FAQ Entry: Misdirected Bounces/Backscatter Q&A


Starter post ... John provided a great response to a question over in the newsgroups. Miss Betsy took that response and turned it into this Question/Answer format. A bit later, Miss Betsy posted this into the newsgroup area as a "regularly posted FAQ item" .... and the storm began .... questions were too rude, answers weren't exactly right, the sun was blotting out the moon, on and on ... I copied this from the Topic she first posted this to and dropped it here ... looking for other input on editing before linking it into the Forum FAQ .... and with the goal in mind that if/when Miss Betsy posts it again, there won't be any more discord .... (we actually still aren't over all the fallout & changes in the "Why am I Blocked?" item after she started posting that in the newsgroups!)


You might find this answer of John's to be helpful (someone in the newsgroup did) to understand and be able to explain to your ISP why backscatter is not good.

I have added the Q's and A's

Misdirected Bounces/Backscatter Q&A

Q: We do require from our email server to auto-reply to undeliverable emails due to the business requiremnents. Our clients and partners do require notification should email not reach the intended recipient.

A: The SMTP protocol does not guarantee notifications will be made of delivery success or failure. If your mail server does not respond or issues an SMTP reject for undeliverable e-mail, then if the sender's mail server is set up correctly they will get notified by their mail server that it could not deliver the message.

Your auto-replies to spam or viruses are effectively a denial of service attack on the owners of domains that the spammers are forging.

Q: My company can loose money, if our email servers aren't doing this. This is RFC822 compliant and SpamCop should not arbitrarily change the RFC.

A: The RFCs may permit such bouncing, but that method is no longer acceptable to much of the internet. Even the very conservative spamhaus.org is now starting to list mail servers that are so abusive when they do not stop it after receiving complaints.

And the spamhaus.org service is far more widely used than spamcop.net.

I know of at least two large U.S. ISPs that will quicly put a local block on your IP address if any of their users complain about backscatter from it. It seems to take a lot more hoops to get off of those ISP's local blocking lists than spamcop.net and it seems that it is extremely easy to get on them, and no way to tell until your e-mail is rejected that you are even on their local list.

The RFCs are guidelines. The bounce part of the protocol was designed when most e-mail went through one or more unknown third-party relays before it reached the destination mail server. The end system would issue a reject, and the intermediate relay systems would generate the bounce message.

As the internet facing mail server of a company is the destination, and not an independent third party relay, it should be able to check if the e-mail is deliverable or not before accepting it, and issue the SMTP rejection.

Even independent third party relays are now probing the destination server for delivery before they accept a mail for relay, and will reject it if they can not get an assurance that the destination will accept the mail.

Q: The worst is that in the US anyone is considered innocent until proven guilty. The exception is SpamCop where they pronounce you guilty and then you have to jump through loops to prove that you are not guilty.

A: While your operation may pay a fixed rate for your e-mail systems, for large operations, they have to pay a metered rate.

Accepting your backscatter to forged addresses greatly increases the costs of operating a mail server that is on a metered rate connection. The faster that a source of spam, virus or backscatter can be identified, the less money is needlessly spent on bandwidth. Why should my mail server operators pay two to three times as much per month so that your mail server can auto reply to forged addresses instead of using SMTP rejections?

Q: [There is] Marginal effect at best to the spam emails. SpamCop's action does hurt legitimate businesses and does nothing to the spammers.

Spamcop.net makes them switch more often, and network operators with a clue use the spamcop.net reports to quickly remove zombies from their networks because they know that every second that the zombie is on their network it is needlessly costing them operating cash.

There are people and companies that have lost the use of their e-mail addresses because the volume of abusive bounces was so high that either their individual mail quota was used up, or their bandwidth or mail server was not up to the capacity.

It is particularly a problem for some domains that people think do not exist, so use them for posting to avoid spam themselves.

The best known example of that is TEST.COM; they made the national news when the bounces from abusive mail servers effectively wiped out their mail server.

HERE.COM does not seem to have an I.P. address assigned to it at the moment, but google shows over 100,000 hits on the e-mail address you used for posting, which means that if the owner of that domain actually were to try to use it for e-mail, the backscatter from the viruses and spam would likely overload their connection or server.

Is that fair to the legitimate owner of a domain? A domain that otherwise would have great marketing value?

Q: Just for your knowledge most, if not all, cable service providers issue DHCP IPs for their subscribers. Should I shut down my cable modem, then the next time I'll have a different IP address. That IP might already be on the SpamCop BL despite the fact that I have nothing to do with the previous history of the IP address currently assigned to me.

A: If your brand new DHCP address was already listed with spamcop.net, or any DHCP addresses on your subnet are listed with spamcop.net, it likely means that there is a computer on your cable modem leg that is compromised and controlled by a zombie.

Since the spammmers will be periodically pushing as much spam through it as your ISP's network capacity can handle, the compromised computer is likely causing noticable slowdowns if not complete outages for you and your neighbors.

I did an experiment last year on a forum where people were complaining about outages and severe slow downs on their cable modems. In every case a search using google revealed the IP address of one or more compromized system in their area, and since the people that post such evidence publically also ususally send notifications to the abuse or postmaster addresses, the ISP should have been aware of what it took to fix the problem for days before they started issuing refunds or credits to the affected users.

The problem was that the ISP was giving the owners of the infected machines 5 business days to fix their machine before cutting them off, without realizing all the damage and costs those infected machines were causing them.

Almost all mail server operators now use blocking lists that list DHCP addresses. A spamcop.net listing of a DHCP address would probably not be noticed as the DHCP blocking lists are in far more common use than spamcop.net.

Q: If spam fighting is a war, then we are loosing judging by the percentage of spam increase on my spam filtering server at work since last year.

A: It is only the people whose mail server operators do not know how to keep spam out that are losing the battle.



Personal Opinion Only
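The difference between rejecting at RCPT TO and accepting-then-bouncing, from the answer above, modelled as an added example (not code from the original post or from SpamCop). The server, domain names, mailbox list and spam burst are all constructed for the illustration; the only real parts are the SMTP reply codes.

```python
from dataclasses import dataclass, field


@dataclass
class DestinationServer:
    """Toy internet-facing mail server for one domain (constructed example)."""
    domain: str
    mailboxes: set

    def rcpt_to(self, address: str) -> str:
        """SMTP reply to RCPT TO: 250 for a known mailbox, permanent 5xx otherwise."""
        local, _, domain = address.rpartition("@")
        if domain.lower() != self.domain:
            return "554 5.7.1 Relay access denied"
        if local.lower() in self.mailboxes:
            return "250 2.1.5 OK"
        return "550 5.1.1 User unknown"


@dataclass
class Mailbox:
    """Inbox of the innocent address that the spammer forged as MAIL FROM."""
    received: list = field(default_factory=list)


def accept_then_bounce(server, mail_from, rcpt_to, forged_victim):
    """Backscatter policy: answer 250 to everything, then mail a DSN to MAIL FROM."""
    reply = server.rcpt_to(rcpt_to)
    if not reply.startswith("250"):
        # The sending MTA has already been told 250, so the only address left
        # to notify is MAIL FROM, which for spam and viruses is usually forged.
        forged_victim.received.append(f"DSN for <{rcpt_to}>: {reply}")
    return "250 2.1.5 OK"


def reject_at_smtp(server, mail_from, rcpt_to, forged_victim):
    """Correct policy: answer RCPT TO honestly; the sending MTA owns any notification."""
    return server.rcpt_to(rcpt_to)


def run_spam_burst(policy, n=1000):
    """Deliver n spam messages to nonexistent users, all forged from one victim address.

    Returns (DSNs the victim receives, SMTP rejects the real sender sees)."""
    server = DestinationServer("company.example", {"sales", "support"})
    victim = Mailbox()
    rejects = 0
    for i in range(n):
        reply = policy(server, "user@victim.example", f"nobody{i}@company.example", victim)
        rejects += reply.startswith("5")
    return len(victim.received), rejects
```

Under the bounce policy every one of the forged messages turns into a DSN aimed at the victim domain; under SMTP-time rejection the victim receives nothing and the cost stays with whoever actually sent the mail.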

Enter Jeff G., wearing his "copy editor", "semanticist", and "pedanticist" hats...

I like the Q&A, but I have some quibbles regarding spelling and capitalization, as follows:

The attribution at top and bottom should probably change to a revision history, and "I" should probably be noted as referring to John.

"requiremnents" should probably change to "requirements".

"loose" should probably change to "lose", and "loosing" to "losing".

"quicly" should probably change to "quickly".

All references to "Spamcop" should probably change to "SpamCop", and all references to "spamcop.net" should probably change to "SpamCop.Net".

"google" should probably change to "Google" (multiple instances).

"DHCP IPs" should probably change to "DHCP IP Addresses", and "That IP might" should probably change to "That IP Address might".

"spammmers" should probably change to "spammers".

"noticable" should probably change to "noticeable".

"compromized" should probably change to "compromised".

"publically" should probably change to "publicly".

"ususally" should probably change to "usually".

That would work, too. I thought we were going for "General Q's" rather than "One PO'd Admin's Q's". Of course, if y'all want to keep leaning towards "One PO'd Admin's Q's", giving that Admin credit for its [lack of] writing skill would help. :)
