Jeff G. Posted February 4, 2004

As Mike Richter would write in part:

Spammers forge the email addresses into the "From" addresses of their spam all the time. There is no known method of making them stop. Fortunately, it is very likely to stop on its own in a short time (typically, a few days unless you have gotten the spammer angry at you). Even more fortunately, no responsible individual or ISP will blame you for the spew. You may get some irate e-mails from those who are truly clueless, but your IP address won't show up on a blocklist for such a forgery.

You are not supposed to report bounces or the content of bounces with the SpamCop Reporting Service, but you can use its parsing portion to help you compose your own reports.

UPDATE: "Misdirected bounces" now "may be reported" per On what type of email should I (not) use SpamCop?.

Wazoo Posted May 3, 2005

Stolen from the spamcop newsgroup;

Onyx wrote:
> Ok, I just received cca 100 messages notifying me of failed delivery of
> emails I didn't send and they keep coming, woo hoo. Apparently, spammer
> vermin used email on my domain as a return address for their spam.
>
> Two questions:
> 1. What would be the best way to deal with this?

First of all, check your mail server to make sure that it will not relay for a spammer forging a real user on your domain. Apparently there is a popular mail server software out there that is designed to do that and there is no way to disable that feature except to enable SMTP-AUTH for all e-mail.

This is what I have picked up from the admin(at)dsbl.org list's public archives.

Then assuming that your mail server is not the one that is affected by this feature:

File abuse reports about the delayed bounces with each mail server that is doing the delayed bounce.

Such delayed bounces are now reportable by spamcop.net:

See a recent post in spamcop.help by Larry Kilgallen for a sample text:

: As I report that spam (the message claiming I sent a message
: I did not) I include something like the following text in my
: SpamCop report:

Believe it or not, spammers lie. Please adjust your software to not send these meaningless warnings blindly to the "From:" address, but instead respond within the SMTP dialog, so your comments get to the actual originator rather than pestering an innocent bystander.

While the bounces are allowed by RFC, it is from a time when third party open relays were also allowed. Most mail servers do an SMTP reject, which means that any bounce message will come from the original sending mail server, and the only ones of those that are relaying spam are either the domain that should receive the abuse report of one of their users, or an open relay. Open relays should be blocked on site.

When mail servers do not do an SMTP reject, and do an accept and bounce, then they are participating in a DDOS to victims like you.

There have also been several recent posts on news.admin.net-abuse.email about the practice of abusive bouncing of spam.

There are some mail server operators that claim that it is not practical to convert to SMTP rejects instead of bouncing. These mail server operations must be bigger than AOL.COM which had several years ago announced on the spam-L mailing list that they recognized that such bounces were abusive to the rest of the internet and were switching over to only using SMTP rejects. It seems that for every example of someone claiming that their network is too large to convert, an example can be found of a larger network that did so. And I suspect that it is a much lower operational cost to use SMTP rejects instead of doing the accept and then bouncing.

> 2. Could this possibly get my domain listed on anti-spam lists?

Only if the mail server operator is either incompetent, or is so small that it is unlikely that they will ever receive a legitimate e-mail from your domain.

According to posts on news.admin.net-abuse.email, even the conservative spamhaus.org will eventually list I.P. addresses that bounce spam to forged addresses.

It is far more likely that the I.P. addresses of the mail servers that are bouncing the spam will get put on local and public blocking lists than the I.P. address of your domain.

Most medium to large mail servers pay a metered rate for their bandwidth, and accepting fake bounces or spam needlessly increases their operating costs. So if the only e-mail they have ever seen from an I.P. address is spam or fake bounces, many mail server operators that are paying for bandwidth out of their profits or pockets will block that I.P. address.

-John
wb8tyw <at> qsl.network
Personal Opinion Only

EDIT: Wazoo edited the above, based on jeff G's observation, a few newsgroup replies that pointed to the same situation, and John's later post;

A typo on my part, I meant to type now instead of not. In this case though it may not have been obvious.

-John
wb8tyw <at> qsl.network
Personal Opinion Only

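The two checks from the post above (did my own server relay this, and which server sent the delayed bounce), as an added Python example that is not part of the original thread or of SpamCop's tooling. The host names, the sample bounce and the function name `triage_bounce` are assumptions constructed for illustration.

```python
import email
from email import policy

OUR_MTAS = ("mail.example.org",)  # assumption: names our outbound servers stamp in Received:
# Constructed sample: a bounce for spam that forged onyx@example.org as the sender.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mx.bouncer.example
To: onyx@example.org
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.bouncer.example

Final-Recipient: rfc822; nobody@bouncer.example
Action: failed
Status: 5.1.1

--b1
Content-Type: text/rfc822-headers

Received: from pc (unknown [203.0.113.7]) by mx.bouncer.example; Tue, 3 May 2005 10:00:00 +0000
From: onyx@example.org
To: nobody@bouncer.example

--b1--
"""

def triage_bounce(raw, our_mtas=OUR_MTAS):
    """Return (misdirected, reporting_mta) for one delivery status notification."""
    dsn = email.message_from_string(raw, policy=policy.default)
    reporting_mta, original = None, None
    for part in dsn.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # The parser exposes each header block as a sub-message; the first is per-message.
            field = part.get_payload(0).get("Reporting-MTA", "")
            reporting_mta = field.split(";", 1)[-1].strip() or None
        elif ctype == "message/rfc822":
            original = part.get_payload(0)
        elif ctype == "text/rfc822-headers":
            original = email.message_from_string(part.get_payload(), policy=policy.default)
    if original is None:
        return None, reporting_mta  # no returned headers: cannot decide
    hops = [str(h).lower() for h in original.get_all("Received", [])]
    ours = any(name.lower() in hop for hop in hops for name in our_mtas)
    return (not ours), reporting_mta
```

A Received line naming your server is only a claim made in the returned headers, so confirm a `False` result against your own mail logs before treating it as a relay.
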
Jeff G. Posted May 3, 2005

> Such delayed bounces are not reportable by spamcop.net
> ...
> -John wb8tyw <at> qsl.network Personal Opinion Only

Yes, they are (now). Please see my UPDATE above in Linear Post #1.

Archived
This topic is now archived and is closed to further replies.