Many ways to train them not to do so anymore.

Did they left a 'toll free' phone number? (Please dont post it in public, if they where stupid enough to do so...)

I got this vigilante phone dialer gizmo handy... I guess, in some cases, the phone company bills can be a serious deterant to SPAM. <evil grin>:)</evil grin>

I've been getting these on various domains for a long time. I havn't found anything that can be done about them.

For the domains most affected, I either disable catch-all email addresses, or use procmail to filter out bounces. I put a note making clear I have nothing to do with them on the site in question where possible, and I bring them to the attention of my hosting company (in case they get misdirected spam complaints).

In most cases, they're sent by hijacked windows machines on broadband connections without the owners being aware. Generally the spam messages don't have phone numbers, just a link to a website which more often than not is not longer active (making the spam utterly pointless). Usually the registation addresses are in China or Korea (although that's just a front to make tracing harder).

It's extremely annoying but as far as I can see there is simply nothing that can be done at all. All the "reply addresses" are totally random (non-existant) names at random domains, sometimes thousands of different reply addresses in a day, if they pick your domain there is no solution. It's killing email.

> disable catch-all email addresses

You should only use the catch-all if you have very good reasons to do so. I disabled it long time ago. I got rid of those bounces to fake addresses. I got rid of some spam. And there is no backside to it. If people want to contact me there are easy procedures to follow. People who write to non-existant addresses like webmaster@mydomain.dk, info@mydomain.dk etc. deserve nothing better than having their messages bounced.

You should only use the catch-all if you have very good reasons to do so

I don't use catch-alls on most domains (for exactly the same reasons as you), but one of the domains affected more recently was a personal domain, where I use unique addresses like theothercompany@mydomain.com to keep track of where the addresses are sold (and to disable addresses that are leaked too widely).

However, regardless of whether or not we actually see the bounces, they still help slow down the mailserver (sometimes thousands of messages a day) and make any addresses that happen to match the random addresses chosen unusable.

Much more importantly, they defame the domain to thousands of people every day, giving the majority of them (and even some anti-spam programs) the impression the domain is sending the spam. It's this defamation that is much more of a problem and concern than the technical stuff of minimising what I see, and it's the part where I can't see a real-world solution.

I've had similar experiences. Right now someone is using my personal e-mail address as the reply to for some disgusting spam.

There's really nothing I can do about it directly.

What I did do was start digitally signing all my e-mails. I tell people that if there's no signature, or the signature is invalid then the e-mail is NOT from me. To me that seems the best I can do.

Sadly I am getting hundreds of bounced e-mails every day and more than a few complaints from people.

SpamCop blacklisted my domain at one point. I explained to them about my digital signature, included a letter of support from my network administrator, and they released me from their blacklist.

Your points are very valid. Perhaps I should consider myself lucky. The messages that were bounced to fake addresses on my domains and were part of my reason for disabling the catch-all were not spam but "only" viruses. And there were few of them. I guess that sometimes it's an advantage to have an obscure domain in a small country.