2 bounce or not 2 bounce?

Article written: 2004/02/13

The quick answer is... DON'T BOUNCE!

Bouncing spam used to be a good idea, but since the Mimail and Mydoom virii of early 2004 the rules have changed...

In the olden days, circa 2001-2002, when spamming was still an adolescent art, I discovered 'bouncing' as an anti-spam feature of Mailwasher, and heartily recommended that program partly because of that feature. I still recommend the program, but its bouncing feature has lost its shine.

Indeed the fact is that bouncing spam or other unwanted email only worsens the situation for 2 reasons. Firstly it doesn't have any deterrent effect on spammers - on the contrary - by responding at all you run the risk of confirming that your address actually does exist. And secondly the most serious threat to the internet at present is the sheer volume of traffic generated by spam and malware, and bouncing only adds to this problem.

What is bouncing?

When you 'bounce' an e-mail, a message is returned to the sender, as if from your mail server, saying, in effect: "Your message has not been delivered because this email address does not exist".

In those innocent days of 2001-2002 it was thought that spammers were concerned if their list of 10,000 email addresses contained 5% false entries. It was thought that the 'value' of a spammer's database would be reduced if it became stuffed with bogus addresses. So it was logical to assume that bouncing spam would encourage spammers to remove an address from their spam list.

However... the increased speed of computers, and increased availability of broadband have changed the maths. And now our presumptions, in those far off days, of how spammers actually worked seem rather naive.

Now (in February 2004) spammers quite happily send out MILLIONS of emails every hour in the hope, nay in the certainty, that the return will be a success rate of approximately 10... not 10%... but 10 in a Million (0.001 %). With those kind of odds, they just don't care if their database of addresses is 5% or 50% incorrect - the quality of their database is now irrelevant - it has become a sheer weight of numbers game.

So...

Bouncing won't reduce spam... but it gets worse...

Bouncing email can actually have the opposite of the desired effect - it can CONFIRM your email address as valid (not that the spammers give a toss anymore!) for several reasons:

  1. A genuine bounce will be sent by your ISP the moment the undeliverable message is received, whereas your 'bounce' from Mailwasher or Pocomail or whichever application you use will be returned after a significant delay. If the spammers do bother filtering bounces, you can be sure that this is a factor they will consider, and that your 'bounce', an hour or more after the message was sent, only confirms that the message WAS delivered but the bounce has been created later by a bouncing application.

  2. Mailwasher, excellent as it is, does NOT accurately reproduce YOUR ISP's undeliverable mail message. Try it (I have). The bounce message from Mailwasher (or any other application which offers 'bounce' as an option) is not EXACTLY the same as a true bounce from your ISP, and in its own way it is identifiable as coming from the application which created it - and again, you can be sure that any spammer who is paying attention to bounces will be clued in to the tell-tale signature of a bounce from your chosen app.

  3. Aliases. The bit before the @ sign in an email address is called an 'alias'. It's usual for any email addressed to any alias@yourdomian to be delivered into a 'catch all' mailbox. If you haven't changed it, by default this may be your username@yourdomain.

    So what happens when you bounce a message received in this (default) inbox? Let's say the spammer makes a guess and sends his message to target@yourdomain.com, and you (or your ISP) have things so configured that this is forwarded to catchall@yourdomain.com. The spam arrives and you bounce it... telling the spammer that "Your message to catchall@yourdomain.com could not be delivered because that address doesn't exist..." It's obvious really, isn't it? The spammer (if he's efficient) has a filter set up to scan all replies to their spam for email addresses and a script to check all addresses found in replies against the addresses already contained in his database. When your bounce arrives, claiming that catchall@yourdomain.com is a 'non-deliverable' address the spammer knows he has hit a target. A true bounce would contain the target address, so your bounce message - with the wrong target address - cannot have been generated from your mail server, and so must have been created by you to try to protect a valid email address - and now he knows what that address is.

    So the result of bouncing can be that whereas previously the spammer was just guessing, you have now confirmed the validity of your default address - which is about as bad as it gets.

  4. Traffic. OK, OK so we've all got broadband so nobody gives a damn about wasting bandwidth anymore... but hold on a second. The biggest threat to the internet currently is the sheer weight of bogus traffic generated by spam and viruses AND by the bouncing of spam and viruses. Bouncing only adds to the merry-go-round of crap.

CONCLUSION: FOR GOD'S SAKE STOP BOUNCING!

This article was prompted by the MIMAIL virus, or rather by the warning messages I received from the antivirus companies before it struck. I subscribe to a number of services which give early warnings of new viruses. On 26th January 2004 I received an urgent warning from Spywareinfo.com regarding the Mimail worm, which contained the following advice:

If you are running an email server with antivirus software that bounces virus infected emails, FOR GOD'S SAKE STOP BOUNCING THEM! You are participating in a denial of service attack by bouncing viruses at people who are not infected. You could even infect them yourself! STOP BOUNCING THEM!

In the past two weeks I have received more than a hundred emails containing either Mimail or Mydoom, and approximately 20% of these have been bounces from servers configured to detect the virus but not to realise that the "from:" address is forged. I recently read an article which suggested that it could take from four to ten years to clean Mimail & Mydoom from all the world's computers, and until that can be done bouncing is only perpetuating and aggravating the problem.





Related articles

Links valid at time of writing: 2004/02/13

This article was written from my own thoughts, but a Google search threw up a a couple of interesting discussions on this subject.

The first is a discussion relating specifically to the bouncing feature of mailwasher and runs to several pages, mostly of qood quality posts. I tend to agree with the opinion expressed by various contributors to this thread that the marketting of Mailwasher on the basis that its bouncing feature deters spam is no longer valid. -
Mailwasher Forum - Is there any point in bouncing?

The second attracted me because the thread had exactly the same title as this one, and it contains one golden nugget - that there is one very good use for bouncing, which is to deter KNOWN senders from sending you stuff you do not want, like funnies or e-postcards or other junk... bouncing it back to them is, I think, a smart way of tactfully saying to someone you love - "this gift is crap, have it back".

The link only seems to work if you follow it from Google (presumably they use server-side referrer checking), so here's the link TO Google, when you get there, click on the Heading "To Bounce or not to bounce?", which should be the first page listed: -
Google page linking to "To Bounce or not to bounce?" thread at webmasterworld

{Printed from http://www.georgedillon.com/web/2_bounce_or_not_2_bounce.shtml on Wed, 12 Dec, 2018 @ 04:25:12}