Goodbye catch-all

Paul: Stilgar, do we have backscatter?
Stilgar: Usul, we have backscatter the likes of which God himself has never seen!

I'm a little busy today, which was why I was not pleased when one of my mailservers chose to start refusing mail. Restarting the server didn't resolve the matter, but I noticed that the mail queue was unusually large. Then the bounces started arriving.

Yesterday I had noticed some new stock spams promoting RCHN.PK. They're embedded-image spams, but the style was subtly different from anything I'd seen previously. It occurred to me that this might have been a new arrival on the now-crowded stock spam scene.

This morning, the RHCN.PK spammer decided to use invented addresses at a domain that I manage in the 'From:' lines of his messages. For historical reasons, the catch-all address was enabled on this domain and any messages that don't get processed there are pushed on to another mail server for handling. That second mail server was staggering under a near constant barrage of bounce messages triggered by the spammer's attempt to deliver to nonexistent or invalid addresses.

The obvious solution was to turn off the catch-all address and blackhole anything sent to an unrecognized address. The bounces are still hitting the upstream server, but that's relatively robust and appears to be able to take it. At least the backscatter isn't ending up in anyone's mailbox or preventing legitimate mail from moving through the back-end server.

One thing that strikes me is the uselessness of bounce messages. Yes, it is important for a mail system to report when it can't deliver mail. Unfortunately, the lack of any kind of standard for indicating a bounce means that automatic identification of the bounce is next to impossible. Bounces are human-readable only: they come with a hundred different subject lines, a hundred different formats and a hundred different senders (those that put the 'sender' of the bounced message in the 'From:' line are the most irritating of all), in what appears to be a hundred different languages (among others, the spammer is bombarding thousands of Japanese addresses with advertisements for US small-cap stocks: good thinking there, spam boy). There's apparently no standard way for a message to say "This is a non-delivery report". Or at least not one that is honored by about half the MTAs out there.
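Added here as an example, not code from the original post: a bounce classifier in Python. One caveat to the paragraph above is that a machine-readable format does exist. RFC 3464 delivery status notifications are multipart/report messages with a message/delivery-status part that lists each failed recipient, and RFC 5321 requires non-delivery reports to be sent with an empty envelope sender, which shows up as "Return-Path: <>" once the receiving MTA records it. The classifier checks those two signals first and only then falls back to the subject-line and daemon-name guessing that the non-conforming bouncers force on you. The subject fragments, the daemon localparts and the four sample messages are my own constructions (example.* domains), not data from the post.

```python
"""
Added example, not code from the original post: classify raw mail as bounces.
Signals, most to least trustworthy: RFC 3464 DSN structure; the null envelope
sender (RFC 5321 MAIL FROM:<>, recorded by the receiving MTA as Return-Path: <>);
and, last, daemon-style From: localparts and subject strings.  From: alone is
never trusted, because some bouncers copy the forged sender into it.
"""
import email
import email.header
import email.utils
import re
from email.message import Message

DAEMON_LOCALPARTS = {"mailer-daemon", "postmaster", "mail-daemon"}  # assumed set
# Subject fragments of non-RFC-3464 bounces, English and Japanese (assumed set).
SUBJECT_PATTERNS = re.compile(
    r"undeliver|returned mail|delivery (status|failure)|mail delivery failed"
    r"|failure notice|配信不能|配信できません", re.IGNORECASE)

def _decode_header(value):
    """Decode RFC 2047 encoded words; non-ASCII bounce subjects arrive that way."""
    out = []
    for text, charset in email.header.decode_header(value):
        if isinstance(text, bytes):
            text = text.decode(charset or "ascii", "replace")
        out.append(text)
    return "".join(out)

def _dsn_failed_recipients(msg):
    """Failed recipients if msg is an RFC 3464 DSN, otherwise None."""
    if msg.get_content_type() != "multipart/report":
        return None
    if (msg.get_param("report-type") or "").lower() != "delivery-status":
        return None
    failed = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        # The email package parses a delivery-status body into one Message per
        # blank-line-separated block: per-message fields, then one per recipient.
        for block in part.get_payload():
            if not isinstance(block, Message):
                continue
            action = (block.get("Action") or "").strip().lower()
            final = block.get("Final-Recipient") or ""
            if action == "failed" and ";" in final:
                failed.append(final.split(";", 1)[1].strip())
    return failed

def classify(raw):
    """Return {"is_bounce", "method", "failed_recipients"} for one raw message."""
    msg = email.message_from_string(raw)
    result = {"is_bounce": False, "method": None, "failed_recipients": []}
    dsn = _dsn_failed_recipients(msg)
    if dsn is not None:
        result.update(is_bounce=True, method="rfc3464", failed_recipients=dsn)
        return result
    return_path = msg.get("Return-Path")
    if return_path is not None and return_path.strip() == "<>":
        result.update(is_bounce=True, method="null-sender")
        return result
    sender = email.utils.parseaddr(msg.get("From", ""))[1].split("@")[0].lower()
    subject = _decode_header(msg.get("Subject", ""))
    if sender in DAEMON_LOCALPARTS or SUBJECT_PATTERNS.search(subject):
        result.update(is_bounce=True, method="heuristic")
    return result

# Constructed samples (example.* domains only), not messages from the post.
DSN_SAMPLE = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.example.org>
To: forged.sender@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The mail system could not deliver your message.

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.org

Final-Recipient: rfc822; nobody@example.org
Action: failed
Status: 5.1.1

--B1--
"""
NULL_SENDER_SAMPLE = (
    "Return-Path: <>\nFrom: MAILER-DAEMON@mail.example.net\n"
    "To: forged.sender@example.com\nSubject: Returned mail: see transcript for details\n"
    "\nThe original message could not be delivered.\n")
# The irritating case: forged sender copied into From:, no Return-Path, Japanese subject.
FORGED_FROM_SAMPLE = (
    "From: forged.sender@example.com\nTo: forged.sender@example.com\n"
    "Subject: =?UTF-8?B?6YWN5L+h5LiN6IO9?=\n\nThe message could not be delivered.\n")
NORMAL_SAMPLE = (
    "Return-Path: <alice@example.com>\nFrom: Alice <alice@example.com>\n"
    "To: bob@example.org\nSubject: Re: lunch tomorrow?\n\nNoon works for me.\n")

if __name__ == "__main__":
    for sample in (DSN_SAMPLE, NULL_SENDER_SAMPLE, FORGED_FROM_SAMPLE, NORMAL_SAMPLE):
        print(classify(sample))
```

For backscatter triage the useful split is between the first two methods and the third: anything caught as an RFC 3464 DSN or by the null envelope sender can be discarded or rate-limited without a human reading it, and only the heuristic bucket needs the per-MTA string matching. Feed it the raw text of a queued message; it does not need the envelope, but it does need whichever Return-Path header your MTA adds on final delivery.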

The scary part is the sheer volume. The very prolific 'pastel stock spammer' used to generate about 30-50 bounce messages a day when he was forging addresses at another of my domains, apparently because he shifted domains every few thousand messages in order to avoid filtering. This new one generated literally thousands of bounces in half an hour. This may give some indication of the volume that he's sending.

A few days ago, I exchanged mail with someone who felt that spammers should be given the death penalty (he said the idea had been suggested to him by a website run by a priest, implying that the Church may be having second thoughts about that "turn the other cheek" stuff). I suggested that this might be a little too extreme, given that spamming is typically not a violent crime.

I still feel that way, but the strength of my conviction has been diminished slightly by recent events. At this point, I think it would only take a couple more DDoS attacks on my infrastructure for me to start calling for more drastic measures to be taken. I don't really think we should start sticking the severed heads of spammers on pikes along the edges of our major roads, but it's certainly not the least appealing idea I've heard this week. If someone wanted to propose it as an extension to the CAN-SPAM Act, I wouldn't rush to call my congressperson to tell them to vote against the measure.
