[Dshield] Spam 101 Question

Mike Easter mike.easter at gmail.com
Sat Aug 6 15:16:09 GMT 2005

Jeffrey Pike wrote:
> I have begun using a script cobbled together from samples I found on
> Microsoft's Web site to e-mail the library's newsletter to individual
> recipients using my local SMTP service (Windows Server 2003/IIS 6.0).

I don't know which server others are talking about which is listed as an
open smtp server, but /old/ Win's IIS is inherently insecure and not

There are many discussions about v thru' 5 "if your Exchange 5.0 server
is connected to the Internet, it WILL relay for anyone, and that cannot
be stopped."  However, you re saying you are using v. 6, which can be
configured securely or insecurely, which has been the case since v.5.5.

That's not your problem you are describing here.

> I have received about 900 returned mails, bounced spam with my
originating e-mail address in the From: field.  A random sample
indicates the spam originated in Korea.

This problem has nothing to do with any server insecurity and should not
be confused with that by anyone.

The problem of bouncing spams derives from a combination of 2 factors.
Number one, essentially all spam uses a forged or bogus From.  Typically
the forged From derives from the same kinds of places as the spam
targets -- only occasionally is it a 'made up' socially engineered From,
such as a girl's name on a porn From.  Rarely is it totally bogus or
non-existent.  When your own address happens to be what is in the forged
>From we are taking the first step toward the rest of the problem.

The rest of the problem unfolds when a spamrun goes out with your addy
in the forged From.  Then, some servers 'stupidly' accept for delivery
mails/spams which they cannot deliver.  Unfortunately, some of those
servers are configured to perform what I call 'belated bounces'.  A
belated bounce of a spam results in a misdirected bounce to the forged
From.  That is a bad and abusive configuration, resulting in those items
you have described.

> How (why?) did this happen, and is it my fault? Can I do anything to
> stop it?

No.  Except that since the misdirected bounces are abusive, the servers
which perform such bounces can be reported to spamcop.  Those reports
can result in the server becoming spamcop blocklisted.  Such
blocklisting can 'force' the server admins to configure their servers to
not perform misdirected bounces, because being spamcop blocklisted
causes problems for the delivery of their mail.

> I can provide headers, and the script, too, if that would help.  If
there is a more appropriate forum in which to address my questions,
please feel free to refer me there.

If you like newsgroups you can discuss in the usenet group alt.spam or
on the newsserver news.spamcop.net in the newsgroups spamcop or

I'm posting/emailing this at 8:15 AM PDT, Aug 6.  I don't know when it
will eventually appear.

Mike Easter

More information about the list mailing list