In another Forum, I started a thread about why one should NOT use a free email like gmail, hotmail, etc. John Hinton of EW3D.com posted a better answer as to why to use ONLY mydomainname.com - that is the ONLY domain name YOU control.
Then someone posted about how she bounces spam back to the spammers. This is John's (with his permission to post) answer as to why that is not a good idea. You tech savvy probably already know this but those like me who know-nothing may learn from it. Here goes:
I'm going to take on trying to give a bit of an explanation to email headers. I have taken a few lines from the header of a spam sent to me. If you decide to view headers of an email yourself, you need to know to read them from bottom to top. The bottom is where the email starts, the top is where it lands in your box. To help everyone understand, I'm starting with lines from the bottom and working my way up. My comments on each line are inside the --- marks.
Subject: [SPAM] =?GB2312?B?RGlnaXRhbCBQaG90byBFZGl0aW5nIFNlcg==?=
=?GB2312?B?dmljZXMgLSBQaG90byBDdXRvdXQgLSBQaA==?=
=?GB2312?B?b3RvIFJldG91Y2hpbmc=?=
---The spammer used Base64 encoding trying to avoid spam filtering. I won't post the unencoded subject line as I don't want to help them. The [SPAM] flag was added by our anti-spam system. The entire message was also Base64, so it is more difficult for most anti-spam systems to read.---
Reply-To: <[email protected]>
---As this was an ad for a service, this email address was likely a good one. I changed it in this post so I wouldn't be promoting the domain---
To: "ME" <[email protected]>
---This was my legit email address---
From: "Rick" <[email protected]>
---I changed the username to protect this email address as it looks to be spoofed. If you bounced the message, it would go to this account---
Received: from host1 (unknown [61.191.37.115])
by info.antares-mebel.ru (Postfix) with ESMTP id 0035C18C6D0;
Thu, 13 Dec 2012 20:57:49 +0000 (UTC)
---This email positively originated from the server located at 61.191.37.115. I did a lookup on antares-mebel.ru and got no results, so it seems bogus. However a lookup on 61.191.37.115 shows it is managed by CHINANET Anhui province network.---
Received: from info.antares-mebel.ru (unknown [193.33.62.35])
by MYMAILSERVERNAME (Postfix) with ESMTP id 3B5653C0BAA
for <[email protected]>; Thu, 13 Dec 2012 19:40:02 -0500 (EST)
---It seems that 61.191.37.115 passed this email along to another server, 193.33.62.35 still using that bogus domain name. This IP address is controlled by Prokma-Telecom JSC RU. So this email originated on a China internet service and was sent through a server in Russia---
End header posting....
I didn't bother with the top of the headers as they aren't important here. What we learn here is this email never went through any yahoo.de mailsystems. Yahoo.de is the German version of yahoo.com, to my knowledge owned and operated by yahoo.com but a German interface. My point is yahoo.de is legitimate and we need to accept mail from them. To my knowledge bounce always uses the 'From' address and not the 'Reply-To' address. So the bounce goes to an account that did not send the message.
Now for trickery. This spammer is most likely in China (although they could be only using an account in China and be anywhere in the world). They could easily set up a free Yahoo account at yahoo.de. This would be where the bounces would be received. Bounces are normally from legitimate email addresses, otherwise they are normally 'Rejects'. (I say normally because there are a number of uninformed mailserver admins in the world as well.) The spammer could use this account to verify good email addresses to know which ones to positively keep on his list. 'Verified' email addresses are a hot commodity to spammers. Those lists can be sold for good money. Or maybe he just grabbed a poor soul's email address to use as the 'From' address so the bounces wouldn't come back to him.
If you have bounced email, don't feel bad or dumb or anything like that. As I said above, it is a mistake made by a lot of mailserver admins and the spammers abuse those poorly configured systems. Combine that with the thought that you can spam the spammer and it becomes irresistible! It just doesn't do what you think it is doing. Now, if you know your irate sister-in-law's email address and it is the 'From' address, you can bounce the gripes back to her.
Posted by John Hinton
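As an added example (not part of John's post or anything from EW3D.com), here is a Python script that walks the Received chain the way the post describes, bottom to top. Its input is a header block assembled from the Received lines quoted above; the addresses are placeholders and the Subject is a constructed encoded-word, since the post deliberately withholds the real one. It finds the originating IP, decodes the encoded-word subject, and checks the post's key point: the From domain never appears in the relay path, yet that is where a bounce would be addressed.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed sample: Received lines and IPs as quoted in the post, with
# placeholder addresses and a constructed (not the spam's real) Subject.
SAMPLE_HEADERS = """\
Received: from info.antares-mebel.ru (unknown [193.33.62.35])
\tby MYMAILSERVERNAME (Postfix) with ESMTP id 3B5653C0BAA
\tfor <me@example.com>; Thu, 13 Dec 2012 19:40:02 -0500 (EST)
Received: from host1 (unknown [61.191.37.115])
\tby info.antares-mebel.ru (Postfix) with ESMTP id 0035C18C6D0;
\tThu, 13 Dec 2012 20:57:49 +0000 (UTC)
From: "Rick" <spoofed@yahoo.de>
Reply-To: <ad@example.net>
To: "ME" <me@example.com>
Subject: =?UTF-8?B?Q29uc3RydWN0ZWQgc2FtcGxlIHN1YmplY3Q=?=

"""

# "from <helo> (<rdns> [<ip>]) by <server>" as Postfix writes it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\([^\[\]]*\[(?P<ip>[\d.]+)\]\)\s+by\s+(?P<by>\S+)")

def relay_chain(raw_message):
    """Received hops in delivery order (origin first). Each server prepends
    its own Received line, so the header order is reversed to get the path."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(value)
        if m:  # only hops whose connecting IP the receiving server recorded
            hops.append({"helo": m["helo"], "ip": m["ip"], "by": m["by"]})
    return hops

def bounce_target(raw_message):
    """Where a bounce goes (From, as the post says) versus where the
    spammer actually wants replies (Reply-To)."""
    msg = message_from_string(raw_message)
    return {"from": parseaddr(msg["From"])[1],
            "reply_to": parseaddr(msg.get("Reply-To", ""))[1]}

def from_domain_seen_in_chain(raw_message):
    """True only if some relay hop belongs to the From domain. False here:
    the message never touched the domain it claims to come from."""
    domain = bounce_target(raw_message)["from"].rsplit("@", 1)[-1].lower()
    return any(h["helo"].lower().endswith(domain) or h["by"].lower().endswith(domain)
               for h in relay_chain(raw_message))

def decoded_subject(raw_message):
    """Decode RFC 2047 encoded-words (the =?charset?B?...?= form above)."""
    return str(make_header(decode_header(message_from_string(raw_message)["Subject"])))
```

The same functions run unchanged on a real header block pasted from a mail client's "view source".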