Author Topic: Getting Users removed due to SPAM...  (Read 2314 times)

wagenknecht

  • Posts: 7
Getting Users removed due to SPAM...
« on: July 18, 2006, 07:08:28 am »
Hi there, using an up-to-date version of LMP I encountered that the bounce management has some quirks: I get users removed due to SPAM that is sent to the bounce-to address... Has anybody else experienced this? So far I thought LMP would check that a bounced message IS in fact a bounce... but it seems like it just looks at the mail address...

Example (personal info x-marked):
A user has been removed from your list: Newsletter

Their information was as follows:

Email: koeln@mydomain.tld
First Name: Kerstin
Last Name: xxxxxxx

IP Address: 80.135.xxx.xxx (xxxx.dip.t-dialin.net)
Ref. URL: http://www.mydomain.tld/_newsletter.html

Unique ID: e0481aa

---------- The bouncing message follows ----------

> Return-Path: <IlaEngel@registerednurses.com>
> Delivered-To: bounce@mydomain.tld
> Received: (qmail 13569 invoked from network); 12 Jul 2006 16:59:33 -0000
> Received: from unknown ([80.67.18.6])
>           by halo.ispgateway.de (qmail-ldap-1.03) with QMQP; 12 Jul 2006 16:59:33 -0000
> Delivered-To: CLUSTERHOST mx06.ispgateway.de bounce@fgsv-verlag.de
> Received: (qmail 24293 invoked from network); 12 Jul 2006 16:59:32 -0000
> Received: from c-67-173-151-10.hsd1.il.comcast.net (HELO 5fegb.it8a1st3.verizon.net) ([67.173.151.10])
>           (envelope-sender <IlaEngel@registerednurses.com>)
>           by mx06.ispgateway.de (qmail-ldap-1.03) with SMTP
>           for <koeln@mydomain.tld>; 12 Jul 2006 16:59:29 -0000
> Message-ID: <84809312614371.0E5BD6CD1C@DOE8>
> From: "Ila Engel" <IlaEngel@soon.com>
> To: <koeln@mydomain.tld>
> Subject: big up-grade on marcket, look through the letter
> Date: Wed, 12 Jul 2006 11:58:54 -0500
> MIME-Version: 1.0
> X-Mailer: Microsoft Office Outlook, Build 11.0.5510
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> Thread-Index: v2uQggvfMoDJHPo1LB4NOwHcoyzMSf3vL906
> Content-Type: text/plain;
>         charset="Windows-1252"
> Content-Transfer-Encoding: 7bit
> X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on
>    spamfilter03.ispgateway.de
> X-Spam-Level: *
> X-Spam-Status: No, hits=1.8 required=9999.0 tests=FORGED_RCVD_HELO,
>    RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL autolearn=disabled version=3.0.4
>
> We’re all afraid of down days. I’m a trader, too, I know that! What I want to do is share some really valuable information that can help you.
>
> This stock is heading into extremely promising territories. Make use of it before crowds of traders come and take all the cream!
>
> Get GDKI First Thing Today, This Is Going To Explode! Check out for HOT NEWS!!!
>
> GOLDMARK INDUSTRIES (GDKI) CURRENT_PRICE: $7.70 GET IT N0W!

*SPAM deleted*

Any chance to stop this? It only affects those subscribers from within the customer's domain - but they are the first to complain if they miss their own newsletter.....

Regards

Joerg W.

DW

  • Administrator
  • Posts: 3787
    • https://legacy.listmailpro.com
« Reply #1 on: July 18, 2006, 01:59:30 pm »
ListMail once tried to track exactly which message was bounced.  Unfortunately, up to 40% of servers were not returning the additional email headers I added to facilitate this - that leaves the message body as the only reliable storage area, which a lot of clients would not want to use. :)

We now simply track the second "To:" line in incoming email... The first "To:" is from the mailer-daemon to your bounce address, the second is contained in the header of the forwarded/included message that bounced.  The "To:" string must occur within the first 5 characters of the line to count.

What might be done is ignore bounces for the entire domain by modifying bounce.php.  The last line:
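Code:
if($target && $target <> $errmail) bounce($target,$em);
Could be modified to:
Code:
// Domains whose addresses must never be removed by bounce processing
$baddomains = array('domain1.com','domain2.com');
$baddomain = 0; // initialise so the final test never reads an undefined variable
foreach($baddomains as $value){
 // case-insensitive substring match, so 'domain1.com' also matches 'xdomain1.com'
 if(stristr($target,$value)) $baddomain=1;
}
if($target && $target <> $errmail && !$baddomain) bounce($target,$em);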
Dean Wiebe
ListMailPRO Author & Developer - Help | Support | Hosting
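
Added example, not ListMailPRO code: one way to check that a message arriving at the bounce address is actually a delivery failure report before the "To:" line of the included message is used to remove anyone. The function names and both sample messages are constructed; it assumes genuine bounces carry an empty envelope sender (Return-Path: <>) or an RFC 3464 multipart/report Content-Type.

```php
<?php
// Added illustration, not ListMailPRO's bounce.php. All names are hypothetical.

// Split a raw message into unfolded header lines and the body.
function split_message($raw) {
    $raw = str_replace("\r\n", "\n", $raw);
    $parts = explode("\n\n", $raw, 2);
    // Unfold continuation lines (leading space or tab) onto the previous header.
    $head = preg_replace('/\n[ \t]+/', ' ', $parts[0]);
    return array(explode("\n", $head), isset($parts[1]) ? $parts[1] : '');
}

// Return the first value of a header (case-insensitive name), or null.
function header_value($headers, $name) {
    foreach ($headers as $line) {
        if (stripos($line, $name . ':') === 0) {
            return trim(substr($line, strlen($name) + 1));
        }
    }
    return null;
}

// A message counts as a bounce only if the envelope sender is empty
// (Return-Path: <>) or it is an RFC 3464 delivery status report.
function looks_like_bounce($headers) {
    $rp = header_value($headers, 'Return-Path');
    $ct = strtolower((string) header_value($headers, 'Content-Type'));
    $null_sender = ($rp !== null && preg_match('/^<\s*>$/', $rp) === 1);
    $dsn = strpos($ct, 'multipart/report') === 0
        && preg_match('/report-type\s*=\s*"?delivery-status/', $ct) === 1;
    return $null_sender || $dsn;
}

// Recipient to remove, or null when the message is not a bounce.
function bounce_target($raw) {
    list($headers, $body) = split_message($raw);
    if (!looks_like_bounce($headers)) return null; // spam to the bounce box stops here
    // The To: line of the included message, as the thread describes.
    if (preg_match('/^To:\s*<?([^\s<>]+@[^\s<>]+)>?/mi', $body, $m)) return $m[1];
    return null;
}

// Constructed samples modelled on the thread (placeholder sender address).
$spam = "Return-Path: <sender@example.com>\nTo: <koeln@mydomain.tld>\nSubject: big up-grade\n\nGet it now\n";
$bounce = "Return-Path: <>\nTo: bounce@mydomain.tld\nSubject: failure notice\n\n"
        . "--- Below this line is a copy of the message.\n\nTo: <koeln@mydomain.tld>\nSubject: Newsletter\n";
var_dump(bounce_target($spam));   // not a bounce: no removal
var_dump(bounce_target($bounce)); // genuine bounce: address from the included copy
```

Return-Path is written by the delivering MTA, so the check only works when the script sees the message after final delivery. It filters ordinary spam but does not authenticate a bounce; per-recipient bounce addresses (VERP) are the stronger control.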

wagenknecht

  • Posts: 7
« Reply #2 on: July 19, 2006, 05:20:39 am »
I added your modification - thanks for this fast response! :) Time will tell if it works *g*
Strange - now I am waiting for some SPAM... *just kidding*

Kind regards

Joerg W.

BGSWebDesign

  • Posts: 625
    • http://www.bgswebdesign.com
« Reply #3 on: July 19, 2006, 07:34:13 am »
Hi Joerg,

Quote
I get users removed due to SPAM that is sent to the bounce-to address...


Hmmm, but that must ONLY happen IF the email also has the exact TO Email address of a user in your database - is that right?

I don't see how else that could happen... Sure, spammers can fake you as a sender and act like they are sending FROM your account, BUT, how could they guess your users' email addresses?  Please tell me more about how you think this is working?

Ok, I see you also say:
Quote
It only affects those subscribers from within the customers domain


Ok, so you say IF a spammer sends SPAM and they are using a faked email address as the FROM domain - that ANY of your users with that same Domain name as their domain will bounce??? That means if someone does a fake FROM aol.com, it would cause ALL users with aol.com as the domain to be bounced?

Is that really what is happening DW?  IF that is what is happening this is a HUGE, HUGE issue... since eventually then - EVERY SINGLE SUBSCRIBER in your Users Database would bounce!
Thanks,
-Brett
http://www.bgswebdesign.com/Contact-Us.php

*** I do custom List Mail Pro installations ***
Contact me through my website (above)

wagenknecht

  • Posts: 7
« Reply #4 on: July 19, 2006, 07:44:30 am »
Quote from: "webshaman"
Is that really what is happening DW?  IF that is what is happening this is a HUGE, HUGE issue... since eventually then - EVERY SINGLE SUBSCRIBER in your Users Database would bounce!

No, it only affected name@domain.tld addresses when domain.tld is the client's (aka sender's) own address...
This email address somehow got harvested by a spammer and now gets SPAM to the bounce-to address.
Never noticed any other subscriber getting "lost" due to this way...

BGSWebDesign

  • Posts: 625
    • http://www.bgswebdesign.com
« Reply #5 on: July 19, 2006, 08:03:57 am »
Hi,

Ok, I got it...

Quote
somehow got harvested by a spammer and now gets SPAM to the bounce-to address


That's still a problem, so what you're saying is that if a spammer wanted to remove all of the users from your database, they would try to harvest everyone they thought existed in your database and then send spam coming from your bounce to email address, is that right?

I know it doesn't sound possible, but if someone really wanted to damage your company it sounds like they could sure try... by spamming millions of email addresses as coming from your bounce-to-address, and hope that enough of these people are in your mailing list to remove them all....  :twisted:  now that is really, really twisted - and scary...

Anything that can be done about that DW?
Thanks,
-Brett