
Fake Bounces


sstarke


I am having a problem with "bounces" to user names (that I have never heard of) at my domains, who apparently tried to send an email to another person I have never heard of. These began to appear in my inbox when I set a catchall email forwarding address for each domain. I don't know whether a spammer is using my domain names and I am getting their bounces, or whether this is a new technique to send spam to me by getting me to read what I believe to be a bounce.

If spammers forge your domain name on their spam, do you get their bounces? Has anyone else had this problem, and does anyone know what to do about it?

Thank you!!


I am replying to my own post because I found an answer on "Spamlinks" and hope it helps someone else. The bounces are apparently the result of spammers forging my address as their "from" address. Spamlinks said:

When the "From" address in a spam is forged to that of a third party, bounces from non-existent addresses can flood the mailbox of the victim. If you use a spam filter that sends fake bounces, you are contributing to the flood of unwanted email, called backscatter that these people receive: stop it.

Examples of "from:" address forgery, while distressing to the victim, are far too numerous to list, unless they are unusually deliberate, persistent or damaging.


Ignored: How to use .... Instructions, Tutorials

System parts & Functions not fully explained under an existing Help menu / option .... Questions still needed to be asked about How to use/do something are to be posted into that function's Forum section.

Ignored: all links to the SpamCop FAQ

Ignored: "Search" functions/tools

It's nice that sstarke returned and provided his/her own answer that was found elsewhere .... just a bit amazed at the posting into the "Tutorials / Instructions" Forum section, the apparent lack of looking around "here" .... moving this to the Lounge area .... will / should eventually merge this into one of the many existing Topics on the same subject ....

don't we actually have a definition for a catch-all account?

Anyway, moving into a more appropriate Forum section with this post.

One entry in the SpamCop FAQ 'here' is found at;

Overview of SpamCop Services (currently under revision)

How does SpamCop reporting work?

Why am I Blocked?

Has your email been blocked? (ISP, Mailing List Admin, Advertiser)

SpamCop Blocking List - Am I listed?

SenderBase's "Magnitude" Explained

Why am I getting all these bounces? Updated!

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


These began to appear in my inbox when I set a catchall email forwarding address for each domain.

Another, better solution is to turn the catch-all forwarding back off. This is NOT a new problem and has made catch-all addresses virtually useless.



Another, better solution is to turn the catch-all forwarding back off. This is NOT a new problem and has made catch-all addresses virtually useless.

You're right - but the problem was new to ME! I'd never gotten a fake bounce before, had never heard of them, and suddenly my inbox was full of them.

The only problem with turning off the catch-all accounts, it seems, is that it would stop you from getting bounces but wouldn't stop the spammers from using your domain. At least the bounces alerted me to the fact that they were doing it. Now, I wish I could find a way to stop them!

By the way, Admin, I'm new to the forum too, and there's no need to be quite so hard on us newbies if we overlook something or put something in the wrong place. We will eventually learn, and everyone has to be a newbie sometime. :) (BTW, I'm a she.)

Blessings!


<snip>

By the way, Admin, I'm new to the forum too, and there's no need to be quite so hard on us newbies if we overlook something or put something in the wrong place. We will eventually learn, and everyone has to be a newbie sometime. :)

...Not to worry or fear, Wazoo (the Admin) was not being judgmental about you, personally. His post was just his way of giving you (and other "newbies") the benefit of his knowledge of how to decide where to post and the contents of this Forum and how you might go about finding what you need. You might even be able to apply such knowledge in other areas (especially web-based information).

...Not to worry or fear, Wazoo (the Admin) was not being judgmental about you, personally. His post was just his way of giving you (and other "newbies") the benefit of his knowledge of how to decide where to post and the contents of this Forum and how you might go about finding what you need. You might even be able to apply such knowledge in other areas (especially web-based information).

Thank you! :)

I just figured out something that might be useful if the IP address given in the bounce is the spammer's real one. Since the bounces give the IP address of the sender, I just forwarded one (I get them only rarely now) to spam[at]uce.gov. (If this isn't the best place to forward them, surely you can tell us what is!) Maybe we should all turn our catchall accounts back ON and use them to catch spammers!

I said in my second post that I didn't just want to stop getting bounces, I wanted to stop spammers from using my domain. Maybe this is one way to at least stop the ones we know about.

Blessings!


If you read about spamcop, you will find that you can report 'misdirected bounces' thru spamcop - not the spam, but the email bounce that you got. That alerts server admins who are behind the times to stop using the forged return path.

There is no way to stop the spammer from using your domain name. Some domain owners post an explanation on their website for those who don't know about forged return addresses.

Blocklists, and there are lots of them, are used by server admins to block known spam sources. If all server admins used them, then very little spam would be received by people. Blocklists that reject at the server level are very different from content filters that have to receive the email to determine that is spam.

I would encourage you to read the articles posted here about email and spam and how spamcop works.

Miss Betsy



:unsure: I have a similar situation as that of sstarke. I just received a bounce notice for mail I know I did not send. The DNS is a reserved name "example.com"

How would using my address line assist anyone when mailing to an address that is sure to bounce?


:unsure: I have a similar situation as that of sstarke. I just received a bounce notice for mail I know I did not send. The DNS is a reserved name "example.com"

How would using my address line assist anyone when mailing to an address that is sure to bounce?

I believe that the usual reason for spammers using forged from-addresses is it helps them to get mail delivered to mail hosts that demand to see a realistic looking return-path address. If they used a fake domain, or a malformed return path, then these hosts might reject their mail.

As for the address being "sure to bounce," spammers send millions upon millions of messages, and usually don't care should some of them bounce.

I am developing a new page in the SpamCop Wiki that attempts to explain this behavior.

By the way, what do you mean by "the DNS is a reserved name example.com?" I don't follow you. If you mean that the message was sent to an e-mail address in the example.com domain, then, yes, this domain is reserved and presumably can't have working e-mail addresses. That doesn't stop spammers from trying to mail to them anyway.

-- rick


How would using my address line assist anyone when mailing to an address that is sure to bounce?

You are showing that you've not looked around much. FAQ entries 'here' galore on things like this, thousands of previous discussions that shoot all over this type of question.

First of all, no one here is going to try to explain the mind of a spammer.

Easiest and most obvious answer to your specific question is .... "What Bounce?" Spammer-for-hire shows his/her log files with millions of e-mails sent. Using "your" address in the From: line ensures that his/her server will not see any of those Bounces, so when making his/her claim to get paid, it looks like all the e-mail went out/through.

Another viewpoint, of those that went through, probably 90%+ of the recipients still think that "you" sent it.

I invite you to peruse the data and facts that already exist in abundance 'here' ...


By the way, what do you mean by "the DNS is a reserved name example.com?" I don't follow you. If you mean that the message was sent to an e-mail address in the example.com domain, then, yes, this domain is reserved and presumably can't have working e-mail addresses. That doesn't stop spammers from trying to mail to them anyway.

A number of first and second tier DNSs are reserved by agreement to never be available to allow for testing and such so as not to be using a DNS that might one day be registered and then be confusing. example.com, example.net, and example.org are among them.

Choosing to send to these are what is confusing to me. Unless it is just a dictionary assault, I can't understand why the guy would have deliberately chosen it.

Moderator Edit: deleted the second copy of 'everything' included in this Post. While doing that, I also deleted the content of the quoted post that wasn't being replied to .. an action described in the Forum FAQ here ...


...Choosing to send to these are what is confusing to me. Unless it is just a dictionary assault, I can't understand why the guy would have deliberately chosen it. ...
The selection of address is not deliberate. Someone sold a spammer a list with some dud target addresses. It happens. Or someone, somewhere, is working through a Telnet tutorial. There's no MX for example.com, which doesn't prevent anyone's provider from forwarding it, breaking the SMTP chain. I'm not sure how far it gets or how long it takes before a relaying server decides it's "no go". And I should think it far from assured that the final server will then attempt a return to the From: or Reply-to: address (though it seems many do interpret the rfcs to mean that they are obliged to). You got one. Goodness knows how many you didn't get. spam is (almost always) impersonal, and mass produced and disseminated at the lowest available cost/effort. You can't think about it the way you do about real mail.

A number of first and second tier DNSs are reserved by agreement to never be available to allow for testing and such so as not to be using a DNS that might one day be registered and then be confusing. example.com, example.net, and example.org are among them.

Choosing to send to these are what is confusing to me. Unless it is just a dictionary assault, I can't understand why the guy would have deliberately chosen it.

Thanks for the clarification. I was confused by your use of the term "DNS" where others would use "domain name." And, yes, I was aware that the domain names "example.*" are reserved. In the usual direct-to-MX technique spammers use, the message delivery to such a domain should have failed (for lack of an MX) and there would have been no bounce. However, if the spammer is using an open SMTP relay (i.e., not direct-to-MX), then very likely this relay would send an immediate bounce to the return-path (that's you).

Following up on what Farelf says: to say that a spammer "chooses" to send to a particular e-mail address is like saying that a steamroller "chooses" to run over a particular pebble. If your "business" depends upon an abysmally small response rate per spam run, and if your spam run is perforce in the millions of addresses, then you simply don't care about all the messages that are undeliverable. If you've used a forged return-path, you don't even have to worry about getting the bounces (and you can imagine what might happen to a spammer's own inbox if he actually did get all the bounces that were coming to him).

Following up on what Wazoo says, it is hard to read the minds of spammers. Usually what they do makes technical sense (at least from their point of view), but often (actually very often) they do things that are stupid and illogical. That's why they are spammers and not CEOs of multibillion dollar internet advertising agencies.

-- rick


By the way, what do you mean by "the DNS is a reserved name example.com?" I don't follow you. If you mean that the message was sent to an e-mail address in the example.com domain, then, yes, this domain is reserved and presumably can't have working e-mail addresses. That doesn't stop spammers from trying to mail to them anyway.

A number of first and second tier DNSs are reserved by agreement to never be available to allow for testing and such so as not to be using a DNS that might one day be registered and then be confusing. example.com, example.net, and example.org are among them.

Choosing to send to these are what is confusing to me. Unless it is just a dictionary assault, I can't understand why the guy would have deliberately chosen it.

Moderator Edit: As was done in the Linear Post #13 above, duplicated content removed, quoted content not replied to edited out - again, as per the Forum FAQ


...Choosing to send to these are what is confusing to me. Unless it is just a dictionary assault, I can't understand why the guy would have deliberately chosen it.
As I responded 12 hours previously:
The selection of address is not deliberate. Someone sold a spammer a list with some dud target addresses. It happens. ... spam is (almost always) impersonal, and mass produced and disseminated at the lowest available cost/effort. You can't think about it the way you do about real mail.
Or maybe you don't accept any of that?

Posting the same unedited quoted material, the same reply data, the same text repeatedly isn't going to fly. Totally ignoring that those previous posts were "Moderated and edited" and simply re-posting the same content (wondering why one would have saved the complete post to begin with) .. in this case three times .. is not going to fly.


I believe that the usual reason for spammers using forged from-addresses is it helps them to get mail delivered to mail hosts that demand to see a realistic looking return-path address. If they used a fake domain, or a malformed return path, then these hosts might reject their mail.

As for the address being "sure to bounce," spammers send millions upon millions of messages, and usually don't care should some of them bounce.

I am developing a new page in the SpamCop Wiki that attempts to explain this behavior.

By the way, what do you mean by "the DNS is a reserved name example.com?" I don't follow you. If you mean that the message was sent to an e-mail address in the example.com domain, then, yes, this domain is reserved and presumably can't have working e-mail addresses. That doesn't stop spammers from trying to mail to them anyway.

-- rick

A number of first and second tier DNSs are reserved by agreement to never be available to allow for testing and such so as not to be using a DNS that might one day be registered and then be confusing. example.com, example.net, and example.org are among them.

Choosing to send to these are what is confusing to me. Unless it is just a dictionary assault, I can't understand why the guy would have deliberately chosen it.


Of "academic interest", perhaps. Message to example.com from our corporate server took 3 days (and 1 hour) to bounce - the NDN coming from our provider, no evidence it ever left the provider's network.

Final-Recipient: rfc822;test[at]example.com
Action: failed
Status: 5.0.0 (permanent failure)
Diagnostic-Code: smtp; 5.4.7 - Delivery expired (message too old) 'timeout' (delivery attempts: 0)
Reporting-MTA: dns; icp-qv1-irony-out2.iinet.net.au

So, as Rick mentioned "using an open SMTP relay" seems likely to be the only way to pull off the To: address of x [at]example.com - apart from a straight-forward counterfeit bounce of course. In any event, deliberate choice of the address seems a lesser probability than the dirty list explanation.
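The delivery-status fields quoted above are what a domain owner actually has to work with when a "bounce" lands in a catch-all mailbox. The following is an added example, not SpamCop's code or anything posted in this thread: it parses a bounce in the RFC 3464 layout (Reporting-MTA, Final-Recipient, Action, Status, Diagnostic-Code plus the returned copy of the original message) and applies the two checks this thread circles around. If the original message claims a From: in one of our domains but its Received: chain never touches one of our own outbound hosts, it is backscatter for a forged sender, exactly the situation sstarke described; if the "bounce" itself carries a non-null Return-Path, it is not a real DSN at all and is more likely spam dressed up as one. The sample bounce is constructed around the field values quoted in the thread; victim.example, mail.victim.example, provider.example, isp.example and the addresses in them are placeholders.

```python
"""Triage an e-mail bounce (DSN, RFC 3464 layout) and decide whether it is backscatter.

Added example for this thread, not SpamCop's code. victim.example, mail.victim.example,
provider.example and isp.example are placeholders; the delivery-status field values
are the ones quoted in the thread.
"""
import email
import re
from dataclasses import dataclass
from email.message import Message
from typing import Dict, List, Optional

# Constructed: the domains we own and the hosts that legitimately relay mail for them.
OUR_DOMAINS = {"victim.example"}
OUR_OUTBOUND_HOSTS = {"mail.victim.example"}

# Constructed sample bounce. The returned original message claims From: our domain but
# was injected from an access pool, which is the backscatter pattern discussed above.
SAMPLE_BOUNCE = """\
Return-Path: <>
Received: from icp-qv1-irony-out2.iinet.net.au by mx.victim.example with ESMTP
From: Mail Delivery System <postmaster@provider.example>
To: owner@victim.example
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain; charset=us-ascii

Your message to test@example.com could not be delivered.

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; icp-qv1-irony-out2.iinet.net.au

Final-Recipient: rfc822;test@example.com
Action: failed
Status: 5.0.0 (permanent failure)
Diagnostic-Code: smtp; 5.4.7 - Delivery expired (message too old) 'timeout' (delivery attempts: 0)

--B1
Content-Type: message/rfc822

Received: from unknown (HELO dsl-pool.isp.example) ([203.0.113.45]) by relay.provider.example
From: "Sales" <offers@victim.example>
To: test@example.com
Subject: special offer
Message-ID: <20050101.1234@dsl-pool.isp.example>

buy now
--B1--
"""


@dataclass
class BounceVerdict:
    verdict: str                      # backscatter | genuine | fake-bounce | unknown
    reason: str
    recipient: Optional[str] = None   # Final-Recipient without the "rfc822;" prefix
    status: Optional[str] = None      # enhanced status code, e.g. 5.0.0
    reporting_mta: Optional[str] = None


def _dsn_blocks(part: Message) -> List[Dict[str, str]]:
    """Header blocks of a message/delivery-status part: [per-message, per-recipient, ...]."""
    payload = part.get_payload()
    if isinstance(payload, list):  # the email package already split the blocks
        return [dict(block.items()) for block in payload]
    chunks = re.split(r"\r?\n\s*\r?\n", str(payload).strip())  # fallback: split on blank lines
    return [dict(email.message_from_string(chunk + "\n").items()) for chunk in chunks]


def _addr_domain(header_value: str) -> str:
    """Lower-cased domain of the first address in a header value ('' if none)."""
    match = re.search(r"[\w.+-]+@([\w.-]+)", header_value or "")
    return match.group(1).lower() if match else ""


def _received_hosts(original: Message) -> set:
    """Hosts named in 'Received: from ...' headers of the returned original message."""
    hosts = set()
    for value in original.get_all("Received", []):
        match = re.match(r"\s*from\s+([\w.-]+)", value)
        if match:
            hosts.add(match.group(1).lower())
    return hosts


def triage_bounce(raw: str) -> BounceVerdict:
    """Parse a bounce and say whether it is backscatter, genuine, or not a real DSN."""
    msg = email.message_from_string(raw)
    blocks: List[Dict[str, str]] = []
    original: Optional[Message] = None
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            blocks = _dsn_blocks(part)
        elif ctype in ("message/rfc822", "text/rfc822-headers"):
            payload = part.get_payload()
            original = payload[0] if isinstance(payload, list) else email.message_from_string(str(payload))
    if not blocks:
        return BounceVerdict("unknown", "no message/delivery-status part")
    per_msg, per_rcpt = blocks[0], (blocks[1] if len(blocks) > 1 else {})
    recipient = re.sub(r"^\s*rfc822;\s*", "", per_rcpt.get("Final-Recipient", ""), flags=re.I) or None
    status = (per_rcpt.get("Status", "").split() or [None])[0]
    mta = re.sub(r"^\s*dns;\s*", "", per_msg.get("Reporting-MTA", ""), flags=re.I) or None
    # A real DSN is sent with the null reverse path; a "bounce" that is replyable is suspect.
    return_path = (msg.get("Return-Path") or "").strip()
    if return_path and return_path != "<>":
        return BounceVerdict("fake-bounce", f"DSN carries non-null Return-Path {return_path}", recipient, status, mta)
    if original is None:
        return BounceVerdict("unknown", "no copy of the original message to check", recipient, status, mta)
    claimed = _addr_domain(original.get("From", ""))
    if claimed not in OUR_DOMAINS:
        return BounceVerdict("unknown", f"original From domain {claimed!r} is not ours", recipient, status, mta)
    if _received_hosts(original) & OUR_OUTBOUND_HOSTS:
        return BounceVerdict("genuine", "original was relayed through one of our outbound hosts", recipient, status, mta)
    return BounceVerdict("backscatter", f"original claims From {claimed} but never passed our outbound hosts",
                         recipient, status, mta)
```

Run `triage_bounce(SAMPLE_BOUNCE)` and the verdict is `backscatter`, with the recipient, status code and reporting MTA pulled from the delivery-status block. The Received: check is deliberately conservative: it only says "genuine" when the returned copy of the message shows a hop through a host we operate, so a bounce whose original message lacks the returned headers comes back as "unknown" rather than being trusted.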
