Apple’s ‘Bounce To Sender’ a Bad Idea

Matt journals a snippet from Apple’s eNews newsletter (originally forwarded by Skip Montanaro on the spambayes list), as follows:

Delivering a One-Two Punch to Spammers

Yes, Mac OS X Mail can help you deliver a staggering blow to spammers. Simply pull down the Mail menu, choose Junk Mail, and select Automatic. The next time you receive email, Mail will move suspect email into a Junk folder.

Now you’re ready to deliver a real knockout punch to spammers by taking advantage of yet another potent spam-fighting weapon:

  1. Click on the Junk folder.
  2. Type Command-a to select all of the email in the Junk folder.
  3. Choose Bounce to Sender from the Message menu.

    Mail will return the selected messages to the senders marked User unknown, making them think your email address invalid, encouraging them to drop you from their lists, and, thus, eliminating spam at its source.

Read on for details as to why this does not work (warning: long).

Subject: Bad move, Apple
From: Skip Montanaro (spam-protected)
Date: Thu, 6 Feb 2003 11:45:24 -0600 (17:45 GMT)
To: (spam-protected)

Got this in today’s Apple eNews mailing:

    Delivering a One-Two Punch to Spammers

    Yes, Mac OS X Mail can help you deliver a staggering blow to spammers. Simply pull down the Mail menu, choose Junk Mail, and select Automatic. The next time you receive email, Mail will move suspect email into a Junk folder.

    Now you’re ready to deliver a real knockout punch to spammers by taking advantage of yet another potent spam-fighting weapon:

  1. Click on the Junk folder.
  2. Type Command-a to select all of the email in the Junk folder.
  3. Choose “Bounce to Sender” from the Message menu.

    Mail will return the selected messages to the senders marked “User unknown,” making them think your email address invalid, encouraging them to drop you from their lists, and, thus, eliminating spam at its source.

    http://www.apple.com/macosx/jaguar/mail.html

Justin’s comments:

This sounds like an attractive idea at first — mail ‘user unknown’ Delivery Status Notifications back to the spammers, and they’ll take your address off their lists. However, it doesn’t work, and may actually send more noise to non-spammers. Here’s why.

  • First of all, most spam these days is sent using one of three originating-address methods. The first is totally randomly generated From, Reply-To and/or Errors-To addresses, typically at a big ISP like Yahoo! or Hotmail. So replying to these with a ‘user unknown’ DSN will result in nothing more than wasting your own, and that ISP’s, bandwidth, as the address never existed anyway.
  • The second method is for the spammers to use a random address plucked from the same ‘addresses to spam’ list your name is on. So your ‘user unknown’ DSN will be sent to someone else on the spam-list, increasing the amount of crap they get in their mailbox. Oops.
  • Third is the joe-job. This is where the spammer has deliberately picked the address of someone they dislike, so that a barrage of complaints, legitimate ‘user unknown’ messages, and — yes — forged ‘user unknown’ messages! — will be sent to that person. Generally, if a spam-fighter gets joe-jobbed, you can be sure they’re doing something right ;)

Next — even if the spammers were to see your ‘user unknown’ message, they do not act on it:

  • There is a way for ‘user unknown’ messages to be communicated back to the spammer (by doing it in the very first SMTP transaction). However, many folks who have tried this method have noted that it has no effect; spamware tools take a ‘fire and forget’ approach.

      After all, spammers want to send the mail as fast as possible, before they’re blocked from the relay or proxy they’re abusing, and before the DNSBLs and Razor react. So the method is simply to send as much mail as possible, without waiting for replies, and with as little identifying information as possible (to make it hard for them to be tracked down). In other words, any data coming back from the receiver is worthless to them, and may in fact get them shut down, so must be avoided.

  • Another factor is that, if your address is one of those ‘Addresses on CD’, you’ve got hundreds of spammers you’ll need to send bounces to (and hope they honour them). Each one of those spammers has a different copy of the address list, so removal from one — if it happens — won’t help with removal from the others.
  • Yet another aspect is that they do not want to reduce the number of addresses they send to. Spam economics is such that 2,000,000 addresses on CD are worth more than 1,000,000 addresses on CD, and who cares if half of them bounce, ‘cos you’ve paid your money already ;)

So, anyway, that’s why sending fake-bounces in response to spam is bad.
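The difference between refusing a recipient inside the SMTP transaction and bouncing after acceptance can be seen in a toy receiver. This is an added example, not code from the original post or from any mail server; the mailbox list, host names and the sample session are constructed, and the `reject_in_session` switch is a hypothetical setting used only to put the two behaviours side by side.

```python
# Added example: toy receiving-side SMTP dialogue, not a real MTA.
MAILBOXES = {"alice@example.org"}  # constructed: the only real local user

def smtp_session(client_lines, reject_in_session=True):
    """Return (transcript, dsn_targets): reply pairs and addresses later bounced to."""
    transcript, dsn_targets = [], []
    sender, good, unknown, in_data = None, [], [], False
    for line in client_lines:
        cmd = line.upper()
        if in_data:
            if line != ".":
                continue  # message content: the server sends no reply
            in_data = False
            reply = "250 2.0.0 Ok: queued"
            # Accept-then-bounce: every DSN goes to the unverified MAIL FROM.
            dsn_targets += [sender] * len(unknown)
        elif cmd.startswith(("HELO ", "EHLO ")):
            reply = "250 mx.example.org"
        elif cmd.startswith("MAIL FROM:"):
            sender, good, unknown = line[10:].strip().strip("<>"), [], []
            reply = "250 2.1.0 Ok"
        elif cmd.startswith("RCPT TO:"):
            rcpt = line[8:].strip().strip("<>").lower()
            if rcpt in MAILBOXES:
                good.append(rcpt)
                reply = "250 2.1.5 Ok"
            elif reject_in_session:
                # Refusal goes back on the same connection; nothing is mailed.
                reply = "550 5.1.1 User unknown"
            else:
                unknown.append(rcpt)
                reply = "250 2.1.5 Ok"
        elif cmd == "DATA" and (good or unknown):
            in_data, reply = True, "354 End data with <CR><LF>.<CR><LF>"
        elif cmd == "DATA":
            reply = "554 5.5.1 No valid recipients"
        elif cmd == "QUIT":
            reply = "221 2.0.0 Bye"
        else:
            reply = "502 5.5.2 Command not recognized"
        transcript.append((line, reply))
    return transcript, dsn_targets

# Constructed session with a forged envelope sender (example.net is a bystander).
SPAM_SESSION = ["HELO relay.invalid", "MAIL FROM:<bystander@example.net>",
                "RCPT TO:<nosuchuser@example.org>", "DATA",
                "Subject: offer", "", "buy now", ".", "QUIT"]
for mode in (True, False):
    print("reject_in_session =", mode, "-> DSNs to:", smtp_session(SPAM_SESSION, mode)[1])
```

With in-session rejection no notification is ever mailed; with accept-then-bounce the only address that hears about the failure is the forged sender.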

One pay-off, however, is that it makes the creation of spam-traps easy:

HOW TO MAKE A SPAM-TRAP

  • Take an old account that gets too much spam, set up an auto-reply saying “this person has moved to (spam-protected)” (although probably using a less machine-readable address format).
  • 3 months later, delete the account so it bounces with ‘user unknown’. That should clear out all the well-behaved mailing lists.
  • 6 months later, redirect it to yourself and monitor it, to catch the badly-behaved legitimate bulk mailers who do not handle bounces correctly (yes, there’s a few of these, unfortunately.)

  • 1 month after that, set up an alias that runs “spamassassin -r”. Install Razor, DCC and Pyzor. Set up a Razor account. Fix the old account’s addresses so they forward to this alias. Also worth piping it to the Blitzed.org OPM checker.

Hey presto, there’s your spam trap!
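For the monitoring step, a small triage script helps separate bulk mailers that ignored the bounces from plain unsolicited mail before anything is forwarded to the reporting alias. This is an added example, not part of the original post: the sample messages are constructed, and treating `List-Id`, `List-Unsubscribe` and `Precedence` as signs of a bulk mailer is an assumed heuristic (those headers are sender-controlled, so the output is a hint for manual review).

```python
# Added example: triage of mail arriving at the trap during the monitoring phase.
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

LIST_HEADERS = ("List-Id", "List-Unsubscribe")  # RFC 2919 / RFC 2369

def triage(raw_message):
    """Return (category, source) for one raw message sent to the trap."""
    msg = message_from_string(raw_message)
    precedence = (msg.get("Precedence") or "").strip().lower()
    is_list = any(msg.get(h) for h in LIST_HEADERS) or precedence in ("bulk", "list")
    # Prefer the list identity; fall back to the (unverified) From domain.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    source = (msg.get("List-Id") or from_domain).strip()
    return ("bulk-mailer" if is_list else "unsolicited"), source

def summarize(raw_messages):
    """Count trap hits per (category, source) so repeat senders stand out."""
    return Counter(triage(m) for m in raw_messages)

# Constructed sample messages.
SAMPLES = [
    "From: News <news@lists.example.com>\n"
    "List-Id: <weekly.lists.example.com>\n"
    "List-Unsubscribe: <mailto:leave@lists.example.com>\n"
    "Subject: Issue 42\n\nhello\n",
    'From: "Deals" <x91@example.net>\nSubject: offer\n\nbuy now\n',
]

if __name__ == "__main__":
    for (category, source), hits in summarize(SAMPLES).items():
        print(f"{hits:3d}  {category:12s} {source}")
```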