Richi'Blog
Stuff 'n' nonsense about email, spam, travel, and life in the UK.

Friday, May 15, 2009

FAQ: Suffering Backscatter

Dear Richi, I have about 20-30 returned emails from some entity/person who is somehow using my domain to send out bulk email. How is that even possible?

Sadly, it's trivial for a spammer to forge your address. It's not your Web host's fault.

Some badly configured email servers auto-reply to spam. That's what you're seeing.

If you want to complain to anyone, complain to the people running the servers who are auto-replying to you. Here's a template complaint I've used before...

Hello. You are sending spam to me by bouncing spam to an unrelated person. I did not send the spam to your server: spammers forge the message sender. Hence, your reply goes to an innocent third party.

Perhaps you sent an unsolicited bounce because your mail server is incorrectly configured. Please don't do that. You should *reject* during the SMTP conversation, not *bounce* after accepting the spam message. It is not necessary for your MTA to send a non-delivery DSN -- you should reject at the point of SMTP RCPT with a 553 error or equivalent.

Or perhaps you're auto-replying to spam. Presumably you filter spam before delivering inbound email. In which case, this reply shows that spam is getting through those filters.

It's bad practice to accept a message for a non-existent user. If you accept and then bounce, you're sending spam. For more information, please see http://www.spamcop.net/fom-serve/cache/329.html

If this was an isolated error, there's no need to be concerned that you will be blacklisted as a spam source. It usually takes several complaints to illustrate a pattern of email abuse.

However, I urge you to correctly configure your mail servers.

More info at an old post of mine: I Got 25,000 Spam Messages in Two Days!
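
The difference between rejecting at RCPT and accepting then bouncing, as an added example (not part of the original post): a simplified Python model of an inbound SMTP session. The addresses are constructed, `smtp_session` is a hypothetical name, and the real 354/250 DATA exchange is collapsed into one step.

```python
# Simplified model of an inbound SMTP session (not a real MTA).
VALID_USERS = {"alice@example.org"}  # constructed local mailbox list

def smtp_session(commands, reject_at_rcpt):
    """Return (replies to the connecting host, DSNs queued for sending)."""
    replies, dsns = [], []
    sender, accepted = "", []
    for line in commands:
        verb, _, arg = line.partition(":")
        addr = arg.strip("<> ").lower()
        if verb.upper() == "MAIL FROM":
            sender, accepted = addr, []   # envelope sender: trivially forged
            replies.append("250 OK")
        elif verb.upper() == "RCPT TO":
            if reject_at_rcpt and addr not in VALID_USERS:
                # Refuse while the sending host is still connected: the
                # failure is its problem and no new message is created.
                replies.append("553 <%s> no such user" % addr)
            else:
                accepted.append(addr)
                replies.append("250 OK")
        elif verb.upper() == "DATA":
            if not accepted:
                replies.append("554 no valid recipients")
                continue
            replies.append("250 queued")
            for rcpt in accepted:
                # Accepted, then found undeliverable: the bounce goes to
                # whatever address the envelope claimed (never to "<>").
                if rcpt not in VALID_USERS and sender:
                    dsns.append({"mail_from": "<>", "rcpt_to": sender,
                                 "about": rcpt})
    return replies, dsns

# Constructed spam delivery: forged sender, non-existent recipient.
SPAM = ["MAIL FROM:<victim@innocent.example>",
        "RCPT TO:<nosuchuser@example.org>",
        "DATA"]

if __name__ == "__main__":
    for mode in (False, True):
        replies, dsns = smtp_session(SPAM, reject_at_rcpt=mode)
        print("reject_at_rcpt=%s" % mode, replies, "backscatter:", dsns)
```

With `reject_at_rcpt=False` the server queues one DSN addressed to the forged sender, which is the backscatter the reader is receiving; with `True` it queues none.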


Saturday, May 02, 2009

CNN: carbon footprint of spam

Finally, I have the CNN footage.

Amusingly, they mixed up the captions, so Woody got my title...




Wednesday, April 29, 2009

A "Monster" Spammer (NYSE:MWW)

Update May 1 3.30 UTC: several listwashing requests.

Dear Monster.com (NYSE:MWW),

You are spamming me. Stop it. Please.

You're sending marketing email to an address that has never given informed consent to receive it.

Not only that, but you're even breaking the spirit, if not the letter, of the U.S. CAN-SPAM Act. While your unwelcome missive does include the prescribed physical address and unsubscribe link, they are displayed in white text on a white background.

Yes, really. (I dare say they'd be more visible if my email client displayed HTML images by default, but like many clients, it doesn't.)

Naturally, it's also in violation of the law in which your UK subsidiary operates. There was no "prior consent" given, within the meaning of the Privacy and Electronic Communications (EC Directive) Regulations 2003. Offenders are liable to a fine of up to £5,000 in a magistrate's court, or an unlimited fine if the trial is before a jury.

Update May 1 3.30 UTC:
I've received a couple of email messages and a Twitter DM from Monster, expressing apologies for the situation. Sadly, these expressions of regret don't extend to actually fixing the spam problem; they appear to be an attempt to listwash.

Sorry, Monster; listwashing is bad practice. My standard operating procedure is to never unsubscribe from a list that I did not subscribe to.

If Monster wishes to solve this problem, it would stop sending email to addresses of people who did not subscribe. I'm open to a public dialogue on this subject: feel free to tweet or comment here, rather than privately emailing or DM'ing.


Today's Tweets

  • 07:32 The swines! Flu panic blamed on Twitter and blogs ping.fm/D7j7T #itblogwatch #swineflu Voices of reason drowned by twits
  • 08:00 @djtechnocrat Yes, but it was always thus. Twitter makes the whole thing grow faster, whipping ignorance into a huge frenzy. #swineflu
  • 08:56 I'll be at Infosec on Thursday afternoon only. Currently available for briefings 1.45pm-4pm.
  • 11:48 @hprice Loudmouth workers leaking data through social networking sites tinyurl.com/d4p7uc
  • 11:50 Planning to keynote at Inbox/Outbox in mid-June. inbox-outbox.com
  • 12:11 @hprice LOL
Thanks: LoudTwitter

Monday, April 27, 2009

Today's Tweets

  • 07:54 @markwu Dropbox isn't a backup tool; Mozy is. They solve different problems. richi.co.uk/mozy
  • 09:26 RT @fdestin Suddenly reminded of ... cartoon: "I used to tweet but I went back to pointless incessant barking" -- bit.ly/ZHfy9
  • 12:59 @haiyo Dropbox isn't a backup tool; Mozy is. They solve different problems. richi.co.uk/mozy
  • 13:55 @haiyo Yes but DropBox doesn't do versioning and recovering deleted files. As for your mozy problems, let @Mozy know. He's good; he'll help.
  • 14:02 @hprice "piqued" ;-)
  • 14:43 RT @AllenHarkleroad Debt collector threat over BT bill for £0.00 ($0.00) tinyurl.com/djrs3h
Thanks: LoudTwitter

Sunday, April 26, 2009

Today's Tweets

  • 20:33 Some thoughts about vendors I met at the RSA Conference ping.fm/IVfZw
  • 20:39 @LivingInHD Pretty happy with my Viera 50PZ80B plasma, but surprised how poor the blacks are. Quite a lot of light when screen is "black".
  • 20:44 @berkmancenter Thanks for the linkluv
  • 23:35 @mengwong thanks /LogicQcwLogiQ^[ZZ
  • 08:17 WANT: Smart Fourtwo powered by Tesla EV drivetrain ping.fm/bfcKM Hey aftermarket peeps, how about a conversion kit?
  • 11:21 RT @AllenHarkleroad To Tweet or to Re-Tweet that is the question....
  • 11:31 @travelingcircus Hi. Interested in what people are saying about spam (not to mention @spam)
  • 11:39 @awaken319 No need to be a euro-hater. Of course, some European countries are worse than others.
  • 11:39 @signatureladyj I only know enough to be dangerous ;-)
  • 18:45 @hprice Try @Thepeoplefinder for that task
  • 18:52 @hlslaughter I did a test disaster-recovery of about 185GB. It averaged 500KB/s (would have been faster, but for my 6Mbps DSL).
  • 18:55 @mozy do you think that @dornquast is being fair? e.g., twitter.com/dornquast/status/1616523717
Thanks: LoudTwitter

Friday, April 24, 2009

BoxSentry Ditches Challenge/Response; Fights False Positives

Update Apr 25 6.30am UTC: fix name of product (thanks, Meng)

Singapore-based BoxSentry has historically been known as a challenge/response spam filter vendor. Readers will probably be aware that I'm no fan of C/R.

As time goes by, BoxSentry has gradually de-emphasized C/R, but until recently it was still sending challenges for a small but significant proportion of the spam it received -- and hence was sending unsolicited "replies" to people who had never sent email to the BoxSentry user.

Manish Goel, BoxSentry's CEO, confirmed to me that his company no longer uses C/R. That's great news for Internet users. Well done, Manish; I know that I and others have been thorns in your side for a while about this; I appreciate your good humour in our occasional, heated debates!


Manish also brought other news. While beefing up their technology base -- in part to compensate for the loss of the C/R layer -- the company has developed new techniques to better identify false positives.

BoxSentry has wrapped the new techniques in a product it's calling LogiQ. The idea is that it can run alongside a traditional spam filter and automatically retrieve any false positives it finds.

As an illustration, Manish offered a "typical" example: over the test period, a deployed spam filter from one of the well-known vendors delivered 11,500 legitimate messages, but LogiQ found an additional 680 false positives in the filter's quarantine. That's a roughly average false positive rate, in my experience. Not exactly the state-of-the-art, but pretty representative of deployed spam filters. It might equate to one false positive every week per user.

Manish says that 100% of the false positives identified with these new techniques really are false positives -- although they may not catch all of them.

A bold claim; I'm looking forward to digging into the details of the techniques under NDA...

