Saturday, October 27, 2007

Victims of email backscatter unite!

Currently I receive close to 500 backscattered messages per day at one of my email addresses. Some spammers must be really pissed off at me, or maybe my alias is a good one to use because it's on a common email alias provider. Anyway, I decided it's time to do something about it, if possible.

First, you may be asking what a backscattered message is. It's a "bounce" email that arrives in your inbox, usually with a subject such as "Delivery notification: delivery has failed", "Delivery status notification" or "failure notice". The messages typically originate from "Mailer daemon", "postmaster", or "Mail delivery subsystem". Backscatter consists of messages that tell you about problems with messages you did not send.

Huh? This is weird... What's up with that? Well, you get backscattered messages because of two problems:

  1. a spammer has forged your email address in the "From:" field of the spam she sent;
  2. some email server has received that spam, and for some reason decided to reply to the forged email address (yours), probably to tell you:
    • it couldn't be delivered because the destination address was not valid, the user's mailbox was full, etc.;
    • the user is on vacation (vacation auto-responder);
    • the message contained a virus and was blocked;
    • the message was detected as spam and blocked.

The last two reasons are particularly incredible. If the mail server is smart enough to determine a message was a virus or spam, then it should know darn well that replying to its "From:" address makes no sense because -- guess what -- spammers/viruses nearly always forge the "From:" address!

The following image shows the anatomy of email backscatter.

[Image: Anatomy of email backscatter]

The bad news is, you won't be able to stop spammers from forging your email address (problem #1 above). But there is some good news -- you may be able to do something about the servers that bounce messages (they create the backscatter messages, problem #2). Did you know that AOL, Hotmail, Yahoo, Gmail, etc. are examples of email services that do NOT create backscatter? This is because they are well administered and their email servers are correctly configured.

Sadly, there are too many email servers on the Internet today that create backscatter. See the links about backscatter on the side menu of this blog for information about the technical details. One of the worst offenders is the Barracuda Spam Firewall. I sometimes get 15 of their bounces per day, telling me the "Message you sent was blocked by our bulk email filter". Their software accuses me of sending spam, because the designer of the software made the mistake of thinking it was a good thing to reply to spam that carries a forged sender address. That is irresponsible, and Barracuda should fix their product.

All ranting aside, if you're willing to work a little, I suspect there is a huge potential to fight spam if one is a victim of backscatter. Here are a couple of thoughts about useful information that could be exploited, provided there were some way to process it:

  • Email bounces arrive practically in "real time" from spam runs. As soon as the spammer starts hitting mail servers with her spam, the bounces of failed messages come in to the victim of the forged "From:" address.
  • Some of the bounces themselves contain full headers of the spam email. Most often, one can trace back the IP address to a spam-sending zombie.
  • A spam run will typically use the same spam subject, or even the same "spamvertised" URL to a web page.
  • (if you have concrete ideas or resources about how to use this information, send me an email or post your ideas here in response)
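One way to start processing that information, as an added example that is not part of the original post: the script below decides whether a bounce is backscatter (the enclosed original never passed through the relays our own mail leaves through) and pulls the sending zombie's IP out of the Received headers that some bounces carry. The relay hostname, the sample DSN and the IP addresses are all constructed for the example, and the "our relays" test is a heuristic, not a standard.

```python
import email, re
from email import policy

# Assumption: hostnames of the relays our own mail really leaves through (constructed).
OUR_RELAYS = {"smtp.alias.example.net"}
BOUNCE_SENDER = re.compile(r"mailer-daemon|postmaster|mail delivery", re.I)
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Constructed DSN: the receiving MX echoes the forged spam's headers back to the "From:" victim.
SAMPLE_BOUNCE = b"""From: Mail Delivery Subsystem <mailer-daemon@mx.example.org>
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/rfc822-headers

Received: from mx.example.org (localhost) by mx.example.org
Received: from zombie-pc.example (unknown [203.0.113.45]) by mx.example.org
From: victim@alias.example.net
--b1--
"""
# Same DSN, but the original really left through our relay: a legitimate bounce, not backscatter.
LEGIT_BOUNCE = SAMPLE_BOUNCE.replace(b"zombie-pc.example (unknown [203.0.113.45])", b"smtp.alias.example.net ([203.0.113.9])")

def is_bounce(msg):
    return bool(BOUNCE_SENDER.search(msg.get("From", ""))) or msg.get_content_type() == "multipart/report"

def original_message(bounce):
    """The DSN encloses the original as a full copy or as headers only; parse either form."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
        if part.get_content_type() == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def origin_ip(orig):
    """Received headers are prepended, so the last one is the earliest hop: the sending machine."""
    for received in reversed(orig.get_all("Received", [])):
        hit = BRACKET_IP.search(received)
        if hit:
            return hit.group(1)
    return None

def classify(raw):
    """Backscatter: a bounce whose enclosed message never passed through OUR_RELAYS."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    bounce = is_bounce(msg)
    orig = original_message(msg) if bounce else None
    ours = any(r in hop for hop in (orig.get_all("Received", []) if orig else []) for r in OUR_RELAYS)
    return {"bounce": bounce, "backscatter": orig is not None and not ours, "origin_ip": origin_ip(orig) if orig else None}
```

Bounces that omit the original's headers classify as a bounce but not as backscatter, since there is nothing to check; those are exactly the ones worth reporting by hand.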

There is a block-list for backscattering hosts at www.backscatterer.org. I have already contacted them, but they are only interested in my backscatter if I host an MX on UCEProtect.net's system. Apparently their backscatter reporting is tied to that system. Sadly, I would lose the backscatter if I were to move my email there, as it's coming into an email alias, which forwards to my Gmail account. By the way, Gmail does a great job of classifying spam, including backscattered messages.

You can report backscatter to Spamcop.net, and, in principle, the administrators of offending sites will get a SpamCop report. However, the link that SpamCop sends to them does a poor job of explaining the problem and the solution, and I don't think it has much effect. Sadly, a backscattering host will only get put on the SpamCop block-list if enough different people report it. So, if you're a victim of backscatter, you can make a difference by reporting it to SpamCop!

I report all backscatter (and other spam) to SpamCop fairly easily using a combination of Gmail, FreePOPs, Thunderbird and SpamCop's quick-report feature (which is free). See how to set up FreePOPs to download spam from your Gmail spam folder. In the interest of getting more people to report their backscatter, I would be happy to help you set up your system to do it easily. Please post your requests here, but don't reveal your email addresses on this blog. If you want me to know specific info, you can email me at my Gmail address instead.