Saturday, October 27, 2007

Victims of email backscatter unite!

Currently I receive close to 500 backscattered messages per day at one of my email addresses. Some spammers must be really pissed off at me, or maybe my alias is a good one to use because it's on a common email alias provider. Anyway, I decided it's time to do something about it, if possible.

First, you may be asking what a backscattered message is. It's a "bounce" email that arrives in your in-box, usually with a subject like "Delivery notification: delivery has failed", "Delivery status notification", "failure notice", etc. The messages typically originate from "Mailer daemon", "postmaster", or "Mail delivery subsystem". Backscatter consists of messages that tell you about problems with messages you did not send.

Huh? This is weird... What's up with that? Well, you get backscattered messages because of two problems:

  1. a spammer has forged your email address in the "From:" field of the spam she sent;
  2. some email server has received that spam, and for some reason decided to reply to the forged email address (yours), probably to tell you:
    • it couldn't be delivered because the destination address was not valid, the user's mailbox was full, etc.;
    • the user is on vacation (vacation auto-responder);
    • the message contained a virus and was blocked;
    • the message was detected as spam and blocked.

The last two reasons are particularly incredible. If the mail server is smart enough to determine a message was a virus or spam, then it should know darn well that replying to its "From:" address makes no sense because -- guess what -- spammers/viruses nearly always forge the "From:" address!
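The two server behaviours described above, as an added illustration in Python (this is not code from the blog, and the host names, addresses and filter verdicts are constructed): a server that rejects while the sending client is still connected never mails anything to the forged "From:" address, whereas one that accepts first and bounces later produces exactly the backscatter the post complains about.

```python
"""Added illustration (not code from the blog): the accept/reject choice that
decides whether a mail server creates backscatter.

  REJECT_AT_SMTP      decide while the sending client is still connected and
                      answer 5xx; this server never generates a bounce.
  ACCEPT_THEN_BOUNCE  answer 250, scan later, then mail a non-delivery report
                      to the envelope sender, i.e. to the forged address.

Host names, addresses and filter verdicts below are constructed sample data.
"""
from dataclasses import dataclass
from email.message import EmailMessage
from email.utils import make_msgid
from typing import Optional, Tuple


@dataclass
class Envelope:
    mail_from: str   # SMTP reverse-path (MAIL FROM); "" is the null sender <>
    rcpt_to: str
    verdict: str     # result of filter / user lookup: clean, spam, virus, unknown-user


def smtp_time_decision(env: Envelope) -> Tuple[int, str]:
    """REJECT_AT_SMTP: the SMTP reply given before the message is accepted.
    A 5xx here leaves the failure with the connecting client; a zombie just
    moves on, and nothing is ever mailed to the forged sender."""
    if env.verdict == "unknown-user":
        return 550, "5.1.1 Recipient address rejected: User unknown"
    if env.verdict in ("spam", "virus"):
        return 550, "5.7.1 Message rejected by content filter"
    return 250, "2.0.0 Ok: queued"


def accept_then_bounce(env: Envelope) -> Optional[EmailMessage]:
    """ACCEPT_THEN_BOUNCE: the server already said 250 and now finds a problem.
    Returns the bounce it would send, or None when no bounce is sent."""
    if env.verdict == "clean":
        return None
    if env.mail_from == "":
        # RFC 5321: never bounce a message whose reverse-path is null; this is
        # what keeps bounces of bounces from looping.
        return None
    dsn = EmailMessage()
    dsn["From"] = "MAILER-DAEMON@mx.example.net"   # constructed reporting host
    dsn["To"] = env.mail_from                        # forged => goes to the victim
    dsn["Subject"] = "Delivery Status Notification (Failure)"
    dsn["Auto-Submitted"] = "auto-replied"
    dsn["Message-ID"] = make_msgid(domain="mx.example.net")
    dsn.set_content(
        f"Your message to {env.rcpt_to} could not be delivered ({env.verdict})."
    )
    return dsn


def bounce_is_generated(env: Envelope, policy: str) -> bool:
    """Whether the chosen policy mails anything to the envelope sender.
    With a forged MAIL FROM, that mail is backscatter."""
    if policy == "REJECT_AT_SMTP":
        return False
    if policy == "ACCEPT_THEN_BOUNCE":
        return accept_then_bounce(env) is not None
    raise ValueError(f"unknown policy {policy!r}")


# Constructed sample: a zombie sends spam with the victim's address forged.
FORGED = Envelope("victim@example.org", "nosuchuser@mx.example.net", "spam")

if __name__ == "__main__":
    print("reject at SMTP time:", smtp_time_decision(FORGED))
    for pol in ("REJECT_AT_SMTP", "ACCEPT_THEN_BOUNCE"):
        print(pol, "-> mail to", FORGED.mail_from, "?", bounce_is_generated(FORGED, pol))
```

The null-sender check matters for the case where a relay genuinely must bounce: a bounce itself is sent with an empty reverse-path, so a correctly configured server never answers a bounce with another bounce.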

The following image shows the anatomy of email backscatter.

[Image: Anatomy of email backscatter]

The bad news is, you won't be able to stop spammers from forging your email address (problem #1 above). But there is some good news -- you may be able to do something about the servers that bounce messages (they create the backscatter messages, problem #2). Did you know that AOL, Hotmail, Yahoo, Gmail, etc. are examples of email services that do NOT create backscatter? This is because they are well administered and their email servers are correctly configured.

Sadly, there are too many email servers on the Internet today that create backscatter. See the links about backscatter on the side menu of this blog for information about the technical details. One of the worst offenders is the Barracuda Spam Firewall. I sometimes get 15 of their bounces per day, telling me the "Message you sent was blocked by our bulk email filter". Their software accuses me of sending spam, because the designer of the software mistakenly thought it was a good thing to reply to spam with forged sender addresses. That is irresponsible, and Barracuda should fix their product.

All ranting aside, if you're willing to work a little, I suspect there is huge potential to fight spam if one is a victim of backscatter. Here are a couple of thoughts about useful information that could be exploited, provided there were some way to process it:

  • Email bounces arrive practically in "real time" from spam runs. As soon as the spammer starts hitting mail servers with her spam, the bounces of failed messages come in to the victim of the forged "From:" address.
  • Some of the bounces themselves contain full headers of the spam email. Most often, one can trace back the IP address to a spam-sending zombie.
  • A spam run will typically have the same subject of spam, or even the same "spamvertised" URL to a web page.
  • (if you have concrete ideas or resources about how to use this information, send me an email or post your ideas here in response)

There is a block-list for backscattering hosts at www.backscatterer.org. I have already contacted them, but they are only interested in my backscatter if I host an MX on UCEProtect.net's system. Apparently their backscatter-reporting is hard-coded from that system. Sadly, I would lose the backscatter if I were to move my email there, as it's coming into an email alias, which forwards to my Gmail system. By the way, Gmail does a great job of classifying spam, including backscattered messages.

You can report backscatter to Spamcop.net, and, in principle, the administrators of offending sites will get a SpamCop report. However, the link that SpamCop sends to them does a poor job of explaining the problem and the solution, and I don't think it has much effect. Sadly, a backscattering host will only get put on the SpamCop block-list if enough different people report it. So, if you're a victim of backscatter, you can make a difference by reporting it to SpamCop!

I report all backscatter (and other spam) to SpamCop fairly easily using a combination of Gmail, FreePOPs, Thunderbird and SpamCop's quick-report feature (which is free). See how to set up FreePOPs to download spam from your Gmail spam folder. In the interest of getting more people to report their backscatter, I would be happy to help you set up your system to do it easily. Please post your requests here, but don't identify your emails on this blog. If you want me to know specific info, you can email me at my Gmail address if you choose.

10 comments:

Paul Schmidt said...

You wrote that Yahoo was well administered to stop backscatter. As an emailer this may be true, but as a mail server administrator this is NOT the case.

Yahoo, when it sees spam, instead of replying with a rejected code in the response, sends a "deferred". This makes any mail server that is trying to send to yahoo hold the mail in their queue (usually 7 days.) Instead of being the "bad guy", Yahoo dumps all the responsibility back on the net instead of taking responsibility themselves.

Since they are inaccurate with their response messages, I would not call Yahoo well administered.

Spam Fighter said...

Paul,

I think I follow your description of what yahoo does. But I can't say I've investigated that.

However, I would say that any mail server forwarding spam is part of the problem. A huge percentage of spam is sent by zombies, so "deferring" it would be a great way to bog down the zombies. In my backscatter analyses, I have seen that most backscatter is sent by one zombie to one mail server, and rarely there is an intermediate mail server. I could argue that any intermediate mail server should easily identify zombies by 1) block lists or 2) dynamic IP lists.

dragonsmama said...

I use AOL for email and for several months have been getting what appears to be bulk 'returned mail' in an asian script I cannot read. AOL initially said it was my computer or anti-virus software, but after a complete change of computer (and receipt of bulk 'returned mail' when I was not connected to the internet) they are now saying it is backscatter. Although that appeared initially to make sense, what I do not understand is that at almost the same time as the 'Returned mail' starts to appear, if I look in my 'Sent' box, I see what looks like the 'original' emails suddenly appearing there - although the times on them indicate they were sent many hours earlier or even the previous day.
Is this still backscatter, and if so, why is it appearing also in my 'sent' box?
If this is not backscatter, why would it happen when I am not even connected to the internet (I had to wait for a new router for my new computer) and why would it happen on unconnected old then new computer?
AOL is being very unhelpful, so please can you let me know what is happening? You might have guessed, I am not a computer expert, but do not want to have to change my email address.

Spam Fighter said...

Dragonsmama,

If you're speaking of your AOL "sent" box, then it sounds like your AOL account is sending the email, and they're bouncing. Technically, this isn't backscatter, but just normal bounces.

As for why these items appear in the "Sent" box on AOL, it might be that someone else is using your account. Are these spam emails?

AOL should help you with this if they are indeed spams that were "Sent", since it implies that your AOL account is sending bulk messages without you knowing about it. That explains why your account sends out emails when you're not online.

The obvious thing to do immediately is change your AOL password, using a virus-free computer.

dragonsmama said...

Thank you for your answer. AOL is being very unhelpful - it has taken months for me to get even the answer of 'backscatter' from them, and I suspected it may be incorrect.
The emails cannot be coming from my keyboard as it does not have the 'correct' asian script - and I would not know how to go about getting it! I don't even know what language it is.
I don't think they can be coming from my computer hardware as they were also sent out in between disconnecting my old computer and the week later that my new one was connected to the internet.
I imagine they are spam emails - but as they are in this foreign script I have no idea what they are about!
I also suspected that someone else may be using my email account - but AOL deny this is happening. Yesterday it happened at exactly the same time that I was using my computer and logged in to my email account - can AOL be allowing two separate computers to be logged into the same email account at the same time?
I have tried changing my email password - however, when I try to do it, it just alters the password of the main account, not my subsidiary account - even though I have specifically logged in to my settings and it states that it is my email password that has been altered.
I am awaiting an answer (!) from AOL about why this password transfer is occurring.
However, I would be most grateful to hear your response. AOL insists it is backscatter and that I should just ignore it.

Spam Fighter said...

Hmmm... A great question to ask AOL is how to explain the Asian script mails in the "Sent" folder. Maybe they can tell you which IP address sent them.

As for origin of the spams causing the bounces, you might be able to find out more. Some bounce messages have the SMTP headers of the original email (that caused the bounce) included as MIME attachments. If some of the bounces have that info, you can do an analysis of that to find out the time and maybe the IP address of the origin of the message. It's like CSI stuff on an email. It's too complicated to do this through blog correspondence. Email me directly with the header info if you can find it. Or you can try this web page (I found with Google) that tells you how to analyze it: http://www.emailaddressmanager.com/tips/header.html

thelogix said...

I'm currently receiving tons of backscatter from GMail. (I've validated the received chain in the headers).

So apparently gmail is not safe from backscattering.

Angry said...

Spam blockers, blacklisting companies that protect the hard working individual from spammers, what a joke. They are as bad as the spammers, hackers, fraudsters themselves. They take a situation and just make it worse. I am a recent victim of backscatter. My company does not understand concepts of backscatter and spoofing, that backscatter is a deliberate malicious act that I did not actually send spam. My company is a game reserve, we do not spam nor employ email as a mass marketing tool yet our main communicating tool is email due to our location and that has been severely compromised due to blacklisting. Every forum that I have been on says that the actual culprit is impossible to back trace and the real culprit always gets away, why then did I the victim get blacklisted? Shouldn't blacklisting companies have proof? No they play the judge and executioner at will. My company lost thousands in revenue. What do you think is going to be the consequences? Blacklisting companies destroy lives at will. People seem to forget that some actions have some real severe consequences. I have a question, how do you blacklist a blacklist company and what will be the next step in legal action?

Spam Fighter said...

Angry: I've been the victim of backscatter, but I was never black listed. My guess is that your ISP needs educating, or you should change to one that can handle the situation. Backscatter can be malicious, but I believe in my case it was not. Spammers may pick (at random) an address of a real sender for whatever reason. If you happen to be unlucky in this case, it's like the opposite of winning the lottery. On the other hand, if you're a game reserve company, perhaps there are some animal-lover folks intent on disrupting your business, even if it means breaking the rules. Again, if you have a good ISP, this shouldn't be an issue. I realize your post is more than a year old, but I'd recommend changing ISPs to one that understands what backscatter is and who can protect you against it.

Blacklists are relentless because spammers are pervasive. I wouldn't blame them. I believe the spam problem has changed in a very positive way (without any government legislation) thanks to black lists.

kaserei said...

Hi Spam Fighter,

Good blog, I am going to link this to any idiot that sends me obscene emails as a result of other system admins lack of knowledge/stupidity/laziness from now on.

I use gmail via apps for business with dkim and spf records all setup for both my custom domains and I still get about 100 backscatter messages on each of my domains each day.. sometimes less, other days none at all. This is ofc as you say the recipient systems are not configured to check the spf and dkim records correctly if at all, and the mail relays along the route somewhere also allow anonymous relaying of messages.

As a result of the latter above, earlier this week I received an obscene email complaining about the spam being received by a marketing company in London. I have complained about the employee to the company directly, but not received a reply yet. I would like to get some closure on it though just to educate the guy that it's HIS systems that are at fault, and me and my family run business should not expect to get that sort of unsolicited abuse from a supposedly legitimate business in the UK.

I do have some questions that you might be able to help with though: Firstly, google seems to let some "bouncespam" through (all my backscatter is normally caught as spam), I've not identified a pattern yet.

Secondly, my outgoing mail received 2 dkim records, one for google (x-google-dkim) and my own configured for my domain. What I was wondering is which of these would cause a fail/pass and with what priority (maybe different for gmail recipients to other email providers too). I guess that if the check is done for the domain, it would be mine, else if done against the relay (like spf?) it would be google (which again is a range of dynamic IPs, as they keep changing them).

As a closing comment, I use a catch-all email, to give addresses to one of contacts so I can ignore in future (like marketers and recruiters). I'm not sure if I stop doing this, so I can completely ignore most backscatter, will google then send backscatter for the "black hole" mails?