On Friday, August 22, 2003, 10:54:04 PM, Cyberspace Publishing commented:
CP> Jon, I agree with this... *in theory*, but nearly all the spam I
CP> receive indicates that the majority of spammers don't perform
CP> "Joe Jobs". They generally put random addresses in the "From:"
CP> field - usually either the recipient's own address, or a munged
CP> address using the recipient's domain or username.
Tom, every day of the week, I receive between 20 and 200 bounce messages from spam that was sent using either my address or my company's email address -- these are usually valid email addresses. I admit that the recent flood was due to Sobig rather than spammers, but I have seen enough spam hawking porn and cut-rate mortgages under our name to know that it is often deliberate.
My description was based on my own personal experience and observations as, I am sure, yours are. It just goes to show that everyone is going to observe different results - depending on their email settings, how their addresses are harvested or distributed, and the type of spam being received. I, too, receive spam using my domain name in the "From:" field, but I seldom receive any bounces from other domains with any of my domains in the "From:" field - except the occasional virus as I described in another post.
BTW, I received three more of those today - all from different domains with different usernames before the '@' symbol. All four contained a block of random characters - about 30 or 40 lines of equal length much like you'd see loading an image or pgp file into a text editor. All had been sent from different IP#'s and to different addresses and subjects such as "Ilknur zehra mine uikorbt".
Of course, those types of messages I never bounce (or re-bounce). What would be the point? That brings up another point - I don't just rashly bounce *everything*, nor do I suggest that anyone else do, either. You have to use a little judgement in whether you think it might do any good or not.
CP> My personal feeling is that if one aggravates a spammer to the
CP> point that the spammer uses the "poor sod's" address in 10,000 spams,
CP> it is no longer spam, but a personal attack against the "poor sod"
CP> and a personal problem of the "poor sod", who now, has grounds to go
CP> after the spammer in the legal system and collect major damages.
No, when we have had this stuff going on I have done IP traces and found that the spammer who uses our domain name is always using an open relay, generally one based in Asia. In fact, based on this experience I feel that the most effective thing you can do to stop spam is to use open relay RBLs to completely block email -- if all the major ISPs did this, the Joe Jobs wouldn't work.
MailWasher Pro makes use of ORDB's to pre-flag any email coming from IP#'s listed in the DB you are using. It comes with two already configured, but you can add others you find useful. I currently have mine set to use three different ones.
Spoofing a domain to send spam is a felony in the state of Virginia, where our servers are located -- but there is absolutely no way we are going to trace these spammers with the resources we have. Even if we did, we would NOT be able to collect "major damages" unless we could prove that our business was damaged. I'm sorry, but I practiced law for 20 years, and the one thing I know is that litigation is expensive and messy, and often is bad for business as well.
My brother is also a very successful litigation attorney, so I understand what you are saying about it being expensive. However, I have read of cases being won against spammers and enormous judgements being granted against them. I agree, it's not everyone's 'cup of tea', but it can, and is, being done.
If it can be shown that a spammer is maliciously targeting a specific individual or company, I'm sure it would take very little to have a court order granted to track them down. I believe it was the "Love" virus that the authorities were able to determine the source rather quickly - can't remember for sure as it's been a while. It's even easier with newer safeguards in place and more intelligent technology being available.
CP> Another way this can happen is if the "poor sod" has an "Open
CP> Relay", or an insecure cgi script, on his domain. In that case,
CP> he deserves the bounces - they will open his eyes in a hurry and
CP> he'll learn a valuable lesson in the experience!
No, the bounces don't go back to the IP, they go to whatever domain is written in the reply-to field. People who abuse open relays SOMETIMES try to use the domain name where the relay is to exploit possible security weaknesses, but they often use other domain names as well.
As I explained in the post, that was based on my personal experience where an insecure cgi script was used to send out hundreds of thousands of spams from my own domain. My default mailbox contained nearly 500 meg of bounces! I didn't even try to download it - I just deleted it and fixed the problem.
Here's an example of the most recent attempt to use my company's server as an open relay, taken from our logs. (We get about 100 attempts like this daily.)

Aug 23 10:21:12 sendmail[36000]: h7NGL6uL036000: ruleset=check_rcpt, arg1=<[EMAIL PROTECTED]>, relay=ACC1CEED.ipt.aol.com [172.193.206.237], reject=550 5.7.1 <[EMAIL PROTECTED]>... Relaying denied. Proper authentication required.
The "Relaying denied" message tells you that this didn't work. But the email being used was not ours (dyslexia.com), but some company called globaltravel.com -- and I'd be willing to bet that "onlineres" is a real address on their system. So if we did have an open relay, then some spammer using an AOL connection would send out thousands of emails through our site, and Globaltravel would get all the bounces. [You can be sure that this is not a regular AOL connection, either - a real AOL user would have an mx.aol.com IP assigned - this is the work of a hacker]
I read that header a little differently. The email address in the header (arg1) was most probably the intended recipient of the spam that a hacker (probably logged on via AOL) was attempting to send via your 'sendmail' script - which would have given the appearance that it had been sent directly from your domain - or server. The from field would have probably been something like [EMAIL PROTECTED] or whatever your sendmail uses for its "localhost" setting. Fortunately, your 'sendmail' script is obviously configured to reject any attempt to send from anywhere but its own domain - as it should be. :)
CP> MailWasher Pro's bounces, under normal circumstances, cannot and
CP> will not create any such problems. It only creates problems for
CP> the few spammers that use their real addresses.
And for all of the rest of us who for business reasons have published email addresses that are likely to be exploited by spammers.
As I said in my earlier post, spammers don't normally use the same domain or address in the "From:" field of every spam sent. It is usually custom configured to be a munge of the domain or address of the intended recipient. You may get spams with yourdomain in the "From:" field, but the same spam sent to me would have mydomain in the address of the "From:" field. At least, that has been my own experience and observation. If you get a ton of bounces from a lot of different domains - all with similar messages and all with your domain in the address in the "From:" field, then you are under an attack and need to save the bounces and act on them.
CP> It doesn't even bounce the messages if the address is fraudulent - it simply
CP> deletes it from the server so it doesn't have to be downloaded to
CP> one's computer.
Does it correlate the email address with the IP via reverse DNS? If so, you are correct that it won't bounce to innocent victims... on the other hand, it won't do much good. Most of the spammers who actually use their own domain name with a validly configured reverse DNS are major mass marketing firms that probably would actually unsubscribe you on request -- perhaps Mailwasher PRO would do better to have an automatically configured "unsubscribe" response. Despite rumors to the contrary, I HAVE had excellent results with following unsubscribe routines when the spam looks like it is emanating from a *real*, easily identifiable source. (Not always: it is true that sometimes the spam increases rather than decreases, but about 9 times out of 10 the unsubscribe request is actually honored.)
I agree with you - if you've been "automatically" subscribed to a list you don't want, and *if* you believe you can trust the list owner, then, try the "unsubscribe" link. Like you, though, my success rate for this has been very limited.
CP> 2. If set to use the local SMTP server only, the system sends a bounce
CP> message through the SMTP server you specified in the account options
CP> or properties.
Tom, this is NOT a "bounce" message - no matter what it looks like, if Mailwasher SENDS a message, it is NOT a "bounce". A bounce is when the MTA refuses to accept the email for delivery in the first place.
MailWasher doesn't 'send' the message in the same sense that your email client does - it doesn't put anything at all in the message to indicate that it has been sent by or from MailWasher.
MailWasher composes the body of the message, adding a couple of lines to the header of the original message, and then passes it off to either the original sender's SMTP server for 'bouncing' or to your own local SMTP server to do the 'bouncing'. If the bounce is bounced back, your SMTP server treats it appropriately and just ignores it or deletes it - it doesn't go back into your mailbox.
What happens when you use Mailwasher is:
spammer sends to your SMTP
spammer's MTA receives a message indicating that the message was accepted for delivery [Example, for AOL, my sendmail logs reflect "stat=Sent (OK)"]
Sometime later, spammer receives an EMAIL generated by Mailwasher that looks like a bounce, but isn't. The spammer will receive hundreds or even thousands of such bounce messages, but unless their software is configured to automatically remove all email addresses that bounce, they won't do anything about it -- it's too much trouble. Most likely, assuming that they used a legit address to send the email, they also have their systems automatically configured to delete all such bounce messages, in the same way that I solved my Sobig-bounce problem this week by creating a filter to trash all virus-related bounces. They have no incentive whatsoever to clean their list based on bounces, because it doesn't cost them anything to send email to bad addresses. It doesn't inconvenience them in any way, because no human ever sees or reads those messages.
I don't know about that. I only know that, happily, my spam is going down, so something appears to be working.
As far as the SoBig.F worm, from the onset I was receiving a constant 10 to 12 bounces per hour right up until I started 'bouncing the bounces' with MailWasher Pro at 5 p.m. Thursday evening. From then until midnight Thursday, I received 25 more bounces - about three and a half an hour - which I also bounced back. Between midnight Thursday and 6 a.m. Friday morning, I received six more - or 1 per hour - which I again bounced back to the bouncers with MailWasher Pro.
I have set up no filters or taken any other action to stop the bounces - only MailWasher Pro. Would you care to guess just how many SoBig.F worm bounces I have received since 6 a.m. on Friday? It's now 7:30 p.m. on Saturday - 37 and a half hours later and I haven't received another single SoBig.F bounce - NOT A ONE! ZILCH! NADA! :) There isn't a person in the world that can convince me that using MailWasher Pro to start bouncing those instead of just deleting them had nothing to do with it stopping almost "Cold Turkey" the way it did.
CP> MailWasher uses an algorithm to determine the best route to send the
CP> bounced message back (from, reply to, return path) and actually sends
CP> the bounce back via your ISP's postmaster, so it looks exactly like it
CP> has come from your ISP and not from you at your address.
That's illegal, Tom. That is, if I send an email to you that says it comes from [EMAIL PROTECTED], I am doing the same thing the spammers do, spoofing a domain name.
That was pretty much quoted verbatim straight from the FAQ page at MailWasher.net. I'm sure if it were breaking any laws, they'd have heard something by now. :)
CP> The bounced messages look exactly like a returned mail message you
CP> would receive if you sent an email off to a wrong address. There is
CP> no way the spammers can tell it is not genuine.
Tom, that statement is just not true. They can tell it's not genuine by the headers and routing info. They can tell it's not genuine by their own server logs. They can tell it's not genuine in the SAME WAY that a recipient of spam can tell when the spam has been forged. What makes you think that Mailwasher has the ability to create a better forgery than the spammers can with their own software?
That, again, was quoted verbatim from the FAQ page at the MailWasher site. Sure, it doesn't look *identical* to the bounce my server sends out, but neither do the bounces I get from all the other servers! In fact, they are *all* differently formatted - some similar to what MailWasher sends while others look like they were written by a computer novice.
The address in the "From:" field also varies - some come from Mailer-Daemon while others come from "Postmaster" or something else. If you collected 50 bounces from 50 different servers and one of them was from MailWasher, I doubt that you, or anyone else, that hadn't specifically researched and noted the exact format used by MailWasher, would be able to pick it out of the lineup. :)
If you want, I'll send you an email that you can bounce with Mailwasher, and then I'll show you the difference between what your bounce looks like and what a genuine bounce looks like.
I appreciate the offer, but it's really not necessary - I've actually done that myself as a result of our discussion. It even pointed out a fallacy in the article I wrote at the IMF forum, that I'm now going to have to retract and post a more accurate review - thanks for that! ;-)
As I said in my prior post, not even genuine bounces are identical or have any common identifying traits - every mail server handles it differently.
-Abigail
Cheers, Tom
--------------------------------------------------------
Try MailWasher Pro for 30 days, or grab MailWasher Free! http://entier.ecosm.com/link/?iqbeoyr
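Below is an added example written for this thread; it is not code from any of the posts above, nor from MailWasher. It is a small Python script that parses sendmail log entries of the shape Abigail quoted, separates relay attempts refused inside the SMTP session (a 550 at check_rcpt, which the server never took custody of and therefore cannot bounce) from messages the server actually accepted (stat=Sent, the only kind that can later produce a genuine bounce), and tallies the refused attempts by client IP and by targeted domain. Apart from the relay name and IP copied from the quoted entry, every hostname, address, queue id and log line is a constructed placeholder; the "suspicious relay" check relies on sendmail's bare-[IP] and "(may be forged)" relay annotations.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log. The first entry mirrors the shape of the one quoted in
# the thread; all other hostnames, addresses, queue ids and IPs are placeholders.
SAMPLE_LOG = """\
Aug 23 10:21:12 sendmail[36000]: h7NGL6uL036000: ruleset=check_rcpt, arg1=<onlineres@globaltravel.example>, relay=ACC1CEED.ipt.aol.com [172.193.206.237], reject=550 5.7.1 <onlineres@globaltravel.example>... Relaying denied. Proper authentication required.
Aug 23 10:21:13 sendmail[36000]: h7NGL6uL036000: ruleset=check_rcpt, arg1=<sales@globaltravel.example>, relay=ACC1CEED.ipt.aol.com [172.193.206.237], reject=550 5.7.1 <sales@globaltravel.example>... Relaying denied. Proper authentication required.
Aug 23 10:40:02 sendmail[36101]: h7NGe2Xk036101: from=<someone@example.net>, size=1402, class=0, nrcpts=1, msgid=<abc@example.net>, proto=SMTP, daemon=MTA, relay=mail.example.net [192.0.2.10]
Aug 23 10:40:03 sendmail[36102]: h7NGe2Xk036101: to=<user@dyslexia.example>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=31402, dsn=2.0.0, stat=Sent (OK)
Aug 23 11:02:44 sendmail[36200]: h7NH2iQa036200: ruleset=check_rcpt, arg1=<bob@victim.example>, relay=mail.bogus.example [198.51.100.7] (may be forged), reject=550 5.7.1 <bob@victim.example>... Relaying denied. Proper authentication required.
Aug 23 11:05:10 sendmail[36210]: h7NH5AbC036210: ruleset=check_rcpt, arg1=<carol@victim.example>, relay=[203.0.113.5], reject=550 5.7.1 <carol@victim.example>... Relaying denied. Proper authentication required.
"""

# syslog prefix: timestamp, optional hostname, "sendmail[pid]: queueid:"
HEAD = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?:\S+ )?sendmail\[\d+\]: (?P<qid>\w+): "
)
# relaying refused during RCPT TO; relay= may be "host [ip]", "host [ip] (may be forged)" or "[ip]"
RCPT_REJECT = re.compile(
    r"ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]*)>, "
    r"relay=(?:(?P<host>\S+) )?\[(?P<ip>[^\]]+)\](?P<forged> \(may be forged\))?, "
    r"reject=(?P<code>\d{3}) (?P<esc>\d\.\d\.\d) .*Relaying denied"
)
# a message the MTA accepted and handed on to a mailer
ACCEPTED = re.compile(r"to=<(?P<rcpt>[^>]*)>.*\bstat=Sent\b")


@dataclass
class MailEvent:
    timestamp: str
    queue_id: str
    kind: str                    # "relay_refused" or "accepted"
    recipient: str
    relay_host: Optional[str] = None
    relay_ip: Optional[str] = None
    smtp_code: Optional[int] = None
    ptr_suspect: bool = False    # sendmail's "(may be forged)" annotation seen


def parse_line(line: str) -> Optional[MailEvent]:
    """Turn one sendmail log line into a MailEvent, or None if it is neither kind."""
    head = HEAD.match(line)
    if not head:
        return None
    m = RCPT_REJECT.search(line)
    if m:
        return MailEvent(head["ts"], head["qid"], "relay_refused", m["rcpt"],
                         m["host"], m["ip"], int(m["code"]), bool(m["forged"]))
    m = ACCEPTED.search(line)
    if m:
        return MailEvent(head["ts"], head["qid"], "accepted", m["rcpt"])
    return None


def parse_log(text: str) -> List[MailEvent]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def can_produce_bounce(event: MailEvent) -> bool:
    # A 5xx answer at RCPT time is a refusal inside the SMTP session: the MTA
    # never takes custody of the message, so it has nothing to bounce. Only a
    # message it accepted can later give rise to a genuine delivery status report.
    return event.kind == "accepted"


def relay_attempts_by_ip(events: List[MailEvent]) -> Dict[str, int]:
    """How many refused relay attempts each client IP made (candidates for blocking)."""
    return dict(Counter(e.relay_ip for e in events if e.kind == "relay_refused"))


def targeted_domains(events: List[MailEvent]) -> Dict[str, int]:
    """Domains the refused relay attempts tried to deliver to."""
    return dict(Counter(e.recipient.rsplit("@", 1)[-1].lower()
                        for e in events if e.kind == "relay_refused"))


def suspicious_relays(events: List[MailEvent]) -> List[MailEvent]:
    """Refused attempts from clients with no usable reverse DNS (bare [IP]) or
    whose PTR name did not resolve back to the IP ("(may be forged)")."""
    return [e for e in events
            if e.kind == "relay_refused" and (e.relay_host is None or e.ptr_suspect)]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("refused relay attempts by IP:", relay_attempts_by_ip(evs))
    print("targeted domains:", targeted_domains(evs))
    print("suspicious relays:", [e.relay_ip for e in suspicious_relays(evs)])
    print("events that could yield a real bounce:",
          [e.queue_id for e in evs if can_produce_bounce(e)])
```

Feeding a real maillog through parse_log gives the per-IP counts that make a DNSBL or firewall decision defensible, and the targeted-domain tally shows which third parties an open relay on your host would have implicated.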
The WDVL Discussion List from WDVL.COM
