
100 Email Bouncebacks - Welcome to Backscattering

distefano links to a story on Computerworld, excerpting: "E-mail users are receiving an increasing number of bounceback spam, known as backscatter, and security experts say this kind of spam is growing. The bounceback e-mail messages come in at a trickle, maybe one or two every hour. The subject lines are disquieting: 'Cyails, Vygara nad Levytar,' 'UNSOLICITED BULK EMAIL, apparently from you.' You eye your computer screen; you're nervous. What's going on? Have you been hacked? Are you some kind of zombie botnet spammer? Nope, you're just getting a little backscatter — bounceback messages from legitimate e-mail servers that have been fooled by the spammers."

  • by erikina ( 1112587 ) <eri.kina@gmail.com> on Monday May 05, 2008 @06:05AM (#23298510) Homepage
    Ugh, care to elaborate? Anyway, I think the solution is simple. Just publish a giant list of all mail servers not configured properly. It wouldn't be hard to write a script to verify if a domain is configured or not. It would function as a name and shame list. But more than that, all spammers would harvest from it, and absolutely smash the listed servers until they were forced to configure them properly.
  • by Richard W.M. Jones ( 591125 ) <rich.annexia@org> on Monday May 05, 2008 @06:09AM (#23298538) Homepage

    There's an easy way to filter out backscatter while preserving bounce messages that you care about (ie. ones about email that you actually sent):

    1. Add your own custom header to all your outgoing emails. Doesn't matter what it is, but it should be unique, eg. 'X-Really-From-Richard-Jones: xsomesecretx'

    2. MTAs include the original headers in bounce messages, so discard bounce messages which don't contain your custom header.

    You can even be smart and sign the header based on the content of the email using a private key, which would make it unforgeable, but at the moment you don't need to do that.

    Rich.

  • by Anonymous Coward on Monday May 05, 2008 @06:20AM (#23298576)
    My easy anti spam system would block this. Only works if you have your own domain, though.

    I have anyemail@mydomain.com forwarded to a gmail account, which then forwards ONLY email with a certain extension (for instance, somesite.spam@mydomain.com) to my private email address. The bonus is, if you use a different email address for each site (for instance, slashdot.spam@mydomain.com), you can nail down the sites that spam like crazy (not that slashdot would do such things :-)!
  • by Anonymous Coward on Monday May 05, 2008 @06:36AM (#23298644)

    1280px wide layout, but the column with the actual content in it is only 200px; the other 1080px are dedicated to adverts and sponsors.

    I think that computerworld site is a classic example of a site that cares nothing for its readers (like spam) and is only a means to an end. When a site has more space dedicated to advertising than content, you know you've hit a spam site.

    Funny how they are telling us about spam while promoting more adverts on a single page than a spam message has.

  • by Anonymous Coward on Monday May 05, 2008 @06:39AM (#23298660)
    I lost my "email for life" account (randeg at alum.rpi.edu) nearly five years ago because of backscatter. I got a lot of it because that address appeared in-the-clear in libpng and zlib documentation. The people at RPI did not understand the backscatter phenomenon, and I assume they are still getting plenty of it.
  • SPF + !SRS! (Score:4, Interesting)

    by spottedkangaroo ( 451692 ) * on Monday May 05, 2008 @06:55AM (#23298716) Homepage

    It seems like the solution to "backscatter" has been around for quite a few years (SRS [openspf.org]). I'm surprised how few of the commercially available anti-spam solutions use or interpret it.

    At my company, we just looked at Barracuda (PoS), Pineapp, St. Bernards ePrism, MX Force, Postini, and some other things. None of them understand SRS and only a few of the tech contacts had even heard of it. Sad Sad. But they all seem to have hand-rolled "backscatter" protection that partially works.

    It seems like everyone has an SPF record these days. But it feels like relatively few actually check them and almost nobody goes the full distance and uses SRS.
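spottedkangaroo's point is that SRS lets a forwarder recognise bounces to addresses it actually issued, so forged or stale return paths can be refused instead of relayed as backscatter. The following is an added illustration, not the commenter's or openspf.org's code: a minimal SRS0 rewriter and validator modeled on the SRS0 address layout, where the secret, the example addresses, the four-character hash truncation and the 21-day validity window are this example's own choices.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed forwarder secret; the real one lives in the MTA's SRS config.
SRS_SECRET = b"constructed-forwarder-secret"
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
MAX_AGE_DAYS = 21  # bounces to addresses older than this are refused

def _timestamp(days: int) -> str:
    # Two base32 characters carry the day count modulo 1024.
    return BASE32[(days >> 5) & 31] + BASE32[days & 31]

def _hash(ts: str, domain: str, local: str) -> str:
    # HMAC over timestamp, original domain and original local part, truncated
    # to four base64 characters; input is lowercased because local parts
    # may be case-folded in transit.
    mac = hmac.new(SRS_SECRET, (ts + domain + local).lower().encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()[:4]

def _today() -> int:
    return int(time.time() // 86400)

def srs_forward(sender: str, forwarder: str, days: Optional[int] = None) -> str:
    """alice@example.org forwarded via fwd.example.net becomes
    SRS0=HHHH=TT=example.org=alice@fwd.example.net, so any bounce returns
    to the forwarder, which can prove it issued that address."""
    local, domain = sender.rsplit("@", 1)
    ts = _timestamp(_today() if days is None else days)
    return f"SRS0={_hash(ts, domain, local)}={ts}={domain}={local}@{forwarder}"

def srs_reverse(address: str, days: Optional[int] = None) -> Optional[str]:
    """Return the original sender for a valid SRS0 address, or None when the
    hash does not verify (forged or never issued) or the timestamp is stale.
    Only a non-None result should be passed on as a bounce."""
    local = address.rsplit("@", 1)[0]
    if not local.startswith("SRS0="):
        return None
    parts = local[len("SRS0="):].split("=", 3)
    if len(parts) != 4:
        return None
    h, ts, domain, orig_local = parts
    ts = ts.upper()
    if len(ts) != 2 or any(c not in BASE32 for c in ts):
        return None
    if not hmac.compare_digest(h.lower(), _hash(ts, domain, orig_local).lower()):
        return None
    issued = (BASE32.index(ts[0]) << 5) | BASE32.index(ts[1])
    now = (_today() if days is None else days) & 1023
    if (now - issued) % 1024 > MAX_AGE_DAYS:  # modular so the counter may wrap
        return None
    return f"{orig_local}@{domain}"
```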

  • by statemachine ( 840641 ) on Monday May 05, 2008 @07:00AM (#23298740)
    Eternal September.

    Sure, I once got angry at people who sent me spam and bounced it back to the sender with a nastygram. But that was 1995. There wasn't SPF, and there weren't content filters. And most installations were open relays on Sendmail. Administering e-mail was simply giving someone a home directory and pine.

    Nowadays, the e-mail administrators are the biggest enablers. If they just checked SPF records and stopped automated bounces after a content filter determines it's spam.... It's also up to the admin to educate their users. But, there will always be clueless new admins and new users.
  • Re:A trickle?! (Score:3, Interesting)

    by Anonymous Coward on Monday May 05, 2008 @07:41AM (#23298898)
    I've had a GMail account since a month after launch, which I use for both automated signups and personal correspondence.

    I use Sneakemail free forwarding to sign up for automated things, so that I can revoke them if the spam gets too obnoxious. I have approximately 250 different Sneakemail addresses out there.

    I have never had a spam problem with my Gmail account. When I do get spam, I know where it's coming from - and I deactivate that address and vow never to use that service again. I see Sneakemail as using a condom for sites you'll probably only stick around for a single night - why worry? Bugzilla & SocialTextOpen are the only two spam-vulnerable legit sites I've encountered in the last year or two.

    If I ever need to put my personal address out there subject to crawlers, things will be a bit different.

  • by jimicus ( 737525 ) on Monday May 05, 2008 @08:39AM (#23299280)

    Then again, I have never regarded email as a reliable method of communication. Everything truly important goes with a read receipt request and if I don't receive one then I phone or send snail mail. I continue to be amazed by the number of screwups I continue to hear about where someone says "I never got [such and such] email."
    As an admin, let me assure you that no (competent) email administrator has email randomly disappearing into the Magical Land of the Email Fairies.

    I have had more people than I care to remember come to me complaining that "X says they sent me an email and I never received it, can you look into it?". Every single time I have been able to tell them exactly what happened. 8 times out of 10 the email's sat in their Inbox and they just have such a cluttered inbox that they can never find anything. (The other 2 times it's an internal mail that the sender sent to a number of people, but the complaining recipient isn't one of them).
  • by mr100percent ( 57156 ) on Monday May 05, 2008 @09:15AM (#23299596) Homepage Journal
    I wonder if you can sue them for infringing on your copywritten email address...
  • by KillerBob ( 217953 ) on Monday May 05, 2008 @09:17AM (#23299620)
    You're talking about CAPTCHA.... most CAPTCHA algorithms have been compromised. Also, most forums that actually use it have a working e-mail address listed on the CAPTCHA page, asking people to e-mail the admins if they have problems with it. I've created accounts manually on the forums I administer, for people who have problems with CAPTCHA.

    One of the main reasons forums don't get hit by spammers is because the admin staff knows what they're doing. They lock down threads, respond quickly, and keep the software up to date. Temporary bans, and permanent bans... You also need a working e-mail address in order to register, which blocks an awful lot of spam. Finally, there are over 150 domains on the banlist for my forums... some of the most popularly used (by spammers) freebie e-mail accounts, like mail.ru.

    Oh... and it helps to have a robots.txt file. Mine looks like this:

    User-agent: *
    Disallow: /


    The forums are served up from a subdomain... the actual site shows up in search engines, but having the separate domain with robots.txt helps keep the forums off the search engines. If they don't know you're there, then they can't spam you. :)
  • Re:Where's the news? (Score:3, Interesting)

    by dotancohen ( 1015143 ) on Monday May 05, 2008 @09:19AM (#23299632) Homepage
    Depends. I can start keeping count if you want, but anywhere from 800-5000 backscatters would not surprise me in any given week. That, plus 1200-7000 spam messages a week.

    I now have four filter mechanisms at work:
    1) All my contacts get a unique email address. Something along the lines of your-name@my-server.com
    2) SpamAssassin on the server.
    3) Thunderbird's standard junk mail filter on the client.
    4) Whitelist addresses of known contacts to my "whitelist" folder.

    I see maybe 10-20 spam messages a day in my inbox, and the only time I get spam in my whitelist box is when a contact of mine is irresponsible with my address. I then change the address, scold the contact, and give him a new address until next time. I could not do this without the terrific Virtual Identities Thunderbird extension, which remembers which addresses I use to email each contact:
    https://addons.mozilla.org/en-US/thunderbird/addon/594 [mozilla.org]

    The Inbox gets about 10-20 spams a day, the Tbird junk mail gets around 200 I think, and about once a week or three I grep the SpamAssassin folder on the server for anything interesting.

    Spam costs me money, bandwidth, and time away from my studies, work, and family. Spam is the modern Chinese water torture: one drop does nothing, but drop after drop my life is being eroded. Not just online life, mind you, but real life as the internet is no less important to everyday life than the telephone is today.
    http://what-is-what.com/what_is/spam.html [what-is-what.com]
  • Re:"legitimate?" (Score:2, Interesting)

    by Palinchron ( 924876 ) on Monday May 05, 2008 @09:28AM (#23299716)
    So what is the proper response if Aunt Tillie forwarded the mail to both me and my brother (both of whom have a mailbox on the same server) in the situation that I want my spam dropped whereas my brother wants his spam delivered for manual checking?

    There will be a single mail with two recipients, one who doesn't want the mail and one who does. Should I 5xx the mail (even though my brother wants to receive it) or should I 2xx it and drop my copy silently? AFAIK, there's nothing in between.
  • Re:A trickle?! (Score:3, Interesting)

    by KillerBob ( 217953 ) on Monday May 05, 2008 @09:36AM (#23299784)
    That works great, until one of your friends makes a typo and sends a message to lupmy@yourdomain.com instead of lumpy.... they get no confirmation that the message they sent to you didn't go through... because it *did* go through. It just went straight into your spam filter.

    I could make it sound worse than it is, by making this fictional friend your significant other, and creating some kind of facetious situation in which your relationship will end if you don't respond to said message... but you get the idea.

    It's your choice. But I get very few spam messages in my inbox, and I don't use a catch-all. I have SpamAssassin updating itself automatically by a cron job, and that works pretty well.
  • Re:A trickle?! (Score:4, Interesting)

    by Intron ( 870560 ) on Monday May 05, 2008 @09:53AM (#23300016)
    Barracuda knows about the problem and gives out instructions on how to turn it off. They deliberately set the default to bounce spam to innocent victims because it is free advertising.
  • by FatdogHaiku ( 978357 ) on Monday May 05, 2008 @10:40AM (#23300538)
    How about we change the delivery method. Instead of an email being sent to me and sitting on my server or service waiting for me to sort it, you send me the headers for the sender, subject, size, date, and attachment status while the message and attachments sit on YOUR server until I choose to pick it up or it expires. The reduction in bandwidth should pay for the increase in storage, and the spammers would have to leave their message sitting on a machine somewhere waiting for me to pick it up (hint, not gonna happen).
    1. No servers flooding the net with messages.
    2. Easily identifiable spam sources, making bot-nets less useful.
    3. Reduced bandwidth as the system replaces the old one.
    4. Allow email clients and webmail services to be configured to retrieve every message for the few numb nuts that don't/won't get it.
    5. Profit (via reduced long term cost).
    Just spitballing...
  • Re:A trickle?! (Score:2, Interesting)

    by Mr. Slippery ( 47854 ) <.tms. .at. .infamous.net.> on Monday May 05, 2008 @10:42AM (#23300550) Homepage

    If everyone was publishing SPF-records and enforcing them, the problem would go away.

    ...and new problems would arise, because SPF is fundamentally flawed [woodhou.se].

  • by PRC Banker ( 970188 ) on Monday May 05, 2008 @11:01AM (#23300814)
    A nice trick is to put a no-follow link in robots.txt and have a well linked but no-follow (and to humans, obscured) page that when accessed denies that IP from getting anything from the site for a certain amount of time.
  • by Anonymous Coward on Monday May 05, 2008 @12:00PM (#23301534)
    Problems:

    1. Only works for obvious spam. For non-obvious spam it means the user has to download it - which notifies the spammer of a known-good address. That means more spam. (Right now images do this, but images can be disabled while preserving the text.)

    2. They'll just advertise in the subject line. Perhaps easier to filter, but seems like a losing battle to me.

    3. How do you authenticate?

    4. Allows people to associate an email address with an IP even if that IP/address never sends them email.

    5. Completely fails to account for offline/IMAP use.

    Some of this can be mitigated by having the receiving server fetch the mail when the client requests it, but that adds more problems.
  • by ubercaff ( 1259184 ) on Monday May 05, 2008 @12:21PM (#23301798)
    We have noticed a DRAMATIC increase in backscatter over the last month or so. It has forced us to configure our E-mail systems to automatically flag NDRs as SPAM and quarantine them. I can't wait until the next new method of spam shows up.
  • by FatdogHaiku ( 978357 ) on Monday May 05, 2008 @01:02PM (#23302260)

    Problems:

    1. Only works for obvious spam. For non-obvious spam it means the user has to download it - which notifies the spammer of a known-good address. That means more spam. (Right now images do this, but images can be disabled while preserving the text.)

    2. They'll just advertise in the subject line. Perhaps easier to filter, but seems like a losing battle to me.

    3. How do you authenticate?

    4. Allows people to associate an email address with an IP even if that IP/address never sends them email.

    5. Completely fails to account for offline/IMAP use.

    Some of this can be mitigated by having the receiving server fetch the mail when the client requests it, but that adds more problems.


    1. I'm pretty much whitelisting by hand now. If I don't know you, I don't care what you put in the subject line, your stuff is gone.

    2. Set a size limit on all the headers, no hex or encoding, plain text and straight IP addresses for the server holding the mail.

    3. Their server sends me a key to pick up the message (a header I forgot), if a server sees the same key a thousand times in a minute or two... hmmmm...

    4. Works both ways: Gmail Warning, The message you are about to retrieve is located on a server KNOWN to send spam... Continue?

    5. If you're offline you are pretty much working with the mail you already downloaded, right?

    I'm not saying I have a perfect answer, but there are plenty of people that can figure it out, just like other ideas have been brought to fruition on the web, by cooperation of parties that have a mutual interest... and on this topic, it's a BIG group and they have the brain power and bucks to make it work without rattling too many cages.

    The point is to reverse it so that the abusers are left holding the bag, botted machines are quickly identified (and hopefully cleaned), and the free ride stops with the death of standard SMTP servers.

    All I can offer is my idea of a starting point...

  • by raddan ( 519638 ) on Monday May 05, 2008 @01:14PM (#23302410)
    I think you are misunderstanding the poster. The point is-- do not accept nondelivery (aka "bounce") messages from senders with misconfigured SMTP relays. This would be very easy to implement: bounce senders always set the "MAIL FROM" field to "[less than][greater than]". So if you receive an email from "[less than][greater than]", check it against the list. If it's from a misconfigured server, drop it.

    This is one area where greylisting (taking advantage of the SMTP protocol to implement some primitive challenge-response) does not work, because MTAs involved in backscatter are indeed real SMTP servers.

    BTW, interpret the "[less than][greater than]" as the actual angle braces. Stupid /. filter.
  • by tempest69 ( 572798 ) on Monday May 05, 2008 @01:37PM (#23302672) Journal
    The return mail for spammers is an auto-reply, so feed it another spammer's return mail..

    wait for infinite loop to finish..

    repeat as needed.

    Storm

  • Re:A trickle?! (Score:3, Interesting)

    by jabuzz ( 182671 ) on Monday May 05, 2008 @07:38PM (#23306230) Homepage
    Having been the victim of spam backscatter on several occasions in the last five years, it occurred to me some years ago that the solution to bounce issues was to insert a random ID into each email as a header. Then track these against the domain they were sent to. Only bounces from matching domains, that contained the magic ID would ever get delivered.
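Richard W.M. Jones's signed custom header (above) and jabuzz's ID tracked against the destination domain can be combined in one stateless check, which also applies raddan's observation that real bounces arrive with the null envelope sender. This is an added example, not code from any of the commenters: the header name X-Bounce-Token and the secret are assumptions, and an HMAC bound to the Message-ID and recipient domain stands in for a stored random ID, so no database of sent IDs is needed.

```python
import hashlib
import hmac
import re
from email import message_from_string
from email.message import EmailMessage, Message
from email.utils import parseaddr
from typing import Optional, Tuple

# Constructed secret and hypothetical header name; keep the real secret out of source.
BOUNCE_SECRET = b"constructed-outbound-secret"
TOKEN_HEADER = "X-Bounce-Token"

def _token(message_id: str, recipient_domain: str) -> str:
    # Bound to this message and to the domain we sent to, so a bounce from elsewhere fails.
    data = f"{message_id}|{recipient_domain.lower()}".encode()
    return hmac.new(BOUNCE_SECRET, data, hashlib.sha256).hexdigest()[:32]

def tag_outgoing(msg: EmailMessage) -> EmailMessage:
    """Add the per-message token header just before the MTA sends the mail."""
    domain = parseaddr(msg["To"])[1].rsplit("@", 1)[1]
    msg[TOKEN_HEADER] = _token(msg["Message-ID"], domain)
    return msg

def _echoed_headers(bounce: Message) -> Tuple[Optional[str], Optional[str]]:
    """Recover (token, Message-ID) from a DSN that attached the original or pasted its headers."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            orig = part.get_payload(0)
            return orig[TOKEN_HEADER], orig["Message-ID"]
    text = "\n".join(p.get_payload() for p in bounce.walk()
                     if p.get_content_type() == "text/plain")
    tok = re.search(rf"^{TOKEN_HEADER}:\s*(\S+)", text, re.M | re.I)
    mid = re.search(r"^Message-ID:\s*(<[^>]+>)", text, re.M | re.I)
    return (tok.group(1) if tok else None), (mid.group(1) if mid else None)

def bounce_is_genuine(bounce_text: str, bouncing_domain: str) -> bool:
    """Accept only a null-sender DSN whose echoed token verifies for the bouncing domain."""
    bounce = message_from_string(bounce_text)
    if bounce.get("Return-Path", "<>").strip() != "<>":
        return False
    token, message_id = _echoed_headers(bounce)
    if not token or not message_id:
        return False
    return hmac.compare_digest(token, _token(message_id, bouncing_domain))

def check_samples() -> dict:
    """Constructed outbound mail, one honest DSN and one backscatter DSN."""
    out = EmailMessage()
    out["From"], out["To"] = "rich@example.org", "Bob <bob@example.com>"
    out["Message-ID"] = "<20080505.1@example.org>"
    out.set_content("hello")
    tag_outgoing(out)
    echoed = f"{TOKEN_HEADER}: {out[TOKEN_HEADER]}\nMessage-ID: {out['Message-ID']}\n"
    genuine = "Return-Path: <>\nFrom: MAILER-DAEMON@example.com\n\nOriginal headers:\n" + echoed
    forged = "Return-Path: <>\nFrom: MAILER-DAEMON@relay.invalid\n\nMessage-ID: <x@spammer.invalid>\n"
    return {"genuine": bounce_is_genuine(genuine, "example.com"),        # our header, right domain
            "no_token": bounce_is_genuine(forged, "relay.invalid"),      # nothing of ours to verify
            "wrong_domain": bounce_is_genuine(genuine, "other.example")} # token replayed elsewhere
```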
  • by SpammersAreScum ( 697628 ) on Monday May 05, 2008 @08:12PM (#23306478)
    I suppose this qualifies as a mis-directed 5xx rather than backscatter, but... Exactly a year ago, coincidentally, I received "failure delivery" bounces from a Yahoo.com server, for email I never sent, apparently because the actual sender put my corporate email address in the Return-Path! You'd think Yahoo'd know better.
  • Re:"legitimate?" (Score:2, Interesting)

    by miles zarathustra ( 114450 ) on Monday May 05, 2008 @10:15PM (#23307518) Homepage Journal
    Here's a simple way to eliminate 80% of backscatter:

    Ban qmail from the internet!!

    The stock version doesn't check for validity until after the connection with the SMTP server has broken. Then it obediently sends the bounce to the reply-to address. Yuck!
