Re: Bouncing Seems to Work


I'm not running a mailserver on this account, it's my ISP's server I'm
getting them through.

Re: Bouncing Seems to Work


But you are "serving" the bounces. When the ISP does the bouncing it
does it in a timely manner and modern spamming software can tell the
difference. So "your" bounces may just be confirming that you are a real
valid address <cha-ching $$$> and are running some fake bouncing

Re: Bouncing Seems to Work


Exactly.  The bounces issued by the client who doesn't bounce until they
happen to poll the mailbox are NOT the same as a bounce issued by the
receiving mail server.  And, in fact, using Mailwasher to issue *BOGUS*
bouncebacks *IS* running a mail server in that you are definitely trying
to pretend that you are the mail server issuing the bouncebacks.

While it is possible for spam software to determine that your bogus NDR
(non-delivery report) did NOT come from the receiving mail server, it is
not likely that many spammers would bother.  They would have to run a mail
server that accepted inbound e-mails.  That puts them at risk for
exposure, retaliation, and disconnect.  So it is possible to validate
e-mail accounts based on receiving bogus NDRs from clients as
differentiated from getting NDRs from the ISP's mail server to which the
e-mail was delivered but it is not a likely scenario.

The primary problem with you sending out bogus NDRs is that you hit
innocents with your "bounce spam" for e-mails they never sent.  You also
consume even more bandwidth for bounce messages that are never received
by the spammer.  For a poorly coded e-mail client that issues bounces, you
can end up causing a flood of bouncing messages between two mail
servers.  Mailwasher, I have been told, uses a null valued Return-Path
header which means the receiving mail server will not issue an NDR of
its own in response to your bogus NDR sent to a non-existent mailbox
(which would then have you bounce their NDR with another bogus NDR that
they bounce that you bounce and ad nauseam).  Mailwasher is well aware
of the stupidity in issuing bogus NDRs, but it is too good a lure to get
newbies to buy their product.  Them including the option doesn't mean it
is a good option.  Bogus NDRs should be sent only when there is
reasonable expectation that it gets delivered to the actual sender of
the instigating e-mail.  That means YOU have to interrogate the headers
to determine the likelihood that you can identify the correct sender
rather than bogus values inserted by a spammer.  However, users enabling
this bounce feature are too lazy to bother looking at the headers; if
they did, they wouldn't need the automated bounceback feature, anyway.

You don't hurt the spammer by sending bogus NDRs.  It's like using a
shotgun at the campfire to swat mosquitos which you rarely hit but you
manage to slaughter all the campers nearby: an ineffective and
irresponsible solution with lots of innocent casualties.  Say a spammer
issues one million spams per day (which is not impossible and even
higher rates are possible) and all of them have you listed in the From
header.  After all, the spammer is certainly not going to list their own
e-mail address.  Say only 10% of those e-mails get delivered (i.e., make
it past server-side filters and also hit valid e-mail accounts).  That's
100,000 delivered copies of their spam.  Say only 1% of those recipients
used Mailwasher's bounceback feature.  That will be 1,000 NDRs delivered
to your mailbox for an e-mail that you never sent!  I had one guy that
in one day got nailed with around 3,500 NDRs for an e-mail that he never
sent just because the spammer used his e-mail address in the From or
Reply-To headers.  There is no intelligence employed as to where the NDR
gets sent.  If all those Mailwasher users are going to abuse my mailbox
with their misdirected *spam* (because, after all, they were NOT the
result of an e-mail that I sent so all of them are unsolicited and come
from USERS rather than real mail servers), they can expect the same
"courtesy" in return - by getting their accounts canned!

Your solution should not inflict other users with the negative side
effects of your "solution".  Flush your own turds rather than spew them
back out on the Internet and hitting innocents with them.

Post your replies to the newsgroup.  Share with others.
E-mail reply: Remove "NIXTHIS" and add "#VS811" to Subject.
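
An added example, not part of the thread or any poster's code: one way for the owner of a forged From address to separate genuine bounces from the misdirected NDRs described above, by checking whether the original message quoted in the NDR carries a Message-ID the mailbox actually sent. The sent-ID set, addresses and sample NDRs are constructed, and it assumes the NDR is a multipart/report that quotes the original headers.

```python
import email

# Constructed sample: Message-IDs this mailbox really sent (e.g. from a sent log).
SENT_IDS = {"<20240101.1234@example.org>"}

def make_ndr(orig_id, return_path="<>"):
    """Build a constructed multipart/report NDR that quotes the original headers."""
    return (
        f"Return-Path: {return_path}\n"
        "From: MAILER-DAEMON@mx.example.net\n"
        "To: victim@example.org\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\nUser unknown.\n"
        "--b1\nContent-Type: text/rfc822-headers\n\n"
        f"From: victim@example.org\nMessage-ID: {orig_id}\nSubject: Buy now\n\n"
        "--b1--\n"
    )

def original_message_id(ndr):
    """Return the Message-ID of the mail the NDR claims to be about, or None."""
    for part in ndr.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":          # full original attached
            return part.get_payload(0)["Message-ID"]
        if ctype == "text/rfc822-headers":     # only the original headers attached
            text = part.get_payload(decode=True).decode("ascii", "replace")
            return email.message_from_string(text)["Message-ID"]
    return None

def classify(raw, sent_ids=SENT_IDS):
    """Label a raw message: not-an-ndr, suspect-ndr, genuine-bounce or backscatter."""
    msg = email.message_from_string(raw)
    is_report = (msg.get_content_type() == "multipart/report"
                 and msg.get_param("report-type") == "delivery-status")
    if not is_report:
        return "not-an-ndr"
    # Delivery notifications carry a null envelope sender; one that does not
    # invites the bounce-of-a-bounce loop described in the post.
    if (msg.get("Return-Path") or "").strip() != "<>":
        return "suspect-ndr"
    mid = original_message_id(msg)
    if mid and mid.strip() in sent_ids:
        return "genuine-bounce"
    return "backscatter"  # NDR for mail this mailbox never sent

if __name__ == "__main__":
    print(classify(make_ndr("<20240101.1234@example.org>")))
    print(classify(make_ndr("<forged.999@spammer.invalid>")))
```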

Re: Bouncing Seems to Work


Agreed, but the modern spamming software has this ability and feature to
help the spammer cull the address database. Blank e-mails don't
advertise anything (not UCE spam) and yet can show delayed returns from
desktop bouncing thus validating them as "good" addresses. Not a likely
scenario for a spam run though because as you say there needs to be a
valid return address for the email for the spammer to see the bounces.
