Proper Ways to Dispose of Spam?

Cliff posted more than 7 years ago | from the let's-stop-wasting-bandwidth-on-useless-bounces dept.

Spam 119

An anonymous reader asks: "My domain name is being stolen by spammers; they forge outgoing mail using my poor innocent domain name. First, I'd like to plead with mail server administrators out there: please REJECT spam and undeliverable mail. If you reject instead of bouncing then legitimate mail senders will still know there is a problem. Second, do you have any tips for dealing with a flood of spam bounces? Exim is pitching the bounces pretty quickly, but my server is still getting overwhelmed." In the case of stolen sender addresses, SPF attempts to address this problem but has it been effective?

The toilet (3, Funny)

antifoidulus (807088) | more than 7 years ago | (#17556824)

regardless of whether it comes out the back port or the front (both are equally likely).

Re:The toilet (5, Funny)

kfg (145172) | more than 7 years ago | (#17558342)

You have already failed the first rule of disposing of Spam:

1. For goodness sake, whatever you do, don't eat the stuff!


Re:The toilet (1)

avronius (689343) | more than 7 years ago | (#17559254)

And on a day that I don't have mod points!

+1 Insightful
+1 Informative
+1 funny

- Avron

Re:The toilet (0)

Anonymous Coward | more than 7 years ago | (#17563222)

If it's so bad for you, why does it have to taste so damn good?

Re:The toilet (1)

kfg (145172) | more than 7 years ago | (#17564412)

How the hell should I know? See rule one.


Re:The toilet (0)

Anonymous Coward | more than 7 years ago | (#17564444)

How the hell should I know? See rule one.


Proper disposal of spam (0, Offtopic)

gentimjs (930934) | more than 7 years ago | (#17556856)

Either call the EPA and get them to declare a superfund site in your compost pile, or use it as fuel in home-brew nuclear fusion experiments. The end results will likely be similar. I'm told it's also a good substitute for bathroom grout.

Re:Proper disposal of spam (1)

alexandreracine (859693) | more than 7 years ago | (#17557180)

You could always follow his advice [] or ask him about that...

Consider the Jihad (-1, Troll)

jihadi_schwartz (989888) | more than 7 years ago | (#17556864)

Ever notice the "beat the rush and see it early" link at the top of slashdot when a new story is about to come out?

Sounds good, doesn't it? To be able to view the pages linked to in the article before the tens of thousands of other slashbots click to view them.

Did it ever occur to you that you're taking part in cyber-terrorism?

That's right: Slashdot's editors are cyber-terrorists. They coordinate a DOS against small websites, and they attempt to collect money from people who wish to be spared the effects of said DOS. Terrorism, plain and simple.

You can fight this and other crimes by slashdot's editors by joining anti-slash [] . Anti-slash is committed to forcing the editors to own up to their numerous crimes against the geek community. Until our demands are met, we will relentlessly discredit them as a news service through trolling and other means.

Also, props to poopbot and the alan thicke troll. We remember your accomplishments.

In sacred jihad,


| _ __ | |
_) |_|_)__/_| |
(_) o

SPF! (4, Informative)

Alphager (957739) | more than 7 years ago | (#17556872)

Two of my domain-names are in several spammer-tools and I was inundated by spam-bounces (and auto-replies). With SPF, I am down to one bounce every now and then.

Re:SPF! (2, Informative)

crow (16139) | more than 7 years ago | (#17557138)

I found SPF to be nearly useless. I would think that spammers would automatically avoid domains with SPF records to increase their hit rate, but apparently not.

Re:SPF! (3, Insightful)

stg (43177) | more than 7 years ago | (#17557248)

That was the same in my case. I still get about the same number of bounces from spammers after adding SPF.
The only thing that did solve it was killing all addresses I don't use and adding filters for the most common bounces.

Re:SPF! (2, Insightful)

Alphager (957739) | more than 7 years ago | (#17557270)

We are talking about spam-bounces, not the spam itself. Of course using SPF as sole spamfilter is useless (spammers quite frequently kite domains and set up an SPF-record allowing everybody to send mail for that domain). But most spam-filters know that a false-positive with SPF is not possible (if you ignore email-forwarding, of course) and won't bounce the mail to the innocent domain.

Re:SPF! (3, Informative)

qbwiz (87077) | more than 7 years ago | (#17557918)

Right, but that post was saying that he thought that spammers would avoid forging a domain with SPF on it, because it would be more likely that their mail would be rejected. Therefore, if you add SPF to your domain, you shouldn't get as many bounces, as spammers won't want to forge that as the sender.

Re:SPF! (1)

ednopantz (467288) | more than 7 years ago | (#17559868)

You mean to tell me my bounce flood is what happens *with* spf?
I'd hate to see it without.

Re:SPF! (1)

davburns (49244) | more than 7 years ago | (#17563020)

I suspect that there is a high correlation between sites that check SPF and sites that reject (5xx) spam. If not, sites that check SPF are (almost) a proper subset of sites that reject spam. (If I had time and resources to do only one or the other, I'd do the former; I suspect almost anyone else would do the same.) The main place where SPF will help is if software checks it before sending vacation (and similar) messages.

Re:SPF! (2, Insightful)

poot_rootbeer (188613) | more than 7 years ago | (#17558334)

I would think that spammers would automatically avoid domains with SPF records to increase their hit rate, but apparently not.

Spammers don't care about hit rates and neither do the folks that employ them. Who cares if it's 10 people out of 100 that fall for the bait or 10 people out of 100,000 -- it's still 10 sales that they can credit to spamming.

Re:SPF! (1)

TubeSteak (669689) | more than 7 years ago | (#17560080)

Of course hit rates are important. That's why spammers blast out huge numbers of e-mails.

It's kinda easy to see the difference between a 10% hit rate and a .01% hit rate.

If they could get a 10/100 hit rate, everybody would be doing it.

Re:SPF! (1)

ahodgson (74077) | more than 7 years ago | (#17561238)

The people (and software) that send out NDR's to spam, instead of just rejecting it outright, are already busy polluting the Internet. Why would they take the time to add SPF checking to their already misconfigured systems? Hell, they'd probably send NDR's for that, too.

Re:SPF! (1)

stoolpigeon (454276) | more than 7 years ago | (#17557390)

This has been a problem for me for quite a while and I assumed there was nothing I could do.

I've just googled spf and gone to the site, but could someone give me a quick summary of how I might set it up. Can I do it or do I need to have my hosting company take care of it?

Right now I don't use my own email servers - I use the servers provided by the people who host my web site. (As is probably already obvious - this is not an area where I am terribly proficient.) I'm going to keep reading at the spf site but since there seem to be so many here who already use it, I figured it couldn't hurt to ask.

Re:SPF! (2, Insightful)

silas_moeckel (234313) | more than 7 years ago | (#17557686)

If you just care about outbound SPF, assuming your hosting provider also runs your DNS servers, they can add it in easily.

Re:SPF! (1)

stoolpigeon (454276) | more than 7 years ago | (#17557944)

i've read some more - and i guess i have a better picture of it all. my domain is registered with go daddy and they are the ones who point my domain at the ip address where my site is -- so godaddy is who i need to add the spf record?

Re:SPF! (1)

funfail (970288) | more than 7 years ago | (#17558806)

Domain registrars (GoDaddy in your case) rarely point to the web server's IP address. Instead, they point to the nameservers that point to the web server. If this is the case, most probably your hosting provider is also providing you with DNS service. You should ask them.

To put it another way, just do a whois query for your domain and look at the nameservers. If they look like, then your hosting provider is responsible for DNS (thus SPF).

Re:SPF! (2, Informative)

Medieval_Gnome (250212) | more than 7 years ago | (#17563418)

My domain (and email) is hosted with godaddy, and it was trivial to set up SPF.

Go into your hosting account, then open the control panel for the domain you want to set up SPF for.

On the page that opens up, select DNS Manager.

Scroll down to the bottom of that page, and there should be a button saying something like "Add SPF Record."

Assuming you use to send your email, the defaults should work splendidly, and it should be good to go.

Rejecting spam bounces (2, Informative)

CustomDesigned (250089) | more than 7 years ago | (#17561540)

Speaking from 2 years' experience with rejecting 11000+ spams a day, publishing SPF records helps, but not enough folks reject mail with SPF fail for it to help a lot with spam bounces. The real solution to spam bounces is to "sign" your MAIL FROM, using SRS for example. (SRS is not just good for forwarding.) Then you just reject bounces without a proper signature. After signing, your MAIL FROM would look like this:


The current main benefit to SPF is that when you get an SPF PASS, you can be reasonably sure that the MAIL FROM wasn't forged. This is comforting when I get mail from online banks and vendors (that I actually use). Also, I reject not only on SPF fail, but on softfail for selected domains (e.g. Getting an SPF pass is a two edged sword for a spammer. I track reputation (using pygossip) for validated MAIL FROM and HELO domains. So after a few trips through the content filter, they get rejected in SMTP envelope:

2007Jan11 14:19:47 [244] Received-SPF: pass ( domain of designates as permitted sender) client_ip=; envelope_from="42991_VMTA2574-alb=BMSI.COM@identit";;; mechanism=mx; identity=mailfrom
2007Jan11 14:19:47 ham: 0, spam: 23
2007Jan11 14:19:47 ID reputation: -76.159416,2.209194
2007Jan11 14:19:47 [244] X-GOSSiP: 0Q1xs3S.9Tt$ySk.$6w1Mg,-76,2
2007Jan11 14:19:47 [244] rcpt to <alb@BMSI.COM> ()
2007Jan11 14:19:47 [244] REJECT: REPUTATION

Re:Rejecting spam bounces (1)

Sancho (17056) | more than 7 years ago | (#17562438)

Can you elaborate on the FROM signing? What mail clients might support this (I use mutt, so I assume I can wedge this functionality in). Are individual mails signed differently?

Do you have a package that does this, specifically?

It sounds like an interesting solution to one of the most frustrating spam problems I have.

Re:Rejecting spam bounces (2, Informative)

CustomDesigned (250089) | more than 7 years ago | (#17563252)

I use pysrs from the pymilter project for MAIL FROM signing. It adds a macro to sendmail, and installs a pysrs daemon as a sendmail socket map. The SRS library could be used by a python script to integrate with mutt I suppose (I always do all my filtering in the MTA - so I can't offer advice). Example code (with random spaces inserted by slashdot):

>>> srs ='boo')
>>> srs.sign('')
>>> srs.reverse('')
>>> srs.reverse('')
Traceback (most recent call last):
AssertionError: Invalid hash

There are also C libraries like libsrs and libsrs2.

Detecting the bogus bounces in mutt is less than optimal - because you have already received the SPAM. By checking in the MTA, you reject the bounce before SMTP DATA.
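The signing scheme described in the two comments above, as an added example that is not part of the original posts and is not pysrs code: it signs the envelope sender with a keyed hash and a day stamp, then refuses any bounce (null MAIL FROM) whose recipient does not carry a valid, recent signature. The address layout is SRS-like but simplified and not wire-compatible with pysrs; the secret, domain, age limit and function names are all assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: per-site secret (the post uses 'boo')
MY_DOMAIN = "example.org"            # constructed domain for the example
MAX_AGE_DAYS = 10                    # assumption: how long a bounce may take to arrive
_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def today() -> int:
    """Current day number (days since the Unix epoch)."""
    return int(time.time() // 86400)


def _stamp(day: int) -> str:
    """Two base32 characters encoding the day number modulo 1024."""
    day %= 1024
    return _B32[day >> 5] + _B32[day & 31]


def _unstamp(ts: str) -> int:
    """Inverse of _stamp; raises ValueError/IndexError on malformed input."""
    return (_B32.index(ts[0]) << 5) | _B32.index(ts[1])


def _mac(ts: str, domain: str, local: str) -> str:
    """Truncated HMAC over the fields an attacker would need to forge."""
    msg = "=".join((ts, domain.lower(), local)).encode()
    return hmac.new(SECRET, msg, hashlib.sha1).hexdigest()[:8]


def sign(sender: str, day: int) -> str:
    """Rewrite an outgoing MAIL FROM into its signed form."""
    local, _, domain = sender.rpartition("@")
    ts = _stamp(day)
    return f"SRS0={_mac(ts, domain, local)}={ts}={domain}={local}@{MY_DOMAIN}"


def reverse(address: str, day: int) -> str:
    """Recover the original sender, or raise ValueError if the tag is bad."""
    local, _, domain = address.rpartition("@")
    if domain.lower() != MY_DOMAIN or not local.upper().startswith("SRS0="):
        raise ValueError("not a signed address")
    try:
        tag, ts, orig_domain, orig_local = local[5:].split("=", 3)
        ts = ts.upper()
        age = (day - _unstamp(ts)) % 1024  # stamps wrap every 1024 days
    except (ValueError, IndexError):
        raise ValueError("malformed signed address") from None
    expected = _mac(ts, orig_domain, orig_local)
    if not hmac.compare_digest(tag.lower().encode(), expected.encode()):
        raise ValueError("invalid hash")
    if age > MAX_AGE_DAYS:
        raise ValueError("signature expired")
    return f"{orig_local}@{orig_domain}"


def rcpt_decision(mail_from: str, rcpt_to: str, day: int) -> str:
    """SMTP reply to RCPT TO, given the MAIL FROM of the same session.

    A bounce arrives with the null sender (MAIL FROM:<>, passed here as "").
    It is only genuine if it is addressed to a sender we signed ourselves,
    so everything else is refused before DATA.
    """
    if mail_from != "":
        return "250 OK"  # ordinary mail: other checks apply elsewhere
    try:
        reverse(rcpt_to, day)
    except ValueError as exc:
        return f"550 5.7.1 bounce for mail we did not send ({exc})"
    return "250 OK"


if __name__ == "__main__":
    d = today()
    signed = sign("alice@example.org", d)
    print(signed)
    print(rcpt_decision("", signed, d))               # genuine bounce
    print(rcpt_decision("", "alice@example.org", d))  # backscatter from a forgery
```

Because a spammer forging the domain cannot produce the keyed hash, bounces to forged mail are addressed to an unsigned or wrongly signed recipient and are refused with a 5xx reply at RCPT time.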

Re:SPF! (1)

mophab (137737) | more than 7 years ago | (#17559110)

I have had problems with spammers using one of the domains I owned.
I added an SPF record and within two months they quit using my domain.
I suspect spammers avoid domains with SPF records, for now.

Re:SPF! (1)

DigitalRaptor (815681) | more than 7 years ago | (#17561128)

I want to add SPF to my domains, but I send email from GMail as if it were being sent from my domain.

But if I add GMail's servers as valid sources for my domain, then any gmail user can send email as if it were from me.

If I don't, it makes the email I send look less valid and more likely to be rejected or flagged as spam.

How do I avoid this catch-22?

Re:SPF! (1)

gb3 (998440) | more than 7 years ago | (#17561720)

Doesn't Gmail require users to verify they can receive E-mail on an account before they are able to send with that account? Or is there a way around that I'm not aware of?

Re:SPF! (1)

DigitalRaptor (815681) | more than 7 years ago | (#17562220)

Good point, I'm not sure. I do have my accounts set up that way, and yes, they send a confirmation email with a link you have to click.

When I set up my domains and listed GMail servers as valid senders, I saw a big increase in spam bounces that were being sent from that domain.

Maybe I had it set up or it was just a coincidence and had nothing to do with GMail.


Gmail Sender overrides your From for SPF checks (1)

Matthew Bafford (43849) | more than 7 years ago | (#17562436)

Gmail sends the mail as coming from your domain, but the sender header is listed as coming from your gmail address. Because of this, the SPF testers seem to care about Gmail's SPF check, not your domain's. For example, send an email to the address given by this site: []

For example, in my case, I see:

SPF-Record-Classic: v=spf1

In the headers sent in the email, I see:

From: me@example.invalid
Reply-To: me@example.invalid

For a while I actually had my domain's SPF records set to deny all. Worked out well enough, since Gmail sent all of my domain's email back then.

anyone have a domain where this DIDN'T happen? (3, Insightful)

Subgenius (95662) | more than 7 years ago | (#17556874)

Welcome to my hell. I've had this happen to 8 of my domains over the last couple of years, typical spam runs of 30k at a time, based on all of the 'bounce back' messages that tell me 'my' mail is spam, or worse "go F** yourself, spammer" crud. SPF might fix this, but only if it was mandatory and ALL ISPs blocked non-commercial email servers (DO NOT WANT the latter to occur).

Good Luck.

Re:anyone have a domain where this DIDN'T happen? (5, Interesting)

Southpaw018 (793465) | more than 7 years ago | (#17557610)

Ahhh, I had one of those -yesterday-. We have SPF implemented, and it still doesn't work very well, alas.

I got a call from a sysadmin somewhere in nowheresville USA. The minute I picked up the phone, the guy started berating me, since I was destroying his domain, and it was all my fault, because I'm running Exchange and obviously I was infecting him with Winblows.

After I finally got things sorted out, I walked him through exactly how and why it wasn't our domain a'tall, which would have been obvious had he looked at the headers of any one of the thousands of emails he claimed he received. If he knows how to read any of them. When he realized he was wrong, he slammed the phone down midsentence.

Point of the story: SPF is great, proper mail server administration is great, but there will always be jerks who think they know what they're doing when they don't, and they're the bane of the whole system, more like a wolf in sheep's clothing than a known enemy.

SPF somewhat effective (3, Informative)

asc4 (413110) | more than 7 years ago | (#17556904)

SPF is only somewhat effective as unfortunately only some have adopted it. Still, it takes all of a few seconds to add an SPF record for your domain. It can't hurt. Also, try reporting the servers hitting you with backscatter to Spamcop. Again, it might not help much, but it can't hurt.

Re:SPF somewhat effective (1)

zyl0x (987342) | more than 7 years ago | (#17557124)

Join now and start losing those extra pounds of SPAM today! We guarantee results in 12 weeks!

Re:SPF somewhat effective (1)

zyl0x (987342) | more than 7 years ago | (#17557154)

..and my browser totally posted this under the wrong parent, thus nullifying the funniness of this comment with a +2 bonus.

Re:SPF somewhat effective (1)

oyenstikker (536040) | more than 7 years ago | (#17562242)

How was it your browser's fault and not your own? What browser were you using?

Re:SPF somewhat effective (1)

Shaman (1148) | more than 7 years ago | (#17557170)

Actually outside of a small server, it can do great harm. The DNS system is heavily loaded worldwide now... SPF just adds yet another DNS request to each e-mail.

Re:SPF somewhat effective (4, Informative)

Albanach (527650) | more than 7 years ago | (#17558792)

The DNS system is heavily loaded worldwide now
I'm not sure what you mean by this - surely with a properly caching nameserver, you add almost no additional load to the root nameservers by performing SPF lookups as the query never goes near them? Your own DNS servers might be heavily loaded - in which case you should can additional ones or pay for someone else to provide DNS service. DNS scales easily so that shouldn't be an issue.

A DNS request is tiny compared to bouncing about bits of mail - if you can reject the message before even processing the body thanks to SPF you significantly reduce bandwidth consumption, much more than that spent on a DNS lookup, especially now there are so many image based spams floating about.

I have a similar problem (1)

SkunkPussy (85271) | more than 7 years ago | (#17556916)

I get about 50-75 bouncebacks a day on my domain, although I believe some of them at least are "false bouncebacks" from spammers, the idea being I'm more likely to read a bounceback than a spam.

SPF is effective... sort of (2, Informative)

XenoPhage (242134) | more than 7 years ago | (#17556922)

SPF is only effective if everyone uses it. It's pretty much that simple. Problems with forwards and mailing lists aside, SPF seems to work pretty well. I've been using it for a while now and I like it.

As for what to do... It's a tough call. You're being affected by a "Joe Job". Defending against this is not the easiest thing in the world. Filtering is probably the only route you can go right now. You should be able to filter based on the subject and To: address, looking for MAILER-DAEMON messages to the users being affected. That's how I would deal with it to begin ... Then perhaps limiting SMTP from the outside world, prioritizing local user traffic. That should calm the server down a little.

For the record, every mail server I've worked on has been set up to reject. I learned a long time ago that bounces and double bounces can easily kill a server. Great idea in theory, but the low-lifes on the net make good ideas regretful..

Re:SPF is effective... sort of (1)

Thansal (999464) | more than 7 years ago | (#17556980)

For reference, the point of Joe Jobbing someone is to ruin their reputation.

General spoofing is just there to hide their tracks, and make it more likely that the mail will be delivered.

Easy (0, Offtopic)

JamesP (688957) | more than 7 years ago | (#17556938)

Two big guys and a baseball bat

Oh, you mean SPAM, I read that as spammer...

Re:Easy (1)

Xugumad (39311) | more than 7 years ago | (#17557106)

Just one baseball bat? Erm, budget cutbacks?

My way (-1, Offtopic)

smooth wombat (796938) | more than 7 years ago | (#17556948)

I find that removing the spam from the can and slicing it into ~3/8" thick slices (length wise), placing the pieces in a skillet over medium heat and letting them get nice and brown is the best way to rid of spam. Spam goes great with any breakfast food (except cereal).

I've also had the pleasure (such that it is) of dicing the spam into cubes and mixing it into a noodle casserole and baking for 45 minutes in the oven. The spam is cooked nicely and its fat oozes into the surrounding noodles and sauce.

Oh wait, you meant email spam. Never mind.

Re:My way (1)

OneSmartFellow (716217) | more than 7 years ago | (#17557094)

Also useful as bait for carp. They seem to really like, and fight to get on the hook.

Re:My way (1)

Ruzty (46204) | more than 7 years ago | (#17557176)

Cubed with diced potatoes and onions. Fry in a bit of butter. When it's nearly done toss in a few cubes of Velveeta. As soon as the "cheese" melts toss it on a plate and enjoy! I prefer some pickled jalapeños with mine and a nice cold Diet Pepsi.


Re:My way (-1, Offtopic)

smooth wombat (796938) | more than 7 years ago | (#17558056)

Bwahahahaha! Now that's funny. My comment gets modded as offtopic but the two following comments, also offtopic, don't get modded anything.

Yeah, real nice mod system ya got here folks. Let's not fix the mod point system so people who have a brain can mod correctly. Let's just keep things the way they are cause, you know, like Microsoft, it's not a bug, it's a feature!

Re:My way (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#17559210)

The moderation system seems to work fine for me. Your comment wasn't funny, so someone rightfully decided it was noise.

SPF is Marginally Effective (2, Informative)

prothid (302906) | more than 7 years ago | (#17557052)

I am having this same issue. I have SPF set up with '-all' on the end of it. This still lands me with a lot of bounces every day. I am using Gmail for my mail and I have about 10 to 20 bounces that didn't get caught by their spam filter sitting in my inbox every morning.

Here is the SPF line I am using with Gmail (with an irrelevant ip4 entry omitted):

@ IN TXT "v=spf1 mx -all"

I figure that at worst, I am keeping myself off blacklists because the ones likely to blacklist my domain have at least implemented SPF. It is still a fairly annoying situation. It is probably worth noting that I have a catch-all alias for inbound emails. I like to give a different email address for each site I go to so that I can track who is sending me spam. The downside to this apparently being that it potentially opens your domain up to being used TO spam.

Re:SPF is Marginally Effective (2, Informative)

Neon Spiral Injector (21234) | more than 7 years ago | (#17557188)

Spammers *love* domains with catch-all aliases and specifically target them for impersonation. I would suggest finding an easy way to add new aliases as needed (so you can create one just before you sign up on a site) and kill the catch-all.

Re:SPF is Marginally Effective (1)

prothid (302906) | more than 7 years ago | (#17557306)

Yeah, I may end up having to do this. It was nice while it lasted! I could probably get away with doing a catch-all on a subdomain.. hmm...

filtered catch-all (1)

bcrowell (177657) | more than 7 years ago | (#17558440)

It is probably worth noting that I have a catch-all alias for inbound emails. I like to give a different email address for each site I go to so that I can track who is sending me spam.
I could probably get away with doing a catch-all on a subdomain
What I do is I use e-mail addresses that look sort of like this: On the front is the name of the business, so if I get mail at that address, I know it was because I gave it to them. Next is my name. Next is the last two digits of the year. In my mail filters, I reject anything that isn't of the form .*crowell\d\ That way if some spammer is just trying to guess an address like, it's not going to work. If I start getting a pile of spam to, say, the slashdotcrowell07 address, I just stop accepting mail at that address. The year is because most addresses eventually start getting more and more spam. So right now if someone sends mail to me at an 07 address, it goes to my inbox; if they send it to 06, it goes in a special box so I'll realize I need to give them the new one; if they send it to 05, it gets marked as probable spam, and I won't look at it until I get around to looking through my spam box; 04 goes straight to the bitbucket.

Re:filtered catch-all (1)

prothid (302906) | more than 7 years ago | (#17558686)

Right now I just use the domain name without the tld. I like your idea though, I will have to start doing that. Thanks!

Re:filtered catch-all (1)

grimwell (141031) | more than 7 years ago | (#17559228)

I do something similar. I use When I start receiving spam at that address I setup an alias to automatically forward it to I do like your idea of adding a date to the name, I'll probably start doing that.

I can't see handing out a new email address every year... just too much of PITA, especially with the older relatives and ones I only hear from a couple times a year.

Re:filtered catch-all (1)

bcrowell (177657) | more than 7 years ago | (#17560208)

I can't see handing out a new email address every year... just too much of PITA, especially with the older relatives and ones I only hear from a couple times a year.
I just whitelist them.

Re:filtered catch-all (1)

Etcetera (14711) | more than 7 years ago | (#17560206)

Or you could just use qmail :)

Nowadays, when I give out an email for anything it's to
"" or something similar. Anything at smith-* will end up at my smith account automatically. Allows for great automatic tracking, and no pre-setup needed (I make them up on the fly). If one of them ever gets compromised, I can simply add a config in there that handles that extension specifically. Furthermore, no automatic spamming bot is going to create wildcards and a blah-* like that.

Re:SPF is Marginally Effective (1)

milgr (726027) | more than 7 years ago | (#17557452)

I don't think that the spammers realize that a domain is read by only one person. Frequently, if they know that is a possible email address, then they will send spam to billg@microsoft.com, and replace billg with plenty of other common names, such as,, etc.

My email addresses also have a catch all. At one point I needed to implement a filter to ignore lots of common names (ie., tom, dick, and harry).

I have received lots of bounces to email that purports to come from my email account but doesn't. There is nothing you can do about it. A common spam technique is to have the from address be a valid address - of someone else.

Good luck.

Re:SPF is Marginally Effective (1)

Neon Spiral Injector (21234) | more than 7 years ago | (#17557560)

There is something you can do about it, just what I was suggesting: Kill the catch-all. Spammers will stop abusing your domain (as much), you won't get bounces to addresses you don't use, and any server that performs sender address verification callouts will know that the MAIL FROM: is bogus and reject the message right away.

No (1)

Otter (3800) | more than 7 years ago | (#17557190)

If you reject instead of bouncing then legitimate mail senders will still know there is a problem.

I've been hit by the same problem (and eventually gave up on my own domain and decided to let GMail deal with it) so I sympathize, but this simply isn't true. Bounces are much more effective.

Re:No (4, Informative)

Neon Spiral Injector (21234) | more than 7 years ago | (#17557474)

You should not generate the bounce, a 5xx response to an SMTP command is all your server should do. If it is a real mail server talking to yours it will generate the bounce for the user that is relaying through it (hopefully including the text of your 5xx reply).

Re:No (1)

Otter (3800) | more than 7 years ago | (#17557588)

Ahhh, if that's what he meant by "reject", then I agree.

Re:No (1)

arivanov (12034) | more than 7 years ago | (#17557834)


And as far as the stream of bounces flowing at the moment I think this has mostly to do with this: ne/ []

One of the SPAM botnets was lost over Christmas (I guess, not only NASA and ESA can lose systems by bogus commands/software uploads). As a result the spamgangs have ordered a couple of clones of old beaten up viruses to go and capture new zombies. At least some of these use the codebase of one of the old crap pieces of code that generated fake addresses in known domains. As a result - loads of bounces for fake names.

The only way of dealing with these is to filter for valid names on your frontline relay. This is a well known problem without a good solution as this means that the frontline has to do full alias expansion. I have some ideas on how to do that for exim, but have not got the time to do it at the moment.

Re:No (2, Insightful)

Akatosh (80189) | more than 7 years ago | (#17561932)

Spam is spam. I don't care if it was relayed by using the victim address in 'rcpt to:' (traditional spamming) or 'mail from:' (blowback spamming). So you stuck three lines of text above it then relayed it on to the victim. Good job, by bouncing instead of rejecting you're an open relay. You even add some additional bayesian slaying text to the top. That's how I see it.

It's really not that difficult to configure your mail systems to reject instead of accept then bounce. I see this as becoming mandatory, similar to how it used to be ok to have an open relay, then over time it became a sin.

Who gets overwhelmed by spam bounces these days? (1)

Bright Apollo (988736) | more than 7 years ago | (#17557322)

I own a handful of domains, and I have little if any problem setting up autoreject for invalid email addresses. The only problem I can't easily handle is when a valid email account is used by a spammer. I think you should strongly consider changing your domain host if you've got these issues in 2007.


Disposing spam... (0, Offtopic)

creimer (824291) | more than 7 years ago | (#17557362)

If I haven't eaten it...

[Please insert wow ur fat [] joke here.]

I put the spam into the trash, tie the top of the trash bag, and throw trash bag into the dumpster outside. I don't know what the fuss is about disposing spam. Spam is spam. :P

Gmail checks SPF... (1)

rthille (8526) | more than 7 years ago | (#17557374)

But doesn't follow the spec and reject on fail :-(
So I'm not sure what value that is, and I'm not sure if google forms a bias against spam from my domain, even though it's verifiable that the spam is a forgery and that my domain had nothing to do about it.

Other lameness are domains like and which publish records which indicate you shouldn't reject mail claiming to be from them from servers that they don't control. (soft-fail or neutral results).
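What the SPF results argued over in this thread mean for backscatter, as an added example that is not from any poster: a small evaluator for a subset of SPF (`all`, `ip4`, `ip6`, `mx` and the four qualifiers), followed by a receiver that accepts and then bounces next to one that rejects during the SMTP session. DNS is replaced by constructed tables, the domains and addresses are documentation values, and all function names are assumptions.

```python
import ipaddress

# Constructed zone data standing in for DNS TXT and MX lookups.
TXT = {
    "example.org": "v=spf1 mx ip4:192.0.2.0/24 -all",  # hard fail for everyone else
    "soft.example": "v=spf1 ip4:198.51.100.7 ~all",    # softfail
    "open.example": "v=spf1 ?all",                     # neutral: says nothing useful
}
MX_HOSTS = {"example.org": ["203.0.113.25"]}  # addresses of each domain's MX hosts

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, client_ip: str) -> str:
    """Evaluate the domain's record against the connecting IP (subset of SPF)."""
    domain = domain.lower()
    terms = TXT.get(domain, "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            matched = str(ip) in MX_HOSTS.get(arg or domain, [])
        else:
            return "permerror"  # mechanism outside this example's subset
        if matched:  # first matching mechanism decides the result
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no 'all'


def accept_then_bounce(mail_from: str, client_ip: str, recipient_exists: bool):
    """The setup the submitter pleads against: say 250, then mail an NDR.

    Returns (smtp_reply, address_the_bounce_is_sent_to).
    """
    ndr_to = None if recipient_exists else mail_from
    return "250 OK", ndr_to


def reject_in_session(mail_from: str, client_ip: str, recipient_exists: bool):
    """Refuse with 5xx while the sender is still connected; never mail an NDR."""
    result = check_spf(mail_from.rpartition("@")[2], client_ip)
    if result == "fail":
        return "550 5.7.1 SPF fail for MAIL FROM", None
    if not recipient_exists:
        return "550 5.1.1 no such user", None
    return "250 OK", None


def may_auto_reply(mail_from: str, client_ip: str) -> bool:
    """Vacation and similar auto-replies only go to a sender SPF has validated."""
    return check_spf(mail_from.rpartition("@")[2], client_ip) == "pass"


if __name__ == "__main__":
    forged = ("victim@example.org", "198.51.100.99", False)  # constructed forgery
    print(accept_then_bounce(*forged))  # the NDR lands on the innocent domain
    print(reject_in_session(*forged))   # nothing is ever sent to example.org
```

With the `-all` record the forged message is refused outright; with `~all` or `?all` the result is softfail or neutral, which is why the comment above objects to domains that publish those.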

How I dispose of spam.,.. (0, Offtopic)

Lord_Slepnir (585350) | more than 7 years ago | (#17557380)

You'll need a dog. I simply feed him my excess cans of spam. If you're dealing with spam e-mail, then simply print out the spam, and use it to paper train the dog after it's gorged on Spiced HAM.

Backup MX is to blame for some of this bouncing (4, Interesting)

artifex2004 (766107) | more than 7 years ago | (#17557428)

It's great to set up your mail server to reject the mail up front. But many spammers know people are doing this, so they connect to backup MX, often the one with least priority. From what I've read, that's how spammers' mail blasting programs are written these days.

Are you running your own backup MX? Probably not. It's often a generic spooler your ISP lets you use for convenience. Even if you do, does your backup MX have all your rules in place, so it knows what to reject? No, I bet not. So this backup server accepts the mail without question, then passes it to the primary, and then it gets bounced.

We need to either have a way to give our backup MX our rulesets (which the people who run the backup servers understandably won't like), allow backup and primaries to just silently discard (which legitimate senders and receivers won't like), or, quite possibly, stop using backup MX entirely, and then if the primary goes down, the originating mail servers should do their normal pattern of retrying for 5 days, or whatever.

Large companies who need 100% instant availability of mail shouldn't be using backup MX anyway, (I've seen backup MX servers configured to hand off to primary hourly or even daily, not to mention those that hold until the primary asks for the mail) they should be using a ring of servers sharing primary preference. I'd expect the ruleset to be identical across the ring, thus allowing for instant rejection all the time.

Re:Backup MX is to blame for some of this bouncing (2, Informative)

GreggBz (777373) | more than 7 years ago | (#17559246)

You're right. I work for a smallish ISP and notice that spam-bots usually prefer the backup MX record.

For smaller domains and people with fewer resources having one MX record is impractical. For larger systems, like say an ISP, there is typically only one MX record, which really points to a virtual server that exists in a Foundry switch or some such. This is then load balanced round-robin style to a group of identically configured servers, preferably that are geographically distributed. This is a little more straightforward than the ring of servers, but has its own issues.

The one headache that I have with this set up is the tedious log searches that you end up doing trying to find out what happened to customer x's email, or just troubleshooting in general.

It's a pain shelling into 4 different servers and grepping through each maillog. I'd like to find a solution to this.

Re:Backup MX is to blame for some of this bouncing (1)

Kissing Crimson (197314) | more than 7 years ago | (#17559932)

You could use a central syslog server: HOWTO []

Re:Backup MX is to blame for some of this bouncing (1)

dodobh (65811) | more than 7 years ago | (#17563424)

Unix MTAs log to syslog. Syslog is perfectly capable of sending stuff over the network.

Grab a PC, setup a syslog server on it listening to the network, tell your MTAs to log there in addition to local logging.

Re:Backup MX is to blame for some of this bouncing (1)

Plug (14127) | more than 7 years ago | (#17563292)

A useful thing to do (although in no way a solution) if you need a backup MX and can't use exactly the same rules on one as the other, is to set up priorities as such:

10 primary
20 backup
30 primary

This way, if spammers prefer the highest MX, which they are known to do, you get all the benefit of the filtering on the primary, as well as backup if the primary goes down.

SPF hasn't helped me much (2, Interesting)

Slashdot Parent (995749) | more than 7 years ago | (#17557488)

I publish SPF records for all of my domains, and I still get a ton of blowback. Here are the options that I evaluated:
  1. Don't use catch-all addresses. Normally blowback is not addressed to a valid user. This was not an option for me, but it may be for you.
  2. Reject invalid bounce messages. Any message coming with an empty envelope sender to an address that has never sent mail on my system is considered invalid and rejected during SMTP with a message stating why. This is what I chose.
The reason for my choice is that it consumes minimal resources (all that's required to reject a message is one SQL query against a small, in-memory table), informs the bouncer of the problem, and eliminates 99.99% of blowback (some incorrectly-configured MTAs produce bounce messages that don't have empty envelope senders... I get like one of those per month).

And I second your pleading: Please, please, please, mail admins, please reject email during SMTP instead of producing bounce messages! Please!
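The rejection rule described in the comment above, sketched as an added example that is not the commenter's code: a bounce (empty envelope sender) is refused at RCPT time, before DATA, unless the recipient has actually sent mail. The `HAS_SENT` set, the addresses and the reply texts are constructed for illustration.

```python
import re

# Constructed sample data: addresses that have sent mail through this server.
# The comment describes a small in-memory SQL table; a set stands in for it here.
HAS_SENT = {"alice@example.org", "billing@example.org"}

_PATH = re.compile(r"^(?:MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)


def parse_path(line):
    """Extract the address from a MAIL FROM / RCPT TO command ('' for <>)."""
    m = _PATH.match(line.strip())
    if m is None:
        raise ValueError("malformed path: %r" % line)
    return m.group(1).strip().lower()


class Session:
    """Envelope phase of one SMTP transaction on a catch-all domain."""

    def __init__(self, has_sent):
        self.has_sent = has_sent
        self.sender = None
        self.recipients = []

    def command(self, line):
        verb = line.strip().upper()
        try:
            if verb.startswith("MAIL FROM:"):
                self.sender = parse_path(line)
                self.recipients = []
                return "250 2.1.0 Sender ok"
            if verb.startswith("RCPT TO:"):
                if self.sender is None:
                    return "503 5.5.1 Need MAIL before RCPT"
                rcpt = parse_path(line)
                # Null envelope sender marks a bounce (DSN). A genuine bounce can
                # only come back to an address that actually sent something.
                if self.sender == "" and rcpt not in self.has_sent:
                    return "550 5.7.1 Bounce refused: this address has never sent mail"
                self.recipients.append(rcpt)
                return "250 2.1.5 Recipient ok"
        except ValueError:
            return "501 5.5.4 Bad path syntax"
        if verb == "DATA":
            if not self.recipients:
                return "554 5.5.1 No valid recipients"
            return "354 End data with <CR><LF>.<CR><LF>"
        return "502 5.5.2 Command not implemented"


def run(lines, has_sent=HAS_SENT):
    """Feed envelope commands to a fresh session; return the reply codes."""
    session = Session(has_sent)
    return [session.command(line)[:3] for line in lines]
```

Because the 550 is issued inside the SMTP dialogue, the connecting server keeps responsibility for the message and nothing is queued or bounced locally.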

Donate it (1)

emil10001 (985596) | more than 7 years ago | (#17557494)

I believe that smalltime is accepting cans of spam to fuel their "Find-the-Spam" game. They're capitalizing on the idea that this is obviously something that only a hobo would eat, and turning it into a fun game [] .

PS. - For added entertainment, try the text version!

My idea (1)

QueePWNzor (1044224) | more than 7 years ago | (#17557570)

I have an old FreeBSD mailserver that uses Exim. You should set up an intermediate domain/DNS system that can destroy the wrong usage of your name outgoing through the system. Then, I recommend looking through Perl scripts, because though one is not definitive, try, try again and you might partially succeed. Also, be sure to do security and firewall updates as mine was hacked... I don't know everything that you've tried, but if you haven't done all of those thoroughly, then you're screwed:) It'll never be perfect, though.

A recent conversation with a would-be vendor: (1)

PFI_Optix (936301) | more than 7 years ago | (#17557662)

"Okay, I'd like to send you some more information and need to verify your e-mail address."


"Is it jay ewe inn kay at blah blah blah dot com?"

"uhh...Yep, that's me. John Unk."

Only trusted vendors get real e-mail addresses here. I don't even get spam on my home e-mail. Absolutely none, after three years of having the same e-mail.

Re:A recent conversation with a would-be vendor: (1)

bcrowell (177657) | more than 7 years ago | (#17558532)

Unfortunately, many people don't have this option. If you're running a web-based business, you may need prospective customers to be able to e-mail you for the first time without making them jump through hoops, because you don't want to lose their business.

Re:A recent conversation with a would-be vendor: (1)

PFI_Optix (936301) | more than 7 years ago | (#17562878)

In that case, forms are your friend. You might even include a little note that you use the form because publishing your e-mail address directly would result in it being flooded with junk mail. Users will understand that, even if (like me) they aren't fond of using web forms to make contacts.

I know next to nothing about JavaScript, but I'm wondering whether there's a good way to obfuscate an e-mail address using JS or some other client-side script so that the spam crawlers don't see it because it would only show up on mouseover or something like that. Guess I need to learn JS and see if I can make something like that work...

Re:A recent conversation with a would-be vendor: (0)

Anonymous Coward | more than 7 years ago | (#17564252)

Just google: javascript email obfuscation

I found the following quite useful: []

I'm sure there are other ways to do it, but this looks as straightforward as they get.

Spam disposal (0)

Anonymous Coward | more than 7 years ago | (#17557666)

Simple: Burn it onto DVD-minus-R. Then nobody will ever be able to read it ever again!

Why the forging in the first place? (2, Informative)

mabu (178417) | more than 7 years ago | (#17557826)

I believe the main reason why spammers are forging in the first place is to taint relay blacklists. RBLs hurt spammers more than anything else. When they forge from addresses they cause legitimate relays to be spammed by other legitimate relays and this in turn may prompt some relays to blacklist legitimate smtp servers and tarnish the effectiveness of RBLs. However, most admins are now wise to this and differentiate between the different types of traffic.

If you run any mail server for a reasonable amount of time, until the feds decide to get off their lazy asses and prosecute these criminals, you're going to run into this problem. It usually passes after a few days. If I run into it, I will sometimes change the MX record of the offending domain to temporarily. And rule number one is avoid * mail mappings...

Re:Why the forging in the first place? (3, Informative)

Robotech_Master (14247) | more than 7 years ago | (#17558234)

In my experience, some spammers will also forge the 'from' address to be the address of the intended recipient of the spam, and then send it to an address they know will bounce (i.e. with an autoresponder) to try to get past spam filters or something.

Re:Why the forging in the first place? (2, Insightful)

Kelson (129150) | more than 7 years ago | (#17559372)

There's also a mundane reason for it:

  1. Using your own address makes you more traceable and means you have to deal with bounces, complaints, etc.
  2. Using a forged address saves you that inconvenience.
  3. Completely bogus addresses will have a low throughput, because it's trivial for a receiving server to check whether a domain name exists or not.
  4. Verifying a specific address at a real domain, however, is more involved.
  5. Solution: Use a bogus address at a real domain name.

This solution expresses itself in both throwaway domains (where the spammer registers it for cheap, figuring they only need it for one spam run) and forged addresses using bystanders' domains. Forging is cheaper, since you don't have to register a domain, and while it's illegal, enforcement is rare.

spamassassin (1)

stuff-n-things (89988) | more than 7 years ago | (#17558316)

I run a domain which receives a few thousand spam messages a day (one every 15-30 seconds or so). Postfix, amavis, clamav, spamassassin, and procmail are my friends. Use amavis rather than spamc/d to keep spamassassin running and to get clamav too. Your mailer will have to send all messages to amavis like it's forwarding all mail to another email server, and listen on another port so that it doesn't loop back to amavis. Have the mailer send catch all addresses to an alias, then have the spamassassin configuration score anything going to that alias as almost spam. Have spamassassin configurations like

header MAILBOX subject =~ /mailbox/i
with a score that isn't high enough to automatically make it a spam, but close. This weeds out 'mailbox full' messages. Do the same for 'Delivery Status Notification', etc. The more common rules for porn, refinancing, etc. will force more catch-all email to spam, as well as mark regular user's email. Don't bounce or reject for the catch-all address, just tell procmail that /dev/null is the mailbox for anything marked spam. What little remains, I get, and I only get a few spams a month. The system (a 2.8GHz Xeon) runs at 1-3% CPU to handle spam--plenty of RAM helps with this too.

Simple, check the Received: envelope headers (4, Informative)

Anonymous Coward | more than 7 years ago | (#17558350)

You start by rejecting outright email for non-existent email addresses. That gets rid of all bounces that come from addresses the spammers have made up. Then you look at the Received headers of the email that you supposedly sent and validate that it did indeed come from your IP and the header is of the form that your MTA generates. If not, somebody was impersonating you and you reject the bounce. See Stopping Backscatter Email [] .

Don't use a catch-all (4, Informative)

Kelson (129150) | more than 7 years ago | (#17558378)

The problem of invalid bounces drops dramatically if you set up your incoming server so that invalid addressees are rejected with a "User unknown" note at SMTP time. If you're using Sendmail with a virtual user table, this is as easy as adding the following at the end of the file:

error:nouser 550 5.1.1 User unknown

It's important to do this on the server that accepts mail from the outside. If you have a setup with an antispam/virus gateway that then relays to an internal server, you need to make the gateway aware of the valid/invalid addresses.

By rejecting invalid senders in the SMTP transaction, you only get bounces from the few messages that forged an actual sender. In my experience, the addresses tend to look like, so most of the bounces will just disappear into the ether(net).

SPF seems like a good idea but... (1)

jazman (9111) | more than 7 years ago | (#17558386)

...are MAILER_DAEMONs and their friends who are so stupid they bounce instead of reject likely to be intelligent enough to check an SPF record before sending a bounce message to someone who obviously didn't send it?

I too get loads of spam bounces sent to non-existent addresses "from" (random string)@(my domain), not to mention "please validate your message" challenges and autoreplies; my approach is one enormous blacklist that just autodeletes any messages from postmaster, mailer_daemon etc that aren't to my sending address, which works until some stupid postmaster decides to call himself Mail Delivery System or Mail Delivery Subsystem and so on, plus non-English versions, and the number of variants on "undelivered mail" is equally astonishing - that, Mail delivery failed, delivery status notification, returned mail, delivery failure, mail system error, undeliverable, cannot be delivered, foreign variants...

The subject is apparently incorrect... (1)

Kumba (84067) | more than 7 years ago | (#17558420)

It should be "Proper Ways to Dispose of Spammers?"

I propose the firing squad or hanging. By their balls (if they have any).

Maybe evisceration?

Postfix Backscatter HOWTO (4, Informative)

alanxyzzy (666696) | more than 7 years ago | (#17558544)

Knowing that a common term for this is "backscatter" may help you search for other hints and tips.

There is a Postfix backscatter HOWTO at []

The solution: Bounce Keys (0)

Anonymous Coward | more than 7 years ago | (#17558624)

You add an encrypted header to all outgoing emails which says "Yes, this email came from this server." Then, when you receive a bounce message, you check for the key. If it has it and its correct, it gets through, and if it doesn't, it gets rejected. This stops ALL normal bounces that result from spammers, and the only thing you do get are auto-responders which aren't actual bounces.

Here's the Exim howto e-authbounce.txt []

Difference between bounce and reject. (1)

Vellmont (569020) | more than 7 years ago | (#17558916)

Can someone tell me the differences in terms of when each happens, and what happens on the other end between a bounce and a reject? I _think_ I understand the difference, but I'm not certain.

My understanding is that a reject is sent by the receiving SMTP server before it's accepted the mail. I.e. server a->server b, server a says mail is to: from: Server B can then accept the mail, or reject it (with various different codes for each). If B accepts it, it's server B's responsibility to handle it. If it rejects it, it's server A's responsibility to handle it.

So, (if I understand this right) the problem the submitter is getting at is that server B accepts the mail, but then later bounces it. (Because a spammer is obviously not going to bother bouncing the mail when it's rejected).

Why would Server B accept mail from Server A if it's only later going to bounce it? I can think of at least once case (and one I have experience with). If Server B is acting as a relay host for Server C, then it's difficult (but not impossible) for Server B to know if Server C will accept or reject the mail. So Server B just accepts all mail, but later has to bounce some of it when Server C rejects the mail.

I've dealt with this problem, and only recently fixed it when I rebuilt the relay server. I use Postfix, which now supports validating recipient addresses for relay hosts. Essentially what happens (in terms of my little scenario) is before Server B accepts a message, it connects to server C and sends a test message addressed to the recipient. If server C rejects the message, Server B rejects the message from Server A. (Yah, it's a little more complicated than that and involves caching, but that's the general idea). The previous version I was using didn't support this feature, so I wound up with a lot of bounce messages going out for spam addressed to invalid addresses.

The other scenario I can think of is that Server B later figures out that the mail is spam. But why in the world would you decide to bounce the mail at this point, since it's very likely the return address is fake, will never accept mail, etc? Either throw the mail away entirely and forget about the whole ugly mess, flag the mail as spam and deliver it to its destination, or squirrel it away somewhere just in case someone really really needs to see it (like it's a false positive).

What I do is flag the mail and stick it in the user's spam folder. Then no one complains about not getting mail.

Re:Difference between bounce and reject. (1)

kitterma (757172) | more than 7 years ago | (#17559572)

Your understanding of bounce versus reject seems correct to me.

Re:Difference between bounce and reject. (1)

SuiteSisterMary (123932) | more than 7 years ago | (#17561116)

PersonA gets virus. Virus on PersonA's machine connects to PersonA's ISP SMTP server, and sends out ten thousand messages as

PersonA's ISP server dutifully accepts these messages, and tries to send them. Each and every one, in this example, is to an invalid recipient. So each and every message goes like this:
ISP Mail server: telnet recipient.mail.server 25
RCPT TO: invalidaddress@mail.server
550 unknown address

'Oh, noes!' thinks the ISP mail server. 'This poor message can't get sent! I better let the sender know! Let's see, the sender would seem to! I will send them a delivery status notification, also known as a bounce message, immediately!'

And personb gets 10,000 'undeliverable message' messages.

Re:Difference between bounce and reject. (1)

Akatosh (80189) | more than 7 years ago | (#17562182)

mail from:
250 Sender ok
rcpt to:
550 does not exist here

If it was a virii sending this, it just stops there. No one gets any message. If there's a mail server in between, then the sender side mail server would generate a bounce to Most virii are sending direct with no mail server in between.

mail from:
250 Sender ok
rcpt to:
250 Recipient ok
354 Enter mail, end with "." on a line by itself
lolspamspam wonderfull spam lovely spam
250 Message accepted for delivery.

It then sends the spam message to with a few lines about it being undeliverable at the top. Every time. Think of it as an open relay that adds a bayesian slaying text block to the top.

a HOWTO for Postfix and SpamAssassin (1)

jmason (16123) | more than 7 years ago | (#17559698)

I've been dealing with this a lot recently -- I just wrote up a short howto doc over on my blog [] yesterday, in fact, using Postfix on the MX to catch most of the bounces, with SpamAssassin to filter out the remainder.

BATV (2, Informative)

Patrin (30495) | more than 7 years ago | (#17559992)

Take a look at Bounce Address Tag Validation (BATV). [] There even is an implementation for EXIM. This drops spam bounces like you wouldn't believe.

Envelope Sender Signature (3, Informative)

mossmann (25539) | more than 7 years ago | (#17560278)

Check out the Envelope Sender Signature technique described here: MX/collateral.shtml []

The idea is to tag outgoing messages in such a way that legitimate DSNs are distinguishable from illegitimate backscatter (which can then be discarded).
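The "bounce keys", BATV and Envelope Sender Signature comments above all describe one mechanism: sign the envelope sender on outgoing mail, then accept a bounce only if it comes back to a validly signed address. The sketch below is an added example, not taken from the linked howtos; the tag layout is a simplified one modelled on BATV's `prvs=` form, and the secret, lifetime and addresses are constructed.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-secret"  # placeholder; a real key would be random and private
LIFETIME_DAYS = 7                    # assumed validity window for a tag
_TAGGED = re.compile(r"prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)", re.IGNORECASE | re.ASCII)


def _mac(key_id, day, address, secret):
    """First 6 hex digits of HMAC-SHA1 over key id, expiry day and address."""
    msg = ("%d%03d%s" % (key_id, day, address.lower())).encode()
    return hmac.new(secret, msg, hashlib.sha1).hexdigest()[:6]


def sign_sender(address, now, secret=SECRET, key_id=0):
    """Envelope sender to use on outgoing mail: prvs=KDDDSSSSSS=local@domain."""
    local, domain = address.rsplit("@", 1)
    day = (int(now // 86400) + LIFETIME_DAYS) % 1000   # expiry day, 3 digits
    return "prvs=%d%03d%s=%s@%s" % (key_id, day, _mac(key_id, day, address, secret),
                                    local, domain)


def verify_recipient(rcpt, now, secret=SECRET):
    """Return the original address if rcpt carries a valid, unexpired tag, else None."""
    local, _, domain = rcpt.rpartition("@")
    m = _TAGGED.fullmatch(local)
    if m is None:
        return None
    key_id, day, sig, orig_local = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
    address = "%s@%s" % (orig_local, domain)
    expected = _mac(key_id, day, address, secret)
    if not hmac.compare_digest(sig.lower().encode(), expected.encode()):
        return None
    today = int(now // 86400) % 1000
    if (day - today) % 1000 > LIFETIME_DAYS:   # expired, modulo the 1000-day wrap
        return None
    return address


def rcpt_reply(mail_from, rcpt, now, secret=SECRET):
    """RCPT-time decision: bounces (null sender) must target a tag we issued."""
    original = verify_recipient(rcpt, now, secret)
    if mail_from == "" and original is None:
        return "550 5.7.1 Bounce refused: recipient was not issued by this server"
    return "250 2.1.5 Recipient ok"
```

A spammer forging the plain address in the envelope never sees a valid tag, so the resulting backscatter arrives at an untagged recipient and is refused during SMTP.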

I assume you're using a catch-all (1)

GWBasic (900357) | more than 7 years ago | (#17564386)

I assume you're using a catch-all email account, like I do. I get about 100 SPAMs/bounces a day. Here are techniques that I use:

  • My reply-to address doesn't go to my catch-all. This way, all undeliverable bounces in my catch-all are only from SPAM.
  • Almost everyone who I email on a regular basis figures out my REAL email address, thus the special account for my reply-to address has very little SPAM.
  • I use Apple's mail program instead of Microsoft's mail programs. It's much easier to see what's SPAM because Apple displays the "TO" and "FROM" addresses without me having to open the email.