Can “pretend bounces” hide you from spammers?
Wouldn’t it be great if you could somehow make yourself invisible to spammers by tricking them (and only them) into thinking that your e-mail address doesn’t work? A few well-known e-mail programs and add-on utilities claim to be able to do just that: they offer “bounce” features that let you selectively send official-looking bounce replies to messages you get; the idea is that these “pretend bounces” (as I will call them) are supposed to convince the recipients that your address is undeliverable, and thereby discourage them from bothering you further.
Is it really this simple? Does this technique actually work, and can you use it both ethically and safely? Based on some research, and some testing of my own, I have to conclude that the answer to all these questions may be NO. Pretend bounces are completely ineffective in just those cases where you could most benefit from them (i.e., against hardcore criminal spammers). In addition, pretend bounces can be misdirected to innocent parties who were not involved in the spamming (making the pretend bounce itself a form of reportable e-mail abuse), and they may also show evidence of manipulation and deception that can cause them to be tagged as abusive e-mail by many e-mail systems. Read on for the details.
How pretend-bouncing works
If you’ve used e-mail for any length of time, you know that when you send mail to an undeliverable address you will get a bounce message (known technically as a Delivery Status Notification (DSN), or sometimes as a Non-Delivery Notice (NDN)) to let you know that your message did not go through; this information will generally convince you to stop trying to send further messages to this address (unless, perhaps, you just happen to enjoy sending messages that go nowhere).
The pretend-bounce capabilities of e-mail clients (such as Apple Mail for Mac OS X) and add-on programs (like MailWasher Pro and SpamBully, as well as numerous other less-widely-distributed utilities) generally work by concocting e-mail replies that look as much as possible like official DSNs, and sending these directly from your own computer (bypassing your provider’s outgoing mail service) to the from-addresses found in the unwanted messages. These replies are not “real” bounces (i.e., real DSNs) because they are not sent from one of the bona-fide mail hosts that were involved in the transfer of the original message.
The case for pretend-bouncing as an anti-spam tool is based upon three very questionable assumptions:
- The bounces will go to the parties responsible for sending the spam (they will not), or else will be bounced themselves or otherwise disappear harmlessly from the network (they might do something far worse).
- If the spammer does happen to receive the bounce, he will remove the sender’s “dead” address from his list (he will not).
- The bounce will look exactly like an “official” DSN and will therefore not implicate or identify the bouncer (not a safe bet at all).
Will the bounces actually go to the spammer?
In the case of hardcore spam, the answer to this question is NO. At best, your pretend-bounces will be bounced back to you, or else may simply vanish into a bit-bucket somewhere. At worst, your bounces will go to an innocent person who may consider them (with good grounds) to be spam or abuse.
How can this happen? To find out, let’s look for a bit at how e-mail addresses are treated within e-mail messages.
In order to pretend-bounce a spam message, your “bounce tool” has to know where to send the bounce. There are several places where return addresses can appear in e-mail messages (i.e., the From address, the Envelope-From address, and the Return-Path address), but none of these are trustworthy in the case of spam because they are easily spoofed or forged.
The forged addresses used by the spammer will be either:
- completely phony addresses (but in real, functioning internet domains), or
- real, working e-mail addresses belonging to innocent parties.
Obviously, then, when you pretend-bounce a spam message, the bounce will either be bounced back to you itself (if the return address is phony), or else will be sent to some poor soul who had nothing to do with the spam other than having had the misfortune to have his address (or internet domain) stolen to serve as camouflage. Whichever the case, the spammer will never see the bounce at all, so it will not fulfill the purpose for which you sent it.
Will the spammer remove your address if it bounces?
Don’t depend on it. Even if he does actually see the bounce (which as we noted above is quite unlikely), he is generally not interested in removing any address from his list for any reason, even the fact that the address appears to be undeliverable. It simply isn’t worth his time, and goes against his business model.
You might think that a spammer would want to reduce his exposure or his operating costs by eliminating undeliverable addresses from his mailing list, but the fact of the matter is that the hardcore spammer gains very little, if anything, by managing his list in this way. By and large, hardcore spammers use stolen resources and bandwidth to send their mail, and have figured out many ways to do so anonymously such that they can spam away around the clock without worry of being identified and nailed. They have no particular need to closely control the use of resources that they have stolen in the first place, stolen from a seemingly bottomless well provided by complacent internet providers and their customers. In other words, “failed deliveries” is simply not a figure that shows up in the successful hardcore spammer’s operating budget, and eliminating one or two addresses from a list that numbers into the tens of millions is not going to save much money or reduce an already-negligible risk of exposure.
Even if the target of your pretend bounce isn’t a hardcore spammer (i.e., maybe he is just an annoyingly aggressive marketer who nevertheless uses legitimate channels to send his mail and receive bounces), the receipt of a single bounce here and there is likely not going to trigger instant and automatic purging of his list — particularly if the bounce is identified as a pretend one. In these cases, you might be better off reporting the mail to the sender’s upstream providers, or even using the sender’s opt-out mechanism (if he provides one).
Are pretend bounces safe for those who send them?
At heart, the pretend bounce is a form of deception (i.e. it claims that your address is not deliverable when in fact it really is), and trying to deceive people about the e-mail you send puts you on tenuous moral ground, right next to the spammer. Few would complain if the only victim of the lie were the spammer (who himself is guilty of massive and serial lying on a Terabyte scale). However, pretend bouncing harms innocent parties (as we have just seen), and can even backfire on you personally, making you look like a spammer yourself.
To understand why this is so, consider a typical, genuine DSN bounce.
- The DSN will have an “official” return address (for instance, postmaster@your-isp.foo) displayed in the From field.
- Inside its headers, the DSN will show that it originated from the IP address of an “official” mail host (that is, an MTA or MDA) and not an end-user’s machine.
In order to completely and correctly emulate a DSN bounce, a pretend bounce would have to exhibit both of these properties (and others besides). However —
- While it is easy to drop a phony but official-looking return address into a pretend bounce message, this is lying — it is precisely the same behavior (i.e., forgery of return addresses) for which we regularly condemn spammers.
- We cannot successfully spoof the IP address of a bona-fide mail host in a pretend bounce, and so it will most likely be the IP address of your own computer — and not a mail host — that shows up as the source of the message. This can lead some spam filters to identify the pretend bounce as abusive e-mail, and it also exposes your computer’s IP address to the recipients of the bounce, which can lead to further problems for you.
Let’s take a closer look at the latter point. Because they are essentially forgeries, pretend-bounce messages must be sent using special techniques. These messages cannot be sent through the normal outgoing-mail channels that you use for your routine messages; instead, they must be sent by your computer directly to the incoming mail hosts that serve the from-address of the original message. This technique, known in the trade as direct-to-MX mailing, is not technically forbidden, but it has become so closely identified with spam mail that many spam filters are designed to detect it and to flag messages that use it as spam.
Having your pretend bounce flagged in this way can result in harsh consequences for you. If the recipient of the pretend bounce (who, again, is probably not the spammer) decides to report the bounce as abusive e-mail (which many anti-spam tools and services consider to be an appropriate response), he will probably find on examining the header that your computer’s own IP address shows up as the source of the mailing. If you persist in sending pretend bounces from this address, it may actually wind up on a blocking list; while this may or may not have a direct effect on you, it may attract the attention of your provider, who will want to know why the address has been blocked. This provider is probably not going to be amused that you have also forged its “official” e-mail addresses into your bounces. Plus, in pretend-bouncing mail from your own IP address, you may be revealing that address (along with your supposedly inoperative e-mail address) to people who are smart enough to do something more sinister with the information.
Pretend-bouncing from Apple Mail: an experiment
I have mentioned several specific e-mail clients and bounce tools here; most of these are not immediately accessible to me (as many will only run on Windows, and some require payment for use). However, I did test the pretend-bounce feature of Apple Mail for this post.
I started by sending a message from one of my e-mail addresses to another, each address in a different internet service (so that the message would have to travel across the public net rather than being routed internally within a single domain). When I received this message, I used Apple Mail’s bounce command to bounce it. Once I received the bounce, I submitted it to the SpamCop parser for analysis. SpamCop is generally extremely accurate at deconstructing e-mail headers, and this case proved no exception:
- SpamCop concluded that the message contained a forged header line (constructed from bits and pieces taken from the original message), which is literally against U.S. Federal law (specifically, the CAN-SPAM Act).
- Despite the forgery, SpamCop accurately traced the origin of the message directly back to my own IP address.
- The bounce message used a Resent-From header to identify my supposedly “dead” address, which tends to contradict the impression I wanted to leave (that the address was really “dead”).
If I had submitted this parse as a spam report, I would have put a black mark against my own IP address, and sent a spam report to my own provider. If I had made many, many such bounces in a short space of time, I could even have put my IP address on the SpamCop Blocking List (SCBL), which would have made my ISP that much more angry.
Again, I do not have access to the other tools I have mentioned, so I cannot say whether they are any better (or worse) at constructing believable pretend bounces; however, if they (like Apple Mail) send direct-to-MX from the user’s own computer, I cannot see where they would escape similar results.
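As an added example (not from the post, and not code from Apple Mail or any of the tools mentioned), here is a Python check that a recipient or mail administrator could run over an incoming "bounce" to see whether it shows the properties of a genuine DSN discussed above: it tests the From/origin-host mismatch and the Resent-From header that the SpamCop parse turned up, and adds two RFC-based checks the post does not mention (a real DSN uses the null reverse-path, Return-Path: <>, and the multipart/report format of RFC 3464). The two sample messages, with their hosts, IP addresses and mailbox names, are constructed placeholders.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: a pretend bounce sent direct-to-MX from an end-user machine
# (hosts and addresses are placeholders); headers only.
PRETEND_BOUNCE = """\
Return-Path: <alice@example.net>
Received: from [192.0.2.55] (cpe-192-0-2-55.example-isp.net [192.0.2.55])
    by mx.example.org with ESMTP id PLACEHOLDER1; Mon, 1 Jan 2007 10:00:00 +0000
From: postmaster@example-isp.net
Resent-From: alice@example.net
Content-Type: text/plain
"""
# Constructed sample: the shape of a genuine DSN generated by an MTA (RFC 3464).
GENUINE_DSN = """\
Return-Path: <>
Received: from mx.example-isp.net (mx.example-isp.net [198.51.100.10])
    by mx.example.org with ESMTP id PLACEHOLDER2; Mon, 1 Jan 2007 10:00:00 +0000
From: postmaster@example-isp.net
Content-Type: multipart/report; report-type=delivery-status; boundary="b"

--b
Content-Type: text/plain

This is the mail system at mx.example-isp.net.
--b--
"""

def pretend_bounce_indicators(raw: str) -> list:
    """Signs that a 'bounce' is forged; an empty list means it looks like a real DSN."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # Seen in the post's Apple Mail test: Resent-From names the supposedly dead address.
    if msg.get("Resent-From"):
        findings.append("Resent-From header present")
    # A real DSN is sent with the null reverse-path, so its Return-Path is <>.
    return_path = str(msg.get("Return-Path", "")).strip()
    if return_path and return_path != "<>":
        findings.append("non-null Return-Path")
    # From claims the provider's postmaster, yet the earliest hop (last Received) is elsewhere.
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    received = msg.get_all("Received") or [""]
    words = str(received[-1]).split() + ["", ""]
    origin = words[1] if words[0].lower() == "from" else ""
    if origin and not origin.lower().endswith(from_domain.lower()):
        findings.append("origin host not in From domain: " + origin)
    # Real DSNs are multipart/report (RFC 3464); a hand-built reply usually is not.
    if msg.get_content_type() != "multipart/report":
        findings.append("not a multipart/report delivery-status message")
    return findings
```

The origin-host test is a heuristic on the earliest Received line only; a production filter would also consult the full hop chain and its own knowledge of the provider's mail hosts.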
Pretend bouncing: think twice
There may be perfectly proper reasons to use pretend-bouncing; you might, for example, use it to convince particular unwanted correspondents or even “cyber stalkers” that your address is offline. However, pretend-bouncing is useless for stopping today’s hardcore spammers, since these spammers will never see the bounces and would be unlikely to act on them even if they did.
Worse, when you send pretend-bounces, you may be sending forged (and technically illegal) messages with spoofed return addresses, and these can make you look very bad if you make them a habit.
For these reasons, I’d advise you to keep away from pretend bouncing altogether, or to use it only in limited cases where it might actually accomplish something useful.