this post was submitted on 26 Apr 2025
39 points (97.6% liked)

Cybersecurity

14 readers
9 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Rules

Community Rules

founded 2 years ago
MODERATORS
[email protected]
[email protected]
39
Did you know that if a spammer uses your email address as the FROM: address, which is easy to do, all the bounce messages will go to your email address? If the spammer really hates you, they will send (hear-me.social)
submitted 1 week ago by [email protected] to c/[email protected]
35 comments fedilink hide all child comments
 

Did you know that if a spammer uses your email address as the FROM: address, which is easy to do, all the bounce messages will go to your email address? If the spammer really hates you, they will send millions of emails with your FROM: address and you will get a million bounce messages.

Can you stop this or prevent this? No

Why would a mail provider send you a bounce message, knowing you're innocent? Because that's how someone wrote the protocol back then, and nobody changes it or does it differently because ... reasons.

Does the spammer get a bounce message? Nope, not one.

Does the SMTP sending account owner whose credentials were stolen be notified about bounces so they can stop the spam? Nope.

Just millions of emails sent every day to poor schlameels who have no idea why they are getting them and who can't do anything about them.

The more I learn about the email protocols, the more I realize how terrible the design is.

#emailsecurity #spoofing #cybersecurity #spam

you are viewing a single comment's thread
view the rest of the comments
[โ€“] ExperimentalGuy 2 points 6 days ago (1 children)

I haven't looked into email in a while, but I'm pretty sure this is like saying TCP is insecure. Like yeah, if you communicate using plaintext over TCP you are vulnerable but most out of the box solutions nowadays don't even function that way. You'd have to go write your own application that communicates using plaintext over TCP.

In the same vein, the boxes out there that just run SMTP without any security would be the same way, but most boxes won't be susceptible to this attack because very few people are running just SMTP.

Disclaimer: I have not read up on SMTP in awhile but iirc, SMTP works with very little verification and is very susceptible to a lot of different attacks by itself.

[โ€“] [email protected] 1 points 6 days ago

@[email protected] This doesn't involve security. This is just about a protocol that says a server must let you know, via one email for each rejection, that an email with your from address couldn't be delivered, regardless of whether you sent it.

It's a procedural problem.

If a spammer sends 5 million emails with your email address in the FROM: then you can expect hundreds of thousands of messages from your email provider telling you that it couldn't deliver an email, for whatever reason.

Here. Let Google explain it: https://support.google.com/mail/thread/209018675/my-sent-email-box-is-filling-up-with-bounce-emails-and-emails-i-did-not-send-my-inbox-is-fine?hl=en