Spammers Using Bounced E-mails As Weapons Is A Myth

drshi
Rattled Rabbit
Posts: 3
Joined: Thu Nov 19, 2009 10:57 am

Spammers Using Bounced E-mails As Weapons Is A Myth

Thu Mar 11, 2010 4:49 pm

According to Michael Tsai, developer of SpamSieve, spammers do not redirect bounced e-mails to flame innocent users. He explains, "There is a narrow window of time in which rejecting a spam message might work. When the mail server is in the process of receiving a message, it's talking to the sending server and so theoretically it could communicate that the address is invalid. By the time the message has been delivered to your account, downloaded by the mail program on your Mac, and filtered by SpamSieve [for example], this window has long since closed. At this point, if the spammer were listening, he'd already know that the message had been delivered. If you were able to get a bounce back to him, he'd know that it was a fake bounce. The original message must have gotten all through, so he should send you more spam. Since bouncing doesn't work, it would be a waste of your time and network resources to do it. Including such a feature in SpamSieve would fill out the feature checklist but give the false impression that the feature should be used." In short, spammers pay no malicious attention whatsoever to bounces; it's simply not worth their time or energy.
stan_qaz
Omniscient Kiwi
Location: Gilbert, Arizona
Posts: 8671
Joined: Fri Jul 25, 2008 5:13 am

Re: Spammers Using Bounced E-mails As Weapons Is A Myth

Fri Mar 12, 2010 5:32 am

I have to disagree with your title "Spammers Using Bounced E-mails As Weapons Is A Myth" as I have had many problems with spammers setting the reply-to address in their spam run to one of my addresses and flooding my inbox with many thousand bounce messages, out of office messages and challenge/response messages.
drshi wrote:According to Michael Tsai, developer of SpamSieve, spammers do not redirect bounced e-mails to flame innocent users.

Spammers do not resend bounces that get sent to them, they forge the spam they send so that the forged bounces generated by users or delayed bounces created by poorly configured mail systems are sent to innocent third parties or to non-existent addresses.

drshi wrote:He explains, "There is a narrow window of time in which rejecting a spam message might work. When the mail server is in the process of receiving a message, it's talking to the sending server and so theoretically it could communicate that the address is invalid.

That is true for a well configured mail server but there are still huge numbers of servers that do not generate a reject code to the originating server but accept the mail and then generate a bounce message at a later time that is sent to the address that the spam is purportedly from.

drshi wrote:By the time the message has been delivered to your account, downloaded by the mail program on your Mac, and filtered by SpamSieve [for example], this window has long since closed. At this point, if the spammer were listening, he'd already know that the message had been delivered. If you were able to get a bounce back to him, he'd know that it was a fake bounce. The original message must have gotten all through, so he should send you more spam.

Delivered to the mail server, but unless the spammer tracked which systems generated reject codes versus the ones that generated bounce messages, the bounce or the time would not tell much about the legitimacy of the bounce. Looking at the header and checking the IP address would provide the ability to see that the IP address was not the mail exchanger that should have been sending the bounce, but that again requires the spammer to collect a lot of information to tell what is real and what is forged.

drshi wrote:Since bouncing doesn't work, it would be a waste of your time and network resources to do it. Including such a feature in SpamSieve would fill out the feature checklist but give the false impression that the feature should be used."

While bouncing spam doesn't work I do have to disagree with the reasons you have given above. The number one reason bouncing doesn't work is because the spammer rarely uses their own address as the one to send the bounce message to. In my incoming mail the address to bounce to is obviously forged well over 90% of the time, a lot of the remaining 10% are probably forged too but aren't obvious and would take a bit of time to check.

drshi wrote:In short, spammers pay no malicious attention whatsoever to bounces; it's simply not worth their time or energy.

Change that to "most spammers" and I'll agree with that portion but there are a few who do collect bounces as they contain some valuable information if you are not just a spammer but also are looking for the information found in the fake bounce's header to use as an attack target either directly or in a phishing attempt.

You also left out a big problem with forged bounces, they are forged. That is a violation of law in many places, a violation of your ISP's rules (and since you are forging their address they can become quite cranky) and it subjects you and your ISP's mail server to reporting and possible denial of service as a source of abusive e-mails.
I am not a Firetrust employee just a MW user.
--
First rule of computer consulting: Sell a customer a Linux computer and you'll eat for a day,
sell a customer a Windows computer and you'll eat for a lifetime.
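The distinction stan_qaz draws above, a server that rejects an unknown recipient while the sending server is still connected versus one that accepts everything and bounces later, is what decides whether a forged sender address receives backscatter. The following is an added illustration, not code from the thread or from MailWasher or SpamSieve; the domain, mailbox list, addresses and policy names are constructed for the example.

```python
"""Toy simulation of two RCPT TO policies on a receiving mail server.

Added example (not from the forum thread).  Everything here is constructed:
the local domain, the mailbox list and the spam run itself.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

LOCAL_DOMAIN = "example.net"                 # constructed
VALID_MAILBOXES = {"alice@example.net"}      # constructed


@dataclass
class Message:
    envelope_from: str   # MAIL FROM: the address any later bounce is sent to
    envelope_to: str     # RCPT TO
    body: str


@dataclass
class Outcome:
    smtp_reply: str              # reply the sending server sees at RCPT TO time
    accepted: bool
    dsn_to: Optional[str] = None  # address that receives a delayed bounce, if any


def receive(msg: Message, policy: str) -> Outcome:
    """Handle one RCPT TO under a named policy.

    'reject'        checks the recipient while the sender is still connected.
                    An unknown user gets a 5xx reply and no bounce is ever
                    generated, so a forged MAIL FROM never hears about it.
    'accept-bounce' answers 250 to everything and discovers the unknown user
                    later.  The only way left to report the failure is a new
                    message to the envelope sender, which for spam is usually
                    an innocent third party: that message is backscatter.
    """
    known = msg.envelope_to in VALID_MAILBOXES
    if policy == "reject":
        if known:
            return Outcome("250 2.1.5 OK", accepted=True)
        return Outcome("550 5.1.1 User unknown", accepted=False)
    if policy == "accept-bounce":
        if known:
            return Outcome("250 2.1.5 OK", accepted=True)
        return Outcome("250 2.1.5 OK", accepted=True, dsn_to=msg.envelope_from)
    raise ValueError(f"unknown policy {policy!r}")


def backscatter_victims(msgs: Iterable[Message], policy: str) -> set:
    """Addresses that would receive a delayed bounce under the given policy."""
    return {o.dsn_to for o in (receive(m, policy) for m in msgs) if o.dsn_to}


if __name__ == "__main__":
    # Constructed spam run: forged sender, three non-existent local recipients.
    spam_run = [
        Message("victim@innocent.example", f"nobody{i}@{LOCAL_DOMAIN}", "buy now")
        for i in range(3)
    ]
    print("reject policy        :", backscatter_victims(spam_run, "reject"))
    print("accept-bounce policy :", backscatter_victims(spam_run, "accept-bounce"))
```

Under the reject policy the set of bounce recipients is empty; under accept-bounce every forged sender address in the run receives a bounce for a message it never sent, which is exactly the flood of bounces described earlier in the thread.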
drshi
Rattled Rabbit
Posts: 3
Joined: Thu Nov 19, 2009 10:57 am

Re: Spammers Using Bounced E-mails As Weapons Is A Myth

Wed Mar 17, 2010 10:48 am

Stan:

Thanks for the detailed and thoughtful reply. Though I certainly acknowledge and respect your position and your personal experience with malicious bouncing, I would greatly appreciate your stating the reason you feel your counterarguments are both valid and superior to those of Mr. Tsai, an authority in this field. In developing his anti-spam software, Mr. Tsai drew on all available research which includes in-depth analysis of known spammers -- how they operate and network. The anecdotal evidence you've provided is considered by the likes of Mr. Tsai to be, though present in the field, sufficiently minimal as to not be worthy of consideration in the grand scheme of Web traffic. My personal experience has been diametrically opposed to yours, which is why I prefer to defer to those whose careers are dedicated to this issue.

According to my own research as a professional journalist, editor, and publisher, by far the most effective way of reducing spam to near-nonexistence in one's Inbox is to never Forward widely distributed e-mails without first removing all addresses from them and then adding the request that all your recipients remove your address before re-forwarding them. This has reduced my spam to almost nil.

Spammers collect most of their addresses by creating spiritual, uplifting, and otherwise moving e-mails, chain letters, petitions, etc., including some sort of guilt trip urging you to pass them on. Every time one receives an e-mail that begins with a big, fat list of previous recipients, it should be viewed as a Spammers Banquet.

Bottom Line: Since we both agree that bouncing is relatively ineffective in reducing spam; and if you now understand that I've bounced thousands of e-mails over the past eight years completely without any negative results, I guess we'd better just call this one a draw. Since neither of us are spammers we have to rely on our own personal experience and hopefully some decent research before stating anything as "fact" regarding an underground operation that's trying much harder to remain mysterious than we are trying to unmask it.

Best,
Rob
stan_qaz
Omniscient Kiwi
Location: Gilbert, Arizona
Posts: 8671
Joined: Fri Jul 25, 2008 5:13 am

Re: Spammers Using Bounced E-mails As Weapons Is A Myth

Wed Mar 17, 2010 6:21 pm

I'd really recommend you find a new mail expert.

SpamSieve is a fairly unsophisticated program that falls far behind the current version of MW in its abilities and even further behind the current beta version, which moves to an even more powerful method of integrating antispam tools to achieve accuracy beyond what a simple Bayesian system, as described by Paul Graham here http://www.paulgraham.com/spam.html, can achieve; MW does include such a system as one of its many tools.

As to the delayed bounce issue and the "narrow window of time" I think this is worth reading, http://www.spamcop.net/fom-serve/cache/329.html#bounces pay particular attention to the difference in a reject and a delayed bounce. I don't know any organization with more experience with spam than these folks. IronPort and now Cisco Systems seem to agree as they have purchased the spamcop.net system from its originator.

As to how spammers collect addresses I again have to disagree with you, sending an e-mail "with a big fat list of addresses" does not provide the addresses to the spammer. The only way a spammer can collect the addresses directly from the e-mail is if the e-mail is sent to their address once all the others have been appended, that can work for chain letters though. The spammer can indirectly collect the addresses if the e-mail arrives at a machine that is infested with malware that scrapes addresses from messages and sends them on to the spammer. You might want to investigate this further rather than relying on the expert you are now or my opinion.

I do not credit anyone with anti-spam expertise just because they have written a program that helps deal with it, you can ask Nick Bolton about that as we disagree about many points. Sometimes I am able to make my position clear enough that he considers it which is about all you can ask.
I am not a Firetrust employee just a MW user.
--
First rule of computer consulting: Sell a customer a Linux computer and you'll eat for a day,
sell a customer a Windows computer and you'll eat for a lifetime.
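Two points in this thread, the header check stan_qaz mentions in his first reply and the reject-versus-delayed-bounce distinction referenced again via the SpamCop link above, both come down to one question a backscatter victim can answer from the bounce itself: did the message being "returned" ever leave through our own mail servers? The following is an added example, not code from the thread, from MailWasher or from SpamCop; the outbound server IPs, the sample bounce and the header layout are constructed, and it uses only the Python standard library.

```python
"""Classify an incoming bounce as genuine or as backscatter from a forged sender.

Added example (not from the forum thread).  A delayed bounce (DSN) normally
returns the original message's headers.  The earliest Received header of that
original records the IP the message entered the mail system from; if it is not
one of our outbound servers, we never sent it and the bounce is backscatter.
"""
import re
from email import message_from_string
from email.message import Message
from typing import Optional

# Constructed: the IPs of the servers that legitimately send mail for our
# domain (RFC 5737 documentation range, chosen for the example).
OUR_OUTBOUND_IPS = {"192.0.2.10", "192.0.2.11"}

# Matches the bracketed IP that MTAs record in "from host ([a.b.c.d])".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def make_dsn(first_hop_ip: str) -> str:
    """Build a constructed multipart/report DSN whose returned original
    claims to come from alice@example.net and entered the remote MX from
    first_hop_ip.  Only the first-hop IP varies between samples."""
    return f"""\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.other.example>
To: alice@example.net
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

Your message could not be delivered to nobody@other.example.

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.other.example

Final-Recipient: rfc822; nobody@other.example
Action: failed
Status: 5.1.1

--B1
Content-Type: message/rfc822

Received: from mx.other.example by store.other.example; Sat, 17 Apr 2010 12:00:01 +0000
Received: from client.example ([{first_hop_ip}]) by mx.other.example; Sat, 17 Apr 2010 12:00:00 +0000
From: alice@example.net
To: nobody@other.example
Subject: buy now

buy now
--B1--
"""


def is_dsn(msg: Message) -> bool:
    """Bounces use the null envelope sender and the multipart/report type."""
    return (msg.get("Return-Path", "").strip() == "<>"
            and msg.get_content_type() == "multipart/report")


def returned_original(msg: Message) -> Optional[Message]:
    """The message/rfc822 part of a DSN carries the original message."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def first_hop_ip(original: Message) -> Optional[str]:
    """Received headers are prepended by each hop, so the last one listed is
    the earliest hop: the IP the message was first accepted from."""
    received = original.get_all("Received") or []
    if not received:
        return None
    m = IP_RE.search(received[-1])
    return m.group(1) if m else None


def classify(raw: str) -> str:
    msg = message_from_string(raw)
    if not is_dsn(msg):
        return "not-a-dsn"
    original = returned_original(msg)
    if original is None:
        return "dsn-without-original"   # no evidence either way
    ip = first_hop_ip(original)
    return "genuine-bounce" if ip in OUR_OUTBOUND_IPS else "backscatter"


if __name__ == "__main__":
    print(classify(make_dsn("203.0.113.77")))   # stranger's IP: backscatter
    print(classify(make_dsn("192.0.2.10")))     # our own MX: genuine-bounce
```

The same check is what stan_qaz says a spammer would have to perform from the other side, comparing the IP in the bounce against the mail exchanger that should have produced it; for the victim of a forged-sender run it is cheap, because the set of servers that may send our mail is small and known, and anything classified as backscatter can be filed as evidence rather than read as a real delivery failure.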
AlphaCentauri
Guardian Gecko
Posts: 362
Joined: Thu Jul 24, 2008 3:39 pm

Re: Spammers Using Bounced E-mails As Weapons Is A Myth

Sat Apr 17, 2010 5:31 pm

drshi wrote:According to Michael Tsai, developer of SpamSieve, spammers do not redirect bounced e-mails to flame innocent users.
Your arguments don't support that thesis. They're supporting the thesis "Using Mailwasher to create fake bounce messages won't get spammers to unsubscribe you anymore." We all agree with that one.

Spammers certainly do use the email addresses of antispammers in the "from" field in order to annoy them with backscatter. Many of us have been targets. They don't do it much once they figure out that it gives us useful evidence and is no more annoying than all the other spam we get from them.

A well-known case of trying to harass antis with backscatter was when the participants of the public spammer forum at specialham.com (since shut down) traded a list of email addresses of people who were on the Blue Security do-not-intrude list and encouraged one another to use those email addresses in the "from" field of spams. I don't know if there are any copies of those forum transcripts still on line, but it's interesting reading. (If you've never read a spammer forum, it's very much like the all-night argument among the trolls in The Hobbit, except they don't turn to stone at the end.)
stan_qaz
Omniscient Kiwi
Location: Gilbert, Arizona
Posts: 8671
Joined: Fri Jul 25, 2008 5:13 am

Re: Spammers Using Bounced E-mails As Weapons Is A Myth

Sat Apr 17, 2010 5:50 pm

Oh, yea... Bluefrog that had me up to over 8,000 undeliverable bounces/C/R messages and antispam replies a day for a while. MW happily generated reports on them with no major problems. :-)
I am not a Firetrust employee just a MW user.
--
First rule of computer consulting: Sell a customer a Linux computer and you'll eat for a day,
sell a customer a Windows computer and you'll eat for a lifetime.
