Exclaimer bounce messages
Abstract
You are probably seeing this page because you clicked on a link in an email indicating that a message was blocked from delivery by one of our customers.
You will have received this email message for one of two reasons.
- You sent an email to that organisation and it triggered their anti-spam and/or anti-virus protection system.
- A spammer has used your identity to attempt to evade the anti-spam and/or anti-virus software at that organisation.
What to do if you did send the message.
If you originally sent the message, you may be able to bypass the anti-spam checks, provided the bounce message indicates that you may do so.
This normally takes the form of a special code that can be inserted into the subject of your message.
If you do this and the recipient of the message then replies to you, you should also be added to their automatic Whitelist. This will ensure that you can continue to communicate with them without any further interruption.
Note: Placing this code in the subject does not compel the recipient to reply to you.
What to do if you didn’t send the message.
We understand that this message can be construed as spam too, but we have gone to some lengths to ensure that we don’t unnecessarily generate these messages (often called “Backscatter”).
We only issue these “bounce” messages to the sender where we can be reasonably certain of some facts.
When the spam message was originally blocked, two critical pieces of information were gathered: the sender’s IP address and the sender’s domain.
Normally there is no requirement for any correlation between these pieces of information. In other words, anyone on the internet could pretend to be you.
However, in this instance there was some correlation between these pieces of information, and so we took a chance and sent this message to you.
What this might indicate is that a computer within your organisation has become infected by a zombie Trojan and is spewing out spam to the internet in general.
Warning: You should be concerned about this because it may lead to your inability to send email to other domains that are being careful who they speak to.
You should certainly investigate your systems to ensure that they haven’t been infected and you should take reasonable precautions to prevent these kinds of infection in the future.
Best internet practice indicates that you should certainly run a firewall. You should also consider some anti-virus and anti-spam software.
In addition, you should make sure that the operating systems of your computers are up-to-date and patched with the latest service packs.
Technical Details
The relationship that was present between the sender’s IP address and the domain is one validated by SPF.
If you have an SPF policy in DNS
The spam message was definitely sent by you or someone within your domain. You should be worried about this because your domain stands to get blacklisted because of the spam output.
If you do not have an SPF policy in DNS
There is a likelihood that the spam originated from you, but it could also have originated from someone in your internet neighbourhood.
Exclaimer took an educated guess because the sender’s IP address was in the /24 subnet of either your MX record or an A record listed in DNS against your domain. This is obviously not foolproof, but it is a good guess.
To ensure that your domain is not spoofed (or mistakenly blamed) in the future, you could consider publishing an SPF record in DNS that declares which servers are permitted to send email on behalf of your domain.
See http://en.wikipedia.org/wiki/Sender_Policy_Framework for more details.
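The correlation check described under Technical Details can be sketched as follows. This is an added example, not Exclaimer's code: the function names, the reason strings and the sample addresses are assumptions, the SPF result is taken as an already-evaluated RFC 7208 result name, and the domain's MX/A addresses are passed in already resolved.

```python
import ipaddress

# RFC 7208 result names; "none" means the domain publishes no SPF policy.
def shares_slash24(sender_ip, domain_host_ips):
    """True if sender_ip is in the same IPv4 /24 as any MX/A address of the domain."""
    try:
        sender = ipaddress.ip_address(sender_ip)
    except ValueError:
        return False
    if sender.version != 4:
        return False  # the page's heuristic is a /24, so IPv4 only
    subnet = ipaddress.ip_network(f"{sender}/24", strict=False)
    for host in domain_host_ips:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # skip unparsable DNS answers
        if addr.version == 4 and addr in subnet:
            return True
    return False


def bounce_decision(sender_ip, spf_result, domain_host_ips):
    """Return (send_bounce, reason) for a blocked message."""
    if spf_result == "pass":
        return True, "spf-pass"
    if spf_result == "none" and shares_slash24(sender_ip, domain_host_ips):
        return True, "no-spf-same-slash24"
    # Assumption: any other outcome stays silent to avoid backscatter.
    return False, "no-correlation"


# Constructed sample: already-resolved MX/A addresses from documentation ranges.
EXAMPLE_HOSTS = ["192.0.2.10", "198.51.100.25"]

if __name__ == "__main__":
    for ip, spf in [("192.0.2.77", "none"), ("203.0.113.9", "none"),
                    ("203.0.113.9", "pass"), ("192.0.2.77", "fail")]:
        print(ip, spf, bounce_decision(ip, spf, EXAMPLE_HOSTS))
```

The "no-spf-same-slash24" branch is the educated guess: a neighbour in the same /24 as your mail server produces the same result, which is why publishing an SPF record removes the ambiguity.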