Bouncing Seems to Work

  • Thread starter: OldWiseMan
OldWiseMan said:
There are two separate arguments here.

1) Does bouncing reduce the spam you receive ?

All I'm saying is that on my limited trial so far, it appears to do so.
I've checked the spam tracking sites mentioned above and my own
reduction seems much greater than the general trend; again, I realise
that this trial of mine is only a limited one but the results so far
would make me at least question the conventional wisdom that bouncing
has little or no impact.

Have you actually tracked to whom you are sending all those bogus NDRs?
Did you review the headers in them to see if the sending mail server or
relay even matches the domain of the purported sender? How many
casualties have there been using this approach (i.e., how many innocents
get hit with your bogus NDRs)?

You say that YOUR level of received spam has increased. Whether this be
from a reduction in general spam quotas, a reduction on spam hitting
your particular e-mail domain, or something else is unknown. You don't
know if ANY of your bogus NDRs ever targeted the real sender of a spam.

2) Is bouncing a responsible way of dealing with it?

Previously, I would have been inclined to say yes but to be honest, I
hadn't really given it a great lot of thought as I believed the
'responsible' argument was irrelevant if bouncing didn't work anyway.
Now that it *seems* to work, I have to think more deeply about the
'responsible' part.

I take on board the points that are made above, like everyone here, I
hate spam/junk mail with a passion and the last thing I want to do is
add to the problem by pushing that mail out to innocent people. The only
argument I could perhaps use is that if someone else's email address has
been hijacked by a spammer, then that's their problem, not mine and
getting email bounced back to them might at least get them to pay
attention to the fact that it has been hijacked. That sounds selfish but
isn't meant to be.

Vanguard here.

If you feel compelled to continue issuing bogus NDRs, you'll need a
different product than Mailwasher. For example, those spams you receive
that have an IP address assigned to a dial-up or cable/dsl user are
probably from folks who are infected with a mailer daemon (i.e., they
have a trojanized PC). Sending a bogus NDR won't help because: (1) They
won't know why they got the NDR for an e-mail they don't know they sent;
and, (2) The mailer daemon sends crap but it doesn't listen for inbound
NDRs. SpamPal offers a MXblocking plug-in that detects e-mail
originating from dynamically assigned IP addresses but it is a passive
spam filtering product (so it can tag the spam mails but doesn't go
blasting out bogus NDRs in response to them).

No one can do anything about their e-mail address getting hijacked.
After all, how are you going to stop someone on the street saying that
they are you? You are using Outlook Express. Go look in your e-mail
account definition(s). See, even you can enter anything you want in the
From and E-mail fields so you can pretend to be anyone that you want to
be. The From, To, Cc, Subject, Reply-To headers are all part of the
*data* that the sender composes. They are NOT added by the mail server.
That means the sender can specify any value they want in those fields.
 
While it is possible for spam software to determine that your bogus NDR
(non-delivery report) did NOT come from the receiving mail server, it is
not likely that many spammers would bother. They would have to run a mail
server that accepted inbound e-mails. That puts them at risk for
exposure, retaliation, and disconnect. So it is possible to validate
e-mail accounts based on receiving bogus NDRs from clients as
differentiated from getting NDRs from the ISP's mail server to which the
e-mail was delivered but it is not a likely scenario.

Agreed, but the modern spamming software has this ability and feature to
help the spammer cull the address database. Blank e-mails don't
advertise anything (not UCE spam) and yet can show delayed returns from
desktop bouncing thus validating them as "good" addresses. Not a likely
scenario for a spam run though because as you say there needs to be a
valid return address for the email for the spammer to see the bounces.
 
OldWiseMan said:
I hate spam/junk mail with a passion and the last thing I want to do is add to the
problem by pushing that mail out to innocent people. The only argument I
could perhaps use is that if someone else's email address has been hijacked
by a spammer, then that's their problem, not mine and getting email bounced
back to them might at least get them to pay attention to the fact that it
has been hijacked.

And what can the innocent person do if they find out that a spammer is
faking their email address in spam?

I have often been victimized in this way. There was a time when I would
use the information in the bounced spam to identify the real source of
the spam and to complain to the host: but some hosts just don't care
(e.g. many in Brazil); and for those that do care, the spammer just
changes their domain name and host ... and often continues to use my
faked email addresses in future spam. In one case the spammer switched
domain names and hosts four times, continuing to use my faked email
address for each name and host.

In the end it was just costing me too much time, and was ultimately
futile, so I gave up, then added filters to trash email being bounced to me.
 
webster72n said:
here
*Bouncing* doesn't sound so good to begin with and how it is possible for
someone to subscribe to such a tactic, escapes me.
Try to correct your mistake in a hurry, OldWiseMan.

If you bounce with "reply to sender" the attachment does *not* go with it.
But attachments go with mails that are forwarded.
With links, that's a little different. Links travel better.
BTW I received an email from EBay to renew or lose account. I figured this
was a phishing trick but I figured clicking on the link only asked for info
which I never intended to give. (I don't even *have* an Ebay account!!!)
However when I clicked on the link my AntiVirus popped up with "Redlof.A"
virus!! So bouncing an email like that could potentially infect someone that
has poor computer security with a virus.
 
[New info about MailWasher below]

The same with automated returned messages saying an e-mail containing a
virus has received with the From address.
[snip]

At least one anti-virus company has a clue:

"Why (some) anti-virus companies are to blame for the recent e-mail flood."
http://www.f-prot.com/news/gen_news/030910_open_letter.html
"Yes, (some) antivirus companies are spammers."
http://www.f-prot.com/news/gen_news/040130_open_letter.html
[snip]

I just had a look at the web site,
http://www.firetrust.com/
and it appears that they are the distributors of MailWasher:

: [1] Firetrust anti-spam and anti virus software [2] German[3] Spanish
: [4] Firetrust inbox protection and email security solutions
[snip]
:Firetrust offers anti-spam and email security solutions for users seeking
:ultimate inbox efficiency and protection.
:
: Our intelligent and empowering approach to email security means
: maximum choice, convenience, minimum disruption and intelligent email
: management, with the confidence of full technical support.
: [12] MailWasher® Pro is the ultimate innovation in anti-spam software.
: Stop spam and unwanted email with MailWasher Pro. It's easy to use and
: very effective. Over 5 million downloads!
[snip]
: [16] MailWasher® Pro
: Delete spam, viruses and unwanted emails right at the server.
: ONLY US$37.00
: [17] Read More
: [18] Download Free Trial
: [19] Buy Now [20] MailWasher Pro anti-spam software
[snip]

Exactly *why* was I looking at their website?

It was because I just received the following from one of their servers
(text added by the filters local to here removed for clarity):

: >From <> Mon Mar 14 03:50:42 2005
: Received: from lich.chebucto.ns.Ca ([192.75.95.79]:36575 "EHLO
: lich.chebucto.ns.ca") by halifax.chebucto.ns.ca with ESMTP
: id S1862AbVCNHru (ORCPT <rfc822;[email protected]>);
: Mon, 14 Mar 2005 03:47:50 -0400
: Received: from lobster.firetrust.com ([69.59.174.220]:7901 "HELO
: lobster.firetrust.com") by lich.chebucto.ns.ca with SMTP
: id <S416521AbVCNHrp>; Mon, 14 Mar 2005 03:47:45 -0400
: Received: (qmail 1855 invoked for bounce); 14 Mar 2005 07:47:03 -0000
: Date: 14 Mar 2005 07:47:03 -0000
: From: (e-mail address removed)
: To: (e-mail address removed)
: Subject: failure notice
: Message-Id: <[email protected]>
: Return-Path: <>
:
: Hi. This is the qmail-send program at lobster.firetrust.com.
: I'm afraid I wasn't able to deliver your message to the following addresses.
: This is a permanent error; I've given up. Sorry it didn't work out.
:
: <[email protected]>:
: Sorry, no mailbox here by that name. vpopmail (#5.1.1)
:
: --- Below this line is a copy of the message.
:
: Return-Path: <[email protected]>
: Received: (qmail 16037 invoked from network); 14 Mar 2005 07:44:20 -0000
: Received: from unknown (HELO chebucto.ns.ca) (218.24.142.194)
^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^
Note the HELO forgery. 218.24.142.194 is nowhere near my ISP's netblock.

: by lobster.firetrust.com with SMTP; 14 Mar 2005 07:44:20 -0000
: From: (e-mail address removed)
^^^^^^^^^^^^^^^^^^^^

Forged by the worm.

: To: (e-mail address removed)
: Subject: Error
: Date: Mon, 14 Mar 2005 15:42:19 +0800
: MIME-Version: 1.0
: Content-Type: multipart/mixed;
: boundary="----=_NextPart_000_0003_BD09DF8E.9F22C21C"
: X-Priority: 3
: X-MSMail-Priority: Normal
:
: This is a multi-part message in MIME format.
:
: ------=_NextPart_000_0003_BD09DF8E.9F22C21C
: Content-Type: text/plain;
: charset="Windows-1252"
: Content-Transfer-Encoding: 7bit
:
: The message contains Unicode characters and has been sent as a binary attachment.
:
:
: ------=_NextPart_000_0003_BD09DF8E.9F22C21C
: Content-Type: application/octet-stream;
: name="data.exe"
: Content-Transfer-Encoding: base64
: Content-Disposition: attachment;
: filename="data.exe"
:
[BIG SNIP]
:
: ------=_NextPart_000_0003_BD09DF8E.9F22C21C--
:

According to F-Prot on my machine, "data.exe" (128000 bytes) was a copy of
the "W32/Lovgate.X@mm" worm.

They are allegedly in the anti-spam and anti-virus business and they are
bouncing complete copies of worms to forged addresses? Furrfu!
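
The header check done by hand in the post above (compare the peer IP recorded beside the HELO name with the netblock your own mail leaves from) can be automated for bounces that arrive in a mailbox. This is an added example, not part of the original post; the bounce text, host names, addresses and the `OUR_OUTBOUND_NETS` range are constructed placeholders, and only the qmail bounce layout is assumed.

```python
import ipaddress
import re
from email import message_from_string

# Assumption: netblocks our own outbound mail leaves from (documentation range).
OUR_OUTBOUND_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed bounce in the qmail layout quoted above; every address, host
# name and IP here is a placeholder, not a value from the post.
SAMPLE_BOUNCE = """\
Return-Path: <>
From: MAILER-DAEMON@mx.bouncer.example
To: victim@example.org
Subject: failure notice

<nobody@bouncer.example>:
Sorry, no mailbox here by that name. vpopmail (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <victim@example.org>
Received: (qmail 16037 invoked from network); 14 Mar 2005 07:44:20 -0000
Received: from unknown (HELO example.org) (203.0.113.194)
  by mx.bouncer.example with SMTP; 14 Mar 2005 07:44:20 -0000
From: victim@example.org
"""

QMAIL_MARKER = "--- Below this line is a copy of the message."
# qmail hop line: from <reverse DNS> (HELO <claimed name>) (<peer IP>)
HOP_RE = re.compile(r"from\s+(\S+)\s+\(HELO\s+(\S+)\)\s+\(([0-9.]+)\)")

def classify_bounce(raw):
    """Decide whether the message a qmail NDR complains about left our network."""
    body = message_from_string(raw).get_payload()
    if not isinstance(body, str) or QMAIL_MARKER not in body:
        return {"verdict": "unparsed"}
    original = message_from_string(body.split(QMAIL_MARKER, 1)[1].lstrip())
    for hop in original.get_all("Received", []):
        m = HOP_RE.search(hop)
        if not m:
            continue  # e.g. the "(qmail ... invoked from network)" line
        rdns, helo, ip = m.groups()
        try:
            ours = any(ipaddress.ip_address(ip) in n for n in OUR_OUTBOUND_NETS)
        except ValueError:  # malformed address in the header
            break
        return {"verdict": "sent_by_us" if ours else "backscatter",
                "rdns": rdns, "helo": helo, "peer_ip": ip}
    return {"verdict": "unparsed"}
```

A `backscatter` verdict means the HELO name claimed our domain but the connection came from elsewhere, so the bounce can be filed without treating it as a delivery failure of real mail.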
 
There are two separate arguments here.

1) Does bouncing reduce the spam you receive ?

All I'm saying is that on my limited trial so far, it appears to do so.
I've checked the spam tracking sites mentioned above and my own
reduction seems much greater than the general trend; again, I realise
that this trial of mine is only a limited one but the results so far
would make me at least question the conventional wisdom that bouncing
has little or no impact.

Totally a perception. Bouncing in no way reduces spam. As a postmaster for
my company I can assure you that most addresses are forged and those that
aren't have been harvested by a virus or web site.

2) Is bouncing a responsible way of dealing with it?

Previously, I would have been inclined to say yes but to be honest, I
hadn't really given it a great lot of thought as I believed the
'responsible' argument was irrelevant if bouncing didn't work anyway.
Now that it *seems* to work, I have to think more deeply about the
'responsible' part.

I take on board the points that are made above, like everyone here, I
hate spam/junk mail with a passion and the last thing I want to do is
add to the problem by pushing that mail out to innocent people. The only
argument I could perhaps use is that if someone else's email address has
been hijacked by a spammer, then that's their problem, not mine and
getting email bounced back to them might at least get them to pay
attention to the fact that it has been hijacked. That sounds selfish but
isn't meant to be.

BTW, I have read here before about people setting up their mailserver to
reject certain types of email. What is the difference? In this case does
the email not get returned and just disappear into cyberspace?

My boss had her email address used by a spammer (she's not dumb and doesn't
readily give out her address). This resulted in literally thousands of
bounced email messages a day. It lasted for about 3 weeks until the spammer
switched to another address. It's real simple: don't bounce spam. There is
enough of it going around without you adding to the problem.
 
Fuzzy Logic said:
Bouncing in no way reduces spam. As a postmaster for my company I can
assure you that most addresses are forged and those that aren't have
been harvested by a virus or web site.

I think one has to distinguish.

It's good to "bounce" spam mails rejecting them *within* the SMTP
dialog. This does no harm to anybody (at least if you have not directed
a forwarding service to your address).

It's VERY bad to accept them first and to reply then by a (real or
faked) non-delivery report (NDR) because this normally hits innocent
people.

A domain of mine last week has got about 9,500 NDRs a day - quite a lot
of them the result of clueless postmasters who *think* that they have found
the definitive solution to the spam problem.

So my advice: Do not send non-delivery reports (or "faked bounces") as
a reply to spam mails.

Bye,
Hatto
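
The distinction drawn in the post above, and the question earlier in the thread about what a rejecting mail server does differently, shown as a toy SMTP receiver run under both policies. This is an added example, not part of the original thread; `LOCAL_MAILBOXES`, the session and the reply texts are constructed assumptions.

```python
# Assumption: the only mailbox this toy receiver hosts (constructed address).
LOCAL_MAILBOXES = {"alice@mail.example"}

# Constructed session: a worm forging victim@example.org as envelope sender.
FORGED_SESSION = [
    "HELO example.org",
    "MAIL FROM:<victim@example.org>",
    "RCPT TO:<nobody@mail.example>",
    "DATA",
]

def smtp_session(commands, reject_in_dialog):
    """Feed SMTP commands to a toy receiver; return (replies, ndr_targets).

    ndr_targets lists every address a non-delivery report is later mailed to.
    The DATA phase is collapsed into a single step to keep the model short.
    """
    replies, ndr_targets = [], []
    sender, accepted, unknown = "", [], []
    for line in commands:
        verb, _, arg = line.partition(":")
        verb, addr = verb.upper(), arg.strip().strip("<>").lower()
        if verb.startswith(("HELO", "EHLO")):
            replies.append("250 hello")
        elif verb == "MAIL FROM":
            sender = addr
            replies.append("250 ok")
        elif verb == "RCPT TO" and addr in LOCAL_MAILBOXES:
            accepted.append(addr)
            replies.append("250 ok")
        elif verb == "RCPT TO" and reject_in_dialog:
            # The connecting client is told directly; nothing is queued.
            replies.append("550 5.1.1 no mailbox here by that name")
        elif verb == "RCPT TO":
            unknown.append(addr)  # accepted now, bounced later
            replies.append("250 ok")
        elif verb == "DATA" and not (accepted or unknown):
            replies.append("554 no valid recipients")
        elif verb == "DATA":
            replies.append("250 queued")
            if unknown and sender:  # a null sender (<>) is never bounced to
                ndr_targets.append(sender)
        else:
            replies.append("500 unrecognised command")
    return replies, ndr_targets
```

With `reject_in_dialog=True` the forged session ends with a 550 to the connecting host and an empty `ndr_targets`; with `False` the same session is accepted and `victim@example.org` receives the bounce.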
 