100 Email Bouncebacks - Welcome to Backscattering 316

distefano links to a story on Computerworld, excerpting: "E-mail users are receiving an increasing number of bounceback spam, known as backscatter, and security experts say this kind of spam is growing. The bounceback e-mail messages come in at a trickle, maybe one or two every hour. The subject lines are disquieting: 'Cyails, Vygara nad Levytar,' 'UNSOLICITED BULK EMAIL, apparently from you.' You eye your computer screen; you're nervous. What's going on? Have you been hacked? Are you some kind of zombie botnet spammer? Nope, you're just getting a little backscatter — bounceback messages from legitimate e-mail servers that have been fooled by the spammers."
  • by MollyB ( 162595 ) * on Monday May 05, 2008 @06:03AM (#23298506) Journal
    This story was preceded less than a month ago:
    https://tech.slashdot.org/article.pl?sid=08/04/08/2258246 [slashdot.org]

    I had a bunch of these back then, now they are happening again. Here is some information about the subject.
    http://spamlinks.net/prevent-secure-backscatter.htm [spamlinks.net]

    You should only get NDRs from your own ISP, as I understand it. The other mail admins are being fooled by your spoofed return address, and should know better.
  • Where's the news? (Score:5, Informative)

    by dotancohen ( 1015143 ) on Monday May 05, 2008 @06:03AM (#23298508) Homepage
    Where's the news here? I've been getting these for years. It's so bad that I filter bounce messages to a separate account on the server to download and review at the end of the week. I get almost as much backscatter as spam, both over 1000 messages a week.
  • by gsslay ( 807818 ) on Monday May 05, 2008 @06:12AM (#23298550)
    I must have read at least 3 news stories about backscatter in the last week. Why is this only getting attention now when it's been a problem for years? Is it just because someone has coined a word for it?

    I can remember years back when some spammer decided to use my domain name in their spam run. Hundreds of bounced emails every day and I cursed every one of the dumb mail servers that mailed them; complete with original html email, images and any other crappy attachment. ("Hundreds" may be small potatoes these days, but they were a big deal at the time.) Just the very idea that spammers would supply a genuine reply address seemed so incredibly stupid, yet there they were; dozens of carefully worded variants of the same "naughty spammer, don't email me" reply. I could just see some smug sysadmin configuring their system with this badly thought-out garbage, thinking "ha! that'll show them!"

    None of my mail servers since then have ever bounced spam or mis-addressed emails.
  • "legitimate?" (Score:5, Informative)

    by Michael Hunt ( 585391 ) on Monday May 05, 2008 @06:42AM (#23298672) Homepage
    As a 9-year veteran of the anti-spam industry (with experience within the regulator, although I've left that behind me now and work in telecoms,) it's a REAL stretch for anybody inside the IT industry to take these kinds of comments seriously.

    Anybody who says that 'legitimate' mailservers are sending backscatter instead of 5xx-ing the message in transit is wrong. Mailservers which send backscatter are NOT legitimate, EOL.

    - A pissed off mail admin.
  • by djmurdoch ( 306849 ) on Monday May 05, 2008 @06:46AM (#23298686)

    how do I do that in Thunderbird?
    Set the custom headers preference. [mozillazine.org]
  • by rjames13 ( 1178191 ) on Monday May 05, 2008 @07:06AM (#23298762)
    Go into Preferences->Advanced Tab and click Config Editor Button.

    Alter the setting
    mail.identity.default.headers
    to include the string header1
    note header1 is just a label
    then add a new string called
    mail.identity.id1.header.header1
    Set the value of that to your X-line

    From now on all mail sent from Identity 1 will have that header on it.

    To create a filter based on that. Obtain an email with that header. Find a clickable link in the header and right click and select create filter from message.

    At first from the drop down box you can't select that X-line so you need to go to the bottom and click customise. You can put that header in there. Now you can create a filter from it.
  • Re:A trickle?! (Score:3, Informative)

    by Dan541 ( 1032000 ) on Monday May 05, 2008 @07:29AM (#23298840) Homepage
    Gmail seems to get A LOT more spam than other services.
  • by Richard W.M. Jones ( 591125 ) <rich AT annexia DOT org> on Monday May 05, 2008 @07:41AM (#23298896) Homepage

    Unless you like playing around with your user's machines a lot, you should better implement that at the MTA level and configure your mail server(s) so that they include the header.

    Sure ...

    Or you could just use SPF, which basically does the same thing, only more elegantly.

    SPF doesn't do the same thing at all. It relies on the receiver MTA to do something about the non-matching SPF records, which evidently many don't (or at least, I've got proper SPF records, but still get huge amounts of backscatter spam).

    Rich.

  • by statemachine ( 840641 ) on Monday May 05, 2008 @07:47AM (#23298916)
    While it is rare considering the volume of e-mail I receive, I've noticed backscatter is gradually increasing. More and more admins are just installing anti-spam/anti-virus devices without learning which options to enable or disable.

    so as long as your MTA is not allowing emails to arrive to nonexistent users
    I wholeheartedly agree, but SPF won't even allow it to get this far. Why should clueless admins expect me to pick up their slack?
  • Re:"legitimate?" (Score:3, Informative)

    by mlts ( 1038732 ) * on Monday May 05, 2008 @07:50AM (#23298932)
    Agreed. Microsoft Exchange 2007, out of the box, does not bounce messages it gets. It either gives an error code and refuses to process the message, or it accepts it. An Exchange admin can configure rules for messages to bounce (say someone is trying to carbon copy multiple internal company distribution lists), but it's nowhere near the default settings.

    I wonder if backscatter has been used as a threat for extortion sometimes. A few years back, I was seeing spammers E-mail people who owned domains threatening to use their email address as the From: header for subsequent spam if they didn't pay some thousands of dollars, then later on (days/weeks), backscatter would start hitting that username. One of my addresses that I used to use for years got hit by so much backscatter that I eventually just added a whitelist, added in a ruleset with password that would autoforward anything that had that word in the subject or body, and had procmail just dump everything else.
  • Re:A trickle?! (Score:2, Informative)

    by tolomea ( 1026104 ) on Monday May 05, 2008 @07:52AM (#23298944)
    It's not targeted at me, it's the spammers using random addresses on my domain as source addresses.
  • Re:"legitimate?" (Score:4, Informative)

    by Michael Hunt ( 585391 ) on Monday May 05, 2008 @07:53AM (#23298948) Homepage
    If Aunt Tillie sends me a message (forwarded from Betty, her next door neighbour, which was in turn forwarded from her nephew Boris, who goes to school in another city) which just happens to look like spam (who knows, maybe Boris is telling an amusing anecdote about how one of his friends stumbled across some h3rb4|_ v!agr4 or something,) I'm going to look like a fair dick if the message gets dropped on the floor and Aunt Tillie doesn't at least get notified that the message got eaten.

    The 5xx range of status codes exists for this (and other) reasons, there's no reason NOT to use them (by performing content verification inline and either 2xx-ing or 5xx-ing the message between "." and "QUIT".)
  • Re:A trickle?! (Score:2, Informative)

    by Anonymous Coward on Monday May 05, 2008 @07:57AM (#23298964)
    15,420 since May 1. My hosting company actually asked me to move to google apps because my shared account couldn't handle the loads from these attacks.

    Google apps ( http://www.google.com/a/help/intl/en/admins/editions_spe.html ) handles the domain mail for free, without complaint, and only about 3 messages out of the 15,420 made it through the spam filters.

    Supposedly there's a mail configuration option you can set to make it possible for servers to verify mail from your domain (must originate from this ip range) but the domain hosting company I'm with doesn't expose that particular feature.

    It is a pretty horrible problem; until I moved to google and their pretty remarkable spam filters, bounceback really had me at my wit's end, to the point where I actually considered closing my domain to mail.
  • by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Monday May 05, 2008 @07:58AM (#23298970) Homepage
    Unfortunately so few ISPs support SPF it's not reliable. I've published SPF records for years on all my domains. OTOH for incoming it merely gets a spam score - when SPF is used it is alas sometimes misconfigured so bouncing on it has too many false positives.
  • by AftanGustur ( 7715 ) on Monday May 05, 2008 @08:02AM (#23298996) Homepage
    See here http://www.postfix.org/BACKSCATTER_README.html [postfix.org]

    The trick is to use the "header_checks" and "body_checks" to look for signs of the email having been sent out from your email server in the first place.

  • Re:A trickle?! (Score:4, Informative)

    by CastrTroy ( 595695 ) on Monday May 05, 2008 @08:13AM (#23299076)
    I remember this being the reason I disabled my catch-all address for my domain, a couple of years ago. I was not only getting tons of bounce-backs from things that looked like they were being sent from my domain, I was also getting a lot of spam mail sent to random-non-existent-but-caught-by-the-catch-all addresses.
  • by guruevi ( 827432 ) on Monday May 05, 2008 @08:59AM (#23299454)
    You know, I have a digital certificate that does that for me. It automatically signs my e-mail and 'smart' filters and e-mail clients know that non-signed e-mail from me is not to be trusted as much.

    Get your free personal certificate and if 2 people have certificates, e-mail gets encrypted between you! There are a number of providers that give them.
  • by MaufTarkie ( 6625 ) on Monday May 05, 2008 @09:46AM (#23299908)

    MTAs include the original headers in bounce messages, so discard bounce messages which don't contain your custom header.
    Not all MTAs. Exchange doesn't, for example. Maybe it's been fixed in Exchange 2007, but I haven't upgraded to that yet.
  • by hipsterdufus ( 42989 ) on Monday May 05, 2008 @10:10AM (#23300170)
    MailScanner, which ships with Fedora, includes a feature called watermarking. Like those that have already posted, it works by creating a custom header with a secret key that is used to add a quick little seemingly random text and puts it in the header. If mail is coming from a bounceback, MailScanner checks the message for a match on the header. If it doesn't see one, then you can have it act based on that scenario. After turning this on, I get zero bounceback/scatterback emails into my Inbox. A perfectly elegant solution that works well and is easy to implement.
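The watermarking idea described here (and the Postfix header_checks approach a few comments up) in working form, as an added example that is not MailScanner's or Postfix's own code: outbound mail gets a header carrying a keyed HMAC over the sender and a timestamp, and an incoming bounce is only accepted if the original headers it quotes contain a mark that verifies for the address being bounced to. The secret, header name and sample bounce texts are constructed for the example.

```python
import hashlib, hmac, re

# Assumptions (constructed for this example): a per-site secret and a
# hypothetical header name; neither comes from MailScanner or the thread.
SECRET = b"constructed-demo-secret-change-me"
HEADER = "X-Backscatter-Watermark"
WATERMARK_RE = re.compile(rf"^{HEADER}:\s*(\S+)\s*$", re.M | re.I)

def make_watermark(sender, issued, secret=SECRET):
    """Token stamped on outbound mail: '<unix time>.<hmac tag>'.
    The tag binds the sender address and issue time to the site secret."""
    data = f"{sender.lower()}|{issued}".encode()
    tag = hmac.new(secret, data, hashlib.sha256).hexdigest()[:32]
    return f"{issued}.{tag}"

def verify_watermark(sender, token, now, max_age=7 * 86400, secret=SECRET):
    """True only if the token was minted here for this sender and is not stale."""
    try:
        issued_s, _ = token.split(".", 1)
        issued = int(issued_s)
    except ValueError:
        return False
    if issued > now or now - issued > max_age:
        return False
    return hmac.compare_digest(make_watermark(sender, issued, secret), token)

def is_genuine_bounce(bounce_text, our_address, now):
    """Bounces quote the original headers; accept the DSN only if one of the
    quoted watermark headers verifies for the address being bounced to."""
    return any(verify_watermark(our_address, tok, now)
               for tok in WATERMARK_RE.findall(bounce_text))

def demo():
    now = 1_210_000_000        # constructed clock value, seconds since the epoch
    me = "alice@example.org"   # constructed local address
    real_token = make_watermark(me, now - 3600)
    genuine = ("From: MAILER-DAEMON@mx.example.net\nSubject: Undelivered Mail\n\n"
               "------ original message headers ------\n"
               f"From: {me}\nTo: bob@example.net\n{HEADER}: {real_token}\n")
    # backscatter: a spammer forged our address, so no valid mark is quoted
    forged = ("From: MAILER-DAEMON@mx.example.net\nSubject: Undelivered Mail\n\n"
              f"From: {me}\nTo: victim@example.net\n{HEADER}: {now}.deadbeef\n")
    return is_genuine_bounce(genuine, me, now), is_genuine_bounce(forged, me, now)
```

A bounce that carries no mark at all is rejected the same way as one carrying a forged mark, and the timestamp bounds how long a leaked token stays useful.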
  • by Dark_Gravity ( 872049 ) on Monday May 05, 2008 @10:11AM (#23300186) Homepage

    Just publish a giant list of all mail servers not configured properly.

    It exists. See http://www.backscatterer.org/ [backscatterer.org]

  • by Anonymous Coward on Monday May 05, 2008 @10:37AM (#23300508)
    People who run hobby/toy systems have no idea what it takes to run even a mid-size corporate system.

    At large businesses email gets deleted automatically all the time. Some of my users get 2000 spam per day and they do not want to see it. Other times it's porn and we'd get sued for having a sexually hostile workplace we delivered it to the desktop.

    So yes email does get deleted.
  • by nuzak ( 959558 ) on Monday May 05, 2008 @11:45AM (#23301358) Journal
    Exchange 2007 does include headers when using the SMTP transport. It's been pretty well-behaved in that area since 2005 or so.
  • Re:A trickle?! (Score:3, Informative)

    by sheddd ( 592499 ) <jmeadlock AT perdidobeachresort DOT com> on Monday May 05, 2008 @12:06PM (#23301632)
    SPF also breaks email forwarding; that's why I don't use it.
    Reference [openspf.org]
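To make the SPF argument in this thread concrete (receivers must act on a non-matching record, and plain forwarding breaks it), here is a small evaluator, added for this page and not taken from any SPF library: it handles the ip4, ip6 and all mechanisms with their qualifiers and raises on mechanisms that would need DNS lookups. The record and addresses are constructed documentation-range values.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split a TXT record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    out = []
    for term in terms[1:]:
        qual = "+"                      # unqualified mechanisms mean pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        out.append((qual, mech.lower(), arg))
    return out

def check_spf(record, client_ip):
    """Evaluate the connecting MTA's address against the domain's record.
    Only ip4/ip6/all are implemented; include, a and mx need DNS."""
    ip = ipaddress.ip_address(client_ip)
    for qual, mech, arg in parse_spf(record):
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        else:
            raise NotImplementedError(f"{mech} requires DNS lookups")
    return "neutral"                    # no term matched and no 'all' given

def demo_forwarding():
    # constructed record: only the domain's own MX range may send, hard fail otherwise
    record = "v=spf1 ip4:192.0.2.0/24 -all"
    direct = check_spf(record, "192.0.2.10")      # sent from the domain's MTA
    # the same message forwarded unchanged by a third party keeps the original
    # envelope sender but now arrives from the forwarder's address
    forwarded = check_spf(record, "203.0.113.5")
    return direct, forwarded
```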
  • by WGR ( 32993 ) on Monday May 05, 2008 @12:24PM (#23301840) Journal

    Now I'm going to pretend I'm a spammer. I want lots of money. What benefit is there to me to send a single address more than say... 5 messages? (not per month. EVER) If it didn't make it through the filters the first time, it won't the 800th time, and the more messages I send, the more likely my recipients will learn to evade them. More importantly, a jaded audience won't be receptive to buy.
    Because spammers get paid by number of messages sent, not return on messages.
  • Re:A trickle?! (Score:3, Informative)

    by Sosarian ( 39969 ) on Monday May 05, 2008 @01:59PM (#23302944) Homepage
    Except when you're subscribed to a Google group, and then the spammer opens a gmail account and spams the group, no filtering appears to occur.

    One of the ways that I get spam these days.
  • by nuzak ( 959558 ) on Monday May 05, 2008 @05:20PM (#23305086) Journal
    > Ended up installing a barracuda

    You better have changed the default settings, or you just added to the backscatter problem.
  • by QuestionsNotAnswers ( 723120 ) on Monday May 05, 2008 @09:22PM (#23307086)
    Gmail makes it easy to create multiple aliasii (and to send from those aliasii I think).

    Append a plus followed by a word, and it resolves to the name before the plus. e.g. happypenguin+amazon@gmail.com goes to happypenguin@gmail.com account. Or use dots in your email address and the gmail address resolves to your account without dots e.g. ha.ppy.pen.guin@gmail.com goes to happypenguin@gmail.com account

    You can then easily create a spam filter if an address is snarfed by a spammer.

    This article says it better: http://somegirlwitha.com/2008/04/17/the-dot-plus-and-googlemail-gmail-hacks/ [somegirlwitha.com]
