Russian spammers hijack one of our email addresses - we receive thousands of bounced messages

In the last few minutes we have been receiving thousands of bounced messages because someone is sending spam in our name.  Here's an example: dozens of such bounced messages arrived in a single minute, at 5:45 PM:

image

Years ago we made sure spammers could not send spam through our email servers (we use SMTP-AUTH and POP-before-SMTP), so we know we are not sending the spam.  In this case, Russian spammers are putting one of our email addresses in the "From" field of their messages.  Some receiving servers accept the spam and then bounce it back to that forged address, either because it was sent to an account that no longer exists, or because it triggers a vacation auto-reply, etc.

We were going to try to report the Russian spammers on Spamcop.net, but we found out we can only report spam sent directly to us.  In this case the spam is sent to some other server, which then bounces a message back to us.  Here are some relevant threads:

  http://forum.spamcop.net/forums/index.php?showtopic=6535
  http://forum.spamcop.net/forums/index.php?showtopic=203
  http://forum.spamcop.net/forums/lofiversion/index.php/t6585.html

This is really unfortunate: there's nothing we can do.  Either we cancel this email address (which we'll probably do) or we ride out the wave of bounced messages.  Below I copy more information and the Russian text of one of the spam messages sent in our name.


How do I stop spammers from using my email address? (or: Why am I getting all these bounces?)
http://forum.spamcop.net/forums/index.php?showtopic=6535

Answers:

  • The simple answer is that you cannot stop spammers from using your email address in the From: or Reply to: fields.
  • Once a spammer (or the software they use) has discovered or guessed your Email address then it is perfectly easy for them to send spam Email forging your Email address as the sender.
  • Sadly it happens all the time. Thankfully, this is usually only a short-term problem and after a day or two the flow stops. Typically the fall-out is that you start receiving all sorts of failed delivery messages. You simply have to take this problem on the chin and delete the unwanted messages (you can report mis-directed bounces via SpamCop if you wish; this will not stop the problem, but it may help).
  • It usually lasts about a week, starting with maybe 100-200 bounces received per day for the first 2 or 3 days and then tailing off towards the end. It's very annoying but if you have patience you will find it doesn't last very long.
  • You can minimize the impact if you can turn off the blanket address feature and setup specific email addresses.
  • Reporting the bounces does NOT report the spammer. It reports the server that is bouncing the forged return address. I believe it is still against the rules to report the original spam inside the bounce.

Adapted From the FAQ

  • There are two kinds of bounces: SMTP rejects that go directly back to the server that sent the message and email bounces after accepting the message.
  • Email bounces are allowed by RFC (netiquette rules for the internet). Once, email bounces were a very useful feature. The spammers spoiled it. Now the spam bounced to forged addresses is just as big a nuisance as the original spam.
  • Most mail servers do an SMTP reject, which means that any bounce message will come from the original sending mail server.
  • There are some mail server operators that claim that it is not practical to convert to SMTP rejects instead of bouncing.
  • These mail server operators must be bigger than AOL.COM, which had several years ago announced on the SPAM-L mailing list that they recognized that such bounces were abusive to the rest of the internet and were switching over to only using SMTP rejects.
  • AOL changed their policy because of the complaints they got.
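
The FAQ's distinction between an SMTP-time reject and an accept-then-bounce is a configuration matter on the receiving side.  The following Postfix main.cf fragment is added here as an example; it is not part of the original post and has nothing to do with the GWAVIX gateway that appears in the headers below.  It shows, for a relay gateway that sits in front of an internal mail store, the setting that produces backscatter next to the setting that refuses unknown recipients during the SMTP session.  The domain example.edu and the file paths are assumed.

```text
# main.cf on an inbound gateway that relays for an internal mail store
# (hypothetical domain example.edu).

# WEAK: with an empty relay_recipient_maps the gateway has no list of
# valid users, so it accepts mail for any address in the relay domain at
# RCPT TO.  The internal server discovers the unknown user later and
# generates a bounce addressed to whatever was in MAIL FROM, i.e. to the
# forged sender.  That is the "550 5.1.1 User unknown" backscatter the
# post is receiving.
relay_domains = example.edu
relay_recipient_maps =

# HARDENED: give the gateway the list of deliverable addresses so that an
# unknown recipient is refused inside the SMTP session.  The spam source,
# not the forged sender, receives the 550, and no bounce mail is created.
relay_domains = example.edu
relay_recipient_maps = hash:/etc/postfix/relay_recipients
smtpd_reject_unlisted_recipient = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# /etc/postfix/relay_recipients (run "postmap /etc/postfix/relay_recipients"
# after editing; the right-hand side is ignored, it only needs to be present):
#   alice@example.edu   OK
#   bob@example.edu     OK

# If the address list cannot be exported from the internal server, let
# Postfix probe it at RCPT TO time instead and cache the answers, again
# rejecting with a permanent 550 rather than the default 450:
#   smtpd_recipient_restrictions =
#       permit_mynetworks,
#       reject_unauth_destination,
#       reject_unverified_recipient
#   unverified_recipient_reject_code = 550
```

The same idea applies to vacation auto-responders and virus notifications: anything that replies to the envelope sender of an unauthenticated message will reply to the forged address, so such replies should be generated only for mail that was actually accepted for a real mailbox, and never for messages the filter already classified as spam.
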

Here's the spam message that thousands of people are getting:

image

Here are sample headers from the original message after it bounced to us (I removed the To: address to protect the innocent):

Your message to:
<@sthildas.qld.edu.au>
was not deliverable.

The server replied with:
<@sthildas.qld.edu.au> : 550 5.1.1 User unknown

This is a fatal error, no further attempts will be made to deliver this message. I'm sorry.

Message Excerpt:

Received: from host70.ctrnet.ro [195.149.72.119] by gwavix.sthildas.local
       with GWAVIX 3.9.4 (b3441, r3446) on Linux;
       Thu, 04 Sep 2008 10:16:05 EST
Date: Tue, 15 Apr 2008 16:49:46 +0000
Message-ID: <39617.sunil@rfs>
From: =?koi8-r?B?4sHR2snU?= <dmelle@factsofisrael.com>
To: <*@sthildas.qld.edu.au>
Subject: =?koi8-r?B?8sHazcXdxc7JxSDSxcvMwc3Z?=
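
As an added example (not code from the original post), here is a small Python 3 script that does by program what the post does by eye: it takes the header excerpt quoted above, decodes the koi8-r encoded-words in From: and Subject:, and reads the earliest Received: line to show that the first hop was host70.ctrnet.ro, not one of our relays, so the From: address was forged and the bounce is backscatter rather than a bounce of mail we sent.  The list of our relays, the Message-ID domain check and the contrasting legitimate sample are assumptions constructed for the example.

```python
"""Classify a bounced message as backscatter (a bounce of spam that forged
our address as sender) rather than a bounce of mail our own relays sent.
Uses only the standard library."""
import re
from email import message_from_string
from email.header import decode_header
from email.utils import parseaddr

# Header excerpt exactly as quoted in the post (the bounced spam's headers).
EXCERPT = """\
Received: from host70.ctrnet.ro [195.149.72.119] by gwavix.sthildas.local
       with GWAVIX 3.9.4 (b3441, r3446) on Linux;
       Thu, 04 Sep 2008 10:16:05 EST
Date: Tue, 15 Apr 2008 16:49:46 +0000
Message-ID: <39617.sunil@rfs>
From: =?koi8-r?B?4sHR2snU?= <dmelle@factsofisrael.com>
To: <*@sthildas.qld.edu.au>
Subject: =?koi8-r?B?8sHazcXdxc7JxSDSxcvMwc3Z?=
"""

# Constructed contrast case: a bounce of a message our own relay really sent.
LEGIT_SAMPLE = """\
Received: from mail.factsofisrael.com [203.0.113.25] by mx.example.net
Date: Thu, 04 Sep 2008 09:00:00 +0000
Message-ID: <1234@mail.factsofisrael.com>
From: webmaster@factsofisrael.com
To: <someone@example.net>
Subject: hello
"""

# Assumed for the example: the only hosts that legitimately send mail for
# our domain.  A first hop outside this set means we never sent the message.
OUR_DOMAIN = "factsofisrael.com"
OUR_RELAYS = {"mail.factsofisrael.com", "203.0.113.25"}  # hypothetical

RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def decode_rfc2047(value):
    """Decode RFC 2047 encoded-words (e.g. =?koi8-r?B?...?=) to a str."""
    parts = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def originating_hop(msg):
    """Return (host, ip) of the first hop.  Each relay prepends its own
    Received: line, so the earliest hop is the *last* header.  Only the
    line written by the bouncing server itself is trustworthy; anything
    below it could have been forged by the spammer."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_FROM.search(received[-1])
    return (m.group(1), m.group(2)) if m else None


def classify_bounce(excerpt, our_domain=OUR_DOMAIN, our_relays=OUR_RELAYS):
    """Return decoded sender/subject plus a forged verdict and its reasons."""
    msg = message_from_string(excerpt)
    display, addr = parseaddr(decode_rfc2047(msg.get("From", "")))
    subject = decode_rfc2047(msg.get("Subject", ""))
    hop = originating_hop(msg)
    claims_us = addr.lower().endswith("@" + our_domain)
    reasons = []
    not_our_hop = False
    if claims_us:
        reasons.append("From: claims our domain")
    if hop is None:
        not_our_hop = True
        reasons.append("no Received line to attribute the first hop")
    elif hop[0] not in our_relays and hop[1] not in our_relays:
        not_our_hop = True
        reasons.append("first hop %s [%s] is not one of our relays" % hop)
    # The Message-ID is minted by the submitting system; a foreign right-hand
    # side is a further sign the message was not generated on our hosts.
    mid_domain = msg.get("Message-ID", "").strip("<>").rpartition("@")[2]
    if mid_domain and not mid_domain.endswith(our_domain):
        reasons.append("Message-ID domain %r is not ours" % mid_domain)
    return {
        "from_name": display,
        "from_addr": addr,
        "subject": subject,
        "origin": hop,
        "forged": claims_us and not_our_hop,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for sample in (EXCERPT, LEGIT_SAMPLE):
        for key, value in classify_bounce(sample).items():
            print("%-10s %s" % (key + ":", value))
        print()
```

Run on the quoted excerpt it reports the decoded display name "Баязит" (Bayazit) and subject "Размещение рекламы" ("advertisement placement"), origin host70.ctrnet.ro, and forged = True; the constructed legitimate sample comes out forged = False.  The verdict rests on the bouncing server's own Received: line, which is the only hop it can vouch for; a bounce that quotes no headers at all is flagged as unattributable rather than trusted.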

Posted by David Melle