Why do I get bounce messages about email that I didn't send?

Email sent to an invalid address causes a Delivery Status Report (DSR), also known as a "bounce message" or "bounceback", to be sent back to the "From" address. Usually, when you see bouncebacks for email you did not send, a spammer has forged your email address as the "From" address.

The bounceback messages (and possibly complaints) you get are called "backscatter".

How Can I Stop It?

Forging someone's email address is very simple. All the spammer has to do is change the "from address" in their own email sending program. Anyone can do it and you can't really stop them.

In general, you don't want to block these bounce messages. It's important to know if someone is forging your email address. However, there are a few steps you can take:

  • If you're being inundated with backscatter, you may opt to temporarily DELETE all messages from a null sender (under Additional Filtering, "Block Delivery Status Notifications", ID: 10896). Make sure to disable this blocking when things quiet down; otherwise you won't receive any bounce messages for relayed emails you send that cannot be delivered.
  • To reduce the amount of backscatter, you might be able to publish SPF records for your email domain. Receiving servers that check SPF can then reject the forged messages outright instead of accepting them and bouncing them to you, which reduces the number of future bouncebacks.
  • If the forged email addresses don't exist, you could disable any catchall email aliases that forward email for all non-existent email addresses at your domain to your inbox, or use the Mailboxes feature to reject DSR messages sent to invalid email addresses.
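What a published SPF record lets a receiving server decide, as an added example (not code from the original page or from SpamStopsHere): a minimal evaluator for the SPF mechanisms that need no DNS lookup, run against a constructed record for a hypothetical example.com whose mail servers are assumed to live in 192.0.2.0/24. Rejecting a failing message during the SMTP dialogue is what prevents the bounce from ever being generated.

```python
import ipaddress

# Minimal SPF evaluator (RFC 7208 semantics) for the mechanisms that
# need no DNS lookup: ip4, ip6 and all, each with an optional qualifier.
# Mechanisms that do need DNS (a, mx, include, exists, redirect=) raise
# so the caller can fall back to a resolver-backed library.

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
EXAMPLE_COM_SPF = "v=spf1 ip4:192.0.2.0/24 -all"   # constructed record


def evaluate_spf(record, client_ip):
    """SPF result for client_ip against the text of an SPF TXT record."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                    # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                  # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier] # "all" matches whatever is left
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"       # malformed record
            if ip in network:            # False when address families differ
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"SPF mechanism {name!r} needs a DNS lookup")
    return "neutral"                     # nothing matched and no "all" term


def receiver_action(record, client_ip):
    """What a receiving server does with the result at SMTP time.  A
    'fail' is rejected before the message is accepted, so no bounce is
    ever generated to the forged From address: that is how publishing
    SPF for your domain reduces backscatter."""
    result = evaluate_spf(record, client_ip)
    if result == "fail":
        return "reject"                  # 5xx reply, message never accepted
    if result == "softfail":
        return "accept-and-mark"         # accepted but treated as suspicious
    return "accept"
```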

Why Do Spammers Forge Email Addresses?

There are two theories on why spammers do this:

  1. A forged email address is used because a message requires a valid "mail from" address in order to be accepted by the recipient, and the virus/spammer:
    • Doesn't have a valid email address
    • Wants to remain anonymous
    • Doesn't want to receive the large number of bounces from invalid recipient email addresses
    • Wants to send their bounce messages to an enemy just to annoy them
  2. To gain trust, the mail from address might be forged:
    • To appear from the postmaster at your domain
    • To appear from someone else at your domain
    • To appear from someone with whom you do business

How can I prevent being listed as a spammer?

Most "false positives" (legitimate messages accidentally identified as spam) occur from bulk mailing list type mailings, and not from an actual personalized email message.

There are two main reasons:

1. The recipient doesn't remember signing up, and reports your messages as spam.

Sometimes, while using an online service, purchasing goods online, or filling out a form to enter a contest, the recipient is not aware of, or has forgotten, having subscribed to a mailing list. When the recipient starts receiving mailing list messages, they may not remember explicitly subscribing and therefore report the emails as spam.

Sometimes a company changes its name and, although the recipient was happy to receive the mailings before, doesn't recognize that the continued mailings are from the same company, and therefore reports the messages as spam.

2. The sender is using a mailing list service that has been blacklisted.

Most mailing list type services offer a link tracking service, which replaces your domain name in the message with that of the tracking domain. This allows you to track who clicked on your links, but it also masks your domain name and forces you to include a third party domain name in your email message. Since most mailing list type services have problems with spammers signing up to use their service, this link tracking URL will probably have appeared in some spam and could be blacklisted. You could end up getting your messages blocked by including this third party domain name in your email messages.

If too much spam is seen coming from the mailing list service's mail servers, the IP addresses of those mail servers could be added to blacklists of known spammers. If your recipients are subscribed to these blacklists, all email from the blacklisted servers could be identified as spam, regardless of content. "Too much" spam from these mail servers could, for example, be triggered by just one out of 1,000 recipients forgetting that they subscribed to a mailing list.

Things a mailing list service can do to avoid being listed as a spammer:

  1. Ensure that there is a web site at these link tracking URLs that indicates what mailing service owns it.
  2. Ensure that your senders include a statement that says why the recipient is receiving the message (where and when they subscribed).
  3. Include a link where the recipient can unsubscribe as well as report it as abuse to the mailing service's abuse department (roving.com is now doing this as well as several others).
  4. Make sure that the subject of the mailing list message is not misleading, and indicates subscription. For example, "blah blah Newsletter for September" as opposed to "Check out this great deal!"
  5. Don't allow your users to import email lists, and maintain records of confirmed opt-in requests.

Following these five practices allows our analysts to recognize that a message reported as spam may actually be the result of a legitimate subscription. It also allows us to quickly recognize a link tracking URL as belonging to a mailing list service with good policies, rather than to the actual spammer.

Things mailing list owners can do to avoid being listed as a spammer:

  1. Do only confirmed opt-in, and keep all records of IP addresses and dates of the confirmation process, to both prevent and dispute spam complaints.
  2. Ensure that you include a statement that says why the recipient is receiving the message (where and when they subscribed).
  3. Include a link where the recipient can unsubscribe by clicking on it.
  4. Make sure that the subject of the mailing list message is not misleading, and indicates subscription. For example, "blah blah Newsletter for September" as opposed to "Check out this great deal!"
  5. Ask your recipients to whitelist your newsletter at the time that they subscribe.

Following these five practices allows our analysts to recognize that a message reported as spam may actually be the result of a legitimate subscription.

CAN-SPAM Compliance

Even if your messages are CAN-SPAM compliant, they can still be considered Unsolicited Bulk Email, which is the term we use to define spam. Even if a recipient has sent you queries or is a current customer, it is highly recommended that you include an unsubscribe link at the bottom of any sales follow-up or advertisement-related messages. It is also good to remind them of how you got their information.

Unsubscribe links that the recipient simply has to click on are less likely to result in a spam complaint. Unsubscribe links are also less likely to get you listed as a spammer by our analysts. On the other hand, if you require your users to send in a postcard or send an email to unsubscribe, the decision as to whether or not you are a spammer is more likely to go against you. This is particularly true if you state that the recipient must send an email from the email address that is subscribed, but you don't state the email address you sent to. These are all considered part of "good subscription policies".

Should You Click the "remove" Link in Spam?

Conventional wisdom is that you should never click on the "remove" link in spam because it will only result in more spam. However, if you follow these guidelines, you can reduce the amount of unwanted email by clicking on some "remove" links.

Place the mouse on the "remove" link without clicking it. The status line of your email program should display the domain name in the link. The domain name is the word, sometimes with dashes, before the ".com" or ".net".

  1. If the email is from a legitimate company, especially one that you recognize, it should be safe to click. Legitimate companies like LL Bean, Sprint, American Airlines, etc. are not going to send you unwanted email.
  2. Look up the domain name in the "remove" link at www.whois.net. It will list the name and address of the owner and, most importantly, the date when the domain was originally created.
  3. If the owner is an individual and not a company, it is almost certainly spam; do not click the link.
  4. If the domain was originally created within the last two years, do not click the link.
  5. If the owner's full address and phone number are not listed, do not click the link.
  6. If the owner is not in the US, Canada or another modern country, do not click the link.
  7. Otherwise, if the Whois information is complete, it should be safe to click the "remove" link.

Probably the most important piece of information in the Whois information is the age of the domain name. Almost no spamming domains in the US/Canada are more than three years old and almost all established, legitimate companies registered their domain name more than five years ago. A spammer typically uses a domain name for only a few months.

(We similarly study the Whois information to determine which domains to add to our URL filtering. We are not aware of any domain name which was registered more than five years ago which is blocked by our service.)

In summary, if the email is from a legitimate company, especially one you recognize, you should follow their instructions to remove yourself from their mailings.

Can spam ever be totally stopped or perhaps outlawed?

A few countries have outlawed spam while others debate such laws. Such laws will have limited effect since most spam comes from third-world countries that will never prosecute spammers; they simply have bigger problems. The solution is technology to stop as much spam as possible, wherever possible. In our estimation, most (shady) businesses find that spam barely works; the response rate is below 0.01%. If everyone blocked 95% of the spam, then the cost of sending spam would increase by a factor of 20. Even the shadiest business would no longer find it cost effective and would therefore stop sending it. (Let's hope so.)

In the meantime, if most of the "open relays" in the modern countries are reconfigured by their owners to be "closed relays", it will become much easier to block the remaining spam.

In our efforts to stop spam, we regularly inform legitimate ISPs and hosting companies that their systems are being used for spam. Most will shut down the websites used by spammers. Unfortunately, most spam websites run on computers outside the US/Canada.

We have also contacted our regional US Trade representative and explained how some anti-spam services are now blocking entire countries. We were surprised and pleased that our representative forwarded our message to his counterparts in the countries being blocked. Several foreign representatives in turn contacted us and explained that they understood the damage spam was causing, understood that having their country blocked was not desirable and that they would ask their governments to take steps to stop spammers. We encourage you to also take an active political role.

What does all spam have in common?

The answer is that 99% of spam wants you to click on a URL (web-site), to call a phone number, or send an order to a fax number.

The first level of filtering performed by SpamStopsHere is based on the URLs (web-sites) and phone/fax numbers mentioned in spam. We have found this to be very effective - we have seen 10 completely different looking spam messages, sent from 10 different mail systems (even in different countries) mention the same web-site or phone number. By actively "harvesting" new spam, we update our URL/Phone# list every five minutes.

Although our service does not filter on content based on simple words or phrases (which is too error-prone), we do filter on distinctive long phrases found in spam. An example is "diplomas from prestigious non-accredited universities"; it is extremely unlikely such phrases would ever occur in a legitimate email. This helps us stop recurring spam in which the URL changes very rapidly.
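The two filtering ideas above (shared web-site domains and phone/fax numbers across differently worded spam, plus distinctive long phrases), as an added illustration that is not SpamStopsHere's own code: indicator extraction and blocklist matching over constructed sample messages. The blocklist entries, the `.test` domains and the 800 number are all made up for the example.

```python
import re

# First-pass indicator filtering: pull web-site domains, phone/fax numbers
# and distinctive long phrases out of a message and compare them with a
# blocklist.  Messages and blocklist entries are constructed (".test" is a
# reserved top-level domain that is never registered).

URL_RE = re.compile(r"(?:https?://|www\.)([a-z0-9.-]+\.[a-z]{2,})", re.I)
PHONE_RE = re.compile(r"(?:\+?1[\s.-]*)?\(?\d{3}\)?[\s.-]*\d{3}[\s.-]*\d{4}")


def extract_domains(text):
    """Host names from URLs, lower-cased, with a leading 'www.' dropped."""
    hosts = set()
    for match in URL_RE.finditer(text):
        host = match.group(1).lower().rstrip(".")
        hosts.add(host[4:] if host.startswith("www.") else host)
    return hosts

def extract_phones(text):
    """North American phone/fax numbers normalised to their ten digits."""
    phones = set()
    for match in PHONE_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group(0))
        if len(digits) == 11 and digits.startswith("1"):
            digits = digits[1:]              # drop the country code
        phones.add(digits)
    return phones

def matching_indicators(text, blocklist):
    """Blocklisted domains, numbers and phrases found in text (empty = clean)."""
    normalised = " ".join(text.lower().split())  # collapse line breaks and spacing
    hits = extract_domains(text) & blocklist["domains"]
    hits |= extract_phones(text) & blocklist["phones"]
    hits |= {phrase for phrase in blocklist["phrases"] if phrase in normalised}
    return hits


BLOCKLIST = {                                    # constructed entries
    "domains": {"example-offer.test"},
    "phones": {"8005550199"},
    "phrases": {"diplomas from prestigious non-accredited universities"},
}
# Two differently worded messages sharing one site and one number, one caught
# only by its long phrase, and a legitimate message that matches nothing.
SPAM_A = "AMAZING DEAL!! Visit http://WWW.Example-Offer.test/buy or call 1-800-555-0199"
SPAM_B = "Dear friend, www.example-offer.test has what you need. Fax (800) 555.0199."
SPAM_C = "Get diplomas   from prestigious\nnon-accredited universities at http://other.test"
HAM = "Hi Bob, the meeting is at 3pm; agenda at https://intranet.example.com/agenda"
```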

Can't spam just be filtered by its "obvious" content?

While a person can easily recognize spam, it is not easy for computers because they do not "understand" language. Spammers have also learned to defeat most content filters based on phrases and keywords. While you may see "free money" on the screen, the email message may not even contain that phrase; instead, complex HTML code visually places those two words next to each other. Without a vision system, a computer cannot recognize this obvious phrase.

The best attempts to block spam according to its content, e.g. SpamAssassin (tm), not only miss 5 - 10% of real spam, but also incorrectly block 1 - 2% of legitimate emails.

Since SpamStopsHere does not use content filtering based on "obvious" words and short phrases, it is much less likely to block legitimate emails. It can even be used by medical and legal organizations in which legitimate emails might discuss prescription medication, mortgage rates, profanity, and sexual terms.

What is an "Open Relay"?

An open relay is a mail server that is not configured to prevent anyone on the Internet from using it to send e-mail messages. This is often unintentional, but is sometimes intentional. It is often the result of the organization owning the mail server not understanding security settings or simply not caring about the consequences. Until the last few years, the default settings for most mail servers on Unix/Linux left them as open relays; many of these older machines are still running that way.

Spammers search the Internet for open relays and then "program" them to send a continuous stream of spam. The owner of the open relay typically learns of this via a flood of angry e-mails and then takes steps to shut it down. By then the spammer has moved on to another open relay.
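The decision that separates a properly configured mail server from an open relay, as an added illustration (not SpamStopsHere's code): the per-recipient rule that Postfix expresses as `permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination`, next to the misconfigured version with the client check missing, and a self-test an administrator can run against either. The local domain and network ranges are constructed for the example.

```python
import ipaddress

# Per-recipient relay decision made for each RCPT TO command.  A server
# relays only for its own networks or authenticated users and otherwise
# accepts mail solely for the domains it hosts.  Domains and networks
# below are constructed for the example.

LOCAL_DOMAINS = {"example.com"}                       # domains we deliver for
MY_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"),   # our own hosts
               ipaddress.ip_network("192.0.2.0/24")]


def rcpt_decision(client_ip, authenticated, recipient):
    """Decision for one RCPT TO command: 'deliver', 'relay' or 'reject'."""
    domain = recipient.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return "deliver"        # final delivery to our own users: always fine
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in MY_NETWORKS):
        return "relay"          # outbound mail from our own users or hosts
    return "reject"             # a stranger asking us to send mail elsewhere


def open_relay_rcpt_decision(client_ip, authenticated, recipient):
    """The misconfiguration described above: the client check is missing,
    so anyone on the Internet can hand this server mail for any destination."""
    domain = recipient.rpartition("@")[2].lower()
    return "deliver" if domain in LOCAL_DOMAINS else "relay"


def is_open_relay(decide):
    """Self-test for your own server's policy: an unauthenticated stranger
    asks to send to an outside domain.  Relaying it means open relay."""
    return decide("203.0.113.5", False, "someone@elsewhere.test") == "relay"
```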

Where does spam come from?

As explained above, most spam comes from criminals and shady businesses. Lists of millions of e-mail addresses are readily available for as little as $100. To send spam to millions of addresses, they must use "cooperative" mail servers. Most legitimate mail servers are protected from spammers, and most ISPs prevent users from sending huge numbers of emails. Therefore, spammers have to resort to the following methods:

  • Using a spam mailing service. These are typically in China and third world countries that don't outlaw such practices or don't bother to prosecute them.
  • Using an "open relay", which is described above.

Doesn't most spam come from Yahoo and Hotmail?

No! Spam often has a fake "Return address" to try to fool you into thinking it came from Yahoo, Hotmail, or even Merrill Lynch. There rarely is a real Return-Address.

Most spam is sent from mail systems in the Far-East and South America; some is sent from mail servers and personal computers in the US/Canada that have been compromised (hacked) by spammers.

Since most spam wants you to click on a link or call a phone number, there is no need for a real email "Return" or "From:" address.

Some spam is even sent with the same "To:" and "From:" addresses. If you set up a simple spam filter which sends the email back to the sender, you end up sending the spam to yourself, which is the spammer's intention.

Does spam work?

Most spam is sent by unethical hustlers, pornographers and outright scammers. Many spammers have criminal records; some attempt to dupe people into revealing their credit card number while "ordering" a product or service that doesn't really exist or has minimal value. Another primary purpose of spam is to dupe legitimate home businesses into purchasing an email list or spam service. In many countries, sending spam is illegal and is a sure way to ruin your business. In short, spam may work for criminals and shady businesses, but it does not work for legitimate businesses.

Never respond to a spam message; it can lead to harassment, attempts to hack your computer and attempts to steal your credit card number or identity. At a minimum, it will lead to more spam, especially if you click the infamous "Click to remove" link. For these reasons, it is important to block as much spam as possible and explain the dangers to your employees and family members.

Other Resources