On Saturday, August 23, 2003, 4:44:56 PM, Cyberspace Publishing commented:

CP> I, too,
CP> receive spam using my domain name in the "From:" field, but I
CP> seldom receive any bounces from other domains with any of my
CP> domains in the "From:" field - except the occasional virus as
CP> I described in another post.

That may simply reflect the high visibility and longevity of
our site - we have email addresses that have been in use and
published since 1995, and very high Google page ranking. A
spammer who is dishonest enough to steal a domain name and
wants the email to get through is probably going to borrow
names from fairly well-recognized domains. I mean, I see a
lot that purports to come from ebay or microsoft. Big spam run
today under one of our user's aliases.

CP>  All had been sent from different
CP> IP#'s and to different addresses and subjects such as "Ilknur
CP> zehra mine uikorbt".

Yeah, that's what the spam bounces I saw today looked like.
Garbage subject line, but there was real text in the body.


CP> You may get spams with yourdomain in the
CP> "From:" field, but the same spam sent to me would have mydomain in
CP> the address of the "From:" field.  At least, that has been my own
CP> experience and observation.

No, I'm not talking about spams we get, I am talking about
BOUNCES we get from spams that were sent out via open relays
(apparent in the headers) with specific addresses taken from
our domain.  We get lots & lots of these, especially from
AOL which apparently does not do any sort of reverse IP
checking.

CP> If you get a ton of bounces from a lot
CP> of different domains - all with similar messages and all with your
CP> domain in the address in the "From:" field, then you are under an
CP> attack and need to save the bounces and act on them.

There is no action to be taken -- again, the IPs ALWAYS turn
out to be open relays in Asia, often not even traceable to a
specific ISP.  This is a continuing and regular problem that
most server administrators are very well aware of, it is
extremely common -- it comes up again and again on other
mailing lists -- and it is a waste of time to do anything
other than delete them.

Again, if all the ISPs did open relay/open proxy RBL
blocking, most of this would go away.

>>CP>  It doesn't even
>>CP> bounce the messages if the address is fraudulent - it simply
>>CP> deletes it from the server so it doesn't have to be downloaded to
>>CP> one's computer.
>>

CP> MailWasher composes the body of the message, adding a couple of
CP> lines to the header of the original message, and then passes it
CP> off to either the original sender's SMTP server for 'bouncing' or
CP> to your own local SMTP server to do the 'bouncing'.  If the bounce
CP> is bounced back, your SMTP server treats it appropriately and just
CP> ignores it or deletes it - it doesn't go back into your mailbox.

You don't get it: I AM the SMTP server
(administrator) -- if someone uses mailwasher to bounce back
email to anyone on our system, I am going to have to see it
and deal with it.

I don't need the headache created by this stuff. I see
enough bounce messages as it is, and I have to look at
bounces to be aware of legitimate issues with communication
to our customers and clients.

>>CP> The bounced messages look exactly like a returned mail message you
>>CP> would receive if you sent an email off to a wrong address.
>>
>>Tom, that statement is just not true.

CP> That, again, was quoted verbatim from the FAQ page at the MailWasher
CP> site.

Well, that's hype to sell a product. It doesn't make it
true. The fact is that the bounce message is a sham, and
spammers will recognize it as such because if they were even
going to bother looking at the bounce messages, they would
have plenty of legit ones from your ISP.

CP> Sure, it doesn't look *identical* to the bounce my server
CP> sends out, but neither do the bounces I get from all the other
CP> servers!  In fact, they are *all* differently formatted - some
CP> similar to what MailWasher sends while others look like they were
CP> written by a computer novice.

But all the Mailwasher ones look alike, right? I mean,
different ISP names, but always the same message.

I'm sure you could filter on the Mailwasher message the same
way I am now filtering on language the virus-bouncers have.

CP> If you collected 50 bounces from 50 different servers and one of
CP> them was from MailWasher, I doubt that you, or anyone else, that
CP> hadn't specifically researched and noted the exact format used by
CP> MailWasher, would be able to pick it out of the lineup. :)

But any spammer that cares enough to read and act on the
bounce messages HAS researched and noted the exact
format of the Mailwasher bounce. It is their business - and
what a Mailwasher bounce tells them is that the email
address they used was good, because it got delivered. So for
the unscrupulous spammers, a Mailwasher bounce is the same
as an entry on a phony unsubscribe form -- it tells them
that they got through.

If your email goes through any major ISP, then the spammers
are going to be well aware of what bounces from that ISP
look like.  I mean, I see so many legit Yahoo, AOL & MSN
bounces in my work that I could probably quote them verbatim
in my sleep.

CP> It
CP> even pointed out a fallacy in the article I wrote at the IMF
CP> forum, that I'm now going to have to retract and post a more
CP> accurate review - thanks for that! ;-)

I'd be curious as to what that fallacy was. :)

Best,

Abigail


>>-Abigail

CP> Cheers,
CP> Tom
CP> --------------------------------------------------------
CP> Try MailWasher Pro for 30 days, or grab MailWasher Free!
CP>            http://entier.ecosm.com/link/?iqbeoyr

CP>           Sell MailWasher Pro for 40% Commissions!
CP>       http://entier.ecosm.com/join.php?pid=4&aid=2853
CP> --------------------------------------------------------


CP> ____ • The WDVL Discussion List from WDVL.COM • ____
CP> To Join wdvltalk, Send An Email To: mailto:[EMAIL PROTECTED] 
CP>        Send Your Posts To: [EMAIL PROTECTED]
CP> To set a personal password send an email to [EMAIL PROTECTED] with the words: "set WDVLTALK pw=yourpassword" in the body of the email.
CP> To change subscription settings to the wdvltalk digest version:
CP>     http://wdvl.internet.com/WDVL/Forum/#sub

CP> ________________  http://www.wdvl.com  _______________________

CP> You are currently subscribed to wdvltalk as: [EMAIL PROTECTED]
CP> To unsubscribe send a blank email to %%email.unsub%%




-Abigail
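
The message above notes that bounces caused by forged senders show their relay origin in the returned headers, and that an administrator still has to pick out the bounces that matter. The following is an added example, not part of the original post, that sorts bounces by checking whether the returned message ever passed through the local server; the host name `mail.example.org`, the sample bounces and all function names are assumptions constructed for illustration.

```python
import email
import re
from email.message import Message

OUR_HOSTS = {"mail.example.org"}  # assumption: names our outbound server uses

def original_headers(bounce: Message):
    """Headers of the returned message carried inside a bounce, or None."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":          # full original attached
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":     # headers-only return
            return email.message_from_string(part.get_payload())
    return None

def sent_by_us(orig: Message) -> bool:
    """True if the Message-ID and the earliest Received hop are both ours.
    Both headers can be forged, so this is triage, not proof."""
    host = orig.get("Message-ID", "").strip().strip("<>").rpartition("@")[2].lower()
    hops = orig.get_all("Received", [])
    first_hop = " ".join(hops[-1].lower().split()) if hops else ""
    m = re.search(r"\bby\s+([\w.-]+)", first_hop)
    by_host = m.group(1).rstrip(".") if m else ""
    return host in OUR_HOSTS and by_host in OUR_HOSTS

def classify(raw: str) -> str:
    orig = original_headers(email.message_from_string(raw))
    if orig is None:
        return "unknown"   # nothing to inspect: leave for manual review
    return "genuine" if sent_by_us(orig) else "backscatter"

def sample_bounce(orig: str) -> str:
    """Constructed multipart/report bounce wrapping the given headers."""
    return (
        "From: MAILER-DAEMON@isp.example\nTo: alice@example.org\n"
        "Subject: Returned mail\nMIME-Version: 1.0\n"
        'Content-Type: multipart/report; boundary="b"\n\n'
        "--b\nContent-Type: text/plain\n\nUser unknown\n"
        "--b\nContent-Type: text/rfc822-headers\n\n" + orig + "\n--b--\n")

# Constructed samples: one message we really sent, one relayed forgery.
GENUINE = ("Received: from mail.example.org by mx.isp.example; Sat, 23 Aug 2003 16:00:02 -0400\n"
           "Received: from desk7.example.org by mail.example.org; Sat, 23 Aug 2003 16:00:00 -0400\n"
           "Message-ID: <20030823.1@mail.example.org>\nFrom: alice@example.org\n")
FORGED = ("Received: from relay.invalid by mx.isp.example; Sat, 23 Aug 2003 16:05:00 -0400\n"
          "Message-ID: <xyz@relay.invalid>\nFrom: alice@example.org\n")

if __name__ == "__main__":
    for name, hdrs in (("genuine", GENUINE), ("forged", FORGED)):
        print(name, "->", classify(sample_bounce(hdrs)))
```

Bounces classified as "unknown" carry no returned headers at all and are the ones left for a human to read.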

