Spam, spam and more spam

[Zukiwi]

Today I have had the unpleasant surprise of finding some 200 postmaster replies in my mailbox. One of my email accounts was spoofed by a spammer somewhere in China it appears (221.221.245.208). I reported the spam, but to some extend ... are the postmaster not also being used as a tool by the spammers - their replies are definitely unsolicited with the spammers attachement ..

Is there not a more intelligent way for postmaster to reply and not use the email address but rather verify the IP versus the domains before determining if the alleged email is in a legitimate use ? And aside from reporting the abuse, what else can be done to prevent sources from spoofing emails ?

Please excuse me if I did not post this at the correct place, I'm new here and just was not sure where to put this ... but it's a rant for sure ;-)

Thank you for any help or insight

[rconner]

Is there not a more intelligent way for postmaster to reply and not use the email address but rather verify the IP versus the domains before determining if the alleged email is in a legitimate use ? And aside from reporting the abuse, what else can be done to prevent sources from spoofing emails ?

Indeed there is a better way for the postmaster to reply, which is NOT TO REPLY IN THE FIRST PLACE. If the receiving mail service had followed proper SMTP procedure and rejected the mail when it was offered (by throwing it back at the spammer's sending host), you would not have received any of these bounces. Because the service accepted the mail and then decided later that it did not want to deliver it, the only info it had by which to bounce it was your e-mail address. This is known as a "delayed bounce" and is a feature of many lazy or substandard mail systems.

See the Wiki articles for bounces and misdirected bounces where you will note that these message can be reported by you via SpamCop.

I would not say that the postmasters are collaborating with the spammers; however, I would say that they should not be delay-bouncing mail that they do not intend to deliver.

-- rick

[Farelf]

Today I have had the unpleasant surprise of finding some 200 postmaster replies in my mailbox. One of my email accounts was spoofed by a spammer somewhere in China it appears (221.221.245.208). I reported the spam, but to some extend ... are the postmaster not also being used as a tool by the spammers - their replies are definitely unsolicited with the spammers attachement ..

Reports concerning 221.221.245.208 go to abuse[at]cnc-noc.net (or are dropped) but that party would have nothing to do with postmaster replies to your address which was spoofed. Those would be the result of other parties sending misdirected bounces/backscatter to your spooded address. You should report these too (as mentioned in the reference), perhaps a proportion of them will learn the error of their ways as a result. NO-ONE should respond to the From: or Reply to: address in spam (because it is almost always a spoofed address) and certainly postmasters are expected to know better. Who are the postmasters doing this?

Of course there is a class of spam (often actually a virus delivery) which pretends to be a bounce but that should be reported too.

[Zukiwi]

Reports concerning 221.221.245.208 go to abuse[at]cnc-noc.net (or are dropped) but that party would have nothing to do with postmaster replies to your address which was spoofed. Those would be the result of other parties sending misdirected bounces/backscatter to your spooded address. You should report these too (as mentioned in the reference), perhaps a proportion of them will learn the error of their ways as a result. NO-ONE should respond to the From: or Reply to: address in spam (because it is almost always a spoofed address) and certainly postmasters are expected to know better. Who are the postmasters doing this?

They were from all over the planet ! Some send a *response challenge * which might be a new thing to see if there are people behind the mail, but still a bounce: Some of those were multid.qc.ca, jaeger-heizungsbau.de. creditUnion1.org, noc.dls.net, svpx02.dutchtone.nl, kpnxchange.com, spb-volna.ru, and more (like I said 200 !)

I have never seen something so acute. Must have been a world-wide spam campaign last night, I got the bounces in different languages, I am pretty sure they are original bounces (and not the virus spreadking .zip postmater I have also see more of lately)

Thank you for your help ! It is much appreciated ...

Indeed there is a better way for the postmaster to reply, which is NOT TO REPLY IN THE FIRST PLACE. If the receiving mail service had followed proper SMTP procedure and rejected the mail when it was offered (by throwing it back at the spammer's sending host), you would not have received any of these bounces. Because the service accepted the mail and then decided later that it did not want to deliver it, the only info it had by which to bounce it was your e-mail address. This is known as a "delayed bounce" and is a feature of many lazy or substandard mail systems.

See the Wiki articles for bounces and misdirected bounces where you will note that these message can be reported by you via SpamCop.

I would not say that the postmasters are collaborating with the spammers; however, I would say that they should not be delay-bouncing mail that they do not intend to deliver.

-- rick

(edit & repost : I replied to the wrong post)

Thank you Rick, I was not implying they were willingly collaborating, but they sort of make *colateral* damages LOL. I will read your links, I sure want to know what I can do about this. spam abuse has been using lots of my time, and I try to spend of 2 hours a week in reporting.

Thank you both again for taking the time to respond, it is genuinely appreciated !

- Louise

[Farelf]

...They were from all over the planet ! Some send a *response challenge * which might be a new thing to see if there are people behind the mail, but still a bounce: Some of those were multid.qc.ca, jaeger-heizungsbau.de. creditUnion1.org, noc.dls.net, svpx02.dutchtone.nl, kpnxchange.com, spb-volna.ru, and more (like I said 200 !)...

Little fish - they are in urgent need of education. It would have been, indeed, an exceptional spam run to flush out such as these who have obviously not been hit very often before. Sympathy for it being your address which was used. I'm sure we'll all have "our turn" in the fullness of time. If we all report as much as we can of the backscatter when it occurs then maybe the word will spread. If a mail server can't bounce during the SMTP session (while it still has access to the sender/relay) then it shouldn't bounce at all. Some believe they are obliged to bounce by the relevant rfc. They are not - not if they don't know who they're bouncing to - [they ARE obliged to]/[it would be nice if they could] turn their brains on (occasionally).

[Javier]

My worst offender regarding backscatter lately is danger.com. I receive daily several dozens of misdirected bounces from these nerds and, as they used to slip under the SpamAssassin radar, I manually added their mailer-daemon[at] address to my SC mail blacklist and I report each one of his bounces. I will try my best to have their mailserver IP into all RBL lists I know. :angry:

Other than that, the "challenge-response" systems are also a big pain in the a**.