Posted to server-user@james.apache.org by sa...@twinix.com on 2008/04/20 19:08:15 UTC

Email Address Used by a Damn Spammer

See Thread at: http://www.techienuggets.com/Detail?tx=33187 Posted on behalf of a User

Hi,

Some (nice) person used my email address to send millions of emails. Even though the email wasn't sent from our SMTP server, the from address has my email, so all the bounces are coming back to me. I have set up a rule to delete them but there should be some other way. I'm surprised the servers bouncing the email aren't verifying that the email didn't originate from our domain and are simply sending them to my email address which was forged by the spammer. I guess this is just a rant. Not sure much can be done about it.

John Haskel



---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org


Re: Email Address Used by a Damn Spammer

Posted by David Legg <da...@searchevent.co.uk>.
Timothy Collett wrote:
> David Legg wrote:
>> I think this would be much more effective than SPF which relies on 
>> everybody correctly implementing it for it to be effective.
>
> However, by your description, VERP still relies on your own mail 
> server to process the mail and discard it--which means you'll still be 
> getting flooded with emails you don't want.

True... I can see the beauty of cutting spam out of the picture as early 
as possible.  But of course even SPF looks as if it will generate a lot 
of DNS lookups (and therefore lots of net traffic) as it attempts to 
determine the legitimacy of the email.  I don't have hard figures but 
experience shows the average size of spam messages appears to be getting 
smaller and smaller.  Most of the stuff I get is one line long as the 
spammers desperately try to shed any context which might identify the 
message as spam.  Indeed some seem so desperate they even squeeze out 
the spaces between words!

If this trend continues I can't believe that all the extra DNS packets 
flying about in an attempt to validate the email add up to any less than 
the spam itself.
>
> SPF may not be implemented by everyone, but those mail servers that 
> *do* implement it, if I understand correctly, should avoid sending 
> such mails on to your server in the first place.
>
> ...Which, of course, leads to the conclusion that the most effective 
> solution would be a combination of both ;-)

I agree ;-)

David Legg



Re: Email Address Used by a Damn Spammer

Posted by Timothy Collett <da...@mac.com>.
David Legg wrote:
> I think this would be much more effective than SPF which relies on 
> everybody correctly implementing it for it to be effective.  I read 
> recently [2] that even a large organization like PayPal mucked up their 
> SPF entries leading to people being prevented from subscribing.

However, by your description, VERP still relies on your own mail server 
to process the mail and discard it--which means you'll still be getting 
flooded with emails you don't want.

SPF may not be implemented by everyone, but those mail servers that *do* 
implement it, if I understand correctly, should avoid sending such mails 
on to your server in the first place.

...Which, of course, leads to the conclusion that the most effective 
solution would be a combination of both ;-)

Timothy Collett

-- 

The only thing you can't trade for your heart's desire is your heart.

~ Miles Naismith Vorkosigan



Re: Email Address Used by a Damn Spammer

Posted by Danny Angus <da...@apache.org>.
On Mon, Apr 21, 2008 at 8:10 PM, Tor-Einar Jarnbjo
<to...@jarnbjo.name> wrote:

>  However, I still don't see the point in VERP anyway. It obviously would
> confuse your recipients, as they get mails from you from different addresses
> each time.

No, that's not how it works, it's the Return Path that changes, the
Return Path is used by bounces.
This list uses it, the mail I'm replying to has a return path of:
Return-Path: <se...@james.apache.org>

You would then discard any bounces which didn't have the correct verp
form of address.

d.



Re: Email Address Used by a Damn Spammer

Posted by Tor-Einar Jarnbjo <to...@jarnbjo.name>.
David Legg wrote:
> I'm not sure I follow.  I was assuming that you only apply the VERP 
> technique to test incoming messages that are bounce messages.  I 
> vaguely recollect that this is a problem in itself as not every mail 
> agent uses a standard for this.
That's true. There is a standard for generating bounces and most mail 
servers implement it correctly, but I get a lot of bounces or other more 
or less clever replies to spam mails with forged sender addresses, which 
are not formatted correctly. Out-of-office replies and some kind of 
clever "you have to click this URL to confirm your mail" are rather 
common as well.

However, I still don't see the point in VERP anyway. It obviously would 
confuse your recipients, as they get mails from you from different 
addresses each time. If a recipient copies one of your sender addresses 
to his/her address book, will the receiving server accept more than one 
mail to that address? And if it is only able to filter out correctly 
formatted bounces anyway, it is rather easy to do that without messing 
with VERP. I am not sure if it is really required, but most mail servers 
include at least the beginning of the causing mail, when they generate a 
bounce. After checking for fake received-headers, it is not too 
difficult to determine if the causing mail originated from a "trusted 
source".

Tor





Re: Email Address Used by a Damn Spammer

Posted by David Legg <da...@searchevent.co.uk>.
>>> Furthermore if people use multiple SMTP servers to send messages 
>>> out then you will lose the bounces to messages they sent via other 
>>> SMTP servers not using VERP.
>>
>> This could be overcome with each SMTP server accessing a shared 
>> database of VERP entries.
>
> No. As an example when I use my mobile phone I have to use a specific 
> SMTP server of my mobile operator. I can anyway specify my real email 
> address and that domain is managed by my JAMES server.
> If I used VERP in my james I would not receive bounces to messages 
> sent by my mobile phone.

Thank you.  That example strikes the death-knell for VERP for me!
>
>>> Unfortunately in SMTP there is no rule that the outgoing SMTP server 
>>> has to be the same as the MX server for the sender domain.
>>
>> Which is precisely the problem with SPF.  In SPF, you must list all 
>> possible SMTP servers for your domain.  This gets tricky when you are 
>> using a third party to manage your address lists and they change the 
>> IP address of their SMTP servers without telling you!
>
> With SPF I can tell the world that my mobile operator is a valid 
> sender; instead, I cannot ask my mobile operator to use VERP shared with 
> my JAMES server ;-)

Point taken ;-)  Although to be fair, I think you will find it very hard 
to get an exhaustive accurate list of potential SMTP servers that might 
be used to forward your email from.  I believe SPF allows you to specify 
sending domains with regular expressions.  So you could say any IP 
address from the *.mymobilephonecompany.com.  However, that does incur a 
lot more network activity from your mail server as it checks the IP address.
> I'm not saying that SPF is better than VERP. None of them will save us 
> from spam. I just wanted to point out some VERP issue so our reader 
> will be less surprised later.

Thanks again.  I've learned a lot too!

David Legg




Re: Email Address Used by a Damn Spammer

Posted by Stefano Bagnara <ap...@bago.org>.
David Legg wrote:
> Stefano Bagnara wrote:
>>>> The only thing you can do against this is to use an SPF entry
>>>> ( www.openspf.org ) and hope the remote mailserver uses SPF.
>>>
>>> You could implement VERP!
>>
>> This is not enough, anyway. You will also have to recognize incoming 
>> messages destined to non VERPed email addresses as delivery 
>> notifications to remove them.
> 
> I'm not sure I follow.  I was assuming that you only apply the VERP 
> technique to test incoming messages that are bounce messages.  I vaguely 
> recollect that this is a problem in itself as not every mail agent uses 
> a standard for this.

Right. Unfortunately a standard for bounces exists, but not every 
software is compliant.

>> Furthermore if people use multiple SMTP servers to send messages out 
>> then you will lose the bounces to messages they sent via other SMTP 
>> servers not using VERP.
> 
> This could be overcome with each SMTP server accessing a shared database 
> of VERP entries.  Realistically though, are there that many James based 
> server farms out there that would need to do this?

No. As an example when I use my mobile phone I have to use a specific 
SMTP server of my mobile operator. I can anyway specify my real email 
address and that domain is managed by my JAMES server.
If I used VERP in my james I would not receive bounces to messages sent 
by my mobile phone.

>> Unfortunately in SMTP there is no rule that the outgoing SMTP server 
>> has to be the same as the MX server for the sender domain.
> 
> Which is precisely the problem with SPF.  In SPF, you must list all 
> possible SMTP servers for your domain.  This gets tricky when you are 
> using a third party to manage your address lists and they change the IP 
> address of their SMTP servers without telling you!

With SPF I can tell the world that my mobile operator is a valid sender; 
instead, I cannot ask my mobile operator to use VERP shared with my JAMES 
server ;-)
I'm not saying that SPF is better than VERP. None of them will save us 
from spam. I just wanted to point out some VERP issue so our reader will 
be less surprised later.

> I must confess I don't use VERP (or SPF) to manage my spam.  I rely 
> heavily on the Bayesian analysis code.  Everything except mail from 
> authenticated users or from whitelisted addresses gets passed through 
> the filter and rejected if it doesn't pass.  This way even so called 
> bounced messages get rejected if they don't look right.

Same here.

Stefano





Re: Email Address Used by a Damn Spammer

Posted by David Legg <da...@searchevent.co.uk>.

Stefano Bagnara wrote:
>>> The only thing you can do against this is to use an SPF entry
>>> ( www.openspf.org ) and hope the remote mailserver uses SPF.
>>
>> You could implement VERP!
>
> This is not enough, anyway. You will also have to recognize incoming 
> messages destined to non VERPed email addresses as delivery 
> notifications to remove them.

I'm not sure I follow.  I was assuming that you only apply the VERP 
technique to test incoming messages that are bounce messages.  I vaguely 
recollect that this is a problem in itself as not every mail agent uses 
a standard for this.

> Furthermore if people use multiple SMTP servers to send messages out 
> then you will lose the bounces to messages they sent via other SMTP 
> servers not using VERP.

This could be overcome with each SMTP server accessing a shared database 
of VERP entries.  Realistically though, are there that many James based 
server farms out there that would need to do this?

> Unfortunately in SMTP there is no rule that the outgoing SMTP server 
> has to be the same as the MX server for the sender domain.

Which is precisely the problem with SPF.  In SPF, you must list all 
possible SMTP servers for your domain.  This gets tricky when you are 
using a third party to manage your address lists and they change the IP 
address of their SMTP servers without telling you!

I must confess I don't use VERP (or SPF) to manage my spam.  I rely 
heavily on the Bayesian analysis code.  Everything except mail from 
authenticated users or from whitelisted addresses gets passed through 
the filter and rejected if it doesn't pass.  This way even so called 
bounced messages get rejected if they don't look right.

David Legg




Re: Email Address Used by a Damn Spammer

Posted by Stefano Bagnara <ap...@bago.org>.
David Legg wrote:
> Norman Maurer wrote:
>> The only thing you can do against this is to use an SPF entry
>> ( www.openspf.org ) and hope the remote mailserver uses SPF.
> 
> Not quite the only thing ;-)
> 
> You could implement VERP! [1]
> 
> Essentially, if your system allocated unique return addresses to every 
> email it issued then it could easily distinguish between truly bounced 
> messages and spam messages pretending to be bounce messages or messages 
> legitimately bounced but only as a result of a badly addressed initial 
> spam message.
> 
> I think this would be much more effective than SPF which relies on 
> everybody correctly implementing it for it to be effective.  I read 
> recently [2] that even a large organization like PayPal mucked up their 
> SPF entries leading to people being prevented from subscribing.
> 
> Regards,
> David Legg
> 
> 
> [1] http://cr.yp.to/proto/verp.txt
> [2] http://mail.python.org/pipermail/python-list/2007-September/456167.html

This is not enough, anyway. You will also have to recognize incoming 
messages destined to non VERPed email addresses as delivery 
notifications to remove them.

Furthermore if people use multiple SMTP servers to send messages out 
then you will lose the bounces to messages they sent via other SMTP 
servers not using VERP.

Unfortunately in SMTP there is no rule that the outgoing SMTP server 
has to be the same as the MX server for the sender domain.

If you can accept this issue then VERP is better.

Stefano




Re: Email Address Used by a Damn Spammer

Posted by David Legg <da...@searchevent.co.uk>.
Norman Maurer wrote:
> The only thing you can do against this is to use an SPF entry
> ( www.openspf.org ) and hope the remote mailserver uses SPF.
>
>   


Not quite the only thing ;-)


You could implement VERP! [1]

Essentially, if your system allocated unique return addresses to every 
email it issued then it could easily distinguish between truly bounced 
messages and spam messages pretending to be bounce messages or messages 
legitimately bounced but only as a result of a badly addressed initial 
spam message.

I think this would be much more effective than SPF which relies on 
everybody correctly implementing it for it to be effective.  I read 
recently [2] that even a large organization like PayPal mucked up their 
SPF entries leading to people being prevented from subscribing.

Regards,
David Legg


[1] http://cr.yp.to/proto/verp.txt
[2] http://mail.python.org/pipermail/python-list/2007-September/456167.html
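The return-path check proposed in this message, as an added example that is not part of the original post or of James: each outgoing mail gets a VERP-style envelope sender encoding its recipient, and an incoming bounce is accepted only if it is addressed to a return path the system issued. The HMAC tag, the secret, the `lists.example` domain and the function names are assumptions added here so that a VERP-shaped address cannot simply be guessed.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: per-site secret, not from the thread
BOUNCE_DOMAIN = "lists.example"    # hypothetical domain that receives bounces


def _tag(local, recipient):
    """Short HMAC binding a return path to the sender local part and recipient."""
    msg = f"{local}|{recipient.lower()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:12]


def verp_return_path(local, recipient):
    """Build local-<tag>-<rcpt local>=<rcpt domain>@BOUNCE_DOMAIN."""
    rcpt_local, rcpt_domain = recipient.rsplit("@", 1)
    tag = _tag(local, recipient)
    return f"{local}-{tag}-{rcpt_local}={rcpt_domain}@{BOUNCE_DOMAIN}"


def classify_bounce(envelope_to, local):
    """Return (verdict, failing_recipient) for a bounce sent to envelope_to."""
    addr_local, _, domain = envelope_to.rpartition("@")
    prefix = local + "-"
    if domain.lower() != BOUNCE_DOMAIN or not addr_local.startswith(prefix):
        return ("discard", None)   # plain address: not a return path we issued
    tag, sep, encoded = addr_local[len(prefix):].partition("-")
    rcpt_local, eq, rcpt_domain = encoded.rpartition("=")
    if not (sep and eq and rcpt_local and rcpt_domain):
        return ("discard", None)   # not in the VERP form at all
    recipient = f"{rcpt_local}@{rcpt_domain}"
    if not hmac.compare_digest(tag, _tag(local, recipient)):
        return ("discard", None)   # VERP-shaped, but the tag is not ours
    return ("accept", recipient)


if __name__ == "__main__":
    issued = verp_return_path("john", "alice@example.org")
    print(issued, classify_bounce(issued, "john"))
    # Backscatter from forged mail, or a bounce for mail relayed through a
    # server that does not apply VERP, arrives at the plain address:
    print(classify_bounce("john@lists.example", "john"))
```

The plain-address case is discarded whether the bounce is backscatter or a genuine bounce for mail submitted through another SMTP server, which is the limitation raised elsewhere in the thread.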



Re: Email Address Used by a Damn Spammer

Posted by Norman Maurer <no...@apache.org>.
On Sunday, 20.04.2008, at 12:08 -0500, samk@twinix.com wrote:
> See Thread at: http://www.techienuggets.com/Detail?tx=33187 Posted on behalf of a User
> 
> Hi,
> 
> Some (nice) person used my email address to send millions of emails. Even though the email wasn't sent from our SMTP server, the from address has my email, so all the bounces are coming back to me. I have set up a rule to delete them but there should be some other way. I'm surprised the servers bouncing the email aren't verifying that the email didn't originate from our domain and are simply sending them to my email address which was forged by the spammer. I guess this is just a rant. Not sure much can be done about it.
> 
> John Haskel
> 
> 

The only thing you can do against this is to use an SPF entry
( www.openspf.org ) and hope the remote mailserver uses SPF.

Cheers,
Norman


