this post was submitted on 26 Apr 2025
43 points (100.0% liked)

Cybersecurity

0 readers
13 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Rules

Community Rules

founded 2 years ago
MODERATORS
shellsharks@fedia.io
tweedge@fedia.io
43
Did you know that if a spammer uses your email address as the FROM: address, which is easy to do, all the bounce messages will go to your email address? If the spammer really hates you, they will send (hear-me.social)
submitted 4 days ago by Jerry@hear-me.social to c/cybersecurity@fedia.io
37 comments fedilink hide all child comments
 

Did you know that if a spammer uses your email address as the FROM: address, which is easy to do, all the bounce messages will go to your email address? If the spammer really hates you, they will send millions of emails with your FROM: address and you will get a million bounce messages.

Can you stop this or prevent this? No

Why would a mail provider send you a bounce message, knowing you're innocent? Because that's how someone wrote the protocol back then, and nobody changes it or does it differently because ... reasons.

Does the spammer get a bounce message? Nope, not one.

Does the SMTP sending account owner whose credentials were stolen be notified about bounces so they can stop the spam? Nope.

Just millions of emails sent every day to poor schlameels who have no idea why they are getting them and who can't do anything about them.

The more I learn about the email protocols, the more I realize how terrible the design is.

#emailsecurity #spoofing #cybersecurity #spam

you are viewing a single comment's thread
view the rest of the comments
[–] Jerry@feddit.online 4 points 4 days ago (1 children)

SPF can't be set up to stop bounces. It just indicates which servers are authorized to send email for the sending domain. It has nothing to do with the FROM: address. It's only there to protect the owner of the domain from where the email is sent. It does not care about you.

DMARC tells the receiving email server what to do if SPF and DKIM fail and often the instructions are to do nothing.

If the receiving server ends up refusing the email because it fails SPF and/or DKIM and DMARC says to reject, the SMTP server, not the receiving server, sends the bounce to the FROM: address to tell the person their email could not be delivered.

In summary, SPF and DKIM are about whether the email should be delivered. It says nothing about informing the sender that their email was not delivered. That's a courtesy provided by your email provider.

[–] faebudo@infosec.pub 1 points 3 days ago (2 children)

Yes, however RFC7208 says not to send NDR when sender authentication fails (=when SPF/DMARC is correctly set up it will fail) So you will get massively less backscatter. There will still be some providers sending NDRs however not the big ones, they will instead inform you via DMARC reporting which is easier to ignore.

Generating non-delivery notifications to forged identities that have
   failed the authorization check often constitutes backscatter, i.e.,
   nuisance rejection notices that are not actionable.  Operators are
   strongly advised to avoid such practices
[–] sxan@midwest.social 2 points 3 days ago* (last edited 3 days ago)

It's still incumbent on the receiver to implement and follow DMARC and SPF rules. Email is, what, 44 years old, if you include RFC 822. SPF was introduced a mere 20 years ago, and DMARC is only 12 years old; Google started enforcing it only 10 years ago. There's an entire sea of email server out there whose admins have not bothered to set up SPF, much less DMARC.

There's a huge gap between "should" and "do."

[–] Jerry@feddit.online 2 points 3 days ago (1 children)

Apparently, hotmail hasn't read the memo because they've been sending them for me today

[–] faebudo@infosec.pub 1 points 3 days ago

Ah yes. But you can just reject NDR messages with "550 5.7.509: Access denied, sending domain example.net does not pass DMARC verification and has a DMARC policy of reject" now.