Here's a thought I just thunk, folks: some scum, apparently in eastern Europe, has harvested my email, and is using it in the Reply-To: in its spamming efforts. Now, I realize that some mails go out from noreply, but other than that, is there a good reason why a mailserver would not be configured to send delivery failure to *both* Reply-To and From?
mark
On 08/31/2011 01:16 PM, m.roth@5-cent.us wrote:
Here's a thought I just thunk, folks: some scum, apparently in eastern Europe, has harvested my email, and is using it in the Reply-To: in its spamming efforts. Now, I realize that some mails go out from noreply, but other than that, is there a good reason why a mailserver would not be configured to send delivery failure to *both* Reply-To and From?
There are two parts to an email that relate to routing; envelope header and email header. The only consideration given to routing is the envelope header which has sender and recipient, nothing else.
Reply-To is part of the email header and is there for the email client to use.
(See RFCs 2821, 2822.)
HTH,
Here's a thought I just thunk, folks: some scum, apparently in eastern Europe, has harvested my email, and is using it in the Reply-To: in its spamming efforts. Now, I realize that some mails go out from noreply, but other than that, is there a good reason why a mailserver would not be configured to send delivery failure to *both* Reply-To and From?
You don't want to send rejects to more than one address 'cos you then have a simple message multiplier; send one message, generate two bounces; the mail server will be doubling the back-scatter problem!
Anyway, the SMTP server should send the delivery failure to the envelope address, which may be different to both the From and Reply-To addresses.
Stephen Harris wrote:
Here's a thought I just thunk, folks: some scum, apparently in eastern Europe, has harvested my email, and is using it in the Reply-To: in its spamming efforts. Now, I realize that some mails go out from noreply, but other than that, is there a good reason why a mailserver would not be configured to send delivery failure to *both* Reply-To and From?
You don't want to send rejects to more than one address 'cos you then have a simple message multiplier; send one message, generate two bounces; the mail server will be doubling the back-scatter problem!
Anyway, the SMTP server should send the delivery failure to the envelope address, which may be different to both the From and Reply-To addresses.
That would be lovely. Unfortunately, a high percentage seem to use the Reply-To address. Trust me, the last four or five months, I've gotten probably hundreds, if not more, of delivery failures. And I wind up at least glancing at them, in case email to this list, or to a friend, has bounced.
mark
Spam filter that'll authorize the sending before receiving? Just a thought to stop the hundreds of emails...
On Wed, Aug 31, 2011 at 4:27 PM, m.roth@5-cent.us wrote:
Stephen Harris wrote:
Here's a thought I just thunk, folks: some scum, apparently in eastern Europe, has harvested my email, and is using it in the Reply-To: in its spamming efforts. Now, I realize that some mails go out from noreply, but other than that, is there a good reason why a mailserver would not be configured to send delivery failure to *both* Reply-To and From?
You don't want to send rejects to more than one address 'cos you then have a simple message multiplier; send one message, generate two bounces; the mail server will be doubling the back-scatter problem!
Anyway, the SMTP server should send the delivery failure to the envelope address, which may be different to both the From and Reply-To addresses.
That would be lovely. Unfortunately, a high percentage seem to use the Reply-To address. Trust me, the last four or five months, I've gotten probably hundreds, if not more, of delivery failures. And I wind up at least glancing at them, in case email to this list, or to a friend, has bounced.
mark
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On 08/31/2011 01:27 PM, m.roth@5-cent.us wrote:
Stephen Harris wrote:
Here's a thought I just thunk, folks: some scum, apparently in eastern Europe, has harvested my email, and is using it in the Reply-To: in its spamming efforts. Now, I realize that some mails go out from noreply, but other than that, is there a good reason why a mailserver would not be configured to send delivery failure to *both* Reply-To and From?
You don't want to send rejects to more than one address 'cos you then have a simple message multiplier; send one message, generate two bounces; the mail server will be doubling the back-scatter problem!
Anyway, the SMTP server should send the delivery failure to the envelope address, which may be different to both the From and Reply-To addresses.
That would be lovely. Unfortunately, a high percentage seem to use the Reply-To address. Trust me, the last four or five months, I've gotten probably hundreds, if not more, of delivery failures. And I wind up at least glancing at them, in case email to this list, or to a friend, has bounced.
Mark,
The Reply-To address is an optional component of the email header and is not used in email routing by mail servers.
If the Reply-To is absent, mail clients compose a message to be sent to the sender listed in the From field instead.
Mail server will send NDRs (non-delivery receipts) back to the envelope sender every time with no regard for From or Reply-To.
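An added illustration of the envelope/header split described in the replies above; it is not part of the original thread. It parses a constructed SMTP session (all addresses are made-up example-domain values) and reports which address a standards-following MTA would notify on delivery failure.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed client side of an SMTP session (not from the thread);
# every address uses a reserved example domain.
SESSION = """\
EHLO mail.sender.example
MAIL FROM:<bounces@sender.example>
RCPT TO:<nobody@recipient.example>
DATA
From: "Some Sender" <news@sender.example>
Reply-To: bystander@third-party.example
To: nobody@recipient.example
Subject: constructed sample

Body text.
.
QUIT
"""

def split_session(session):
    """Separate the envelope (MAIL FROM / RCPT TO) from the message headers."""
    lines = session.splitlines()
    sender, rcpts, data_at = None, [], len(lines)
    for i, line in enumerate(lines):
        if m := re.match(r"MAIL FROM:\s*<([^>]*)>", line, re.I):
            sender = m.group(1)
        elif m := re.match(r"RCPT TO:\s*<([^>]*)>", line, re.I):
            rcpts.append(m.group(1))
        elif line.strip().upper() == "DATA":
            data_at = i + 1
            break
    content = []
    for line in lines[data_at:]:
        if line == ".":                      # end of DATA
            break
        content.append(line[1:] if line.startswith(".") else line)  # undo dot-stuffing
    return sender, rcpts, message_from_string("\n".join(content))

def analyse(session):
    """Report which address a standards-following MTA would notify on failure."""
    sender, rcpts, msg = split_session(session)
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    header_from = parseaddr(msg.get("From", ""))[1]
    # RFC 5321: notifications go to the reverse-path (envelope sender) only;
    # a null reverse-path (MAIL FROM:<>) means no notification is generated.
    bounce_to = sender or None
    return {
        "envelope_sender": sender,
        "envelope_rcpts": rcpts,
        "header_from": header_from,
        "reply_to": reply_to,
        "bounce_to": bounce_to,
        "reply_to_would_be_notified": bool(bounce_to) and bounce_to == reply_to,
    }

if __name__ == "__main__":
    for key, value in analyse(SESSION).items():
        print(f"{key}: {value}")
```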
Josh Miller wrote:
On 08/31/2011 01:27 PM, m.roth@5-cent.us wrote:
Stephen Harris wrote:
Here's a thought I just thunk, folks: some scum, apparently in eastern Europe, has harvested my email, and is using it in the Reply-To: in its spamming efforts. Now, I realize that some mails go out from
<snip>
Anyway, the SMTP server should send the delivery failure to the envelope address, which may be different to both the From and Reply-To addresses.
That would be lovely. Unfortunately, a high percentage seem to use the Reply-To address. Trust me, the last four or five months, I've gotten
The Reply-To address is an optional component of the email header and is not used in email routing by mail servers.
I'm well aware that it's an optional component. <snip>
Mail server will send NDRs (non-delivery receipts) back to the envelope sender every time with no regard for From or Reply-To.
You're saying it uses the envelope, not if exists Reply-To, else From? The problem I have with that is that a few of them have returned the email, with full headers, and I see the *only* reference to my email address is in the Reply-To.
mark
On 08/31/2011 01:33 PM, m.roth@5-cent.us wrote:
Josh Miller wrote:
On 08/31/2011 01:27 PM, m.roth@5-cent.us wrote:
Stephen Harris wrote:
Here's a thought I just thunk, folks: some scum, apparently in eastern Europe, has harvested my email, and is using it in the Reply-To: in its spamming efforts. Now, I realize that some mails go out from
<snip>
Anyway, the SMTP server should send the delivery failure to the envelope address, which may be different to both the From and Reply-To addresses.
That would be lovely. Unfortunately, a high percentage seem to use the Reply-To address. Trust me, the last four or five months, I've gotten
The Reply-To address is an optional component of the email header and is not used in email routing by mail servers.
I'm well aware that it's an optional component.
Thank you for that clarification.
<snip>
Mail server will send NDRs (non-delivery receipts) back to the envelope sender every time with no regard for From or Reply-To.
You're saying it uses the envelope, not if exists Reply-To, else From? The problem I have with that is that a few of them have returned the email, with full headers, and I see the *only* reference to my email address is in the Reply-To.
You are seeing the "full" email headers. You will not see the envelope headers unless you capture packets or view mail server logs, etc.
On 08/31/2011 01:37 PM, Josh Miller wrote:
On 08/31/2011 01:33 PM, m.roth@5-cent.us wrote:
Josh Miller wrote:
On 08/31/2011 01:27 PM, m.roth@5-cent.us wrote:
Stephen Harris wrote:
Here's a thought I just thunk, folks: some scum, apparently in eastern Europe, has harvested my email, and is using it in the Reply-To: in its spamming efforts. Now, I realize that some mails go out from
<snip>
Anyway, the SMTP server should send the delivery failure to the envelope address, which may be different to both the From and Reply-To addresses.
That would be lovely. Unfortunately, a high percentage seem to use the Reply-To address. Trust me, the last four or five months, I've gotten
The Reply-To address is an optional component of the email header and is not used in email routing by mail servers.
I'm well aware that it's an optional component.
Thank you for that clarification.
<snip>
Mail server will send NDRs (non-delivery receipts) back to the envelope sender every time with no regard for From or Reply-To.
You're saying it uses the envelope, not if exists Reply-To, else From? The problem I have with that is that a few of them have returned the email, with full headers, and I see the *only* reference to my email address is in the Reply-To.
You are seeing the "full" email headers. You will not see the envelope headers unless you capture packets or view mail server logs, etc.
Mark,
Why don't you use your SPF record to prevent spoofing (to most providers...)?
dig -t txt 5-cent.us
...
5-cent.us. 14400 IN TXT "v=spf1 a mx ptr include:hostmonster.com ?all"
...
You have one but you're not using it to prevent spoofing.
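An added example (not part of the original thread) that audits the SPF record quoted above: it reports what the record tells receivers to do with senders it does not list, which is the gap being pointed out with `?all`. The `STRICT_RECORD` variant and the function names are assumptions made for illustration.

```python
import re

# Record as quoted in the thread, plus a constructed variant that ends in
# "-all" and drops "ptr" (the variant is an assumption, not from the thread).
THREAD_RECORD = "v=spf1 a mx ptr include:hostmonster.com ?all"
STRICT_RECORD = "v=spf1 a mx include:hostmonster.com -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that cost a DNS lookup during evaluation (RFC 7208 limit: 10).
LOOKUP_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}

def parse_spf(record):
    """Return a list of (result_or_'modifier', name, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        if re.match(r"[A-Za-z][A-Za-z0-9_.-]*=", term):   # e.g. redirect=, exp=
            name, _, value = term.partition("=")
            parsed.append(("modifier", name.lower(), value))
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"   # "+" is implied
        rest = term[1:] if term[0] in QUALIFIERS else term
        name = re.split(r"[:/]", rest, maxsplit=1)[0].lower()
        parsed.append((QUALIFIERS[qualifier], name, rest[len(name):].lstrip(":")))
    return parsed

def audit(record):
    """Summarise what the record tells receivers to do with unlisted senders."""
    terms = parse_spf(record)
    alls = [t for t in terms if t[1] == "all" and t[0] != "modifier"]
    has_redirect = any(t[:2] == ("modifier", "redirect") for t in terms)
    default = alls[0][0] if alls else ("redirect" if has_redirect else "neutral")
    findings = []
    if default in ("neutral", "pass"):
        findings.append(f"unlisted senders evaluate to '{default}', so forged mail is not rejected")
    if any(t[1] == "ptr" for t in terms):
        findings.append("'ptr' is discouraged by RFC 7208: slow and unreliable")
    lookups = sum(1 for t in terms if t[1] in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return {"default": default, "lookups": lookups, "findings": findings}

if __name__ == "__main__":
    for rec in (THREAD_RECORD, STRICT_RECORD):
        print(rec, "->", audit(rec))
```

The lookup count covers only the terms in the record itself; records pulled in through `include:` add their own lookups at evaluation time.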
Josh Miller wrote:
On 08/31/2011 01:37 PM, Josh Miller wrote:
On 08/31/2011 01:33 PM, m.roth@5-cent.us wrote:
Josh Miller wrote:
On 08/31/2011 01:27 PM, m.roth@5-cent.us wrote:
Stephen Harris wrote:
Here's a thought I just thunk, folks: some scum, apparently in eastern Europe, has harvested my email, and is using it in the Reply-To: in its spamming efforts. Now, I realize that some
<snip>
Anyway, the SMTP server should send the delivery failure to the envelope address, which may be different to both the From and Reply-To addresses.
<snip>
Why don't you use your SPF record to prevent spoofing (to most providers...)?
dig -t txt 5-cent.us
...
5-cent.us. 14400 IN TXT "v=spf1 a mx ptr include:hostmonster.com ?all"
...
You have one but you're not using it to prevent spoofing.
Um, because I'm not that deep into that? Thank you, I'll look at setting that up. One question: is that in my registrar, or my hosting site? Given it's an MX record, I'm guessing it's the former.
mark
On 08/31/2011 01:57 PM, m.roth@5-cent.us wrote:
Josh Miller wrote:
On 08/31/2011 01:37 PM, Josh Miller wrote:
On 08/31/2011 01:33 PM, m.roth@5-cent.us wrote:
Josh Miller wrote:
On 08/31/2011 01:27 PM, m.roth@5-cent.us wrote:
Stephen Harris wrote:
Here's a thought I just thunk, folks: some scum, apparently in eastern Europe, has harvested my email, and is using it in the Reply-To: in its spamming efforts. Now, I realize that some
<snip>
Anyway, the SMTP server should send the delivery failure to the envelope address, which may be different to both the From and Reply-To addresses.
<snip>
Why don't you use your SPF record to prevent spoofing (to most providers...)?
dig -t txt 5-cent.us
...
5-cent.us. 14400 IN TXT "v=spf1 a mx ptr include:hostmonster.com ?all"
...
You have one but you're not using it to prevent spoofing.
Um, because I'm not that deep into that? Thank you, I'll look at setting that up. One question: is that in my registrar, or my hosting site? Given it's an MX record, I'm guessing it's the former.
It's a DNS record. Hostmonster is authoritative for your domain, so you'll likely use them.
On 8/31/2011 4:37 PM, Josh Miller wrote:
On 08/31/2011 01:33 PM, m.roth@5-cent.us wrote:
You're saying it uses the envelope, not if exists Reply-To, else From? The problem I have with that is that a few of them have returned the email, with full headers, and I see the *only* reference to my email address is in the Reply-To.
You are seeing the "full" email headers. You will not see the envelope headers unless you capture packets or view mail server logs, etc.
Actually, what you are interested in is the envelope sender that the remote server saw. And there is no way for you to see that unless you have access to the remote server's logs.
On 08/31/2011 01:48 PM, Bowie Bailey wrote:
On 8/31/2011 4:37 PM, Josh Miller wrote:
On 08/31/2011 01:33 PM, m.roth@5-cent.us wrote:
You're saying it uses the envelope, not if exists Reply-To, else From? The problem I have with that is that a few of them have returned the email, with full headers, and I see the *only* reference to my email address is in the Reply-To.
You are seeing the "full" email headers. You will not see the envelope headers unless you capture packets or view mail server logs, etc.
Actually, what you are interested in is the envelope sender that the remote server saw. And there is no way for you to see that unless you have access to the remote server's logs.
That is not true as the remote server will present the envelope header to your mail server upon connection.
On 8/31/2011 4:50 PM, Josh Miller wrote:
On 08/31/2011 01:48 PM, Bowie Bailey wrote:
On 8/31/2011 4:37 PM, Josh Miller wrote:
On 08/31/2011 01:33 PM, m.roth@5-cent.us wrote:
You're saying it uses the envelope, not if exists Reply-To, else From? The problem I have with that is that a few of them have returned the email, with full headers, and I see the *only* reference to my email address is in the Reply-To.
You are seeing the "full" email headers. You will not see the envelope headers unless you capture packets or view mail server logs, etc.
Actually, what you are interested in is the envelope sender that the remote server saw. And there is no way for you to see that unless you have access to the remote server's logs.
That is not true as the remote server will present the envelope header to your mail server upon connection.
Yes, but the issue was in confirming which email address was used in that connection. If you assume that the remote server is replying to the envelope header, then yes. But if you are trying to confirm that, then you do not have enough data.
You could, of course, create your own message with known (and differing) From, Reply-To, and envelope headers and watch the result.
On Wed, 2011-08-31 at 16:33 -0400, m.roth@5-cent.us wrote:
You're saying it uses the envelope, not if exists Reply-To, else From? The problem I have with that is that a few of them have returned the email, with full headers, and I see the *only* reference to my email address is in the Reply-To.
Will you tell us what mail server (MTA) is doing that?
Paul.
On Wed, Aug 31, 2011 at 04:27:00PM -0400, m.roth@5-cent.us wrote:
Stephen Harris wrote:
Anyway, the SMTP server should send the delivery failure to the envelope address, which may be different to both the From and Reply-To addresses.
That would be lovely. Unfortunately, a high percentage seem to use the Reply-To address. Trust me, the last four or five months, I've gotten probably hundreds, if not more, of delivery failures. And I wind up at least glancing at them, in case email to this list, or to a friend, has bounced.
Envelopes can be forged just as easily as any header.
http://www.openspf.org/Introduction - SPF FTW
On Wed, Aug 31, 2011 at 4:47 PM, Stephen Harris lists@spuddy.org wrote:
On Wed, Aug 31, 2011 at 04:27:00PM -0400, m.roth@5-cent.us wrote:
Stephen Harris wrote:
Anyway, the SMTP server should send the delivery failure to the envelope address, which may be different to both the From and Reply-To addresses.
That would be lovely. Unfortunately, a high percentage seem to use the Reply-To address. Trust me, the last four or five months, I've gotten probably hundreds, if not more, of delivery failures. And I wind up at least glancing at them, in case email to this list, or to a friend, has bounced.
Envelopes can be forged just as easily as any header.
--
rgds Stephen
--On Wednesday, August 31, 2011 5:48 PM -0400 Mailing Lists mailinglist@theflux.net wrote:
http://www.openspf.org/Introduction - SPF FTW
DKIM is another possibility.
Blizzard (the game company) signs some (not all) of its mail with DKIM, and I use that to spot obvious account-theft scams. Unfortunately some servers break the signature, so it can be difficult to use and verify.
on 9/1/2011 10:39 AM Kenneth Porter spake the following:
--On Wednesday, August 31, 2011 5:48 PM -0400 Mailing Lists mailinglist@theflux.net wrote:
http://www.openspf.org/Introduction - SPF FTW
DKIM is another possibility.
Blizzard (the game company) signs some (not all) of its mail with DKIM, and I use that to spot obvious account-theft scams. Unfortunately some servers break the signature, so it can be difficult to use and verify.
I get TONS of spam with legitimate DKIM signatures...
On Thursday, September 01, 2011 12:43 PM -0700 Scott Silva ssilva@sgvwater.com wrote:
I get TONS of spam with legitimate DKIM signatures...
DKIM and SPF do not stop you from getting spam. Their purpose is to keep you from getting joe-jobbed, by declaring to the world which mail really came from you. It protects email sources, not destinations.
So you're getting "honest" spam that tells you that it really came from where it claims to have come from.
on 9/1/2011 1:14 PM Kenneth Porter spake the following:
On Thursday, September 01, 2011 12:43 PM -0700 Scott Silva ssilva@sgvwater.com wrote:
I get TONS of spam with legitimate DKIM signatures...
DKIM and SPF do not stop you from getting spam. Their purpose is to keep you from getting joe-jobbed, by declaring to the world which mail really came from you. It protects email sources, not destinations.
So you're getting "honest" spam that tells you that it really came from where it claims to have come from.
Yes... Hotmail and Yahoo let ANYONE sign up, and flood for a short time until they get cut off. Legitimate source, but still crap...
On Thu, Sep 01, 2011, Always Learning wrote:
On Thu, 2011-09-01 at 12:43 -0700, Scott Silva wrote:
I get TONS of spam with legitimate DKIM signatures...
How is that possible?
The spam comes from Yahoo! or perhaps Google groups?
Bill
On 01/09/11 22:10, Always Learning wrote:
On Thu, 2011-09-01 at 12:43 -0700, Scott Silva wrote:
I get TONS of spam with legitimate DKIM signatures...
How is that possible?
Because spammers know how to sign their email with DKIM signatures too, same as spammers can set an SPF record in DNS.
These are NOT specifically anti-spam techniques, they are designed to prevent forgeries, not spam per se.
On Wed, 2011-08-31 at 16:16 -0400, m.roth@5-cent.us wrote:
Here's a thought I just thunk, folks: some scum, apparently in eastern Europe, has harvested my email, and is using it in the Reply-To: in its spamming efforts. Now, I realize that some mails go out from noreply, but other than that, is there a good reason why a mailserver would not be configured to send delivery failure to *both* Reply-To and From?
May I suggest you create a sub-domain and a user name, then use that in public places? For example:
mark@xyz.5-cent.us
As soon as the nasty ******** get that email address, simply change the sub-domain.
If you receive your own mails (meaning run your own mail server) then do not accept emails from sites where the host name does not exist or does not resolve to the HELO / EHLO or the IP address of the sending server.
There are lots of other things you can do to reduce the spam, but only if you run your own mail server or use Google to filter out the spam.
Paul.
On Wed, Aug 31, 2011, m.roth@5-cent.us wrote:
Here's a thought I just thunk, folks: some scum, apparently in eastern Europe, has harvested my email, and is using it in the Reply-To: in its spamming efforts. Now, I realize that some mails go out from noreply, but other than that, is there a good reason why a mailserver would not be configured to send delivery failure to *both* Reply-To and From?
This type of forging is generally referred to as a "Joe Job", and may be a conscious effort to impair the reputation of the forged sender or domain or perhaps an attempt to flood the mailboxes of antispammers (e.g. mail forged like abuse@antispam.example.com).
Sending spam complaints to these addresses or to their ISPs is generally a waste of time and effort as the forged sender has nothing to do with the message as any cursory examination of the Received: headers in the message will confirm. The spam complaints are in themselves a type of abuse, and are referred to as "Blowback". Sometimes these complaints are the result of ignorance when they are manual complaints, or incompetence (e.g. early Barracuda e-mail appliances that did this by default).
Configuring an MTA to bounce to the Reply-To: header is probably worse than useless as it could well flood poorly configured mailing lists with garbage when spam gets through the list's spam filters, then the complaints go back to the mailing list.
Probably the best thing to do with this kind of delivery failure messages which come in is to ignore them unless you feel like Don Quixote and like tilting at windmills.
Bill