What Should I Do About "Returned" E-mails I Never Sent?

benalias

Ok, maybe this is a really "dumb" question that I should know the
answer to, but I don't, and haven't seen it discussed elsewhere, so
I'll ask it here: What should I do about all these "returned" e-mails
I am getting that I never sent? I assume that SoBig.F or Klez or
Blaster or some other malicious code program is "spoofing" my e-mail
address(es) and sending out various messages--almost always to people
I never heard of--with virus or malicious code packages attached, and
then these messages are "bouncing" and being sent back to me--usually
with their virus "packages" attached.

So, what are my options here? And what is the best option?

I should say that I have multiple defenses against getting infected by
a virus or other malicious code program (knock on wood). So that is
not really the problem. The problem is the "clog" of the system due to
all these bogus messages.

EarthLink, my ISP, has an "address blocker" feature. Should I just
block out every address that is sending back such messages? These
addresses usually take the form of
(e-mail address removed)

But some of these are from AOL or YahooGroups, and I might need to be
able to get notices from these addresses in the future, so am
reluctant to block them.

Also, it is unclear whether blocking will help solve the "social"
problem, or whether it will just increase the number of "bounced"
messages bouncing around and clogging the system. In other words, it
might just make the "macro" problem even worse.

Any help or any references to other web sources that discuss this
problem would be welcomed.

TIA.

Ben
 
W.S.Blevins

> Ok, maybe this is a really "dumb" question that I should know the
> answer to, but I don't, and haven't seen it discussed elsewhere, so
> I'll ask it here: What should I do about all these "returned" e-mails
> I am getting that I never sent?

Delete them.
 
W.S.Blevins

> Because there's not much else you can do, the sorry excuse for a virus
> scanner on the other end was too stupid to detect the email address was
> spoofed or the mail was relayed and not actually sent by you .... Since I
> receive many of those every day I sometimes reply out of pure frustration:

Virus scanners aren't designed to determine if a return address is
valid or not. They are designed to detect viruses.
 
W.S.Blevins

> Since it is typically viruses spoofing email addresses, and spammers relaying,
> you'd expect a virus scanner to use simple rules of thumb to determine if an
> email address is valid or not.

As in the case of the recent (and previous) worms, they infected
millions of computers and harvested even more email addresses from the
victim's computers. There is no way for any AV to determine whether
the origin of the message is valid or not. Only that the attachment is
infected.

> Many of the recent messages are 'triggered' by the Sobig virus. So, if the
> scanner *knows* the Sobig virus (after all it intercepted it), and *knows*
> the actual payload of the virus, it also *knows* that it is highly unlikely
> that the email address it is sending its notification to, isn't the actual
> sender of the 'infected' message. In other words, it's stupid and serves no
> purpose.

That's the job of the admin that set up the auto-responder on the mail
server, not the AV vendor. Again, anti-virus programs detect/disinfect
viruses. That's what they do. If you are getting barraged with
"returned mail" either delete it or filter it. It's pretty simple.
 
benalias

> <shakes head>
>
> Plonk

Well, I think that is quite arrogant and rude, among other things.

"Plonk," if I understand it correctly, means that you have
"killfiltered" me, so you will not be reading this message.
But I have to allow for the possibility that you have not done so, or
else just allow someone else to continue the conversation.

Blevins said:
> If you are getting barraged with
> "returned mail" either delete it or filter it.

This seems to me to contradict Blevins' earlier comments, which implied
that deletion was the only option and/or that its merits were
self-evident.

In fact, it seems that there are (at least) four basic options
available:

1. Deletion
2. Filtering
3. Address Blocking
4. Writing the administrator in charge of the auto-responder to
request that such auto-responses be stopped (or limited), etc.

These options are not necessarily mutually exclusive.

If there are other options, I'd be interested in finding out what they
are and having their respective merits discussed.

TIA.

Ben
 
Joep

Because there's not much else you can do, the sorry excuse for a virus
scanner on the other end was too stupid to detect the email address was
spoofed or the mail was relayed and not actually sent by you .... Since I
receive many of those every day I sometimes reply out of pure frustration:

Dear thickhead admin,

I *never* sent this email, so your warning serves no purpose! The email
address is spoofed. If your excuse for a 'virus scanner' has a problem
detecting an email address was in fact spoofed, I suggest you turn off this
worthless 'reply to sender' feature. It is likely 9 out of 10 people you are
sending this notification to didn't in fact send the potentially dangerous
email. Your notification does not serve any purpose other than wasting
bandwidth.
 
Joep

> Virus scanners aren't designed to determine if a return address is
> valid or not.

Then, if you don't know if the address is right (while it is in fact easy to
make educated guesses about that), don't send a message. It is actually very
easy to make educated guesses about the validity of email addresses. Since
it is typically viruses spoofing email addresses, and spammers relaying,
you'd expect a virus scanner to use simple rules of thumb to determine if an
email address is valid or not. Using rules of thumb or 'heuristics' that
determine the validity of an email address can be an additional criterion to
distrust an email message and treat it with extra care.

> They are designed to detect viruses.

Sure, who argues that? It is very good the scanner did intercept the virus,
however since I wasn't the one who sent it (and neither OP), I *DON'T* wanna
know about it. The detection of the virus, as you pointed out, is the
primary task for the virus scanner, sending useless messages isn't one and
that's the point. I receive many of those messages every day, because
*other* people's PCs are infected, something I cannot do anything about.

Many of the recent messages are 'triggered' by the Sobig virus. So, if the
scanner *knows* the Sobig virus (after all it intercepted it), and *knows*
the actual payload of the virus, it also *knows* that it is highly unlikely
that the email address it is sending its notification to, isn't the actual
sender of the 'infected' message. In other words, it's stupid and serves no
purpose.
 
Joep

W.S.Blevins said:
posted the following useless information:

> As in the case of the recent (and previous) worms, they infected
> millions of computers and harvested even more email addresses from the
> victim's computers.

Indeed, good point. That's the 'issue' I am talking about, still the
*harvested addresses* is where the stupid AV tools send their messages
although it is NOT those computers that sent the infected email so they
*don't* need to be notified. Assume the infected PC contains 150 references
to email addresses, it means potentially 150 AV scanners will send 150
messages to PCs that are NOT infected.

> There is no way for any AV to determine whether
> the origin of the message is valid or not.

That's what you don't get, simple 'rules of thumb / common sense' allow you
to make an educated guess about validity of an email address. And even so,
if they're too stupid for that, it is more economical to NOT reply to sender
as in 9 out of 10 cases it's just a waste of bandwidth.

> That's the job of the admin that set up the auto-responder on the mail
> server, not the AV vendor.

First, that's your opinion, and second, even so, AV products can start using
a little more common sense to begin with and not send those useless messages.

> Again, anti-virus programs detect/disinfect
> viruses.

Yes, we *both* know that and we agree on that, no point in keeping repeating
this.

> That's what they do.

Sigh ... yes, that *PLUS* sending useless messages, that's the point ...

> If you are getting barraged with
> "returned mail" either delete it or filter it. It's pretty simple.

Yes it is simple, I am glad you see this, and in fact I am doing this with
some home-made software to delete such messages from the server.

Now, if I can with this simple tool, determine email is bad (and I am not
all that smart but at least smarter than you it seems), relayed or using
spoofed addresses (as *that* is pretty simple as well), why can't AV tools?!
That's the whole point you seem to miss. With my simple home-made tool I
delete spoofed, relayed AND most infected messages. It *stops the unwanted
emails* (like you expect your AV product to do) rather than *replying* to
those messages and triggering a chain of useless and undesired email traffic
like the AV tools do.

So summarizing: The fact they *stop the virus* is GOOD, the fact that they
*send useless messages* is STUPID. Now, which part of that you didn't get?
 
FromTheRafters

> Ok, maybe this is a really "dumb" question that I should know the
> answer to, but I don't, and haven't seen it discussed elsewhere, so
> I'll ask it here: What should I do about all these "returned" e-mails
> I am getting that I never sent?

Delete them if you have downloaded them, they are pretty
much useless unless you want to hassle the sending party
about sending them (which they deserve).

> I assume that SoBig.F or Klez or
> Blaster

Not Blaster, it is not an e-mail worm.

> or some other malicious code program is "spoofing" my e-mail
> address(es) and sending out various messages--almost always to people
> I never heard of--with virus or malicious code packages attached,

Or spam doing the same sort of thing, only perhaps without the
malicious code.

> and
> then these messages are "bouncing" and being sent back to me--usually
> with their virus "packages" attached.

That's right, the mail is either bounced due to an invalid address,
or filtered as malware and a notification is sent, but to the wrong
person.

> So, what are my options here? And what is the best option?

Best for whom?

> I should say that I have multiple defenses against getting infected by
> a virus or other malicious code program (knock on wood). So that is
> not really the problem. The problem is the "clog" of the system due to
> all these bogus messages.

The clogging of your account mailbox at your ISP can be avoided
if you frequently purge it. I use Mailwasher which can delete the mails
from the server.

> EarthLink, my ISP, has an "address blocker" feature.

Even better, that way you don't have to try to keep up
with the incoming crap by being online like I do with
Mailwasher.

> Should I just
> block out every address that is sending back such messages? These
> addresses usually take the form of
> (e-mail address removed)

Yes, that would be best (imo) but a lot depends on what
the ISP's filter is capable of doing.

> But some of these are from AOL or YahooGroups, and I might need to be
> able to get notices from these addresses in the future, so am
> reluctant to block them.

I don't know the capabilities of your ISP's filtering, but it
is possible with some filters to set a rule for the addresses
that you want to pass through the filter, and then subsequent
rules for the others. This way you would set e-mail with AOL
and Yahoo addresses to 'not process any further rules', and
thus avoid them being deleted by the second rule which would
be 'delete all with MAILER-DAEMON in the address'.

> Also, it is unclear whether blocking will help solve the "social"
> problem,

No, it does nothing to help solve the social aspect of the problem.
Filtering or deleting (or bouncing) spam does nothing to solve the
spam problem either. Only harassment of the enablers seems to
have any real value.

> or whether it will just increase the number of "bounced"
> messages bouncing around and clogging the system.

Filtering (deleting) does not bounce anything, neither does it
address the cause of the problem. Only harassing the one
that sent you the unwanted (and undeserved) message will
have a chance of having any effect at all.

(keep in mind that a Mailer-Daemon is not a person, but
rather is a program that makes automated replies, so it is
senseless to argue with one)

> In other words, it
> might just make the "macro" problem even worse.

....or at least, no better.

Bouncing makes it worse, but there is a need for legitimate bouncing.

> Any help or any references to other web sources that discuss this
> problem would be welcomed

There must be some, but I can't help you there.
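
The ordered-rule filtering described in the post above, as an added example that is not part of the original thread: a pass-through rule for AOL/Yahoo first, then "delete all with MAILER-DAEMON in the address", with the reversed order shown to make clear why rule order matters. It goes one step beyond the post by also keeping bounces that quote a Message-ID you really sent; the `SENT_IDS` log, the sample mailbox and the plain-text quoting of the original headers are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: Message-IDs of mail this account really sent (e.g. from a sent-mail log).
SENT_IDS = {"<20030901.1@ben.example>"}

# Constructed sample mailbox; all addresses and IDs are made up.
MAILBOX = [
    "From: MAILER-DAEMON@mail.example.net\nSubject: Virus found in your mail\n\n"
    "Message-ID: <forged.77@infected.example>\n",
    "From: MAILER-DAEMON@mail.example.net\nSubject: Returned mail: user unknown\n\n"
    "Message-ID: <20030901.1@ben.example>\n",
    "From: Mail Delivery Subsystem <MAILER-DAEMON@aol.com>\nSubject: Delivery problem\n\n"
    "Message-ID: <forged.78@infected.example>\n",
    "From: friend@example.org\nSubject: lunch?\n\nSee you at noon.\n",
]

def sender(msg):
    """Lower-cased address taken from the From: header."""
    return parseaddr(msg.get("From", ""))[1].lower()

def from_domain(*domains):
    return lambda msg: sender(msg).rpartition("@")[2] in domains

def bounce_of_own_mail(msg):
    """True when the bounce quotes a Message-ID this account actually sent."""
    ids = re.findall(r"^Message-ID:\s*(<[^>]+>)", msg.get_payload(), re.I | re.M)
    return any(i in SENT_IDS for i in ids)

def from_mailer_daemon(msg):
    return "mailer-daemon" in sender(msg)

# Ordered rules; the first match decides and no further rules are processed.
RULES = [
    (from_domain("aol.com", "yahoogroups.com"), "keep"),
    (bounce_of_own_mail, "keep"),
    (from_mailer_daemon, "delete"),
]

def triage(mailbox, rules=RULES):
    """Return one 'keep'/'delete' decision per message; unmatched mail is kept."""
    out = []
    for raw in mailbox:
        msg = message_from_string(raw)
        out.append(next((act for test, act in rules if test(msg)), "keep"))
    return out

if __name__ == "__main__":
    print(triage(MAILBOX))               # pass-through rules first
    print(triage(MAILBOX, RULES[::-1]))  # reversed: the delete rule swallows everything
```

With the delete rule evaluated first, both the AOL notice and the legitimate bounce are lost, which is the outcome the "not process any further rules" ordering is meant to prevent.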
 
FromTheRafters

W.S.Blevins said:
> Unless you have very little else to do, deleting them and going about
> your business requires the least effort.

Indeed, but it doesn't do anything to help.

The OP asked about helping on a social scale as well as
just how to deal on a personal level.

Apathy is the world's #1 problem, but who gives a shit....
 
David

But really what does help on a social scale? If you reply to these messages
are you only creating another email that ends up unread in a system's
"trashcan"? Or will someone read it and decide it is time to reconfigure
their email server? Or was the server reconfigured after the last fifty
people decided to email the admin or support staff so you added wasted a few
seconds of someone's time? Or is it simply another email with or without a
virus attached that has a forged address?

It's sometimes a tough call. Maybe sending one less email does help. And
then again maybe your email is the one that makes someone else decide a
different configuration setting is better. But keep in mind that chances are
good these days that if it has an attachment it is a virus and the sender's
address is forged. And if it doesn't have an attachment it may be the result
of someone else's system propagating a virus.

Do what makes you feel best about what you are doing!
 
