"This message is not spam."


Farelf

Date: Fri, 30 May 2008 07:59:14 +0400

From: kamrad[at]df.ru

Message-ID: <646507241.20080530075914[at]df.ru>

To: <x>

Subject: Spamcop report id:3149912609

kamrad[at]df.ru wrote:

>Hello SpamCop user,

>

>This message is not spam.

Oh yes it is господин kamrad - we are talking about http://www.spamcop.net/sc?id=z1937169956z1...;action=display

Your "Undeliverable mail" notice was sent to the FORGED sending ("From:") email address in the attglobal.net domain - from the header of a spam which originated with dsl88-229-49881.ttnet.net.tr (88.229.194.217). That *real* sending server has nothing to do with attglobal.net, nor with the email address owner. The attglobal.net address has originated no message since 29 December 2005, it now only EVER relays to one of my other addresses.

When mail services bounce non delivery notices to a forged address used in a spam run, that (innocent) address can receive thousands of such messages a day. That is a WRONG thing. That is network abuse. If you can't reject during the SMTP transaction, don't bounce. For an explanation of the problem, see http://www.spamcop.net/fom-serve/cache/329.html#bounces - you need to understand this stuff.

Please excuse me for not replying directly. I do not give away my email addresses. Besides which other mail admins in similarly urgent need of education might happen to read it here.


> Please excuse me for not replying directly. I do not give away my email addresses. Besides which other mail admins in similarly urgent need of education might happen to read it here.

Although I understand the rationale about replying in a forum where other misguided mail admins might read it, isn't that what hotmail or yahoo or sneakemail addresses are for?

Miss Betsy


> Although I understand the rationale about replying in a forum where other misguided mail admins might read it, isn't that what hotmail or yahoo or sneakemail addresses are for?...

Well that's what sneakemail and the like are for, I don't really consider the others 'disposable' just because they are/can be free. Save the planet and all that (yeah, I reuse/recycle plastic shopping bags too). Maybe if I get around to it, sneakemail ... good opportunity, maybe. Thanks for the prod.

I didn't dispose of the hotmail account I opened to 'talk' to potential spammers and I used the same one for all such contacts. When I sent a manual report (munged heavily to avoid giving away real address) to suspected spamvertized site (after unchecking the spamcop one), I received a spam within minutes with 'sorry to bother you' in subject line. Of course, then I couldn't prove that it was the spammer responding because the email was used for other people. Now that hotmail is so aggressive with filtering, it gets very little spam in spite of having been in direct contact with several spammers so that address must be widely circulated. It used to receive a lot.

Miss Betsy


> I didn't dispose of the hotmail account I opened to 'talk' to potential spammers and I used the same one for all such contacts. When I sent a manual report (munged heavily to avoid giving away real address) to suspected spamvertized site (after unchecking the spamcop one), I received a spam within minutes with 'sorry to bother you' in subject line. Of course, then I couldn't prove that it was the spammer responding because the email was used for other people. Now that hotmail is so aggressive with filtering, it gets very little spam in spite of having been in direct contact with several spammers so that address must be widely circulated. It used to receive a lot.

Good to hear, but part of my point being - all that filtering has a hidden cost. Not to say that the truly disposable addresses (the ones that evaporate after a set time or number of messages, there are a number of choices, it seems) don't incur a bit as well - spam might be sent to them for years after they are gone forever. But never making it past the initial SMTP session, therefore no relay of the content, saving some bandwidth. Whereas spam rejected on filtering, by the necessity, involves "looking" at the content at the delivery point or immediately before, meaning greater bandwidth consumption.

There's 'economics' and there's actual economies differentiating the cases it seems to me, where 'economics' is the sort of thing that allowed cabbages to be marketed in Singapore (at one time, maybe still?) cheaper than local produce - that is if you ignore the hidden cost of farm subsidies, fuel subsidies and subsidized transport. All of which also points to the real argument for the SCbl and some/many others - rejection of messages depending on source IP, before the payload gets involved (remembering some of those payloads can be massive, as reported elsewhere, if not they are very, very numerous). All very imperfect in terms of (certainly) blocking innocent mail at times but it may also be all that allows the internet to limp along at all, in times of stress, never mind that others then feel free to claim superiority in terms of minimal false positives. It's not really a competition, even if the beneficiaries might see it in those terms.

Foregoing utterly uninformed by real knowledge or actual statistics (net stats will always be very volatile though, I'm guessing). Just clutching at patterns and drawing inferences.


> There's 'economics' and there's actual economies differentiating the cases it seems to me, where 'economics' is the sort of thing that allowed cabbages to be marketed in Singapore (at one time, maybe still?) cheaper than local produce - that is if you ignore the hidden cost of farm subsidies, fuel subsidies and subsidized transport. All of which also points to the real argument for the SCbl and some/many others - rejection of messages depending on source IP, before the payload gets involved (remembering some of those payloads can be massive, as reported elsewhere, if not they are very, very numerous). All very imperfect in terms of (certainly) blocking innocent mail at times but it may also be all that allows the internet to limp along at all, in times of stress, never mind that others then feel free to claim superiority in terms of minimal false positives. It's not really a competition, even if the beneficiaries might see it in those terms.

Well, I am glad you said that!!! I cannot understand why content filters are still used (except to filter out incoming spam where the IP address has not been identified).

The additional benefit of using blocklists at the server level is that if it is a legitimate email, the sender gets notified.

Miss Betsy

Side note, although I know that occasionally one or two false positives were not accepted by hotmail, I think that the reason there is a reduction in spam even getting to the junk folder is that once a compromised computer is identified, it can be blocked at the server level with no bad results since it is not a mail server. I forget the statistics on how much spam is sent by compromised computers but IIRC it is a large chunk.


> ...I think that the reason there is a reduction in spam even getting to the junk folder is that once a compromised computer is identified, it can be blocked at the server level with no bad results since it is not a mail server. I forget the statistics on how much spam is sent by compromised computers but IIRC it is a large chunk.

Sounds reasonable.

  • 2 weeks later...
> So in other words: When I receive a rash of these emails because my address was spoofed, I should report them?

You are entitled to - see http://www.spamcop.net/fom-serve/cache/14.html - down the page
Messages which may be reported:

There are several types of responses to forged email that SpamCop has in the past prohibited. However, these messages have become a big enough problem that we now allow them to be reported as the spam that they technically are.

Examples of messages in this category:

1. Misdirected bounces

2. Misdirected virus notifications

3. Misdirected vacation emails

4. Misdirected challenges from challenge/response spam filtering systems

There's nothing like coming home from a hard day at work to be greeted by "You have 429 messages" or whatever. You should not be subjected to that sort of clueless nonsense, perpetrated by people who are actually paid to know better (mail admins and/or their tech staff).

I think we could all forgive the occasional one or two (perhaps even take the effort to educate the benighted souls responsible) but when it's your turn at the wheel it is going to be many, many more than that. And you are unlikely to be feeling particularly charitable. But forget any vengeance aspect - in the normal course of events they are never going to be blacklisted (on the basis of your reports alone). But they (or some of them) will get reports and the opportunity to find out why they are deemed to be in the wrong. Before they start bouncing to forged spamtrap addresses (and *do* get themselves listed).


Seems to me that if *I* send to someone and it bounces, that should not be reported... but when I'm spoofed, it should be.

The question is: Are they really 'misdirected bounces'?

My address appears to be where it came from, so the recipient is responding as it should, to the sender address. It's not as if it can see that X address is not Y IP address.

Thoughts?


> The question is: Are they really 'misdirected bounces'?

Please see the Dictionary, the Glossary, the SpamCop FAQ, and the SpamCop Wiki for the definition of and information about "Misdirected Bounces" ....

> My address appears to be where it came from, so the recipient is responding as it should, to the sender address. It's not as if it can see that X address is not Y IP address.
>
> Thoughts?

As seen in the above references, there is more to a "Misdirected Bounce" than the contents of the From: field. There's the whole SMTP process involved for starters, then there's the configuration of both servers involved, and it's only after all that does one get down to the From: and/or Reply-To: fields. As to "responding as it should" .. there once was a time before spammer abuse many, many, many moons ago. That time does not now exist. The current Internet was not designed with the concept of spammers, hackers, and bad folks in mind.


And it should be pointed out that some/many of the SC bounce reports are just that - a special bounce report including a link to http://www.spamcop.net/fom-serve/cache/329.html (reporters sending 'full' reports can always add that to the notes for any that are not correctly identified during the parse process, which unfortunately seems to include many of the 'early responders'). As said, these people are paid to know better or have their handling configured to avert the massive, brutal abuse that is the whole 'misdirected bounce' scenario. For most of us this is a totally unmistakable circumstance - going from a few/few dozen unsolicited messages a day to maybe hundreds/thousands, depending mostly on exterior factors.


> The question is: Are they really 'misdirected bounces'?

If you get a bounce for a message you did not send, it is by definition misdirected. This sort of thing is far more likely to happen with operations that don't follow proper procedure in accepting and delivering incoming mail, and usually when they decide to return mail that they have already accepted for delivery.

As Farelf indicates, you are now entitled to report misdirected bounces via SpamCop. This may perhaps be a bit of "social engineering" to get mail services to bring their hosts into compliance with strict SMTP, which does not allow messages to be bounced for "frivolous" reasons after these have been accepted for delivery.
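
A recipient-side check for the definition given in the thread (a bounce for a message you did not send is misdirected), as an added example that is not part of the original posts: it pulls the original Message-ID out of a delivery status notification and compares it with a log of Message-IDs you actually sent. The function names, the `sent_ids` log and the sample notification are assumptions constructed for illustration.

```python
import email

def original_message_id(raw_bounce: bytes):
    """Message-ID of the mail a bounce claims to return, or None."""
    msg = email.message_from_bytes(raw_bounce)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":            # full original attached
            inner = part.get_payload(0)
        elif ctype == "text/rfc822-headers":     # headers-only copy
            inner = email.message_from_bytes(part.get_payload(decode=True))
        else:
            continue
        mid = inner["Message-ID"]
        return mid.strip() if mid else None
    return None

def classify(raw: bytes, sent_ids: set) -> str:
    """Triage one inbound message against the IDs we really sent."""
    msg = email.message_from_bytes(raw)
    is_dsn = (msg.get_content_type() == "multipart/report"
              and msg.get_param("report-type") == "delivery-status")
    if not is_dsn:
        return "not-a-bounce"
    mid = original_message_id(raw)
    if mid is None:
        return "unverifiable"                    # no original to compare
    return "own-bounce" if mid in sent_ids else "misdirected-bounce"

def sample_bounce(msgid: str) -> bytes:
    # Constructed sample notification (example domains), not a real message.
    return (
        "Return-Path: <>\r\nFrom: MAILER-DAEMON@mx.example.net\r\n"
        "To: user@example.org\r\nSubject: Undeliverable mail\r\n"
        "MIME-Version: 1.0\r\nContent-Type: multipart/report; "
        'report-type=delivery-status; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nDelivery failed.\r\n"
        "--b1\r\nContent-Type: message/delivery-status\r\n\r\n"
        "Reporting-MTA: dns; mx.example.net\r\n\r\n"
        "Final-Recipient: rfc822; nobody@example.net\r\n"
        "Action: failed\r\nStatus: 5.1.1\r\n\r\n"
        "--b1\r\nContent-Type: text/rfc822-headers\r\n\r\n"
        f"From: user@example.org\r\nMessage-ID: {msgid}\r\n\r\n"
        "--b1--\r\n"
    ).encode()

SENT_IDS = {"<sent-1@example.org>"}              # constructed sent-mail log
```

Bounces that carry no copy of the original headers come back as "unverifiable" rather than being guessed at.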
