I’m sure this sort of behavior is old news, but it’s still really annoying. Starting last night and continuing as I’m writing this, some annoying spammer has been forging my email address as the “From” line of a variety of spams. This is causing a staggering volume of backscatter, mostly of the “Delivery Status Notification (failure)” variety. Sampling these messages, I’m seeing several interesting things.
- The spammer is using my proper email address (dwallach@…) on each message, but a different “real” name on each one. The name “Dan Wallach” does not appear anywhere.
- I forward everything to Gmail. Gmail considers all of this backscatter to be spam. That’s probably the correct answer, but I’m not sure I want to train my own DSPAM to do the same thing. (DSPAM runs locally, and then I save a local copy and forward to Gmail.) If I send a real message and it legitimately bounces, I want to know about it. If I train DSPAM that all of these delivery status notifications are spam, it will inevitably throw away anything from “mailer-daemon”. I’m unclear on whether that’s good or bad.
- You could easily build a bounce-message validator. Every backscatter seems to have the original message ID in it, somewhere. If the backscatter mentions a message ID that my system actually generated, then the backscatter is allowed. Otherwise it’s dropped. (This idea appears to be a variation of VERP; I’d make the message ID be a keyed MAC of a sequence number.)
- A large number of these spams have a message body consisting entirely of “Take a look at yourself ” and linking to “video.exe” on a variety of different web sites. Gmail helpfully rewrites those links such that they can track that I clicked on it. This would also seem to give them an opportunity to give me an anti-virus warning, but they don’t do any such thing. (“video.exe” is one of the common names used by the Storm worm.)
- Many spams include links that redirect through Google’s PageAd server to yet another server. I clicked on one of them. It appears that the PageAd redirector worked, but then Firefox’s “badware” detector caught the destination as being bad, ultimately taking me to stopbadware.org. Go Firefox!
- Some legit antispam firewall products (including Barracuda) are helpfully telling me my message “was blocked by our Spam Firewall. The email you sent with the following subject has NOT BEEN DELIVERED”. This is clearly broken behavior. Just drop it and move on!
- Several of the backscatter messages are actually validation messages (sender address verification). This has been largely discredited due to a variety of practical problems, never mind common-case annoyance to normal users.
- One of the spammers seems to be quite keen to sell replicas of expensive wristwatches, and those links take you to some kind of seemingly real online store, albeit with a funky DNS name. Somehow, even if I did want a fake expensive watch, I’m not sure I’d be comfortable typing my credit card number into a web site whose name is a list of random characters and who (clearly) is closely related to the underworld of lecherous spammers.
EDIT: fixed post that had gone out before it was done.