[Dshield] PDF Spam Wave

M Cook dshieldlists at versateam.com
Fri Aug 10 00:46:30 GMT 2007

jayjwa wrote:
 > Two replies, since they are short and on the same topic I've placed
 > both here.

It may be that you are thinking that a bounce message is always 
generated when there is a failure. This is true with mail servers that 
are properly configured and senders that are authenticated. But consider 
where the bounce is generated. If mail server A tries to send to mail 
server B, but mail server B in the SMTP protocol says "Permanent 
failure", mail server A is then responsible for generating the bounce 
message. If instead mail server B accepts the mail and later decides 
that it is not deliverable, server B is responsible for sending the 
bounce message. The RFCs make it clear that this latter case is to be 
the exception rather than the rule. That is, the preferred behavior is 
for server B to signal a permanent failure rather than accept the 
message, leaving server A to handle the problem. In the case where 
server A is the spammer (using a compromised residential computer on a 
dynamic IP address to imitate a real SMTP server) and server B is the 
innocent recipient, when server B gives the 5nn permanent failure, 
server A (the spammer), which would ordinarily be responsible for 
sending the bounce, doesn't bother; it just goes on to try to send the 
next spam message.  You can see which of these two cases generates the 
backscatter. Yes, the RFC does specify exceptions, but we're not talking 
about exceptions, we're talking about mail servers that accept tens of 
thousands of spam messages and then generate tens of thousands of 
bounces. If they would "not accept" those messages, there would be no 
bounce backscatter.

Again, to summarize: most of the spam I have seen fits a specific 
pattern: it is generated on residential or dynamic IP addresses from 
compromised machines, connecting directly to the MX server of record. 
That MX server in most cases should be able to tell whether or not the 
recipient addressee is valid. If it rejects (5nn) the message in the 
middle of the SMTP dialog, there won't be a bounce message. There are 
exceptions, but I don't think that's what we are talking about primarily.

I hope that clarifies where I'm coming from. This is the pattern I've 
been seeing for at least five years (though volumes have gone up each 
year) so it is not something new. If you are trying to bring something 
else to our attention, I apologize for missing it, and will try to be 
more receptive if you care to clarify.
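
Added illustration, not part of the original message: a small Python model of the two cases described above, comparing a server B that rejects unknown recipients with a 5nn reply during the SMTP dialog against one that accepts everything and bounces later. The addresses, the VALID mailbox set and the session list are constructed for the example.

```python
from collections import Counter

VALID = {"alice@example.org", "bob@example.org"}  # constructed mailboxes on server B

# Constructed sessions: (envelope MAIL FROM, RCPT TO, sender_is_real_mta)
SESSIONS = [
    ("victim@example.net", "alice@example.org", False),   # bot, forged sender
    ("victim@example.net", "sales1@example.org", False),  # bot, unknown recipient
    ("victim@example.net", "info99@example.org", False),
    ("victim@example.net", "jsmith@example.org", False),
    ("carol@example.com", "bobb@example.org", True),      # real MTA, mistyped address
]

def rcpt_reply(rcpt, reject_unknown):
    """Server B's reply code to RCPT TO under the chosen policy."""
    if reject_unknown and rcpt not in VALID:
        return 550  # permanent failure, given inside the SMTP dialog
    return 250

def bounces_for(mail_from, rcpt, real_mta, reject_unknown):
    """Return (generating server, bounce destination) pairs for one message."""
    if rcpt_reply(rcpt, reject_unknown) == 550:
        # Server A owns the bounce. A real MTA notifies its own user;
        # a spam bot just moves on to the next message.
        return [("A", mail_from)] if real_mta else []
    if rcpt not in VALID:
        # B accepted, then found the message undeliverable: B must bounce
        # to the envelope sender, which the spammer forged.
        return [("B", mail_from)]
    return []

def simulate(reject_unknown):
    """Count bounces produced over all sessions for one policy on server B."""
    sent = Counter()
    for mail_from, rcpt, real_mta in SESSIONS:
        sent.update(bounces_for(mail_from, rcpt, real_mta, reject_unknown))
    return sent

def backscatter(sent, forged="victim@example.net"):
    """Bounces that land on the forged sender address."""
    return sum(n for (_, dest), n in sent.items() if dest == forged)

if __name__ == "__main__":
    for policy in (False, True):
        result = simulate(policy)
        print("reject at RCPT:", policy, dict(result), "backscatter:", backscatter(result))
```

With rejection at RCPT time the legitimate sender still learns about the typo, because her own server generates that notice.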
