
Re: More then 2800 spams from the list...

On Tue, Mar 20, 2018 at 09:21:03AM +0000, Joe wrote:
> An SMTP server, by default, accepts email only for recipients which have
> an account on it.

If only.  No, that's part of the problem.  An SMTP server, *by default*,
has no knowledge of which local-recipient-parts are valid and which
are not.  It has to communicate with some other system, process, library,
or whatever, to make that determination.

It's much easier for an SMTP server to validate just the domain-part
(right of the @ sign), and generate bounces when it turns out that
the local-recipient-part (left of the @ sign) is invalid.  This is
how things worked 25 years ago.

Unfortunately, humans being the despicable creatures that they are,
that naive system no longer works.

P.S. someone said that bounces are generated using the Reply-To: header.
This is incorrect (or at least, would be a violation of the protocols).
Bounces are sent to the envelope sender address (the one given by the
sender during the SMTP session), without looking at the message itself.

Of course, the envelope sender is just as easy to forge as the
Reply-To: header is.  The sender only needs to lie about who it is.
The receiver has no way to verify the address, other than "yeah, that
domain exists in DNS".

That's how backscatter (a.k.a. "joe-jobbing") works.  The spammer
sends mail to an invalid address and lies about the envelope sender
address.  The receiver generates a bounce to the forged envelope
sender address.  Voila, spam sent -- by the poor schmuck in the middle
who was just trying to follow the SMTP protocol properly.  The only
one who can identify the actual sender is the one who generated the
bounce, and the only identifying information that system has is the
IP address from which the message was sent.  Everything else (envelope
sender, message headers, message body) is fabricated.
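To make the mechanics above concrete, here is an added example (not part of the original post or any MTA's code) modelling a toy SMTP receiver under the two policies described: the "25 years ago" policy that checks only the domain part at RCPT TO and bounces later, and the policy that consults the local account list during RCPT TO and answers 550 before anything is queued. The local domain, the user list and the spam session are constructed values; the bounce logic follows the post (bounce goes to the envelope sender from MAIL FROM, never to Reply-To:) and adds the standard null-sender rule, which is why a bounce itself can never be bounced.

```python
"""Toy SMTP receiver: accept-then-bounce vs reject-at-RCPT (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Optional

LOCAL_DOMAIN = "example.com"        # assumed local domain
LOCAL_USERS = {"alice", "bob"}      # assumed local account list


@dataclass
class Session:
    mail_from: Optional[str] = None          # envelope sender (MAIL FROM)
    rcpt_to: List[str] = field(default_factory=list)
    data: Optional[str] = None               # message as accepted, or None
    log: List[str] = field(default_factory=list)   # server replies, in order


def parse_path(arg):
    """Extract the address from 'MAIL FROM:<a@b>' / 'RCPT TO:<a@b>' ('<>' -> '')."""
    a = arg.split(":", 1)[1].strip()
    return a[1:-1] if a.startswith("<") and a.endswith(">") else a


def header(msg, name):
    """Return a header value from the message body; None if absent."""
    for line in msg.split("\n"):
        if line == "":
            break                                   # blank line ends the headers
        k, _, v = line.partition(":")
        if k.strip().lower() == name.lower():
            return v.strip()
    return None


def receive(commands, message, validate_local_part_at_rcpt):
    """Run a scripted client session through the receiver and record its replies."""
    s = Session()
    for cmd in commands:
        verb = cmd.split(":", 1)[0].strip().upper()
        if verb == "MAIL FROM":
            s.mail_from = parse_path(cmd)
            s.log.append("250 OK")
        elif verb == "RCPT TO":
            addr = parse_path(cmd)
            local, _, domain = addr.partition("@")
            if domain.lower() != LOCAL_DOMAIN:
                s.log.append("550 relay denied")    # domain check: always done
                continue
            if validate_local_part_at_rcpt and local.lower() not in LOCAL_USERS:
                s.log.append("550 no such user")    # reject now: nothing to bounce later
                continue
            s.rcpt_to.append(addr)
            s.log.append("250 OK")
        elif verb == "DATA":
            if not s.rcpt_to:
                s.log.append("554 no valid recipients")
                continue
            s.data = message
            s.log.append("250 queued")
    return s


def deliver(s):
    """Post-acceptance delivery; returns the bounces (DSNs) the receiver would emit."""
    bounces = []
    if s.data is None:
        return bounces
    for addr in s.rcpt_to:
        local = addr.partition("@")[0]
        if local.lower() not in LOCAL_USERS:
            if s.mail_from == "":
                continue        # null envelope sender: never bounce a bounce
            # Destination is the envelope sender, not the Reply-To: header, and
            # the bounce itself carries the null sender so it cannot be bounced.
            bounces.append({"envelope_sender": "", "to": s.mail_from, "failed": addr})
    return bounces


# Constructed spam: forged envelope sender, unrelated Reply-To:, invalid local part.
SPAM_MESSAGE = ("From: Someone <anyone@nowhere.example>\n"
                "Reply-To: other@elsewhere.example\n"
                "Subject: hello\n\nbuy stuff")
SPAM_SESSION = ["MAIL FROM:<victim@victim.example>",
                "RCPT TO:<nosuchuser@example.com>", "DATA"]


def naive_receiver():
    """Domain-only check at RCPT: message accepted, bounce hits the forged sender."""
    s = receive(SPAM_SESSION, SPAM_MESSAGE, validate_local_part_at_rcpt=False)
    return s, deliver(s)


def hardened_receiver():
    """Local-part check at RCPT: 550 during the session, no queue, no backscatter."""
    s = receive(SPAM_SESSION, SPAM_MESSAGE, validate_local_part_at_rcpt=True)
    return s, deliver(s)


if __name__ == "__main__":
    print("naive:", naive_receiver()[1])
    print("hardened:", hardened_receiver()[0].log)
```

Running the naive path produces one bounce addressed to victim@victim.example (the MAIL FROM value), regardless of what Reply-To: says; the hardened path answers 550 at RCPT TO, so the spammer's own connection gets the error and the only party who ever sees the message is the one who already knows the connecting IP address.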
