Anonymous® Radio Show

The Internet's Premier LIVE Programme™

Stopping SPAM | Backscatter?

“Backscatter” is basically “bounce emails you receive for messages you never sent”. These are usually bounces of spam messages sent by spammers using your email address as a forged ‘From’ address.

When email is delivered to a system, if there is a problem delivering the email (eg account doesn’t exist, user over quota, etc) then most systems will generate a “bounce” email back to the sender to let them know there was a problem.

The way to determine the original sender of the email (and thus where to send the bounce) is by using the ‘From’ address on the original email. Unfortunately there is no way for systems to verify that a ‘From’ address is correct (there are attempts like SPF and DomainKeys, though these have flaws).

When spammers send email, they almost always forge the ‘From’ address the email is sent from. This is why blocking specific sender addresses is ineffective: spammers usually forge every email to come from a different address.

If there is a problem delivering the email the spammer has sent, then a bounce will be sent back to the ‘From’ address on the email, which is whatever the spammer has made up. (Stay with me 🙂)

The problem occurs when spammers use YOUR email address as the ‘From’ address on emails. In these cases, you may get many bounce emails appearing in your inbox for emails you never sent!

This is called “backscatter”, and it is unfortunately a consequence of how the internet email system was originally set up.

The good news is there are a few things that can be done to try and reduce backscatter.

When most systems bounce an email, they include all or part of the original email in the bounce. What some ISPs do is check the copy of the original email attached to the bounce to see whether it appears to have been sent through their servers. If not, then they know it was an email sent by a spammer with a forged ‘From’ address.

When this happens, most will mark the email as “backscatter”, and perform whatever action is specified.

Unfortunately the backscatter filter isn’t perfect. To work, the “bounce” email has to have part of the original message in it so the filter can check whether you were actually the original sender. Quite a few systems don’t include the original message in the “bounce” (the most common being challenge/response systems that are supposed to stop spam, and just end up adding to the problem for others). In these cases, ISPs can’t determine the true original sender of the email, and thus can’t mark the emails as backscatter.

Testing suggests the backscatter filter is still very effective, catching around 90% to 95% of all unsolicited bounce emails.

Unfortunately, if for some reason a spammer is forging your address on their emails, then they can send millions of spam emails. Most systems will absorb, SMTP-block, or discard the spam emails, but some systems do bounce them. If even 1000 of those generate backscatter bounces and 5% to 10% get through, that’s still around 50 to 100 emails in your inbox: a lot better than 1000, but still annoying. Unfortunately there’s not much ISPs can do to improve that until more systems correctly attach the original email in the bounce message.

As part of the backscatter analysis process, some ISPs attach a header to the email when they think it might be backscatter. The header is X-Backscatter and can have one of these values:

NotFound1 – “We thought this email might be backscatter (eg the From address is a postmaster type address), but we couldn’t find the original message attached in any way.”

NotFound2/3/4 – “We thought we had found the attached original message, but something about it was corrupted and it’s not a valid format message.”

Whitelist Hosts

As mentioned in the backscatter section, bounces where the original email does not appear to have come through one of your ISP’s hosts are usually marked as spam backscatter. However, if you regularly send email through a server that is not your ISP’s, then if any of those emails bounce, they will be classed as backscatter, as they did not originate through one of the ISP’s servers.

To avoid that, tech-savvy individuals can enter a comma-separated list of hostnames of the other servers that you regularly send email through and whose replies might come back to your ISP’s mailbox.

For instance, if you use the ISP iinet.com.au and regularly send email through their SMTP server with your Hotmail address as the ‘From’ address, then you should add iinet.com.au to the Backscatter Whitelist Hosts text box. This ensures that any email sent via the iinet.com.au SMTP server that bounces will correctly arrive and not be considered backscatter.
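The check described in the backscatter section (does the copy of the original message attached to the bounce show it passing through one of our own hosts?), the X-Backscatter values, and the whitelist-hosts exception above, worked through in Python as an added example. This is not the ISP’s or the post’s own code. It assumes that “sent through our servers” is decided by the `by <host>` clause of the Received headers in the attached original, that `LOCAL_HOSTS` and `WHITELIST_HOSTS` are the configured hosts (the whitelist follows the iinet.com.au example), and that the labels `Backscatter` and `Legitimate`, which the post does not name, mark the two decided outcomes. All sample bounces are constructed.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed configuration (not from the post): the MTAs that relay our users'
# outbound mail, plus the user-entered "Backscatter Whitelist Hosts".
LOCAL_HOSTS = {"smtp.example.net"}
WHITELIST_HOSTS = {"iinet.com.au"}

BOUNCE_SENDER = re.compile(r"^(mailer-daemon|postmaster)@", re.I)


def looks_like_bounce(msg: EmailMessage) -> bool:
    """Pre-check: a null Return-Path, a postmaster-type From address, or a
    multipart/report container marks the message as a probable bounce."""
    if msg.get("Return-Path", "").strip() == "<>":
        return True
    if BOUNCE_SENDER.search(str(msg.get("From", ""))):
        return True
    return msg.get_content_type() == "multipart/report"


def embedded_original(bounce: EmailMessage):
    """Return the copy of the original carried in the bounce (a message/rfc822
    part, or a headers-only text/rfc822-headers part); None if there is none."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            payload = part.get_payload()
            if isinstance(payload, list) and payload:
                return payload[0]
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def relayed_by_trusted_host(original: EmailMessage, trusted: set) -> bool:
    """True if any Received: header's 'by <host>' clause (written by the
    receiving server, not chosen by the sender) names a trusted host or a
    subdomain of one."""
    for received in original.get_all("Received", []):
        match = re.search(r"\bby\s+([A-Za-z0-9.-]+)", str(received), re.I)
        if not match:
            continue
        host = match.group(1).lower().rstrip(".")
        if any(host == t or host.endswith("." + t) for t in trusted):
            return True
    return False


def classify(raw: str) -> str:
    """X-Backscatter verdict for a raw bounce. NotFound1/NotFound2 follow the
    post; 'Backscatter' and 'Legitimate' are labels assumed here."""
    bounce = email.message_from_string(raw, policy=policy.default)
    if not looks_like_bounce(bounce):
        return "NotABounce"
    original = embedded_original(bounce)
    if original is None:
        return "NotFound1"  # bounce carries no copy of the original at all
    if original.get("From") is None or not original.get_all("Received"):
        return "NotFound2"  # a copy is present but is not a usable message
    if relayed_by_trusted_host(original, LOCAL_HOSTS | WHITELIST_HOSTS):
        return "Legitimate"
    return "Backscatter"


def tag_message(raw: str) -> EmailMessage:
    """Parse the bounce and stamp the verdict into an X-Backscatter header."""
    msg = email.message_from_string(raw, policy=policy.default)
    del msg["X-Backscatter"]
    msg["X-Backscatter"] = classify(raw)
    return msg


def make_bounce(original_part: str) -> str:
    """Constructed DSN wrapper; original_part is the MIME part (possibly
    empty) that carries the original message."""
    return ("Return-Path: <>\nFrom: MAILER-DAEMON@remote.example.org\n"
            "To: victim@example.net\nSubject: Undelivered Mail\n"
            'Content-Type: multipart/report; report-type=delivery-status; boundary="B"\n\n'
            "--B\nContent-Type: text/plain\n\nUser unknown.\n" + original_part + "--B--\n")


# Constructed samples. FORGED: spam with a forged From that never touched our
# relays. REAL: our user's mail sent via the whitelisted iinet.com.au relay.
# HELDBACK: challenge/response style, nothing attached. CORRUPT: unusable copy.
FORGED = make_bounce(
    "--B\nContent-Type: message/rfc822\n\n"
    "Received: from bulkmailer.invalid (unknown [192.0.2.10]) by remote.example.org with ESMTP id 1\n"
    "From: victim@example.net\nTo: nobody@remote.example.org\nSubject: Cheap watches\n\nclick here\n")
REAL = make_bounce(
    "--B\nContent-Type: text/rfc822-headers\n\n"
    "Received: from mail.iinet.com.au (203.0.113.5) by remote.example.org with ESMTP id 2\n"
    "Received: from laptop (198.51.100.7) by mail.iinet.com.au with ESMTPSA id 3\n"
    "From: victim@example.net\nTo: friend@remote.example.org\nSubject: Photos\n")
HELDBACK = make_bounce("")
CORRUPT = make_bounce("--B\nContent-Type: message/rfc822\n\n*** original message truncated ***\n")

if __name__ == "__main__":
    for name, sample in [("FORGED", FORGED), ("REAL", REAL), ("HELDBACK", HELDBACK), ("CORRUPT", CORRUPT)]:
        print(name, "->", tag_message(sample)["X-Backscatter"])
```

The `HELDBACK` and `CORRUPT` cases are the 5% to 10% the post describes leaking through: with no usable copy of the original, the filter can only record NotFound1 or NotFound2 and cannot call the message backscatter. The check is a heuristic, not proof: the Received headers inside the attached copy are whatever the bouncing system quoted, so a verdict of `Legitimate` should carry no more weight than "the copy looks like it passed through a host we trust", and the whitelist should stay short, since every host on it is a host whose bounces will never be filtered.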
