Cybersecurity

Hello,

Long time ago we used to suffer from relay and users using your own mailservers to spam but thanks god for auth-before-pop.

But now i'm facing small problem with someone which us he is spaning using whatever mailserver with your@email.address.com and when these emails go to unknown addresses they will bounce back to your email! what you will do in this case? how to protect your self.

i know you can prove its not you who spam to people from the headers and many other ways, but the question here isto protect your self from the 100s of bouncebacks !!

Don't let spammers do this from your network.

you didn't get me..

not from my network , say your email address is user@usa.com and i'm from another planet and i use outlook to relay at my ISP mailserver and set the "e-mail address" to user@usa.com although an not user@usa.com and start emailing billion of users spamming and my ISP doesn't care about spam anyhow 80% of the emails bounced back to user@usa.com , your mailbox will be filled, how to avoid this and not get your mailbox filled?

I happened to have the same problem but not to the extent that it's killing our server or flooding me (postmaster) with email.

What you need to do is look at the headers and figure out if the spammers are using some system that is an open relay or not. If they are, calling or emailing the postmaster of that server may help to remove the problem.

Getting the hundreds of email from irate folks about spam - nothing can be done unless you just want to filter them and not do anything. The problem with that - one: your company does not look good in the eyes of potential customers; two: you will never get rid of the problem.

Yes, it is probably impossible to stop spammers one email at a time but finding the problem children on the internet (the open relays the spammers are using) or complaining to their ISP (those who are selling them a piece of a subnet) will help.

Check the headers - they will lead you to the folks involved. Complain to the postmaster, hostmaster, abuse, any contact person in either ARIN or NetworkSolutions database for that IP or domain name.

Check out Network Abuse Clearinghouse for further info.

If you are just a user looking to get rid this mail, then a filter would work.

As I understand the poster, he is not talking about relaying (one problem) he is talking about the "Reply-To" field where spammers are using his valid email address in their spam "Reply-To" field.

This is a common technique by spammers and you can't filter on source address or you could block 'the good guys' (people like you receiving spam).

It is like when a spammer sends me email and my email address is in the 'Reply To' field... I certainly don't like blocking me from myself and the scenarios go on and on. There are many variations of this spam technique.

However, if the email is being bounced, you can easily filter your server to just blackhole all mail from "mailer-daemon" and similar source addresses from bounced mail. You must examine the mail and set up appropriate filters.

You might find this paper of interest:

http://www.silkroad.com/papers/html/bomb/

the paper describes email bombs, countermeasures and filtering basics.

I'm finding programs like Mailwasher more and more useful: www.mailwasher.net but this gem runs only on MS products; so I queue mail on linux and wash with Mailwasher first thing in the morning (like brushing my teeth) or whenever I've been away for a long time; after washing I read with my standard mail user agent. The developer of Mailwasher is very responsive (Nick) and he has added a couple of features at my request in the past month.

I don't believe that it's "Reply-To", but rather "Return-Path" that is causing his problem.

"Return-Path" is supposed to show the the real address of the sender as taken from the envelope. And it's only supposed to generated by the MTA performing final delivery. And it's only used to notification of delivery problems.

Most MTA's just accept a "Return-Path" line if one is already present. This prevents recording the spammer's address from the envelope (no great loss since it is probably forged too) and it sends the delivery problem notifications elsewhere.

It's even possible that "Reply-To" contains some valid address for the spammer. That way you can reply to a hotmail account or something if you are interested in a product.

The latest versions of Sendmail have a way to replace a "Return-Path" header. But until everyone does that, this is a problem.

Right you are, Perderabo! Thanks for catching that. That will teach me to rely on 5 year old neurons "Reply-To" is used much less frequently in headers than "Return-Path"

FYI: See these threads for more info:

http://www.unicom.com/pw/reply-to-harmful.html

http://cr.yp.to/proto/replyto.html

I'll check some wierd spam and post a follow-up........