A spammer's weapon: The envelope sender address

Learn how spammers take advantage of the envelope sender address to avoid a deluge of bounced e-mail.

sendmail Milters: A Guide for Fighting Spam

By Bryan Costales and Marcia Flynt                                    352 pages; $35.99     Addison-Wesley

All Internet e-mail is sent using a protocol called SMTP (Simple Mail Transfer Protocol). In SMTP, mail is sent in units called envelopes. First the address of the envelope sender is sent, followed by one or more envelope recipient addresses. Finally the actual message is sent, headers and body together. Note that the final recipient sees only the headers and body. Envelope information is generally visible only to sendmail and its Milters.

When a user replies to an e-mail message, the reply is generally sent to the header sender — the address listed in the From: header. But when a message is bounced, the bounce reply is generally sent to the envelope sender address.

Spam sites have learned about this property of e-mail and can use it to their advantage. Spammers know that a large percentage of the email they send will bounce, but they do not care about bounces. Even if an address in a list continues to bounce, spammers will not remove it, because the cost of cleaning their lists is too high.

Some spam detection software looks at the envelope sender on the theory that the envelope sender will point to the spam-sending site, because that is where bounced e-mail goes. But to avoid this type of detection (and also the potentially high volume of bounce return messages), spam-sending sites often use a false envelope sender. In other words, they lie about their identity. And not only do they lie, they also forge. That is, because many MTAs (sendmail included) reject the envelope sender if the host part of the address does not exist, spammers often use real envelope sender addresses (but not their own).

The result is that some poor user somewhere in the world will receive all of a spam site's bounces. This is certainly evil, but it is not illegal. There is nothing in the SMTP standard that can cause a sending site to tell the truth in the envelope sender specification. Because spamming sites never clean their address lists and because spamming sites often lie about the envelope sender, you should probably never bounce (reject) spam e-mail. If you do, you may be unwittingly adding to the problem by bouncing to an innocent user. In general, it is better to accept and discard spam e-mail or to accept and archive it.

An alternative (if you have some way to keep count) is to bounce spam the first time it is received from a site. In that way, if good e-mail is bounced, the sender (a real person) can contact someone at your site to have the problem corrected.

More Information

This chapter is excerpted from the new book, "sendmail Milters: A Guide for Fighting Spam," authored by Bryan Costales and Marcia Flynt, Copyright © 2005 Bryan Costales and Marcia Flynt. To learn more about the book, please visit: http://www.awprofessional.com/title/0321213335.

This was last published in April 2005

Dig Deeper on Email and Messaging Threats-Information Security Threats