Bouncing Spam Messages

October 4th, 2007 (SpamSieve)

From time to time, people ask why SpamSieve doesn’t have a feature to “bounce” spam messages back to the sender. They also ask whether they should use Apple Mail’s Message ‣ Bounce command. The thought is that a spammer will stop sending to your address if he thinks that the address was invalid and his message didn’t get through. The short answers are that SpamSieve lacks this feature on purpose and that I do not recommend using Mail’s Bounce command. More specifically, this sort of bouncing is ineffective or even counter productive for a variety of reasons:

  1. Spammers probably don’t care. They have lists of thousands or millions of e-mail addresses, and it’s cheap to keep sending messages to the entire list. They may get paid based on the size of their list, no matter whether all the addresses are valid. In any case, it wouldn’t be worth the effort to prune it down.

  2. You can’t contact them. Even if you believe that spammers care, your bounce message probably wouldn’t get to them. Spammers use hijacked machines and forged return addresses, so if you reply to a spam message you’re likely sending your bounce to an invalid address or an innocent bystander.

  3. If you could, it might be bad for you. There is a narrow window of time in which rejecting a spam message might work. When the mail server is in the process of receiving a message, it’s talking to the sending server and so theoretically it could communicate that the address is invalid. By the time the message has been delivered to your account, downloaded by the mail program on your Mac, and filtered by SpamSieve, this window has long since closed. At this point, if the spammer were listening, he’d already know that the message had been delivered. If you were able to get a bounce back to him, he’d know that it was a fake bounce. The original message must have gotten all through, so he should send you more spam.

Since bouncing doesn’t work, it would be a waste of your time and network resources to do it. Including such a feature in SpamSieve would fill out the feature checklist but give the false impression that the feature should be used.

Update: See this section of the SpamSieve manual.