Kuro5hin.org: technology and culture, from the trenches

Advice Sought: Dealing with Spam Bounces/DDoS

By ewhac in Internet
Mon Feb 03, 2003 at 09:56:41 AM EST
Tags: Round Table (all tags)
Round Table

There are many HOWTOs and expository texts on how to protect your users against unwanted spam, as well as how to secure your server against relay rape by spammers. But what do you do if your server becomes flooded with bounce messages because someone decided to forge your domain in the From: header?

A friend of mine has their domain hosted on a low-cost domain farm. They provide Web space, CGI support, limited UNIX shell access, and POP/IMAP email boxes for a tiny amount of money. You can create as many mailboxes/usernames as you wish, and you can also elect to accept email addressed to any username, which will be deposited in a single "catch-all" mailbox. This last feature was enabled by my friend, so they could create and use "disposable" email addresses and track who might be selling their address to spammers.

At approximately 11:00 local time, someone started flooding the net with a spam-like message advertising a pr0n site. For the From: address, the spammer supplied random usernames at my friend's domain, <random_junk>@suckerpunch.com (Note: not actual domain name). Because my friend enabled the "catch-all" option, they have received over fifteen thousand bounce messages so far, with no end in sight. They are currently deleting them all by hand.

Mercifully, the payload of the spam was very brief -- only a couple of lines of text, with no viruses. However, multiplied by several thousand, it quickly becomes a difficult mess. Further, the spamvertised Web site doesn't exist, and apparently never did. DNS and whois lookups for the domain return nothing. This suggests that the bounce flood is not spam gone bad, but rather a malicious DDoS attack against my friend's domain.

Analyzing the message's headers in the bounce replies suggests that the miscreant is using a large constellation of open relays to mount their attack, so submitting the messages to spamcop.net may be of dubious utility. In the meantime, my friend's catch-all mailbox is filling up with alarming speed. Deleting or shutting off the catch-all box is problematic, though: they actually do receive legitimate email there from time to time. Also, shutting it off would magnify the network load by generating even more bounces.


  • Can anything be done to stem the flow of bounces, or can they only batten down the hatches and weather out the storm?
  • How long can such an attack be expected to last?
  • Should the faked messages still be sent to SpamCop.net, given the large number of relays apparently used?
  • Should the catch-all option be shut off, even though it will magnify the network traffic?
  • Is there any realistic hope of catching the perp?
  • Any other relevant advice for my friend?

(This is a re-submission of an earlier, briefly-submitted story. My friend provided me with additional facts on the matter, which demanded a re-write.)






Advice Sought: Dealing with Spam Bounces/DDoS | 41 comments (39 topical, 2 editorial, 0 hidden)
Get in contact with your host (4.00 / 4) (#2)
by Talez on Sun Feb 02, 2003 at 10:26:31 PM EST

Is it the same message?

Just apply a filter to the blabberbath and delete the spam messages.

Even if it's a few different messages it shouldn't take more than a few minutes to filter out the text from the body and kill the message.

Si in Googlis non est, ergo non est

Easy. (1.26 / 19) (#3)
by Noam Chompsky on Sun Feb 02, 2003 at 11:02:02 PM EST

1. Uncomment experimental 'Delete' key source.
2. Recompile Gnu/kernel.
3. ??
4. Profit!

Faster, liberalists,

Filter out the bounces (3.85 / 7) (#4)
by seeS on Sun Feb 02, 2003 at 11:13:27 PM EST

There's got to be something in the email that is common. Filter that out and you'll be right.
Where's a policeman when you need one to blame the World Wide Web?
Redirect all the emails to a file (4.66 / 3) (#5)
by coljac on Sun Feb 02, 2003 at 11:36:24 PM EST

Redirect all the incoming email to a file and then you can run it through a script to sanitize it in a week when it all dies down.

Can your friend set up a .forward file? I guess putting

| cat >> ~/allmail.txt

in the .forward ought to do the trick. Am I wrong? Or just wait a week and then sanitize the /var/spool/mail file.

Whether or not life is discovered there I think Jupiter should be declared an enemy planet. - Jack Handey

.forward (none / 0) (#31)
by haflinger on Tue Feb 04, 2003 at 07:42:50 AM EST

This only works for email that's actually delivered. What you want to dump in the bit bucket are the bouncing emails.

Did people from the future send George Carlin back in time to save rusty and K5? - leviramsey
[ Parent ]
I don't think so (5.00 / 1) (#34)
by coljac on Tue Feb 04, 2003 at 12:02:10 PM EST

What's the difference between an incoming email and an incoming bounce message (in the form of email)?

Whether or not life is discovered there I think Jupiter should be declared an enemy planet. - Jack Handey
[ Parent ]

You are correct. (none / 0) (#35)
by haflinger on Tue Feb 04, 2003 at 06:31:30 PM EST

I am sorry, I was brainfried :)

Did people from the future send George Carlin back in time to save rusty and K5? - leviramsey
[ Parent ]
Mail corruption (none / 0) (#38)
by piranha jpl on Fri Feb 07, 2003 at 12:45:31 PM EST

So, what happens when two mail deliveries are attempted? Two processes can try appending to the same file at the same time. This could (will?) result in mail corruption.

The solution:

  1. Make a Maildir:

    $ mkdir -p Maildir/{new,cur,tmp}
    $ chmod 2700 Maildir/{,{new,cur,tmp}}

  2. Set up procmail to deliver arbitrary mail to this Maildir:

    $ cat > ~/.procmailrc << EOF
    # assumed contents: the trailing slash makes procmail deliver in Maildir format
    DEFAULT=\$HOME/Maildir/
    EOF

  3. Tell your MTA to use procmail for deliveries:

    • Sendmail, Exim, others:

      $ echo '|/usr/bin/procmail' > .forward

    • qmail:

      $ echo '|/var/qmail/bin/preline /usr/bin/procmail' > .qmail

  4. Now let's say you want to use your messages in mbox format. Make sure mail isn't being delivered to your Maildir by renaming it, then do:

    # formail prepends the "From " separator line that each mbox message needs;
    # a plain cat of the files would not produce a valid mbox
    $ for f in Maildir-tmp/{cur,new}/*; do formail < "$f"; done > mbox

- J.P. Larocque
- Life's not fair, but the root password helps. -- BOFH

[ Parent ]
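A Python version of the race-free delivery and of the Maildir-to-mbox step, added here as an example and not taken from the comment above: the standard library's mailbox.Maildir writes into tmp/ and then moves into new/ under a unique name, so two simultaneous deliveries cannot interleave the way two appends to one mbox file can, and mailbox.mbox writes the "From " separator that a plain cat of the Maildir files leaves out. The messages are constructed and the paths are temporary.

```python
"""Race-free delivery into a Maildir, then a correct Maildir -> mbox conversion.

Added example (not from the thread). Standard library only; the messages are
constructed here, whereas in real use they arrive from the MTA.
"""
import mailbox
import os
import tempfile
from email.message import EmailMessage


def make_bounce(n: int) -> EmailMessage:
    """Construct a sample bounce-like message (constructed test data)."""
    msg = EmailMessage()
    msg["From"] = "MAILER-DAEMON@relay.example"
    msg["To"] = f"user{n}@suckerpunch.example"
    msg["Subject"] = "Undelivered Mail Returned to Sender"
    msg.set_content(f"Delivery failed for message {n}.\n")
    return msg


def deliver(maildir_path: str, msg: EmailMessage) -> str:
    """Deliver one message into a Maildir and return its unique key.

    mailbox.Maildir writes into tmp/ under a unique name and then renames the
    file into new/, so concurrent deliveries never corrupt each other.
    """
    md = mailbox.Maildir(maildir_path, create=True)
    return md.add(msg)


def maildir_to_mbox(maildir_path: str, mbox_path: str) -> int:
    """Copy every Maildir message into an mbox, adding the 'From ' separator.

    Returns the number of messages copied.
    """
    md = mailbox.Maildir(maildir_path)
    mb = mailbox.mbox(mbox_path)
    mb.lock()  # mbox is a single shared file, so it needs a lock
    try:
        count = 0
        for key in sorted(md.keys()):
            mb.add(md[key])  # converted to an mboxMessage with a From_ line
            count += 1
        mb.flush()
    finally:
        mb.unlock()
        mb.close()
    return count


def demo(n: int = 5) -> tuple[int, int, int]:
    """Deliver n messages, convert them, and return
    (messages in Maildir, messages copied, 'From ' separators in the mbox)."""
    with tempfile.TemporaryDirectory() as work:
        md_path = os.path.join(work, "Maildir")
        for i in range(n):
            deliver(md_path, make_bounce(i))
        delivered = len(mailbox.Maildir(md_path))
        mbox_path = os.path.join(work, "mbox")
        copied = maildir_to_mbox(md_path, mbox_path)
        with open(mbox_path, "rb") as fh:
            separators = sum(1 for line in fh if line.startswith(b"From "))
    return delivered, copied, separators


if __name__ == "__main__":
    print(demo())  # (5, 5, 5)
```

The three numbers agree because mailbox.mbox emits one separator per message; the same conversion done with cat would give a mbox with zero separators, which most readers would treat as a single giant message.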
I wonder if... (2.25 / 4) (#7)
by MickLinux on Mon Feb 03, 2003 at 02:06:15 AM EST

... Suppose you found the owner of the pr0n site, using www.dnsstuff.com?

Then you instituted a lawsuit [especially if you have anything to do with Virginia law] against that company or individual? Make sure to make the lawsuit for enough that you can require a jury trial.

At that point, it is up to the owner of the pr0n site either to hand over his spammer(s), or else to pay for the damages himself.

Further, his computers might be seizable as evidence.

Most likely, I expect the pr0n site will be based in [or owned by a company based in] America. Things get more complicated if, for example, it's truly based in Hungary.

Just a thought.

I make a call to grace, for the alternative is more broken than you can imagine.

You didn't read to the bottom (4.00 / 2) (#9)
by gazbo on Mon Feb 03, 2003 at 04:32:00 AM EST

The site doesn't exist and there are no DNS records. That is why he suspects it is a DoS.

Topless, revealing, nude pics and vids of Zora Suleman! Upskirt and down blouse! Cleavage!
Hardcore ZORA SULEMAN pics!

[ Parent ]

Use procmail (5.00 / 9) (#8)
by rf0 on Mon Feb 03, 2003 at 02:26:57 AM EST

If all the spams have the same subject line do something like

:0
* ^Subject:.*<subject line>.*
/dev/null

in your ~/.procmailrc. If you want any more help drop me an email

a2b2.com - Stable, Friendly Decent Hosting

extra (3.50 / 2) (#21)
by spottedkangaroo on Mon Feb 03, 2003 at 12:49:16 PM EST

pretty sure you don't need those hungry .*'s on either side... I think they're implied

[ Parent ]
Some Answers (4.80 / 5) (#10)
by The Turd Report on Mon Feb 03, 2003 at 07:38:41 AM EST

Can anything be done to stem the flow of bounces, or can they only batten down the hatches and weather out the storm?

Well, as long as the spammer is using those return addresses, you will get the bounces. You can go after the sender and make them stop, if you want to be sure it stops.

How long can such an attack be expected to last?

For as long as the spammer uses the domain. Depending on how the spam is being sent, it might take up to a week, or more, to clear out all the mail queues. I would guess that the brunt of the attack will go on for 2-3 days.

Should the spam still be sent to SpamCop.net, given the large number of relays apparently used?

Yes. Admins need to be made aware of their security issues. Someone has to complain.

Should the catch-all option be shut off, even though it will magnify the network traffic?

*shrug* I dunno...

Any other relevant advice for my friend?


I hope this helps

Related problem (4.00 / 3) (#11)
by Simon Kinahan on Mon Feb 03, 2003 at 08:32:41 AM EST

I've had a similar problem on a smaller scale over the last few weeks. I have an account with an ISP that gives you a domain name and lets you configure the email addresses as you please. Although I only use one or two addresses (and that is all I've ever used), some spammer has been sending copies of some pr0n advert to what look like real addresses but aren't on my host. This is irritating.

I've noticed that the URLs in the spams point straight to an IP address, which does not reverse resolve correctly (presumably deliberately). I wonder if this is the same person, and they're just bombing random addresses at every host they can find? Does anyone more clueful than I about internet things know how to find out who owns an IP?


If you disagree, post, don't moderate

Find owner of IP address (5.00 / 2) (#13)
by Afty on Mon Feb 03, 2003 at 09:40:22 AM EST

or for Europe

You can find out which ISP owns the IP, and often ISPs will put their customer details in there if it's colocated space or a leased line.

[ Parent ]

samspade.org (5.00 / 2) (#15)
by QuickFox on Mon Feb 03, 2003 at 10:52:32 AM EST

To find who owns a domain or IP address, www.samspade.org is very easy to use, you don't need to know anything about this stuff, just type a domain name or IP address in the topmost text field.

If SamSpade can't find the owner for you by itself, it may mention a registrar where you can look for a domain name. Go to the registrar and look for a "whois" textbox or a link to a "whois" page. But registrars only handle domain names, not IP addresses.

Checking like this, if you can't find the owner of the IP address, you may instead find their ISP. If you explain to their ISP, perhaps they'll investigate and try to help. If they don't, you might try to find their upstream ISP and see if they will help you. If it's a big and serious attack you'll probably get help, but if it's small, well, they have a lot of work to do. It depends.

I've noticed that the URLs in the spams point straight to an IP-address, which does not reverse resolve correctly (presumably deliberately).

Note that some of the "Received" headers at the beginning (at the bottom) may be faked. But they can't all be faked. The later ones (topmost) are real.

Give a man a fish and he eats for one day. Teach him how to fish, and though he'll eat for a lifetime, he'll call you a miser for not giving him your fi
[ Parent ]
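The point about Received headers can be made mechanical. The following added example (not code from the thread) parses a constructed message top-down and stops at the first Received line that was not written by one of our own servers; the line just above that boundary is the only one whose "from" address we observed ourselves, and that is the address worth putting in an abuse report. TRUSTED_HOSTS and the host names in the sample are hypothetical.

```python
"""Walk a message's Received: chain top-down and stop at the first untrusted hop.

Added example, not from the thread. Assumes the MTAs we operate are listed in
TRUSTED_HOSTS (hypothetical names); the sample message is constructed.
"""
import email
import re
from email import policy

TRUSTED_HOSTS = {"mx.suckerpunch.example"}  # hypothetical: the servers we run

# Constructed sample: our MX took the message from an open relay; the two
# lower Received lines were written by other machines and could be forged.
SAMPLE = b"""Received: from relay.open-relay.example (relay.open-relay.example [192.0.2.10])
\tby mx.suckerpunch.example (Postfix) with ESMTP id ABC123
\tfor <random42@suckerpunch.example>; Mon, 3 Feb 2003 11:02:00 -0500
Received: from innocent.example (innocent.example [198.51.100.7])
\tby relay.open-relay.example with SMTP id XYZ
Received: from totally.legit.example (legit.example [203.0.113.99])
\tby innocent.example with SMTP
From: MAILER-DAEMON@innocent.example
To: random42@suckerpunch.example
Subject: Undeliverable

your mail bounced
"""

HOP_RE = re.compile(
    r"\bfrom\s+(?P<helo>\S+)(?:\s*\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>\S+)"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw: bytes) -> list:
    """Return one dict per Received line, in header order (newest first)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # unfold and squeeze whitespace
        m = HOP_RE.search(flat)
        info = (m.group("info") or "") if m else ""
        ip = IP_RE.search(info)
        hops.append({
            "helo": m.group("helo") if m else None,
            "ip": ip.group(1) if ip else None,          # address as seen by 'by'
            "by": m.group("by").rstrip(";,") if m else None,  # server that wrote the line
            "raw": flat,
        })
    return hops


def untrusted_boundary(hops: list, trusted=TRUSTED_HOSTS) -> int:
    """Index of the first Received line written by a server we do not run.

    Everything from that index downward is unverifiable: any host in the chain
    can insert arbitrary Received lines below its own.
    """
    for i, hop in enumerate(hops):
        if hop["by"] not in trusted:
            return i
    return len(hops)


def reportable_ip(raw: bytes, trusted=TRUSTED_HOSTS):
    """The IP that handed the message to our own MTA, or None if our MTA
    wrote none of the lines (for example, a message we did not receive)."""
    hops = parse_hops(raw)
    boundary = untrusted_boundary(hops, trusted)
    if boundary == 0:
        return None
    return hops[boundary - 1]["ip"]


if __name__ == "__main__":
    print(reportable_ip(SAMPLE))  # 192.0.2.10
```

The chain below the boundary still has value as a hint, but only the boundary address is evidence, which is why the relay's IP, not the "totally.legit.example" line at the bottom, is what goes to the relay's abuse desk.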

I forgot to warn you... (3.66 / 3) (#16)
by QuickFox on Mon Feb 03, 2003 at 11:02:43 AM EST

...that if you write to the spammer's ISP, this ISP might itself be a bunch of Evil Spammers and decide to put your e-mail address on every spam list available. There are some ISPs that knowingly host spammers, and dealing with them can be nasty.

At least, this is what rumors say, I haven't seen it myself.

Give a man a fish and he eats for one day. Teach him how to fish, and though he'll eat for a lifetime, he'll call you a miser for not giving him your fi
[ Parent ]

Level 3, Charter.et (4.33 / 3) (#18)
by odaiwai on Mon Feb 03, 2003 at 11:39:36 AM EST

Charterpipeline.net and Level3.net have both passed on complaints from me to the actual spammers.  They are as bad as the spammers themselves.

Spamming scum.  They're blocked on any network I have anything to do with, along with many other mainsleaze operations.

dave "flowgo-away and die"
-- "They're chefs! Chefs with chainsaws!"
[ Parent ]

Broken Porn Spam (none / 0) (#33)
by Kintanon on Tue Feb 04, 2003 at 11:48:05 AM EST

There is nothing I hate more than getting spam that advertises, "FREE NAKED WOMENS!!!11!!1" or something similar and then the link being totally broken. And having no record of the domain ever existing. What is the purpose of these e-mails? Are they trying to sell me something? Is it the anti-spam tool companies bombarding everyone with useless spam to help sell their product? Who is making money off of broken porn links? Shouldn't they at least lead to a banner farm or something?


[ Parent ]

Why bounce? (3.25 / 4) (#12)
by bke on Mon Feb 03, 2003 at 09:04:37 AM EST

Should the catch-all option be shut off, even though it will magnify the network traffic?

When not using a "catch-all" there is usually also the option of just silently ignoring messages sent to non-existing recipients instead of generating bounces. This may cause a slight inconvenience to real senders who just can't spell, but it might be worth a try as a temporary solution...

Read, think, spread!

Because it's not his server that generates them (5.00 / 2) (#19)
by jt on Mon Feb 03, 2003 at 11:48:13 AM EST

From my interpretation, I believe the problem is thus:

1. Spammer sends mail to nonexistent address (e.g. bar@foo.com) originating from suckerpunch.com.
2. Mail server at foo.com domain generates a bounce message and sends it to the address at suckerpunch.com.
3. Catch-all address receives thousands of bounce messages.

The only way for him to not see those bounce messages is to turn off the catch-all, but the mail server at suckerpunch.com will still receive them, and may even generate bounce messages in return.

[ Parent ]

SMTP is broken (4.42 / 7) (#14)
by dipierro on Mon Feb 03, 2003 at 10:39:58 AM EST

need any more evidence be provided.

Is there any realistic hope of catching the perp?

If they're in the U.S., you could almost certainly catch them, but it'll cost some money. You need to file a John Doe lawsuit in court, perhaps under trespass to chattel, or perhaps under plain old harassment. Then you need to start getting subpoenas from each link in the chain. If you succeed, and the perp is in the U.S., and has money, you'll get your money back and then some. If not, then you lose.

Re: SMTP is Broken (4.00 / 1) (#25)
by Alfie on Mon Feb 03, 2003 at 08:56:32 PM EST

I think the open relays are more to blame than the SMTP protocol.

[ Parent ]
Not really (5.00 / 2) (#28)
by dipierro on Mon Feb 03, 2003 at 10:49:38 PM EST

The problem is that bounces are being sent without any verification of the From: address.  This is why the DDOS is possible.  Worst of all, this broken behavior is required in order to be compliant with the standard.

Open relays are an additional problem, but they're not really a problem with the protocol, rather with the implementation.  Further, they are generally a rather easy problem to protect against using blacklists.  With bounced emails you can't implement blacklists without losing the vast majority of your legitimate mail.

[ Parent ]

*Sigh* (2.50 / 2) (#30)
by dasunt on Mon Feb 03, 2003 at 11:45:07 PM EST

You really haven't thought out this "SMTP is broken" idea, have you?

Lets verificate on IP address instead! That can never be spoofed! That's why the r-commands and NFS are so secure!

Okay, how about the ARP address! It's always fun to have everything break just because you changed a NIC or switched machines.

I know, let's have an opt-in list. Wait, that's (1) possible with SMTP and (2) prevents all email from people I don't know. Which hinders my ability to sell or buy things online.

Hmmm, maybe SMTP isn't the problem after all. Maybe the problem is human beings.

[ Parent ]
SMTP doesn't authenticate. (5.00 / 1) (#32)
by haflinger on Tue Feb 04, 2003 at 07:44:20 AM EST

Sure, rsh has a broken authentication mechanism. But SMTP doesn't authenticate, AT ALL. It is impossible to count the ways in which this is bad.

Did people from the future send George Carlin back in time to save rusty and K5? - leviramsey
[ Parent ]
Mr. President? (none / 0) (#40)
by vegetablespork on Sun Mar 09, 2003 at 12:18:14 PM EST

Lets verificate on IP address instead!

George? Is that you?

[ Parent ]

Joe jobs (3.33 / 3) (#17)
by odaiwai on Mon Feb 03, 2003 at 11:31:08 AM EST

I have a problem with non-existent usernames being forged by some spammer (probably the pissed-off former employee who threw a big sulk when we refused to host all of our services on Microsoft OS based servers:

twit: "I think you look backward to mailservers using unix - you should use Exchange"
BOFHS: "Security, escort this moron from the premises.")

This can get up to 1000 bounces per day, all sourced from various open proxies.  I just have a few rules in /etc/mail/access:

pol987@[domain]    550 We're being Joe jobbed.  Complain to originating IP.
vesna@[domain]     550 We're being Joe jobbed. Complain to originating IP.

What more can I do?  Other people need to use the open proxy blacklists to stop accepting this crap, and a certain previous employee needs a date with a baseball bat.

-- "They're chefs! Chefs with chainsaws!"

Go back to Slashdot -NT (2.00 / 1) (#27)
by CaptainSuperBoy on Mon Feb 03, 2003 at 08:58:19 PM EST

jimmysquid.com - I take pictures.
[ Parent ]
You have completely missed the point (none / 0) (#37)
by odaiwai on Thu Feb 06, 2003 at 12:48:00 PM EST

I am not slagging MS here - I am just providing some background to a policy decision which has apparently resulted in a situation where we have an employee who is likely to bear resentment and cause a particular problem.

-- "They're chefs! Chefs with chainsaws!"
[ Parent ]

Rebounce? (5.00 / 4) (#20)
by srichman on Mon Feb 03, 2003 at 12:47:53 PM EST

Should the catch-all option be shut off, even though it will magnify the network traffic?
How would it magnify the network traffic? The Internet mail system does not and should not re-bounce bounced messages. If your friend's "low cost domain farm" uses custom software that does this, I would say that's bad.

It Won't Increase Network Traffic (3.00 / 2) (#22)
by CarryTheZero on Mon Feb 03, 2003 at 02:03:57 PM EST

As other people have pointed out, shutting off the catch-all option won't generate additional bounces, because a mail server should never generate a bounce message in response to a bounce message.
Also, depending on how your friend's mail server is configured, it may refuse to accept mail at all if it doesn't know about the recipient address, which would actually decrease your network traffic/server load.

You said I'd wake up dead drunk / alone in the park / I called you a liar / but how right you were
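To make the "does turning off the catch-all magnify traffic?" question concrete, here is a small added model (not code from the thread) of three receiving policies for a domain, using the hypothetical name suckerpunch.example and two constructed real users. It treats a null envelope sender as a bounce, which is why accept-then-bounce never re-bounces the flood, and it also models the dictionary-attack case, where the policy choice decides whether any backscatter is generated at all.

```python
"""Model what a receiving MTA does with mail to a nonexistent local user.

Added example, not from the thread. Domain, users and envelopes are constructed.
"""
from dataclasses import dataclass

REAL_USERS = {"alice", "bob"}  # constructed: the mailboxes that really exist

POLICIES = ("catch-all", "accept-then-bounce", "reject-at-rcpt")


@dataclass(frozen=True)
class Envelope:
    mail_from: str   # "" is the null sender (MAIL FROM:<>) that bounces use
    rcpt_to: str     # local part at our domain


@dataclass
class Outcome:
    stored: int = 0        # landed in a local mailbox
    bounces_sent: int = 0  # new bounce messages we generated (backscatter)
    rejected: int = 0      # refused with 550 at RCPT; nothing accepted, nothing sent
    dropped: int = 0       # accepted, undeliverable, and silently discarded


def handle(env: Envelope, policy: str, out: Outcome, real_users=REAL_USERS) -> Outcome:
    """Apply one receiving policy to one envelope and update the tally."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    if env.rcpt_to in real_users:
        out.stored += 1                 # a real mailbox: every policy delivers
    elif policy == "catch-all":
        out.stored += 1                 # unknown user still lands in the catch-all
    elif policy == "reject-at-rcpt":
        out.rejected += 1               # the sending MTA never hands the body over
    elif env.mail_from == "":
        out.dropped += 1                # RFC 2821 s4.5.5: never bounce a null-sender message
    else:
        out.bounces_sent += 1           # accepted, then bounced to the (possibly forged) sender
    return out


def simulate(envelopes, policy: str) -> Outcome:
    out = Outcome()
    for env in envelopes:
        handle(env, policy, out)
    return out


def bounce_flood(n: int):
    """Constructed: n bounces to forged random addresses plus one real bounce."""
    return [Envelope("", f"junk{i}") for i in range(n)] + [Envelope("", "alice")]


def spam_run(n: int):
    """Constructed: a dictionary run with a forged, non-null sender."""
    return [Envelope("spammer@elsewhere.example", f"guess{i}") for i in range(n)]


if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, simulate(bounce_flood(100), policy), simulate(spam_run(50), policy))
```

For the flood in the story, switching from catch-all to accept-then-bounce changes 100 stored messages into 100 dropped ones and sends nothing back, confirming the comment above; rejecting at RCPT time goes one step further and keeps our server from accepting the bodies at all. The spam_run rows show the other half of the picture: an accept-then-bounce server is exactly the kind of "innocent third party" that manufactures the bounces, while a reject-at-RCPT server emits none.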
Yes, Do Use Spamcop (4.50 / 2) (#23)
by Alpha Prime on Mon Feb 03, 2003 at 02:17:12 PM EST

Given the volume it may not be practical to use Spamcop to report them all (you can't report the bounces, but you can report the contents of the bounce). OTOH, if you feed in a few of the open relays, open proxies, etc., you at least feed the Spamcop blocklist (SCBL), which may get the attention of those system admins to fix their screwed-up systems.

A few things you can do, but not much (3.33 / 3) (#24)
by JML on Mon Feb 03, 2003 at 07:58:22 PM EST

This may be a dictionary attack that the spammer is running against many hosts, not a DoS directed at your friend. The spammer may be sending e-mails to millions of user names at thousands (or more) domains, and then seeing which get accepted. Of course the problem with this theory is that your friend gets the bounces, so the spammer doesn't know which addresses worked and which didn't.

Remember though, spammers aren't known for their brainpower, so it could be a dictionary attack that is broken.

As far as reporting the problem somewhere, you can try, but the site sending you the bounce is just an innocent third party, and the site originally generating the message is most likely an open proxy running on a Windows computer. The proxy does no logging and does not insert a Received: line in the header, so there is no way to tell where the message is really originating. As far as I am concerned, such an open proxy is not allowed to talk to my mail server, so I use blacklists that include such machines. Though for each one known, there are probably many that are not yet known (except to the spammers waiting to exploit them).

If the bounced messages have any type of pattern to the address, you can use various rules to block delivery. If they all have the same From: line (the address that the mail is going to at your friend's server) you can put something in sendmail's access file (or the equivalent file for your vice of choice).

TO:joe-jobbed@ DISCARD

If the addresses are of a particular pattern you need to get a bit fancier, but they can still be blocked. Something like this in sendmail.mc might do the job.

LOCAL_CONFIG
dnl # regex map: recipient addresses that look like the joe-job pattern
Kakak regex -a@MATCH (joe|job).*<@mypoorsite\.com
LOCAL_RULESETS
SLocal_check_rcpt
dnl # canonicalize the RCPT address (the mangled "$<" in the post is sendmail's "$>"),
dnl # look it up in the regex map, and reject on a match
R$*	$: $>Parse0 $>3 $1
R$+	$: $(akak $1 $)
R@MATCH	$#error $: "550 Spam not accepted"

(Don't trust this code though, I can't be sure I got all of my &lt;, etc. in for the <, etc.)

Post to nanae (4.50 / 2) (#26)
by CaptainSuperBoy on Mon Feb 03, 2003 at 08:56:56 PM EST

Post this to news.admin.net-abuse.email. They are extremely helpful and this kind of thing is right up their alley.

jimmysquid.com - I take pictures.
Whitelist, not blacklist. (3.50 / 2) (#29)
by pla on Mon Feb 03, 2003 at 11:23:05 PM EST

A number of people have responded that you should blacklist the offending open relays, or find a good string in the messages to add to a filter rule. Both of those would work, but only temporarily (and for the latter, you don't need to look very hard since bounces clearly ID themselves as such to prevent rebouncing).

For a better solution, however, you need to make a *whitelist*, allowing bounced messages only for addresses belonging to real users on your system. Normally, whitelists may lose some legitimate traffic (thus a possible reason why no one suggested it yet), but in this case, no legitimate bounce can EVER come from a nonexistent account in your domain <G>.

This will still let you enjoy having catch-all enabled, and get rid of the possibility of future attacks of a similar nature.
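Here is what that whitelist looks like as a delivery-time filter, written as an added example (not code from either comment) that also covers the address-pattern rule from the sendmail comment further up: a message addressed to our domain is discarded only when it is a bounce to a local part that is not a real mailbox, or when the local part matches the forged-address pattern and is not a real mailbox; everything else, including ordinary mail to disposable catch-all addresses, is delivered. The domain, user list, pattern and messages are constructed.

```python
"""Accept a bounce only if it was sent to a mailbox that really exists.

Added example, not from the thread. A catch-all domain keeps accepting ordinary
mail to unknown local parts while discarding bounces to them, because a genuine
bounce can only come back to an address that actually sent something.
"""
import email
import re
from email.utils import getaddresses

REAL_USERS = {"alice", "bob"}              # constructed: the real mailboxes
DOMAIN = "suckerpunch.example"             # hypothetical domain from the story
JOE_JOB_PATTERN = re.compile(r"^(joe|job)", re.IGNORECASE)  # constructed pattern


def is_bounce(msg) -> bool:
    """Signals an MTA or procmail rule uses to recognize a delivery report."""
    if msg.get("Return-Path", "").strip() == "<>":       # null envelope sender
        return True
    if (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status"):
        return True
    sender = (msg.get("From") or "").lower()
    return "mailer-daemon@" in sender or "postmaster@" in sender


def our_local_parts(msg) -> list:
    """Local parts of To: addresses that belong to our domain, lowercased."""
    values = [str(v) for v in msg.get_all("To", [])]
    suffix = "@" + DOMAIN
    return [addr[:-len(suffix)].lower()
            for _, addr in getaddresses(values)
            if addr.lower().endswith(suffix)]


def classify(raw: bytes) -> str:
    """Return 'deliver' or 'discard' for one raw message."""
    msg = email.message_from_bytes(raw)
    rcpts = our_local_parts(msg)
    if not rcpts:
        return "deliver"                   # not addressed to our domain; not our call here
    if any(u in REAL_USERS for u in rcpts):
        return "deliver"                   # a real user: bounces to them are legitimate
    if is_bounce(msg):
        return "discard"                   # bounce to an address that never sent anything
    if any(JOE_JOB_PATTERN.match(u) for u in rcpts):
        return "discard"                   # the forged-address pattern, even in non-bounces
    return "deliver"                       # ordinary mail into the catch-all


# Constructed sample messages.
FORGED_BOUNCE = b"""Return-Path: <>
From: MAILER-DAEMON@innocent.example
To: xq7z9@suckerpunch.example
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

This is the mail system at innocent.example.
--b1--
"""

REAL_BOUNCE = b"""Return-Path: <>
From: MAILER-DAEMON@innocent.example
To: alice@suckerpunch.example
Subject: Undelivered Mail Returned to Sender

Your message to nobody@innocent.example could not be delivered.
"""

DISPOSABLE_MAIL = b"""Return-Path: <newsletter@shop.example>
From: Shop <newsletter@shop.example>
To: shop-signup@suckerpunch.example
Subject: Your order

Thanks for your order.
"""

JOE_JOB_MAIL = b"""Return-Path: <someone@elsewhere.example>
From: someone@elsewhere.example
To: job-offer-9921@suckerpunch.example
Subject: hi

Not a bounce, but addressed with the forged-address pattern.
"""

if __name__ == "__main__":
    for name, raw in [("forged bounce", FORGED_BOUNCE), ("real bounce", REAL_BOUNCE),
                      ("disposable", DISPOSABLE_MAIL), ("joe-job pattern", JOE_JOB_MAIL)]:
        print(f"{name}: {classify(raw)}")
```

The order of the checks is what keeps the catch-all usable: real users are whitelisted before anything is discarded, so a bounce to alice still arrives, while the forged bounce to xq7z9 and the pattern-matching address go to the bit bucket without a reply being generated.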

instead of a catch all... (none / 0) (#36)
by Jordan Block on Wed Feb 05, 2003 at 01:53:47 PM EST

personally, I find it works better to not use a catch-all address.

instead, I set a single account up on my mail server that I use for most online forms, and so on, say spam@domain.com

whenever a site asks for my email, I use spam+sitename@domain.com - this still delivers it to the single account, and I can easily tell who is giving out addresses to the spammers.

if spammers start abusing the address, you can delete it, and the mail to it will bounce, rather than getting a massive number of bounce messages from other servers.

lube... (none / 0) (#39)
by antispamist on Mon Mar 03, 2003 at 02:59:19 AM EST

I think all one can do...in the long run is be flexible :)

A useless endeavor that will certainly leave u wanting less but getting more.
Catch-All (5.00 / 1) (#41)
by mattyb77 on Sun Mar 09, 2003 at 01:40:56 PM EST

I used to be a support technician at a Web hosting provider of about 15,000 customers. We would set up catch-all mappings (in addition to regular virtual mappings) for customers. We did this so that the customer wouldn't miss any e-mail, especially if someone malformed an e-mail address.

I have changed my mind on this.  There is really little use for catch-alls because, if a person sends an e-mail to the wrong address, he/she should get a bounce so he/she can fix it, especially if it is in an address book.

I say turn off the catch-all because it seems to only serve as a way to get spam thrown into your mailbox, especially from dictionary attacks, which should produce a 100% delivery rate.

Also, as far as network traffic is concerned, I really like Postfix, which has mechanisms in place to keep a mail server from being flooded with e-mail. It has options to control the number of Postfix processes as well as the ability to slow down SMTP connections with a particular mail server that is slamming it with e-mail.

Good luck.

"I bestow upon myself the `Doctorate of Cubicism', for educators are ignorant of Nature's Harmonic Time Cube Principle and cannot bestow the prestigious honor of wisdom upon the wisest human ever." -- Gene Ray, the wisest human ever
