Help: Tracking Down Errant SMTP Server.
Web Server forum
    Help: Tracking Down Errant SMTP Server.  
Bluehades
07-10-07 12:19 PM

Hello's
I'm living in a spam nightmare and need some help tracking down an errant SMTP
engine that is wreaking havoc on users' email accounts.
From the looks of things a user's email address is being used by an errant
SMTP engine out there. The SMTP engine is sending out massive amounts of
emails and specifying this user's account as the "Return To Address".
Most of these emails are to addresses that don't exist, OR are returned back
to the user due to the content of the email. As such, the user's mailbox has
thousands of NDRs from remote mail servers.
This is some form of DNS as the user's email account is now un-usable. What
is the best way to track down the sender(s) of these email messages, and has
anyone else experienced this problem?
many thanks
Blue.

    Re: Help: Tracking Down Errant SMTP Server.  
Sanford Whiteman
07-11-07 12:25 AM

> Hello's  I'm  living  in  spam Nightmare and need some help tracking
> down  an  errant  SMTP  engine that is wreaking havoc on users email
> accounts.

Arrant, too, I'd say. 

> From  the  looks of things a users email address is being used by an
> errant smtp engine out there.

It'd  be wishful thinking to assume it's just one "engine" -- likely a
load of zombies.

> The  SMTP  engine  is  sending  out  massive  amounts  of emails and
> specifying  this  users  account as the "Return To Address".

Classic 'Joe Job'. There is nothing inherent in the SMTP protocol that
prohibits what we perceive as "impersonation" of an envelope sender.

Originally, JJs were largely malicious, deliberate DoS attacks against
specific senders. Later, spammers started using large ranges of sender
addresses  to  ensure they'd have a legit return address and thus pass
sender  address  verification (SAV) checks. Typically, JJs of the spam
type  calm  down  after  several  days,  as  each address falls out of
rotation.  However,  JJs  *designed* for spam can malfunction -- it is
both  amusing  and  horrifying  when  the botnets malfunction, spewing
e-mail  without  variable  substitution and such -- in which case they
would  be  as overwhelming as a deliberate attack. It would be hard to
tell  one from the other unless the victim had very recently made some
enemies,  such  as by starting up an anti-spam business, or really any
kind  of extreme personal or corporate antagonism where the other side
is tech-savvy.

The  only  way  to attempt to proactively prevent JJs is to publish an
SPF  policy  for  your domain. However, SPF failures are enforced by a
small  enough  fraction  of  remote servers that this will have little
practical  effect.  Still,  publishing  SPF  may  have an ethical (and
perhaps  legal?)  benefit  in  that  it  shows  that  you  have made a
good-faith  effort  to  highlight impersonation by listing the servers
you  authorize  to  send mail from your domain... thus, all others are
contravening your published policy and you can't be as responsible for
them as you would be without the public record.

> This  is  some  form  of  DNS  as  the  user's  email account is now
> un-usable.

DoS. 

> What  is  the  best  way to track down the sender (s) of these email
> messages,  and has anyone else experienced this problem?

Many  millions  have  experienced  this  problem. As I said, it should
abate  if  it  is  not a deliberate targeting of this account. You can
inspect  the  headers of the NDRs to get an idea of how many different
IPs  generated  the  original messages. If by some chance it is a very
small  set  of  IPs,  you  can pursue it with the ISP and also with (I
understand)  law enforcement, as there is case law establishing that a
crime  has been committed. But chances are, you'll see a huge range of
spam zombie IPs with no responsible party.

--Sandy
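
The header inspection Sandy describes, combined with the SPF check, as an added example that is not part of the thread: it parses the original-message headers that remote MTAs embed in an NDR, treats the bottom-most Received line as the host that injected the forged message, tallies the distinct IPs, and tests each against a constructed SPF record for example.com. All hosts, addresses and the policy are assumed (RFC 5737 documentation ranges), and only ip4 mechanisms are evaluated.

```python
"""Count the IPs that injected the forged messages behind an NDR flood and check
them against the victim domain's SPF policy. Added example; every value is constructed."""
import ipaddress
import re
from collections import Counter
from email import message_from_string

# Constructed samples of the original-message headers that a remote MTA returns
# inside an RFC 3464 bounce. Received lines are newest-first, so the LAST one
# is the first hop: the host that actually handed the forged message over.
BOUNCED_ORIGINALS = [
    "Received: from mx.remote.example (mx.remote.example [203.0.113.7])\n"
    "\tby relay.remote.example with ESMTP id a1; Tue, 10 Jul 2007 09:01:02 +0000\n"
    "Received: from pc-home (dsl-12.isp.example [198.51.100.12])\n"
    "\tby mx.remote.example with SMTP id b2; Tue, 10 Jul 2007 09:01:00 +0000\n"
    "Return-Path: <victim@example.com>\n",
    "Received: from laptop (cable-77.other.example [198.51.100.77])\n"
    "\tby mx.remote.example with SMTP id c3; Tue, 10 Jul 2007 09:05:00 +0000\n",
    "Received: from pc-home (dsl-12.isp.example [198.51.100.12])\n"
    "\tby mx.third.example with SMTP id d4; Tue, 10 Jul 2007 09:09:00 +0000\n",
    "Received: from mail.example.com (mail.example.com [192.0.2.25])\n"
    "\tby mx.remote.example with ESMTP id e5; Tue, 10 Jul 2007 09:12:00 +0000\n",
]
SPF_RECORD = "v=spf1 ip4:192.0.2.25 -all"  # constructed policy: one sender, all else fails
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def origin_ip(raw_headers):
    """Return the first-hop IP (bottom Received header), or None if absent."""
    received = message_from_string(raw_headers).get_all("Received") or []
    match = IP_IN_BRACKETS.search(received[-1]) if received else None
    return match.group(1) if match else None

def tally_origins(bounced):
    """Count how many NDRs trace back to each injecting IP."""
    return Counter(ip for ip in map(origin_ip, bounced) if ip)

def spf_allows(ip, record=SPF_RECORD):
    """Minimal SPF check: ip4:/CIDR terms plus trailing 'all' (no a/mx/include DNS lookups)."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return True
        if term.endswith("all"):
            return term in ("all", "+all")
    return False

def unauthorized_origins(bounced, record=SPF_RECORD):
    """Injecting IPs that contravene the published policy, with NDR counts."""
    return {ip: n for ip, n in tally_origins(bounced).items() if not spf_allows(ip, record)}

print(unauthorized_origins(BOUNCED_ORIGINALS))  # {'198.51.100.12': 2, '198.51.100.77': 1}
```

A long tail of distinct unauthorized IPs in the output is the "huge range of spam zombie IPs" case; a handful of repeating ones is the case worth taking to the ISP.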

    Re: Help: Tracking Down Errant SMTP Server.  
Bluehades
07-11-07 12:25 AM

Sandy,
So in short, all the users can do is wait it out? When you say "each address
falls out of rotation", what do you mean by that? What's to stop the spammer
from using the valid address via his/her zombies forever?
I've heard of spam problems but did not imagine they could cause users to
switch email addresses.




    Re: Help: Tracking Down Errant SMTP Server.  
Sanford Whiteman
07-11-07 06:21 AM

> So in short, all the users can do is wait it out? When you say "Each
> address  falls  out  of rotation" What do you mean by that?

"Properly"  operating  zombies  wouldn't  continue  to hammer the same
address, because it helps keep a lower criminal profile -- and because
it isn't necessary.

> What's  to  stop the spammer from using the valid address via his/her
> zombies  forever?

Nothing, just habit.

> I've  heard  of  Spam  problems but did not imagine they could cause
> users to switch email addresses.

Yeah,  welcome  to  the  wild. More people switch addresses because of
incoming  spam  and insufficient spam control, but NDR floods would be
second.

--Sandy
