Dr. I Doctor's Informational Juggernaut
Dear Doctor,
Over the last few weeks, our users have seen an alarming increase in e-mail bounce messages that claim we are sending spam. The messages have subjects such as "Message rejected as spam" and "Message could not be delivered: policy reject." The thing is, they're definitely from legitimate companies, not spoofed. I immediately suspected some kind of spam-spewing virus on our network, but after a careful check of our intrusion detection system (which is great about flagging illegitimate messages originating from within our network), I find no evidence of a problem. Moreover, the only mail server permitted by our firewall to transmit SMTP (port 25) packets has a detailed log of every message sent, and none of the bounce messages' mail addresses are in the log. Meanwhile, the problem continues, and I'm concerned that our mail server will get blacklisted.
Gentle User,
Dr. I Doctor admires your diligence at both instituting quality network protections and searching for the cause of this problem. In this instance, however, the problem is not with your network, as your network never originated the messages in question. No computers have been infected, no servers hijacked, and no borders penetrated. What you're seeing is the fallout from the latest spammer attack strategy called "backscatter spam."
You were close to the cause of the problem when you suspected spoofing. It's not the source of the bounce-back message that is spoofed, however; it's the source of a message the spammer meant for you to receive. The spammer simply put one of your users' e-mail addresses on the "from" line, then sent the message to hundreds of perfectly legitimate companies, which promptly identified it as spam and bounced it back to what they thought was the source but was, in reality, your spoofed e-mail address.
How did the spammer get your e-mail addresses? Let Dr. I Doctor count the ways: viruses in the computers of your correspondents, past viruses on your old network, Internet posts, compromised membership mailing lists, drive-by Trojan websites, backdoor sales of mailing lists, your own corporate website, even simply guessing. Getting addresses isn't a problem for spammers; their problem is getting the message into your mailbox and making you read it. Bounce messages are the perfect vehicle for that, at least for now.
Undoubtedly you want to know how to block these messages. It's not simple, since you still want bounce-back e-mail to alert you when a destination address is unreachable or nonexistent. Although it is one of the most powerful tools against spam, Sender Policy Framework (SPF) fails to block backscatter because the bounce messages originate from a legitimate server and are addressed to a correct destination.
Currently there's no foolproof fix. You can block all bounce messages (most mail servers have provisions for this, and bounce messages carry a "bounce" flag in their headers), but then you'll miss important feedback about your messages in flight. The phenomenon is new, and spam filter vendors should soon be able to detect these messages based on content. But perhaps the most useful measure is for your own mail server never to bounce messages that have invalid destinations; simply drop them. That way, at least you're not contributing to the problem.
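As an added illustration (not the column's own code), here is a small Python check that applies the reader's own data: treat an inbound message as a bounce when it has a null Return-Path or is a multipart/report delivery-status notification, pull the bounced original's Message-ID out of it, and flag it as backscatter when that ID never appears in the mail server's log of messages sent. The SENT_LOG set and the make_dsn() sample bounce are constructed placeholders.

```python
import email
from email import policy

# Constructed stand-in for the "detailed log of every message sent":
# Message-IDs our own mail server actually transmitted.
SENT_LOG = {"<20080801.0001@example.com>"}


def is_bounce(msg):
    """True if msg looks like a delivery status notification (DSN)."""
    null_sender = str(msg.get("Return-Path", "")).strip() == "<>"
    dsn_report = (msg.get_content_type() == "multipart/report"
                  and msg.get_param("report-type") == "delivery-status")
    return null_sender or dsn_report


def original_message_id(msg):
    """Return the Message-ID of the bounced original carried inside the DSN."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":            # full original attached
            inner = part.get_payload(0)
        elif ctype == "text/rfc822-headers":     # only the original's headers
            inner = email.message_from_string(part.get_content(), policy=policy.default)
        else:
            continue
        mid = inner.get("Message-ID")
        if mid:
            return str(mid).strip()
    return None


def classify(raw, sent_log=SENT_LOG):
    """'backscatter' if a bounce refers to a message we never sent."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_bounce(msg):
        return "not_a_bounce"
    return "legitimate_bounce" if original_message_id(msg) in sent_log else "backscatter"


def make_dsn(original_mid):
    """Constructed DSN, shaped like what a rejecting MTA sends to the forged sender."""
    return ("Return-Path: <>\nFrom: MAILER-DAEMON@mail.example.net\nTo: alice@example.com\n"
            "Subject: Message rejected as spam\n"
            'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
            "\n--b1\nContent-Type: text/plain\n\nYour message was rejected as spam.\n"
            "--b1\nContent-Type: text/rfc822-headers\n\n"
            f"Message-ID: {original_mid}\nFrom: alice@example.com\nTo: victim@example.net\n"
            "--b1--\n")
```

A bounce whose embedded original is in the sent log is real feedback worth keeping; one that is not is the backscatter the reader describes and can be discarded without losing anything.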
Posted by mbeckman at August 1, 2008 1:01 AM
