On Friday, August 22, 2003, 10:54:04 PM, Cyberspace Publishing commented:

CP> Jon, I agree with this... *in theory*, but nearly all the spam I
CP> receive indicates that the majority of spammers don't perform
CP> "Joe Jobs". They generally put random addresses in the "From:"
CP> field - usually either the recipient's own address, or a munged
CP> address using the recipient's domain or username.

Tom, every day of the week, I receive between 20 and 200 bounce messages from spam that was sent from either my address or my company's email address -- these are usually valid email addresses. I admit that the recent flood was due to Sobig rather than spammers, but I have seen enough spam hawking porn and cut-rate mortgages under our name to know that it is often deliberate.

CP> My personal feeling is that if one aggravates a spammer to the
CP> point that the spammer uses the "poor sod's" address in 10,000 spams,
CP> it is no longer spam, but a personal attack against the "poor sod"
CP> and a personal problem of the "poor sod", who now has grounds to go
CP> after the spammer in the legal system and collect major damages.

No, when we have had this stuff going on I have done IP traces and found that the spammer who uses our domain name is always using an open relay, generally one based in Asia. In fact, based on this experience I feel that the most effective thing you can do to stop spam is to use open relay RBLs to completely block email -- if all the major ISPs did this, the Joe Jobs wouldn't work. Spoofing a domain to send spam is a felony in the state of Virginia, where our servers are located -- but there is absolutely no way we are going to trace these spammers with the resources we have. Even if we did, we would NOT be able to collect "major damages" unless we could prove that our business was damaged. I'm sorry, but I practiced law for 20 years, and the one thing I know is that litigation is expensive and messy, and often is bad for business as well.

CP> Another way this can happen is if the "poor sod" has an "Open
CP> Relay", or an insecure cgi script, on his domain. In that case,
CP> he deserves the bounces - they will open his eyes in a hurry and
CP> he'll learn a valuable lesson in the experience!

No, the bounces don't go back to the IP, they go to whatever domain is written in the reply-to field.

People who abuse open relays SOMETIMES try to use the domain name where the relay is to exploit possible security weaknesses, but they often use other domain names as well. Here's an example of the most recent attempt to use my company's server as an open relay, taken from our logs. (We get about 100 attempts like this daily):

Aug 23 10:21:12 sendmail[36000]: h7NGL6uL036000: ruleset=check_rcpt, arg1=<[EMAIL PROTECTED]>, relay=ACC1CEED.ipt.aol.com [172.193.206.237], reject=550 5.7.1 <[EMAIL PROTECTED]>... Relaying denied. Proper authentication required.

The "Relaying denied" message tells you that this didn't work. But the email being used was not ours (dyslexia.com), but some company called globaltravel.com -- and I'd be willing to bet that "onlineres" is a real address on their system. So if we did have an open relay, then some spammer using an AOL connection would send out thousands of emails through our site, and Globaltravel would get all the bounces. [You can be sure that this is not a regular AOL connection, either - a real AOL user would have an mx.aol.com IP assigned - this is the work of a hacker]

CP> MailWasher Pro's bounces, under normal circumstances, cannot and
CP> will not create any such problems. It only creates problems for
CP> the few spammers that use their real addresses.

And for all the rest of us who for business reasons have published email addresses that are likely to be exploited by spammers.

CP> It doesn't even
CP> bounce the messages if the address is fraudulent - it simply
CP> deletes it from the server so it doesn't have to be downloaded to
CP> one's computer.

Does it correlate the email address with the IP via reverse DNS? If so, you are correct that it won't bounce to innocent victims..... on the other hand, it won't do much good.

Most of the spammers who actually use their own domain name with a validly configured reverse DNS are major mass marketing firms that probably would actually unsubscribe you on request -- perhaps Mailwasher PRO would do better to have an automatically configured "unsubscribe" response. Despite rumors to the contrary, I HAVE had excellent results with following unsubscribe routines when the spam looks like it is emanating from a *real*, easily identifiable source. (Not always: it is true that sometimes the spam increases rather than decreases, but about 9 times out of 10 the unsubscribe request is actually honored.)

CP> 2. If set to use the local SMTP server only, the system sends a bounce
CP> message through the SMTP server you specified in the account options
CP> or properties.

Tom, this is NOT a "bounce" message - no matter what it looks like, if Mailwasher SENDS a message, it is NOT a "bounce". A bounce is when the MTA refuses to accept the email for delivery in the first place. What happens when you use Mailwasher is:

  spammer sends to your SMTP
  spammer's MTA receives message indicating that the message was accepted for delivery [Example, for AOL, my sendmail logs reflect "stat=Sent (OK)"]
  Sometime later, spammer receives an EMAIL generated by Mailwasher that looks like a bounce, but isn't.

The spammer will receive hundreds or even thousands of such bounce messages, but unless their software is configured to automatically remove all email addresses that bounce, they won't do anything about it -- it's too much trouble. Most likely, assuming that they used a legit address to send the email, they also have their systems automatically configured to delete all such bounce messages, in the same way that I solved my Sobig-bounce problem this week by creating a filter to trash all virus-related bounces. They have no incentive whatsoever to clean their list based on bounces, because it doesn't cost them anything to send email to bad addresses. It doesn't inconvenience them in any way, because no human ever sees or reads those messages.

CP> MailWasher uses an algorithm to determine the best route to send the
CP> bounced message back (from, reply to, return path) and actually sends
CP> the bounce back via your ISP's postmaster, so it looks exactly like it
CP> has come from your ISP and not from you at your address.

That's illegal, Tom. That is, if I send an email to you that says it comes from [EMAIL PROTECTED], I am doing the same thing the spammers do, spoofing a domain name.

CP> The bounced messages look exactly like a returned mail message you
CP> would receive if you sent an email off to a wrong address. There is
CP> no way the spammers can tell it is not genuine.

Tom, that statement is just not true. They can tell it's not genuine by the headers and routing info. They can tell it's not genuine by their own server logs. They can tell it's not genuine in the SAME WAY that a recipient of spam can tell when the spam has been forged. What makes you think that Mailwasher has the ability to create a better forgery than the spammers can with their own software? If you want, I'll send you an email that you can bounce with Mailwasher, and then I'll show you the difference between what your bounce looks like and what a genuine bounce looks like.

-Abigail

____ • The WDVL Discussion List from WDVL.COM • ____ http://www.wdvl.com
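The post makes two points that a mail administrator can check directly in sendmail's own log: a "Relaying denied" line at ruleset=check_rcpt is a real SMTP-time rejection (the message was never accepted), whereas a later "stat=Sent" line means the MTA accepted the message, so anything returned afterwards is a separately generated message, not a bounce. The following script is an added example written for this page, not code from the post or from any of the products discussed. It parses lines shaped like the quoted one, separates pre-acceptance rejections from accepted deliveries, and tallies relay attempts per connecting IP so a busy relay can be flagged for review. All hostnames, IPs and addresses in the sample log are constructed (example.* names and documentation IP ranges), not taken from the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in the same shape as the sendmail line quoted in
# the post. Every host, IP and address below is made up for this example.
SAMPLE_LOG = """\
Aug 23 10:21:12 sendmail[36000]: h7NGL6uL036000: ruleset=check_rcpt, arg1=<onlineres@example-travel.com>, relay=host1.example-isp.net [192.0.2.10], reject=550 5.7.1 <onlineres@example-travel.com>... Relaying denied. Proper authentication required.
Aug 23 10:21:13 sendmail[36001]: h7NGL7uL036001: ruleset=check_rcpt, arg1=<sales@example-travel.com>, relay=host1.example-isp.net [192.0.2.10], reject=550 5.7.1 <sales@example-travel.com>... Relaying denied. Proper authentication required.
Aug 23 10:22:40 sendmail[36005]: h7NGMeuL036005: ruleset=check_rcpt, arg1=<info@example.org>, relay=[198.51.100.22], reject=550 5.7.1 <info@example.org>... Relaying denied. Proper authentication required.
Aug 23 10:23:01 sendmail[36009]: h7NGN1uL036009: from=<webmaster@example.com>, size=1024, class=0, nrcpts=1, relay=mail.example.com [203.0.113.5]
Aug 23 10:23:02 sendmail[36010]: h7NGN1uL036009: to=<someone@example.net>, delay=00:00:01, mailer=esmtp, relay=mx.example.net. [203.0.113.7], dsn=2.0.0, stat=Sent (OK)
"""

# One "Relaying denied" rejection at RCPT time. The relay hostname is optional
# because sendmail logs only "[ip]" when reverse DNS for the peer fails.
RELAY_DENIED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) sendmail\[\d+\]: (?P<qid>\S+): "
    r"ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]*)>, "
    r"relay=(?:(?P<relay_host>\S+) )?\[(?P<relay_ip>[^\]]+)\], "
    r"reject=550 5\.7\.1 <[^>]*>\.\.\. Relaying denied"
)


def classify(line):
    """Tell a real SMTP-time rejection from an accepted delivery.

    'rejected_before_acceptance' -> the MTA refused the RCPT; nothing was queued.
    'accepted_for_delivery'      -> the MTA accepted and delivered the message;
                                    any later 'bounce-looking' mail is a new
                                    message, not a rejection.
    """
    if RELAY_DENIED_RE.match(line):
        return "rejected_before_acceptance"
    if "stat=Sent" in line:
        return "accepted_for_delivery"
    return None


def parse_relay_denials(log_text):
    """Return one dict per 'Relaying denied' line, with the recipient domain split out."""
    events = []
    for line in log_text.splitlines():
        m = RELAY_DENIED_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["rcpt_domain"] = d["rcpt"].rpartition("@")[2].lower()
        events.append(d)
    return events


def summarize(events):
    """Attempts per connecting IP, per targeted recipient domain, and which domains each IP tried."""
    by_relay = Counter(e["relay_ip"] for e in events)
    by_domain = Counter(e["rcpt_domain"] for e in events)
    targets = defaultdict(set)
    for e in events:
        targets[e["relay_ip"]].add(e["rcpt_domain"])
    return {
        "by_relay": by_relay,
        "by_domain": by_domain,
        "targets": {ip: sorted(doms) for ip, doms in targets.items()},
    }


def noisy_relays(events, threshold=2):
    """Connecting IPs with at least `threshold` denied relay attempts (review/block candidates)."""
    counts = Counter(e["relay_ip"] for e in events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_relay_denials(SAMPLE_LOG)
    s = summarize(evs)
    for ip, n in s["by_relay"].most_common():
        print(f"{ip}: {n} denied relay attempt(s) against {', '.join(s['targets'][ip])}")
    print("review candidates:", noisy_relays(evs))
    for line in SAMPLE_LOG.splitlines():
        print(classify(line), "<-", line[:60])
```

Run against a real maillog by replacing SAMPLE_LOG with the file's contents; the threshold in noisy_relays is deliberately low here so the constructed sample trips it, and a production value should be set from the site's own baseline (the post's author sees about 100 such attempts a day).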