This blog entry's goal is to give a lay person's explanation as to why a user might be receiving hundreds of delivery failures for messages that he/she never sent.
Email is insecure and very exploitable. This is a fact. The standard for email was designed in the late 60s and early 70s, long before spam and other types of abuse existed or were even thought of. Today, we live with the repercussions of the insecurity and exploitability of the original designs of the email standard. For more detail on the email standard and why it's exploitable, please see my advanced user's explanation (forthcoming as of 5/18/08).
What's happening is that an unethical spammer somewhere in the world has set up his/her own email server and is sending out spam. What makes email exploitable is that this spammer can send out emails with any sender address he/she wants. He/she can use email@example.com; he/she can use firstname.lastname@example.org; he/she can use email@example.com. The email standard does not require that the spammer be a legitimate sender for that domain. It also does not require that the receiving email server check that an email is coming from the legitimate server for that domain.
So the spammer can send emails to anyone he/she wants with YOUR address. He/she can be doing that from his/her house in China, Norway, or next door. We have no control over this because it can be done from anywhere in the world. And this spammer is sending emails potentially with YOUR address (as well as other people's addresses) to other people. This process does not involve your server and is not disallowed in the email standard, so we have no control over it.
In these instances where a user gets several hundred undeliverable emails ... the spammer sends out spam to a random list of email addresses (many of which do not exist). The recipient's email server then sends a bounceback to the sender's address (your email address) that says "undeliverable - this address does not exist."
So what can be done about this? Not a lot, unfortunately. The spammer is taking advantage of an exploitable part of the email standard. It may be unethical and improper, but it's not preventable.
The standard way to deal with this issue is to ignore the emails. Oftentimes, the spammer will send out 200 to 500 of these emails over a period of 2 to 5 hours and then stop.
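To confirm that a delivery failure is one of these forged-sender bounces before ignoring it, you can inspect the bounce itself. The following is an added example, not part of the original post: it parses a constructed delivery-failure report and checks whether the returned message ever passed through your own mail server. The host names, addresses and the `triage_bounce` helper are assumptions made for illustration.

```python
import email
from email import policy

# Constructed sample bounce (DSN); every host and address here is made up.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.recipient.example
To: you@yourdomain.example
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.recipient.example

Final-Recipient: rfc822; nobody@recipient.example
Status: 5.1.1

--b1
Content-Type: text/rfc822-headers

Received: from unknown-host.invalid (unknown-host.invalid [203.0.113.7])
 by mx.recipient.example; Sun, 18 May 2008 10:00:00 +0000
From: you@yourdomain.example
To: nobody@recipient.example
Subject: Cheap pills

--b1--
"""

def triage_bounce(raw, our_mail_hosts):
    """Summarise a bounce; our_mail_hosts is the (assumed) list of servers you send through."""
    msg = email.message_from_string(raw, policy=policy.default)
    result = {"recipient": None, "status": None, "sent_by_us": False}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            for block in part.get_payload():  # one header block per reported recipient
                if block.get("Final-Recipient"):
                    result["recipient"] = str(block["Final-Recipient"]).split(";")[-1].strip()
                    result["status"] = str(block.get("Status", "")).strip() or None
        elif ctype in ("message/rfc822", "text/rfc822-headers"):
            orig = (part.get_payload(0) if ctype == "message/rfc822" else
                    email.message_from_string(part.get_content(), policy=policy.default))
            # Heuristic: mail we really sent carries a Received hop naming one of our servers.
            hops = " ".join(str(h) for h in orig.get_all("Received", [])).lower()
            result["sent_by_us"] = any(h.lower() in hops for h in our_mail_hosts)
    result["verdict"] = "genuine bounce" if result["sent_by_us"] else "backscatter (forged sender)"
    return result
```

Calling `triage_bounce(SAMPLE_BOUNCE, ["mail.yourdomain.example"])` reports the failed recipient, the status code and a verdict. Bounces that return no original headers at all will also come out as backscatter, since there is nothing tying them to your server.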
For additional questions on this issue, please email me: