12 Comments

  1. Just now, I received my first non-error message e-mail. It was spam addressed to me, not a delivery error. Gee, I feel so special to actually receive some spam instead of being framed for sending it.

  2. Update: another 9641 spam messages returned to me. I now have a filter set up to isolate the messages that bounce back to me.

    At least initially, the e-mails were referencing sub-domains of OEMWX.COM and TABOODK.COM. I wondered who these kind persons were, so I checked the domain registrant info. Both were Yahoo accounts, which I’m sure are valid:

    Registrant:
    Manoj Kumar
    Navi Mumbai Mumbai, 400003, IN
    ENOM, INC.
    Domain Name: OEMWX.COM
    Created on: 14-dec-2005
    Expires on: 14-dec-2006
    Last Updated on: 17-dec-2005
    Administrative Contact:
    Kumar , Manoj
    [email protected]
    Navi Mumbai Mumbai, 400003,IN
    +91.02225438906

    Technical Contact:
    Kumar , Manoj
    [email protected]
    Navi Mumbai Mumbai, 400003,IN
    +91.02225438906

    Registry Status: REGISTRAR-LOCK
    Domain servers in listed order:
    NS1.OEMBZ.COM
    NS2.OEMBZ.COM

    TABOODK.COM
    Registrant:
    e-mail :
    August RITTER (RITTER4-BMN-PE) 1902 North Griffin Street 58501 Bismarck UNITED STATES fax:
    ONLINE SAS
    Domain Name: TABOODK.COM
    Created on: 23-dec-2005
    Expires on: 23-dec-2006
    Last Updated on: 23-dec-2005
    Administrative Contact:
    Technical Contact:
    August RITTER (RITTER4-BMN-PE),
    [email protected]

    Registry Status: ACTIVE
    Domain servers in listed order:
    CA.CABOCHONGH.COM
    GH.CABOCHONGH.COM

  3. domain: beststorediscount.com
    owner: Brion Benson
    organization: Benson and co. corp
    email: [email protected]
    address: 191 Timberhill Dr
    city: Canton
    state: NC
    postal-code: 28716
    country: US
    phone: +1 734 416-3284
    admin-c: [email protected]#0
    tech-c: [email protected]#0
    billing-c: [email protected]#0
    nserver: ns1.dnshostlink.com 220.173.103.6
    nserver: ns2.dnshostlink.com 221.11.134.35
    status: lock
    created: 2005-12-15 12:53:41 UTC
    modified: 2005-12-15 13:03:31 UTC
    expires: 2006-12-15 07:53:41 UTC
    source: joker.com live whois service
    query-time: 0.015056
    db-updated: 2005-12-26 16:58:30

  4. Still getting bounce-backs and still filtering out over 99% of them. I’m looking through some of the messages from where they were sent and to which sites they refer.

    Where email originates:
    telekomunikacja.pl, tpnet.pl

    Site referenced: http://www.mugest.com/pt/
    Domain hosting by: zj.chinamobile.com

    Site referenced: http://www.kerinn.net/pt/
    Resolves to 211.140.139.106
    Whois for 211.140.139.106 : [email protected]

    So, it looks like China is the source of my ill. Someone in China is trying to make a buck, I guess. And in the process sending me over 20,000 e-mail messages in 5 days. Can’t wait until the new e-mail system to replace SMTP is implemented so these guys will be looking for a new job.

  5. Well, I thought this problem may have been a temporary issue, but I’m still getting about 2000 e-mails per day. I’ve white-listed all of my legitimate addresses and I’m able to isolate all of the spam bounce backs, so it is not at all the headache it was.

    I did some reading on spamcop and found these bounce-back error messages are considered spam as well. The postmasters of the servers should be more considerate and not automatically send failed delivery messages to me when I didn’t send the messages originally. Users sending authentication messages to people who did not send them mail should look for a better solution as well. Glad to see there are some thoughts on how to resolve these problems in the future:
    http://www.spamcop.net/fom-serve/cache/329.html

  6. I’ve now added SPF records to my DNS server. Unfortunately, most mail servers are not using SPF, so there is little benefit to me at the moment. Generating the SPF records was easy; I did it by going to http://www.openspf.org/
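    The SPF check that a receiving mail server would run against a record like the one the comment above describes, as an added example that is not part of the original post or of any SPF tool. It evaluates the common mechanisms (ip4/ip6, a, mx, include, all, plus the redirect modifier) against a constructed zone table in place of live DNS; the domain names, addresses and records are all assumptions, and the `include` handling is simplified (only a "pass" of the included policy counts as a match).

```python
import ipaddress

# Constructed zone data standing in for real DNS answers (no network access).
# example.net plays the role of the domain whose name is forged in the spam.
ZONE = {
    ("example.net", "TXT"): ["v=spf1 mx a:relay.example.net include:_spf.provider.example -all"],
    ("example.net", "MX"): ["mail.example.net"],
    ("mail.example.net", "A"): ["203.0.113.10"],
    ("relay.example.net", "A"): ["203.0.113.20"],
    ("_spf.provider.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    ("softfail.example", "TXT"): ["v=spf1 ip4:192.0.2.1 ~all"],
}

RESULT_FOR = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return ZONE.get((name.lower(), rtype), [])


def host_addresses(name):
    return {ipaddress.ip_address(a) for a in lookup(name, "A")}


def check_spf(client_ip, domain, depth=0):
    """Evaluate the SPF policy of `domain` for a connection from `client_ip`.
    Returns pass, fail, softfail, neutral, none or permerror (RFC 7208 terms)."""
    if depth > 10:                      # include/redirect recursion limit
        return "permerror"
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    if not records:
        return "none"                   # domain publishes no policy
    if len(records) > 1:
        return "permerror"              # ambiguous: more than one record
    addr = ipaddress.ip_address(client_ip)
    redirect = None
    for term in records[0].split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term[len("redirect="):]
            continue
        if "=" in term:                 # other modifiers (exp=) are ignored
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # A bare address becomes a /32 or /128; a mismatched IP version
            # simply does not match.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = addr in host_addresses(arg or domain)
        elif mech == "mx":
            matched = any(addr in host_addresses(mx) for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            matched = check_spf(client_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"          # unknown mechanism
        if matched:
            return RESULT_FOR[qualifier]
    if redirect:
        return check_spf(client_ip, redirect, depth + 1)
    return "neutral"                    # no mechanism matched


def smtp_decision(result):
    """What the receiving MTA does with the result at MAIL FROM time. Refusing
    a hard fail inside the session means the error goes to the connecting
    client, and no bounce is ever generated to the forged sender address."""
    if result == "fail":
        return "550 5.7.1 SPF fail: client not authorized to send for this domain"
    return "250 2.1.0 Ok"
```

    With this zone, mail from the MX host, the named relay, or the provider's range passes, while a connection from any other address hits the trailing `-all` and is refused before the message body is even accepted. That is exactly the step the comment notes most receivers were not yet performing: the record only helps once the other side evaluates it.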

  7. I’ve been reading some more and the general theory for my domain being targeted for unsolicited bounces is that, because I reported spam to spamcop, I was targeted. SpamCop obscures the name and e-mail address of the person reporting, but the messages can contain unique information (such as picture names) that would show I was the intended recipient.

    So here is how it works: spammers send spam to a bunch of people. Those that report it to spamcop are among the few, so they are retaliated against by Unsolicited Bounces. If they continue to report, even more unsolicited bounces. To be allowed to send more spam, they target those that report.

    I can’t verify that this is factual, but that is my guess. My server appears to be getting more traffic the more spam I report. Too bad everyone doesn’t use SPF to ignore spoofed mail headers. Too bad the new and improved e-mail system to replace SMTP is still years away.

  8. You’re not alone…

    I’m currently receiving thousands of undeliverable, out-of-office and “your message is spam” responses from non-existent addresses also.

    Like you, the spammer is using random usernames at a handful of domains I admin (such as docs.com.au – which for some reason is always confused with docs.gov.au… I get these wonderfully sensitive reports on child abuse that I really wish didn’t get here!)

    Even domains that I don’t admin (aaledo.com.au and trainingaustralia.com.au) are getting them – yet a different username appears in the “To” field!

    Like you, I initially thought that it might be retaliation for using a spam reporting service. I was using Blue Security until they were crushed by repeated DDOS attacks. Now I’m using SpamCop.

    Then I realised: Aaledo.com.au and trainingaustralia.com.au weren’t part of my “protected addresses,” so I wasn’t reporting the Spam (1,000+ msgs per day) for this account.

    So I don’t know why the Spammers are picking on me or my domains; I just hope it stops soon!

  9. I think the root of the problem may have been that my catch-all e-mail address accepted all of the bounced messages, which allowed the spammers to send more messages as they didn’t have to deal with any bounces. I killed my catch-all e-mail addresses and set the unknown response to be “Fail: The sender is notified that the address doesn’t exist”. If the bounce occurs fast enough, it may push back to the original spammer IP and slow down the rate of spam deployment. Also, it may not make any difference at all to the spammer. Either way, killing my catch-all and bouncing back messages to invalid e-mail addresses solved my problem.
