Hi,
I am a Sponsor of an Internet University. She motivates and train for sucess. She also pays $20 for each student you enrol as a “BASIC MEMBER”;while as a “PREMIUM MEMBER” you recieve double ($40 ) per each student you enrol. All you have to do is to ADD our Link to your website.

We’ve seen your website at
http://www.rickconner.net/
spamweb/spam_nigerian_cc.html
and we love it!

We see that your traffic rank is 689476
and your link popularity is 76.
Also, you have been online since 9/20/2002.

Please contact me at:
afaniran$comui.edu.ng (address munged)

Thank you.

(name removed)

+234(Nigerian phone number removed)

I have a few questions for afaniran, but as a rule I don’t respond directly to e-mail from criminals. So, perhaps he (or she) will discover this posting and leave a comment for us.

1. Why is your university female? Most universities I know are gender-neutral.
2. What is the link I’m supposed to add? You forgot to provide it. Oh, I guess I’m supposed to respond via the e-mail address you provided — but this address was issued by another university that appears to be in competition with yours (and may not be either female or internet-based). Just so that there’s no confusion on the point, I’ve notified the postmaster that you are using this address, and sent along a copy of your message for appropriate handling.
3. I’m glad you all loved my website. How closely did you actually read it? Closely enough, it seems, to decide that someone who publishes warnings about stupid Nigerian con-artists would be a willing participant in your own scheme.
4. Thank you for providing my page rank info. I guess this is supposed to convey to me that you are smart enough to look such things up. I also guess I’m somehow supposed to care about this information. I don’t.
5. Thank you also for scraping my contact address from domain-WHOIS to use for commercial offers (which is in violation of ICANN policy, as well as the policies of my own registrar). You could have used the actual address I provided on the site to contact me, but I suppose that this did not occur to you.

Occasionally, I get waves of messages purporting to be from young foreign women seeking simple friendship or romance. Here’s a typical example:

Hello I am a single 26 girl. I recently moved and I saw your post looking for new friends. Lets Chat and I will send a Picture right away. Write me at Francis446@SuperGolovaWorld.com

Such messages are come-ons for a form of advance-fee fraud; the party at the other end of this address is likely to be a hard-boiled con artist who will attempt to string the victim along with false promises and high-powered emotional manipulation, and then at the right moment put the bite on for money (to buy plane tickets for a promised rendezvous, fix medical or personal problems, etc.). Sadly, these scams do work; I’ve received appeals for help from sad and humiliated victims who’ve been stung in this way.

While most spammers have absolutely no interest in hearing back from you (except to place orders at their websites), many e-mail fraudsters do depend upon getting replies via e-mail in order to identify suckers who can be fleeced. That’s why we can dispense in such cases with the standard advice to ignore e-mail addresses in spam; in fact, it is quite appropriate to report abuse of e-mail addresses that the fraudster uses to collect replies from recipients. This isn’t always easy to do, however.

Quite often, e-mail fraudsters will use freemail services (e.g., from Yahoo, Hotmail, or less-well-known providers) to collect their replies, and such addresses are not difficult to report. In some cases, however, the scammers set up their own “private” mail services that are used exclusively for their fraud (so that they can control their own incoming mail, largely unmolested by providers). For example, the case above used such a “jackleg” mail service to the SuperGolovaWorld.com domain (since expired).

In order to report such abuse, we must (1) find out where (i.e., to which mail host) messages to the reply address will be sent, and (2) unearth the contacts to which abuse reports regarding this host can be sent.

Step 1: Identify the domain-part of the reply e-mail address. This is pretty easy; all you have to do is hack off the “@” sign and everthing to the left of it; what you will be left with is the domain part of the address. For example, for the (fictitious) address candi@crookmail.foo, the domain part is simply crookmail.foo.

Step 2: Find the mail exchanger(s) for this domain. You next need to know which specific hosts have been “blessed” as the collection point for mail entering the crookmail.foo domain; these are known as mail exchangers or MXs. Since all mail heading for crookmail.foo passes through one of these hosts, the “intake” of fresh victims can be halted if these MX hosts can be removed from the picture.

In order to find the MX hosts, you use a DNS lookup of type “MX” (e.g., nslookup -t MX crookmail.foo from a command window on Windows systems). I myself prefer to use the dig command (e.g., dig mx crookmail.foo) because dig tells me a bit more about the domain, and dig is available from my Mac OS X Terminal app (not usually the case with Windows systems). You may also be able to use web-based tools to run this query. See the links at the end of this post for more information.

A couple of notes here:

• Usually, a particular domain will be served by more than one MX (most providers of any size deploy multiple MX hosts for load-sharing and improved availability). More than likely, however, scammers of this sort will only have a single MX.
• Also, it is not necessary for the MX host to be in the same domain as the one it serves; that is, you might find something like mx.icheatu.foo as the MX for crookmail.foo.

If you can’t find an MX host at all, this means that it would be impossible for you to deliver any messages to this domain right now. This could mean that the scammer has already been dealt with, or it might just mean that the scammer’s DNS service is not working reliably. If you get no MX hosts in your query, you can retry the query some time later to see whether the situation changes; otherwise, you may be content simply to conclude that the operation is offline (and that you can stop work).

Step 3A: Get contact info for the IP addresses of the MX host. Now that you have one or more MX hosts for the scam operation, you need to find out where these MX hosts are on the public network, and to whom we can report abuse. For this step, we once again turn to DNS to get the IP addresses used by the MX hosts. For example, if the MX host is mx.icheatu.foo, then we can use a simple lookup (using, say, nslookup, host, or dig) to get its IP address.

If you can’t get an IP address for any of the MX hosts you’ve found (e.g., perhaps the domain doesn’t exist), then you can probably stop work and declare the scam mail system dead (unless you want to try again later).

If you do get an address, then your next step is to find out who controls this address, and where you can send abuse reports. You do this using an IP-WHOIS lookup (see the links at the bottom of this page). The WHOIS report should identify the netblock in which the address resides, the institution that controls the netblock, and various means of contacting this institution (including, usually, an e-mail contact for abuse reports).

Step 3B: Find the registrar who sold the domain for the MX hosts. You may not always want to send reports under your name to the kinds of small-potatoes providers who are usually associated with these scam operations. If you don’t, you can approach the problem from a different direction by reporting abuse of the domain in which the MX host resides. In our ongoing example, we would want to find the domain registrar that sold the icheatu.foo domain so that we could report criminal activity involving the MX host mx.icheatu.foo in this domain.

To find the registrar, simply identify the domain for the MX host (in this case, icheatu.foo) and do a domain-WHOIS lookup (again, see the links at bottom for help). The WHOIS report should identify the registrar who sold the domain, as well as contact information about the party who registered the domain. It is probably not worth your time to follow up on the latter information, since scammers generally do not supply correct contact information when they register their domains. The domain-registrar information, however, should be authentic.

Technically, domain registrars’ responsibilities are rather limited when it comes to mail abuse; however, both registrars and their customers are bound by their ICANN agreements to abide by local laws, and frauds of this sort are very much against the law everywhere. So, be sure to mention in your report that you suspect criminal fraud.

Step 4: Report the abuse. Send an e-mail to the contact addresses you have obtained in steps 3A and/or 3B. This e-mail should contain (1) the full raw text of the e-mail you received, including the headers, and (2) a statement indicating that the MX hosts you’ve identified are serving the reply address, and that they reside at the IP you found for them. You should request that the MX hosts be dealt with (by having their network services suspended, or by having their domains null-routed) so that they can no longer be used to perpetrate the scam.

What happens next? Once you have filed your report, the recipients may take action. Or, they may not. Or, you may have nailed the wrong parties with a misdirected report. You might get a personal response, but more than likely you will not.

Whatever the case, you have more than discharged your duty by reporting this particular problem, and you can then wash your hands of it and move on to the next one. Many novice spam-fighters feel the need to follow up every incident to the bitter end, but this can very quickly lead to burnout. It’s better to keep plugging away for a long time at what you can easily do, rather than give up and stop reporting altogether after a couple of weeks of frustration. There will be plenty more spams and scams in the years to come, we’ll need your help on those.

This question seems as though it ought to be easy to answer, and it can be, but it is a rather vague question, and many people aren’t sure what they mean when they ask it. A good first step in understanding the problem of unsolicited bulk e-mail is to come to grips with this question, and fortunately this does not require a great deal of technical expertise — you need only draw on a far more familiar communications medium that you probably already understand.

Where does a postal letter come from?

We can eliminate the annoying technical stuff from the problem by turning to the world of postal mail (which the world of e-mail resembles to a remarkable degree). To wit: suppose you get a letter from your Aunt, who is apparently on vacation in Europe. The letter is written on the stationery of the Hotel Splendide, and came in an envelope imprinted with the return address of that fine institution. Now: where did this letter come from?

• The person who wrote it? Obviously, you might snort, the letter came from your Aunt because she wrote it. Or, did she? It could have been someone else posing as your Aunt. Short of being able to detect forgery of her handwriting, can you really be sure?
• The location where it was written? The letter came on Hotel Splendide stationery, so we can figure that it was written there, right? Not really; perhaps your Aunt (assuming for the moment that she really is the author) might have written it in a café down the street, or she may even have “borrowed” the stationery from the four-star Splendide to hide the fact that she is really staying at the economy-minded Pension Flohensack around the corner. She might even have written it on her return flight, or back at home where postage is cheaper.
• The location where it was handed off to be mailed? Here again, we can’t be entirely sure about this; perhaps your Aunt gave it to the desk clerk at the Splendide to be mailed, or maybe she dropped it in a postal box at the end of the block (or even at the airport on her way out of town). It could even have fallen out of her purse while she was touring Zambezi Falls, whence some helpful stranger picked it up and dropped it in the box for her.

As you can see, we can poke quite a few holes in this seemingly simple affair if we examine it closely (and I could actually go even further with this hair-splitting). Of course, in most cases, you could simply assume that the message did come from your Aunt while she was staying at the Splendide — but what if this was the last word that you or anyone else had heard from her in some weeks? Perhaps she has been injured, kidnapped, or worse, and the matter now has to be turned over for police investigation. All of a sudden, all of these silly ifs, ands, and buts can become very significant indeed.

Fortunately, postal letters do have a piece of information that we can use to get a reliable, official fix on their origins. When mail is turned over to a post office, it will be stamped with a postmark that gives the location of the particular branch office, as well as a time and date. We can assume that this postmark is valid (or, at least, more likely to be valid than anything else on or inside the envelope). So, although we may not be able to learn much more from the letter (without the aid of fingerprint experts, handwriting analysts, or the like), we can now at least pinpoint (to within a few miles) the location where the letter was dropped off for delivery.

To sum up — if you believe that the letter really is from your Aunt, then you can probably rely upon the other information it contains. If the letter is suspect, however, nearly all of these details are also questionable as well, and you must be very careful not to draw any false conclusions from them. The only reliable information you may have immediately at hand is the “official” postmark applied by the post office.

Meanwhile, back to e-mail

Electronic mail poses the same kinds of forensic problems as do postal letters. If we believe that an e-mail message we receive has been sent by an honest correspondent, then we can assume that the various details associated with it (such as the return address) are valid; on the other hand, if we decide that the message is spam, we cannot trust most of these details and should not assume that they are correct.

And so, we ask again: where did that spam e-mail come from?

• From the “owner” of the return e-mail address it bears? Nope. The return addresses you see in e-mail are not used in the delivery of mail, so they simply have no use or relevance to the machines that send outgoing mail. They are only useful to the human recipient, to tell him who the message may be from, and to enable him to reply conveniently if he wishes. Since the spammer wants to deceive you as to his identity, and does not (in most cases) want to get e-mail replies from you, he has no need for valid return addresses so he does not provide them. Instead, he uses his bulk-mailing software to inject forged or stolen addresses into his messages.
• From the internet service associated with the return address? Again, no. We already described above how return address in spam are usually completely fictitious, so it follows that any particular parts of them will also be unreliable as well. So, if you get a spam that purports to be from “simon@cashhorse.foo,” you needn’t bother pursuing the matter with cashhorse.foo any more than you would with Simon himself.
• From the “network space” associated with that service? Not here, either. Recall that your Aunt can drop her letter to you into any mailbox in the world, and does not have to wait until she gets home to her own branch post office. LIkewise, we can send e-mails from many places (e.g., using wireless services in hotels or coffee shops) and we do not have to be anywhere close to our home or office internet setups to do so. We can use our return addresses even with such “away-from-home” mailing, because an e-mail address is not an absolute identifier or a geographic fix: it is simply a bit of information that tells the recipient how to respond to us if he wishes. If we don’t want the recipient to know who we are, and don’t want to hear back from him, then we can lie about our return addresses (as the spammers do).

You may have guessed by this point that e-mail messages have the equivalent of a postmark; in fact, they do, and it is located in portions of the message “header” that are normally not visible to the recipient. While spammers can (and do) manipulate and forge header information, there is one important item they cannot (as yet) tamper with: the IP address of the host that handed the message to your incoming mail service. Once we extract this address from the message (through rigorous analysis of the header), we can then determine the internet service responsible for operating the address, and can then send a report advising this service that the address has been used for spamming. This sort of reporting goes on millions of times per day, which is barely a drop in the bucket compared to the total volume of spam, but which does tend to keep the pressure on providers to fortify their networks against subversion by spammers.

And so, when you speak to a seasoned spam-fighter, this is most likely the answer you will get to your question: the spam message came from a specific host at a specific IP address, a host that was used (most likely indirectly and fraudulently) by a spammer. We cannot automatically derive very much additional information from the e-mail itself (because we have just declared it to be untrustworthy); we have to rely upon law-enforcement folks to track down the spammer using real-world detective work in addition to further cyber-world investigation.

What do autoresponders do?

Autoresponders are generally found at the heart of services like the following:

Vacation messages. These are probably the textbook example of the autoresponder. Suppose you are all set to sail on a six-week cruise, and you are leaving your laptop behind (and even gamely divesting yourself of your Crackberry). You don’t want your friends and business associates to think you are ignoring their incoming e-mails in the meantime, so you use the “vacation message” feature offered by your e-mail system — you simply compose a generic message explaining where you will be (or where you want people to think you will be) and when you will get back, and then press a button; from then on, every new incoming message will not only be posted to your inbox (as normal), but will also be immediately responded-to with the message you created.

Challenge/response spam filters. Many a frustrated e-mail user has turned his or her e-mail address over to a robot (one known as a challenge/response filter); the robot examines each incoming mail, and if it comes from an untrusted source (i.e., a stranger), the robot will send a response challenging the sender to prove that he is a real human being and not another robot (or a spammer). If the sender meets the challenge (typically by clicking on a web link embedded in the challenge message), then he will be “whitelisted” and his message delivered. If the sender declines to accept the challenge, his mail will remain forevermore undelivered.

Mailing list control. Many old majordomo/LISTSERV-style mailing lists (the kind often used by hobby, social, or professional-interest groups) use a simple but effective e-mail based interface to allow subscribers to join or quit the lists, or to change their list preferences. The list will have a special e-mail address that is monitored by a robot, and the subscriber communicates with it by sending e-mails that contain embedded commands. The robot will extract the commands and execute them, returning any responses to the subscriber.

Automated marketing messages. Many small-time internet marketing gurus extol the virtues of the humble e-mail autoresponder (which, they often say, can do “selling on autopilot”). Here, the would-be marketer sets up a robot that monitors a particular e-mail address; anyone who sends a message to this address gets an immediate sales pitch in response (and the robot will also no doubt remember to put the prospect’s address in a database for later “follow-up” by the marketer or those to whom he sells or rents the data).

Receiver-side mail bounces. Technically, an e-mail system is not supposed to accept incoming mail unless it is pretty confident that it can deliver that mail. However, many systems do not bother to make the necessary checks at the time of message delivery, and then find subsequently that the mail is not deliverable. Under the circumstances, they are then forced to send automatic “bounce” messages to inform the sender that the message did not go through. Even if the mail service isn’t lazy or slipshod, it may in very rare cases have to renege on its promise to deliver an incoming message (e.g., if there is a massive and immediate system failure), and is technically required to send a bounce when it does. Whatever the case, the mail system that chooses to bounce messages it has already accepted effectively becomes an autoresponder.

What’s the problem with autoresponders?

Misfiring autoresponders are part of the general problem of e-mail backscatter or blowback, in which spam mailings generate a secondary load of automated e-mail traffic that, while usually benign, is still pointless, unsolicited, and annoying to its recipients.

Common to each of the types of autoresponder mentioned above is the fact that the autoresponder replies automatically to the party whom it believes to be the proper sender of the original mail. The only information it has about this party are the return addresses that appear in the visible headers of the original message (e.g., in the From or Reply-To fields). If the original message is an “honest” one, then these addresses will more than likely be correct. In the case of spam, however, these addresses are invariably forged and therefore are incorrect. Worse, many of these forged messages may be valid, working addresses belonging to people who were not involved at all with the original message. In these cases, autoresponders’ replies to spam will thus go to people who had nothing to do with the spam. Many of these people will regard errant autoresponder mail as a form of e-mail abuse, and may report it as such. Even those who don’t report are likely to be very confused or angry (or both).

One nightmare scenario for an autoresponder user is the the case in which a spammer decides to forge the robot’s address into his mail. The result of such forgery (depending upon the size of the spam run and the “quality” of the spam list) can be hundreds or even thousands of bounced e-mails being “returned” to the autoresponder, which then duly sends out responses to each. This could dramatically increase the autoresponder’s overall traffic level, and could draw unwanted attention to the operation. Imagine having to explain to your IT department why hundreds upon hundreds of “vacation messages” were sent from your address while you were out for a long weekend!

Making autoresponders smarter

If an autoresponder could somehow tell good mail from bad, it would know to respond to the good mail and ignore the bad mail. There are several ways to give autoresponders the means to suppress misdirected replies:

• If the mail service itself rejects or suppresses delivery of obvious spam mail (through the use of DNS blocking lists or similar means), then the bad mail never reaches the autoresponder and so will not be responded to. 
• The autoresponder can use these same tools on the mail that it does receive to judge the bona-fides of the mail; if the message looks phony, the autoresponder can elect not to send a response.
• The autoresponder can also use more aggressive and comprehensive filters (e.g., Bayesian filters or SpamAssassin) to evaluate incoming mail for its spamminess.
• Autoresponders can check the relevant Sender Policy Framework (SPF) or Domain Keys (DKIM) information (if this information is available) to see whether the mailing has been “authorized” by the provider responsible for it.

None of these methods are absolutely foolproof (in particular, not all services publish SPF or DKIM information, and those who don’t cannot tell the autoresponder that the incoming message is “rogue”), but they are better than nothing at all. These methods are probably beyond the resources of individual end-users of e-mail, but can certainly be managed by a mail provider of any size or sophistication.

Should you use an autoresponder?

I assume that you, like most people, want to be a good “netizen” and avoid placing unnecessary hardships on innocent parties through indiscriminate automatic e-mailing. Not using autoresponders at all would certainly be a very good idea in this regard. However, you may not want to (or be able to) forego the benefits of autoresponder services. Here are some points to consider:

• If your spam volume is currently exceptionally low (whether through happy accident or effective filtering), then your risk of sending misdirected autoresponder mail is also likely to be very low, so you might be able to get away with an occasional vacation message as long as you don’t make a long-term habit of it. However, you must live with the possibility that every spam you receive while in “vacation mode” has resulted in at least one misdirected autoresponder message.
• Find out whether your provider’s (or employer’s) autoresponder services are protected using one or more of the methods described above; if so, then the risk of misdirected responses may be greatly reduced.
• Some employers may encourage (or even require) their staff to use vacation autoresponders whenever they plan to be away from the office, so that important business mail is at least responded to (if only by a robot). If yours is one of them, you might share this article with your management or IT department, and then suggest a change in policy. Temporarily redirecting your business mail to colleagues or administrative staff, for instance, might actually be more effective than using an autoresponder, since this holds out the hope that a human being might be able to respond positively to an urgent appeal (which the autoresponder cannot do).
• If you currently use a challenge/response spam filter, it might be time to reconsider the practice. C/R filters have high false-positive rates (since every untrusted mail is assumed guilty until proven otherwise), and as we have seen they are prone to misdirected challenge messages. Your freedom from spam is coming at the expense of strangers who receive your misdirected challenges, and potentially fruitful correspondents who cannot or will not respond to challenges.
• If you manage a mailing list, you may want to secure your list’s robot address with effective spam filtering, and to limit its replies only to bona-fide subscribers wherever possible (you might have to block this robot from signing up new subscribers, instead using some more secure form of invitation or separate application). Or, consider migrating your list to a more modern web-based mailing list or bulletin board system (such as GoogleGroups or Yahoo! Groups).
• If you are using an autoresponder simply to blindly send out marketing messages, consider using more conventional means of promotion other than unsupervised e-mailing (which can quickly turn into mail abuse or spam). I suspect that marketing-autoresponder addresses by their nature may attract a greater volume of spam than “private” e-mail addresses, so your autoresponder may wind up burning a bearing responding to spam, and spreading your “message” to many people who did not ask to see it — the very definition of spam. 

Is it really this simple? Does this technique actually work, and can you use it both ethically and safely? Based on some research, and some testing of my own, I have to conclude that the answer to all these questions may be NO. Pretend bounces are completely ineffective in just those cases where you could most benefit from them (i.e., against hardcore criminal spammers). In addition, pretend bounces can be misdirected to innocent parties who were not involved in the spamming (making the pretend bounce itself a form of reportable e-mail abuse), and they may also show evidence of manipulation and deception that can cause them to be tagged as abusive e-mail by many e-mail systems. Read on for the details.

How pretend-bouncing works

If you’ve used e-mail for any length of time, you know that when you send mail to an undeliverable address you will get a bounce message (known technically as a Delivery Status Notification (DSN), or sometimes as a Non-Delivery Notice (NDN)) to let you know that your message did not go through; this information will generally convince you to stop trying to send further messages to this address (unless, perhaps, you just happen to enjoy sending messages that go nowhere).

The pretend-bounce capabilities of e-mail clients (such as Apple Mail for Mac OS X) and add-on programs (like MailWasher Pro and SpamBully, as well as numerous other less-widely-distributed utilities) generally work by concocting e-mail replies that look as much as possible like official DSNs, and sending these directly from your own computer (bypassing your provider’s outgoing mail service) to the from-addresses found in the unwanted messages. These replies are not “real” bounces (i.e., real DSNs) because they are not sent from one of the bona-fide mail hosts that were involved in the transfer of the original message.

The case for pretend-bouncing as an anti-spam tool is based upon three very questionable assumptions:

• The bounces will go to the parties responsible for sending the spam (they will not), or else will be bounced themselves or otherwise disappear harmlessly from the network (they might do something far worse).
• If the spammer does happen to receive the bounce, he will remove the sender’s “dead” address from his list (he will not).
• The bounce will look exactly like an “official” DSN and will therefore not implicate or identify the bouncer (not a safe bet at all).

Will the bounces actually go to the spammer?

In the case of hardcore spam, the answer to this question is NO. At best, your pretend-bounces will be bounced back to you, or else may simply vanish into a bit-bucket somewhere. At worst, your bounces will go to an innocent person who may consider them (with good grounds) to be spam or abuse.

How can this happen? To find out, let’s look for a bit at how e-mail addresses are treated within e-mail messages.

In order to pretend-bounce a spam message, your “bounce tool” has to know where to send the bounce. There are several places where return addresses can appear in e-mail messages (i.e., the From address, the Envelope-From address, and the Return-Path address), but none of these are trustworthy in the case of spam because they are easily spoofed or forged.

The forged addresses used by the spammer will be either:

• completely phony addresses (but in real, functioning internet domains), or
• real, working e-mail addresses belonging to innocent parties.

Obviously, then, when you pretend-bounce a spam message, the bounce will either be bounced back to you itself (if the return address is phony), or else will be sent to some poor soul who had nothing to do with the spam other than having had the misfortune to have his address (or internet domain) stolen to serve as camouflage. Whichever the case, the spammer will never see the bounce at all, so it will not fulfill the purpose for which you sent it.

Will the spammer remove your address if it bounces?

Don’t depend on it. Even if he does actually see the bounce (which as we noted above is quite unlikely), he is generally not interested in removing any address from his list for any reason, even the fact that the address appears to be undeliverable. It simply isn’t worth his time, and goes against his business model.

You might think that a spammer would want to reduce his exposure or his operating costs by eliminating undeliverable addresses from his mailing list, but the fact of the matter is that the hardcore spammer gains very little, if anything, by managing his list in this way. By and large, hardcore spammers use stolen resources and bandwidth to send their mail, and have figured out many ways to do so anonymously such that they can spam away around the clock without worry of being identified and nailed. They have no particular need to closely control the use of resources that they have stolen in the first place, stolen from a seemingly bottomless well provided by complacent internet providers and their customers. In other words, “failed deliveries” is simply not a figure that shows up in the successful hardcore spammer’s operating budget, and eliminating one or two addresses from a list that numbers into the tens of millions is not going to save much money or reduce an already-negligible risk of exposure.

Even if the target of your pretend bounce isn’t a hardcore spammer (i.e., maybe he is just an annoyingly aggressive marketer who nevertheless uses legitimate channels to send his mail and receive bounces), the receipt of a single bounce here and there is likely not going to trigger instant and automatic purging of his list — particularly if the bounce is identified as a pretend one. In these cases, you might be better off reporting the mail to the sender’s upstream providers, or even using the sender’s opt-out mechanism (if he provides one).

Are pretend bounces safe for those who send them?

At heart, the pretend bounce is a form of deception (i.e. it claims that your address is not deliverable when in fact it really is), and trying to deceive people about the e-mail you send puts you on tenuous moral ground, right next to the spammer. Few would complain if the only victim of the lie were the spammer (who himself is guilty of massive and serial lying on a Terabyte scale). However, pretend bouncing harms innocent parties (as we have just seen), and can even backfire on you personally, making you look like a spammer yourself.

To understand why this is so, consider a typical, genuine DSN bounce.

• The DSN will have an “official” return address (for instance, postmaster@your-isp.foo) displayed in the From field.
• Inside its headers, the DSN will show that it originated from the IP address of an “official” mail host (that is, an MTA or MDA) and not an end-user’s machine.

In order to completely and correctly emulate a DSN bounce, a pretend bounce would have to exhibit both of these properties (and others besides). However —

• While it is easy to drop a phony but official-looking return address into a pretend bounce message, this is lying — it is precisely the same behavior (i.e., forgery of return addresses) for which we regularly condemn spammers. 
• We cannot successfully spoof the IP address of a bona-fide mail host in a pretend bounce, and so it will most likely be the IP address of your own computer — and not a mail host — that shows up as the source of the message. This can lead some spam filters to identify the pretend bounce as abusive e-mail, and it also exposes your computer’s IP address to the recipients of the bounce, which can lead to further problems for you. 

Let’s take a closer look at the latter point. Because they are essentially forgeries, pretend-bounce messages must be sent using special techniques. These messages cannot be sent through the normal outgoing-mail channels that you use for your routine messages; instead, they must be sent by your computer directly to the incoming mail hosts that serve the from-address of the original message. This technique, known in the trade as direct-to-MX mailing, is not technically forbidden, but it has become so closely identified with spam mail that many spam filters are designed to detect it and to flag messages that use it as spam.

Having your pretend bounce flagged in this way can result in harsh consequences for you. If the recipient of the pretend bounce (who, again, is probably not the spammer) decides to report the bounce as abusive e-mail (which many anti-spam tools and services consider to be an appropriate response), he will probably find on examining the header that your computer’s own IP address shows up as the source of the mailing. If you persist in sending pretend bounces from this address, it may actually wind up on a blocking list; while this may or may not have a direct effect on you, it may attract the attention of your provider, who will want to know why the address has been blocked. This provider is probably not going to be amused that you have also forged its “official” e-mail addresses into your bounces. Plus, in pretend-bouncing mail from your own IP address, you may be revealing that address (along with your supposedly inoperative e-mail address) to people who are smart enough to do something more sinister with the information.

Pretend-bouncing from Apple Mail: an experiment

I have mentioned several specific e-mail clients and bounce tools here; most of these are not immediately accessible to me (as many will only run on Windows, and some require payment for use). However, I did test the pretend-bounce feature of Apple Mail for this post.

I started by sending a message from one of my e-mail addresses to another, each address in a different internet service (so that the message would have to travel across the public net rather than being routed internally within a single domain). When I received this message, I used Apple Mail’s bounce command to bounce it. Once I received the bounce, I submitted it to the SpamCop parser for analysis. SpamCop is generally extremely accurate at deconstructing e-mail headers, and this case proved no exception:

• SpamCop concluded that the message contained a forged header line (constructed from bits and pieces taken from the original message), which is literally against U.S. Federal law (specifically, the CAN SPAM act).
• Despite the forgery, SpamCop accurately traced the origin of the message directly back to my own IP address. 
• The bounce message used a Resent-From header to identify my supposedly “dead” address, which tends to contradict the impression I wanted to leave (that the address was really “dead”).

If I had submitted this parse as a spam report, I would have put a black mark against my own IP address, and sent a spam report to my own provider. If I had made many, many such bounces in a short space of time, I could even have put my IP address on the SpamCop Blocking List (SCBL), which would have made my ISP that much more angry.

Again, I do not have access to the other tools I have mentioned, so I cannot say whether they are any better (or worse) at constructing believable pretend bounces; however, if they (like Apple Mail) send direct-to-MX from the user’s own computer, I cannot see where they would escape similar results.

Pretend bouncing: think twice

There may be perfectly proper reasons to use pretend-bouncing; you might, for example, use it to convince particular unwanted correspondents or even “cyber stalkers” that your address is offline. However, pretend-bouncing is useless for stopping today’s hardcore spammers, since these spammers will never see the bounces and would be unlikely to act on them even if they did. 

Worse, when you send pretend-bounces, you may be sending forged (and technically illegal) messages with spoofed return addresses, and these can make you look very bad if you make them a habit.

For these reasons, I’d advise you to keep away from pretend bouncing altogether, or to use it only in limited cases where it might actually accomplish something useful.

E-mail is a point-to-point medium

It should be obvious that electronic mail is a point-to-point (person-to-person) communications medium, just like postal mail. That is, one party (the sender) sends a payload (the e-mail packet) directly to another party (the recipient). That’s how it works — one sender, one packet, one recipient.

Of course, the sender can send the identical message to many people (either by putting more addresses in the To: or the cc: fields, or simply by retransmitting the same message over and over, each time to a new recipient), but each transmission is still a one-to-one affair. Each e-mail recipient gets his own distinct copy of the mail packet, just as each recipient of bulk postal mail gets his own personal copy of the coupon-pack or flyer or catalog.

In other words, if a spammer sends a mailing to a million recipients (a small number for many of these guys), then a million individual copies of the same mail packet will have to traverse the internet, one to each recipient.

Using a point-to-point medium for broadcasting is inefficient.

The term “broadcast e-mail” was once fashionable for describing e-mail marketing (including spam), but it is a bit of a misnomer: the broadcast e-mailer isn’t actually broadcasting anything, he is just making a very large number of individual point-to-point deliveries (of the identical packet) to a list of individual recipients. Because of all this duplication of data, using e-mail to send identical copies of messages to large groups of recipients (as the spammers do) is fundamentally inefficient. Many of the problems caused by spam come about because of this inefficiency - the need to distribute vast numbers of copies of the same information to equally vast numbers of recipients. Much of this inefficiency has to be dealt with by people other than the spammer (i.e., the recipients and their internet providers), who must expend time, resources, and money for which the spammer does not compensate them.

To understand this point a bit better, let’s look at some examples of true broadcasting:

• Advertising billboards and posters can be considered a kind of broadcast, since there’s only one copy of the billboard (or poster), but many recipients are exposed to it as they pass by. 
• Similarly, a radio or television program is also a broadcast, because there’s only one signal leaving the station’s antenna (or the cable operator’s head end), and everyone who watches or listens receives this same signal via their TV sets or radios.

There are also media in the real (non-internet) world that are traditionally point-to-point media, but are often used (inefficiently) for “broadcasting:”

• The telephone is not a broadcast medium. You can only call one other person at a time on the public network (or, at best, a small handful of people if you use some sort of conferencing service and can coordinate all these people). Using telephones for marketing or other mass-calling (such as the “robo-calling” that goes on every couple of years in the political seasons) requires that one call be placed at a time, serially. Even if the marketer uses a “boiler room” full of people (or robots) to do the calling, each of these can only call one number at a time.
• Likewise, traditional postal bulk-mail is not really broadcasting either; as we noted, the sender must send a separate copy of the letter, flyer, catalog, etc. to each recipient. This leads to the need to produce, distribute, and mail vast quantities of paper, each piece carrying the same information.

Somebody has to pay for the inefficiency

For something to be inefficient means simply that it costs more than it ought to. Someone has to pay this extra cost. When ethical advertisers use inefficient methods, they pay the full cost of this inefficiency themselves. Spammers, on the other hand, manage to pass these costs on to other people — the internet providers (and their customers) to whom the mail is directed. This point may not be immediately obvious, so keep reading.

There’s nothing particularly wrong with using a point-to-point medium to “broadcast” to many people; it all boils down to a simple business decision as to whether the advertiser can derive enough benefit from using such techniques in order to justify the cost (to him) of the inefficiency.

• For instance, a sender of postal bulk mail must pay postage (even if at a discounted bulk rate) for each item he sends; he also has to pay for the production, printing, and packaging of each of those items. 
• Likewise, telephone solicitors have to pay their telephone company for the calls they place, and they may also have to buy or lease special telephone equipment or lines to do the job. They may also have to hire sufficient boiler-room staff (or robots) to place all these calls, one at a time. 

In these cases, the marketer pays the full cost of the delivery of the messages, including the costs for the inefficiency of these duplicative messages. The recipient pays nothing, because the services used by the advertiser (i.e., the telephone company and the post office) have been set up to put the full cost burden on the sender. That is, it costs you nothing to receive postal bulk-mail, just as it costs you nothing (in most cases, anyway) to receive marketing calls on a landline telephone in your home. The same is not true for the internet, however.

Nowadays, most home internet users pay a simple flat rate for essentially unlimited access: that is, they pay the same $50 (or so) per month whether they download movies around the clock, or just send an e-mail or two. The internet providers compute these charges based on their costs of doing business, plus some profit margin. If the costs go up, then the fees will tend to have to go up as well.

Since spammers use inefficient bulk e-mail to distribute their messages, they spawn billions of kilobytes (literally) of highly-duplicative traffic that would not otherwise be seen. These billions of kilobytes have to be processed by the incoming mail hosts belonging to the recipients’ internet providers. This means that the providers need to use more internet bandwidth to receive this traffic, and must also provide additional (or more powerful) mail servers to absorb this traffic. They then must hire additional personnel (a significant cost in any business) to administer these expanded networks and systems.

It is well documented that anywhere from sixty to ninety percent of all e-mail traffic in the world these days is spam. This means that a very large share of the cost of a given internet provider’s e-mail budget goes to handling messages that nobody wants. Since spam continues to grow steadily in volume, the costs for receiving it also inevitably grow. The internet provider must either absorb or reduce these costs (perhaps by finding more efficient ways to deal with the flood), or else must pass them on to their customers in the form of higher fees.

So, here’s the upshot of all this: more spam sent means higher costs to the internet providers who must receive it, and ultimately higher costs to the recipients (you and me). We also see why bulk e-mail is so attractive to the spammer: he does not pay the cost for any but the smallest portion of the inefficiency associated with his operations; he has managed the neat trick of passing most of his advertising cost onto his customers.

What can be done?

Having described the problem of spammers’ cost-shifting in what I hope is an eloquent and succinct manner, I have now come to the end of the post, where I am expected to pass on a solution to the problem. Unfortunately, I do not have such a solution. The issue before us is more of a social (or economic) problem than a technical one, and like most such problems it is a tough nut to crack. 

If we could somehow re-engineer the financial structure of the internet in such a way as to make spammers pay in full for their activities (including the inefficiency of the traffic they generate), then spamming would quickly become a prohibitively expensive livelihood. Any such restructuring of how internet service is paid for (and accounted for), however, would require one very large magic wand. 

For example, a provider could simply begin charging for access to its incoming mail hosts for the delivery of mail to its customers; the sending service would be expected to pay these charges, and then somehow pass them back to the customers who sent the mail. This would (in theory) place the cost burden back on the senders, where it belongs. You can bet, however, that no ISP is going to step forward to be the first to impose such a requirement, since if it did so it would very quickly find itself virtually cut off from the rest of the internet (since other providers would be very unlikely to agree to pay such charges). Plus, such a scheme would obviously be opposed by legitimate bulk-mailers (who do not spam), since it would massively increase their costs. 

Even if we could magically impose such a regime across the entire internet, it would require the mother of all accounting systems, one that would be prone to error, unreliability, or inequity, and that would likely create many more problems than it solved. 

Finally, it is very likely that spammers wouln’t even be affected by such a scheme, since they generally steal services in order to send their mail (a topic I reserve for a future post), and so might not even appear on the accountants’ radar screens.

And so, regardless of whether we can solve it, the problem remains: spammers exploit the odd financial structure of the internet to get other people to pay for their crooked activities.

A bit of background: In those days, computing pioneer Digital Equipment Corporation (DEC) was the most visible and successful seller of minicomputers (which were considered “mini” because they could fit in one room rather than taking up an entire floor). A young DEC sales rep named Gary Thuerk decided to use ARPAnet (the Pentagon-run precursor to today’s public internet) to send out invitations to a couple of California-area demos of DEC’s latest, the DEC-20 system.

Thuerk and his staff pored through the printed directory of ARPAnet users (imagine it — all the e-mail addresses in the world bound into a single phone-book-style volume) and extracted several hundred addresses that appeared to be in the geographic vicinity of the upcoming dog-and-pony shows. Thuerk then had a colleague type up, address, and send the message. Unfortunately, the mail program used (called SNDMSG) could not support more than 320 addresses on the to-line, so at least a third of these spilled out into the message body (and these parties never received their copies).

Quite a few ARPAnet users apparently complained about this blatantly commercial use of what was, after all, a government facility to be used only for military business and related research. One outfit even claimed that the “bulk” mailing had crashed their mail host (although it was later shown that they were sent only three copies of the message).

ARPAnetters hotly debated the Thuerk message amongst themselves, eventually leading to some words between DARPA (the DoD agency coordinating the ARPAnet) and DEC. One Major Raymond Czahor of DARPA may have established himself as the very first BOFH (“Bastard Operator from Hell”) with a terse public response that included the following (note the early use of “shout caps,” as in the original Gary Thuerk message):

THIS WAS A FLAGRANT VIOLATION OF THE USE OF ARPANET AS THE NETWORK IS TO BE USED FOR OFFICIAL U.S. GOVERNMENT BUSINESS ONLY. APPROPRIATE ACTION IS BEING TAKEN TO PRECLUDE ITS OCCURRENCE AGAIN.

On the other hand, one Richard Stallman, an ARPAnet user at the Massachusetts Institute of Technology, was less critical. Stallman (who would later earn fame for spearheading the open-source software movement by founding the GNU project) observed, somewhat prophetically:

Would a dating service for people on the net be "frowned upon" by DCA? I hope not. But even if it is, don't let that stop you from notifying me via net mail if you start one.

In a followup posting, after Stallman actually saw the Thuerk message (he was not on the original mailing list for it), he admitted that he did in fact find the message abusive, but only because it had so many addresses in the header.

The Thuerk message was quite tame by the modern standards of legit marketing mail (let alone those of spam), but the strong reaction to it set a precedent against such uses of the net that lasted a decade or more, well into the era of the public (non-DARPA) internet. Leaving aside the problem of misuse of a government resource for commercial purposes, the objections to Mr. Thuerk’s message boiled down to two issues, which will seem very familiar to modern anti-spammers:

1. The address list for the message was collected through relatively random harvesting (by geography, in this case), rather than through careful pre-screening or opt-in methods.
2. The message itself was not in conformance to the recognized protocols and practices of the time.

In the years that followed, DEC found itself outgunned by a new generation of microcomputers (starting perhaps with that pesky Apple ][), and eventually was absorbed by PC-maker Compaq, which was itself taken over by Hewlett Packard. Mr Thuerk remains on staff at HP, acknowledging his role in Spam Zero with good humor, but insisting that he felt he had done nothing wrong (indeed, he even told a Wall Street Journal blog that the message may have germinated some $12 million in sales). I’d say his sin was far from venal, although he certainly appears to have lent standing room on his shoulders for subsequent and more pernicious generations of spammers.

By the way, no one called Thuerk’s message “spam” at the time — the term would not come into currency for unwanted e-mail until almost two decades later.

As you may recall (perhaps from reading my post below), the feisty and litigious little e-mail marketing firm E60Insight LLC, headed by one David Linhardt, filed suit in a Chicago court on January 15 against the mega-ISP and cable-TV provider Comcast for blocking its marketing mail as spam. That was actually just the start of E360’s complaints, however, which went on to encompass computer fraud and abuse (for Comcast’s having supposedly returned misleading SMTP bounce messages that somehow damaged E360’s databases (?!)), and even violation of E360’s first-amendment free-speech rights (which, for some reason, E360 figured that Comcast—a private business—was supposed to be enforcing). E360 sought over US$21 million in damages from Comcast.

In a decision released on April 11, Judge James B. Zagel granted Comcast’s motion for immediate judgment, effectively dismissing the suit without allowing E360 so much as a chance for discovery (i.e., to allow its lawyers go through Comcast’s records regarding the E360 mailings). This latter point was probably the least welcome news for E360, which might otherwise have been able to collect some valuable intelligence on Comcast’s mail filtering operations.

Perhaps stinging from the judge’s not-so-veiled rebuke (“…Some, perhaps even a majority of people in this country, would call [E360] a spammer”), E360 has filed for reconsideration of the dismissal. On the other hand, this may just be a largely pro-forma action laying the groundwork for an appeal of the dismissal to a higher court.

At the same time, E360 also filed a motion to dismiss Comcast’s countersuit against E360, which alleged violations of CAN SPAM and Illinois anti-spam laws, as well as the same Computer Fraud and Abuse Act (18 USC 1030) that E360 tried to wield against Comcast.

Meanwhile, in other E360 litigation news, one of its other prominent targets has found E360 rather less cooperative in discovery than E360 wanted Comcast to be. The Spamhaus Project has filed a motion alleging that E360 has not provided the information that Spamhaus seeks in order to ascertain the basis for the US$11 million award that E360 seeks for Spamhaus having blocklisted its outgoing mail host addresses. What’s sauce for the goose may not be sauce for the gander, at least according to E360.

E360’s complaint against Comcast (for which it seeks over $21 million in compensatory damages) boils down to four allegations:

1. That Comcast practiced restraint of trade by using spam filters that blocked the delivery of marketing e-mails that E360 claims it had prior permission to send. E360 also alleges that Comcast was wrong to deny them access to details of its spam blocking system so they could find ways to get around it (!!).
   • ISPs have been blocking spam for a decade or more, and 99.9% of the time have managed to avoid being sued for this practice, so it isn’t clear whether this allegation is going to fly, particularly if E360 cannot prove that they are being singled out for special mistreatment rather than being blocked for simply acting like spammers (and thereby getting on third-party blocking lists).
   • Comcast indicates in its response that, as an internet service provider, it is immune from such charges because of its obligations under the Communications Decency Act, which allows ISPs to take measures to block offensive content.
   • Comcast also argues that while it provides services to allow its users to send and receive e-mail, it rejects E360’s contention that it has a duty to see that all such messages are sent.
2. That Comcast violated the Computer Fraud and Abuse Act (18 USC 1030) in blocking mail deliveries from E360. E360 alleges that Comcast’s spam filtering system amounts to a “denial of service attack” that has drained the resources of E360’s servers and done damage to E360’s databases. Refusing a mail delivery in a simple SMTP transaction hardly seems like the sort of thing we think of when we think of a DDOS, while E360 admits that the “damage to databases” was done by themselves when they removed addresses that they found to be undeliverable. In any case, this allegation rather turns 18 USC 1030 on its ear, since this law is far more likely to be used against the senders of unwanted e-mail rather than in their defense.
   • E360 claims that Comcast mail hosts “tarpitted” E360 servers by keeping them “on the hook” (waiting for a message transfer to conclude) for an average of five hours per message transfer; Comcast denies the tarpitting charge, but if it were true it would certainly provide evidence that E360’s mail sending hosts exhibit questionable efficiency.
   • E360 alleges that Comcast sent “false bounces” to E360 servers when these tried to transfer messages to Comcast MX hosts, and that these false bounces led E360 to remove the supposedly-unreachable Comcast e-mail addresses from its databases. Reading between the lines here, we might surmise that Comcast may have been “graylisting” the E360 hosts. If true, this would show that E360 mail-sending hosts may not correctly implement SMTP procedures (i.e., to retry mail transmissions after a fallback period if they are initially refused for technical reasons).
3. Comcast violated E360’s first amendment right of free speech through its “arbitrary and capricious” blocking of E360’s e-mails. This seems a silly argument even to a non-lawyer like myself, since Comcast is a private business that has no responsibility for enforcing or supporting anyone’s free-speech rights at its own expense (uncompensated by E360). Even E360 appears to recognize the weakness of this allegation, since they’ve only asked for $500,000 damages (out of the $21 million) on it.
4. Comcast is practicing unfair competition, since it treats E360 differently from other users of its network. E360 believes that because it has complied (so it is claimed) with Comcast’s AUP (as well as with the CAN SPAM law), it should be allowed to send mail on Comcast’s networks just as paying Comcast customers may do. Seems to me that being an outsider with no contractual relationship to Comcast puts E360 out of scope of the Comcast AUP, but then I’m no lawyer.

For its part, Comcast has replied to the charges with a dismissiveness bordering on contempt, and has asked the judge for an immediate dismissal of the suit, without trial. The next hearing in the matter is scheduled for April 15.

E360 Insight’s previous tussle at the bar was in E360 v. The Spamhaus Project (documents at SpamSuite.com), in which they took exception to Spamhaus’ naming of e360’s mail-sending hosts to its widely-used DNS blocking lists (E360 points out in the Comcast suit that Comcast uses Spamhaus DNSbls in its spam-filtering system). E360 can actually claim a technical victory here (“modified rapture,” to quote W.S. Gilbert), but only because the UK-based Spamhaus did not feel obliged to answer charges brought in a U.S. court, and so lost by default. On the appeal, which Spamhaus is more aggressively pursuing, E360 is finding the going a bit tougher.