
The Mysterious Unsent 'Bounced' E-mail

The subject line from the e-mail that just landed in your inbox indicates the message was returned because it could not be delivered. Upon closer inspection, the message -- hawking cheap designer watches -- doesn't look like any message you've ever sent. What's going on here? Is there a ghost in your machine? Has it been commandeered by criminals and enslaved as a spam zombie?

These are questions that I've been asked many times, and while I may not have a definitive answer, there may be a simple explanation for what's really happening with your e-mail account.

Spammers blast their junk mails out to millions of e-mail addresses that are usually purchased in bulk and/or scraped from various Web sites and forums. But some spammers also use those lists to fake or "spoof" the address in the "From:" field of each e-mail sent. That means that if they spoof your e-mail address in a message sent to an address that is no longer active, your inbox will receive the automated bounce-back reply explaining that the message could not be delivered.

Using regular old snail mail as an example may help readers best conceptualize what's happening in this case. Let's say Alice sends a letter through the U.S. Postal Service to Bob, but instead of writing her own return address on the back of the envelope, Alice puts Charlie's physical address there. If Bob no longer lives at the address to which Alice sent the letter (and the Post Office has no records of Bob's forwarding address), the Post Office will return the letter to Charlie. While Charlie didn't send the letter, the Post Office doesn't really know that - it only knows that Charlie's is the address listed as that of the sender.

By Brian Krebs  |  January 2, 2008; 11:15 AM ET
Categories: Fraud, From the Bunker
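Added example (editor's code, not Brian Krebs's or the Post's): a small Python triage script for a message like the one described above. It checks that what landed in the inbox is a real delivery-status report, pulls out the returned "original", and decides whether that original ever passed through your own mail server. The domain example.net, the relay host mail.example.net and both sample bounces are constructed for this example; the spoofed one carries a Message-ID and a Received: line from a host that is not yours, which is exactly what the spoofed-sender case above produces.

```python
import email

# Assumptions for this example: the domain we send from and the hosts that relay
# our outbound mail. A bounce is only "ours" if the returned original shows
# evidence of having passed through them.
OUR_DOMAIN = "example.net"
OUR_OUTBOUND_HOSTS = {"mail.example.net"}

# Constructed bounce: a multipart/report delivery-status notification (the
# standard bounce format) wrapping the undeliverable message. Note the empty
# Return-Path: bounces are sent with a null envelope sender so they themselves
# can never bounce. The wrapped "original" claims to be from alice@example.net
# but was injected from an unrelated host with a Message-ID we never issued.
BACKSCATTER = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@foo.example.com>
To: alice@example.net
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

This is the mail system at host foo.example.com.
Your message could not be delivered to one or more recipients.

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; foo.example.com

Final-Recipient: rfc822; bob@foo.example.com
Action: failed
Status: 5.1.1

--B1
Content-Type: message/rfc822

Received: from spambox.invalid (unknown [198.51.100.23]) by foo.example.com
Message-ID: <20080102.1234@spambox.invalid>
From: alice@example.net
To: bob@foo.example.com
Subject: cheap designer watches

buy now
--B1--
"""

# The same report, but wrapping a message that really did leave our server.
GENUINE = (BACKSCATTER
           .replace("spambox.invalid (unknown [198.51.100.23])",
                    "mail.example.net (mail.example.net [192.0.2.10])")
           .replace("@spambox.invalid>", "@example.net>"))


def is_delivery_report(msg):
    """True for a standard DSN: multipart/report with report-type=delivery-status."""
    return (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "delivery-status")


def original_message(msg):
    """Return the undeliverable original embedded in the DSN, or None."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def we_sent_it(original):
    """Look for evidence that the returned message passed through our servers:
    a Message-ID we would have generated, or one of our hosts in a Received line."""
    message_id = (original.get("Message-ID") or "").strip("<> ")
    if message_id.endswith("@" + OUR_DOMAIN):
        return True
    return any(host in line
               for line in original.get_all("Received", [])
               for host in OUR_OUTBOUND_HOSTS)


def classify_bounce(raw):
    """'backscatter' means someone else sent mail with our address on it."""
    msg = email.message_from_string(raw)
    if not is_delivery_report(msg):
        return "not-a-dsn"
    original = original_message(msg)
    if original is None:
        return "dsn-without-original"
    return "genuine-bounce" if we_sent_it(original) else "backscatter"


if __name__ == "__main__":
    for label, raw in (("spoofed", BACKSCATTER), ("ours", GENUINE)):
        print(label, "->", classify_bounce(raw))
```

A report whose returned original neither names one of your outbound hosts in a Received: line nor carries a Message-ID your server issued is backscatter: the remote server was handed a message with your address on it from somewhere else, and returning it to you was the only thing it could do. The empty Return-Path on the report itself is also worth knowing: bounces are sent with a null envelope sender precisely so that they cannot bounce in turn.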

Comments

So, does that explain why this latest batch of Storm Worms came with unlikely 'From' addresses? I got a lot of .gov & .edu crap.

Posted by: Keith Warner | January 2, 2008 11:34 AM | Report abuse

And then the next question, is there any good way to stop it from happening? Possibly not since it's impossible to control another's behavior, particularly someone you've never met before, but figured I'd ask.

Posted by: Anonymous | January 2, 2008 11:50 AM | Report abuse

What you have received is a bounce message.
What the article does not mention is that this only happens because of misconfigured email servers. A server should _never_ accept email for a non-existent user. Best practice is to reject this email. The difference between a rejection and a bounce is that a rejection means that the email is never sent. Bouncing emails for non-existent users is a relic of a simpler time on the internet and only remains because of lazy and/or ignorant system administrators. When you get a bounce, report it to your ISP as spam and send an email to abuse@ whatever domain the bounce came from, letting them know that you consider this spam and they need to fix their server. Be pleasant, they may not understand that they have an issue, and realize that 90%+ simply don't care.

Posted by: horosho | January 2, 2008 12:06 PM | Report abuse

Another component to this issue is email that superficially seems to be bounced or returned mail. But, on closer examination, the address actually isn't from a mail server at all. It's just another example of a phishing attack. Sometimes, the purported address is a good spoof, sometimes it's flagrantly bogus.

Posted by: slgrieb | January 2, 2008 12:25 PM | Report abuse

Will Mary please stop using my address! I've got lots of mail sent to me that I never sent!

Posted by: Charlie | January 2, 2008 12:37 PM | Report abuse

Another detail that we've been seeing lately is spammers "pairing" similar names in similar domains, perhaps in the hope that the spam will have a better chance of getting through. For example, an email would be sent to a bill.jones at an edu domain, with a spoofed address of a bill.johnson at a different edu domain.

Posted by: shrdlu | January 2, 2008 12:41 PM | Report abuse

If spammers are using my legitimate email address as the "from" address, does this mean that there are millions of people getting spam that looks like it has come from my business address -- thereby creating the possibility that my legitimate business email will be blocked?

Posted by: ken | January 2, 2008 12:55 PM | Report abuse

Dear Brian Krebs,

Many thanks for this information. I do appreciate it. Keep up the good work. Thanks.

Posted by: Akber A. Kassam. | January 2, 2008 1:14 PM | Report abuse

@horosho:

You've misunderstood the way that mail servers behave (per IETF specifications) and the way that spammers are using them. Email protocols were designed in an era when connections between servers were expensive and only active for short periods of time. Consequently, the email protocols were designed to be liberal in what they would accept, and to attempt to deliver mail regardless of how mangled it might be, and to provide the best information possible when unable to deliver a message.

Let's take Brian's example again in a little more detail (Alice sends a message to Bob@foo.com, with a return address to Charlie@bar.com). One of two things will happen: if Bob is a valid user at foo.com, then Bob will receive a spam message from Charlie@bar.com, otherwise the mail server at foo.com will send a bounce message to Charlie@bar.com. The mail server at foo.com may also do some spam checking; if so, it may choose to report the spam by sending a message to Charlie@bar.com. That is correct behavior per the Simple Mail Transport Protocol (SMTP).

Unfortunately it means that a single spam message can generate several useless messages reporting on the network's inability to deliver a mislabeled message.

@Ken:

Yes, that's happening today (and has been happening for more than a decade). There are several proposals for advertising 'legitimate' mail servers, but they all require that receiving mail servers be changed to only accept mail from the advertised 'good' servers, and that takes time to implement.

Posted by: W Craig Trader | January 2, 2008 1:19 PM | Report abuse

To Horosho...
Email servers that do not accept email to non-existent users (reject messages immediately instead of following up with a bounce message) are vulnerable to what is called a Directory Harvest Attack. Once a spammer knows that your email server issues an immediate rejection on bad addresses, that spammer can then send thousands of messages to random people at your domain, knowing the email server will diligently tell him/her which ones are valid, and which ones are not.

The bounce approach is actually more secure, and is fairly common. Reacting to a bounce message with a complaint might not be the best approach.

Posted by: Dean | January 2, 2008 1:26 PM | Report abuse

To Ken; the answer is probably yes.
You can take steps to prevent spoofed emails from your domain however by utilizing DomainKey or SPF standards on YOUR mail (and DNS) servers. Basically these technologies publish publicly readable records that identify those mail servers on the Internet that are REALLY allowed to send email purporting to be from your domain.
While not all servers check this; many do - and those that do will refuse to accept any email saying it's from your domain unless the machine it's coming from is listed as an authorized sender. Attempted SPOOFs to any machine that checks DK/SPF will fail if the domain they're trying to SPOOF has published DK/SPF records.

For those mail servers that don't support DK or SPF you can legitimately argue that their mail services are broken/outdated and any spam delivered via them is THEIR fault for not utilizing these standards that have been around for years.

Posted by: ChrisB | January 2, 2008 1:29 PM | Report abuse
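The SPF half of what ChrisB describes, as an added example in Python (editor's code, not from the post or any of the commenters). The records in FAKE_DNS_TXT and FAKE_DNS_A are constructed stand-ins for real DNS lookups, the domain names are placeholders, and the evaluator covers only the ip4, ip6, a, include and all mechanisms. DomainKeys, the other standard mentioned, works by signing messages rather than listing hosts and is not modelled here.

```python
import ipaddress

# Constructed DNS data standing in for live lookups. TXT holds each domain's
# SPF policy; A records back the "a" mechanism. All names are placeholders.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 a:mail.example.com "
                   "include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "nospf.example": None,      # a domain that never published a policy
}
FAKE_DNS_A = {"mail.example.com": ["203.0.113.25"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain):
    return FAKE_DNS_TXT.get(domain)


def lookup_a(domain):
    return FAKE_DNS_A.get(domain, [])


def check_spf(sender_ip, domain, depth=0):
    """Simplified SPF evaluation: does `domain` authorize `sender_ip` to send on
    its behalf? Returns pass, fail, softfail, neutral, none or permerror.
    Covers the ip4, ip6, a, include and all mechanisms only."""
    if depth > 10:                       # loop guard for include: chains
        return "permerror"
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                    # nothing published: a checker cannot help
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):     # an IPv4 address is never "in" an IPv6 block
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = any(ip == ipaddress.ip_address(a) for a in lookup_a(arg or domain))
        elif name == "include":          # include matches only on an inner "pass"
            matched = check_spf(sender_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"           # mx, ptr, exists ... not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # ran off the end with no "all" term


def receiver_action(result):
    """What a checking server typically does with each outcome."""
    if result == "fail":
        return "reject"                  # the domain says this host may not send for it
    if result in ("softfail", "permerror"):
        return "accept-and-flag"
    return "accept"                      # pass, neutral, none


if __name__ == "__main__":
    for ip in ("192.0.2.77", "203.0.113.25", "2001:db8::1", "10.0.0.1"):
        r = check_spf(ip, "example.com")
        print(f"{ip:>14} claims example.com -> {r:<8} -> {receiver_action(r)}")
    print("nospf.example from 10.0.0.1 ->", check_spf("10.0.0.1", "nospf.example"))
```

Run against example.com, the policy passes the hosts it lists directly or via include: and fails everything else, which is the "attempted spoofs will fail" case above; nospf.example returns none, the "domain that never published records" case, where a checking receiver has nothing to go on and must accept the message on other grounds.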

An important clarification that is overlooked here: the "From:" field that is the cause of the bounces is not the "From:" field you see in the message header.

SMTP handles the sender and recipient addresses of an email outside the message text itself. A typical plain SMTP conversation looks like this (the messages with numeric prefixes are from the server; the other messages are from the client):

220 SMTP server ready
HELO local.domain.name.example.net
250 Go ahead client
MAIL FROM: sender@example.net
250 Ok
RCPT TO: recipient@example.com
250 Ok
RCPT TO: other@example.org
250 Ok
DATA
354 Send message; terminate with .
From: whomever@whatever.example.org
To: whomsoever@anywhere.example.net
Subject: a message

message body
.
250 Ok, message queued
QUIT
221 Bye now

The From: and To: headers are purely advisory and don't govern the message delivery at all. This is why it is possible to Bcc people; the actual recipient addresses are exchanged using RCPT TO: commands in the SMTP exchange, and can be omitted from the message header. The addresses in MAIL FROM: and RCPT TO: are referred to as the "envelope sender" and "envelope recipient" addresses, respectively, and are the messages that actually govern the message's disposition. In the above example, the envelope sender is sender@example.net--this is the address that bounces will go to; there are two recipients: recipient@example.com and other@example.org.

With many mail servers, you can see what the actual envelope sender is by examining the complete message source and looking for a Return-Path header at the top; many mail servers populate this header with the envelope sender address upon delivery. The envelope recipient may not be in the message at all but it may be logged in Received: headers. Note that if you have aliases for your email address, you don't necessarily know what the envelope recipient was unless it is otherwise logged.

Note from the conversation above that there are multiple points at which to refuse mail. Mail servers that are using IP blacklists (see spamhaus.org) may refuse mail right at the beginning with HELO, or any time later. An earlier poster said that mail servers that refuse mail to nonexistent recipients are giving away information about which addresses are valid; this is not strictly true. It is commonplace for mail servers to go through the entire transaction and then refuse in response to the . at the end of the message data (above, where the response is "250 Ok, message queued"). This leaves the sender with no information as to why the message is being refused--it could be SPF doesn't allow the sender address; it could be a blacklist; it could be one of the recipient addresses is invalid, it could be that the sender address domain is unresolvable, or it could even be that the message body triggered a spam filter.

In any case, accepting mail you intend to bounce later is *not* a best practice. If you accept mail for invalid recipients, the best practice is to throw it away if you haven't done something to validate the sender address (e.g. SPF). Otherwise you are bouncing messages back to people who didn't send them.

Note also that bounce messages may originate for valid recipients, e.g. if the recipient's mailbox quota is exceeded. Typically the mail server will hold the inbound message in a queue for some period to give the recipient time to get back under quota, and send a bounce only when that grace period has expired.

Posted by: antibozo | January 2, 2008 2:01 PM | Report abuse
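An added example (editor's code, not antibozo's) that plays the server side of the conversation quoted above in Python, so the points in that comment can be exercised: the envelope addresses come from MAIL FROM and RCPT TO while the From: and To: headers are only copied into the stored message; the refusal of an unknown recipient can be deferred to the final "." with a single uninformative 550; and the alternative of accepting and quietly discarding the copy for the unknown mailbox never produces a bounce. The domain list, the one valid mailbox, the policy names and the trace-header format are constructed for this example; a real server puts far more into its Received: lines.

```python
import re

# Constructed configuration: domains this server accepts mail for and the
# mailboxes that really exist. Any other local address is an invalid recipient.
LOCAL_DOMAINS = {"example.com", "example.org"}
VALID_MAILBOXES = {"recipient@example.com"}
ADDR_RE = re.compile(r"<?([^<>\s]+@[^<>\s]+)>?")


def parse_addr(arg):
    """Pull the address out of a 'FROM: a@b' or 'TO:<a@b>' argument."""
    m = ADDR_RE.search(arg)
    return m.group(1) if m else None


class SmtpSession:
    """Server side of one SMTP transaction. policy='reject' refuses the whole
    message at the final '.'; policy='discard' accepts it and silently drops the
    copies addressed to unknown mailboxes. Neither ever generates a bounce."""

    def __init__(self, policy="reject"):
        self.policy = policy
        self.helo = None
        self.envelope_from = None      # MAIL FROM: where a bounce would go
        self.envelope_to = []          # RCPT TO: the real recipients
        self.in_data, self.data_lines = False, []
        self.delivered = {}            # mailbox -> stored message text

    def handle(self, line):
        """Feed one client line; return the reply, or None while inside DATA."""
        if self.in_data:
            if line != ".":
                self.data_lines.append(line)
                return None
            self.in_data = False
            return self._end_of_data()
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            self.helo = arg.strip()
            return "250 Go ahead client"
        if verb == "MAIL":
            self.envelope_from = parse_addr(arg)
            return "250 Ok"
        if verb == "RCPT":
            addr = parse_addr(arg)
            if addr is None or addr.rsplit("@", 1)[-1] not in LOCAL_DOMAINS:
                return "554 Relay access denied"   # not an open relay
            self.envelope_to.append(addr)          # accepted even if unknown: no hint yet
            return "250 Ok"
        if verb == "DATA":
            self.in_data, self.data_lines = True, []
            return "354 Send message; terminate with ."
        if verb == "QUIT":
            return "221 Bye now"
        return "500 Command not recognized"

    def _end_of_data(self):
        """The delivery decision is made here, after the whole message arrived."""
        unknown = [a for a in self.envelope_to if a not in VALID_MAILBOXES]
        if unknown and self.policy == "reject":
            return "550 Message rejected"   # one reply for every reason: nothing leaked
        for mailbox in set(self.envelope_to) & VALID_MAILBOXES:
            # Trace headers added on delivery: Return-Path carries the envelope
            # sender, Received records the HELO name and the envelope recipient.
            trace = [f"Return-Path: <{self.envelope_from}>",
                     f"Received: from {self.helo} for <{mailbox}>"]
            self.delivered[mailbox] = "\n".join(trace + self.data_lines)
        return "250 Ok, message queued"


def run_session(client_lines, policy="reject"):
    """Drive one session from a list of client lines; return (session, replies)."""
    session, replies = SmtpSession(policy), ["220 SMTP server ready"]
    for line in client_lines:
        reply = session.handle(line)
        if reply is not None:
            replies.append(reply)
    return session, replies


def header_value(message_text, name):
    """Value of the first header called `name` in a stored message."""
    for line in message_text.split("\n"):
        if line.lower().startswith(name.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return None


# The client half of the conversation quoted in the comment above.
QUOTED_CLIENT = ["HELO local.domain.name.example.net",
                 "MAIL FROM: sender@example.net",
                 "RCPT TO: recipient@example.com", "RCPT TO: other@example.org",
                 "DATA", "From: whomever@whatever.example.org",
                 "To: whomsoever@anywhere.example.net", "Subject: a message",
                 "", "message body", ".", "QUIT"]

if __name__ == "__main__":
    print("\n".join(run_session(QUOTED_CLIENT)[1]))   # 550 at the "." (other@ unknown)
    stored = run_session(QUOTED_CLIENT, "discard")[0].delivered["recipient@example.com"]
    print(header_value(stored, "Return-Path"), "vs", header_value(stored, "From"))
```

Running it prints the replies to the quoted transcript, ending in a 550 at the "." because other@example.org is not a mailbox here, and then, under the discard policy, the stored copy's Return-Path (`<sender@example.net>`, the envelope sender, where any bounce would have gone) next to its From: header (`whomever@whatever.example.org`), the two addresses the comment says are so easily confused.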

I used to get annoyed when my easily-mangled-into-something-unprintable real name was abused. Come to find out that Spammers are too stupid to realize the obvious and spoof my name on a regular basis. Organized Crime needs better English tutors or there is no future in it ;)

Posted by: GTexas | January 2, 2008 2:03 PM | Report abuse

I recently changed my E Mail address to get away from the spammers, but they are at it again

Surely there is a Gov agency that can track down these mongrels and put them out of business.

It seems completely unlikely they can remain anonymous...tell me
gpl3@dodo.com.au

Posted by: Charles French | January 2, 2008 2:39 PM | Report abuse

The others have given some great technical explanations, so I'll just jump in with two terms to help you search deeper:

When Alice puts Charlie's return address on a piece of spam, that is called a "joe job". This is (I swear to God, and I was "there") because the first Charlie was named "Joe". (Google the archives of the news.admin.net-abuse.email group.)

The bounces that you get from a joe job are called "backscatter".

Posted by: Jay Levitt | January 2, 2008 3:25 PM | Report abuse

We send out this letter, regarding these "Virtual Viruses".

Dear user,

First, thanks for the attention you're paying to your e-mail. Vigilance of users is the first line of good mail security.

As you know, we live in a world where viruses can attack us in many ways. Although the County e-mail system is protected 100% from all known and probably all unknown virus attacks, what you are experiencing is what we call a "virtual virus". Essentially, it has effects similar to a real virus in many ways, but you (or your mailbox, or your mail server) are not actually infected. Here is how this happens:

1. There are many viruses in the wild that will infect a machine and read that machine's address book.

2. These viruses then create e-mail messages using the addresses it has found as both the sender *and* the recipient. That is, the virus populates both the "to" and the "from" fields with addresses it got from the machine's address book.

3. These viruses then send out these e-mail messages, and the Internet tries its best to deliver the messages to the appropriate e-mail server.

4. If the appropriate e-mail server has virus protection, or good policies blocking certain forms of attachments, the receiving e-mail server will say "Nope, we don't want this message". At this point the message is either deleted *or* sent back to the sender of the message -- and here is where it gets annoying!!!!

5. When you address a letter for the U.S. post office, and put the return address label on, nothing stops you from saying the message was sent from your neighbor's house instead of yours -- if the USPS can't deliver the letter they will return it to YOUR NEIGHBOR'S house instead of yours. The same is true with e-mail -- when the server sends it back, it goes to the person listed in the "FROM" field, which as described above is just some poor soul who had his address in the infected computer's address book! As a result, a person whose machine is NOT infected gets a message from a legitimate server saying "The message you sent was infected" or "We block these messages because they are bad" or something like that. This of course causes all sorts of strife with the user and his/her mail administrator, as they try to determine where the infection is.

The reality is the person getting the reply message is NOT infected, their address is just in some infected computer's address book. It is literally impossible to track these down.

So you see, it is truly a virtual virus -- You get all the hassle of messages from servers saying you sent a bad message, in fact you might even get nasty phone calls from people who get infected and blame you, but you yourself are actually NOT infected.

How can we guard against this? We can't! :-(. We could block all non-delivery reports so you don't get the messages from servers saying you sent a bad message, but then you will never know if you have problems sending a LEGITIMATE message, or if you are blocked for some other reason. You could never give your e-mail address out to anyone, but then they'll never mail you :-). You could verify that everyone you ever come into contact with has up to date virus protection and practices safe computing, but the County has not been able to achieve this with a KNOWN population, so your chances are glum here.

The only sane course of action that defeats the purpose of the virus is to delete the message if it is not one you sent and get on with your life. This minimizes your stress and also the pleasure the virus maker gets from this sort of activity.

Thank you for taking the time to read all of this, and if you have any further questions or concerns, please let helpIT know.

Sincerely,

John Van Eck
Network Administrator
Montgomery County Government

Posted by: John Van Eck | January 2, 2008 4:00 PM | Report abuse

@WCT: all true but you need machines to send the mail out and you need servers to forward it. Open proxies aren't what they used to be. The only reasonable (and right now it's more than reasonable) way to proliferate all this junk is through zombie Windows PCs. Take Windows off the market and spam ceases to be the lucrative enterprise it is today.

Posted by: Rick | January 2, 2008 4:38 PM | Report abuse

How about the "oldie" to thwart address books being harvested? Just type AAAA starting off the address book with no email address listed?
Just a thought

Posted by: Byronic | January 2, 2008 7:25 PM | Report abuse

Ah. That explains things. Been getting IMs like that for the last 4 days, asking if I sent some link, or another. Notified Yahoo, but they sent a "Sorry, but we can't do anything" reply.

Posted by: mikeinportc | January 2, 2008 7:53 PM | Report abuse

Charles French recently changed his email address to get away from spam and bemoans the fact that he is getting it again.

But then he breaks the cardinal rule and publishes his email address in an open forum where the spambots can find it.

No wonder you get lots of spam, Charles.

Posted by: Ian from Oz | January 3, 2008 1:39 AM | Report abuse

Thanks for explaining this problem to the general public.

There is a lot of discussion on the net regarding bounces.

I am on the side that says today's world no longer requires bounces because it generates too much unwanted traffic.

At my company we daily get tens of thousands of messages to impossible recipient addresses (dictionary attacks, etc.). I have the mail server throw them away in order to save bandwidth and mail server processing.

Posted by: IT Guy | January 3, 2008 9:16 AM | Report abuse

lol@charles, silly french

Posted by: Anonymous | January 3, 2008 9:16 AM | Report abuse


After finding 80 "returned/failed" email messages in a week, I changed my email password and they stopped. I will be more diligent about updating my email password in the future to keep this from happening again. Comcast took the information about this problem, but had no suggestions other than to change your email password.

Posted by: meganbaltimore | January 3, 2008 1:04 PM | Report abuse

I have received similar bounce-backs in the past. I have always interpreted them as being a clever tactic by Spammers to circumvent spam filters. Many spam filters will deliver bounce-backs to your inbox.

Posted by: Kyle L. | January 4, 2008 5:06 PM | Report abuse

What about slobs like me who sometimes mistype the mail-to address (or use the wrong one because my address book is out of date)? The bounce back is my only signal that I screwed up and I need to fix it.

Posted by: Solo Owl | January 6, 2008 9:53 PM | Report abuse

I am one of those diligent people that forward each of the phishing e-mails to the legitimate company that is being taken advantage of.

Imagine my surprise that when I went to the Citizens Bank online site to report the fraud e-mail, I find three different e-mail addresses, two of which (ironically in the Fraud prevention area) do not even work.

I then took the step of contacting them via their Contact Us form on the site. I received a form letter promising me they would follow up.

I then took the extra step of calling them up and navigating their call menu until I was able to reach a live human. I demonstrated over the phone where their web pages needed updating (how to get to each one from the main page) to solve the problems.

It boggles my mind that these pages are not fixed _months_ later.

The "good" URL for reporting Citizens bank fraud e-mail:
http://www.citizensbank.com/security/security.aspx

The "bad" URLs for reporting Citizens bank fraud e-mail:
http://www.citizensbank.com/security/fraud.aspx (email address in the link bounces)
http://www.citizensbank.com/security/default.aspx (malformed mailto: link)

I do not have a Citizens Bank account,
and based on this, I probably never will.

Dan Dawson
naD noswaD (to my friends)

Posted by: Dan Dawson | January 6, 2008 11:12 PM | Report abuse


© 2010 The Washington Post Company