# [Solved]Spam is getting out of control

## grooveman

Hi.

I run a sendmail server.  I have been for years, and never had any problems.  For about the last 16 months or so, however, spam started to seep in past my filters.  I use spamassassin, I only allow ssl/tls traffic, I use three different SBLs (including spamhaus), I force authentication for all smtp, imap and pop traffic and I do not allow relay from any other servers.  It has always been good enough.  But not anymore.  Messages squeak through with spamicity ratings of 2.0 and less.  Baysean analysis is cranked as far is reason allows, and they still slip through, no matter how much the filter is trained.  Spamassassin still bags about 75% of the total spam load coming in, but it still allows hundreds of spam emails through.  My users are starting to miss legitimate email, and accidentally delete them because legit email is becoming the needle in the haystack.

I have googled on this for hours on end, and I cannot seem to find anything new on good practices for reducing spam.  I did notice, however, that people are implementing things like SPF, DMARC and DKIM...  I'm finding spotty information on how this applies to sendmail, and that few DNS providers actually support these records.  Are these methods what people are using now days to stave-off spam?  I don't have much time for this these days, and it looks like a LOT of work to set these things up... 

Anyone out there managing an email server now and able to more or less thwart their spam?

Thanks.

G

----------

## eccerr0r

I guess this is an advantage of google, hotmail, yahoo, etc. that collate a bunch of peoples' mail and thus can easily check mass produced mail from a particular server and cut them off...(which has the other side of the coin, google indeed is looking at your mails!).

I don't know if there really is a good solution.  Best we had was learning like as you said, bayesian), but I ended up using a different approach: make sure I toss out spam ridden email addresses and make a new one...  Any questionable email address gets its own disposable email address.  Perhaps forward it to your 'main' address and remove the forwarding once spam through that avenue gets too high.

Yes, this is a pain to manage, but it's the best the small mail servers can do...

----------

## UberLord

 *grooveman wrote:*   

> Are these methods what people are using now days to stave-off spam?

 

I've been using DSPAM for many years now with great success.

My mail server processes anywhere from 2k-10k messages per week of which about 99% is spam. I rarely see a spam in my inbox, and even rarer a false positive.

Very very happy with my setup, as are other family members who also have a @marples.name account.

----------

## NeddySeagoon

grooveman,

I use spamdyke in front of qmail.

I think the most effective filter is greylisting. Most spammers don't retry.

----------

## msst

 *Quote:*   

> Anyone out there managing an email server now and able to more or less thwart their spam? 

 

Yes, still working a lot better than hotmail and co. I think the freemailers have slowly been getting better, but they still allow quite some spam through!

Statistics over last 6 weeks were

ca. 750 received (accepted) emails from 250 hosts

ca. 3000 hard-rejects at SMTP level from 800 hosts (all from detected spam)

ca. 11000 tempfails (mostly greylisting including too fast retries / delivery attempts)

Connection refused not counted, but likely even more...

Amount of spam delivered last 6 weeks was exactly 0. Normal is 1 per Quarter to slip through. There is 1-2 false positives per year, so such an aggressive spam filtering is not viable for a corporate site I guess.

What helps IMHO:

1. Adaptive greylisting (Known servers, whitelisted senders addresses and mails with super low spamscore bypass it, all that is remotely suspicious gets tested). Notice that 90% of all received legitimate emails come from known senders or mailservers!

2. Enable DCC / Razor checks in spamassassin! Almost all spam that hits here triggers this as well. Great for bumping score!

3. Use verify in exim (no callouts though), many spammers dont do their nameserver homework etc.

4. Use rejects on SMTP level with some 20sec teergrubing - seems to lower spam attack ratio on the long run. I did have >>90% spam attempts once

5. Hardblock "@googlegroups.com" at rcpt-smtp level. It is unbelievable how bad google behaves here. This ranks relatively high on my reject list! If anyone else than google would misbehave so much their servers would be blackholed since a long time.

6. Also hardblock any connection opened fromsbl-xbl.spamhaus.org. This is usually safe as only active bot infested IPs and deliberate spammers get listed here

What does not help:

1. DKIM - is a good idea to support nevertheless, but it will not really help against spam

2. SPF - that is even detrimental. Don't use it! Spam seems to have a higher SPF pass ratio than average mail. I would rather use it as a spam indication if it has a SPF pass! Almost ridiculous and anyway a fundmentally flawed idea.

Here is an example of a spam that spamassassin just barely cought, eg a "dangerous" SPAM:

```
-0.0 RCVD_IN_MSPIKE_H4      RBL: Very Good reputation (+4)

 -0.0 SPF_PASS             

 -0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay

                             domain

  0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail

                             domains are different

  0.8 BAYES_50               BODY: 40-60% [score: 0.5035]

  0.0 HTML_FONT_LOW_CONTRAST BODY

  0.0 T_KAM_HTML_FONT_INVALID BODY

  0.6 HTML_IMAGE_RATIO_04    BODY

  0.0 HTML_MESSAGE           BODY

  0.6 SARE_UNI               RAW: No description available.

  0.9 RAZOR2_CHECK           Listed Razor2 system (http://razor.sf.net/)

 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature

  1.9 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50% [cf: 100]

  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid

  0.5 RAZOR2_CF_RANGE_51_100 Razor2 [cf: 100]

 -0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders

```

As you can see the main contributor to catch this one was the razor check. Sometimes also DCC hits first. It was consequently greylisted. After some hours greylisting they either do not return or DCC and other checks start to catch them as well and they get hard-rejected then later.

So the combination of DCC / razor and greylisting is mainly responsible for blocking the "clever spammers".

----------

## grooveman

Hmm... you guys have given me some things to think about here.  I appreciate your input here (and welcome any more).  I hope to have some time here soon to explore these options.

You guys are great.

Thanks.

G

----------

## grooveman

I made a few tweaks and implemented dcc (as recommended by mas).  Things still slipping through, though it seems like the filter got a little stronger (time will tell).

Here is an example of one of the nasty ones... actually scores a zero on Spamassassin, and gets past my SBLs.

```
Return-Path: <Touchfire@1brightbox.science>

Received: from 5tsexxtc.1brightbox.science (5tsexxtc.1brightbox.science [66.248.195.178])

   by myserver.com (8.14.4/8.14.4/Debian-4) with ESMTP id t5RIb5io009785

   for <eml_fin@myserver.com>; Sat, 27 Jun 2015 14:37:15 -0400

Received: from 022eedc9.5tsexxtc.1brightbox.science (amavisd, port 6347)

   by 5tsexxtc.1brightbox.science with ESMTP id 02MEE2EEDWEVC9;

   for <eml_fin@myserver.com>; Sat, 27 Jun 2015 11:37:03 -0700

Date: Sat, 27 Jun 2015 11:37:03 -0700

To: <eml_fin@myserver.com>

Message-ID: <33472523662661433477168234439@5tsexxtc.1brightbox.science>

From: "Touchfire" <Touchfire@1brightbox.science>

Subject: TIME Magazine Called This iPad Product Ingenious. Do you Agree?

Content-Language: en-us

MIME-Version: 1.0

Content-Transfer-Encoding: 8bit

Content-Type: multipart/alternative;

   boundary="----=Part.852.3144.1435430223"

X-Spam-Status: No, score=-0.0 required=5.0 tests=HTML_MESSAGE,SPF_PASS,

   T_RP_MATCHES_RCVD,UNPARSEABLE_RELAY autolearn=disabled version=3.3.2

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on

   mx2.myserver.com

X-Virus-Scanned: clamav-milter 0.98.5 at mx2.myserver.com

X-Virus-Status: Clean

------=Part.852.3144.1435430223

Content-Transfer-Encoding: 8bit

Content-Type: text/plain; charset="UTF-8"

Touchfire

Transform your IPad into a laptop replacement

http://www.1brightbox.science/l/lt7Q3347AU68V/71BY234HT439L33A36626614K1123599282

See Touchfire in action

http://www.1brightbox.science/l/lt7J3347YL68H/71HE234FK439C33H36626614F1123599282

Click here

http://www.1brightbox.science/l/lt7M3347DO68D/71RW234EK439R33F36626614C1123599282

Touchfire Case & Keyboard

Touchfire, Inc. | 1117 NW 54th Street | Seattle, WA 98107

If you'd prefer not to receive future emails, Unsubscribe Here.
```

----------

## grooveman

Ok... We are going on day 5 here, and I think I have this locked down.  Adding DCC support gave it a little nudge, but was not enough.  The silver bullet here was grey listing.  I installed milter-greylist -- and what a difference!  I had to disable the SPF exclusion, because all of these spams coming through had valid SPF records.

Implementing even a very lenient policy in grey-listing gives the SBLs out there enough time to catch these most nefarious spammers (who really seem to have done their homework on anti-spam measures).

I've always been leery of grey listing, and never used to need it, but when mails can get past SpamAssassin with scores of 2 and lower (even zero, as above) with the million tests it does AND have valid SPF records it became impossible to manage without.  It really isn't that bad either, so far not causing any issues and it drove my spam bagging accuracy way above 99% now (in combination with SA).

Thank you mas-!

G

----------

## msst

As an update, especially as you mentioned:

 *Quote:*   

> 
> 
> Return-Path: <Touchfire@1brightbox.science> 

 

I saw over the last year a stiff rise in spam originating from a number of pretty useless gTLDs such as .science, but even worse .xyz, .date, .pw,  .win and other. 

Basically it seems that really almost noone uses these worthless domains for useful / legitimate websites and mail. So I get the feeling several of these shady businesses started to give discounts to spam operators who seem to use newly registered domain names as throwaway spam dumps.

This helps them overcome DNS checks looking for likely botnet /d ynamic senders and avoiding misconfigured rDNS.

And as a consequence I am now forcing all emails coming from such suspicious low-reputuation gTLDs through a non-adaptive greylisting, regardless of their spam-score or other spam-signs. So far that helps 100%, as I have seen no retries exceeding 30 minutes from any of these spam senders. They definitely have no meaningful resending schedule and seem to burn these domains quite fast.

I am excepting a few of the more meaningful gTLDs such as .aero and .name from this, as I have so far not seen spam from them.

----------

## grooveman

Interesting.  

I'm finding that greylisting seems to be enough.  The biggest problem was the office 365 users.  MS does some crazy round-robin and obfuscating tactics to ensure that you almost never get the same originating IP twice -- and to make matters worse, they seem to hold on to resend requests for several hours... sometimes nearly a day.  That was angering some of my user base. Got around it though with wildcard usage in my greylist.conf.

I am curious though, you say you use adaptive greylisting.  How is the "adaptive" portion accomplished?  Through your own personal scripting, or does your greylist software accommodate this?  I'm using sendmail with milter-greylist.  What do you use?

Thanks  :Smile: 

-G

----------

## msst

 *Quote:*   

> I am curious though, you say you use adaptive greylisting. How is the "adaptive" portion accomplished? Through your own personal scripting, or does your greylist software accommodate this? I'm using sendmail with milter-greylist. What do you use? 

 

I use exim with a heavily customized exim.conf and spamassassin with the almost complete plugin list. The greylisting is done directly from exim with sql queries. So no greylist software, it sits in exim.conf, "personal scripting" one could call it.

The adaptive part is done by only greylisting "somewhat spammy" emails. I use the spamassassin score, some not-sufficiently reliable RBLs and some custom stuff to determine that and to exclude/include domains in the greylisting. Such as these gTLDs that are now always (non-adaptively) greylisted by marking them "somewhat spammy".

Mails with a higher spam-probability get teergrubed and 500 rejected immediately. Mails without any spamminess (or anything autowhitelisted) gets through immediately.

The hard to decide (somewhat spammy) stuff gets greylisted for 6-18 hours depending. Then I reevaluate the post and either let it pass or reject it seeing how the score developed.

This works well because it does not delay most of the normal first-time emails, only few are affected. Regular email correspondents are anyway auto-whitelisted. Only those emails with some spamminess get delayed and the vast majority will finally be dropped, either because the mailserver does not properly resent (as almost all legitimate- but few spam-mailservers do) or the email has in the meantime been DCC/pyzor/razor listed.

----------

## patrix_neo

 *mas- wrote:*   

>  *Quote:*   I am curious though, you say you use adaptive greylisting. How is the "adaptive" portion accomplished? Through your own personal scripting, or does your greylist software accommodate this? I'm using sendmail with milter-greylist. What do you use?  
> 
> I use exim with a heavily customized exim.conf and spamassassin with the almost complete plugin list. The greylisting is done directly from exim with sql queries. So no greylist software, it sits in exim.conf, "personal scripting" one could call it.
> 
> That's just about the nail in the coffin for anyone but the curious crowd of black hatters. Go away from the defaults and norms for a solution to security problems.
> ...

 

----------

## gordonb3

 *mas- wrote:*   

> As an update, especially as you mentioned:
> 
>  *Quote:*   
> 
> Return-Path: <Touchfire@1brightbox.science>  
> ...

 

Hate to say it, but those entries are completely random and as a consequence will not help in automatically detecting spam. Killing the whole domain will only prevent honest people from using it to send mail to you.

----------

## msst

 *Quote:*   

> Hate to say it, but those entries are completely random and as a consequence will not help in automatically detecting spam. Killing the whole domain will only prevent honest people from using it to send mail to you.

 

I also hate to say it, but the bad reputation of these domains is well earned and has something to do with how these domains are predominantly used. 

So this is not random. These mail domains are statistically significantly more used by illegitimate spammers and crooks than by any honest person. There are so called domain-reports looking up the Top100 most used domain names under these TLDs and some of these gTLDs score >95% illegitimate use domains (that means used for fishing, fraud, spam etc. - porn is usually not counted as illegitimate use).

Many of these generic TLDs are simply quite unattractive for those with a legitimate use (too clumsy, too long, too exotic, etc.), so it seems they increasingly need to find other (more doubtful) customers to survive.

That is what we are seeing here now. A slow demise of certain gTLDs. Right at the introduction many were sceptic about the huge number of gTLDs introduced. And in many cases it now turns out the sceptics were right. This is the classical bad-neighbourhood problem and it is a vicious circle:

The more spam originates using these domains and the more general illegitimate usees these domains see, the more counter-measures will ensue and honest users are then indeed de-facto forced to abandon these "neighbourhoods" or suffer the consequences. That is the way of life and it is unfair to some degree.

Also I am not blacklisting these whole domains. I am so far only greylisting them, which means if the "honest people" send an email from these domains, their first email will be delayed, not more. That is acceptable if it reduces spam.

But already now, if you are a honest user of a domain like these, do yourself the favour and consider moving to another TLD. Some of these will go down the drain.

----------

## msst

 *Quote:*   

> That's just about the nail in the coffin for anyone but the curious crowd of black hatters. Go away from the defaults and norms for a solution to security problems. 

 

If you want to run a mailserver on you own for fun, you will need to invest some time for customization. Most of the stuff I am using is standard - spamassassin is, greylisting is, RBL lookups are. But they need customization and you need to observe the effects. Fire-and-forget does not work. Spammers are not all dumb.

Gmail, gmx, hotmail they all use heavily customized solutions and that is what a majority of users use. Their implementations are actually less efficient nevertheless, but that is because they are specifically targetted by spammers and they often cannot afford (heavy load, side-effects, etc.) some of the measures that are very helpful - such as adaptive greylisting. Why not using that to ones advantage?

Using entirely standard solutions you can already get better than the freemailers I believe - if and only if you configure them well. And that is always gonna be somewhat complicated. It is an arms race.

----------

## gordonb3

 *mas- wrote:*   

> 
> 
> I also hate to say it, but the bad reputation of these domains is well earned and has something to do with how these domains are predominantly used. 
> 
> So this is not random. These mail domains are statistically significantly more used by illegitimate spammers and crooks than by any honest person. There are so called domain-reports looking up the Top100 most used domain names under these TLDs and some of these gTLDs score >95% illegitimate use domains (that means used for fishing, fraud, spam etc. - porn is usually not counted as illegitimate use).

 

I guess the results you are referring to depend on what you might want to classify as spam. If we restrict ourselves to the viagra and on-line gambling emails nothing you find in the headers will be real. In most cases it will not even contain your own address in the "To" field and half of the MTA log entries may be invented as well. Obviously one of those entries will be the real starting MTA, but the address that precedes it as "received from" will be either spoofed or a compromised computer belonging to some unaware person.

BTW I myself have not (yet) seen any of those "suspect" TLDs you mentioned pop up in my logs. Except for a few they are all .com addresses.

----------

## msst

 *Quote:*   

> I guess the results you are referring to depend on what you might want to classify as spam.

 

Well, I do not think we have to discuss what is spam. That is defined by the recipient. But I can provide an example to satisfy your curiosity.

These mails were all types of spam, fishing and other illegal crap mails. One can often judge that from the subject in the log file alone. Here one totally unknown person wants to inform me of a "reduction in payment", likely hoping that I click a link out of greed ...

Look at the example (slightly edited and the subject translated to english):

```
Feb  1 05:48:32 xxx exim[15160]: 2016-02-01 05:48:32 [15160] 1aQ6PF-0003wW-Dp H=mail.tzxg4.xyz [85.214.195.174]:35620 I=[192.168.1.3]:25 F=<BOUNCE_PREFIX-1454283322.10766.KDjqMt3romq@tzxg4.xyz> temporarily rejected after DATA: greylisted low reputation sender domain (tzxg4.xyz)

Feb  1 05:48:32 xxx exim[15160]: [2\34] Envelope-from: <BOUNCE_PREFIX-1454283322.10766.KDjqMt3romq@tzxg4.xyz>

Feb  1 05:48:32 xxx exim[15160]: [3\34] Envelope-to: <myemail>

Feb  1 05:48:32 xxx exim[15160]: [4\34] P Received: from mail.tzxg4.xyz ([85.214.195.174]:35620)

Feb  1 05:48:32 xxx exim[15160]: [5\34] #011by myserver with esmtp (Exim 4.85)

Feb  1 05:48:32 xxx exim[15160]: [6\34] #011(envelope-from <BOUNCE_PREFIX-1454283322.10766.KDjqMt3romqN@tzxg4.xyz>)

Feb  1 05:48:32 xxx exim[15160]: [7\34] #011id 1aQ6PF-0003wW-Dp

Feb  1 05:48:32 xxx exim[15160]: [8\34] #011for myemail; Mon, 01 Feb 2016 05:48:06 +0100

Feb  1 05:48:32 xxx exim[15160]: [9\34] P Received: by mail.tzxg4.xyz id hlrhoc000dsb for <myemail>; Mon, 1 Feb 2016 00:36:46 +0100 (envelope-from <BOUNCE_PREFIX-1454283322.10766.KDjqMt3romq@tzxg4.xyz>)

Feb  1 05:48:32 xxx exim[15160]: [10\34]   DKIM-Signature: v=1; a=rsa-sha256; s=c; d=tzxg4.xyz; l=755; t=1454283322;

Feb  1 05:48:32 xxx exim[15160]: [11\34] #011c=relaxed/relaxed;

Feb  1 05:48:32 xxx exim[15160]: [12\34] #011h=mime-version:content-type:content-transfer-encoding:from:to:subject:message-id:date;

Feb  1 05:48:32 xxx exim[15160]: [13\34] #011bh=lKyV/RwClrcqlX89MW51WNnZ9le6xZryfnED1zMTFh0=;

Feb  1 05:48:32 xxx exim[15160]: [14\34] #011b=T2VqSnS9UPfmmLHWp6teKsjILFfm51ScPnu6QxU9ld89fitqds19tLcsX5HxlmZ+04a3LXXnYdK/

Feb  1 05:48:32 xxx exim[15160]: [15\34] #011JtZzbAm1/KfA8Ym7Gt02hQ2WV2etgNxYGoKoG2pt6ln1i8UAob1GyAExzZnSkQzjR/2gF+PM4RQe

Feb  1 05:48:32 xxx exim[15160]: [16\34] #011pKbQF+3hUjkoZpGTiD8=

Feb  1 05:48:32 xxx exim[15160]: [17\34]   DomainKey-Signature: a=rsa-sha1; c=nofws; d=tzxg4.xyz; s=c;

Feb  1 05:48:32 xxx exim[15160]: [18\34] #011h=mime-version:content-type:content-transfer-encoding:from:to:subject:message-id:date;

Feb  1 05:48:32 xxx exim[15160]: [19\34] #011b=hLpg0RXrplKOhIe8SNCNsx7g0MEfXcVeW+mtV8C9af7zg6Ww63kbYYe6fNXk+w2w7EsqSi1pJMcQ

Feb  1 05:48:32 xxx exim[15160]: [20\34] #011VrC1H4AnoRQ544vcuHqUDTkMQ1Op4Ke4B04cDj27x6p7buYgTEPcZIwnRmeLoM/dRsHjjoJTvee4

Feb  1 05:48:32 xxx exim[15160]: [21\34] #011FhvUjraCScP//uIaDGA=

Feb  1 05:48:32 xxx exim[15160]: [22\34]   MIME-Version: 1.0

Feb  1 05:48:32 xxx exim[15160]: [23\34]   Content-Type: text/plain; charset=ISO-8859-1

Feb  1 05:48:32 xxx exim[15160]: [24\34]   Content-Transfer-Encoding: quoted-printable

Feb  1 05:48:32 xxx exim[15160]: [25\34] F From: Vivienne Lorenz <Vivienne.Lorenz@tzxg4.xyz>

Feb  1 05:48:32 xxx exim[15160]: [26\34] * Return-Path: BOUNCE_PREFIX-1454283322.10766.KDjqMt3romq@tzxg4.xyz

Feb  1 05:48:32 xxx exim[15160]: [27\34] T To: myemail

Feb  1 05:48:32 xxx exim[15160]: [28\34]   Subject: Reduction of your monthly payments February 2016

Feb  1 05:48:32 xxx exim[15160]: [29\34] I Message-ID: <26b756a211bea76f79fdff14361972d@tzxg4.xyz>

Feb  1 05:48:32 xxx exim[15160]: [30\34]   User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101

Feb  1 05:48:32 xxx exim[15160]: [31\34]  Thunderbird/38.4.0

Feb  1 05:48:32 xxx exim[15160]: [32\34]   List-Unsubscribe: <http://www.tzxg4.xyz/abm/KDjqMt3romq/>,

Feb  1 05:48:32 xxx exim[15160]: [33\34]  <mailto:u-KDjqMt3romq@tzxg4.xyz>

Feb  1 05:48:32 xxx exim[15160]: [34/34]   Date: Mon, 1 Feb 2016 05:48:06 +0100

```

And this is actually a technically very good fishing email. It passed spamassassin with a negative spam score! The greylisting got it due to the fact that I marked .xyz as low reputation. The "mailserver" did not attempt a single resend, probably because they knew that after some hours DCC and the other digest systems would have blacklisted their email.

 *Quote:*   

> nothing you find in the headers will be real.

 

Here the opposite is true. Whoever sent this email is not dumb. He sent that email from a hired server and registered a domain for it. The email was really sent from "mail.tzxg4.xyz [85.214.195.174]:35620" with correct and matching DNS and reverse DNS entries and a valid domainkey, that was used to sign this email.

Without this effort the spamscore would have been way worse. Spamassassin is quite good to catch up on bogus headers. Wrongly configured DNS entries as well as using IPs from a dynamic range are caught and rejected through RBL queries and DNS checks.

They do this to bypass exactly such efforts as spamscoring and RBL checks. For this they need lots of new, not-spoiled and of course cheap domains that they can fully configure and where the domain registrar does not mind they practices too much.

Be glad if you only get the dumb type of spam mails so far. 8-;

----------

## gordonb3

Agreed on the part that this appears to be a real email server. I question your conclusion that the spammer(s) is the owner of that server though. Observe the envelope from address. It's completely bonkers and does not come anywhere close to the from address in the email. The prefix "BOUNCE_PREFIX-" appears to indicate here that the server actually contains a very ill-configured bouncing mechanism that silently forwarded this email to you because the original email to the (likely) non existent Vivienne Lorenz was marked as being sent by you.

----------

## msst

 *Quote:*   

> 
> 
> The prefix "BOUNCE_PREFIX-" appears to indicate here that the server actually contains a very ill-configured bouncing mechanism that silently forwarded this email to you because the original email to the (likely) non existent Vivienne Lorenz was marked as being sent by you.

 

Who knows, we are both speculating now.

But I doubt this interpretation because neither does this BOUNCE-prefix mangling look like a misconfigured SRS implementation (which you imply), nor is this an exceptional case. I get similar spam from other crappy gTLDs. And there is no forward-header in it, which almost all servers would add in such a case as you assume.

Bounce address tagging (https://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation), of which this appears to be a subform, is used for other means and cannot be used to send out spam - unless you operate an open relay or your mailserver got hacked.

I can see why a spammer might want to use it however, as he can nicely see who blocks his emails and for what reason.

By the way, that observation that many of the gTLDs are getting an increasingly bad reputation is not only based on what I see. Many others have seen the same and are publishing it as well:

http://arstechnica.com/security/2015/09/many-new-top-level-domains-have-become-internets-bad-neighborhoods/

http://vamsoft.com/forum/topic/597/existing-list-of-garbage-new-tlds

http://www.cio.com/article/2992445/internet/the-webs-10-most-shady-neighborhoods.html

You will find a number of these reports on the internet. This is just a small sample. And if you really wonder why the shady side of the internet loves these domains, look e.g. here

https://www.google.nl/search?q=how+to+get+.xyz+for+free

----------

