General Questions about Spam
From Greenview Wiki
Why do I get bounce messages about email that I didn't send?
There is nothing you can do to prevent people from forging your email address (although SPF record checks can help recipients determine that they were forged). Forging the sender's email address for an email message is as simple as changing the "from address" in your email sending program, and anyone can do this.
Only the person or computer who sent the email message knows for sure why email addresses at your domain are being forged, but it is common for spammers and email-borne viruses to forge the SMTP mail from address for email messages that they generate. If a spammer or virus forged one of your email addresses and the email that they sent was undeliverable, you may get the bounce (Delivery Status Report or DSR).
There are two theories on why they do this:
- A forged email address is used because a message requires a valid mail from address in order to be accepted by the recipient, and the virus/spammer:
  - Doesn't have a valid email address
  - Wants to remain anonymous
  - Doesn't want to receive the large number of bounces from invalid recipient email addresses
  - Wants to send their bounce messages to an enemy just to annoy them
- To gain trust, the mail from address might be forged:
  - To appear from the postmaster at your domain
  - To appear from someone else at your domain
  - To appear from someone with whom you do business
You typically don't want to block these bounce messages, as it is important to know that someone is forging your email address.
If you are being inundated with bounce messages because a spammer or virus is using your email address to send many undeliverable email messages, you may opt to temporarily DELETE all messages from a null sender (under Additional Filtering, "Block Delivery Status Notifications" ID: 10896). Make sure to disable this blocking when things quiet down, otherwise you won't receive any bounce messages for relayed emails that you send that cannot be delivered.
Additionally, many of the forged email addresses at your domain may not even exist. It is recommended that you disable any catchall email alias that forwards email for all non-existent email addresses at your domain to your inbox, or use the Mailboxes feature to reject DSR messages sent to invalid email addresses.
How can I prevent being listed as a spammer?
Most "false positives" (legitimate messages accidentally identified as spam) occur from bulk mailing list type mailings, and not from an actual personalized email message.
There are two main reasons:
1. The recipient doesn't remember signing up, and reports your messages as spam.
Sometimes, while using an online service, purchasing goods online, or filling out a form to enter a contest, the recipient is not aware or has forgotten that they have subscribed to a mailing list. When the recipient starts receiving mailing list messages, they may not remember explicitly subscribing and therefore report the emails as spam.
Sometimes a company will change names and, although the recipient was happy to receive the mailings before, doesn't recognize that the continued mailings are from the same company, thereby reporting the messages as spam.
2. The sender is using a mailing list service that has been blacklisted.
Most mailing list type services offer a link tracking service, which replaces your domain name in the message with that of the tracking domain. This allows you to track who clicked on your links, but it also masks your domain name and forces you to include a third party domain name in your email message. Since most mailing list type services have problems with spammers signing up to use their service, this link tracking URL will probably have appeared in some spam and could be blacklisted. You could end up getting your messages blocked by including this third party domain name in your email messages.
If too much spam is seen coming from the mailing list service's mail servers, the IP addresses of those mail servers could be added to blacklists of known spammers. If your recipients are subscribed to these blacklists, all email from the blacklisted servers could be identified as spam, regardless of content. "Too much" spam from these mail servers could, for example, be triggered by just one out of 1,000 recipients forgetting that they subscribed to a mailing list.
Things a mailing list service can do to prevent being listed as a spammer:
- Ensure that there is a web site at these link tracking URLs that indicates what mailing service owns it.
- Ensure that your senders include a statement that says why the recipient is receiving the message (where and when they subscribed).
- Include a link where the recipient can unsubscribe as well as report it as abuse to the mailing service's abuse department (roving.com is now doing this as well as several others).
- Make sure that the subject of the mailing list message is not misleading, and indicates subscription. For example, "blah blah Newsletter for September" as opposed to "Check out this great deal!"
- Don't allow your users to import email lists, and maintain records of confirmed opt in requests.
Following these five things will allow our analysts to recognize that this message that has been reported as spam may actually be the result of a legitimate subscription. Additionally, it will allow us to quickly recognize a link tracking URL as belonging to a mailing list service (with good policies), and not the actual spammer's URL.
Things mailing list owners can do to prevent being listed as a spammer:
- Do only confirmed opt-in, and keep all records of IP addresses and dates of the confirmation process, to both prevent and dispute spam complaints.
- Ensure that you include a statement that says why the recipient is receiving the message (where and when they subscribed).
- Include a link where the recipient can unsubscribe by clicking on it.
- Make sure that the subject of the mailing list message is not misleading, and indicates subscription. For example, "blah blah Newsletter for September" as opposed to "Check out this great deal!"
- Ask your recipients to whitelist your newsletter at the time that they subscribe.
Following these five things will allow our analysts to recognize that this message that has been reported as spam may actually be the result of a legitimate subscription.
CAN-SPAM Compliance
Even if your messages are CAN-SPAM compliant, they can still be considered Unsolicited Bulk Email, which is the term we use to define spam. Even if a recipient has sent you queries or is a current customer, it is highly recommended that you include an unsubscribe link at the bottom of any sales follow-up or advertisement related messages. It is also good to remind them of how you got their information.
Unsubscribe links that the recipient simply has to click on are less likely to result in a spam complaint. Unsubscribe links are also less likely to get you listed as a spammer by our analysts. On the other hand, if you require your users to send in a postcard or send an email to unsubscribe, the decision as to whether or not you are a spammer is more likely to go against you. This is particularly true if you state that the recipient must send an email from the email address that is subscribed, but you don't state the email address you sent to. These are all considered part of "good subscription policies".
Should You Click the "remove" Link in Spam?
Conventional wisdom is that you should never click on the "remove" link in spam because it will only result in more spam. However, if you follow these guidelines, you can reduce the amount of unwanted email by clicking on some "remove" links.
Place the mouse on the "remove" link without clicking it. The status line of your email program should display the domain name in the link. The domain name is the word, sometimes with dashes, before the ".com" or ".net".
- If the email is from a legitimate company, especially one that you recognize, it should be safe to click. Legitimate companies like LL Bean, Sprint, American Airlines, etc. are not going to send you unwanted email.
- Look up the domain name in the "remove" link at www.whois.net. It will list the name and address of the owner and, most important, the date when the domain was originally created.
  - If the owner is an individual and not a company, it is almost certainly spam; do not click the link.
  - If the domain was originally created within the last two years, do not click the link.
  - If the owner's full address and phone number are not listed, do not click the link.
  - If the owner is not in the US, Canada or other modern country, do not click the link.
  - Otherwise, if the Whois information is complete, it should be safe to click the "remove" link.
Probably the most important piece of information in the Whois information is the age of the domain name. Almost no spamming domains in the US/Canada are more than three years old and almost all established, legitimate companies registered their domain name more than five years ago. A spammer typically uses a domain name for only a few months.
(We similarly study the Whois information to determine which domains to add to our URL filtering. We are not aware of any domain name which was registered more than five years ago which is blocked by our service.)
In summary, if the email is from a legitimate company, especially one you recognize, you should follow their instructions to remove yourself from their mailings.
Can spam ever be totally stopped or perhaps outlawed?
A few countries have outlawed spam while others debate such laws. Such laws will have limited effect since most spam comes from third-world countries that will never prosecute spammers; they simply have bigger problems. The solution is technology to stop as much spam as possible, wherever possible. In our estimation, most (shady) businesses find that spam barely works; the response rate is below .01%. If everyone blocked 95% of the spam, then the cost of sending spam would increase by a factor of 20. Even the shadiest business would no longer find it cost effective and would therefore stop sending it. (Let's hope so.)
In the meantime, if most of the "open relays" in the modern countries are reconfigured by their owners to be "closed relays", it will become much easier to block the remaining spam.
In our efforts to stop spam, we regularly inform legitimate ISPs and hosting companies that their systems are being used for spam. Most will shut down the websites used by spammers. Unfortunately, most spam websites run on computers outside the US/Canada.
We have also contacted our regional US Trade representative and explained how some anti-spam services are now blocking entire countries. We were surprised and pleased that our representative forwarded our message to his counterparts in the countries being blocked. Several foreign representatives in turn contacted us and explained that they understood the damage spam was causing, understood that having their country blocked was not desirable and that they would ask their governments to take steps to stop spammers. We encourage you to also take an active political role.
What does all spam have in common?
This is really a question for you. Think about it. The answer is that 99% of spam wants you to click on a URL (web-site), to call a phone number, or send an order to a fax number.
The first level of filtering performed by SpamStopsHere is based on the URLs (web-sites) and phone/fax numbers mentioned in spam. We have found this to be very effective - we have seen 10 completely different looking spam messages, sent from 10 different mail systems (even in different countries) mention the same web-site or phone number. By actively "harvesting" new spam, we update our URL/Phone# list every five minutes.
Although our service does not filter on content based on simple words or phrases (which is too error-prone), we do filter on distinctive long phrases found in spam. An example is "diplomas from prestigious non-accredited universities"; it is extremely unlikely such phrases would ever occur in a legitimate email. This helps us stop recurring spam in which the URL changes very rapidly.
Can't spam just be filtered by its "obvious" content?
While a person can easily recognize spam, it is not easy for computers because they do not "understand" language. Spammers have also learned to defeat most content filters based on phrases and keywords. While you may see "free money" on the screen, the email message may not even contain that phrase; instead, complex HTML code visually places those two words next to each other. Without a vision system, a computer cannot recognize this obvious phrase.
The best attempts to block spam according to its content, e.g. SpamAssassin (tm), not only miss 5 - 10% of real spam, but also incorrectly block 1 - 2% of legitimate emails.
Since SpamStopsHere does not use content filtering based on "obvious" words and short phrases, it is much less likely to block legitimate emails. It can even be used by medical and legal organizations in which legitimate emails might discuss prescription medication, mortgage rates, profanity, and sexual terms.
What is an "Open Relay"?
An open-relay is a mail server which is not configured properly to prevent anyone on the Internet from using it to send e-mail messages. This is often unintentional, but is sometimes intentional. It is often the result of the organization owning the mail server not understanding security settings or just not caring about the consequences. Until the last few years, the default settings for most mail servers on Unix/Linux were as open-relays; many of these older machines are still running that way.
Spammers search the Internet for open-relays and then "program" them to send a continuous stream of spam. The owner of the open-relay typically learns of this via a flood of angry e-mails and then takes steps to shut it down. By then the spammer has moved on to another open-relay.
Where does spam come from?
As explained above, most spam comes from criminals and shady businesses. Lists of millions of e-mail addresses are readily available for as little as $100. To send the spam to millions of addresses, they must use "cooperative" mail servers. Most legitimate mail servers are protected from spammers and most ISPs prevent users from sending huge numbers of emails. Therefore spammers have to resort to the following methods:
- Using a spam mailing service. These are typically in China and third world countries that don't outlaw such practices or don't bother to prosecute them.
- Using an "open relay", which is described above.
Doesn't most spam come from Yahoo and Hotmail?
No! Spam often has a fake "Return address" to try and fool you into thinking it came from Yahoo, Hotmail, or even Merrill Lynch. There rarely is a real Return-Address.
Most spam is sent from mail systems in the Far-East and South America; some is sent from mail servers and personal computers in the US/Canada that have been compromised (hacked) by spammers.
Since most spam wants you to click on a link or call a phone number, there is no need for a real email "Return" or "From:" address.
Some spam is even sent with the same "To:" and "From:" addresses. If you set up a simple spam filter which sends the email back to the sender, you end up sending the spam to yourself, which is the spammer's intention.
Does spam work?
Most spam is sent by unethical hustlers, pornographers and outright scammers. Many spammers have criminal records; some attempt to dupe people into revealing their Credit Card number while "ordering" a product or service that doesn't really exist or has minimal value. Another primary purpose of spam is to dupe legitimate home businesses into purchasing an email list or spam service. In many countries, sending spam is illegal and is a sure way to ruin your business. In short, spam may work for criminals and shady businesses, but it does not work for legitimate businesses.
Never respond to a spam message; it can lead to harassment, attempts to hack your computer and attempts to steal your credit card number or identity. At a minimum, it will lead to more spam, especially if you click the infamous "Click to remove" link. For these reasons, it is important to block as much spam as possible and explain the dangers to your employees and family members.
How to read a bounceback/DSN/NDR
There are three main things to look for when faced with an NDR (Non-Deliverable-Report):
- The sending server
- The server that encountered the problem
- What the problem was
The sending server (or "Reporting-MTA")
It's often presumed that the server where the bounce originates from is the server that had the issue. Although this is possible if it's a local error, most often it is the NEXT server in the route that caused the problem.
You can find out what server is sending the message by looking in a few common places:
- The "From" header - Often the "From" header in an NDR is "@sending.server.com", which shows that "sending.server.com" is the sending server.
- The "Generating server" - If the body says "Generating server: sending.server.com", this is the server sending the bounce.
- The "Reporting-MTA" - The "Reporting-MTA" may be listed in the bounce. If so, this is the sending server.
The server that encountered the problem (or "Remote-MTA")
Since the sending server is often not the server that encountered the error, it's important to know where to find the logs of why the message was not delivered. Generally (when faced with an SMTP 5.x.x error) this is on the receiving server.
A few common places to find this server are:
- The "Remote-MTA:" field in the bounce
- The "Remote Server:" field in the bounce
- Where it says "While talking to:" in the bounce
What the problem was
Usually the bounce contains more information than the Reporting-MTA's logs, but less than the Remote-MTA's logs. Nonetheless, it's usually enough to determine where to look next.
- If the bounce says "while talking to: receiving.server.com" it will say after that "receiving.server.com said:"
- The bounce may say in the body "Reason:", "Error:" or "SMTP 5.x.x [...diagnostic text...]"
- The bounce may have text that is configurable by the Remote-MTA such as links explaining the error or general diagnostics. For instance "Rejected due to abuse. See www.some-website-or-other.com/bounce.html for more information"
Sometimes the error is a local error. In this event there is no Remote-MTA and the error that is defined in the bounce is from the Reporting-MTA. This should be indicated by a reference to "localhost", "YourDomain.local" or a private IP, coupled with the absence of a Remote-MTA or its equivalents.
There's often other information included in bounces including the headers of the message (please read our FAQ "How do I see the route of an email in the headers?" for more information) and the server that sent the original message (or the "Received-From-MTA"), but that information is beyond the scope of this FAQ. The goal of this FAQ is user-friendliness, but for in depth information you can read RFC 2821 section 3.7 "Relaying" for information on how email is relayed, and RFC 3464 for information about Delivery Status Notifications (DSNs).
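As an added example (not the wiki's or SpamStopsHere's code), the Python below reads a constructed RFC 3464 delivery-status part and answers the three questions above: which server sent the bounce (Reporting-MTA), which server hit the problem (Remote-MTA) and what the problem was (Status and Diagnostic-Code), flagging a local error when the Remote-MTA is missing, "localhost", a .local name or a private IP. The host names and address in the sample are made up.

```python
# Read the message/delivery-status part of a bounce (RFC 3464) and answer the
# FAQ's three questions: which server sent the bounce (Reporting-MTA), which
# server hit the problem (Remote-MTA) and what the problem was (Diagnostic-Code).
import ipaddress
import re

# Constructed sample delivery-status part; host names and the address are made up.
SAMPLE_DSN = """\
Reporting-MTA: dns; sending.server.example

Final-Recipient: rfc822; bob@receiving.server.example
Action: failed
Status: 5.1.1
Remote-MTA: dns; mx.receiving.server.example
Diagnostic-Code: smtp; 550 5.1.1 <bob@receiving.server.example>:
 Recipient address rejected: User unknown
"""

def parse_blocks(text):
    """Blank-line-separated groups of 'Name: value' fields: the per-message
    group first, then one group per recipient. Folded lines are unfolded."""
    blocks = []
    for group in re.split(r"\n[ \t]*\n", text.strip()):
        fields = re.sub(r"\n[ \t]+", " ", group).splitlines()
        blocks.append({name.strip().lower(): value.strip()
                       for name, _, value in (f.partition(":") for f in fields)})
    return blocks

def strip_type(value):
    # 'dns; host' -> 'host', 'smtp; 550 ...' -> '550 ...'; None stays None
    return value.split(";", 1)[-1].strip() if value else None

def is_local_host(host):
    """No Remote-MTA, localhost, a .local name or a private IP all mean the
    error happened on the Reporting-MTA itself, so its logs are the ones to read."""
    host = (host or "localhost").lower()
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return host == "localhost" or host.endswith(".local")

def explain_bounce(text):
    """One dict per failed recipient saying whose logs to read next."""
    blocks = parse_blocks(text)
    reporting = strip_type(blocks[0].get("reporting-mta"))
    results = []
    for rcpt in blocks[1:]:
        remote = strip_type(rcpt.get("remote-mta"))
        status = rcpt.get("status", "")
        results.append({"reporting_mta": reporting, "remote_mta": remote,
                        "recipient": strip_type(rcpt.get("final-recipient")),
                        "action": rcpt.get("action"), "status": status,
                        "permanent": status.startswith("5."),  # 5.x.x: won't be retried
                        "diagnostic": strip_type(rcpt.get("diagnostic-code")),
                        "look_at": "local" if is_local_host(remote) else "remote"})
    return results
```

Running `explain_bounce(SAMPLE_DSN)` points at the Remote-MTA's logs for the 5.1.1 "User unknown" rejection; a bounce with no Remote-MTA field is reported as a local error on the Reporting-MTA instead.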
