I bounce (unless it's been spoofed with my own domain). I also realize that most of the time the addresses aren't valid. Yes I do it anyway. It generates a slightly higher amount of satisfaction than just deleting them.

It generates a slightly higher amount of satisfaction than just deleting them.

Doubling the amount of spam in circulation generates satisfaction for you? Are you sure you have thought this through carefully?

Since I'm not the only one in the world getting SPAM, bouncing the SPAM sent to me certainly doesn't anywhere near double the amount of SPAM in the world.

Hi,

In some cases you are simply signalling to SPAMmers that they have some sort of valid (or near-valid) address. Dump SPAM, don't bounce it, however tempting.

In the case of faked From: addresses you are probably hurting an innocent 3rd party (eg me) and their mail machine, not a SPAMmer at all.

Rgds

Damon

To bird: Do you bounce spam? I'm genuinely looking to find out if it's a good idea to continue doing so. It seems to work for me, but has there been any real proof that it's actually detrimental?

Hi,

As a recipient of a fair amount of bounced SPAM using my domains in faked From: headers I can tell you that it IS detrimental, especially when accompanied by anguished-but-dim calls from all over Europe asking me to stop doing whatever scam it is that I have no idea about being done in my name with my email address.

Drop SPAM in the bit bucket: don't attempt to retaliate, because if *anyone* is hurt it won't be a SPAMmer.

Rgds

Damon

In some cases you are simply signalling to SPAMmers that they have some sort of valid (or near-valid) address.

No- the whole point of bouncing a message is to send a "not a valid address" message. If the originating e-mail address was valid (and the SPAMmer's), not getting a bounced message is an indication of a valid e-mail address, which almost guarantees your e-mail will be listed as a verified address and sold to yet more SPAM lists.

barns: I, too, use Mailwasher. Don't bother bouncing. Data, shamta, not worth your trouble, delete it, put it behind you. Look for patterns to put in your filters/blacklist, that's a fun challenge, but bouncing? Move on.

the whole point of bouncing a message is to send a "not a valid address" message. If the originating e-mail address was valid (and the SPAMmer's), not getting a bounced message is an indication of a valid e-mail address, which almost guarantees your e-mail will be listed as a verified address and sold to yet more SPAM lists.

That's been my rationale behind bouncing the spam.

If, as a number of replies have advised, simply delete spam instead of bouncing it, what can we do to alleviate spam? Surely my inbox will start filling up with greater number of spam as my email address stops resulting in bounced emails?

I never bounce SPAM messages, but reject them in the SMTP session. When I don't want to receive a message I respond with a 4xx or 5xx SMTP error code. This error code is going directly to the sending SMTP machine (most of the time the spammer or an infected computer acting on behalf of the spammer) so I don't fill the inbox of innocent people whose email address happens to be spoofed as the sender.

I have seen some improvements with this approach in the SPAM rate to my accounts. The more intelligent spam software seems to recognize the 4xx en 5xx error codes and eventually removes my email addresses from the list.

Rejecting with an SMTP errorcode instead of bouncing to the (spoofed) sending address is also the preferred method mentioned in RFC2505 [ietf.org], which gives recommendation how to deal with email spam.

Rejecting based on SPAM content is only the last in my chain of protection.

• The IP address from a sending server is first checked against my own whitelist. If the IP is in that list, it is accepted and only screened in the last step by Spamassassin.
• If the IP address is not in my whitelist, my email server rejects the incomming connection if there is no reverse DNS for the IP.
• Then it blocks emails from IP addresses that are listed in some major DNS block lists.
• The next line of defence is my own blocklist of IP addresses that are a spam source for my specific email addresses, but that for some reason don't appear in the major block lists.
• The remaining few percent, and the messages from whitelisted IPs, are screened by Bayesian filter techniques in Spamassassin. This filter distributes the messages between my normal inboxes and a spam inbox. All messages in the spam inbox are checked by me in case Spamassassin made the wrong decision.

Rejecting instead of bouncing also has the advantage that your email server is not overloaded. A simple DNS lookup rejects the largest part of the incomming SPAM before the message body is uploaded. The resource intensive content filter techniques of Spamassassin are therefore only used for a small fraction of the incomming messages.

I prefer sending a 4xx temporary error. Most SPAM software stops trying after one or two retries, but legitimate SMTP servers will try for one day or longer when they receive a 4xx temporary error. This gives me the ability to add a legitimate SMTP server to my whitelist in case it was accidentaly blocked.

To bird: Do you bounce spam?

In most cases, no. Pretty much all spam uses fake sender addresses nowadays, so that bouncing does nothing but generate yet another unwanted message to an otherwise uninvolved third party.

If everybody bounced spam, then that would indeed double the number of unwanted messages out there. Just because most other people don't is no excuse.

the whole point of bouncing a message is to send a "not a valid address" message.

This is only the case when your SMTP server refuses to accept the message in the first place, which isn't technically bouncing. As soon as your system has accepted the message, the only correct action is to drop it silently. Sending a post-SMTP bounce doesn't say "invalid address", it says "filtered address where it might be worth trying to trick the filter". No spammer will stop sending spam to an address returning such bounces.

lammert, thank you for the detailed reply, it's certainly food for thought.

Am I correct in thinking that it's only possible to check the To: address, From: address and sender IP when deciding whether to reject the email? If you want to check the content you must accept the email and then bounce it if required?

I see a lot of spam emails where the sender email address is different from the return-path address. OK so the sender address is fake, as all probably agree on that point. But could the return-path pick up on bounced and remove them from spam lists? If not, why not just use the faked sender address as the return-path?

[edited by: barns101 at 10:48 pm (utc) on Sep. 13, 2006]

As a recipient of a fair amount of bounced SPAM using my domains in faked From: headers I can tell you that it IS detrimental, especially when accompanied by anguished-but-dim calls from all over Europe asking me to stop doing whatever scam it is that I have no idea about being done in my name with my email address.

DamonHD, have you tried to setup SPF records? I have fairly restrictive SPF records in place for most of my domains and judging on the small number of bounces I receive compared to a year ago I assume that it helps somewhere in the process. Maybe spammers avoid From: addresses from domains with a strict SPF record, or maybe bounces to these domains are not sent by some email software because they can determine from the SPF record and sending IP address that the From: address was spoofed.

For example: I send emails from only a few domains. The other domains are either sleeping, or setup as receive only. For these non-sending domains I use the SPF record "v=spf1 -all" which tells that I never ever send emails from these domains.

Am I correct in thinking that it's only possible to check the To: address, From: address and sender IP when deciding whether to reject the email? If you want to check the content you must accept the email and then bounce it if required?

In most situations this is the case. The SMTP standard allows you to reject a message during the whole process of accepting it, also when the message body is comming in. Unfortunately most mail server software is not flexible enough to filter during the data acceptance session. They can only filter during the connection setup, based on IP, From and To, or afterwards when the connection is closed and the message is already in the local delivery queue.

This is also in my setup. Spamassassin is called when the message is totally accepted and in the delivery queue waiting for delivery to the mailbox. My filtering at the door already blocks so many incomming mails that I have no problem with that. The filtering based on IP and non-existent To: addresses stops at least 90% if the incomming messages in my situation. The remaining 10% is just a handful and not a real waste of time. But I am talking of 200 SPAM messages per day of which a maximum of 20 reach Spamassassin. These are luxery figures compared to the flood of SPAM others have to process. In those cases looking for an MTA which is capable to do real-time content filtering while the SMTP connection is still alive and the message has not been received totally yet can be a real advantage.

Thanks to everyone that has replied. I appreciate the comments and am looking forward to furthering my knowledge of how email delivery works.

Just as a reminder, I'm asking specifically about bouncing after email has been delivered, as I don't currently run my own email server (I just have POP3 mailboxes).

Hi lammert,

Yes, the 10,000+ SPAM attempts per day is inspite of my having SPF records!

Actually, for a while I had to have my main mail server behind a custom-written reverse SMTP proxy that, in addition to the steps you listed, greylisted for a while any incoming connection from a new SMTP server that I had not seen before/recently, and tarpitted egregious SPAMmers too.

The greylisting was to allow time for a newly-compromised machine (if that is what it was) to find its way into a DNS BL.

The tarpitting gave me a nice warm feeling inside, and is about the only legitimate way to respond to SPAMmers and marginally reduce their ability to send SPAM elsewhere.

Currently, after an upgrade to Solaris 10, I am finding sendmail with just two filtering rules (a DNS BL and checking for reverse lookup) to be fairly tolerable without my reverse proxy.

Rgds

Damon

Yes, blocking based on a DNS BL and reverse IP lookup seems a good first line defence, better than in the past actually. I think this is because in the past spammers used mainly badly configured open SMTP servers. Most of the regular SMTP servers have correct reverse DNS records.

Nowadays most regular SMTP servers are protected against abuse and spammers have moved their activities to infected user PCs. These infected PCs have often no reverse DNS record, or their DNS record easily identifies that they are not a regular mail server. I block for example all SMTP requests from dynamic.*.isp.tld and dialup.*.isp.tld for some larger ISPs. The chances that a genuine SMTP server is located behind a dynamic IP address or dialup connection are very small.

don't bounce, for the love of god don't bounce.

I have received thousands of bounced SPAM. I did not send them. I have no reason to pay for someone bothering someone else I don't know.

Real recipients put real from emails. Spamers don't, you will only be hurting the inocent.

I used to bounce. Then I started getting inundated with bounced bounce messages, since my bounce was bouncing to a non-existent address. I finally gave up on it. I have a fairly "clean" e-mail address (e.g., it's never been published online) so the amount of spam I get is minimal compared with a lot of people - somewhere around ten or twenty per day.

I also highly dislike receiving the bounce messages that other people send after receiving spam purporting to be from my domain...