[SpamCop-List] Re: Failed delivery nightmare

John E. Malmberg wb8tyw at qsl.network
Tue May 3 00:13:09 EDT 2005


Onyx wrote:
> Ok, I just received cca 100 messages notifying me of failed delivery of
> emails I didn't send and they keep coming, woo hoo. Apparently, spammer
> vermin used email on my domain as a return address for their spam.
> 
> Two questions:
> 1. What would be the best way to deal with this?

First of all, check your mail server to make sure that it will not relay 
for a spammer forging a real user on your domain.  Apparently there is a 
popular mail server software out there that is designed to do that and 
there is no way to disable that feature except to enable SMTP-AUTH for 
all e-mail.  This is what I have picked up from the admin(at)dsbl.org 
list's public archives.

Then assuming that your mail server is not the one that is affected by 
this feature:

File abuse reports about the delayed bounces with each mail server that 
is doing the delayed bounce.

Such delayed bounces are not reportable by spamcop.net:
See a recent post in spamcop.help by Larry Kilgallen for a sample text:

: As I report that spam (the message claiming I sent a message
: I did not) I include something like the following text in my
: SpamCop report:

       Believe it or not, spammers lie.

       Please adjust your software to not send these meaningless warnings
       blindly to the "From:" address, but instead respond within the
       SMTP dialog, so your comments get to the actual originator rather
       than pestering an innocent bystander.


While the bounces are allowed by RFC, it is from a time when third party 
open relays were also allowed.

Most mail servers do an SMTP reject, which means that any bounce message 
will come from the original sending mail server, and the only ones of 
those that are relaying spam are either the domain that should receive 
the abuse report of one of their users, or an open relay.  Open relays 
should be blocked on site.


When mail servers do not do an SMTP reject, and do an accept and bounce, 
then they are participating in a DDOS to victims like you.

There have also been several recent posts on news.admin.net-abuse.email 
about the practice of abusive bouncing of spam.

There are some mail server operators that claim that it is not practical 
to convert to SMTP rejects instead of bouncing.

These mail server operators must be bigger than AOL.COM which had 
several years ago announced on the SPAM-L mailing list that they 
recognized that such bounces were abusive to the rest of the internet 
and were switching over to only using SMTP rejects.

It seems that for every example of someone claiming that their network 
is too large to convert, an example can be found of a larger network 
that did so.  And I suspect that it is a much lower operational cost to 
use SMTP rejects instead of doing the accept and then bouncing.

> 2. Could this possibly get my domain listed on anti-spam lists?

Only if the mail server operator is either incompetent, or is so small 
that it is unlikely that they will ever receive a legitimate e-mail from 
your domain.

According to posts on news.admin.net-abuse.email, even the conservative 
spamhaus.org will eventually list I.P. addresses that bounce spam to 
forged addresses.

It is far more likely that the I.P. addresses of the mail servers that 
are bouncing the spam will get put on local and public blocking lists 
than the I.P. address of your domain.

Most medium to large mail servers pay a metered rate for their 
bandwidth, and accepting fake bounces or spam needlessly increases their 
operating costs.

So if the only e-mail they have ever seen from an I.P. address is spam 
or fake bounces, many mail server operators that are paying for 
bandwidth out of their profits or pockets will block that I.P. address.

-John
wb8tyw at qsl.network
Personal Opinion Only
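As an added illustration of the distinction drawn above between an in-dialog SMTP reject and accept-then-bounce (example code added here, not from the mailing list or from SpamCop), the model below runs a single-recipient SMTP transaction and records where a bounce would go. The domain, mailbox names and envelope addresses are constructed sample values.

```python
# Added example: a minimal SMTP transaction model contrasting a reject at
# RCPT TO with the accept-and-bounce behaviour criticised in the post.
# LOCAL_DOMAIN, KNOWN_USERS and all addresses are constructed values.
from dataclasses import dataclass, field
from typing import List, Optional

LOCAL_DOMAIN = "example.org"      # the receiving server's own domain
KNOWN_USERS = {"alice", "bob"}    # mailboxes that actually exist there


@dataclass
class Result:
    dialog: List[str] = field(default_factory=list)  # both sides' lines
    bounce_to: Optional[str] = None                  # DSN destination, if any


def smtp_session(mail_from: str, rcpt_to: str, reject_in_dialog: bool = True) -> Result:
    """Model one SMTP transaction against LOCAL_DOMAIN."""
    r = Result()
    r.dialog += [f"C: MAIL FROM:<{mail_from}>", "S: 250 2.1.0 Ok",
                 f"C: RCPT TO:<{rcpt_to}>"]
    local, _, domain = rcpt_to.partition("@")
    deliverable = domain == LOCAL_DOMAIN and local in KNOWN_USERS
    if deliverable:
        r.dialog += ["S: 250 2.1.5 Ok", "C: DATA",
                     "S: 354 End data with <CR><LF>.<CR><LF>", "S: 250 2.0.0 Ok: queued"]
        return r
    if reject_in_dialog:
        # The connected sending MTA learns of the failure right away; no
        # new message is ever addressed to the (possibly forged) sender.
        r.dialog.append("S: 550 5.1.1 Recipient address rejected: User unknown")
        return r
    # Accept-and-bounce: the message is taken, and a DSN is later sent to the
    # envelope sender, which spam routinely forges to an innocent third party.
    r.dialog += ["S: 250 2.1.5 Ok", "C: DATA",
                 "S: 354 End data with <CR><LF>.<CR><LF>", "S: 250 2.0.0 Ok: queued"]
    r.bounce_to = mail_from
    return r


def backscatter_count(forged_sender: str, spam_rcpts: List[str], reject_in_dialog: bool) -> int:
    """Count bounces the forged sender receives for a batch of undeliverable spam."""
    return sum(1 for rcpt in spam_rcpts
               if smtp_session(forged_sender, rcpt, reject_in_dialog).bounce_to == forged_sender)
```

With a reject policy the forged sender sees zero bounces from a hundred spam attempts, while an accept-and-bounce server sends them all to the bystander.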