Looks like a faked mail delivery failure message


MyNameHere
Hi.

At the risk of repeating something that already has been discussed...

I just got what looks like a spam message entitled "Returned Mail:Error During Delivery." When I forwarded it to the reporting URL, it was parsed as coming from my work mail server (i.e., where it was allegedly sent from when it "failed.") However, looking at the mail source, it looks to me like someone just cleverly forged a mail delivery failure. Or is there a PC at work that is a 'bot?

Tracking URL: http://www.spamcop.net/sc?id=z1749577119z9...1b8519dd6d9a8dz

:huh:


I just got what looks like a spam message entitled "Returned Mail:Error During Delivery." When I forwarded it to the reporting URL, it was parsed as coming from my work mail server (i.e., where it was allegedly sent from when it "failed.") However, looking at the mail source, it looks to me like someone just cleverly forged a mail delivery failure. Or is there a PC at work that is a 'bot?

To my eyes, there are a number of possibilities involved here ... but the 'cleverly forged' scenario you are trying to suggest wouldn't be one of them.

The part of your submittal that was parsed was the actual header section of the e-mail 'created' by your own system/software ... note the single Received: line.

The actual spam/rejection notice that you were wanting to report was not provided to the SpamCop.net parser in a 'correct' format .... specifically the ages-old issue of 'in-line' as compared to 'attachment' .....


The actual spam/rejection notice that you were wanting to report was not provided to the SpamCop.net parser in a 'correct' format .... specifically the ages-old issue of 'in-line' as compared to 'attachment' .....

Now that I look at it again, there was a spam message that appears to be the same as the "undeliverable" portion of the bounce message (identical message id), and it arrived a few seconds before the bounce message. The spam message (in Outlook) indicates it was from me, but my address does not appear anywhere in the raw message text.

So it appears that I received a spam message from myself and then a few seconds later received a message saying the spam message had bounced.

I checked what happens when I send an e-mail from my SpamCop address using an "identity" that is my work address, to a nonexistent address at work. (Did that make sense? I have a SpamCop identity that uses my work address and I used it to send a message to a nonexistent address at my workplace. So I have sent a message with a "forged" sender -- sort of.)

What happens is, the mail server sends the "Error During Delivery" message to my work address and for some reason the junk filter puts it in my junk e-mail folder.

I think what this means is the spammer sent the spam message with my work address as the "sender" and one of the recipient addresses was bad, so I got the bounce and it ended up in my junk mail because of some bogus junk mail filtering process.

Does that make sense?


<snip>

I checked what happens when I send an e-mail from my SpamCop address using an "identity" that is my work address, to a nonexistent address at work. (Did that make sense? I have a SpamCop identity that uses my work address and I used it to send a message to a nonexistent address at my workplace. So I have sent a message with a "forged" sender -- sort of.)

What happens is, the mail server sends the "Error During Delivery" message to my work address and for some reason the junk filter puts it in my junk e-mail folder.

I think what this means is the spammer sent the spam message with my work address as the "sender" and one of the recipient addresses was bad, so I got the bounce and it ended up in my junk mail because of some bogus junk mail filtering process.

Does that make sense?

...Yes, it does! It sounds like a misdirected bounce to me. You need to educate the administrators of your outgoing e-mail system, if I am understanding the situation correctly.

...On another subject: your topic subtitle includes the word "spam" in all capitals. "spam" is a trademark of Hormel Corporation, so please do not use it here to refer to unsolicited e-mail (spam). Please see "spam and the Internet," especially the third paragraph. Thanks for complying with Hormel's polite request! :) <g> I am taking the liberty of changing that part of your topic title.

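The diagnosis above (a bounce that returns mail you never sent, carrying the same Message-ID as a spam that arrived moments earlier) can be checked mechanically. This is an added example, not code from the thread or from SpamCop: it parses a constructed multipart/report bounce and asks whether the returned original ever passed through our own outbound relay (the relay hostname and all addresses are assumed values).

```python
from email import message_from_string
from email.message import Message

# Hostname of the relay that sends our outbound mail (assumed value).
OUR_RELAY = "mail.example-work.com"

# Constructed multipart/report bounce, trimmed to the part that matters
# and modelled on the "Returned Mail: Error During Delivery" message
# above: the original was injected from an unrelated host with our
# address forged in From:.
BOUNCE = """\
From: MAILER-DAEMON@mx.remote.example
To: me@example-work.com
Subject: Returned Mail: Error During Delivery
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: message/rfc822

Received: from unknown (unknown [198.51.100.23]) by mx.remote.example
From: me@example-work.com
To: nobody@remote.example
Message-ID: <run1234@198.51.100.23>
Subject: Cheap pills

buy now
--B--
"""

def returned_original(bounce: Message):
    """Return the message/rfc822 part (the bounced original), or None."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def is_backscatter(raw_bounce: str, relay: str = OUR_RELAY) -> bool:
    """True when the bounced original never passed through our relay,
    i.e. the bounce answers mail sent with our address forged.
    Substring matching on Received: is crude but enough for a triage."""
    orig = returned_original(message_from_string(raw_bounce))
    if orig is None:
        return False  # no original attached; headers cannot decide
    return not any(relay in hop for hop in orig.get_all("Received", []))

def original_message_id(raw_bounce: str):
    """Message-ID of the bounced original, to match against spam already
    received (the thread notes the bounce repeated a spam's Message-ID)."""
    orig = returned_original(message_from_string(raw_bounce))
    return orig["Message-ID"] if orig else None
```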

Hi there,

I am still cleaning up after a massive (2,000+) "Undelivered"s hit my email in box. :angry:

One of my email addresses had been forged onto someone's daily spam output and I was the (un)happy recipient of all the fallout!

I had to burn that email address and open new ones.

It took some time before I started getting proper emails back again as I had been blocked on a number of routes for being a "Spammer".

I am trying to get interest in having the "From:" hardwired into the email from the computer / sender who actually generates the email but, so far, no one has seemed too worried as they "know all about the problem".

Regards

Mike


I am trying to get interest in having the "From:" hardwired into the email from the computer / sender who actually generates the email but, so far, no one has seemed too worried as they "know all about the problem".

You will have to prove your case a bit more as I have never heard of ANY blocklist that uses the (often) forged sender email address as basis for a listing. Provide your proof please. That would include the bounce messages and the IP address of your mail server.

Also, after 2000+ bounces, it is quite possible you were near the end of the spam run using your old address. Recently at work a couple of different addresses have had this problem, each collecting about 200 bounces before tailing off.


You will have to prove your case a bit more as I have never heard of ANY blocklist that uses the (often) forged sender email address as basis for a listing. Provide your proof please. That would include the bounce messages and the IP address of your mail server.

Hi there,

I had my mail {at}sussexkarate.com used by a spammer.

This is a divert through our website on UK2.

The ntl/Virgin is at 81.99.151.96

It seems that it was Virgin/ntl who spotted the misuse and/or my mail box was filled up.

Either way I was not getting any proper emails through and it was very sporadic for the next 24 hours.

The plain address at ntl was OK, it was those diverted via UK2 which appeared blocked.

Even after I removed the mikes{at} from the divert list.

I called Virgin and sent them an on-line form and after that it was OK.

I did not save any of the offending emails.

I clear emails through MailWash before I let them onto Outlook.

(It's OK my son has already told me that I am being lazy using Outlook!)

Just noticed that info{at}combat-karate.com has started to be used so I have burned that one too.

I may not be techie enough to understand, but why the hell isn't a proper "From:" hardwired into the email? (Even [especially?] if that is a zombie box.)

Yes, you can add all the "Pls reply to" you like but, if it is a pure bounce, surely it MUST go back to the REAL "From:"!

BTW

Is SpamCop working at its limit?

I only ask because when I am reporting emails I often have a "server refused" - the "Blue notice" - after a few (approx 10) have gone through and I have to wait for a while until I can continue sending. This is especially between 8 and 9 in the morning but it can happen at any time.

Regards

Mike


This is my non-technically fluent explanation:

Back when the internet was new and everyone was trusted, it was common to accept email and, if it could not be delivered, return it to the FROM or return-path. This was convenient because one could put whatever address one wanted in the FROM or return-path so one could send an email from work and receive the reply at home, for instance. The way that one did this was to put a different return address in the email client.

And, because it is too difficult to change the basic design of email, this method is still possible. If one signs up for a news group, for instance, one can put a different address in the FROM so that one's address is not harvested.

However, once the spammers started to operate, they soon discovered that they could 'forge' an email address in their spam runs and avoid getting 'bounces' from bad addresses or irate people who didn't want spam or people who use programs like Mailwasher to 'bounce' the email back to the spammer. Now it is routine for them to forge the return path as well as the FROM (which can be any sender name like the ones that spell Viagra twenty different ways).

Once receivers of spam started getting 'bounces' they found that it was just as irritating as getting spam. Sometimes it was even more so, since they could get a lot of 'bounces' as you did, making their email almost unusable during the spam run. Even official spamcop argued against reporting these 'bounces' because of the usefulness to many of legitimately changing the return-path. But finally, major ISPs decided that accepting email and bouncing it was causing more people to be spammed by the 'bounces' and started using an alternative 'return to sender' method - or rigorously filtering incoming mail for spam before sending an email to the return-path. Blocklists, including spamcop, now will list those who use the old 'bounce' method or allow NDRs to be sent to email that has been accepted for delivery without making sure that it is legitimate email.

The alternative is to reject the email at the server level. At the server level, before the Data part of the email is accepted, the servers communicate by code. The accepting server knows the IP address of the sending server, but that is all - it doesn't know what the subject of the email is or the exact email address the email is coming from without additional hardware (because, I think, it takes longer to go through the process and so they need more hardware to keep up normal delivery times). Anyway, they can tell from comparing the IP address with various blocklists whether this IP address sends spam and can reject the email, send it back to the source IP address, with a code that the sender server converts into an email and sends to the user saying the email has been rejected for whatever reasons (there are numerous codes). They can also tell whether they have that email address or not, I believe, but that takes longer or requires more equipment.

On the receiver end, server admins have had to turn off their 'catch-all' functions because the spammers are now sending spam to every user name they can think of plus every user name they have ever harvested plus the domain name.

There have been several attempts to 'register' IP addresses so that servers know that this IP address can be trusted to not send spam, but it is very difficult to do because of the millions of servers out there - as you know, not all of them have heard that it is not a good idea to accept email and send an NDR to the return path. Most of the 'registration' attempts require a fee so that there is leverage if the IP address does send spam so that even fewer server admins will 'register' - only those who are running an email service.

If an email is sent from an infected computer that normally does not send email, and the email is rejected at the server level, there is no place for it to 'go back' to since the sending computer doesn't have any way to 'talk' to the receiving server. Therefore the email is just 'dropped' or ceases to exist. I would imagine that most server admins use the blocklist that lists infected computers so they don't even bother to try to 'reject'.

Individuals who run their own mail servers can block all the IP addresses of China, Brazil, and Russia since they do not have email correspondents in those countries. So can users of Mailwasher.

And, I do hope that you are not using the 'bounce' function of Mailwasher. If you are, then you are sending hundreds of spam to completely innocent people who never sent it.

HTH,

Miss Betsy

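The contrast Miss Betsy draws, rejecting during the SMTP conversation versus accepting and bouncing afterwards, is easiest to see as a small simulation. This is an added example, not code from the thread or from any real mail server: the blocklist, mailbox list, domain and addresses are all constructed, and the receiving side is reduced to the reply codes it would send and the bounces it would later generate.

```python
# Constructed policy data (assumed values, not from the thread).
BLOCKLIST = {"203.0.113.7"}          # IPs a DNS blocklist says send spam
LOCAL_USERS = {"alice", "bob"}       # mailboxes that exist on this server
DOMAIN = "example-work.com"

def smtp_session(client_ip, mail_from, rcpt_to, reject_early=True):
    """Simulate one inbound SMTP transaction as the receiving server.

    Returns (replies, backscatter): the reply codes sent to the client,
    and the addresses a bounce would later be mailed to. With
    reject_early=True the server answers before DATA, so nothing is
    accepted and there is nothing to bounce; with reject_early=False it
    behaves like the old accept-then-bounce servers the post describes."""
    replies, backscatter = [], []
    if client_ip in BLOCKLIST:
        # Decided from the connecting IP alone, before any message content.
        replies.append("554 5.7.1 Service unavailable; client host blocked")
        return replies, backscatter
    replies.append("220 mx ready")
    replies.append("250 OK")                      # MAIL FROM accepted
    user, _, domain = rcpt_to.partition("@")
    known = domain == DOMAIN and user in LOCAL_USERS
    if not known and reject_early:
        # The sending MTA gets the code; if it is a bot it has no user
        # to notify and the message simply ceases to exist.
        replies.append("550 5.1.1 No such user here")
        return replies, backscatter
    replies.append("250 OK")                      # RCPT TO accepted
    replies.append("354 End data with <CR><LF>.<CR><LF>")
    replies.append("250 OK queued")
    if not known:
        # Accepted, then found undeliverable: a DSN goes to the
        # return-path, which a spammer will have forged.
        backscatter.append(mail_from)
    return replies, backscatter

def demo():
    # A bot at an unlisted IP sends to a nonexistent user with a forged
    # return-path; compare the two server policies.
    forged = "victim@example.net"
    early, _ = smtp_session("198.51.100.23", forged, "nobody@example-work.com")
    _, old = smtp_session("198.51.100.23", forged, "nobody@example-work.com",
                          reject_early=False)
    return early[-1], old
```

The early policy ends the conversation with a 550 and generates no mail; the old policy queues the message and then addresses a bounce to the forged return-path, which is exactly the flood Mike describes.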
