100 Email Bouncebacks - Welcome to Backscattering
distefano links to a story on Computerworld, excerpting: "E-mail users are receiving an increasing number of bounceback spam, known as backscatter, and security experts say this kind of spam is growing. The bounceback e-mail messages come in at a trickle, maybe one or two every hour. The subject lines are disquieting: 'Cyails, Vygara nad Levytar,' 'UNSOLICITED BULK EMAIL, apparently from you.' You eye your computer screen; you're nervous. What's going on? Have you been hacked? Are you some kind of zombie botnet spammer? Nope, you're just getting a little backscatter — bounceback messages from legitimate e-mail servers that have been fooled by the spammers."
same wine, old bottle (Score:5, Informative)
https://tech.slashdot.org/article.pl?sid=08/04/08/2258246 [slashdot.org]
I had a bunch of these back then, now they are happening again. Here is some information about the subject.
http://spamlinks.net/prevent-secure-backscatter.htm [spamlinks.net]
You should only get NDRs from your own ISP, as I understand it. The other mail admins are being fooled by your spoofed return address, and should know better.
Where's the news? (Score:5, Informative)
Why is this only getting noticed now? (Score:5, Informative)
I can remember years back when some spammer decided to use my domain name in their spam run. Hundreds of bounced emails every day and I cursed every one of the dumb mail servers that mailed them; complete with original html email, images and any other crappy attachment. ("Hundreds" may be small potatoes these days, but they were a big deal at the time.) Just the very idea that spammers would supply a genuine reply address seemed so incredibly stupid, yet there they were; dozens of carefully worded variants of the same "naughty spammer, don't email me" reply. I could just see some smug sysadmin configuring their system with this badly thought-out garbage, thinking "ha! that'll show them!"
None of my mail servers since then have ever bounced spam or mis-addressed emails.
"legitimate?" (Score:5, Informative)
Anybody who says that 'legitimate' mailservers are sending backscatter instead of 5xx-ing the message in transit is wrong. Mailservers which send backscatter are NOT legitimate, EOL.
- A pissed off mail admin.
Re:Easy filtering solution (Score:5, Informative)
Re:Easy filtering solution (Score:5, Informative)
Alter the setting
mail.identity.default.headers
to include the string header1
note header1 is just a label
then add a new string called
mail.identity.id1.header.header1
Set the value of that to your X-line
From now on all mail sent from Identity 1 will have that header on it.
To create a filter based on that. Obtain an email with that header. Find a clickable link in the header and right click and select create filter from message.
At first from the drop down box you can't select that X-line so you need to go to the bottom and click customise. You can put that header in there. Now you can create a filter from it.
Re:A trickle?! (Score:3, Informative)
Re:Implement at MTA, not MUA (Score:3, Informative)
Unless you like playing around with your users' machines a lot, you had better implement that at the MTA level and configure your mail server(s) so that they include the header.
Sure ...
Or you could just use SPF, which basically does the same thing, only more elegantly.
SPF doesn't do the same thing at all. It relies on the receiver MTA to do something about the non-matching SPF records, which evidently many don't (or at least, I've got proper SPF records, but still get huge amounts of backscatter spam).
Rich.
Re:Why is this only getting noticed now? (Score:3, Informative)
so as long as your MTA is not allowing emails to arrive to nonexistent users
I wholeheartedly agree, but SPF won't even allow it to get this far. Why should clueless admins expect me to pick up their slack?
Re:"legitimate?" (Score:3, Informative)
I wonder if backscatter has been used as a threat for extortion sometimes. A few years back, I was seeing spammers E-mail people who owned domains threatening to use their email address as the From: header for subsequent spam if they didn't pay some thousands of dollars, then later on (days/weeks), backscatter would start hitting that username. One of my addresses that I used to use for years got hit by so much backscatter that I eventually just added a whitelist, added in a ruleset with password that would autoforward anything that had that word in the subject or body, and had procmail just dump everything else.
Re:A trickle?! (Score:2, Informative)
Re:"legitimate?" (Score:4, Informative)
The 5xx range of status codes exists for this (and other) reasons, there's no reason NOT to use them (by performing content verification inline and either 2xx-ing or 5xx-ing the message between "." and "QUIT".)
Re:A trickle?! (Score:2, Informative)
Google apps ( http://www.google.com/a/help/intl/en/admins/editions_spe.html ) handles the domain mail for free, without complaint, and only about 3 messages out of the 15,420 made it through the spam filters.
Supposedly there's a mail configuration option you can set to make it possible for servers to verify mail from your domain (must originate from this ip range) but the domain hosting company I'm with doesn't expose that particular feature.
It is a pretty horrible problem; until I moved to Google and their pretty remarkable spam filters, bounceback really had me at my wits' end, to the point where I actually considered closing my domain to mail.
Re:Why is this only getting noticed now? (Score:3, Informative)
Postfix has a solution to this (Score:4, Informative)
The trick is to use "header_checks" and "body_checks" to look for signs of the email having been sent out from your email server in the first place.
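Added example, not code from any of these posts or from Postfix: a Python sketch of the check that the X-header posts above and the header_checks idea here are getting at. It assumes (my assumption, not the thread's) that our outbound MTA stamps every message with an X-Watermark header holding an HMAC of its Message-ID (header name and secret are placeholders), so a DSN is accepted only if the original it returns carries a valid watermark and bounces of mail we never sent are dropped.

```python
import hashlib
import hmac
from email import message_from_string

# Assumptions (not from the thread): our MTA stamps every outbound message with an
# X-Watermark header, an HMAC over its Message-ID; secret and header name are placeholders.
SECRET = b"replace-with-a-secret-held-only-by-your-MTA"
WATERMARK_HEADER = "X-Watermark"


def watermark(message_id: str) -> str:
    """Keyed tag over the Message-ID; spammers forging our From: cannot compute it."""
    return hmac.new(SECRET, message_id.encode(), hashlib.sha256).hexdigest()[:32]


def is_genuine_bounce(raw_bounce: str) -> bool:
    """True only if the DSN embeds an original that carries our valid watermark.
    No message/rfc822 part, no watermark, or a wrong one => treat as backscatter."""
    bounce = message_from_string(raw_bounce)
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)          # the returned message itself
            mid = original.get("Message-ID", "")
            seen = original.get(WATERMARK_HEADER, "")
            if not mid:
                return False
            return hmac.compare_digest(seen.encode(), watermark(mid).encode())
    return False                                    # nothing to verify: drop it


def build_bounce(original_headers: str) -> str:
    """Constructed sample DSN (multipart/report) wrapping a returned original."""
    return (
        "From: MAILER-DAEMON@example.org\nTo: alice@example.com\n"
        "Subject: Undelivered Mail Returned to Sender\nMIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="B1"\n\n'
        "--B1\nContent-Type: text/plain\n\nUser unknown.\n"
        "--B1\nContent-Type: message/rfc822\n\n"
        + original_headers + "\nSubject: hi\n\nbody\n--B1--\n"
    )


# Constructed samples: a real bounce of our mail, a spoofed one, and one where the
# spammer pasted a garbage watermark value.
GENUINE = build_bounce("From: alice@example.com\nMessage-ID: <m1@example.com>\n"
                       f"{WATERMARK_HEADER}: {watermark('<m1@example.com>')}")
SPOOFED = build_bounce("From: alice@example.com\nMessage-ID: <spam@bogus.example>")
FORGED = build_bounce("From: alice@example.com\nMessage-ID: <m2@example.com>\n"
                      f"{WATERMARK_HEADER}: 00000000000000000000000000000000")
```

A plain-text bounce that quotes the original headers inline rather than as a message/rfc822 part is also rejected here, which is the fail-closed choice; loosen it only if your own relay produces such bounces.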
Re:A trickle?! (Score:4, Informative)
Re:Easy filtering solution (Score:5, Informative)
Get your free personal certificate and if 2 people have certificates, e-mail gets encrypted between you! There are a number of providers that give them.
Re:Easy filtering solution (Score:3, Informative)
The solution is called Watermarking (Score:2, Informative)
Re:De-standardize, and make it worthwhile. (Score:2, Informative)
It exists. See http://www.backscatterer.org/ [backscatterer.org]
Re:I've been getting "backscatter" for years... (Score:1, Informative)
At large businesses email gets deleted automatically all the time. Some of my users get 2000 spam per day and they do not want to see it. Other times it's porn and we'd get sued for having a sexually hostile workplace if we delivered it to the desktop.
So yes email does get deleted.
Re:Easy filtering solution (Score:3, Informative)
Re:A trickle?! (Score:3, Informative)
Reference [openspf.org]
Re:Why do people send spam to me? (seriously) (Score:4, Informative)
Re:A trickle?! (Score:3, Informative)
One of the ways that I get spam these days.
Re:Extreme Backscatter (Score:3, Informative)
You better have changed the default settings, or you just added to the backscatter problem.
gmail aliasii for spam detection (Score:2, Informative)
Append a plus followed by a word, and it resolves to the name before the plus, e.g. happypenguin+amazon@gmail.com goes to the happypenguin@gmail.com account. Or use dots in your email address and the gmail address resolves to your account without dots, e.g. ha.ppy.pen.guin@gmail.com goes to the happypenguin@gmail.com account.
You can then easily create a spam filter if an address is snarfed by a spammer.
This article says it better: http://somegirlwitha.com/2008/04/17/the-dot-plus-and-googlemail-gmail-hacks/ [somegirlwitha.com]