N. Miller wrote:
On Sun, 16 Dec 2007 13:26:52 -0500, Poprivet` wrote:

....

We are talking POP3 service?

Yes, it is POP3 service. To make sure I wasn't telling
tales out of school, I just checked my settings and
I'm sure it's no surprise to you that I was *wrong*!
The Delete After 7 days is no longer checked! Argghh,
I hate when that happens! Shoulda done that first as I
usually do!!!!
APOLOGIES TO ANYONE WHO READ MY MISINFORMATION AND
BELIEVED IT. I should know better, honest! Stupid,
stupid, stupid!
Moral: Never, ever ass-u-me anything is ever as it
was when it's important to you! Or can embarass you;
*stuff* happens! Always check it. I'll blame it on
the snow; we got two feet of it in one storm so my
brain's been burned by today's bright sunlight.

....

Now, if you are talking IMAP, that is another ball of
wax, entirely.

Glancing around sheepishly, he said "Yeah, that's it!
It's an IMAP! But unfortunately it's POP3. Never have
been a good liarg.

It may be something unique to that particular email
service; it does not fit the normal pattern for
standard
POP3 service (if I understood what you posted).

Norm, you're a gentleman and a scholar with pretty
decent interpersonal skills, know that? Thanks for not
just flaming in such a way that meant nothing. I'd
rather be shown as wrong than to be allowed to go on
giving out misinformation, which I absolutely abhor.
I'll be much more careful in the future, believe me. I
doubt I'll skip the verification step next time.

....

How does a fake bounce result in a complaint about an
innocent party? Have you ever dissected one? Whether

Yes, I have dissected many spams over about the last 5
years, first manually, mostly now with an online parser
but still manuall if the parse results don't look
right. It's gotten a little harder since DNSstuff.com
put so many restrictions in place for their tools, but
they've relented a tad, and they're useful again (for
me) since I don't have to use them that often. There
are other sources for such things but dnsstuff.com was
pretty much a turnkey site.

a
bounce is phony, or genuine, the headers will point
to
the source of the message; accurately so.

Actually, no, they won't. Only the first and second
Received lines as a rule can be considered as accurate
because your ISP inserts those (seen as a client, that
is, not as the ISP). Beyond that, and especially
including the From and Return Path fields, all of it
can be forged. Once you've encountered a forged line,
nothing beyond it is reliable as tracking info.

All bounce
to
forged email addresses are, rightly, considered
abuse,
and the sender of the bounce will be the party named
in
the complaint.

It's supposed to be. Unfortunately though, any
application that claims to be able to "bounce" e-mail
after it's been received by the recipient at his
machine, can by definitioin not be a bounce. I haven't
yet seen an application yet that does anything but grab
the forged From or Return Path to send its "bounce".
Well, except Sam Spade, I guess.
Since most spammers place an innocent spammee's
address there, it goes to an innocent party who, upon
receipt, may in turn decide it's spam and report it as
such. I don't, but I know several people who do report
them. MailWasher makes that so easy to do that many
users often end up finding themselves reported for
spamming because of its "bounce" feature being used
over and over and over. MailWasher makes (last I knew)
zero effort to parse the headers in any way; it just
grabs the From field and sends it fake bounce there.

snip

Only an ISP can "bounce" am e-mail accureately, and
then only back to the source that sent it.

Actually, only the operator of the SMTP relay agent
which
tried to send the messsage, and failed, can
accurately
bounce the message.

Right; agreed. But not easily understood by all.


If there is another source beyond that one, it must
relay the bounce, too, until it gets back to the
originator; who,
BTW is going to be the spammer, which is NOT the
right
place to be notifying!

An Email Service Provider should only bounce to the
authorized user account. If it can't do that
accurately,
it should not send the bounce at all.

Agreed, too. I don't mean to imply that I understand
the server side of the transactions at all. I am
strictly from the user's side's Inbox. What you say is
correct with normal e-mail sent normally be at least
semi-normal people.
I agree that with most junk mail the source can be
parsed out of the forgeries in many cases too, though
it takes some work. But where they become impossible
to parse properly is whenever the spammer has injected
his tripe into a proxy, open port, anything he can find
to barge into. In those cases everything below the
last ISPs headers could be forged. And discovering a
single forged line makes all the lines below it
suspect, so there's some work involved to determing if
anything at all is non-forged after that.
I've even seen forged first Received lines but NO
idea how that's done.
In those cases, and this is most of the spam
anymore, and why blocking places like .cn, .ru, etc.
works so well, because that spam isn't going to be
easily traced. For those reasons, I also go after the
spamvertised web sites and especially drop boxes when I
come across them.

Anyway, them's my 2 ¢ on it all, as an active
spamfighter over the last several years. My major
spamfighting tools are spamcop.net, dnsstuff.com for
manual lookups, Sam Spade sometimes, and tracert.

I've no objections to your corrections if I've
misstated things, but realize please that I'm trying to
keep it non-technical as much as reasonable. Quotes
from an RFC or FYI are liable to go right over my head
but I'm cognizant of most of the buzz words in the
simpler contexts.

Regards,

Pop`