But it didn't bounce. The spammer replied as [EMAIL PROTECTED], only after a couple messages did I receive mail from MAILER-DAEMON.
According to the log you posted, the spammer never actually replied:
Date: Sun Feb 1 00:21:11 EST 2004
From: "" <[EMAIL PROTECTED]>
Rept: "" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subj: Re:are you fat bdkruud ray ri v
Actn: CONFIRM (to [EMAIL PROTECTED] confirm) (1829)
- At this point (Feb 1, 00:21:11) a spam message with the subject "Re:are you fat bdkruud ray ri v" has been caught by TMDA, so TMDA sends a confirmation request message to "[EMAIL PROTECTED]". Don't be fooled by the "Re:" at the beginning. This spammer is probably trying to lower his spam score by pretending to be sending a response to you. Some badly-made filters may let through all email with a subject starting with "Re:" assuming that it is a reply to something you sent, so some spammers try to slip through that way.
Date: Sun Feb 1 00:21:11 EST 2004
From: "" <[EMAIL PROTECTED]>
Rept: "" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subj: Re:are you fat bdkruud ray ri v
Actn: CONFIRM pending 1075612871.84850.msg (1829)
- Next step, the message is put into the pending queue with ID 1075612871.84850
- Now the mail system at spammer.com receives the message and tries to deliver it to the user "smith". It does not find it and sends you a bounce with the subject "Returned mail: User unknown". Due to a misconfiguration, it sends this bounce to your "reply-to" address (which is "[EMAIL PROTECTED]" instead of your envelope address which would not cause confirmation of the original message).
Date: Mon Feb 2 06:29:08 EST 2004
From: Mail Delivery Subsystem <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subj: Returned mail: User unknown
Actn: CONFIRM accept 1075612871.84850.msg (5443)
- Now (Feb 2, 06:29:08) TMDA receives the bounce and notices that the "to" address is a confirm tag. It processes the confirmation request, releasing the message from the pending queue with ID 1075612871.84850. The spam is delivered to your inbox.
Date: Mon Feb 2 06:29:08 EST 2004
Sndr: <>
From: Mail Delivery Subsystem <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subj: Returned mail: User unknown
Actn: CONFIRM_APPEND /usr/home/kai/.tmda/lists/confirmed (5443)
- Next step, the Return Receipt from the original message ([EMAIL PROTECTED]) is appended to your whitelist
Date: Mon Feb 2 06:29:08 EST 2004
Sndr: <>
From: Mail Delivery Subsystem <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subj: Returned mail: User unknown
Actn: NOREPLY (envelope sender = <>) (5443)
- Next step, TMDA would normally send a reply to the envelope of the confirmation response message (to say "Your message was confirmed"), but sends nothing because the envelope sender is "<>".
TMDA sent the confirm request to smith, smith replies as smith. The confirmation request acceptance message bounced.
I don't see [EMAIL PROTECTED] replying at all in this log. I see [EMAIL PROTECTED] replying with what looks like (from the subject) a bounce.
It's almost as if the spam was confirmed, then the account was removed, so that the confirmation request acceptance message then bounced.
Is this just a confused spammer realizing his mistake and now hoping to hide from any inquiries? That's about the best I can really gather.
I really believe that the spammer pretended to send from "[EMAIL PROTECTED]", which was NOT the spammer's real address, so that the spammer's computer isn't bothered by bounces. Because there is no account "[EMAIL PROTECTED]" and the mail software at "spammer.com" is misconfigured, it sent a bounce to the wrong address, inadvertently releasing the spam and adding "[EMAIL PROTECTED]" to your whitelist.
Unless there is more in your log from "[EMAIL PROTECTED]" than you posted here, that is my conclusion.
-- Jim Ramsay "Me fail English? That's unpossible!"
_____________________________________________ tmda-users mailing list ([EMAIL PROTECTED]) http://tmda.net/lists/listinfo/tmda-users
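An added example, not part of the original message or of TMDA itself: a log check that flags pending messages released by a bounce rather than by a real sender. It assumes each entry starts at a `Date:` line as in the excerpts above, and that entries sharing the same `Date:` and trailing parenthesised number belong to one incoming message; all addresses in the sample are constructed placeholders.

```python
import re

# Constructed sample in the layout of the excerpts above; addresses are placeholders.
SAMPLE_LOG = """\
Date: Sun Feb 1 00:21:11 EST 2004
From: "" <smith@spammer.example>
Actn: CONFIRM pending 1075612871.84850.msg (1829)
Date: Mon Feb 2 06:29:08 EST 2004
From: Mail Delivery Subsystem <MAILER-DAEMON@spammer.example>
Subj: Returned mail: User unknown
Actn: CONFIRM accept 1075612871.84850.msg (5443)
Date: Mon Feb 2 06:29:08 EST 2004
Sndr: <>
Actn: NOREPLY (envelope sender = <>) (5443)
Date: Tue Feb 3 09:00:00 EST 2004
From: Alice <alice@example.net>
Actn: CONFIRM accept 1075800000.11111.msg (2100)
Date: Tue Feb 3 09:00:00 EST 2004
Sndr: <alice@example.net>
Actn: CONFIRM_APPEND /usr/home/kai/.tmda/lists/confirmed (2100)
"""

FIELD = re.compile(r"^(Date|Sndr|From|Rept|To|Subj|Actn):\s*(.*)$")
ACCEPT = re.compile(r"^CONFIRM accept (\S+)\.msg \((\d+)\)$")
TAIL = re.compile(r"\((\d+)\)$")

def parse_entries(text):
    """Split the log into dicts; a new entry starts at each Date: line."""
    entries = []
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m and m.group(1) == "Date":
            entries.append({})
        if m and entries:
            entries[-1][m.group(1)] = m.group(2).strip()
    return entries

def bounce_confirmations(text):
    """Return pending-queue IDs released by a null-sender (bounce) message."""
    entries = parse_entries(text)
    # (Date, trailing number) of every entry logged with envelope sender <>
    null = {(e.get("Date"), t.group(1)) for e in entries
            if e.get("Sndr") == "<>" and (t := TAIL.search(e.get("Actn", "")))}
    hits = []
    for e in entries:
        m = ACCEPT.match(e.get("Actn", ""))
        if m and (e.get("Date"), m.group(2)) in null:
            hits.append(m.group(1))
    return hits
```

Any ID it returns is a message that reached the inbox without a human confirming it, so the sender address appended to the `confirmed` list at the same time is worth reviewing.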
