Bounce mail

O good! I wouldn't want to see 13 pages of replies for something that doesn't matter...

Very good. Now perhaps read them, if you don't think it matters.

Pete

thanks for reposting the links, Ziatron, although we have already answered this a few times. Each time someone brings it back up the obsessives who want to spank people and censor the original question come back in. Please note the question has been marked answered. It's an important download for me and it's NOT for spamming, contrary to the liars who keep coming into silence everyone else -- only those who use it improperly would cause any "spam" problem. If you use it for a KNOWN sender who has not been hacked and who has disregarded your request to stop writing you, it's being used appropriately and it can also on occasion help in situations where someone doesn't know yet their account has been hacked although one could just as well write a note to such a person. But for people you've already written who have not had their addresses forged and who won't stop harassing you with unwanted messages such as political list messages (which are NOT advertisements/"spams" and thus you're not "spamming" them back to signify you're not receiving their messages via using Bounce).

this ringaround the rosey with the people wanting to spank people for wanting to use Bounce will never end if people keep dragging it up. Please consider this thread answered. Someone should lock it. If the current download no longer works we can start a new thread. I'm tired of finding the arguing babies coming into harangue those who share the link but please understand we've already gotten the links posted a few times.

let's bring this to a close for now. It's not a thread on the merits of whether to have Bounce. It was a thread asking how to get the function back. The location of the third party download has been posted; until there is a new need, we don't need this thread other than as an archived closed topic. Maybe topics can't close. I wish the arguing childishness trying to silence people for sharing a link would end and that the link sharing would stop repeating over and over, filling up my email inbox.

rivmo wrote:

thanks for reposting the links, Ziatron, although we have already answered this a few times. Each time someone brings it back up the obsessives who want to spank people and censor the original question come back in. Please note the question has been marked answered. It's an important download for me and it's NOT for spamming, contrary to the liars who keep coming into silence everyone else -- only those who use it improperly would cause any "spam" problem. If you use it for a KNOWN sender who has not been hacked and who has disregarded your request to stop writing you, it's being used appropriately and it can also on occasion help in situations where someone doesn't know yet their account has been hacked although one could just as well write a note to such a person. But for people you've already written who have not had their addresses forged and who won't stop harassing you with unwanted messages such as political list messages (which are NOT advertisements/"spams" and thus you're not "spamming" them back to signify you're not receiving their messages via using Bounce).

this ringaround the rosey with the people wanting to spank people for wanting to use Bounce will never end if people keep dragging it up. Please consider this thread answered. Someone should lock it. If the current download no longer works we can start a new thread. I'm tired of finding the arguing babies coming into harangue those who share the link but please understand we've already gotten the links posted a few times.

let's bring this to a close for now. It's not a thread on the merits of whether to have Bounce. It was a thread asking how to get the function back. The location of the third party download has been posted; until there is a new need, we don't need this thread other than as an archived closed topic. Maybe topics can't close. I wish the arguing childishness trying to silence people for sharing a link would end and that the link sharing would stop repeating over and over, filling up my email inbox.

The short version of this whole page for those who are too busy to read all of it: DON'T BOUNCE SPAM, THE FROM IS FORGED. You should only send non-delivery notifications to your own users, anything else that can't be rejected during the SMTP transaction and is later found to be undeliverable should be dealt with locally, don't bounce it or your server becomes part of the problem. Thank you.

Skip to the Index.

Backscatter bounces are Non-Delivery Notifications, but they're for email you didn't send. A spammer sends out some of his spew with one or more of your addresses as the From, and poorly configured servers don't properly reject it, instead they send an NDN to the forged From address. So you get notices for something you had nothing to do with. To give you an idea of the size of the problem, I received over 10,300 backscatter bounces in the 8 months starting with October 2006. Of the bounces that specified a reason for not accepting the spam, the vast majority were for an invalid recipient address. The next most common reason is because the spam was identified as spam, followed by over quota mailboxes andidentified viruses. Invalid addresses and over quota mailboxes can normally be determined during the SMTP transaction and rejected, but in the cases where I'm getting them as bounces they weren't rejected or I'd never see them. So those mail servers are obviously accepting those emails and processing them before bouncing them. Most servers do body scanning for spam and virus after accepting the email, then many of them bounce it. But it is possible to receive [not accept] the body of an email, scan it, then accept or reject the final packets, avoiding causing backscatter. Exim is one example of a mail server that can be configured to do that. As of October 2008 this has been written into the RFCs. See the box below. Something over half of the bounces that I receive don't specify the reason for the bounce.

December 1, 2008. There are two items of good news.

First, Barracuda has released a firmware update that sets the Send Bounce option to No, overriding existing settings. Better late than never. And it's not all good news, see this note for details.

Second, there have been some changes to the RFCs, and a couple of the items deal specifically with spam filtering and bounces. RFCs 2821 and 2822 have been obsoleted by RFCs 5321 and 5322. The key change from the point of view of this web site is that rejection ("bounce") messages SHOULD NOT be sent unless the receiving site is confident that those messages will be usefully delivered. Bounces for spam, viruses and a few other unwanted messages will NOT be usefully delivered since they won't go back to the source. Rejections are fine. See Bouncing vs. Rejecting for more details.

The short version.

Who this page is for.

Who can use this page?

Why I wrote it.

Bouncing vs. Rejecting

What are the spammers up to?

Why not bounce spam?

What can you do?

Invalid Recipient Addresses

Auto-responders, Out of Office messages.

Challenge/Response, why not. (It's not a question.)

What about viruses?

How can you test your server?

Could it be too late? How to see if you're already listed.

What can you do if you're getting hammered with Backscatter?

Related links

My Privacy Policy and a disclaimer.

Who is this page for?Back to the Index.

This page is primarily intended for people who run mail servers that receive email for multiple users. Individuals who get their email through an ISP or company server normally won't have much control over what needs to be done to solve this problem.

There are a few positive things that end users can do though. They can certainly help put pressure on their email admins if something needs to be fixed. In many cases it's just a matter of the people in charge not realizing how things have changed since about the beginning of 2006. And if they haven't adjusted, the mail server may have ended up on blacklists. If so your email could be blocked from at least some sites.

End users should never use a program to bounce spam in hopes of abusing the spammer or getting removed from spam mailing lists. Spammers will never see those fake bounces, they'll go to an innocent person who may report the bouncer for sending them spam. Use of aChallenge/Response spam filter can also cause the server to end up on blacklists. It's also not a good idea to try and retaliate against spammers in any way other than reporting the spam you receive, there's far too much potential for abuse of innocent third parties.

Who can use this page?Back to the Index.

Anyone who wants to refer someone to this page is welcome to do so. If the goal is educate someone on the evils of bouncing spam so that they'll modify their servers actions, please be sure that you're notifying the right person. Please use caution, not cluing someone in is probably preferable to irritating the wrong person who may already be doing it right.

Why did I write this page?Back to the Index.

Lately I've been getting a lot of bounced spam. up to 1000 a day although most days are far less than that. And of course I didn't send any of the spam, so I report as many as possible as spam, which they are to me. See note 1 Even before the volume got out of control, I got tired of typing out emails and filling in contact forms explaining why the sender of the bounces shouldn't do that, so I created this site. The information on this page comes from knowledge I've gathered in years of dealing with computers and poking around the internet and newsgroups, as well as my own experiences dealing with spammers. I received some suggestions and corrections from people far more knowledgeable than I am. And I've done my best to verify that everything here is accurate, but it's up to you to make sure that it's appropriate for your situation. And of course, at some point this information will be outdated.

The internet is a constantly changing medium. Some changes are for the better, some for the worse. Unfortunately spammers have forced several of these changes, and now they're forcing another one.

My goal is to provide information that will convince more people that bouncing spam is a bad idea. The same reasoning applies to bouncing viruses found in incoming email. Anyone who thinks it would help is welcome to send a link to this page to anyone who has sent them bounce spam. Please make sure that they really are the source though, spammers also forge bounces.

If someone sent you a link to this page it's because they received some bounced spam from your server, or a Challenge/Response, or possibly an Out of Office reply to a spam that had their address forged as the From. It might even have been me who sent you the link, although anyone who wants to is certainly welcome to do the same. If you are responsible for any of the above you should seriously consider fixing your system. There are people getting thousands of bounces etc. per day and they had nothing to do with the original spams. Backscatter is becoming a huge problem, and at least one DNSBL (DNS based Blacklist) is now aggressively including backscatter sources in his lists. As of the beginning of 2007 the operator of TQMcube.com had reported that his parser was adding about 50 backscatter sources to his lists every hour. And he said that his lists were being used to filter about 200 million emails per day. You do not want to be there. And his list isn't the only one you could end up on. Spamcop now allows backscatter bounces to be reported as spam, and once there are enough reports, they also add the server to their blacklists. Most blacklists that add backscatter sources will result in blocking all email from that server. But now www.backscatterer.org is providing a list that is just Backscatter and Sender Callout sources. That list can be used to reject just unwanted NDNs.

Bouncing or rejecting?Back to the Index.

There's a big difference between rejecting email and bouncing email. Rejecting email is the acceptable way of handling undeliverable email, bouncing email is the one that is causing problems.

• Rejecting is done during the SMTP transfer when the sending and receiving servers are talking to each other. If the receiving server rejectsan incoming email, then the only one who will get the rejection is the sending server. If it's a legitimate email that server should notify theirlocal sender with a failure report. See RFC 5321 for details. That RFC is new as of October 2008, replacing RFC 2821. If it's spam then the sending server is probably a bot, and it's not likely to be listening. Rejections can be temporary (a 4xx code, like mail box busy) or permanent (a 5xx code like no such user). A great deal of spam would disappear forever if it was simply rejected during the SMTP transaction when no such user is appropriate. Appendix D on page 87 of the RFC has some examples of SMTP conversations. D.2 shows a rejection.
• Bouncing is done after the receiving server accepts the email and the connection with the sender is closed. So the email has to be sentsomewhere instead of simply rejected. The only way to determine where to send it at this point is to look in the headers, normally the From or the Return Path. TQMCube.com, Spamcop and other blacklists now consider misdirected bounces as spam, and they are treated as such. If your server is bouncing spam you will eventually get listed as a spam source.

The way it should work is that the sender sends an email to their mail server. That server contacts the recipient's server, which determines whether or not the email should be accepted. If it's rejected, the sending server gets that notification before closing the SMTP connection, and it's then the responsibility of that server to notify the original sender. Ideally, bounces should only be sent to local recipients, not to someone on another server since you can't guarantee the validity of the headers. A receiving server should be very cautious about notifying the original sender directly, servers should usually only provide notifications to their own users.Sender --> Sender's server --> Recipient's server --> Recipient.Effective October 2008 RFCs 2821 and 2822 have been replaced by RFCs 5321 and 5322. Apparently the main purpose was to clarify some of the statements. But there are several changes which apply specifically to spam filtering and Mail Rejection.In RFC 5321 Section 4.2.2 a 550 is defined as Requested action not taken: mailbox unavailable (e.g., mailbox not found, no access, or command rejected for policy reasons).In Section 4.3.2 it states that a 550 (rejection for policy reasons) is allowed after DATA. This allows a server to accept a message and hold the connection open [for a reasonable amount of time] while the message is scanned, then return a 550 and properly reject the message even after the DATA transfer. Many servers have been doing this, but now it's officially sanctioned.Section 6.2 deals with Unwanted, Unsolicited, and "Attack" Messages. While it discusses the importance of delivering any message that can be delivered, it recognizes the problems that can be caused by unsolicited messages:

Utility and predictability of the Internet mail system requires that messages that can be delivered should be delivered, regardless of any syntax or other faults associated with those messages and regardless of their content. If they cannot be delivered, and cannot be rejected by the SMTP server during the SMTP transaction, they should be "bounced" (returned with non-delivery notification messages) as described above. In today's world, in which many SMTP server operators have discovered that the quantity of undesirable bulk email vastly exceeds the quantity of desired mail and in which accepting a message may trigger additional undesirable traffic by providing verification of the address, those principles may not be practical.

The RFC goes on to state that bounces [as opposed to rejections] SHOULD NOT be sent in the case where they can not be expected to be usefully delivered.

Conversely, if a message is rejected because it is found to contain hostile content (a decision that is outside the scope of an SMTP server as defined in this document), rejection ("bounce") messages SHOULD NOT be sent unless the receiving site is confident that those messages will be usefully delivered. The preference and default in these cases is to avoid sending non-delivery messages when the incoming message is determined to contain hostile content.

So if your server and/or filters have determined that a message is spam, or a virus, or a phishing attempt, then it SHOULD NOT be bounced because of the additional problems that can cause. Rejections are still fine (and preferred] since that will only involve the originating server [or spam bot]. And in the case of a false positive, the originating server can still notify the sender. But do not bounce spam or viruses.For a very complete analysis of the changes in both RFCs see MailChannels' Anti-Spam Blog.Once an email has been passed on to the recipient's server, there is no longer a safe way to automatically notify the sender of problems.What have the spammers done now?Back to the Index.

Spammers have changed the way that they send spam, and this is forcing a change in the way that email is handled. It used to be A Good Thing to return email if it couldn't be delivered for any reason. Personally, up until a couple of years ago I was adamant that in my opinion all undeliverable email needed to be returned. Whether it was a bounce or a rejection didn't make a lot of difference at that time. That way the sender was notified that there was a problem and they could take steps to fix it. This worked fine as long as the vast majority of email was legitimate and had valid headers. But spammers are ruining that. In December 2006 the percentage of email that was spam went to 94%. Estimates on the amount of spam vs. legitimate emails in 2007 ranged up to 90%. In 2008 (Javascript required to see the chart) that percentage was above 95% for most of the year, dropping in October when a large spam source lost their connectivity for a while. According to Postini spam increased 146% in 2006. But it gets worse. That's just the raw numbers. Because many spammers are now using images or other attached files to try to foil filters, the requiredbandwidth jumped by 334%. Your mail servers have to be able to handle that volume increase. And now that a single spammer can send millions of emails (or more) in a day, all with forged From addresses, it's counter productive to return all the undeliverable emails. Sometimes those forged addresses belong to someone. I can guarantee that they don't belong to the spammer, so someone else is going to get the bounces. I know of people who have gotten 10s of thousands of bogus bounces a day while some spammer was doing a big run with their address. Usually it's just coincidence, but it can also be malicious if someone has irritated a spammer and they're performing a Joe Job. Any server that is the source of backscatter becomes a source of internet abuse. The resources available to determined spammers and/or someone with money to spend are overwhelming. See this wired.com article about botnets. Spammers have become very sophisticated in the way they manage their botnets, and theSpamThru Trojan is the leading example at the moment. In at least one case the botnet consisted of over 73,000 computers. In another analysis bySecureworks.com a botnet that size can send over a billion spams per day. The SpamThru Trojan even keeps it's own set of statistics, so they were able to use that in their research.Since 2006 botnets have gotten even bigger and more sophisticated. The Srizbi spam botnet in late 2008 controlled about 500,000 computers and at one time may have been responsible for up to 40% of the world's spam. Other bot nets are close to that, at least in volume. Every now and then the control center for one of them is identified and taken off-line. There's an immediate and unfortunately temporary drop in spam volumes until the bots can reestablish contact.Why you shouldn't bounce spam.Back to the Index.

Spam (and viruses) shouldn't be bounced because the From and Return Path are invariably forged. Sometimes they're not valid addresses and they go nowhere, although it takes some server and DNS activity for even that to happen. But far too often, the forged address belongs to someone. Some spammers use an address off of their mailing list as the From. It used to be common to use one address for an entire run of many thousands of spams. If someone actually owned/used that address they would get thousands of bounces. More recently the spammers seem to be inserting a different address from their mailing list in each spam, the same way they rotate the To, Subject and Body. The main reason is probably to help them get around filters that collect massive numbers of emails looking for duplicates. It also makes it impractical to block specific senders since you'll probably never get another spam from the same 'person'. When the From is legitimate, this method results in less bounces to each victim. But they're still going to someone who had nothing to do with the spam. And if you got one of those spams you're also likely to have your address used for some of the forged Froms, meaning you're likely to get some bounces yourself. websiterepairs.net has some good information on the problems caused by bouncing spam.Spammers have even started deliberately crafting their spams so that they are bounced by a poorly configured server and end up where the spammer wants them by making the From address be that of the target. Bounce spam attacks can cripple the server that is picked to do the bouncing. Bounce spam will often pass right through filters since it usually comes from legitimate servers that aren't on blacklists and the headers won't look like spam. However those legitimate servers are now getting added to blacklists as a result of sending the bounces. As an example,Spamcop now allows backscatter bounces (as well as virus notifications, out of office response and C/R emails) to be reported as spam. So I report as many of them as I can. See Note 2.What can you do about it?Back to the Index.

The best way to avoid causing collateral damage is for the mail server to filter incoming email before accepting it and reject known spam and invalid addresses. There are several things you can do.

• One of the best is to reject invalid recipient addresses at the SMTP transaction. That means of course that the SMTP server needs to know all the valid addresses. If your server is accepting mail for other servers, you may not be able to do that, and you may need to re-evaluate your setup. A large proportion of the bounces I get were apparently sent to invalid addresses and never should have been accepted by the receiving server, which would have prevented the later bounce.

  Postfix users can use these instructions to implement a Before-Queue Content Filter. The Apache Wiki has the additional steps to Integrate SpamAssassin into Postfix using spampd. There are also instructions for configuring Postfix to avoid backscatter.

• Greylisting is an excellent way to reduce incoming spam, I've seen reductions of up to 90% in the amount of spam received. When email is received for/from a new combination of addresses the receiving server simply tells the sending server that it's busy, please try again later. Since most spam senders (and viruses) send their spew without waiting for a response, they don't see the resend notice, and don't try again. That means it never clogs up the system. Even if they do pay attention and retry later it costs them time and reduces the number of spams they can send. That's one of the few things that you can do that will cost spammers money. And by the time they retry they're often listed on DNSBL's and may be rejected on that basis.
• Use a DNSBL to validate the source of the incoming email. I recommend a very conservative list for rejecting email, it's better to accept a few spams than reject some valid and wanted email. Spamhaus has a blacklist that consists of dynamic and non-MTA customer IP rangeswhich can be used to block a significant portion of zombied residential computers that are spewing spam.Remember to periodically confirm that whatever lists you're using are still functional. For instance, dnsrbl.net apparently stopped working in 2005, but was simply timing out. Recently someone changed the DNS and the server was returning a code that made every inquiry about an IP address get a response that the address was listed. That resulted in everyone who was still using that list rejecting all inbound email. One place you can check is Spamlinks.net
• It's possible to scan headers and body for spam and virus indicators before the final acceptance of the email, which means that they can be properly rejected. Most servers seem to accept the email before they scan it, then bounce it. Exim (and probably other servers) can be configured to not acknowledge the final acceptance of the email body until the scanning is complete, allowing it to be properly rejected.
• You can filter on SPF and Domain Keys in some cases, although the results are often not conclusive.
• Use local blacklists of known compromised and unwanted destination addresses.
• Do not use a Barracuda Spam Firewall. Barracudas are very effective for many things. But I have to question the wisdom of a company that specializes in dealing with spam, but hasn't got enough sense not to bounce emails that it's product identifies as spam. I've gone so far as to call them and complain, and was given the email addresses of a Division Manager and a higher level manager. Neither one bothered to respond. So I continue to report their customers as the spammers they are. Some of them have been very appreciative of the notification and have adjusted the settings. In other cases the reports are bounced as spam. Or the address that the bounce says to use for contacting them (usually postmaster@) is invalid. But the real problem is that the Barracuda's default settings are just ignorant. I"m not the only one that feels this way. Spamfighter has written Read this before you buy a Barracuda Spam Firewall. He also has a blog entry about how Barracuda Networks and their customers could to do more to stop the backscatter.November 2008: It appears that Barracuda has seen a glimmer of light under the crack of the door. Don sent me this notice he received from them:

  As of version 3.5.12, the following configuration changes will be made on ALL SYSTEMS upgrading from a pre-3.5.12 release:The Send Bounce option will be SET TO NO on all systems, regardless of your previous setting. If you wish notifications to go out to any sender whose email was blocked, you can re-enable this option from the BASIC-> Spam Scoring page, in the Spam Bounce (NDR) Configuration section.Version 3.5.12 firmware was released on 10/24/2008.

  There is no effective warning about the risks of re-enabling it though. At least they recommend not turning it back on. Don sent me the text of the help pop-up too:

  Spam Bounce (NDR) Configuration
  Send Bounce controls whether notifications are sent to senders when a message is blocked due to spam scoring or content filtering. No is recommended.When a bounce message is about to be sent, the Check SPF for Bounce Recipients option first validates the email against the sender's Sender Policy Framework (SPF) records; if the email fails the SPF rules, no bounce message will be sent.This configuration option differs from the SPF Configuration settings on the Advanced > Email Protocol page in that the SPF Configuration settings decide whether SPF lookups should be used to determine the spam status of a message, whereas the Check SPF for Bounce Recipients option decides whether an SPF lookup should be performed after a message has already been determined to be spam, to avoid sending email bounces to forged sender addresses.Regardless of this setting, no bounce message will ever be issued for messages that were determined to be spam because of SPF match failures; thus, it is unnecessary to enable this option if general SPF checking has been enabled.

  The good news is that no bounces will be sent to any address that fails an SPF check. The bad news is that it looks like those settings default to Off, and since there are a lot of domains not using SPF, they'll still get the backscatter bounces even if the setting is enabled.November 2009: Just over a year ago Barracuda started using their own blocklists. They use what they call aReputation System to reject email from IPs that they have identified as spam sources. They also use a URL filter as part of that system, it blocks emails if there's a listed URL in the email. You can check to see if your mail server's IP address is listed using their Lookup page. There's a removal request page you can use if you've been listed. And if you want to avoid the risk you buy your way off the list. Keep in mind that you have to pay for each set of IPs and domain names, if you have more than one domain name, or mail server, you need to pay more than once. Not only do they use non-standard techniques and lots of buzzwords, but you can simply buy your way off the list and not have your email blocked, all of which makes me question their competence. Again. If you're using a Barracuda Firewall, you should give careful consideration to the use of their blocklist, there are better options out there.

For those servers that accept mail for upstream servers and therefore don't have a list of final recipients, you may be able to combine greylisting with address verification. Temporarily reject the initial email if it's not an already known sender/recipient combination. Then request an address confirmation from the final server before the sending server makes another attempt. If the final server reports the address as invalid, reject the next attempt. It would be a good idea for the final server to only perform address verifications that originate from specific servers so that spammers can't use that function to generate or clean mailing lists. That puts the burden on you, but that's the way that spam works unfortunately, the sender has minimal costs of any kind and the recipient bears the burden.If your server forwards to an AOL server and gets a 554 response, that email may be deleted. AOL gives a 554 when the body of the email contains domain names that are associated with spam or phishing.

Devon Granger has written a Windows ITPro Ebook titled Email Discovery and Compliance. The previous copies that had unlimited access seem to have been removed, free registration is required to view this one. The relevant section is a sidebar in Messaging Security. It's an excellent discussion of why it can be cheaper in resources to Reject spam rather than deal with it beyond the first server. Remember that by some accounts up to 90% of the email your server processes is spam, get rid of it as soon as you can.But remember this is all rejecting before the SMTP transaction is completed. There are several advantages to this. One is that rejections only go back to the computer that's attempting to send the email, and if it's a legitimate server with a legitimate email the true sender will get the non-delivery notification. Another major advantage is that rejecting spam reduces the load on everything except the sending server or spam bot, and that makes it the spammer's problem.If your mail server is accepting the email for processing rather than rejecting the ones that you don't want, then you can add some processing steps that will sort the majority of spam locally to reduce the backscatter bounces. If you must accept mail then bounce some, based on the backscatter I get a great deal of backscatter can be eliminated by:

• Not bouncing invalid addresses. Looking through the email I receive well over 99% of email to invalid addresses is spam. The majority to a relatively small number of addresses. You could blacklist and delete any email to those addresses if the number is small enough at your server. Or simply route them all to a folder for periodic inspections and deletions. Do not bounce them. For those who are unable to properly reject emails to invalid addresses, bouncing them can no longer be considered responsible. Remember that the updated RFCsstate that bounces shouldn't be sent unless you're reasonably certain that they can be usefully delivered.
• If your filters identified it as spam, just delete it, don't bounce it. In many filters there's an option for that. If your filter is having too many false positives, get a better filter.
• Most over quota mailboxes are probably abandoned. Identify the addresses that are over quota and determine if that's the case. If so reject or delete all email to them. If it's a current user either increase their quota or make them keep up.
• If your filters identified it as a virus, delete it. The From is forged and you're just spreading it around if you bounce it.
• Don't use Out Of Office auto-replies. Have someone check your email, or forward it to someone so they can do it for you. Don't expect me to do it.
• Don't use Challenge/Response for spam control, it may be a solution for you, but it's part of the problem for everyone else.

Auto-responders and Out of Office messages.Back to the Index.

If someone will be away for a while and their emails can't wait, let whoever is taking care of their work also take care of their emails. Considering that over 90% of email traffic is spam, over 90% of your Auto-responses have the potential to be backscatter. Spamcop.net has some suggestions if you absolutely must use an auto-response of some kind, including Out of Office messages. Among other things, put a spam filter in front of it so that anything with even a remote likelihood of being spam is diverted and/or deleted before it can be responded to. This is a place to use an aggressive spam filter. Delete things that are certainly spam. Have someone inspect anything that may be spam so that a human makes the final decision. That will minimize auto-responses to spam, which will go to forged From addresses. Your Auto-responses are also more likely to be rejected or identified as spam now that spammers are abusing Auto-responses to get past filters.Challenge/ResponseBack to the Index.

As a spam filter, Challenge/Response has got it exactly backwards. It may block the spam sent to the person using C/R, but it puts the burden of doing that on the other people who may want to write to that person. Worse yet, with the proliferation of forged Froms in spam, it dumps those C/Rs on people who have no connection with the spam or the intended recipient. With estimates of up to 90% of all email currently being spam, that could mean that up to 90% of Challenges are going to someone who wasn't involved in the original email. C/R may be relatively effective at blocking the spam for the intended recipient, but it increases the spam for others. Plus it's easily abused and relatively easy to circumvent. And finally it causes no trouble for the spammers who never see the challenges and don't seem to care if their spam actually gets delivered. After all, they're just playing the percentages anyway.Challenge/Response will eventually get your mail server listed on blacklists. Remember that spammers forge the From addresses on their spam runs, generally using other addresses from their lists. A percentage of those harvested addresses are going to belong to spamtraps and eventually one will end up as the forged From on a spam sent to a user on your server. When their C/R goes back to that spamtrap, your server is listed. If your server is or has been listed at backscatterer.org the odds are good that it will end up on other lists too.If you're still unconvinced, go read the opinions of some people who say it much better than I do. There's a 971 KB PDF file from John Graham Cummings on why he hates Challenge/Response. Or you can read Google's HTML version. There's a long article about Challenge/Response fromKarsten Self. Richard Clayton doesn't think much of C/R systems and points out a number of things wrong with them. I use the link to thisSpamcop article when I respond to to a C/R, which also releases the spam to intended target. I didn't send the spam, I don't want to get your challenge to it. I report all C/Rs as spam.What about viruses?Back to the Index.

Basically everything that applies to bouncing spam applies to bouncing viruses. Even more so since the bounce can actually be dangerous in this case. For some idiotic and certainly outdated reason most of the bounced viruses I get include the virus. And many of them are bounced becausethe email is identified as containing a virus. I know that because the bounce message very politely informs me that a virus was found in the email, so they're sending it back. Well then, delete the thing, don't pass it on. Since I didn't send it, I'm probably not infected. Hopefully I'm smart enough not to get infected by the bounced virus. But some of those bounced viruses probably will go to someone who wants to see that Video of Saddam's hanging or that picture of Natalie naked. And since many, maybe even most, of the recent email viruses are being sent by spammers to increase the size of their bot fleet, you're just making it worse in several ways when you pass that virus on. Bouncing a virus to a forged From just increases the chance of infecting additional computers.How do you test your server?Back to the Index.

You may want to test your mail server to be sure that it's doing what you expect. Another case where you may want to do some testing is if you're a domain owner who wants to see how your domain host is handling spam. Be advised that the mail server may do different things in different situations. Two examples are invalid addresses and matching a rejection rule. A lot of the backscatter spam I get was sent to an invalid address. Many mail servers are accepting mail before they validate the recipient address, then bouncing it when they determine that it's not valid. Often this is because a server further along the path has the address list. It's good to test both invalid addresses [if appropriate] and a server rejection rule. Keep in mind that a rejection rule in your mail client will work very differently than a rule at the server level. You should never bounce email once it's gotten as far along as your mail client. You will also need to be able to send email through a different server than the one you're testing.

• If you know with absolute certainty that unknown addresses are rejected, you can send email to an address that isn't in your list of valid addresses. It should be rejected not bounced. To test rejection rules (DNSBL, address blacklists, etc.) you'll need to be able to set up a rejection rule on the server. It can't be a rule in your email client since that gets the email after the original SMTP transaction has closed and it's too late to reject so all you can do then is bounce it, and you don't want to do that. If your mail host allows you to set up specific spam filters you can do that, perhaps by making a rule that will reject (or delete) mail with a certain unlikely word in the subject. You don't want it to catch anything other than your test email. Delete your test rule when you're done.
• You need to send an email that will be rejected and has a Return Path that is different than the From. It should be a different domain with a different mail host to make it clear where the rejection ends up and how it gets there. Ideally it needs to be sent via a third mail host. As far as I know you can not do this with any web mail, even one that lets you appear to be sending with a different From address. Make sure that the email really does have the headers you need by sending one to yourself and checking.
• Be sure to substitute your own appropriate domains here where I use examples. Send a test email to your example.org account with the right subject using your mail server at example.com and with the From set to be example.net. I used one of my Gmail addresses as the From. The mail should go from the sending email program to your email host, which will send it to the receiving email host that you want to test. That server should reject it based on what you're testing, and refuse to accept it. If that happens, the first server will return it to the account that sent it. If the receiving server accepts the email before determining that it needs to be refused, then it will have to send it back to the different From address (Gmail in my case). If the bounce shows up at that different address, it's not being done right and you could be part of the backscatter problem. There are a lot of variables in the test though, so double check that it makes sense for your situation. And that the test email is set up properly.

Could it be too late? How to see if you're already listed.Back to the Index.

If your server has been bouncing spam and viruses, you could already be in some Blacklists. Many of these lists are based on spam trap addresses that have been posted where spam bots can harvest them, and they're never used for anything else. Any emails to those addresses can safely be assumed to be spam, and the sender is automatically added to their blacklist. With the increasing tendency of spammers to rotate forged Froms in their spam run, they are more and more likely to use one of those spam trap addresses as the From. If that spam happens to be sent to your server and you bounce it, that bounce will go to the spam trap. Since your server was the last one to handle it, that would be considered to be the source of the spam. In the past most blacklists seemed to be willing to exclude bounces from causing a server to be listed. Due to spammers latest methods that's changing. Backscatter has become such a problem that bouncing servers are now being listed more aggressively. And if your server is on a blacklist, any mail server using that list to determine if an email source is a spammer is likely to reject your user's emails.One place to check the status of your server is mxtoolbox.com. They will look up your IP Address in over 100 different databases. To use it, enter your mail server's IP address in the box and press the Lookup button. The results page will give you a summary at the top of the page, and a list of all the DNSBLs queried. Each line in that list will have a link to the DNSBL's web site. Ones that have the tested IP address flagged as a spam source will be listed at the top. You can use the link to go to the site and find out how to try and get de-listed. Some lists are easier to get off of than others. Remember that these lists are used by mail server admins to determine whether or not to accept mail sent from you and/or your server. You do NOT want to get on any of these lists.DNSStuff.com used to have a free spam database lookup, but now you have to register for the free 30 day trial, then pay to use it after that.You can use SenderBase.org to look up statistics for your server's IP address to see if there are problems with it.You can check to see if your server has been a backscatter source at backscatterer.org. This list is only backscatter sources and should not be used for normal spam filtering.While not all blacklist sites have a way that you can query their database via a web page, DNSStuff.com and Mxtoolbox.com can still check many of them. But if you want to check some specific sites or to get more information on how they work here's a few individual sites.

• At SORBS use the "Database check" at the top left of the page.
• Spamhaus has a box at the bottom of the page.
• UCEProtect-Network will let you check your IP. It defaults to filling in the IP address you're using to visit their page.

Getting Backscatter yourself?Back to the Index.

If you're getting hammered with Backscatter yourself there are only a few things you an do, and what they are depends on how much control you have over the server. If you're an end user about all you can do is report the sources as spammers and hope that they get a clue. They can be reported pretty easily using Spamcop.net. Note that it's .net, the .com site is someone else, apparently capitalizing on the name similarity. When you report sites as spammers, Spamcop.net will send a notification email to them or someone upstream. Feel free to include a link to this page. The only other thing you can do is to create some rules to filter or delete Delivery Status Notifications.

backscatterer.org provides a list of servers that have been a source of backscatter bounces or sender callout. Their front page has a line showing the number of servers currently listed. Servers drop off the list after 4 weeks with no repeated backscatter so it's a good indicator of spam volumes. During 2008 the number has ranged from a low of 49,006 up to 88,064 at the times I've checked.

Someone sent me this rule that he's using with Exim. It will reject emails with a Null Return Path if the source is listed at backscatterer.org and include a message suggesting that they fix their server configuration. At the time it was rejecting about 50% of his backscatter, but that percentage should improve as their list gets bigger. (Verify the format of the rule before using it.)

deny senders = :
dnslists = ips.backscatterer.org
message = This message looks like a bounce, and your server is listed at \
ips.backscatterer.org, so I assume that this is "backscatter". \
Please configure your mail server to not send "backscatter spam". \
For advice, try http://www.dontbouncespam.org/

Note 1

Because of the volume of bounces I'm getting I now report most of my backscatter bounces through Spamcop. If I have time to do a little research I'll include a notification to the domain because Spamcop often sends the report upstream. Sometimes I'll go to the trouble of checking a website for a contact address and use that via Spamcop. Occasionally I'll find that that address turns out not to be valid. For a lot of reasons you want to be sure that addresses listed on your website are valid. I do recommend obscuring them to minimize harvesting and the amount of spam sent to them. You should also make sure that your domain has a valid reporting/contact address. You can register one at Abuse.net and Spamcop will use that. At least that way you'll know about problems instead of having the reports sent to dev null or someone upstream who may not contact you. Many bounces contain a contact address (usually Postmaster@) to use in case of problems. It appears that they are often just the default address that came with that function of the mail server rather than a deliberately chosen, working address. I have sometimes used that address for notifications since it's specifically listed in the bounce as a contact address. And sometimes that bounces too.

Note 2

My single report of a bounce will probably not get a server put on a blacklist. However sometimes in a large spam run I'll get several bounces from the same server, and if I report all of them that may be enough to blacklist the server. The way I do it should get the admin a notification of the problem though, assuming that there is a contact address available. And keep in mind that if I'm getting backscatter, others almost certainly are too. And if they're also reporting them that can result in blacklisting. If you have the ability, check the logs and see how many emails are being bounced to get an idea of how much backscatter you're generating. Remember that way over 90% of those bounces are likely to be spam, with forged addresses that may land them in someone's inbox, or a spamtrap.

Whenever I have time, I try to notify the actual sending server, instead of just going upstream. Often that requires checking a website, and if your pages require Flash and/or Javascript just to see anything, you'll never hear about your problem directly from me, I'll just report your server using Spamcop. At a minimum you should be sure that your pages degrade gracefully for those who don't want all the bells and whistles. One thing that will increase the likelihood of me reporting backscatter no matter how busy I am or how many I get is an indication that it was identified as spam and bounced anyway. This especially applies to anything from a Barracuda Spam Firewall or anything similar. You'd think that a company that deals with spam for a living would know better than to recommend bouncing spam. I also aggressively report all Challenge/Responses.

Links:Back to the Index.

www.uceprotect.net has a list of 4 suggested steps to reduce email abuse.

UCEProtect.net also has Backscatterer.org which specifically lists servers that are the source of backscatter abuse.

Barracuda Networks and their customers could to do more to stop the backscatter is a blog entry from Spamfighter, who also gets a lot of Barracuda Backscatter. He lists two major problems with the Barracuda Spam Firewall, both of which could easily be fixed, but Barracuda appears to prefer remaining clueless and ignorant.

Chris Fuhrman has an interesting analysis of the headers of some email that became backscatter.

SpamFighter's home page has links and information about backscatter. He gets lots of it, even more than I do.

If your domain does not have a contact address registered for people to use in case of abuse, you can register one by following the instructions atAbuse.net.

Spamlinks.net have some pages explaining some of the problems with Backscatter.

Spamlinks.net also has some links to spam filter vendors explanations of why their product doesn't include a bounce function, followed by a list of spam filter vendors that do bounce spam. These products should have that feature disabled and they've included links to instructions. This includes the Barracuda spam firewall, which has the spam filter set to bounce by default. Barracuda's are the source of a significant percentage of my bounces. To turn off the bounce change the Send Bounce setting from Yes to No on the Spam Scoring page. At least they recommend not bouncing viruses, although it is possible to turn it on. Don't do that. In late 2008 a firmware upgrade for Barracudas finally set the bounces options to No by default.

spam.abuse.net has links to lots of articles and sites related to combating spam.

Spamnix.com has an explanation of why their product won't generate fake bounces, which coincidentally is exactly why spam shouldn't be bounced at all.

RFC 5321 lays out the specifications for the SMTP protocol. Also see RFC 5322 Internet Message Format. Effective October 2008 these replaceRFC 2821 and RFC 2822.

A Wikipedia.org article on Backscatter.

What's wrong with bouncing spam from Castlecops.com.

2 bounce or not 2 bounce from georgedillon.com

The problem with fake bounces from spamfaq.net This site may not be available any more.

Why Spampal doesn't include the ability to fake bounces.

Spam Zombies are the source of a lot of spam that ends up as backscatter.

Spamsieve is a Bayesian spam filter for email clients running on MACs.

reference http://www.dontbouncespam.org

And now, Ziatron, I hope you see why repeating the links that we have already been given before in these threads is a waste of time.

There are a couple of condescending juvenile people with nothing to do but spam us with extremely long repetitions of information that has nothing to do with how I and anyone not insane use the Bounce function.

The Bounce function is NOT properly used to send back "spam," which the harassing people scolding those providing the links to Restore Bounce can't get through their heads is NOT how we use it and was never the point.

It is properly used in sending mail back to people you personally KNOW who you were having a conversation with or who you were on an email list with who ignore your request to stop writing you -- people you personally know who are harassing you, NOT people (either not known to you or known to you) who have had their addresses forged. It is very obvious when that occurs but these people who keep backscattering long replies and trashing people in this forum for providing a link have no clue how to properly use it and keep preaching to people about how not to use it. We KNOW how not to use it -- I have not used to bounce back a "spam." He thinks we all use it to send back advertisements, which means it does not actually reach the sender. We are not USING IT THAT WAY but his brain can't wrap around that.

So to spare us more harassment by this spamming rude and hateful person who attacks people who ask how to get Bounce, please stop repeating the sending of the links. The links have been provided several times.

As you mentioned they are at:

http://download.cnet.com/Restore-Bounce-Mail-Button-To-Lions-Mail-app/3640-20429 _4-75629050-1.html

http://www.jarnot.com/archives/2011/08/restore-bounce-message-functionality-to-o s-x-lion-mail-app.php

and probably other places. Thanks for telling us. But let's close the thread because there is a circular thing going on where this guy who has nothing else to do wants to keep harassing people who share the link to the Restore Bounce third party download.

***As stated before numerous times - don't use it to send back "spam" as that will only create "backscatter" since the person you send a "spam" back is not the sender but a hapless victim whose address was put into the spam.

Use it only when people harass you or people such as a politician you once wrote who collected your email address during a past communication, whose address is NOT FORGED, won't take you off an email list that has no auto remove, after you've asked them nicely a couple of times. Or for other select situations, not to routinely send back a spam, since bouncing a "spam" creates more harassment of an innocent person whose address was forged. Repeating the links in here now that it's already been answered and extending this thread will subject us to more spewing harassment in our inboxes from someone it would be nice if we really could use this Restore Bounce to deter (but it will only go to apple and not him unfortunately). Unfortunately some of the people in here who like to yell "don't use it for spam" can't understand that's not how it is used, so please don't keep repeating the link.

to those finding the thread later, please just search through the thread and you'll find the link to Restore Bounce, don't use it the wrong way (such as to bounce spam), and ignore the harassers who are trying to intimidate people who want the feature restored. Hopefully the thread will one day come to an end now until the download is not available and needed again.

Please explain how one may verify that an address is not forged,

(people such as a politician you once wrote who collected your email address during a past communication, whose address is NOT FORGED, won't take you off an email list that has no auto remove, after you've asked them nicely a couple of times)

Where can this information be found?

Here is the earlier sentence you MISSED in your zeal to quote me out of context:

"It is properly used in sending mail back to people you personally KNOW who you were having a conversation with or who you were on an email list with who ignore your request to stop writing you -- people you personally know who are harassing you, NOT people (either not known to you or known to you) who have had their addresses forged."

The sentence I wrote about politicians -- I'm sorry you can't tell the difference between a person who INTENDS to send you a political email whose reply address IS clearly the correct email address for the political office sending it and whose office you have previously emailed and whom you know how they got your address and how it's a valid email but does not actually have an autoremove and how I phoned their office before I resorted to Bounce and they acknowledged that they put everyone on a list who writes their office as a routine matter without giving us a choice to opt in or out -- but it's very very clear and I made sure and I told you we typically ask people to remove us or to stop writing us nicely several times before we resort to Bounce. Bounce does work after all else fails with these people. Sometimes they are just lazy. And when it's a conversation with an acquaintance where it turns ugly and they harass you, sometimes that's all that works as well.

It is CLEAR to anyone who is not a moron when they are on a valid email list. They get valid news from a real address. But if they ask to get off the newsletter list and it does not have an autoremove function and you write them emails or phone and they still don't take you off, Bounce does help.

When you are getting a SPAM, it is typically to advertise a product and it is of course from an address we assume to be forged so we don't use Bounce for that. I'm sorry you don't know the difference and this thread was not created to inform the people who don't know how to use the Bounce function properly how to use it. The thread was to inform people who wanted the functionality back where the links were to the third party software. I'm tired of the smug, snide replies scolding us about a function called Bounce that the scolders do not know how to use properly. Please cease haranguing and scolding and give us benefit of the doubt that we are sentient beings who know how to use it and stop dragging this out. If you need a tutorial on how to use it I'm sorry but this is not the thread for that. The thread did not ask how to use it.

You properly use it for KNOWN senders and we actually are not so stupid that we don't know the difference even though you think we are.

I read the whole thing but you failed to tell me where I can verify a politicians email address (your choice of subject, not mine) and you are exceptionally rude so I couldn't care less about your issues.

You really can't backup anythng you say except with insults. Futzak.

I actually did tell you how. You know when you are on an email list from a politician that provides valid news from their organization and is not selling something, and you write to them and they reply saying they will take you off the list (thus the address is validated although it was already clear it was valid) or you phone them and they say yes, you are automatically put on the list, and you still keep getting the list mail even after talking to them. There are clear ways to know when you are on a valid list as opposed to receiving advertisements.

I am sorry you can't tell the difference between forged advertisements and valid lists that you did not want to stay on and talk to the sender about getting off of. Or people you were talking to whom you know who harass you but those are the typical ways you use it and it's very clear and i'm sorry you can't read english.

People who are too stupid to know the difference should not use Bounce - so those of you barking at us about how you can't tell the difference, please just don't use it and stop bugging us.

All you did was stamp your little feet. Insult instead of argument is the route taken by self serving idiots.

Your calling me an moron is the high spot of your post, go bounce that.

Dude, i'm sorry you don't like a taste of your own medicine but i did in fact answer your question in full. I told you that Bounce is never the first resort. It is the last resort after a conversation. We are not blindly sending the bounce to people we've never talked to about stopping sending us mail. We ask them. They keep writing and they are people we KNOW, not a forged message. I'm so sorry you just can't understand the scenario and haven't had to deal with people who won't stop writing you or sending you list messages even after you ask them to take you off the list and who have TOLD you they will -- so it's a real conversation involved. If you don't know the difference between a real conversation and spam, you really miss the point and no one can help you.

You are an insulting little person, ego issues?

afromwest melbourne wrote:

Bounce mail

Here's a link to a third party add on for "Bounce" functionality.

I like bounce. I use it a lot and i don't seem to have repeat spams. On the tech side of it working or not I'm not qualified to comment. But my experience has thus far been positive and it does give me a sense of satisfaction to bounce spams back.

http://download.cnet.com/Restore-Bounce-Mail-Button-To-Lions-Mail-app/3000-20429 _4-75629050.html

Above was the original reply that answered the thread with what was asked, along with other helpful links like this from Ziatron:
quote from ziatron>>>

http://download.cnet.com/Restore-Bounce-Mail-Button-To-Lions-Mail-app/3640-20429 _4-75629050-1.html

http://www.jarnot.com/archives/2011/08/restore-bounce-message-functionality-to-o s-x-lion-mail-app.php

Bounce is a “must-have” for many people. For that reason you'll find several solutions on the web.

<<< /end forward from Ziatron

The pounding of "why" certain off-topic people don't want to see us use it with ill-informed opinions about people they think are so stupid that we would be sending back spams (which is not how we use it - it is used when talking to people you know who have not had their accounts hijacked who you have asked to stop writing and who don't even if they tell you they are going to, not sending back advertising spam by forged senders) should be ignored by visitors. Just go to the first reply and the answer is there. The thread is not about how to use it or why you should or should not use it, contrary to the trolls pounding the thread with pages of childish spew garbage.

I did not renew the thread. I got stuff in my inbox again from Ziatron and then petermac and Csound beginning on April 14, thought it was a bunch of repetition and replied, then defended myself from the resultant spew; I did not restart anything -- I reminded people the question has already been answered..

I'm pointing this reply back to the person with the first good answer -- afromwest melbourne - not to reply to him but to point back to the first good reply that has a green star by it so people remember that the thread has been over a long time despite the attempts by several people to extend it. It was a useful thread but it's turned into a place for angry, childish, off-topic spammers to tell people off so the ones who care for the Bounce Restore third party app for the Apple Mail program should stop reinitiating an opportunity for spammers to spam and pound their off topic views -- the topic is not whether to use it or why or why not, but WHERE TO GET IT. Thanks to afrompop for having answered this thread a long time ago.

rivmo wrote:

afromwest melbourne wrote:

Bounce mail

Here's a link to a third party add on for "Bounce" functionality.

I like bounce. I use it a lot and i don't seem to have repeat spams. On the tech side of it working or not I'm not qualified to comment. But my experience has thus far been positive and it does give me a sense of satisfaction to bounce spams back.

http://download.cnet.com/Restore-Bounce-Mail-Button-To-Lions-Mail-app/3000-20429 _4-75629050.html

Above was the original reply that answered the thread with what was asked, along with other helpful links like this from Ziatron:
quote from ziatron>>>

http://download.cnet.com/Restore-Bounce-Mail-Button-To-Lions-Mail-app/3640-20429 _4-75629050-1.html

http://www.jarnot.com/archives/2011/08/restore-bounce-message-functionality-to-o s-x-lion-mail-app.php

Bounce is a “must-have” for many people. For that reason you'll find several solutions on the web.

<<< /end forward from Ziatron

The pounding of "why" certain off-topic people don't want to see us use it with ill-informed opinions about people they think are so stupid that we would be sending back spams (which is not how we use it - it is used when talking to people you know who have not had their accounts hijacked who you have asked to stop writing and who don't even if they tell you they are going to, not sending back advertising spam by forged senders) should be ignored by visitors. Just go to the first reply and the answer is there. The thread is not about how to use it or why you should or should not use it, contrary to the trolls pounding the thread with pages of childish spew garbage.

I did not renew the thread. I got stuff in my inbox again from Ziatron and then petermac and Csound beginning on April 14, thought it was a bunch of repetition and replied, then defended myself from the resultant spew; I did not restart anything -- I reminded people the question has already been answered..

I'm pointing this reply back to the person with the first good answer -- afromwest melbourne - not to reply to him but to point back to the first good reply that has a green star by it so people remember that the thread has been over a long time despite the attempts by several people to extend it. It was a useful thread but it's turned into a place for angry, childish, off-topic spammers to tell people off so the ones who care for the Bounce Restore third party app for the Apple Mail program should stop reinitiating an opportunity for spammers to spam and pound their off topic views -- the topic is not whether to use it or why or why not, but WHERE TO GET IT. Thanks to afrompop for having answered this thread a long time ago.

You unfortunately are simply obsessed with this one thread and are the only one who is keeping it open, for ego reasons no doubt. You refuse to concede you are a self-confessed spammer and are only trying to troll. You want the last word. Won't happen.If this thread truely annoys you when you get email notifications, then unsubscribe. Or don't you understand how that works either? 😉

Cheers

Pete