is also one of the RFCs (which, IMHO, should be changed since events have overtaken its usefulness).

I am not an admin so I don't know all the reasons why an admin would prefer to accept all email and then sort it (one reason may be economy). However, if an admin does accept an email and it turns out to be undeliverable, then the only way to return it is to use the return path (which until the spammers started forging it, was where the sender wanted it returned and is not necessarily the server - IP address - from which the email came).

IMHO, the number of people who send email from one IP address, but want the answer at another, who would be inconvenienced by email that disappears because it was undeliverable is very small compared to the number of people who are inconvenienced by receiving 'bounce' emails because their address was forged.

Although it is nice to have the feature of 'bounces,' it certainly is not something that is essential. Snail mail sometimes totally disappears and people have learned to deal with that. If bulk emailers could be induced to use the RFC that identifies the email as a bulk email, and if any IP address that didn't insist that customers sending bulk email use it were blocked, then the problem could be solved. Bulk email that was not wanted and non-conforming IP addresses would be rejected at the server; any email that was accepted would be individual emails, and bouncing them would probably not cause any problems even if there were a mistake.

Miss Betsy


I totally understand Wpietri's comment. I too signed up for SpamCop and paid for it. Now it seems I am still vulnerable to spam like those nasty bounces. I have to deal with them like I used to deal with spam earlier. Regarding whether or not we accepted the agreement, I think we are entitled to an understandable explanation (we are not all computer specialists) and no threats with fines etc. We just wanted to get rid of spam and were willing to pay for such a service.


I totally understand Wpietri's comment. I too signed up for SpamCop and paid for it. Now it seems I am still vulnerable to spam like those nasty bounces. I have to deal with them like I used to deal with spam earlier. Regarding whether or not we accepted the agreement, I think we are entitled to an understandable explanation (we are not all computer specialists) and no threats with fines etc. We just wanted to get rid of spam and were willing to pay for such a service.

We have 2 issues here -- the first is the MTA that sends the bounce; that should not be reported, as that is an RFC standard function, regardless of whether the RFC makes sense right now or how annoying the bounces are. The other issue is the spam enclosed in the bounce text message. For the enclosed spam there are a couple of reasons, but the main one is that there is no way to know whether the headers enclosed in a bounce are legit or not, complete or not. The parser cannot know, when it parses those headers, which headers are forged and which aren't. Some MTAs deliver good bounces and some don't; there are dozens of formats -- or more than dozens -- for the layout of the bounce message itself. Some of the bounces are double bounces.

Now, this is not to say that this all isn't a hot topic of conversation around here, because it sure is, but the technical details of handling these are not trivial and possibly not realistically do-able by a piece of software that is supposed to be able to handle anything and everything thrown at it.


First of all, you agreed to the "rules" set forth by Julian when you signed up to use the SpamCop tool set. Please see http://www.spamcop.net/fom-serve/cache/14.html

To my mind, these sorts of responses are worse than useless, serving only to alienate users, potential and actual.

My understanding is that Spamcop exists to help fight spam. That's great; that's why I am here, why I support Spamcop with my cash, time, and promotional effort. I strongly believe that collective action, like through Spamcop, can be much more powerful than individual action.

So when I come here with a legitimate question about how to report real spam, I'm looking for a reasonable answer. Being told that it's against the rules is an unhelpful answer, and being told it again after I had said that I understood and would obey the rules is just insulting.

If you have something helpful to say, like an explanation of the rule or, better, a way to improve the rules or the software, then great, speak up. But if your only contribution is going to be unhelpful and negative in tone, then I'd suggest you pipe down. Spammers are doing well enough without your help in alienating people who are trying to fight them.


perhaps you could explain the reason why it's bad?

Sorry, I fail to see where my 'First of all, you agreed to the "rules" set forth' is not an appropriate starting point.

looking for a reasonable answer.

Pointing to the terms of a "contract/agreement" is unreasonable?

Being told that it's against the rules is an unhelpful answer, and being told it again after I had said that I understood and would obey the rules is just insulting.

see the above once again

But if your only contribution is going to be unhelpful and negative in tone

You're entitled to your own opinion, but I suggest you do some research before exposing yourself like this. You might be surprised at what you learn by doing a bit more reading.


So when I come here with a legitimate question about how to report real spam, I'm looking for a reasonable answer.

A bounce is not "real spam", and if reported correctly without modifying the body of the message, you would report a server that is following the rules (RFCs). The "real spam" was not sent to you but to a third party and was misdirected to you because of outdated but valid RFCs.

You can send manual reports anywhere you want (for the original spam and/or the bounce). You can even use spamcop to determine where those reports should go. You just are not to use spamcop to report them because it could give spamcop a bad reputation with ISP's and the reports others make following the rules would become worthless.

Please see Ellen's response as that is as close to a company policy statement as you are likely to get. She is paid (not enough ;) ) by spamcop to be a deputy here to assist with things that go beyond what a normal user has access to.


We have 2 issues here -- the first is the MTA that sends the bounce; that should not be reported as that is an RFC standard function.

That makes perfect sense. Sorry if I was unclear; I'm only talking reporting the spam that triggered the bounce, not reporting the bounce itself.

For the enclosed spam there are a couple of reasons, but the main one is that there is no way to know whether the headers enclosed in a bounce are legit or not, complete or not. The parser cannot know, when it parses those headers, which headers are forged and which aren't. Some MTAs deliver good bounces and some don't; there are dozens of formats -- or more than dozens -- for the layout of the bounce message itself. Some of the bounces are double bounces.

I agree that the parser may have a hard time with these, and that they're hard to verify.

However, in my case, I only bother with this when I have 20 or 30 forged-sender bounces from one spam run. Some of those are indeed useless for spam reporting purposes, but enough of the MTAs out there will include the original message with full headers that I can find a few solid copies of the spam to report.

So although the parser certainly can't do all the work, that's ok with me; I've been reporting spam since long before spamcop. I just want to use spamcop to handle the ISP reporting, anonymization, and blacklist feed parts of the process.

Now, this is not to say that this all isn't a hot topic of conversation around here, because it sure is, but the technical details of handling these are not trivial and possibly not realistically do-able by a piece of software that is supposed to be able to handle anything and everything thrown at it.

That's ok by me; as a writer of software myself, I have a fine appreciation for the fact that for a given amount of effort, software only takes you so far. I'm glad to manually do the necessary work so that I'm only feeding in high-quality spam for reporting.


Question: What about spam that Spammy built to appear as a forward? For example, one I received yesterday had bogus "headers" in the "forwarded message" spam. Spamcop wouldn't accept it.

If Spammy figures that one out, no spam will be reportable.


Question: What about spam that Spammy built to appear as a forward? For example, one I received yesterday had bogus "headers" in the "forwarded message" spam. Spamcop wouldn't accept it.

If Spammy figures that one out, no spam will be reportable.

...See Pinned: Spammer Rules rule #3. :) <g>


Question: What about spam that Spammy built to appear as a forward? For example, one I received yesterday had bogus "headers" in the "forwarded message" spam. Spamcop wouldn't accept it.

If Spammy figures that one out, no spam will be reportable.

You have a sample of this?


Question: What about spam that Spammy built to appear as a forward? For example, one I received yesterday had bogus "headers" in the "forwarded message" spam. Spamcop wouldn't accept it.

The SpamCop parser starts with the premise that it's going to be looking at a "correct" set of headers. There are many things that it will not accept.

If Spammy figures that one out, no spam will be reportable.

Yep, that's what the spammers have been trying to accomplish for a number of years now, and yet .....


  • 2 weeks later...

Sorry for the slow reply on this.

perhaps you could explain the reason why it's bad?

Sorry, I fail to see where my 'First of all, you agreed to the "rules" set forth' is not an appropriate starting point.

[...]

Being told that it's against the rules is an unhelpful answer, and being told it again after I had said that I understood and would obey the rules is just insulting.

see the above once again

Yes, I still feel that your post was worse than useless. My question was about how to fight a particular spammer. Your pointing to the rules didn't aid me at all; it blocked action, rather than aiding it. Note that after further discussion, you still haven't made a positive contribution; you're just implying that I don't know what I'm doing. If you were interested in making a difference, you'd tell me how to learn whatever it is that you think I'm missing.

But if your only contribution is going to be unhelpful and negative in tone

You're entitled to your own opinion, but I suggest you do some research before exposing yourself like this. You might be surprised at what you learn by doing a bit more reading.

Well, since you're taking the pose of an expert, you might demonstrate that by saying what I should be researching. I'd be intrigued to hear it. I've written both MTAs and MUAs, albeit small ones, and wrote a chapter of a book (IDG's Internet Secrets, Volume 2 on how email works). I've been programming for twenty years, using the internet for fifteen, and running mail servers for more than ten. So I'd be eager to hear your pointers to any further research I should be doing on the topic.


So when I come here with a legitimate question about how to report real spam, I'm looking for a reasonable answer.

A bounce is not "real spam", and if reported correctly without modifying the body of the message, you would report a server that is following the rules (RFCs). The "real spam" was not sent to you but to a third party and was misdirected to you because of outdated but valid RFCs.

You can send manual reports anywhere you want (for the original spam and/or the bounce). You can even use spamcop to determine where those reports should go. You just are not to use spamcop to report them because it could give spamcop a bad reputation with ISP's and the reports others make following the rules would become worthless.

Hi! I'm sorry if I wasn't clear, but I do not want to report the bounce. Bounces are fine. I like 'em, and have no issues with them.

What I want to report is the spam that triggered the bounce. A spammer regularly forges random addresses in my domain, causing me to receive maybe 50 bounced spams per day. Perhaps 20 of those contain the spam with a full set of valid headers, including a good set of Received headers. I would especially like to report those because A) I don't like it when people forge my domain, and B) it lets Spamcop and the SBL get reports on spam that might otherwise go uncaught.

Back before the introduction of mailhosts, I could and would report those spams. In general, I think the mailhosts feature is a great idea, but it is stopping me from reporting certain real spams.

I gather that the party line on this is that although I might be able to fish out the reportable spams happily, the folks at Spamcop don't trust average users to manage the task. In which case, fine, I understand that there's only so much they can do. It disappoints me, as the only reason I pay Spamcop money is so that I can easily report spam, and this is perhaps 90% of what gets through my filters these days.

But as long as they're aware that they've just disabled a feature, albeit an unintentional one, that I used a lot and liked, that's all I'm after.


Back before the introduction of mailhosts, I could and would report those spams. In general, I think the mailhosts feature is a great idea, but it is stopping me from reporting certain real spams.

And the words suggesting that the Mail-Host thing will be a "requirement" in the future bother a lot of folks. Most of the "old-timers" have found that converting also runs into the same issues that you're raising .. "we" / "they" can no longer try to parse someone else's spam to diagnose the errors that someone else is seeing, because the parsing stops with the "not your mail-host" condition ... I've seen posts from some of the Deputies that asked for the account name of the complaining user so that they could run the parse "as that user" .. so even those most trusted insiders are having this same issue.

I gather that the party line on this is that although I might be able to fish out the reportable spams happily, the folks at Spamcop don't trust average users to manage the task. In which case, fine, I understand that there's only so much they can do. It disappoints me, as the only reason I pay Spamcop money is so that I can easily report spam, and this is perhaps 90% of what gets through my filters these days.

The "folks at SpamCop" is a bit open to interpretation. There's Julian managing the code base, JT handling the e-mail and newsgroups servers, and a handful of Deputies that handle various issues, some of them being paid staff .. but the "decisions" and "flow" of the SpamCop reporting side of things all come from Julian. If you hit the newsgroups, you'll find that you're not alone in some of your concerns. The 'best' recommendation (at this point, before the mandatory use of Mail-Host anyway) is to generate a new 'free' account that isn't tagged to a mail-host configuration. On one hand, this will let you parse those special spams. On the other hand, there are issues with this due to the cookie login feature.

But as long as they're aware that they've just disabled a feature, albeit an unintentional one, that I used a lot and liked, that's all I'm after.

Technically, there is no "they" ... code is constructed and maintained by Julian. The rest of the "they" do handle their e-mail, monitor the newsgroups, and when they have the time, may come through these Forums and throw in an answer here and there ... If you want to more directly voice your concerns, take it to the newsgroups (news://news.spamcop.net/spamcop ) and join in some of the existing threads there, or contact the Deputies <at> admin.spamcop.net to see if one of them will either address your issues specifically or pass them on to Julian. Again, you're not alone in the fallout of this mail-host thing, but noting that this thing was put in place due to spammer forging and bad reporting.


Sorry for the slow reply on this.

Yes, I still feel that your post was worse than useless. My question was about how to fight a particular spammer. Your pointing to the rules didn't aid me at all; it blocked action, rather than aiding it.

And based on your post on May 21 2004, 10:47 AM stating - "Sorry if I was unclear; I'm only talking reporting the spam that triggered the bounce, not reporting the bounce itself." .... your response to other posts by other folks advising you not to report bounces .. you're still taking me to task for making the same mis-read of your original query?

Note that after further discussion, you still haven't made a positive contribution;

and also note that you didn't respond to my offer of fixing your "ugly" post, but see that this was not seen as a "helpful" post .. Ok ...

you're just implying that I don't know what I'm doing. If you were interested in making a difference, you'd tell me how to learn whatever it is that you think I'm missing.

I don't see where I made any comments about your knowledge. There are several posts by other people that offered up other reasons for "not reporting bounces" as based on your original post .. why repeat / beat the dead horse?

Well, since you're taking the pose of an expert, you might demonstrate that by saying what I should be researching. I'd be intrigued to hear it. I've written both MTAs and MUAs, albeit small ones, and wrote a chapter of a book (IDG's Internet Secrets, Volume 2 on how email works). I've been programming for twenty years, using the internet for fifteen, and running mail servers for more than ten. So I'd be eager to hear your pointers to any further research I should be doing on the topic.

At this point, you've already changed the premise and tone of your original query, so I'm not sure what you want from me. If you want to compare resumes, that can be done elsewhere. I'll just state that I date back to the days of electron tubes that were replaced by transistors, that were replaced with Integrated Circuits, spent my hours re-indexing boxes of Hollerith cards, toggling in "programs" via front panel switches, started my first BBS on a Franklin 1200 (an Apple II+ clone) with a 300 baud modem, was using the ARPANET when the "phonebook" was less than a dozen pages of double-spaced phone numbers of contact points to verify the "physical address of the day" as it was based on the address of the particular network card installed on the system actually hooked up, was the maintenance guy in charge of supporting systems ranging from those that took up half of a building to those alleged portables that weighed in at 50 pounds to the TI-99/4 I've been thinking of unpacking and seeing what I can remember about it ... I can't begin to recall all the operating systems I had to figure out in order to know enough to sort out the hardware/software determination of a problem .... feel better now?

What is it that you'd want explained about header data of an e-mail? You've already indicated you know the details. As stated, the original issue was your "reporting of bounces" and you've since changed that scenario.


The bottom line on 'bounces' is that you cannot get the spam within them parsed by spamcop if you have signed up for mailhosts.

The fact is that what is gained by mailhosts preventing inaccurate reporting has hurt just plain 'research' by competent people.

Since even the deputies are experiencing inconvenience, there may be a feature that will just parse (no reports) for those who want to use spamcop that way. I hope Julian saved a copy of how spamcop used to work. <g> Or it may not happen since the tweaks that have to be made to keep spamcop accurate may not be able to be incorporated into two different systems.

Until that time, people who want to report spam in bounces will have to read the headers manually. (or maybe a line at a time - that still works doesn't it?)

And there is always the challenge to those who know how to write code to write their own program to parse bounces or report viruses. Is Julian the only one who can do it? I expect that he would be happy to have someone create these services to keep the complaints off his back.

Miss Betsy


This is going in circles again, but...

Back before the introduction of mailhosts, I could and would report those spams. In general, I think the mailhosts feature is a great idea, but it is stopping me from reporting certain real spams.

It is my belief that this practice is one of the reasons (not the primary) that Mailhosts are being made mandatory.

You are not supposed to use spamcop to report spam that was not sent to your account. The bounce was sent to your account but the spam was not. It was sent to another (non-existent or protected) account. Mailhosts protect spamcop from you reporting something that should not be reported through spamcop.

If you have the headers, you can still use spamcop to determine where reports should go and send manual reports. You need to parse the headers yourself to determine the actual source. In my configuration, I always use the source that sent it to my mail handler, the same as mailhosts does.

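The manual parse described in the post above (start from the Received: line your own mail host wrote and take the IP it received from, as mailhosts does), and Ellen's point earlier in the thread that headers inside a bounce have no trustworthy anchor, worked through as an added example. This is not SpamCop's code or any poster's; the host names, addresses and the DSN itself are constructed.

```python
"""Mailhost-style parse of a forged-sender bounce (added example, not SpamCop code).

A Received: chain is only trustworthy from the hop written by a mail host you
control. For a bounce, that chain identifies the bouncing MTA (not reportable).
For the spam embedded in the bounce, none of your hosts appear in its chain, so
nothing anchors the parse and its headers must be read by hand.
"""
import email
import re

# Hosts the reporter runs; stands in for SpamCop's registered mailhosts (constructed).
MY_MAILHOSTS = {"mx.example.org"}

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_BY = re.compile(r"\bfrom\b(?P<src>.*?)\bby\s+(?P<by>[\w.-]+)", re.S | re.I)


def parse_received(value):
    """Return (receiving_host, sending_ip) for one Received: value; (None, None) if unparseable."""
    m = FROM_BY.search(value)
    if not m:
        return None, None
    ip = IPV4.search(m.group("src"))
    return m.group("by").lower(), (ip.group(1) if ip else None)


def hops(msg):
    """All hops, newest first, exactly as the MTAs recorded them (none verified)."""
    return [parse_received(v) for v in msg.get_all("Received", [])]


def anchored_source(msg):
    """IP that handed the message to one of MY_MAILHOSTS, or None when no trusted
    host appears in the chain (the situation for spam carried inside a bounce)."""
    for by, ip in hops(msg):
        if by in MY_MAILHOSTS:
            return ip
    return None


def embedded_message(bounce):
    """The original message a DSN attaches as message/rfc822, if present."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def analyze(raw):
    bounce = email.message_from_string(raw)
    inner = embedded_message(bounce)
    return {
        "bouncing_mta": anchored_source(bounce),
        "embedded_anchored_source": anchored_source(inner) if inner else None,
        "embedded_hops": hops(inner) if inner else [],
    }


# Constructed sample: a DSN from a third party's MTA carrying a spam whose
# sender was forged to an address in the reporter's domain.
BOUNCE = """\
Received: from mail.third-party.example (mail.third-party.example [198.51.100.7])
\tby mx.example.org with ESMTP; Fri, 21 May 2004 10:00:00 -0000
From: MAILER-DAEMON@third-party.example
To: forged-user@example.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The message could not be delivered.
--B1
Content-Type: message/rfc822

Received: from unknown (HELO pc) (203.0.113.45)
\tby mail.third-party.example with SMTP; Fri, 21 May 2004 09:59:00 -0000
From: forged-user@example.org
To: victim@third-party.example
Subject: buy now

spam body
--B1--
"""

if __name__ == "__main__":
    result = analyze(BOUNCE)
    print("bouncing MTA (RFC-compliant, not reportable):", result["bouncing_mta"])
    print("embedded spam anchored to my mailhosts:", result["embedded_anchored_source"])
    print("embedded hops, to be read manually:", result["embedded_hops"])
```

The outer chain resolves to the bouncing MTA; the inner chain yields hops but no anchored source, which is the condition the mailhost check refuses to parse.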

<snip>

perhaps you could explain the reason why it's bad?

Sorry, I fail to see where my 'First of all, you agreed to the "rules" set forth' is not an appropriate starting point.

[...]

Being told that it's against the rules is an unhelpful answer, and being told it again after I had said that I understood and would obey the rules is just insulting.

see the above once again

Yes, I still feel that your post was worse than useless. My question was about how to fight a particular spammer.

...That's not how I interpret "...perhaps you could explain the reason why [reporting a bounce] is bad?" IMHO that's the best reason to not do something when using a product like SpamCop. Note that Wazoo's reply did not say that this was the only reason, just that it was "First."

Your pointing to the rules didn't aid me at all; it blocked action, rather than aiding it. Note that after further discussion, you still haven't made a positive contribution;

...Others already did that; why should Wazoo repeat what they wrote, just so that (s)he could make a personal "positive" contribution (in your eyes)? That would, IMHO, be unnecessarily redundant.

you're just implying that I don't know what I'm doing.

...IMHO, I don't see how his response implied anything like that. I can see that you could interpret it that way -- can you see that it might not have been meant that way?

If you were interested in making a difference, you'd tell me how to learn whatever it is that you think I'm missing.

<snip>

...Wazoo did that, by referencing the link where the rules reside. IMHO, he (reasonably) concluded from the question you posed that you were "missing (not aware of)" those rules. You later explained that you didn't actually want to report the bounce but rather the original spam; others have since explained why you can't / shouldn't do that. Again, anything Wazoo might add to her/his earlier post would have been redundant.
