Bouncing Spam and SpamCop Reporting


Bouncing as an end user of something sitting in your InBox is absolutely bad. For one reason, please read and interpolate the concept of "forged addresses" in the Pinned item at http://forum.spamcop.net/forums/index.php?showtopic=203 .... If you're using one of the many products that advertise the "bounce" feature, I suggest you turn that feature off. It is easy to see that it's not a bounce from the e-mail server of your ISP, and worst case, some ISPs have taken users to task over the results of using some of these products, as the "bounce" also uses a forged address like Postmaster of the ISP ... way too many forgeries involved here, the likely result is that you're bouncing to the wrong address, on and on ..

I definitely agree.

Unnecessary bouncing is why you get all those messages from people you've never heard of saying that the virus you sent them was intercepted.

I always try to convince admins to turn off this feature, at least for known worms. It makes sense to send a warning to those who sent infected Word documents and such, but those make up much less than 1% of all virus/worm/malware intercepts here.

I am a newbie. There are several things I don't understand. Please explain them to me.

I read through http://forum.spamcop.net/forums/index.php?...findpost&p=1018 .

You may get some irate e-mails from those who are truly clueless, but your IP address won't show up on a blocklist for such a forgery.

It is my understanding (possibly misunderstanding) that spammers test for valid e-mail addresses by randomly putting together combinations of letters to form an e-mail address, sending a forged e-mail to that randomly put together e-mail address, and adding e-mail addresses to their list which they do not receive bounce messages about in the mailbox for the forged address. I thought that bouncing messages would trick spammers into thinking an address is invalid. Please correct me if I am wrong.

Therefore, if the spammer sets up an account at the forged address, wouldn't the chance that an innocent victim would receive a bounce message be very small? Or am I wrong?

and worst case, some ISPs have taken users to task over the results of using some of these products, as the "bounce" also uses a forged address like Postmaster of the ISP

Why would an ISP have repercussions for users who send out bounce messages which are "effectively forged" to fight spam because aren't ISPs interested in fighting spam as well?

Unnecessary bouncing is why you get all those messages from people you've never heard of saying that the virus you sent them was intercepted.

I always try to convince admins to turn off this feature, at least for known worms. It makes sense to send a warning to those who sent infected Word documents and such, but those make up much less than 1% of all virus/worm/malware intercepts here.

I don't understand why e-mails saying a virus you sent was intercepted are a bad thing. It is my understanding (possibly false understanding) that those messages help people unknowingly infected with a virus by notifying them that they have a virus. It is also my understanding (possibly false understanding) that those e-mails help people whose e-mail addresses are forged by viruses by notifying them that their e-mail address has been forged by a virus. Please correct me if I am wrong. Thank you.

that spammers test for valid e-mail addresses by randomly putting together combinations of letters to form an e-mail address, sending a forged e-mail to that randomly put together e-mail address, and adding e-mail addresses to their list which they do not receive bounce messages

First of all, this is the wrong place to ask "how and why" spammers do what they do <g> ... "test for valid" --- possibly some, usually a guess by those receiving "empty" spams, but .... All you have to do is buy one of those make-a-million-$ CD's, or some of that "great" software, etc .. and fire it up ... advertising says that there's at least many thousands of "known-good opt-in" addresses in each and every one of these fine products. Thinking that the larger spammers these days take the time to "analyze and fine-tune" their lists when they're cranking out 5 to 50 million e-mails a day to their "favorite customers" is giving a lot of credit to the spammer. I don't.

bouncing messages would trick spammers into thinking an address is invalid

Again, you're assuming that your spammer actually "works" at developing his/her clientele ... most don't. Where in the "load the 'details', fire up the machine to start the 50 million e-mail spam run of the day, then head for the beach" does actually sitting down and looking through the results in their server logs to cull those that might not want the spam of the day ... oh, wait, didn't we mention that most of the addresses involved in the e-mails are forged? ... guess what, no server logs to ruin the rest of a beautiful day ....

ISP have repercussions for users who send out bounce messages which are "effectively forged"

Again, one product specifically uses the "Postmaster" account in its "bounce" ... As such, "you" are forging your ISP's "name" in the outgoing e-mail ... take it to extremes, someone contacts the Postmaster, who hasn't a clue as to what they are talking about .... so when the copy is provided, why would you not think someone wouldn't be a bit peeved?

those messages help people unknowingly infected with a virus by notifying them

Can we say "forged addresses" once again? I knew we could.

whose e-mail addresses are forged by viruses by notifying them that their e-mail address has been forged by a virus

Please try the above one more time. Again, it was bad enough when one or two a month showed up, even if the above was anywhere close to the truth, you think 3 to 500 incoming e-mails is really going to straighten anything out? You don't have to even try to think of an answer to that, because we're back to the addresses being forged, be it by virus or spammer, it's all the same. If it's the wrong address, it's the wrong address.

Therefore, if the spammer sets up an account at the forged address, wouldn't the chance that an innocent victim would receive a bounce message be very small? Or am I wrong?

Very wrong.

The spammer picks someone's e-mail address and forges it in the spew so that they can trick people to complain to the wrong ISP.

When you fake bounce the spam to that address, if it is a real person, then you are relaying the spam to another victim that had nothing to do with it.

And that is a violation of the terms of service for every network provider that I know of, especially if you send it with the forged address of a role account.

If the spammer chose a spamtrap as their from address, your fake bounce could get your provider's mail servers listed.

Only a small number of spammers actually send from their own networks and e-mail addresses, and most mail server operators have blocked them out because if they did not, the amount of spam from some of them would overload the mailservers.

The way that a true bounce works is that the receiving mail server rejects the mail in progress with an error code. The sending mail server sees the error code and then generates a bounce message.

That is the way that most mail servers on the Internet operate. A few will generate bounces after they accept a message and discover that it cannot be delivered, but while that used to be a courtesy, it is now a very bad practice.

A spammer can easily tell your fake bounces from a real one if one actually reached a spammer. And they are more likely to take it as a confirmation that your e-mail address is valid to sell to other spammers than anything else.

I don't understand why e-mails saying a virus you sent was intercepted are a bad thing. It is my understanding (possibly false understanding) that those messages help people unknowingly infected with a virus by notifying them that they have a virus.

But the e-mail addresses that the virus claims to come from are not from infected computers. The virus just found them from somewhere.

It is also my understanding (possibly false understanding) that those e-mails help people whose e-mail addresses are forged by viruses by notifying them that their e-mail address has been forged by a virus. Please correct me if I am wrong. Thank you.

Again you are wrong.

The only people that should be notified about a detected virus are the designated abuse or postmaster of the network that the virus was sent from, which can only be determined from the I.P. address that the mail server received it from.

To send a virus alert to any other place is aiding the virus writer in the mess that they are making. And if the virus harvested a spamtrap address, as many do, the virus report you send can cause your mail server to get automatically listed.

There are many blocking lists besides spamcop.net that operate spamtraps for early detection of spammers. Some of those lists are easy to get off of, some are not.

While it is against spamcop.net rules to use it to report bounces, real or fake, and the worthless virus notices, the spamcop.net parser can be used to determine where the fake bounce came from. And I and others here will file non-spamcop abuse reports to any network that we (tinw) get fake bounces or misdirected and useless virus notices from, and we encourage others to file the reports also.

-John

Personal Opinion Only
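
Added example, not part of the original thread: a toy receiving server in Python that contrasts the two behaviours described above, rejecting during the SMTP session versus accepting first and bouncing later. The mailbox names, addresses and the `run_session` helper are constructed for illustration, and message transfer is collapsed into the single `DATA` step.

```python
import re

LOCAL_MAILBOXES = {"alice@example.net"}      # constructed: the only valid local user
ADDR = re.compile(r"<([^>]*)>")              # pulls the address out of <...>

# Constructed spam run: forged envelope sender, nonexistent local recipient.
SPAM_RUN = [
    "MAIL FROM:<victim@example.org>",
    "RCPT TO:<nosuchuser@example.net>",
    "DATA",
]


def run_session(commands, reject_at_rcpt):
    """Feed SMTP commands to a toy receiving server.

    Returns (replies, outbound): the replies given on the open connection,
    and the addresses this server would later mail a bounce to.
    """
    replies, outbound = [], []
    sender, accepted, undeliverable = "", [], []
    for line in commands:
        verb = line.strip().upper()
        if verb.startswith("MAIL FROM:"):
            sender = ADDR.search(line).group(1)   # attacker-chosen, may be forged
            replies.append("250 2.1.0 Sender OK")
        elif verb.startswith("RCPT TO:"):
            rcpt = ADDR.search(line).group(1).lower()
            if rcpt in LOCAL_MAILBOXES:
                accepted.append(rcpt)
                replies.append("250 2.1.5 Recipient OK")
            elif reject_at_rcpt:
                # True rejection: the connecting server sees the error code
                # and owns any bounce. We originate no mail at all.
                replies.append("550 5.1.1 User unknown")
            else:
                undeliverable.append(rcpt)        # failure discovered after accept
                replies.append("250 2.1.5 Recipient OK")
        elif verb == "DATA":
            if not (accepted or undeliverable):
                replies.append("554 5.5.1 No valid recipients")
                continue
            replies.append("250 2.0.0 Queued")
            if sender:                            # never bounce to the null sender <>
                outbound.extend(sender for _ in undeliverable)
    return replies, outbound


if __name__ == "__main__":
    print("reject in session :", run_session(SPAM_RUN, reject_at_rcpt=True))
    print("accept then bounce:", run_session(SPAM_RUN, reject_at_rcpt=False))
```

With rejection at `RCPT` time the forged address never receives anything from this server; with accept-then-bounce, every undeliverable recipient in the run produces one more message to the forged address.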

Archived

This topic is now archived and is closed to further replies.
