Strange Spam
September 10, 2004 9:46 PM
SpamFilter: The last week or two I've been getting the strangest spam, real spam with a wide variety of (normal for spam) message content, that is addressed to some imaginary address at a domain I own, but is posed as a rejection message from the intended recipient's domain. Anyone else who owns a domain having this experience?
Is it possible some spammer is faking my domain in the headers and sending messages? Or some other nastiness that could turn around and bite me?
Is it possible some spammer is faking my domain in the headers and sending messages? Or some other nastiness that could turn around and bite me?
If you're getting the same kind I used to get, they are actually fake bounce messages. That is, they look like bounce messages, but they are not actually the result of mail bouncing. They're hoping you're worried about some mail you sent bouncing and will thus open and read the spammy payload in the "rejected" message before realizing, hey, I didn't send that!
I got so many of them, I set up a mail filter to delete them. It was pretty easy -- IIRC, the body of the "rejected" message said it was sent out through jerrykindall.com but had the wrong IP address. So basically I set up a filter that deletes bounces of messages that don't have my mail server's real IP address in the rejected message's header.
posted by kindall at 11:09 PM on September 10, 2004
I got so many of them, I set up a mail filter to delete them. It was pretty easy -- IIRC, the body of the "rejected" message said it was sent out through jerrykindall.com but had the wrong IP address. So basically I set up a filter that deletes bounces of messages that don't have my mail server's real IP address in the rejected message's header.
posted by kindall at 11:09 PM on September 10, 2004
they are actually fake bounce messages
How can you tell the difference between a fake bounce message intended for you to read and a real bounce message that's the result of a spammer putting an address at your domain into the From: header on their outgoing spam?
posted by jjg at 11:38 PM on September 10, 2004
How can you tell the difference between a fake bounce message intended for you to read and a real bounce message that's the result of a spammer putting an address at your domain into the From: header on their outgoing spam?
posted by jjg at 11:38 PM on September 10, 2004
Well, for one, the fake messages are usually addressed to accounts that do not exist on your domain.
For two, they usually carry a virus payload. Most real bounce messages I receive do not have any attachment at all. If you can set your mail program to show in the index list of your mailbox which messages have attachments, then do so. You don't want to have to open messages to find this out.
For three, the fake bounce messages often have non-standard bounce subject lines, very unlike the true bounce messages. Try sending some mail yourself to email accounts that do not exist to get an idea of what a real bounce message looks like.
For four, the fake bounce messages often have grammatically odd composition: either the grammar is stilted, child-like, or incoherent.
For five, if you get a real bounce message, it's going to be in response to mail you sent, right? So a bounce message that comes in within a few minutes after you've sent a message or messages is just a little bit less likely to be fake. Plus, real bounce messages will often retain some form of the original subject line you included in your original message.
Add all these up, you increase your odds of recognizing a true bounce message.
posted by Mo Nickels at 8:05 AM on September 11, 2004
For two, they usually carry a virus payload. Most real bounce messages I receive do not have any attachment at all. If you can set your mail program to show in the index list of your mailbox which messages have attachments, then do so. You don't want to have to open messages to find this out.
For three, the fake bounce messages often have non-standard bounce subject lines, very unlike the true bounce messages. Try sending some mail yourself to email accounts that do not exist to get an idea of what a real bounce message looks like.
For four, the fake bounce messages often have grammatically odd composition: either the grammar is stilted, child-like, or incoherent.
For five, if you get a real bounce message, it's going to be in response to mail you sent, right? So a bounce message that comes in within a few minutes after you've sent a message or messages is just a little bit less likely to be fake. Plus, real bounce messages will often retain some form of the original subject line you included in your original message.
Add all these up, you increase your odds of recognizing a true bounce message.
posted by Mo Nickels at 8:05 AM on September 11, 2004
Real bounce messages reference messages you actually sent and should be rare if you know the correct e-mail addresses of the people you're corresponding with. Fake ones reference messages you didn't send and are, sadly, much more common.
Real bounce messages always have an empty Return-Path. Fake bounce messages often don't.
Real bounce messages will usually have the real IP address of your outgoing mail server in the transcript in the body of the message. Fake bounce messages often don't.
posted by kindall at 9:19 AM on September 11, 2004
Real bounce messages always have an empty Return-Path. Fake bounce messages often don't.
Real bounce messages will usually have the real IP address of your outgoing mail server in the transcript in the body of the message. Fake bounce messages often don't.
posted by kindall at 9:19 AM on September 11, 2004
Thanks guys. The explanation that these are viral attacks makes them much more understandable.
posted by billsaysthis at 10:09 AM on September 11, 2004
posted by billsaysthis at 10:09 AM on September 11, 2004
« Older What elements of cultural anxiety do the Aliens... | Good Windows clock applet for multiple timezones? Newer »
This thread is closed to new comments.
No. There's not alot you can do. These things are sorta hit and run.
posted by RavinDave at 10:42 PM on September 10, 2004