Discussion:
How do you deal with misdirected mail?
Rob
2010-06-18 16:13:30 UTC
Years ago I registered my co.uk domain with Demon, and as a hang over
from before spam filtering, I only collect the ones to 'real' people.
However, I get quite a few emails sent to it incorrectly. For example,
people faking an email address for a car insurance quote (Tesco,
Comparethemarket.com and Confused.com send emails to fake/mistaken
addresses cos they don't get people to opt in) or by people using a dot
rather than a hyphen (bob at bob.example.com rather than
bob-example.com).

I used to use MailWasher to bounce them but it seems that a lot of
senders ignore these replies and carry on sending. I even replied to a
few as postmaster, to either no effect or even a slightly shirty
response. Reporting them as spam is a waste of time.

I've now decided to ignore them so that Demon return them after a month;
if there are any obvious spam messages I report these and then delete.

What do you do?
Duncan Kennedy
2010-06-18 17:38:44 UTC
Post by Rob
Years ago I registered my co.uk domain with Demon, and as a hang over
from before spam filtering, I only collect the ones to 'real' people.
However, I get quite a few emails sent to it incorrectly. For example,
people faking an email address for a car insurance quote (Tesco,
Comparethemarket.com and Confused.com send emails to fake/mistaken
addresses cos they don't get people to opt in) or by people using a dot
rather than a hyphen (bob at bob.example.com rather than
bob-example.com).
I used to use MailWasher to bounce them but it seems that a lot of
senders ignore these replies and carry on sending. I even replied to a
few as postmaster, to either no effect or even a slightly shirty
response. Reporting them as spam is a waste of time.
I've now decided to ignore them so that Demon return them after a month;
if there are any obvious spam messages I report these and then delete.
What do you do?
You may not be aware that most spam is now sent by robot control from
infected networks of personal computers, the owners of which do not know
they are sending them. Bouncing the offending mail simply looks like
forged bounced mail in the owner's own mail boxes if - and only if - the
real sender's address is shown - many are forged.

Personally I let the mail (headers on the laptop) come down to
Thunderbird and let TB check it and put it in the junk file where the
vast quantities are easily and quickly checked and deleted with a click.
--
duncank
nev young
2010-06-18 17:54:35 UTC
Post by Duncan Kennedy
Post by Rob
Years ago I registered my co.uk domain with Demon, and as a hang over
from before spam filtering, I only collect the ones to 'real' people.
However, I get quite a few emails sent to it incorrectly. For example,
people faking an email address for a car insurance quote (Tesco,
Comparethemarket.com and Confused.com send emails to fake/mistaken
addresses cos they don't get people to opt in) or by people using a dot
rather than a hyphen (bob at bob.example.com rather than
bob-example.com).
I used to use MailWasher to bounce them but it seems that a lot of
senders ignore these replies and carry on sending. I even replied to a
few as postmaster, to either no effect or even a slightly shirty
response. Reporting them as spam is a waste of time.
You may not be aware that most spam is now sent by robot control from
infected networks of personal computers, the owners of which do not know
they are sending them. Bouncing the offending mail simply looks like
forged bounced mail in the owner's own mail boxes if - and only if - the
real sender's address is shown - many are forged.
Oh yes please don't bounce the rubbish, just delete it.

I've had 4 DDOS attacks on one of my email domains in the last 3 years
caused by all the bounces from viagra spam spoofing the sent domain to
be mine, so I get millions (not an exaggeration) of bounces.
--
nev
Joe
2010-06-19 12:06:49 UTC
Post by nev young
Post by Duncan Kennedy
Post by Rob
Years ago I registered my co.uk domain with Demon, and as a hang over
from before spam filtering, I only collect the ones to 'real' people.
However, I get quite a few emails sent to it incorrectly. For example,
people faking an email address for a car insurance quote (Tesco,
Comparethemarket.com and Confused.com send emails to fake/mistaken
addresses cos they don't get people to opt in) or by people using a dot
rather than a hyphen (bob at bob.example.com rather than
bob-example.com).
I used to use MailWasher to bounce them but it seems that a lot of
senders ignore these replies and carry on sending. I even replied to a
few as postmaster, to either no effect or even a slightly shirty
response. Reporting them as spam is a waste of time.
You may not be aware that most spam is now sent by robot control from
infected networks of personal computers, the owners of which do not know
they are sending them. Bouncing the offending mail simply looks like
forged bounced mail in the owner's own mail boxes if - and only if - the
real sender's address is shown - many are forged.
Oh yes please don't bounce the rubbish, just delete it.
I've had 4 DDOS attacks on one of my email domains in the last 3 years
caused by all the bounces from viagra spam spoofing the sent domain to
be mine, so I get millions (not an exaggeration) of bounces.
It's not a DDOS attack, it's the actual spam transmission mechanism.
Nearly all spam is now sent to deliberately made-up addresses, but with
genuine addresses listed as senders. When the receiver bounces it, the
spam now goes to the forged sender address, but from a legitimate email
server. Most mail servers will not accept mail from home computers,
which tend to be on dynamic IP ranges and not to have complementary
DNS/rDNS records, so relaying via a legitimate server is vital to spammers.

The problem is mostly caused by widespread use of domain-wide POP3, such
as Demon provides. If an SMTP server has access to the list of real
email addresses for its domain, it can simply break off a transaction
which does not refer to a real address. No bounce is generated, because
the sending server (the spammer) has been informed of the error during
the transmission attempt.

Where domain-wide POP3 is used, or an off-site backup SMTP server, then
the receiving SMTP server has no list of legitimate users and must
accept everything. When email to non-existent addresses does get to a
server which knows they are non-existent, the original SMTP email has
already been accepted, and now a non-delivery report must be generated
and sent to the 'sender', saying the message didn't get through after
all. The message is quoted in full, including attachments, and the spam
has been delivered.

For some years, I have been using non-Demon domains and have received
email directly by SMTP, but the Demon domain has still been responsible
for transmitting spam. I cannot ignore it because it's Demon's official
way of contacting me. I used to believe that domain-wide collection of
mail, or a catch-all mailbox, was necessary to collect legitimate mail
that had been misaddressed, but I now realise it's better to bounce
emails with typos so that the sender finds out quickly and can correct
the error. So now I collect from just a few addresses, including a newly
created specific contact address, and have eliminated the Demon spam.

If anyone's interested, my server gets between two and three thousand
SMTP connections a day, of which about a hundred are legitimate. Almost
none of the spams are directed to real addresses, or even addresses
likely to be real. One or two a day make it into a mailbox, and
Thunderbird spots at least 95% of them.
--
Joe
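
Added example (not part of Joe's post or of the thread): a small Python simulation of the two receiving-server behaviours described above, refusing an unknown recipient during the SMTP transaction versus accepting everything and generating a non-delivery report afterwards. The domains, mailbox list, class and function names are all constructed for illustration.

```python
# Added illustration, not code from the thread. Every domain, address and
# name here is a constructed placeholder.

LOCAL_DOMAIN = "example.org.uk"
REAL_MAILBOXES = {"rob", "postmaster"}

# Constructed spam run: forged envelope senders, made-up recipients.
SPAM_RUN = [
    ("a8f3k@victim.example", "sales99@example.org.uk"),
    ("q2z7m@victim.example", "info1234@example.org.uk"),
    ("x9c1d@victim.example", "bob.example@example.org.uk"),
]
SPAM_BODY = "constructed spam body"


def is_real(address):
    """True if address is a mailbox that actually exists at LOCAL_DOMAIN."""
    local, _, domain = address.partition("@")
    return domain.lower() == LOCAL_DOMAIN and local.lower() in REAL_MAILBOXES


class Receiver:
    """Receiving mail server for LOCAL_DOMAIN.

    knows_users=True  : has the mailbox list and can refuse at RCPT TO.
    knows_users=False : domain-wide POP3 or off-site backup server with no
                        mailbox list, so every recipient is accepted.
    """

    def __init__(self, knows_users):
        self.knows_users = knows_users
        self.queue = []      # messages already accepted with a 250
        self._sender = None
        self._rcpt = None

    def mail_from(self, sender):
        # The envelope sender is taken on trust; SMTP does not verify it.
        self._sender = sender
        return "250 2.1.0 Sender OK"

    def rcpt_to(self, rcpt):
        if self.knows_users and not is_real(rcpt):
            # Refused inside the transaction: nothing is queued, and the
            # connecting client is the only party that learns of the error.
            return "550 5.1.1 User unknown"
        self._rcpt = rcpt
        return "250 2.1.5 Recipient OK"

    def data(self, body):
        self.queue.append((self._sender, self._rcpt, body))
        return "250 2.0.0 Queued"

    def run_queue(self):
        """Final delivery, after the SMTP session is over.

        A message for an unknown recipient can no longer be refused, so a
        non-delivery report goes to the envelope sender, forged or not.
        """
        ndrs = []
        for sender, rcpt, body in self.queue:
            if not is_real(rcpt):
                ndrs.append({
                    "from": "<>",            # bounces use the null sender
                    "to": sender,
                    "subject": "Undeliverable: " + rcpt,
                    "quoted": body,          # original content rides along
                })
        self.queue = []
        return ndrs


def send(server, mail_from, rcpt_to, body):
    """Sending side of one transaction; stops at the first 5xx reply."""
    steps = [
        ("MAIL FROM:<%s>" % mail_from, lambda: server.mail_from(mail_from)),
        ("RCPT TO:<%s>" % rcpt_to, lambda: server.rcpt_to(rcpt_to)),
        ("DATA", lambda: server.data(body)),
    ]
    transcript = []
    for command, call in steps:
        reply = call()
        transcript.append((command, reply))
        if reply.startswith("5"):
            break
    return transcript


def run_scenario(knows_users):
    """Feed SPAM_RUN to one server; return (transcripts, NDRs it emits)."""
    server = Receiver(knows_users)
    transcripts = [send(server, s, r, SPAM_BODY) for s, r in SPAM_RUN]
    return transcripts, server.run_queue()


if __name__ == "__main__":
    for knows in (False, True):
        transcripts, ndrs = run_scenario(knows)
        print("knows_users=%s" % knows)
        for command, reply in transcripts[0]:
            print("  C: %-45s S: %s" % (command, reply))
        print("  bounces sent to third parties: %d" % len(ndrs))
```
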
Andy
2010-06-19 12:31:50 UTC
In message <tp2Tn.56625$***@newsfe17.ams2>, Joe
<***@jretrading.com> wrote
[]
Post by Joe
Where domain-wide POP3 is used, or an off-site backup SMTP server, then
the receiving SMTP server has no list of legitimate users and must
accept everything. When email to non-existent addresses does get to a
server which knows they are non-existent, the original SMTP email has
already been accepted, and now a non-delivery report must be generated
and sent to the 'sender', saying the message didn't get through after
all. The message is quoted in full, including attachments, and the spam
has been delivered.
All the bounces I receive include only the first whatever lines of the
message, not the full code of a large attachment.
--
Andy Taylor [Editor, Austrian Philatelic Society].
Visit <URL:http://www.austrianphilately.com>
Joe
2010-06-19 15:42:47 UTC
Post by Andy
[]
Post by Joe
Where domain-wide POP3 is used, or an off-site backup SMTP server,
then the receiving SMTP server has no list of legitimate users and
must accept everything. When email to non-existent addresses does get
to a server which knows they are non-existent, the original SMTP email
has already been accepted, and now a non-delivery report must be
generated and sent to the 'sender', saying the message didn't get
through after all. The message is quoted in full, including
attachments, and the spam has been delivered.
All the bounces I receive include only the first whatever lines of the
message, not the full code of a large attachment.
Interesting. I don't get any significant NDR spam myself, but I've seen
it on clients' systems, and I've not seen cut-down emails. I've always
thought that doing as you describe was an obvious thing to do, but mail
servers don't seem to do it in my experience. I assume that some can be
programmed to do so.

Where the bounces really have been for mail from the client's own mail
server, and carry a message ID from that server, there's only a very
restricted message returned. That doesn't quote anything of the original
message at all, so it's not as you describe. Of course, most of them use
Exchange...
--
Joe
nev young
2010-06-19 16:09:13 UTC
Post by Joe
Post by nev young
I've had 4 DDOS attacks on one of my email domains in the last 3 years
caused by all the bounces from viagra spam spoofing the sent domain to
be mine, so I get millions (not an exaggeration) of bounces.
It's not a DDOS attack, it's the actual spam transmission mechanism.
I don't wish to get into semantics but:

<warning, I feel a rant coming on>

DDOS is what I call it.

The bounce emails I get are distributed.
The sheer volume of them denies me service to (one of) my email servers.

Now this particular email server is, normally, a low traffic POP3 that I
connect to once a day. It has a limit of 5000 emails or 100Mb,
whichever happens first. Although the traffic is low, the type of traffic is
such that I must receive it and act upon it.

The mechanism used is as follows:

a machine gets infected and is taken under the control of a spammer.
that machine starts to send millions of emails of spam.
those that do not have a valid address get bounced.
The bounces come to me.

eg. one I had started at 07:15GMT 10th Apr 2009 (Good Friday)
The from addresses were of the form <randomlettersandnumbers>@mydomain.org.uk
each one appears to have a different from address.
They actually came from Portugal, adsl.eb23-pedroucos.edu.pt
(194.210.66.210) as can be seen from looking at the headers.

The bounces came from all over the world.

By 07:18 (that's 3 mins after the first spam was sent) on that day my
inbox limit was exceeded and no further mail could be received.

I had to keep the POP3 connection open and collect every 30 seconds to
keep it below the limit. This kept my email going until I blew Demon's
50Gb/30day limit. Then I was stuffed.

adsl.eb23-pedroucos.edu.pt stopped sending spam some time on Tue 14th
Apr 2009. Clearly first day back after Easter.

Now if I can tell where the spam originated from by reading some of the
bounces, then why don't the bouncers send the bounces back to the
originator and not to the spoofed From address. Even now, 15 months
later, I am still getting the occasional bounce from that incident.


OK rant over.
I'll go back to sleep.
--
nev
Joe
2010-06-19 16:52:00 UTC
Post by nev young
Post by Joe
Post by nev young
I've had 4 DDOS attacks on one of my email domains in the last 3 years
caused by all the bounces from viagra spam spoofing the sent domain to
be mine, so I get millions (not an exaggeration) of bounces.
It's not a DDOS attack, it's the actual spam transmission mechanism.
<warning, I feel a rant coming on>
DDOS is what I call it.
The bounce emails I get are distributed.
The shear volume of them deny me service to (one of) my email servers.
Now this particular email server is, normally, a low traffic POP3 that I
connect to once a day. It has a limit of 5000 emails or or 100Mb, which
ever happens first. Although the traffic is low, the type of traffic is
such that I must receive it and act upon it.
a machine gets infected and it taken under the control of a spammer.
that machine starts to send millions of emails of spam.
those that do not have a valid address get bounced.
The bounces come to me.
eg. one I had started at 07:15GMT 10rd Apr 2009 (Good Friday)
each one appears to have a different from address.
They actually came from Portugal, adsl.eb23-pedroucos.edu.pt
(194.210.66.210) as can be seen from looking at the headers.
The bounces came from all over the world.
By 07:18 (that's 3 mins after the first spam was sent) on that day my
inbox limit was exceeded and no further mail could be received.
I had to keep the POP3 connection open and collect every 30 seconds to
keep it below the limit. This kept my email going until I blew demon's
50Gb/30day limit. Then I was stuffed.
adsl.eb23-pedroucos.edu.pt stopped sending spam some time on Tue 14th
Apr 2009. Clearly first day back after Easter.
Now if I can tell where the spam originated from by reading some of the
bounces, then why don't the bouncers send the bounces back to the
originator and not to the spoofed From address. Even now, 15 months
later, I am still getting the occasional bounce from that incident.
OK rant over.
I'll go back to sleep.
Sorry, no offence intended, clearly the volume is a problem, but what I
meant was that it is not likely that anyone has chosen you and
deliberately clogged your mail server.

It sounds like poorly-designed spam, since the object is usually to send
the message to as many people as possible rather than as many copies as
possible to one person. I often see a dozen connection attempts to
obviously invalid names on my domain, and an hour later another batch to
the same addresses, but with different 'senders'. You may be the victim
of a particularly stupid spammer.
--
Joe
David Bolt
2010-06-19 17:56:11 UTC
On Saturday 19 Jun 2010 17:52, while playing with a tin of spray paint,
Joe painted this mural:

<snip details about a bounce flood>
Post by Joe
It sounds like poorly-designed spam, since the object is usually to send
the message to as many people as possible rather than as many copies as
possible to one person.
It was most likely a combination of a bad zombie, that got stuck with a
single "from" address, and several mail servers that operate on an
"accept everything and bounce later" basis. While it's getting better,
there are far too many systems that will accept mail for any address at
the domains they serve, then decide they can't deliver it for whatever
reason, and so send a bounce back to the purported sender.

To make matters worse for Nev, his server appears to accept mail
addressed to anything@ his domain, and appears to be the same as Demon's
mailboxes in operation.
Post by Joe
I often see a dozen connection attempts to
obviously invalid names on my domain, and an hour later another batch to
the same addresses, but with different 'senders'. You may be the victim
of a particularly stupid spammer.
Or a malicious spammer. Or maybe it was just a screw-up with the
zombie. Who knows?


Regards,
David Bolt
--
Team Acorn: www.distributed.net
openSUSE 11.0 32b | | | openSUSE 11.3RC1 32b
| openSUSE 11.1 64b | openSUSE 11.2 64b |
TOS 4.02 | openSUSE 11.1 PPC | RISC OS 4.02 | RISC OS 3.11
nev young
2010-06-20 07:36:17 UTC
Post by Joe
Sorry, no offence intended, clearly the volume is a problem, but what I
None taken.
Post by Joe
meant was that it is not likely that anyone has chosen you and
deliberately clogged your mail server.
Oh I'm pretty sure it's deliberate. I even have a name in mind, but no
hard proof. I won't say any more than that in public.
Post by Joe
It sounds like poorly-designed spam, since the object is usually to send
the message to as many people as possible rather than as many copies as
possible to one person. I often see a dozen connection attempts to
obviously invalid names on my domain, and an hour later another batch to
the same addresses, but with different 'senders'. You may be the victim
of a particularly stupid spammer.
Well the spam is for the infamous "Canadian Pharmacy".
I'm sure that many millions of people do receive it.
Sadly there are many millions more who don't and that is what causes
*my* problem.

Heck, I've even started to receive email from spammers using the fake
addresses used in the aforementioned post.

eg. I found this in my trash a day or so ago.

From: "Radcliffe Schools" <***@radcliffe.edu.in>
To: ***@xxxxxxxx.org.uk
Subject: Where learning goes beyond four walls of classroom
Sender: "Radcliffe Schools" <***@radcliffe.edu.in>
Date: Mon, 14 Jun 2010 15:59:34 +0530
Message-ID: <***@RF-M-MX-28>
Reply-To: "Radcliffe Schools" <***@radcliffe.in>
X-Priority: 1 (Highest)
Importance: High
X-Original-To: ***@xxxxxxxx.org.uk

So one spammer(canadian pharm) made up the address
***@xxxxxxxx.org.uk and used it to spam a
real address of a spammer (radcliffe school).
Now the second spammer is spamming the first spammer but it comes to me
because the first spammer spoofed my domain when they spammed the second
spammer. (cue Monty Python song)!

I simply trash it as I don't want to propagate the spam any further.

* clearly I have replaced my domain name with xxxxxxxx
--
nev
Paul Terry
2010-06-18 18:13:33 UTC
Post by Rob
I've now decided to ignore them so that Demon return them after a month;
if there are any obvious spam messages I report these and then delete.
What do you do?
I download everything, apart from that to a few addresses which I know
attract only spam and which are therefore rejected (which doesn't
generate a bounce message as I use POP3).

All the rest is filtered by K9 (a Windows-based Bayesian filter
application) - what it determines to be spam ends up in the junk folder,
which I check at intervals. By and large, K9 works well, and Demon's
spam filtering is pretty good (although there are occasional blips), but
this method does allow me to spot mis-directed but genuine email.

At the moment, I rarely get more than two spam emails a day, which are
dispatched to the wastebin in seconds, so spam is currently no longer
the problem that it was.
--
Paul Terry
Andy
2010-06-18 20:35:46 UTC
In message <rob-***@nntp.aioe.org>, Rob
<***@example.com> wrote
[
Post by Rob
I've now decided to ignore them so that Demon return them after a month;
if there are any obvious spam messages I report these and then delete.
What do you do?
I have two rejection rules (any with subject containing 'big5' as these
are in a Far Eastern language that I can't read; any addressed to a name
that contains a number as that's unlikely to be a typo and is probably
spam).

The rest I download.

I then have folders for mail to "anything followed by e or f followed by
w followed by two characters" which is the message-ID-spam; anything
from "whatever dot net dot tw" as it's invariably spam; and emails from
one special person which are sent to more than five people as they're
unfunny video clips. When there's nothing useful on the telly (like
tonight) I purge these folders.

The only spam I bother to report is phishing to HSBC who ask for this.
That and all other spam goes to 'missed' at Demon, in the fond hope that
it may train their filters to eat it.

And I empty the bin daily!
--
Andy Taylor [Editor, Austrian Philatelic Society].
Visit <URL:http://www.austrianphilately.com>
unknown
2010-06-21 10:17:19 UTC
Post by Andy
[
Post by Rob
I've now decided to ignore them so that Demon return them after a month;
if there are any obvious spam messages I report these and then delete.
What do you do?
I have two rejection rules (any with subject containing 'big5' as these
are in a Far Eastern language that I can't read; any addressed to a
name that contains a number as that's unlikely to be a typo and is
probably spam).
The rest I download.
I then have folders for mail to "anything followed by e or f followed
by w followed by two characters" which is the message-ID-spam; anything
from "whatever dot net dot tw" as it's invariably spam; and emails from
one special person which are sent to more than five people as they're
unfunny video clips. When there's nothing useful on the telly (like
tonight) I purge these folders.
The only spam I bother to report is phishing to HSBC who ask for this.
That and all other spam goes to 'missed' at Demon, in the fond hope
that it may train their filters to eat it.
And I empty the bin daily!
I get very little through Demon these days or the POP3 server I get most
of the fairfieldtowers email. Gets lots to other domains via the mail
server nestling at my feet that are either 550'd (I've had a few
spammers contact pedt.dcu directly to deliver mail) or get rewritten on
the mail server if they are not a local user (or an expected possible
typo) on that domain so finish up in my spam folder. The other servers
that handle the other domains for backup are rewriting so any recognised
email gets forwarded, unrecognised go to a catchall that gets downloaded
and disappears into dev/null in the depths of an SCO Xenix '85 system.
I've had one false positive so far - someone who wrote to pedant@ rather
than pedt@ which we eventually discovered was a Spill Chucker problem
they'd accepted the change for.

The small batch that reach TP I do tend to report. Spam levels seem down
at the moment, summer holiday break?, as I've gone from 6 figures to 4
for the other domains daily in the last few fortnights.

Seems to be domains and older MIDS not From: for Usenet or general "this
domain exists" (not that most mail clients will handle the LHS of Usenet
posts I've used for a long time now and the RHS is not routeable anyway)
--
Pedt
Stephen Wolstenholme
2010-06-18 22:12:46 UTC
Post by Rob
Years ago I registered my co.uk domain with Demon, and as a hang over
from before spam filtering, I only collect the ones to 'real' people.
However, I get quite a few emails sent to it incorrectly. For example,
people faking an email address for a car insurance quote (Tesco,
Comparethemarket.com and Confused.com send emails to fake/mistaken
addresses cos they don't get people to opt in) or by people using a dot
rather than a hyphen (bob at bob.example.com rather than
bob-example.com).
I used to use MailWasher to bounce them but it seems that a lot of
senders ignore these replies and carry on sending. I even replied to a
few as postmaster, to either no effect or even a slightly shirty
response. Reporting them as spam is a waste of time.
I've now decided to ignore them so that Demon return them after a month;
if there are any obvious spam messages I report these and then delete.
What do you do?
I gave up on bouncing and reporting junk a long time ago. I find the
email junk detection in Agent works very well. After months of testing
there were no false positives so I now let Agent delete all the junk
it detects.

Steve
--
Neural Planner Software Ltd www.NPSL1.com
EasyNN-plus. Neural Networks plus. www.easynn.com
SwingNN. Forecast with Neural Networks. www.swingnn.com
JustNN. Just Neural Networks. www.justnn.com
Jim
2010-06-19 11:15:43 UTC
Post by Rob
Years ago I registered my co.uk domain with Demon, and as a hang over
from before spam filtering, I only collect the ones to 'real' people.
However, I get quite a few emails sent to it incorrectly. For example,
people faking an email address for a car insurance quote (Tesco,
Comparethemarket.com and Confused.com send emails to fake/mistaken
addresses cos they don't get people to opt in) or by people using a dot
rather than a hyphen (bob at bob.example.com rather than
bob-example.com).
I used to use MailWasher to bounce them but it seems that a lot of
senders ignore these replies and carry on sending. I even replied to a
few as postmaster, to either no effect or even a slightly shirty
response. Reporting them as spam is a waste of time.
Of course they continue, because your bounces proclaim your address as
being alive.
Post by Rob
I've now decided to ignore them so that Demon return them after a month;
if there are any obvious spam messages I report these and then delete.
What do you do?
The same as Stephen described in his reply to your post.

Jim
Mike Henry
2010-06-19 16:41:43 UTC
Post by Jim
Post by Rob
Years ago I registered my co.uk domain with Demon, and as a hang over
from before spam filtering, I only collect the ones to 'real' people.
However, I get quite a few emails sent to it incorrectly. For example,
people faking an email address for a car insurance quote (Tesco,
Comparethemarket.com and Confused.com send emails to fake/mistaken
addresses cos they don't get people to opt in) or by people using a dot
rather than a hyphen (bob at bob.example.com rather than
bob-example.com).
I used to use MailWasher to bounce them but it seems that a lot of
senders ignore these replies and carry on sending. I even replied to a
few as postmaster, to either no effect or even a slightly shirty
response. Reporting them as spam is a waste of time.
Of course they continue,because your bounces proclaim your address as
being alive.
They aren't his bounces, they are Demon-generated "30-day unread"
messages. Do they actually confirm or deny the existence of destination
address? It would be helpful to see one of these Demon-generated "30-day
unread" messages and compare it with a "manual bounce" such as that
generated by Turnpike.
David Bolt
2010-06-19 18:14:25 UTC
On Saturday 19 Jun 2010 17:41, while playing with a tin of spray paint,
Post by Mike Henry
Post by Jim
Post by Rob
I used to use MailWasher to bounce them but it seems that a lot of
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
That says he was originally bouncing them.
Post by Mike Henry
Post by Jim
Of course they continue,because your bounces proclaim your address as
being alive.
They aren't his bounces,
The MailWasher bounces were his bounces.
Post by Mike Henry
they are Demon-generated "30-day unread"
messages. Do they actually confirm or deny the existence of destination
address?
A Demon bounce would confirm the address exists, but that it isn't in
use at the present time. Then again, if the spammer isn't a mainsleaze
type[0], the person getting the bounce would not be the spammer, but
someone who had their address forged as the purported sender[1].
Post by Mike Henry
It would be helpful to see one of these Demon-generated "30-day
unread" messages and compare it with a "manual bounce" such as that
generated by Turnpike.
That's very easy to do, but does require some time. Just send a mail
from an address you control to an uncollected address at your Demon
host and wait for it to bounce.


[0] E.g. companies that request an address for one thing, and then
start sending marketing mails to it without permission all because
their marketing department can't resist sending to any address they can
lay their hands on, possibly ignoring any requests not to do so at the
time the address was given.

[1] If they are sent to a forged sender, the bounces are spam:

they're unsolicited by the forged sender;
even if a person only sends one, there are most likely others doing the
same, so they are bulk;
they're being returned via email;

All this makes them UBE or spam. And, if it was me receiving said
bounces, I wouldn't hesitate to report them as the spam and locally
block the sender.

Regards,
David Bolt
--
Team Acorn: www.distributed.net
openSUSE 11.0 32b | | | openSUSE 11.3RC1 32b
| openSUSE 11.1 64b | openSUSE 11.2 64b |
TOS 4.02 | openSUSE 11.1 PPC | RISC OS 4.02 | RISC OS 3.11
Mike Henry
2010-06-19 22:11:19 UTC
Post by David Bolt
On Saturday 19 Jun 2010 17:41, while playing with a tin of spray paint,
Post by Mike Henry
Post by Jim
Post by Rob
I used to use MailWasher to bounce them but it seems that a lot of
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
That says he was originally bouncing them.
Of course, I read that. But Jim snipped the next part which I shall now
Post by David Bolt
Post by Mike Henry
Post by Jim
Post by Rob
I've now decided to ignore them so that Demon return them after a month;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Post by David Bolt
Post by Mike Henry
Post by Jim
Of course they continue,because your bounces proclaim your address as
being alive.
They aren't his bounces,
The MailWasher bounces were his bounces.
Indeed. When I used the present tense to refer to the bounces I was
referring to the current Demon-generated "30-day unread" messages. I
didn't spot that Jim said "continue"/"proclaim" by mistake when referring
to the MailWasher bounces, instead of "continued"/"proclaimed" :-(
David Bolt
2010-06-19 14:19:39 UTC
On Friday 18 Jun 2010 17:13, while playing with a tin of spray paint,
Post by Rob
Years ago I registered my co.uk domain with Demon, and as a hang over
from before spam filtering, I only collect the ones to 'real' people.
However, I get quite a few emails sent to it incorrectly. For example,
people faking an email address for a car insurance quote (Tesco,
Comparethemarket.com and Confused.com send emails to fake/mistaken
addresses cos they don't get people to opt in) or by people using a dot
rather than a hyphen (bob at bob.example.com rather than
bob-example.com).
I used to use MailWasher to bounce them
Bad idea. If MailWasher creates a bounce and sends it from your system,
you can end up listed for spamming, or at the very least for bouncing
the spam.
Post by Rob
but it seems that a lot of
senders ignore these replies and carry on sending.
Unfortunately, no surprises there.
Post by Rob
I even replied to a
few as postmaster, to either no effect or even a slightly shirty
response. Reporting them as spam is a waste of time.
I've now decided to ignore them so that Demon return them after a month;
Also not a good idea. Leaving them for a month so that Demon issues a
bounce means that Demon is then spamming the innocent users that have
had their addresses used as the sender. If you read back through the
posts in this group, you will find threads by Demon users where their
addresses have been forged as the sender and they have received the
bounces due to non-delivery, usually in the thousands, and sometimes in
the tens of thousands. By rejecting mails during a POP3 session, it
means Demon are going to delete the mails, so no bounce is sent to the
innocent users and they don't then end up blacklisted for spamming.
Post by Rob
if there are any obvious spam messages I report these and then delete.
What do you do?
My solutions have evolved over time and also by account type.

When I started using an anti-spam system on my SDU, my first method was
to reject mails sent to me with unknown addresses using POP3.

Later on, I swapped to having mail delivered from Demon using SMTP.
However, I specifically put in a firewall rule to prevent the initial
delivery attempt so that I could use pop3clean[0] to delete all the
mails sent to unknown addresses that were delivered while I wasn't
connected. After that was done, I removed the firewall rule and my own
server would then discard any further mails Demon forwarded to unknown
addresses at my host. It was also at this time that I first registered
my own domain and my use of addresses at my Demon host name dropped
off to the point that the only mail Demon received for my host name was
spam.

When I moved to ADSL, I refrained from using the new host name for mail
and only received mail sent to addresses at my domain name. Any mail
addressed to an unknown recipient is rejected by my server so it's up
to the sending machine what it then does. As for my Demon mailbox,
despite checking the mailbox daily "just in case", there has yet to be
a single mail sent to me that way, valid or otherwise.


[0] <http://www.eridani.co.uk/pop3clean/>

Regards,
David Bolt
--
Team Acorn: www.distributed.net
openSUSE 11.0 32b | | | openSUSE 11.3M7 32b
| openSUSE 11.1 64b | openSUSE 11.2 64b |
TOS 4.02 | openSUSE 11.1 PPC | RISC OS 4.02 | RISC OS 3.11