this post was submitted on 26 Apr 2025
43 points (100.0% liked)

Cybersecurity

0 readers
14 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Rules

Community Rules

founded 2 years ago
MODERATORS
shellsharks@fedia.io
tweedge@fedia.io
43
Did you know that if a spammer uses your email address as the FROM: address, which is easy to do, all the bounce messages will go to your email address? If the spammer really hates you, they will send (hear-me.social)
submitted 4 days ago by Jerry@hear-me.social to c/cybersecurity@fedia.io
37 comments fedilink hide all child comments
 

Did you know that if a spammer uses your email address as the FROM: address, which is easy to do, all the bounce messages will go to your email address? If the spammer really hates you, they will send millions of emails with your FROM: address and you will get a million bounce messages.

Can you stop this or prevent this? No

Why would a mail provider send you a bounce message, knowing you're innocent? Because that's how someone wrote the protocol back then, and nobody changes it or does it differently because ... reasons.

Does the spammer get a bounce message? Nope, not one.

Does the SMTP sending account owner whose credentials were stolen be notified about bounces so they can stop the spam? Nope.

Just millions of emails sent every day to poor schlameels who have no idea why they are getting them and who can't do anything about them.

The more I learn about the email protocols, the more I realize how terrible the design is.

#emailsecurity #spoofing #cybersecurity #spam

you are viewing a single comment's thread
view the rest of the comments
[–] Jerry@hear-me.social 3 points 3 days ago (2 children)

@ikidd@lemmy.world People are not reading. You are not reading.

SPF, DKIM and DMARC are not relevant. Those are instructions to the receiving servers which are not the ones sending the bounces. The receiving server is telling the sending server, based on these DNS records, that it will not accept the message. It refuses them. Period. No bounce message.

The sending server then, as a courtesy, lets the sender know, solely based on the FROM: address, that the email could not be delivered, as one by one messages.

There are no DNS records or configurations that control this. The SMTP server follows the protocol which is to inform the FROM: address, as a courtesy, that the email was not accepted. It is the sender. It does not look at SPF, DMARC, and DKIM rules. That is only what the destination server uses.

[–] ikidd@lemmy.world 6 points 3 days ago (1 children)

The point is that if an SMTP server is respecting RFC7208 then you don't get those bounces if you have the records. Which is most SMTP servers now.

[–] Jerry@feddit.online 1 points 3 days ago (1 children)

My hotmail inbox says that Miocrosoft must then not be a member of the "most" group.

[–] ikidd@lemmy.world 1 points 3 days ago (1 children)

Maybe Hotmail, I couldn't say about freemail domains, but I get dmarc reports for recipients on Office 365 hosted domains all the time and have for years. They were one of the earliest adopters, since I've had a dmarc policy for my domains for over a decade.

[–] Jerry@feddit.online 1 points 3 days ago (1 children)

DMARC reports are sent by the receiving server, which is not the server sending the bounces. They are reports sent to the domain owner. SPF, DKIM and DMARC are only meant as tools to protect the domain owner and indicate when an email should not be accepted.

These bounces are coming from the sending server whose email attempt got rejected by the receiving server. They are NDRs which are not covered by SPF, DKIM, or DMARC.

The sending server is informing the FROM: address, as a courtesy, that the email could not be delivered, even when the sending server knows the FROM is likely fraudulent. This has nothing to do with SPF, DMARC or DKIM and is a different protocol.

Argue with Google, not me: https://support.google.com/mail/thread/209018675/my-sent-email-box-is-filling-up-with-bounce-emails-and-emails-i-did-not-send-my-inbox-is-fine?hl=en

[–] superkret@feddit.org 2 points 3 days ago (1 children)

Is the recipient server drops or quarantines spam instead of rejecting it (which is standard best practice), the sending server will never know, and won't send a message back to the sender.

[–] Jerry@feddit.online 1 points 3 days ago

DMARC has only 3 options. Ignore, reject or quarantine. There is no "drop" instead of "reject". And anything other than an "ignore" will cause a reject from the receiving server back to the sending server who will then inform the FROM address that the email was not delivered.