[SC-Help]
Re: Loads of spam showing "Delivery Status Notification", "Failure
Notice" etc.
Chris Wright
chris.a.wright at gmail.com
Tue Apr 18 10:24:13 EDT 2006
Ant wrote:
> "rowan" wrote:
>
>> I've recently started receiving loads of spam messages which purport to
>> be delivery failure messages. They are always addressed to a
>> non-existent user at my domain, e.g. ojvnyo@, ejrzx@, rrl@ etc.
>
> I, and a lot of customers at my old ISP, am getting the same because
> we have unlimited email addresses of the form:
> <[anything]@[account name].[ISP name].co.uk>
>
>> They
>> can have a variety of failure messages, and purport to tell me that a
>> message that I sent to an address that I have never sent to in my life
>> could not be delivered.
>
> They are genuine non-delivery messages from mail servers that have
> accepted the mail, and then decided to bounce it later. The spammer
> has forged your address in the "From:" line. These NDRs are called
> backscatter, and this belated bouncing should not be happening
> nowadays.
>
>> The message sometimes contains a load of Base64
>> code, presumably some kind of malware, or a scanned page of text.
>> Sometimes there's no obvious payload.
>
> All mine are pump & dump stock spams in the form of gif images,
> so there is no URL to click on.
>
>> Where are these messages coming from? Why have they suddenly started
>> (or at least, suddenly started finding me)? Why are they getting
>> through my ISP's spam filter (which is normally very good)?
>
> Lots of people are asking the same questions. Mine are being tagged
> as spam when a copy of the actual spam is attached, because the body
> also contains the usual spammy hash-busting text.
>
>> What can I do to get rid of them?
>
> Don't accept mail for non-existent users.
>
>
How difficult is it for a mail server to determine if the header is
forged and not reply with a 'Delivery Failure' message?
I've seen a massive increase in this type of abuse in the past 2 weeks.
Originally, I had the catchall set up to forward to a 'honeypot', but
since the deluge of Non Delivery Messages, I've switched it off.
But I am sure it can't be that difficult for the server to determine
that the header was faked and therefore ditch the message in the first
place.
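The two defences the thread touches on, shown as an added example rather than anything posted by the participants: Ant's advice to refuse mail for non-existent users at RCPT TO time (so the server never has to bounce later to a forged sender), and an answer to Chris's question of how a server can tell that a bounce is for mail it never sent. A generic receiving server cannot know whether a From: line was forged, but the domain owner can tag the envelope sender of its own outgoing mail with a keyed hash (the BATV "prvs" scheme); any bounce (MAIL FROM:<>) arriving for an untagged or badly tagged address is then backscatter and can be rejected before DATA. The domain, mailbox list, key, day number and tag lifetime below are constructed for the example.

```python
"""SMTP-time defences against backscatter (added example, not from the thread).

1. rcpt_to_reply() refuses unknown local users at RCPT TO, so mail is never
   accepted and then bounced to a forged sender.
2. tag_sender()/untag_sender() implement BATV-style "prvs" tagging of our own
   envelope sender, so a null-sender bounce to an untagged address is known to
   be backscatter and is refused as well.
All names, users and keys are constructed for the example.
"""
import hashlib
import hmac

DOMAIN = "example.com"                  # assumed local domain
LOCAL_USERS = {"rowan", "postmaster"}   # constructed list of real mailboxes
BATV_KEY = b"constructed-secret-key"    # assumed secret held by the MTA
KEY_ID = "0"                            # single-digit key selector
TAG_LIFETIME_DAYS = 7                   # how long a tag stays valid


def split_address(addr: str):
    """Return (local_part, domain) of 'user@domain', lowercased, brackets stripped."""
    local, _, domain = addr.strip("<>").rpartition("@")
    return local.lower(), domain.lower()


def prvs_signature(day: int, local: str) -> str:
    """6 hex digits of HMAC-SHA1 over key id, 3-digit day and local part."""
    ddd = f"{day % 1000:03d}"
    mac = hmac.new(BATV_KEY, (KEY_ID + ddd + local).encode(), hashlib.sha1)
    return mac.hexdigest()[:6]


def tag_sender(addr: str, day: int) -> str:
    """Rewrite our own outgoing envelope sender as prvs=KDDDSSSSSS=user@domain."""
    local, domain = split_address(addr)
    return f"prvs={KEY_ID}{day % 1000:03d}{prvs_signature(day, local)}={local}@{domain}"


def untag_sender(addr: str, today: int):
    """Return the original local part if addr carries a valid, unexpired tag, else None."""
    local, domain = split_address(addr)
    if domain != DOMAIN or not local.startswith("prvs="):
        return None
    parts = local.split("=", 2)
    if len(parts) != 3:
        return None
    _, tag, core = parts
    if len(tag) != 10 or tag[0] != KEY_ID or not tag[1:4].isdigit():
        return None
    age = (today - int(tag[1:4])) % 1000          # days since the tag was made
    if age > TAG_LIFETIME_DAYS:
        return None
    expected = prvs_signature(today - age, core)
    if not hmac.compare_digest(expected, tag[4:]):
        return None
    return core


def rcpt_to_reply(mail_from: str, rcpt_to: str, today: int) -> str:
    """SMTP reply to RCPT TO, decided before any message data is accepted.

    mail_from is the envelope sender from MAIL FROM; '' or '<>' marks a bounce.
    """
    local, domain = split_address(rcpt_to)
    if domain != DOMAIN:
        return "554 5.7.1 Relay access denied"
    is_bounce = mail_from.strip("<>") == ""
    core = untag_sender(rcpt_to, today)
    if is_bounce and core is None:
        # A real NDR can only come back to a tagged address we generated.
        return "550 5.7.1 Bounce to untagged address; we never sent this mail"
    if core is not None:
        local = core                      # deliver tagged mail to the real mailbox
    # The thread's advice: never accept mail for a user that does not exist.
    if local not in LOCAL_USERS:
        return "550 5.1.1 User unknown"
    return "250 2.1.5 OK"


def demo(today: int = 13256):
    """Run the cases from the thread through the RCPT TO check (day number constructed)."""
    ours = tag_sender("rowan@example.com", today)
    return {
        "tagged_sender": ours,
        "spam_to_random_user": rcpt_to_reply("spammer@example.net", "ojvnyo@example.com", today),
        "backscatter": rcpt_to_reply("<>", "ojvnyo@example.com", today),
        "backscatter_to_real_user": rcpt_to_reply("<>", "rowan@example.com", today),
        "real_bounce": rcpt_to_reply("<>", ours, today),
        "expired_bounce": rcpt_to_reply("<>", tag_sender("rowan@example.com", today - 8), today),
        "normal_mail": rcpt_to_reply("friend@example.org", "rowan@example.com", today),
    }


if __name__ == "__main__":
    for case, reply in demo().items():
        print(f"{case:26} {reply}")
```

The first check alone already answers Ant's point: a 550 at RCPT TO leaves the sending host to deal with the failure, and no NDR is ever generated by us. The tagging only helps the domain that signs its own outgoing mail; it lets that domain's MX drop backscatter, but it cannot stop a badly configured third-party server from accepting a forged message and bouncing it in the first place.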