100 Email Bouncebacks - Welcome to Backscattering 316
distefano links to a story on Computerworld, excerpting: "E-mail users are receiving an increasing number of bounceback spam, known as backscatter, and security experts say this kind of spam is growing. The bounceback e-mail messages come in at a trickle, maybe one or two every hour. The subject lines are disquieting: 'Cyails, Vygara nad Levytar,' 'UNSOLICITED BULK EMAIL, apparently from you.' You eye your computer screen; you're nervous. What's going on ? Have you been hacked? Are you some kind of zombie botnet spammer? Nope, you're just getting a little backscatter — bounceback messages from legitimate e-mail servers that have been fooled by the spammers."
Re:De-standardize, and make it worthwhile. (Score:5, Interesting)
Comment removed (Score:5, Interesting)
Easy filtering solution (Score:5, Interesting)
There's an easy way to filter out backscatter while preserving bounce messages that you care about (ie. ones about email that you actually sent):
1. Add your own custom header to all your outgoing emails. Doesn't matter what it is, but it should be unique, eg. 'X-Really-From-Richard-Jones: xsomesecretx'
2. MTAs include the original headers in bounce messages, so discard bounce messages which don't contain your custom header.
You can even be smart and sign the header based on the content of the email using a private key, which would make it unforgeable, but at the moment you don't need to do that.
Rich.
Easy anti spam system (Score:1, Interesting)
I have anyemail@mydomain.com forwarded to a gmail account, which then forwards ONLY email with a certain extension (for instance, somesite.spam@mydomain.com) to my private email address. The bonus is, if you use a different email address for each site (for instance, slashdot.spam@mydomain.com), you can nail down the sites that spam like crazy (not that slahdot would do such things
clicking next ? youve been splogged (Score:2, Interesting)
1280px wide layout but the column with the actual content in is only 200px the other 1080px are dedicated to adverts and sponsors
i think that computerworld site is a classic example of a site that cares nothing for its readers (like spam) and is only a means to an end, when a site has more space dedicated to advertising than content you know you've hit a spam site
funny how they are telling us about spam while promoting more adverts on a single page than a spam message has
What's new about this? (Score:2, Interesting)
SPF + !SRS! (Score:4, Interesting)
It seems like the solution to "backscatter" has been around for quite a few years (SRS [openspf.org]). I'm surprised how few of the commercially available anti-spam solutions use or interpret it.
At my company, we just looked at Barracuda (PoS), Pineapp, St. Bernards ePrism, MX Force, Postini, and some other things. None of them understand SRS and only a few of the tech contacts had even heard of it. Sad Sad. But they all seem to have hand-rolled "backscatter" protection that partially works.
It seems like everyone has an SPF record these days. But it feels like relatively few actually check them and almost nobody goes the full distance and uses SRS.
Re:What's new about this? (Score:3, Interesting)
Sure, I once got angry at people who sent me spam and bounced it back to the sender with a nastygram. But that was 1995. There wasn't SPF, and there weren't content filters. And most installations were open relays on Sendmail. Administering e-mail was simply giving someone a home directory and pine.
Nowadays, the e-mail administrators are the biggest enablers. If they just checked SPF records and stopped automated bounces after a content filter determines it's spam.... It's also up to the admin to educate their users. But, there will always be clueless new admins and new users.
Re:A trickle?! (Score:3, Interesting)
I use Sneakemail free forwarding to sign up for automated things, so that I can revoke them if the spam gets too obnoxious. I have approximately 250 different Sneakemail addresses out there.
I have never had a spam problem with my Gmail account. When I do get spam, I know where it's coming from - and I deactivate that address and vow never to use that service again. I see Sneakemail as using a condom for sites you'll probably only stick around for a single night - why worry? Bugzilla & SocialTextOpen are the only two spam-vulnerable legit sites I've encountered in the last year or two.
If I ever need to put my personal address out there subject to crawlers, things will be a bit different.
Re:I've been getting "backscatter" for years... (Score:3, Interesting)
I have had more people than I care to remember come to me complaining that "X says they sent me an email and I never received it, can you look into it?". Every single time I have been able to tell them exactly what happened. 8 times out of 10 the email's sat in their Inbox and they just have such a cluttered inbox that they can never find anything. (The other 2 times it's an internal mail that the sender sent to a number of people, but the complaining recipient isn't one of them).
Re:I've been getting "backscatter" for years... (Score:4, Interesting)
Re:De-standardize, and make it worthwhile. (Score:5, Interesting)
One of the main reasons forums don't get hit by spammers is because the admin staff knows what they're doing. They lock down threads, respond quickly, and keep the software up to date. Temporary bans, and permanent bans... You also need a working e-mail address in order to register, which blocks an awful lot of spam. Finally, there's over 150 domains on the banlist for my forums... some of the most popularly used (by spammers) freebie e-mail accounts, like mail.ru.
Oh... and it helps to have a robots.txt file. Mine looks like this:
The forums are served up from a subdomain... the actual site shows up in search engines, but having the separate domain with robots.txt helps keep the forums off the search engines. If they don't know you're there, then they can't spam you.
Re:Where's the news? (Score:3, Interesting)
I now have four filter mechanisms at work:
1) All my contacts get a unique email address. Something along the lines of your-name@my-server.com
2) Spamassasin on the server.
3) Thunderbird's standard junk mail filter on the client.
4) Whitelist addresses of known contacts to my "whitelist" folder.
I see maybe 10-20 spam messages a day in my inbox, and the only time I get spam in my whitelist box is when a contact of mine is irresponsible with my address. I then change the address, scold the contact, and give him a new address until next time. I could not do this without the terrific Virtual Identities Thunderbird extension, which remembers which addresses I use to email each contact:
https://addons.mozilla.org/en-US/thunderbird/addon/594 [mozilla.org]
The Inbox gets about 10-20 spams a day, the Tbird junk mail gets around 200 I think, and about once a week or three I grep the spamassasin folder on the server for anything interesting.
Spam costs me money, bandwidth, and time away from my studies, work, and family. Spam is the modern Chinese water tourture: one drop does nothing, but drop after drop my life is being eroded. Not just online life, mind you, but real life as the internet is no less important to everyday life than the telephone is today.
http://what-is-what.com/what_is/spam.html [what-is-what.com]
Re:"legitimate?" (Score:2, Interesting)
There will be a single mail with two recipients, one who doesn't want the mail and one who does. Should I 5xx the mail (even though my brother wants to receive it) or should I 2xx it and drop my copy silently? AFAIK, there's nothing in between.
Re:A trickle?! (Score:3, Interesting)
I could make it sound worse than it is, by making this fictional friend your significant other, and creating some kind of facetious situation in which your relationship will end if you don't respond to said message... but you get the idea.
It's your choice. But I get very few spam messages in my inbox, and I don't use a catch-all. I have SpamAssassin updating itself automatically by a cron job, and that works pretty well.
Re:A trickle?! (Score:4, Interesting)
Re:De-standardize, and make it worthwhile. (Score:5, Interesting)
1. No servers flooding the net with messages.
2. Easily identifiable spam sources, making bot-nets less useful.
3. Reduced bandwidth as the system replaces the old one.
4. Allow email clients and webmail services to be configured retrieve every message for the few numb nuts that don't/won't get it.
5. Profit (via reduced long term cost).
Just spitballing...
Re:A trickle?! (Score:2, Interesting)
...and new problems would arise, because SPF is fundamentally flawed [woodhou.se].
Re:De-standardize, and make it worthwhile. (Score:4, Interesting)
Re:De-standardize, and make it worthwhile. (Score:1, Interesting)
1. Only works for obvious spam. For non-obvious spam it means the user has to download it - which notifies the spammer of a known-good address. That means more spam. (Right now images do this, but images can be disabled while preserving the text.)
2. They'll just advertise in the subject line. Perhaps easier to filter, but seems like a losing battle to me.
3. How do you authenticate?
4. Allows people to associate an email address with an IP even if that IP/address never sends them email.
5. Completely fails to account for offline/IMAP use.
Some of this can be mitigated by having the receiving server fetch the mail when the client requests it, but that adds more problems.
We have been seeing this problem ALOT lately. (Score:2, Interesting)
Re:De-standardize, and make it worthwhile. (Score:4, Interesting)
1. Only works for obvious spam. For non-obvious spam it means the user has to download it - which notifies the spammer of a known-good address. That means more spam. (Right now images do this, but images can be disabled while preserving the text.)
2. They'll just advertise in the subject line. Perhaps easier to filter, but seems like a losing battle to me.
3. How do you authenticate?
4. Allows people to associate an email address with an IP even if that IP/address never sends them email.
5. Completely fails to account for offline/IMAP use.
Some of this can be mitigated by having the receiving server fetch the mail when the client requests it, but that adds more problems.
1. I'm pretty much whitelisting by hand now, If I don't know you, I don't care what you put in the subject line, your stuff is gone.
2. Set a size limit on all the headers, no hex or encoding, plain text and straight IP addresses for the server holding the mail.
3. Their server sends me a key to pick up the message (a header I forgot), if a server sees the same key a thousand times in a minute or two... hmmmm...
4. Works both ways: Gmail Warning, The message you are about to retrieve is located on a server KNOWN to send spam... Continue?
5. If your offline you are pretty much working with the mail you already downloaded, right?
I'm not saying I have a perfect answer, but there are plenty of people that can figure it out, just like other ideas have been brought to fruition on the web, by cooperation of parties that have a mutual interest... and on this topic, it a BIG group and they have the brain power and bucks to make it work without rattling to many cages.
The point is to reverse it so that the abusers are left holding the bag, botted machines are quickly identified (and hopefully cleaned), and the free ride stops with the death of standard SMTP servers.
All I can offer is my idea of a starting point...
Re:De-standardize, and make it worthwhile. (Score:3, Interesting)
This is one area where greylisting (taking advantage of the SMTP protocol to implement some primitive challenge-response) does not work, because MTAs involved in backscatter are indeed real SMTP servers.
BTW, interpret the "[less than][greater than]" as the actual angle braces. Stupid
well if your feeling like having fun.. (Score:4, Interesting)
wait for infinite loop to finish..
repeat as needed.
Storm
Re:A trickle?! (Score:3, Interesting)
Re:"legitimate?" Yeah, like Yahoo? (Score:2, Interesting)
Re:"legitimate?" (Score:2, Interesting)
Ban qmail from the internet!!
The stock version doesn't check for validity until after the connection with the SMTP server has broken. Then it obediently sends the bounce to the reply-to address. Yuck!