Proper Ways to Dispose of Spam? 119

An anonymous reader asks: "My domain name is being stolen by spammers; they forge outgoing mail using my poor innocent domain name. First, I'd like to plead with mail server administrators out there: please REJECT spam and undeliverable mail. If you reject instead of bouncing then legitimate mail senders will still know there is a problem. Second, do you have any tips for dealing with a flood of spam bounces? Exim is pitching the bounces pretty quickly, but my server is still getting overwhelmed." In the case of stolen sender addresses, SPF attempts to address this problem but has it been effective?
  • by Subgenius ( 95662 ) on Thursday January 11, 2007 @11:39AM (#17556874) Homepage
    Welcome to my hell. I've had this happen to 8 of my domains over the last couple of years, typical spam runs of 30k at a time, based on all of the 'bounce back' messages that tell me 'my' mail is spam, or worse "go F** yourself, spammer" crud. SPF might fix this, but only if it was mandatory and ALL ISPs blocked non-commercial email servers (DO NOT WANT the latter to occur).

    Good Luck.
  • Re:SPF! (Score:4, Insightful)

    by stg ( 43177 ) on Thursday January 11, 2007 @12:05PM (#17557248) Homepage
    That was the same in my case. I still get about the same number of bounces from spammers after adding SPF.
    The only thing that did solve it was killing all addresses I don't use and adding filters for the most common bounces.
  • Re:SPF! (Score:3, Insightful)

    by Alphager ( 957739 ) on Thursday January 11, 2007 @12:06PM (#17557270) Homepage Journal
    We are talking about spam-bounces, not the spam itself. Of course using SPF as sole spamfilter is useless (spammers quite frequently kite domains and set up an SPF-record allowing everybody to send mail for that domain). But most spam-filters know that a false-positive with SPF is not possible (if you ignore email-forwarding, of course) and won't bounce the mail to the innocent domain.
  • Re:SPF! (Score:3, Insightful)

    by silas_moeckel ( 234313 ) <silas@@@dsminc-corp...com> on Thursday January 11, 2007 @12:31PM (#17557686) Homepage
    If you just care about outbound SPF, assuming your hosting provider also runs your DNS servers, they can add it in easily.
  • Re:SPF! (Score:3, Insightful)

    by poot_rootbeer ( 188613 ) on Thursday January 11, 2007 @01:09PM (#17558334)
    I would think that spammers would automatically avoid domains with SPF records to increase their hit rate, but apparently not.

    Spammers don't care about hit rates and neither do the folks that employ them. Who cares if it's 10 people out of 100 that fall for the bait or 10 people out of 100,000 -- it's still 10 sales that they can credit to spamming.
  • by Kelson ( 129150 ) * on Thursday January 11, 2007 @02:14PM (#17559372) Homepage Journal

    There's also a mundane reason for it:

    1. Using your own address makes you more traceable and means you have to deal with bounces, complaints, etc.
    2. Using a forged address saves you that inconvenience.
    3. Completely bogus addresses will have a low throughput, because it's trivial for a receiving server to check whether a domain name exists or not.
    4. Verifying a specific address at a real domain, however, is more involved.
    5. Solution: Use a bogus address at a real domain name.

    This solution expresses itself in both throwaway domains (where the spammer registers it for cheap, figuring they only need it for one spam run) and forged addresses using bystanders' domains. Forging is cheaper, since you don't have to register a domain, and while it's illegal, enforcement is rare.

  • Re:No (Score:2, Insightful)

    by Akatosh ( 80189 ) on Thursday January 11, 2007 @04:07PM (#17561932) Homepage
    Spam is spam. I don't care if it was relayed by using the victim address in 'rcpt to:' (traditional spamming) or 'mail from:' (blowback spamming). So you stuck three lines of text above it then relayed it on to the victim. Good job, by bouncing instead of rejecting you're an open relay. You even add some additional bayesian slaying text to the top. That's how I see it.

    It's really not that difficult to configure your mail systems to reject instead of accept then bounce. I see this as becoming mandatory, similar to how it used to be ok to have an open relay, then over time it became a sin.
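
For the bounce flood the submitter asks about, and the "filters for the most common bounces" mentioned in the thread, here is an added example (not code from any commenter) that sorts incoming delivery status notifications into bounces of mail the domain really sent and blowback from forged mail. It assumes your outbound server stamps a Message-ID ending in a known host name; `mail.example.org`, the other addresses and the sample messages are constructed placeholders.

```python
from email import message_from_string

# Assumption: hosts that stamp Message-ID on mail this domain really sends.
OUR_MSGID_HOSTS = {"mail.example.org"}

def returned_headers(dsn):
    """Headers of the original message carried inside a DSN, or None."""
    for part in dsn.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":          # full original message attached
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":     # headers-only copy
            return message_from_string(part.get_payload())
    return None

def classify(raw):
    """Label a raw message: not-a-bounce, unverifiable, genuine or backscatter."""
    msg = message_from_string(raw)
    if (msg.get_content_type() != "multipart/report"
            or str(msg.get_param("report-type")).lower() != "delivery-status"):
        return "not-a-bounce"
    orig = returned_headers(msg)
    if orig is None or not orig.get("Message-ID"):
        return "unverifiable"      # nothing to compare against; queue for review
    host = orig["Message-ID"].strip().strip("<>").rpartition("@")[2].lower()
    return "genuine" if host in OUR_MSGID_HOSTS else "backscatter"

def sample_dsn(message_id):
    """Constructed DSN (not real traffic) returning a message with this Message-ID."""
    return "\n".join([
        "From: MAILER-DAEMON@receiver.example",
        "To: info@example.org",
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"',
        "", "--b1", "Content-Type: text/plain", "",
        "Delivery to the following recipient failed.",
        "--b1", "Content-Type: message/delivery-status", "",
        "Reporting-MTA: dns; receiver.example", "",
        "Final-Recipient: rfc822; nobody@receiver.example",
        "Action: failed", "Status: 5.1.1",
        "--b1", "Content-Type: text/rfc822-headers", "",
        "From: info@example.org", f"Message-ID: <{message_id}>",
        "--b1--", ""])

if __name__ == "__main__":
    for mid in ("20070111.1@mail.example.org", "abc123@botnet-host.invalid"):
        print(mid, "->", classify(sample_dsn(mid)))
```

A Message-ID is not authenticated, so the verdict is a filtering signal for sorting or discarding bounces, not proof of origin; bounces that arrive as plain text without a `multipart/report` structure fall through as `not-a-bounce` and need separate pattern filters.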
