this post was submitted on 26 Apr 2025
There's a bunch of things wrong in this post. Mainly, you should take a look at DNS SPF records.
That's why it bounces!
An unauthorized sender IP should have their messages dropped, not bounced.
Yes, but then what? Your email provider will kindly let you know, as a courtesy, that the email you sent could not be delivered. Normally, you want this notification. Unfortunately, Hotmail, for one, does not determine whether you really sent the email or not. That the FROM: address has you, it will inform you anyway that the email was not delivered. There are no DNS records to stop this.
Nope, they look up the domain DMARC record for the sending domain and add all the dropped records to an aggregated abuse report which is sent as one email to your postmaster.
If the email is not accepted by the receiving IMAP or POP3 server, it sometimes follows the DMARC instructions for reporting. The report goes to the domain owner of the sending domain. This is done by the receiving server. SPF, DKIM, and DMARC are instructions to the RECEIVING email server, not to the sending email server.
The bounce I'm talking about is from your SMTP server that is following the protocol to let you know, as a courtesy, that your email could not be delivered. And that protocol simply says, in the absence of anything else saying otherwise, tell the FROM: address that their message did not get delivered, even if there is strong evidence that the FROM: address is a fraud.
You keep saying we don't read or we don't understand, but as an email admin at a large company, let me tell you that actually you are wrong.
The sending server doesn't even know whether the spam mail was delivered or dropped by the receiving end.
It only knows in case the mail was rejected.
My mail server has no knowledge of the mails the spammer sent, what are you talking about? This is no open relay.
I'm very sure that, by default, at least Postfix will send bounces only to local senders. So unless the spammers use your SMTP server to send spam, you shouldn't get any bounces. If they do, you have different problems.
Tell that to Hotmail because they keep sending it. And be sure to update Google too because they don't know as much as you either. https://support.google.com/mail/thread/209018675/my-sent-email-box-is-filling-up-with-bounce-emails-and-emails-i-did-not-send-my-inbox-is-fine?hl=en