ietf-asrg

[Asrg] More e-mail oddities; SPF thoughts

2006-02-02 00:37:45
All,

I mentioned previously that my domain name has been hijacked by spammers for use in falsified return paths. As a result, I am receiving approximately 500 bounce e-mails per day from spammed servers. I've noticed something quite interesting about the most recent batch of bounces -- the message id of the bounced spam attachment starts with what appears to be an ESC 20 (or, more exactly, text looking like <R[20), with the rest of the headers and body suppressed.

I'm wondering what the spammers are up to with this -- the bounce e-mail contains virtually NO information to allow me to backtrace. Any ideas?

Claus,

I've just realized that the .forward capability in sendmail operates differently from the way my MUA, Thunderbird, does when I manually forward. If I manually forward an e-mail from Thunderbird, I tell it the new recipients and get the chance to add additional information in a body. Thunderbird makes the original e-mail headers and body into an attachment and wraps that with my own envelope, headers, and body. Why is the automated process different from the manual one?

Note that, in the case of forwarded mail, it has often been accepted by a boundary MTA and sent onward to the appropriate interior MTA for delivery to the end user; it's the interior machine that has access to the .forward information, not the boundary MTA. Hence, the only way the original sender can be notified that the possibly multiple forwarding addresses have problems is via bounce messages, since his original e-mail has already been accepted by a boundary MX system of the forwarder's domain.

I'm coming to the conclusion from my own bounce message problems that bounce messages are intrinsically bad, because they can easily be turned into a third-party DoS issue. For example, I've thought of adding abuse@aol.com to a .forward file in my postmaster account, given that they are hosting the spamvertised website's portal page and refuse to take it down.

Cheers,
Doug Campbell



_______________________________________________
Asrg mailing list
asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
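The forged-return-path backscatter described in the post (bounces for spam the domain never sent, plus the .forward case where a forwarder's bounce legitimately has to reach the original sender) is the problem that bounce-address tagging was proposed to solve. Below is an added example, not code from the post or from any MTA: outgoing mail is sent with a signed, expiring envelope sender, and a message from the null sender is accepted only if its RCPT TO carries a valid tag. The tag layout (prvs=KDDDSSSSSS=local@domain) is modeled from memory on the BATV prvs draft and should be treated as an assumption, as should the keys, addresses and the day numbers used below, which are all constructed for the example; the HMAC-SHA256 choice is mine, not the draft's.

```python
"""Bounce-address tagging (BATV-style) to refuse backscatter.

Added example; not from the post. Layout prvs=KDDDSSSSSS=local@domain is an
assumption modeled on the BATV prvs draft. Keys and addresses are constructed.
"""
import hashlib
import hmac
import re
import time
from dataclasses import dataclass
from typing import Optional

# Signing keys indexed by the one-digit key id carried in the tag.
# Constructed for the example; a real deployment rotates them.
KEYS = {
    1: b"example-batv-key-1-retired",
    2: b"example-batv-key-2-current",
}
CURRENT_KEY_ID = 2
TAG_LIFETIME_DAYS = 7      # a genuine bounce arrives well inside this window
DAY_MODULUS = 1000         # DDD field is the expiry day number mod 1000

# prvs=KDDDSSSSSS=local@domain  (assumed layout, see module docstring)
PRVS_RE = re.compile(
    r"^prvs=(?P<k>\d)(?P<ddd>\d{3})(?P<sig>[0-9a-f]{6})=(?P<addr>[^@=]+@[^@]+)$",
    re.IGNORECASE,
)


def today_daynum() -> int:
    """Days since the Unix epoch; tests pass an explicit value instead."""
    return int(time.time()) // 86400


def _sig(key: bytes, key_id: int, ddd: int, addr: str) -> str:
    """First 6 hex chars of HMAC-SHA256 over key id, expiry day and core address."""
    msg = f"{key_id}{ddd:03d}{addr.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:6]


def tag_address(addr: str, today: int, key_id: int = CURRENT_KEY_ID) -> str:
    """Build the envelope sender (MAIL FROM) to use on outgoing mail."""
    ddd = (today + TAG_LIFETIME_DAYS) % DAY_MODULUS
    return f"prvs={key_id}{ddd:03d}{_sig(KEYS[key_id], key_id, ddd, addr)}={addr}"


@dataclass
class Verdict:
    accept: bool
    reason: str
    core_address: Optional[str] = None   # untagged address to deliver to


def check_bounce_recipient(rcpt: str, today: int) -> Verdict:
    """Decide whether a message from the null sender may be delivered to rcpt."""
    m = PRVS_RE.match(rcpt.strip())
    if not m:
        # Our MTA never emits an untagged return path, so a bounce addressed
        # to a plain address can only be backscatter from a forged MAIL FROM.
        return Verdict(False, "untagged recipient: return path was not ours")
    key_id, ddd, addr = int(m["k"]), int(m["ddd"]), m["addr"]
    key = KEYS.get(key_id)
    if key is None:
        return Verdict(False, "unknown key id", addr)
    if not hmac.compare_digest(m["sig"].lower(), _sig(key, key_id, ddd, addr)):
        return Verdict(False, "bad signature", addr)
    # DDD is the expiry day mod 1000; it must lie in [today, today + lifetime].
    # A stale tag wraps to a large remainder and is refused, as is a tag
    # forged with a far-future expiry.
    remaining = (ddd - today) % DAY_MODULUS
    if remaining > TAG_LIFETIME_DAYS:
        return Verdict(False, "tag expired (or expiry day out of range)", addr)
    return Verdict(True, "valid tag", addr)


def smtp_rcpt_decision(mail_from: str, rcpt_to: str, today: int) -> Verdict:
    """Policy hook for the RCPT TO stage. Only the null sender is gated."""
    rcpt = rcpt_to.strip("<> ")
    if mail_from.strip("<> ") == "":           # bounce / DSN / MDN
        return check_bounce_recipient(rcpt, today)
    # Ordinary mail is not gated; a reply mistakenly sent to a tagged
    # address is still routed to the core address.
    m = PRVS_RE.match(rcpt)
    return Verdict(True, "non-bounce mail", m["addr"] if m else rcpt)


if __name__ == "__main__":
    day = today_daynum()
    sender = tag_address("doug@example.com", day)
    print("MAIL FROM:<%s>" % sender)
    print(smtp_rcpt_decision("<>", f"<{sender}>", day))          # genuine bounce
    print(smtp_rcpt_decision("<>", "<doug@example.com>", day))   # backscatter
    print(smtp_rcpt_decision("<>", f"<{sender}>", day + 30))     # stale tag
```

The check belongs at RCPT TO (a milter or the MTA's policy hook), so backscatter is refused before DATA and never costs a bounce of our own. Two caveats: the tag only protects mail that really left our MTA with the tagged envelope sender, so a forwarder or list that rewrites the return path to its own address will direct its bounces there, not to us, which is fine; and six hex characters is only 24 bits of signature, so the expiry window and per-key rotation are doing part of the work.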