Slashdot Mirror


100 Email Bouncebacks - Welcome to Backscattering

distefano links to a story on Computerworld, excerpting: "E-mail users are receiving an increasing number of bounceback spam, known as backscatter, and security experts say this kind of spam is growing. The bounceback e-mail messages come in at a trickle, maybe one or two every hour. The subject lines are disquieting: 'Cyails, Vygara nad Levytar,' 'UNSOLICITED BULK EMAIL, apparently from you.' You eye your computer screen; you're nervous. What's going on? Have you been hacked? Are you some kind of zombie botnet spammer? Nope, you're just getting a little backscatter — bounceback messages from legitimate e-mail servers that have been fooled by the spammers."

11 of 316 comments

  1. same wine, old bottle by MollyB · · Score: 5, Informative

    This story was preceded less than a month ago:
    https://tech.slashdot.org/article.pl?sid=08/04/08/2258246

    I had a bunch of these back then, now they are happening again. Here is some information about the subject.
    http://spamlinks.net/prevent-secure-backscatter.htm

    You should only get NDRs from your own ISP, as I understand it. The other mail admins are being fooled by your spoofed return address, and should know better.

  2. Where's the news? by dotancohen · · Score: 4, Informative

    Where's the news here? I've been getting these for years. It's so bad that I filter bounce messages to a separate account on the server to download and review at the end of the week. I get almost as much backscatter as spam, both over 1000 messages a week.

    --
    It is dangerous to be right when the government is wrong.
  3. Why is this only getting noticed now? by gsslay · · Score: 5, Informative

    I must have read at least 3 news stories about backscatter in the last week. Why is this only getting attention now when it's been a problem for years? Is it just because someone has coined a word for it?

    I can remember years back when some spammer decided to use my domain name in their spam run. Hundreds of bounced emails every day and I cursed every one of the dumb mail servers that mailed them; complete with original html email, images and any other crappy attachment. ("Hundreds" may be small potatoes these days, but they were a big deal at the time.) Just the very idea that spammers would supply a genuine reply address seemed so incredibly stupid, yet there they were; dozens of carefully worded variants of the same "naughty spammer, don't email me" reply. I could just see some smug sysadmin configuring their system with this badly thought-out garbage, thinking "ha! that'll show them!"

    None of my mail servers since then have ever bounced spam or mis-addressed emails.

  4. "legitimate?" by Michael+Hunt · · Score: 4, Informative

    As a 9-year veteran of the anti-spam industry (with experience within the regulator, although I've left that behind me now and work in telecoms,) it's a REAL stretch for anybody inside the IT industry to take these kinds of comments seriously.

    Anybody who says that 'legitimate' mailservers are sending backscatter instead of 5xx-ing the message in transit is wrong. Mailservers which send backscatter are NOT legitimate, EOL.

    - A pissed off mail admin.

    1. Re:"legitimate?" by Michael+Hunt · · Score: 3, Informative

      If Aunt Tillie sends me a message (forwarded from Betty, her next door neighbour, which was in turn forwarded from her nephew Boris, who goes to school in another city) which just happens to look like spam (who knows, maybe Boris is telling an amusing anecdote about how one of his friends stumbled across some h3rb4|_ v!agr4 or something,) I'm going to look like a fair dick if the message gets dropped on the floor and Aunt Tillie doesn't at least get notified that the message got eaten.

      The 5xx range of status codes exists for this (and other) reasons, there's no reason NOT to use them (by performing content verification inline and either 2xx-ing or 5xx-ing the message between "." and "QUIT".)

  5. Re:Easy filtering solution by djmurdoch · · Score: 5, Informative

    how do I do that in Thunderbird? Set the custom headers preference.
  6. Re:Easy filtering solution by rjames13 · · Score: 5, Informative

    Go into Preferences->Advanced Tab and click Config Editor Button.

    Alter the setting
    mail.identity.default.headers
    to include the string header1
    note header1 is just a label
    then add a new string called
    mail.identity.id1.header.header1
    Set the value of that to your X-line

    From now on all mail sent from Identity 1 will have that header on it.

    To create a filter based on that, obtain an email with that header. Find a clickable link in the header and right click and select create filter from message.

    At first from the drop down box you can't select that X-line so you need to go to the bottom and click customise. You can put that header in there. Now you can create a filter from it.

  7. Postfix has a solution to this by AftanGustur · · Score: 3, Informative
    See here http://www.postfix.org/BACKSCATTER_README.html

    The trick is to use the "header_checks" and "body_checks" to look for signs of the email having been sent out from your email server in the first place.

    --
    echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
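
The check described in the two comments above (rjames13's private header on outgoing mail, and AftanGustur's "signs of the email having been sent out from your email server"), sketched in Python as an added example that is not from the thread and is not Postfix configuration. The header name, token, Message-ID domain and sample bounces are assumed, constructed values.

```python
import email
from email.policy import default

# Assumed values, not from the thread: header name, token and Message-ID domain.
ORIGIN_HEADER = "X-Example-Origin"
ORIGIN_TOKEN = "constructed-token-7f3a"
MSGID_DOMAIN = "mail.example.org"

def returned_original(bounce):
    """Headers of the message the bounce claims we sent, or None if absent."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":        # full original attached
            return part.get_content()
        if ctype == "text/rfc822-headers":   # headers-only copy
            return email.message_from_string(part.get_content(), policy=default)
    return None

def classify_bounce(raw):
    """Return 'genuine', 'backscatter' or 'unverifiable' for one raw bounce."""
    orig = returned_original(email.message_from_string(raw, policy=default))
    if orig is None:
        return "unverifiable"                # no returned copy: review by hand
    has_token = str(orig.get(ORIGIN_HEADER, "")).strip() == ORIGIN_TOKEN
    msgid = str(orig.get("Message-ID", "")).strip().rstrip(">")
    ours = has_token and msgid.endswith("@" + MSGID_DOMAIN)
    return "genuine" if ours else "backscatter"

def make_dsn(original, ctype="text/rfc822-headers"):
    """Constructed sample bounce (multipart/report) wrapping `original` headers."""
    return (
        "From: MAILER-DAEMON@mx.example.net\nTo: me@example.org\n"
        "Subject: Undelivered Mail Returned to Sender\nMIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\nUser unknown.\n"
        "--b1\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; mx.example.net\n\n"
        "Final-Recipient: rfc822; x@example.net\nAction: failed\nStatus: 5.1.1\n"
        "\n--b1\nContent-Type: " + ctype + "\n\n" + original + "\n--b1--\n"
    )

# Constructed originals: one we really sent, one a spammer forged in our name.
SENT_BY_US = ("From: me@example.org\nMessage-ID: <1@mail.example.org>\n"
              f"{ORIGIN_HEADER}: {ORIGIN_TOKEN}\nSubject: lunch\n")
FORGED = "From: me@example.org\nMessage-ID: <9@bot.invalid>\nSubject: pills\n"

if __name__ == "__main__":
    for name, raw in [("ours", make_dsn(SENT_BY_US)), ("forged", make_dsn(FORGED))]:
        print(name, "->", classify_bounce(raw))
```

A static token can be copied by anyone who has received one of your messages, so treat the verdict as a filtering heuristic rather than proof of origin.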
  8. Re:A trickle?! by CastrTroy · · Score: 3, Informative

    I remember this being the reason I disabled my catch-all address for my domain, a couple of years ago. I was not only getting tons of bounce-backs from things that looked like they were being sent from my domain, I was also getting a lot of spam mail sent to random-non-existent-but-caught-by-the-catch-all addresses.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  9. Re:Easy filtering solution by guruevi · · Score: 4, Informative

    You know, I have a digital certificate that does that for me. It automatically signs my e-mail and 'smart' filters and e-mail clients know that non-signed e-mail from me is not to be trusted as much.

    Get your free personal certificate and if 2 people have certificates, e-mail gets encrypted between you! There are a number of providers that give them.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  10. Re:Why do people send spam to me? (seriously) by WGR · · Score: 3, Informative

    Now I'm going to pretend I'm a spammer. I want lots of money. What benefit is there to me to send a single address more than say... 5 messages? (not per month. EVER) If it didn't make it through the filters the first time, it won't the 800th time, and the more messages I send, the more likely my recipients will learn to evade them. More importantly, a jaded audience won't be receptive to buy. Because spammers get paid by number of messages sent, not return on messages.