TELECOM Digest OnLine - Sorted: Re: Trial Shows How Spammers Operate


Re: Trial Shows How Spammers Operate


Dan Lanciani (ddl@danlan.com)
Sun, 21 Nov 2004 23:23:34 EST

bonomi@host122.r-bonomi.com (Robert Bonomi) wrote:

> In article <telecom23.559.11@telecom-digest.org>, Dan Lanciani
> <ddl@danlan.com> wrote:

>> Obviously. But why should I care? The point of the response is to
>> tell people who were neither sending spam nor forging their address
>> that their mail has been incorrectly identified as spam. Note that I
>> do not include the body of the original message in my automated
>> response, so you can't use my filter to reflect spam to a third party.

> Suppose *your* email address got forged as the sender on spam that
> went to 100,000 people using a similar system.

My email addresses are frequently forged as from addresses for spam
and various trojan horse programs. The automatically generated
responses to those messages make up a lot of my junk mail. The
difference between those "similar" systems and my system is that the
operators of those systems are not considerate enough to rate-limit
the responses to one per several months. Yet I do not condemn them
for this oversight.

> Guess what happens to _your_ mailbox.

Yes, let's guess. Or rather, let's compare the two scenarios. If
nobody were using a system similar to mine then my mailbox would see
at a minimum a bounce message for each bad address on the list of
100,000 people. You may try to argue that spammers--being far more
considerate of the innocent user whose from address they forged than I
am--would carefully vet the list to minimize the bounces. But
everybody who has received the bounces resulting from these forgeries
knows that this is not the case. And even if the target address is
good, it may well be set up to reject unknown from addresses.

If every target system involved *were* running something like my
filter then my mailbox would see at most one spam warning message from
each *system* involved, regardless of the number of target addresses
on that system. You may argue that spammers don't send to multiple
accounts on the same system and -- even though anyone who has cleaned
up the aftermath of having their address used in such a forgery knows
that this argument is not generally valid -- I'll give it to you. So
in the worst case my mailbox will see 100,000 spam warning messages.
But guess what? Cleaning up 100,000 spam warning messages rather than
10,000 bounces (assuming a conservative 10% bounce rate) really
doesn't involve a significantly greater effort. Beyond a certain
threshold it comes down to removing the whole file, possibly after
grepping for a few important keywords.

On the other hand, in the best case (and a case that I expect would be
much more typical) all 100,000 destination addresses may be @aol.com,
so I'll get but one warning regardless of the good/bad address ratio.
I like the odds.

> But, "why should those people care?"

They should *not* care. I encourage everyone to do something similar
to what I am doing. This is not a prisoner's dilemma or a tragedy of
the commons. The only downside to any individual of others doing the
same thing is a greater incentive for spammers to look for ways around
the specific filter, but that is a second order effect. And in any
case the actual filters don't have to be the same, just the general
operation.

> *You* don't care about being part of doing it to them.

What I'm doing is not part of the problem; it is part of the solution.
Consider what would happen if everybody implemented a system similar
to mine. There might (or might not, depending on arguable statistics
about how well the addresses are coalesced per system) be more warning
messages for people to read. But getting people to read warning
messages does not benefit spammers. Spammers need people to read
*their* messages. If nobody reads their messages then they will go
away.

Of course, it may be hard to accept that a solution that helps in the
long term also provides tangible advantages to its users in the short
term. We've been hearing for years about strategic initiatives to
fight spam by punishing the owners of open relays and causing
collateral damage to residents of spam-friendly ISPs. It all sounds
very clever and political, but the spam just keeps increasing. (You
may claim that the problem would be even worse were it not for these
strategic initiatives; I really don't know.) I'm tired of waiting, so
I opt for a more direct approach.

> If all the spam had *invalid* addresses, it wouldn't be an
> issue. But, it is _very_ common for the forged address to belong to a
> _real_person_ who had *nothing*to*do* with the spam.

> You *are* spamming _their_ mailbox.

Nonsense. You are re-defining "spamming" to suit your goal of
shifting blame from the spammers to those who do not wish to read
their spam.

>>> Occasionally I see messages like that and they are treated
>>> like spam, since they have nothing to do with me and responding to
>>> them is useless. They go to /dev/null. Until it's full.

>> That works only if you have time to look at all the messages. I
>> don't.

(I see you declined to disclose a working solution here or in the
initial part of my message where I asked for an alternative. How
about proposing a solution that does not involve reading the spam as
its senders desire and that does not involve dropping what might not
be spam on the floor without a response.)

>>> Since spammers never use a real From: address replying by mail is
>>> useless.

>> It is extremely useful for my purposes; it just may not happen to also
>> do what you (said you) want. :)

> Yeah, you mail-bomb *innocent* parties whose address was used
> _without_their_permission_ as the sender.

So you consider sending a single warning message in response to a
received message to constitute mail-bombing? Again, I think you are
using a very strained definition in an attempt to shift blame from the
responsible parties to the victims. Do you also consider an error
response for a non-existent target address to constitute mail-bombing?
What about a response that the recipient is not accepting mail from
the sender (as is popular with AOL)?

>> My machine doesn't look like a relay and they are not trying to use it
>> as a relay. They are sending to long lists of (invalid) *local*
>> addresses.

> It's called a 'dictionary' attack.

No kidding. The question is why they are doing it to my machine. I
suppose it's possible that they do it to any port 25 to which they can
connect, but I'm not convinced.

Anyway, feel free to have the last word. I realize that this is
basically a religious argument that could carry on indefinitely, so
I'll bow out.

Dan Lanciani
ddl@danlan.*com

[TELECOM Digest Editor's Note: The same thing could be said of me, I
guess. I have an autoreply here at telecom I sent out to everyone who
writes to anyone@telecom-digest.org or ptownson@massis.lcs.mit.edu
which serves three purposes. If you are a good person, writing here to
ask a question of the readers, comment on what others said, (or quite
often, sass at me) that's fine. The second purpose is if you spammed,
but are trainable, like most cats and many dogs to use a litter pan or
a newspaper, then it tells you we are not interested in buying
anything. The third purpose of the autoack is if you did not write any
letter at all, to let you know someone has borrowed your name or your
port 25 or whatever, so you can make adjustments as needed. PAT]
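The rate-limited warning responder Dan describes (at most one notice per forged From: address per several months, no original body echoed back, so a dictionary run against thousands of local mailboxes yields a single notice) as an added illustration, not code from the poster or from TELECOM Digest; the class and the simulation scenario, the 90-day window and the addresses used are constructed for this example:

```python
from __future__ import annotations
from email.utils import parseaddr
from datetime import datetime, timedelta

WINDOW = timedelta(days=90)  # "one per several months", as the post describes


class FlagNotifier:
    """Decides whether a 'your mail was classified as spam' notice goes out.

    Keyed on the normalized From: address, so a dictionary attack that hits
    thousands of local addresses still produces at most one notice per WINDOW.
    The notice never carries the original body, so it cannot relay spam content.
    """

    def __init__(self, window: timedelta = WINDOW) -> None:
        self.window = window
        self.last_sent: dict[str, datetime] = {}

    @staticmethod
    def normalize(from_header: str) -> str | None:
        """Lower-case the domain part; None for an empty or unparsable sender."""
        _, addr = parseaddr(from_header)
        if "@" not in addr:
            return None  # nothing to notify (null sender, garbage header)
        local, domain = addr.rsplit("@", 1)
        return f"{local}@{domain.lower()}"

    def consider(self, from_header: str, subject: str, now: datetime) -> str | None:
        """Return the notice text to send, or None if suppressed by the rate limit."""
        key = self.normalize(from_header)
        if key is None:
            return None
        last = self.last_sent.get(key)
        if last is not None and now - last < self.window:
            return None  # this sender was already warned within the window
        self.last_sent[key] = now
        # Only the subject and date are quoted; the body is deliberately omitted.
        return (f"To: {key}\nSubject: Mail from you was classified as spam here\n\n"
                f"A message claiming to be from {key} with subject {subject!r} "
                f"was rejected as spam on {now:%Y-%m-%d}. If you did not send it, "
                f"your address was forged.")


def simulate(n_targets: int, run_days: tuple[int, ...]) -> int:
    """Constructed scenario: on each day in run_days, one forged sender hits
    n_targets local mailboxes; returns how many notices the forged sender gets."""
    notifier, t0, sent = FlagNotifier(), datetime(2004, 11, 21), 0
    for day in run_days:
        for i in range(n_targets):
            when = t0 + timedelta(days=day, seconds=i)
            if notifier.consider("victim@example.com", "cheap meds", when):
                sent += 1
    return sent
```

With the window in force, 100,000 forged messages in one day cost the forged party a single notice; a second run a day later is suppressed, and only a run past the window triggers another.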
