Backscatter (email) explained

Backscatter (also known as outscatter, misdirected bounces, blowback or collateral spam) is incorrectly automated bounce messages sent by mail servers, typically as a side effect of incoming spam.

Recipients of such messages see them as a form of unsolicited bulk email or spam, because they were not solicited by the recipients. They are substantially similar to each other, and are delivered in bulk quantities. Systems that generate email backscatter may be listed on various email blacklists and may be in violation of internet service providers' Terms of Service.

Backscatter occurs because worms and spam messages often forge their sender addresses.[1] Instead of simply rejecting a spam message, a misconfigured mail server sends a bounce message to such a forged address. This normally happens when a mail server is configured to relay a message to an after-queue processing step, for example, an antivirus scan or spam check, which then fails, and at the time the antivirus scan or spam check is done, the client already has disconnected. In those cases, it is normally not possible to reject the SMTP transaction, since a client would time out while waiting for the antivirus scan or spam check to finish. The best thing to do in this case, is to silently drop the message, rather than risk creating backscatter.

Measures to reduce the problem include avoiding the need for a bounce message by doing most rejections at the initial SMTP connection stage; and for other cases, sending bounce messages only to addresses which can be reliably judged not to have been forged, and in those cases the sender cannot be verified, thus ignoring the message (i.e., dropping it).

Cause

Authors of spam and viruses wish to make their messages appear to originate from a legitimate source to fool recipients into opening the message, so they often use web-crawling software to scan usenet postings, message boards, and web pages for legitimate email addresses.

Due to the design of SMTP mail, recipient mail servers receiving these forged messages have no simple or standard way to determine the authenticity of the sender. If they accept the email during the connection phases and then, after further checking, refuse it (e.g., software determines the message is likely spam), they will use the (potentially forged) sender's address to attempt a good-faith effort to report the problem to the apparent sender.

Mail servers can handle undeliverable messages in four fundamentally different ways:

Backscatter occurs when the "bounce" method is used, and the sender information on the incoming email was that of an unrelated third party.

Reducing the problem

Every step to control worms and spam messages helps reduce backscatter, but other common approaches, such as those in this section, also reduce the same problem.

Connection-stage rejection

During the initial SMTP connection, mailservers can do a range of checks, and often reject email with a 5xx error code while the sending server is still connected. Rejecting a message at the connection-stage in this way will usually cause the sending MTA to generate a local bounce message or Non-Delivery Notification (NDN) to a local, authenticated user.[2]

Reasons for rejection include:

Mail transfer agents (MTAs) which forward mail can avoid generating backscatter by using a transparent SMTP proxy.

Checking bounce recipients

Mail servers sending email bounce messages can use a range of measures to judge whether a return address has been forged.

Filtering backscatter

While preventing backscatter is desirable, it is also possible to reduce its impact by filtering for it, and many spam filtering systems now include the option to attempt to detect and reject[6] backscatter email as spam. In addition, systems using schemes such as Bounce Address Tag Validation "tag" their outgoing email in a way that allows them to reliably detect incoming bogus bounce messages.

See also

External links

Notes and References

  1. Book: 2007 . http://dx.doi.org/10.1109/seccom.2007.4550292 . i . IEEE . 10.1109/seccom.2007.4550292. 978-1-4244-0974-7 . Proceedings of the third international conference on security and privacy in communication networks . 2007 Third International Conference on Security and Privacy in Communications Networks and the Workshops - SecureComm 2007 .
  2. Alternatively, if the MTA is relaying the message, it should only send such an NDN to a plausible originator Simple Mail Transfer Protocol . 2821 . 25 . Klensin . J . April 2001 . . as indicated in the reverse-path . cs2. e.g. where an SPF check has passed.
  3. .
  4. .
  5. .
  6. http://wiki.apache.org/spamassassin/VBounceRuleset "The "Virus Bounce Ruleset" is a SpamAssassin ruleset to catch backscatter"