Spam Trap address forged resulting in FALSE listin


DaveReno

A spammer has used one of the SpamCop monitored spam trap addresses and that resulted in our mail server being falsely listed.

We have an aggressive spam system and in fact use SpamCop. Our system rejected the spam to the forged address.

How do we get removed? Previously this happened in May 2003 and we had an email address to report it and that no longer works.

Our ip is 65.207.108.31, there is no report ID listed to use the web based system.


When you rejected it, did you send it to the invalid "From" address?

Bouncing email back to the "From" address is a form of spamming because almost all spam has forged/invalid "From" addresses so you are sending them back to innocent victims which many feel is as bad as spamming.

You should never bounce mail back to the "From" address.

You might also like to see:

http://www.stop-spam.info/lookup.php?ip=65.207.108.31

You have hit their spamtraps and are listed as: Abusive/Unresponsive Host


> Our system rejected the spam to the forged address.

Please elaborate on "our system rejected the spam." If your system sent some sort of bounce message as an actual email, then you should change your system so that it doesn't do that. If your system rejected messages during the SMTP session, then your IP wouldn't be accused of sending mail to a SpamCop spamtrap.

Take a look at the Senderbase information on your outgoing email traffic:

http://www.senderbase.org/?searchBy=ipaddr...g=65.207.108.31

Under "Vol Change vs. Average," your server has had a 1125% increase over the last day! I suspect that if your server is not actually compromised, it's probably sending out a LOT of those pesky bounce messages, some of which went to spamtrap addresses. If that's true, reconfigure the server so that it doesn't send bounce emails.

DT

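The two behaviours contrasted above, as an added example in Python (not code from the thread, from SpamCop, or from the OP's Exchange sink): a recipient check made at RCPT TO returns 550 inside the session and never originates a bounce, while a filter that runs after acceptance has to send an NDR to whatever envelope sender the spammer forged. The domains and addresses are constructed sample data.

```python
"""Added example: in-session rejection versus accept-then-bounce (backscatter)."""
from dataclasses import dataclass

LOCAL_DOMAINS = {"example.com"}                                     # constructed
KNOWN_MAILBOXES = {"alice@example.com", "postmaster@example.com"}  # constructed


@dataclass
class Ndr:
    to: str           # where the bounce would be delivered (the envelope sender)
    failed_rcpt: str  # the recipient we could not deliver to


def rcpt_reply(rcpt: str) -> tuple[int, str]:
    """SMTP reply for one RCPT TO argument, decided while the session is open."""
    addr = rcpt.strip().strip("<>").lower()
    if addr.count("@") != 1 or not all(addr.split("@")):
        return 501, "5.1.3 Bad recipient address syntax"
    domain = addr.rsplit("@", 1)[1]
    if domain not in LOCAL_DOMAINS:
        return 550, "5.7.1 Relaying denied"
    if addr not in KNOWN_MAILBOXES:
        return 550, "5.1.1 User unknown"
    return 250, "2.1.5 Recipient OK"


def reject_in_session(mail_from: str, rcpts: list[str]) -> tuple[dict, list[Ndr]]:
    """Recommended behaviour: unknown users get 550 during SMTP, so the sending
    MTA owns any failure notice and this server never originates an NDR."""
    replies = {r: rcpt_reply(r) for r in rcpts}
    return replies, []


def accept_then_bounce(mail_from: str, rcpts: list[str]) -> tuple[dict, list[Ndr]]:
    """Behaviour of a post-session filter: every recipient is accepted with 250,
    the failures are found afterwards, and an NDR goes to mail_from, whoever that
    really is (a spam trap, an innocent third party, ...). The only safeguard
    left is never bouncing to the null sender <>, which is itself a bounce."""
    replies = {r: (250, "2.1.5 Recipient OK") for r in rcpts}
    sender = mail_from.strip().strip("<>")
    ndrs = [Ndr(to=sender, failed_rcpt=r) for r in rcpts
            if sender and rcpt_reply(r)[0] != 250]
    return replies, ndrs


if __name__ == "__main__":
    forged = "<trap@spamtrap.example>"  # constructed: a trap never sends mail
    for handler in (reject_in_session, accept_then_bounce):
        replies, ndrs = handler(forged, ["<nobody@example.com>"])
        print(handler.__name__, replies, [n.to for n in ndrs])
```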

Update: it turns out that the server admins at "StateAuto.com" are indeed sending bounces for undeliverable mail, instead of having their server reject the incoming message during the SMTP transaction. I sent a test message to a nonsense address "[at]stateauto.com" and received a

Subject: Delivery Status Notification (Failure) -- Unknown Recipient(s)

back from their Postmaster address. This confirms our previous suspicions, and so if the OP ever comes back to read the responses, he should change the configuration of his server so that it doesn't send bounces like this. Unfortunately, a server that sends bounces will send them willy-nilly to innocent third parties who didn't actually transmit email to the server, which is apparently how the server wound up sending to spamtrap addresses.

DT


Yes, I planned to come back; however, I thought I would receive an email when there was a reply, as I had checked that option, but I never got an email. I did check our logs and found no rejected email to me from here. Should the email notices of replies work for this forum? Below this form it confirms: "You are currently receiving email notification of replies."

Thank you to "David T" for using the web form to alert me.

Yes, we do send non-delivery reports back for spam and failed recipients in most cases, except for certain attachments (likely viruses) or matches on certain blackhole servers we trust to have very few false positives.

Our system is a custom-written SMTP event sink for Exchange and works after the SMTP session, so we cannot deny at that level. We have plans to work on a system to validate the sender using SPF or DNS before we reject, but have not yet implemented that.

We reject to the "reply-to" address if given, the from address if not.

If I could find the sample we sent I could research it further. Is there any way to find out the sample email, spam trap address, IP or anything such that I can find it in our logs and research it more?


We just received an email from an admin at SpamCop and will make a recommended revision that will let SpamCop identify our NDRs as automatic replies. I will work on that today. I also will step up the development of the ability to validate senders.

Thanks all for the replies, even if I didn't necessarily like them! ;-)


> We just received an email from an admin at SpamCop and will make a recommended revision that will let SpamCop identify our NDRs as automatic replies. I will work on that today. I also will step up the development of the ability to validate senders.
>
> Thanks all for the replies, even if I didn't necessarily like them! ;-)

A special thank you to you for posting the resolution.

Wazoo, could you consider updating the FAQ with this option for dealing with NDRs?

I am fairly confident that Admin would not like the actual procedure posted as they would probably want to confirm the validity of the replies first rather than giving spammers another tool to avoid spam traps; making it available on a case by case basis only.

But just knowing that there is an option would be helpful to some.

Note: previous text deleted due to reply from Admin.


As this is the first I've heard about it, I'm not sure what I could put in the FAQ. The "will make a revision" sure sounds like a construct being used, which also suggests that it would be easy to adapt .. so I'm wondering if this was meant to be exposed here at all? Note kicked to Deputies for some data on this.


> We just received an email from an admin at SpamCop and will make a recommended revision that will let SpamCop identify our NDRs as automatic replies

I can't believe a SpamCop admin would do this. They are not automatic replies; they are mechanized spam.

> We reject to the "reply-to" address if given, the from address if not.

This is still wrong.

You cannot tell if the addy is forged and it usually is.

You run a mail server like many of us, and we are tired of receiving notices of viruses that never came from our servers.

You should rethink your priorities.

Many admins consider NDRs sent to innocent victims as spam, and IMHO they are.


Just so there is no confusion...

All mail that hits our traps is fair game. Our traps don't send mail, so they shouldn't be getting any kind of delivery failure notices, autoresponder messages, or anything like that. Sending even a very small amount of mail to our traps virtually guarantees that a server will go on our blocking list.

We used to filter against bounces, but the spammers took to forging them more often, so we don't do that anymore.

The information I gave to the admin about his bounces was meant to help our *users* identify his NDRs and hopefully not report them. Unfortunately, I was not clear on that point and I misled him.

We do remove servers from our list when it's clear that the traffic causing the listing is a bounce, but that's the extent of our cooperation in the matter.

- Don -


Archived

This topic is now archived and is closed to further replies.