100 Email Bouncebacks - Welcome to Backscattering
distefano links to a story on Computerworld, excerpting: "E-mail users are receiving an increasing number of bounceback spam, known as backscatter, and security experts say this kind of spam is growing. The bounceback e-mail messages come in at a trickle, maybe one or two every hour. The subject lines are disquieting: 'Cyails, Vygara nad Levytar,' 'UNSOLICITED BULK EMAIL, apparently from you.' You eye your computer screen; you're nervous. What's going on? Have you been hacked? Are you some kind of zombie botnet spammer? Nope, you're just getting a little backscatter — bounceback messages from legitimate e-mail servers that have been fooled by the spammers."
The solution is to de-standardize email.
"His name was James Damore."
A few every hour? This weekend marks the second weekend in which I got several hundred bounces in a single night!
This story was preceded less than a month ago:
https://tech.slashdot.org/article.pl?sid=08/04/08/2258246
I had a bunch of these back then, now they are happening again. Here is some information about the subject.
http://spamlinks.net/prevent-secure-backscatter.htm
You should only get NDRs from your own ISP, as I understand it. The other mail admins are being fooled by your spoofed return address, and should know better.
Where's the news here? I've been getting these for years. It's so bad that I filter bounce messages to a separate account on the server to download and review at the end of the week. I get almost as much backscatter as spam, both over 1000 messages a week.
It is dangerous to be right when the government is wrong.
Nope, I'm not getting anything - procmail on my honeytrap spam email account sees it and stops it with a few simple filters
So please try harder, spammers, or go and get extensions to your obviously minuscule penises so you no longer need to take your inadequacies out on the rest of the world.
Gentoo Linux - another day, another USE flag.
There's an easy way to filter out backscatter while preserving bounce messages that you care about (i.e. ones about email that you actually sent):
1. Add your own custom header to all your outgoing emails. Doesn't matter what it is, but it should be unique, e.g. 'X-Really-From-Richard-Jones: xsomesecretx'
2. MTAs include the original headers in bounce messages, so discard bounce messages which don't contain your custom header.
You can even be smart and sign the header based on the content of the email using a private key, which would make it unforgeable, but at the moment you don't need to do that.
Rich.
libguestfs - tools for accessing and modifying virtual machine disk images
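The header-plus-signature idea in the comment above (and the MailScanner "watermarking" feature described further down the thread) in working form, as an added example that is not code from the thread, from MailScanner or from any MTA. The header name, the secret, the addresses, the message IDs and the two sample DSNs are constructed for the demo. The twist over a fixed secret string is that the header carries an HMAC over the Message-ID and a timestamp, so a spammer who has received one of your mails cannot simply copy the header into a forged message and have its bounces pass for more than a week:

```python
"""Keyed watermark header for telling real bounces from backscatter.

Added example (Python), not code from the thread, from MailScanner or from
any MTA. Header name, secret, message IDs, addresses and the sample DSNs are
all assumptions constructed for the demo.
"""
import hashlib
import hmac
import re
from email import message_from_string
from email.message import EmailMessage

HEADER = "X-Outbound-Watermark"     # assumed header name
MAX_AGE = 7 * 24 * 3600             # a bounce for mail older than this is not worth keeping
SECRET = b"replace-with-32-random-bytes-from-os.urandom"   # assumed per-site secret
NOW = 1_700_000_000                 # fixed clock for the demo


def make_watermark(secret: bytes, message_id: str, sent_at: int) -> str:
    """Header value carrying the fields it covers plus an HMAC over them."""
    mac = hmac.new(secret, f"{message_id}|{sent_at}".encode(), hashlib.sha256).hexdigest()[:32]
    return f"id={message_id}; t={sent_at}; mac={mac}"


def stamp_outbound(msg: EmailMessage, secret: bytes, sent_at: int) -> EmailMessage:
    """Done at the MTA, so every outgoing message gets it regardless of the client."""
    msg[HEADER] = make_watermark(secret, msg["Message-ID"], sent_at)
    return msg


_WM = re.compile(
    rf"^{HEADER}:\s*id=(?P<id>[^;]+);\s*t=(?P<t>\d+);\s*mac=(?P<mac>[0-9a-f]{{32}})\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def has_valid_watermark(raw: str, secret: bytes, now: int) -> bool:
    """True if the headers quoted in raw carry a watermark we made and it is still fresh.
    The freshness window limits replay of a header copied from mail we really sent."""
    for m in _WM.finditer(raw):
        expected = hmac.new(secret, f"{m['id']}|{m['t']}".encode(), hashlib.sha256).hexdigest()[:32]
        fresh = 0 <= now - int(m["t"]) <= MAX_AGE
        if fresh and hmac.compare_digest(expected, m["mac"].lower()):
            return True
    return False


def is_bounce(raw: str) -> bool:
    """DSNs come from the null sender; multipart/report and MAILER-DAEMON are the usual tells."""
    msg = message_from_string(raw)
    null_sender = (msg.get("Return-Path") or "").strip() == "<>"
    daemon = "mailer-daemon" in (msg.get("From") or "").lower()
    return null_sender or daemon or msg.get_content_type() == "multipart/report"


def classify(raw: str, secret: bytes = SECRET, now: int = NOW) -> str:
    """not-a-bounce / genuine-bounce / backscatter; the last bucket is safe to discard."""
    if not is_bounce(raw):
        return "not-a-bounce"
    return "genuine-bounce" if has_valid_watermark(raw, secret, now) else "backscatter"


def sample_outbound() -> EmailMessage:
    """Constructed message as our MTA would send it, stamped an hour ago."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.net"
    msg["Message-ID"] = "<20080508.1@example.org>"
    msg.set_content("hello")
    return stamp_outbound(msg, SECRET, NOW - 3600)


def sample_genuine_bounce(msg: EmailMessage) -> str:
    """Constructed DSN from the far end that quotes our original headers."""
    return (
        "Return-Path: <>\n"
        "From: MAILER-DAEMON@example.net\n"
        "To: alice@example.org\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "Content-Type: multipart/report; report-type=delivery-status; boundary=b\n\n"
        "--b\nContent-Type: text/rfc822-headers\n\n"
        f"Message-ID: {msg['Message-ID']}\n{HEADER}: {msg[HEADER]}\n\n--b--\n"
    )


SAMPLE_BACKSCATTER = (   # constructed: a "bounce" for mail we never sent
    "Return-Path: <>\n"
    "From: MAILER-DAEMON@example.com\n"
    "To: alice@example.org\n"
    "Subject: UNSOLICITED BULK EMAIL, apparently from you\n\n"
    "Your message was rejected as spam. (no header of ours is quoted here)\n"
)
```

Run `classify(sample_genuine_bounce(sample_outbound()))` to get `genuine-bounce` and `classify(SAMPLE_BACKSCATTER)` to get `backscatter`; the same genuine bounce evaluated a month later, or against a different secret, drops into `backscatter`. The regex only finds an unfolded header line, so unfold the quoted headers first if your bounce source wraps long lines.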
I must have read at least 3 news stories about backscatter in the last week. Why is this only getting attention now when it's been a problem for years? Is it just because someone has coined a word for it?
I can remember years back when some spammer decided to use my domain name in their spam run. Hundreds of bounced emails every day and I cursed every one of the dumb mail servers that mailed them; complete with original html email, images and any other crappy attachment. ("Hundreds" may be small potatoes these days, but they were a big deal at the time.) Just the very idea that spammers would supply a genuine reply address seemed so incredibly stupid, yet there they were; dozens of carefully worded variants of the same "naughty spammer, don't email me" reply. I could just see some smug sysadmin configuring their system with this badly thought-out garbage, thinking "ha! that'll show them!"
None of my mail servers since then have ever bounced spam or mis-addressed emails.
Hasn't this crap been going on long enough? Aren't people tired of spam - tired, as in totally pissed! I know I am.
Something drastic should be done about it, yesterday. Doesn't matter if it fails at first, I just want to see some political will. As it is, it seems like no one who has the power gives a sh*t.
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
My easy anti spam system would block this. Only works if you have your own domain, though.
:-)!
I have anyemail@mydomain.com forwarded to a gmail account, which then forwards ONLY email with a certain extension (for instance, somesite.spam@mydomain.com) to my private email address. The bonus is, if you use a different email address for each site (for instance, slashdot.spam@mydomain.com), you can nail down the sites that spam like crazy (not that Slashdot would do such things
1280px-wide layout, but the column with the actual content in it is only 200px; the other 1080px are dedicated to adverts and sponsors.
I think that Computerworld site is a classic example of a site that cares nothing for its readers (like spam) and is only a means to an end. When a site has more space dedicated to advertising than content you know you've hit a spam site.
Funny how they are telling us about spam while promoting more adverts on a single page than a spam message has.
I lost my "email for life" account (randeg at alum.rpi.edu) nearly five years ago because of backscatter. I got a lot of it because that address appeared in-the-clear in libpng and zlib documentation. The people at RPI did not understand the backscatter phenomenon, and I assume they are still getting plenty of it.
Can't we just bounce these messages?
As a 9-year veteran of the anti-spam industry (with experience within the regulator, although I've left that behind me now and work in telecoms,) it's a REAL stretch for anybody inside the IT industry to take these kinds of comments seriously.
Anybody who says that 'legitimate' mailservers are sending backscatter instead of 5xx-ing the message in transit is wrong. Mailservers which send backscatter are NOT legitimate, EOL.
- A pissed off mail admin.
You're doing it wrong.
"Fool me once
Shame on you
Fool me twice
Shame on me."
FTFA: While one might say that some servers should die of shame, apparently they truly can.
It seems like the solution to "backscatter" has been around for quite a few years (SRS). I'm surprised how few of the commercially available anti-spam solutions use or interpret it.
At my company, we just looked at Barracuda (PoS), Pineapp, St. Bernards ePrism, MX Force, Postini, and some other things. None of them understand SRS and only a few of the tech contacts had even heard of it. Sad Sad. But they all seem to have hand-rolled "backscatter" protection that partially works.
It seems like everyone has an SPF record these days. But it feels like relatively few actually check them and almost nobody goes the full distance and uses SRS.
Imagine if you weren't allowed to use roads because a bus company complained about your driving 3 times. --skunkpussy
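The SRS rewriting the comment above is talking about, as an added example that is not code from the thread or from any of the products it names. A forwarder that passes mail on unchanged makes the next hop's SPF check fail (the mail now arrives from the forwarder's IP but still claims the original sender's domain), and the next hop's bounces go straight to the original, possibly forged, sender. With SRS0 the forwarder puts itself in the envelope sender, binds the original address to a keyed hash and a timestamp, and on the way back accepts only bounces whose hash verifies and whose timestamp is recent. The secret, domains, addresses and day numbers are assumptions, the hash is lowercased HMAC-SHA1 truncated to four base64 characters in the usual SRS style, and only a single forwarding hop (SRS0, not SRS1) is handled:

```python
"""Sender Rewriting Scheme (SRS0) forward and reverse, as a forwarder would do it.

Added example, not code from the thread or from any product it names.
Secret, domains, addresses and day numbers are assumptions; only the SRS0
form for a single forwarding hop is handled (SRS1 re-forwarding is omitted).
"""
import base64
import hashlib
import hmac
import re

BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
MAX_AGE_DAYS = 21                 # refuse bounces to rewritten addresses older than this
SECRET = b"forwarder-secret-change-me"   # assumed per-forwarder secret


def _timestamp(days: int) -> str:
    """Two base32 characters encoding days-since-epoch mod 1024."""
    n = days % 1024
    return BASE32[n >> 5] + BASE32[n & 31]


def _timestamp_age(ts: str, days: int) -> int:
    """Days elapsed since the timestamp, modulo the 1024-day wrap."""
    n = (BASE32.index(ts[0].upper()) << 5) | BASE32.index(ts[1].upper())
    return (days % 1024 - n) % 1024


def _srs_hash(secret: bytes, ts: str, domain: str, local: str) -> str:
    """HMAC-SHA1 over timestamp+domain+local (case-folded), base64, first 4 chars."""
    data = (ts + domain + local).lower().encode()
    mac = hmac.new(secret, data, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]


def srs_forward(sender: str, forwarder: str, secret: bytes, days: int) -> str:
    """Rewrite the envelope sender so the next hop checks SPF against the forwarder."""
    if sender == "":          # null sender, i.e. this is itself a bounce: never rewrite
        return sender
    local, _, domain = sender.rpartition("@")
    if local.upper().startswith("SRS0="):
        raise ValueError("already rewritten; SRS1 handling not implemented here")
    ts = _timestamp(days)
    return f"SRS0={_srs_hash(secret, ts, domain, local)}={ts}={domain}={local}@{forwarder}"


_SRS0 = re.compile(r"^SRS0=(?P<h>[^=]{4})=(?P<t>[A-Za-z2-7]{2})=(?P<d>[^=]+)=(?P<l>.*)$")


def srs_reverse(address: str, secret: bytes, days: int) -> str:
    """Map a bounce addressed to an SRS0 address back to the original sender,
    refusing anything whose hash is wrong (forged) or whose timestamp is stale."""
    local, _, _forwarder = address.rpartition("@")
    m = _SRS0.match(local)
    if not m:
        raise ValueError("not an SRS0 address")
    expected = _srs_hash(secret, m["t"], m["d"], m["l"])
    if not hmac.compare_digest(expected.lower(), m["h"].lower()):
        raise ValueError("bad hash: not a bounce for mail we forwarded")
    if _timestamp_age(m["t"], days) > MAX_AGE_DAYS:
        raise ValueError("stale timestamp")
    return f"{m['l']}@{m['d']}"


def demo() -> tuple:
    """Constructed round trip: alice@example.org forwarded by lists.example.net on day 19800."""
    rewritten = srs_forward("alice@example.org", "lists.example.net", SECRET, 19800)
    original = srs_reverse(rewritten, SECRET, 19805)   # bounce arrives five days later
    return rewritten, original
```

The rewritten address comes out as `SRS0=<hash>=<ts>=example.org=alice@lists.example.net`; a bounce to it five days later reverses to `alice@example.org`, while the same address with the domain edited fails the hash check and a bounce thirty days later fails the age check. The forwarder's own SPF record now has to cover the hosts that do the rewriting, and a reversed bounce is still only as trustworthy as the far end that produced it.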
Unless you like playing around with your users' machines a lot, you had better implement that at the MTA level and configure your mail server(s) so that they include the header.
Or you could just use SPF, which basically does the same thing, only more elegantly.
Who is General Failure and why is he reading my hard disk?
I have never gotten any "backscatter". At least to my knowledge. Hopefully it stays this way!
If brute force isn't working, you are not using enough.
"go and get extensions to your obviously miniscule penises "
I think one of their products can help them with that.
I don't have any of these "bounce" messages. I don't know if it means I have no nerdy friends, or I have very good rules for dealing with spam.
Take Nobody's Word For It.
Every so often, I'll get backscattered for a few days with the catch-all e-mail account I've setup for my domain. Since I'm lazy, I usually just log-in to my ISP and set up an alias to redirect to another mailbox I have set up for this crap. If it gets any worse, then I'll have to look at a real solution, or even drop my catch-all account, which would be a real pain.
The trick is to use the "header_checks" and "body_checks" to look for signs of the email having been sent out from your email server in the first place.
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
I have hardly received any backscatter on any of my email addresses with Comcast, Yahoo, and my very own personal one. I guess I'm one of the fortunate ones. Could you all post the headers of these so-called messages, so I can be on the lookout for them?
I have been a victim of this sort of spam for several years, and it may happen to anybody who has had an email address for a long time.
A few years ago, AOL always blocked my legitimate emails to AOL users, due to the fact that my email address was blacklisted due to this spam infection.
If you own the domain you can make it more difficult for spammers to spoof your email with an SPF record
http://en.wikipedia.org/wiki/Sender_Policy_Framework
http://www.openspf.org/
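What an SPF record actually buys you, as an added example that is not code from the thread or from openspf.org: a receiving MTA takes the connecting IP and the envelope-sender domain, fetches that domain's `v=spf1` TXT record and walks its mechanisms until one matches. DNS is replaced here by a constructed in-memory table so the block runs offline, and only `ip4`, `ip6`, `include` and `all` are implemented (`a`, `mx`, `ptr`, `exists`, `redirect` and macros are left out). The records, domains and IPs are made up. Two things the thread raises are visible in the result: the record only helps if the receiving side evaluates it, and a parked domain with `+all` "has an SPF record" without constraining anything.

```python
"""Minimal SPF (RFC 7208) evaluator over a constructed record table.

Added example, not code from the thread or from any SPF library. ZONE stands
in for DNS TXT lookups; records, domains and addresses are assumptions.
"""
import ipaddress

ZONE = {   # constructed: domain -> its SPF TXT record
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "parked.example": "v=spf1 +all",
    "noidea.example": "some unrelated TXT record",
}

RESULT_FOR = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip: str, domain: str, zone: dict = ZONE, depth: int = 0) -> str:
    """pass / fail / softfail / neutral / none / permerror for ip sending as domain."""
    if depth > 10:                      # RFC 7208 caps DNS-causing terms; guards include loops
        return "permerror"
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, mech = ("+", term)
        if term[0] in RESULT_FOR:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif name == "include":
            inner = check_spf(ip, arg, zone, depth + 1)
            if inner in ("none", "permerror"):   # include of a missing record is an error
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"                  # mechanism not implemented in this demo
        if matched:
            return RESULT_FOR[qualifier]
    return "neutral"                            # ran off the end with no all mechanism
```

`check_spf("192.0.2.7", "example.org")` and `check_spf("198.51.100.10", "example.org")` both return `pass` (the second through the include); `check_spf("203.0.113.5", "example.org")` returns `fail` because of the trailing `-all`, and any address checked against `parked.example` passes. Note that this evaluates the envelope sender (MAIL FROM), not the From: header the user sees, and that a mail forwarded unchanged by a third party arrives from an IP the record never listed, which is exactly the gap SRS exists to close.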
It used to really bug me, that someone was sending out spam and using my legitimate email address in the From, Return-path and Envelope-from headers. I began filtering out the "Spam received from YOU" type headers years ago. But what still bugs me about this is those people who set their systems up to add me to some domain based rather than IP address based block list based on these faked headers. For more than a year I have been unable to successfully send email to my insurance company due directly to this issue.
Then again, I have never regarded email as a reliable method of communication. Everything truly important goes with a read receipt request and if I don't receive one then I phone or send snail mail. I continue to be amazed by the number of screwups I continue to hear about where someone says "I never got [such and such] email."
Bounce messages should go to the postmaster of the domain that sent the message (the last Received: line before your MTA), rather than the "sender" in the From: header. That way, the actual forwarding server will be notified that it is being used to send spam and should be able to prevent further misuse. That also means the true sender gets the problem, not innocent bystanders.
If an MTA is sending backscatter, it is not legitimate, it is broken. The MTA should NOT be looking at the FROM header to determine where the error goes. Report 5xx during the transaction, sending MTA is responsible for routing it to the associated address.
Any MTA I get backscatter from goes right into my local incompetent.dnsbl zone.
I had originally contemplated that this was the case; however, I figured that due to my self-declared war on spammers, they decided to spoof my email as the send bit. I am 100% sure I have not been hacked or had any system compromised, but it was really a crappy experience nonetheless. http://technoracle.blogspot.com/2008/04/spam-war-deepens-am-i-winning.html
"Question everything, including this!" - http://technoracle.blogspot.com/
I've figured out how to stop all spam, and it's very simple: I block all incoming email.
I know what you're thinking... what about the false positives? Yes, there are some, but here's the great part of the system... the more spam I receive, the lower my false positive rate. I don't need to worry about backscatter, phishing, viruses, or anything, and the CPU usage for this is incredibly minimal.
Last year we had an issue with spammers targeting our postfix server to do this. They would insert an extra Delivered-To line, which postfix would happily bounce back to wherever the spammer wished. I wound up writing a header_check for this. Last I heard there were no plans to change postfix's default behavior.
Computer World trying to get street cred by re-hashing old and moldy.
Nothing new here, move along.
Rick B.
Try my recipe, feedback welcome!
http://www.bueche.ch/wp/2008/05/05/fighting-backscatter-using-procmail/
In the mean time, here's some music...
This is a joke. I am joking. Joke joke joke.
Yeah, the spammers' bots ignore the robots.txt and the indexing control headers. But the spammers don't have near the capacity of Google. It's easier for the spammers to search the forums through google, and more productive of e-mail addresses that can be sold.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
I've gotten apparent backscatter containing malware for more than five years now. Some of those might be actual backscatter from mail servers that bounce full messages+attachments.
But many of those have claimed to come from my provider. I know the peculiarities of my provider's headers. Those are definitely spoofed.
I have been seeing more of these apparent spoofs of backscatters from other ISPs (check them headers!) lately.
Ok, I know some people *have* to, for business reasons and so on.
But for most individual email addresses, you can just give it to your friends. I have not gotten a single spam in probably over 8 years, and I don't run any filters locally, and I have my ISP's filters disabled on my account, so I would know.
There is no need for spam to be much of a problem, if people would just be a little careful. I don't understand why so many people are willing to receive spam. It pissed me off so bad when I started getting them in the 90's that I took steps to make sure I wouldn't get any more (secret email addy, given to friends only, and if I order things online I do so with a temporary drop box that's later deleted), and since then I've been spam free. Really, it isn't that hard (again obviously except for certain kinds of addresses for business reasons that you might have to publish, but most people's addresses aren't like that). There's absolutely no reason for 90% of us to ever get a single spam.
Count me among those who were worried. I have been getting, say about a hundred a week for the last few weeks. At first I thought my mail provider had been hijacked, then I realized that the spammers were just using my return address. It is really, really frustrating. At least now I know that I'm not the only one suffering... small consolation, but perhaps this will mean that some attention gets focused to it and a resolution will be coming.
MailScanner, which ships with Fedora, includes a feature called watermarking. Like those that have already posted, it works by creating a custom header with a secret key that is used to add a quick little seemingly random text and puts it in the header. If mail is coming from a bounceback, MailScanner checks the message for a match on the header. If it doesn't see one, then you can have it act based on that scenario. After turning this on, I get zero bounceback/scatterback emails into my Inbox. A perfectly elegant solution that works well and is easy to implement.
I've used Gmail for years and had maybe 1 spam the whole time, now every few hours I have 2 or 3 in my SPAM folder. Don't like it at all.
I've asked this question in Slashdot before, but I've never gotten a satisfactory answer.
There are 7633 messages in my gmail spam folder. Now let's suppose I'm new to the internet, and I read spam message #1. Do I want Viagra? No thanks. Message #2, still don't want Viagra. #3 no thanks, I'm fine.
Well, I didn't buy that stuff the first 7633 times you asked me THIS MONTH, but maybe if you ask me REALLY nicely with a few misspellings just once more, then I'll cave into my male inadequacies and buy prescription medicine from a sketchy online source.
Now I'm going to pretend I'm a spammer. I want lots of money. What benefit is there to me to send a single address more than say... 5 messages? (not per month. EVER) If it didn't make it through the filters the first time, it won't the 800th time, and the more messages I send, the more likely my recipients will learn to evade them. More importantly, a jaded audience won't be receptive to buy.
I can imagine that the newer scams could be useful. Like the ones pretending to be your bank. I've only received a few of those, and it took some thinking to realize that the facts didn't add up. But the normal viagra spam should only be useful in the very limited cases where a brand new user (8 years old?) who hasn't been exposed to it ever before reads one of the first messages and decided that it's a worthwhile endeavour.
My hypotheses are:
1) Spam is not used in the effort of making money, but as a way of crippling the internet for sport.
OR
2) The majority of spam is sent by poor, hungry and stupid script kiddies who are as of now still poor, hungry and stupid.
OK, so how do I handle these messages?
I am responsible for periodically updating our spam filter (at work) by flagging individual messages as either spam or ham--the usual Bayesian method, I think.
Should I be tagging these backscattered messages as spam, ham, or just leaving them untagged? Ideally I'd like to filter most of them out, but I don't want to start getting false positives on legitimate bouncebacks.
We have noticed a DRAMATIC increase in backscatter over the last month or so. It has forced us to configure our E-mail systems to automatically flag NDRs as SPAM and quarantine them. I can't wait until the next new method of spam shows up.
If their default is to terrorize bounce victims, no sale.
DT
Is this thing on? Hello?
A few weeks ago we were getting 100,000 - 200,000 backscatter emails a day. Someone was using our domain to send massive amounts of spam. Not from our servers, of course, but it didn't matter. I think at its peak we were doing around 60 emails per second. Ended up installing a Barracuda and that was barely able to handle the load. Then mysteriously, after about 3 weeks, it just stopped.
neorush
wait for infinite loop to finish..
repeat as needed.
Storm
SMTP is completely broken. It has no accountability beyond the end of the connection. Hence, I don't see a reason to set up my server to be "RFC-Compliant", but just drop that crap right away. If you want to send me something important, use phone, fax, IM, or carrier pigeon. I'm sure we can find a suitable mode of communication that won't get you re-routed to the deep dark places where the IMAP folders don't reach.
Fight hunger. Filet a politician and send him to a 3rd world country of your choice.
It's been here for years!
Spoofing my peers
and holding admins in fear!
There is but one inexhaustible resource on the planet earth, and that resource is the constant stream of idiots. Let's face it, we're a planet of electric monks!
Not me, I'm averaging about 4000 a day (to my domain).
I'm expecting to get blacklisted any day by idiot sysadmins that don't understand how things work..
---- Booth was a patriot ----
there are probably hundreds of ways to solve spam "if everyone was doing it"
There is just no way a significant enough fraction of the billions of domains, most of them simply registered and parked or forgotten, will publish SPF records
If there was an alternate email system in which each email had a price of US$0.20, it would cost too much to spam out. Internal email would be free, but as soon as it leaves your organisation you would get a bill. Or, just scrap the worldwide email system and build another from the ground up, with billing and some sort of banning / server authentication.
This is exactly why you use spam filters like MIMEDefang (or its commercial big brother CanIt). They actually do all of the spam filtering *during* the actual SMTP dialog. I.e., DSNs are not sent to forged senders. The server sending the spam does not have the opportunity to get rid of its message before the message is identified as spam. RFC 2821 permits the issuing of 4xx or 5xx error codes right up until the final 221 QUIT message. A rejection before the QUIT forces the sending MTA to handle the bounce to the envelope from.
I suppose this qualifies as a mis-directed 5xx rather than backscatter, but... Exactly a year ago, coincidentally, I received "failure delivery" bounces from a Yahoo.com server, for email I never sent, apparently because the actual sender put my corporate email address in the Return-Path! You'd think Yahoo'd know better.
If a spammer claims to be sending SPAM from your domain, that is at the very least slander, and if you have a trade mark, it's trade mark infringement.
The only other case I can think of where an ad email is that illegal is when it's sexual harassment - a sexually suggestive spam sent to a corporate email address.
Andy Out!
Gmail makes it easy to create multiple aliasii (and to send from those aliasii I think).
Append a plus followed by a word, and it resolves to the name before the plus. e.g. happypenguin+amazon@gmail.com goes to happypenguin@gmail.com account. Or use dots in your email address and the gmail address resolves to your account without dots e.g. ha.ppy.pen.guin@gmail.com goes to happypenguin@gmail.com account
You can then easily create a spam filter if an address is snarfed by a spammer.
This article says it better: http://somegirlwitha.com/2008/04/17/the-dot-plus-and-googlemail-gmail-hacks/
Happy moony
There are other situations where SPF does not work which a little bit of googling will reveal.
I think you are misunderstanding the poster. The point is
College-Pages.com - Online Colleges, Degrees, and Programs
I work for a company that owns several dialup ISP's and I hear about this all the time. Our customers believe someone has hijacked their PC or their email account when it is just someone spoofing their address. Usually the only thing to be done about it is a message rule to filter them out, unfortunately.
They generally don't get paid per message sent. They get paid per message REPLIED TO (by acting on the offer).
It's all about odds. It costs you virtually nothing to send an email. Yes, you have to pay for the list of emails you bought, but by using open relays, etc. your cost is minimal.
Assume you make $10 per rube that actually takes your offer.
Assume that your rate of response is 2%.
So for every 100 messages you send, 2 people actually fall for it and give you money.
With that being said, do you want to make $20 (100 emails), or $20,000 (a million emails)? It's all in the amount of email you send.
THAT, my friend, is why you get so much. The more they send, the more $$ they are likely to make. Anytime you can increase your income without increasing expenses it's a good thing and you are going to do it.
So it's not the number of emails, it's the number of customers those messages entice.
I am so clueless that I thought I'd done just what the piece suggested; as grotesque and box-clogging as this is at least it isn't something going to people who know me. Bummer though.