
100 Email Bouncebacks - Welcome to Backscattering

distefano links to a story on Computerworld, excerpting: "E-mail users are receiving an increasing number of bounceback spam, known as backscatter, and security experts say this kind of spam is growing. The bounceback e-mail messages come in at a trickle, maybe one or two every hour. The subject lines are disquieting: 'Cyails, Vygara nad Levytar,' 'UNSOLICITED BULK EMAIL, apparently from you.' You eye your computer screen; you're nervous. What's going on? Have you been hacked? Are you some kind of zombie botnet spammer? Nope, you're just getting a little backscatter — bounceback messages from legitimate e-mail servers that have been fooled by the spammers."

16 of 316 comments

  1. A trickle?! by Zombie · Score: 3, Insightful

    A few every hour? This weekend marks the second weekend in which I got several hundred bounces in a single night!

    1. Re:A trickle?! by Jurily · Score: 4, Insightful

      I've been using an "unprotected" gmail account for 2 years now. Currently I have 196 spam, all conveniently labeled as such.

      During that time I only got one false positive, but that was a really poorly formatted message, and they weren't even replying from the same address I specifically asked the reply from.

      However, I got no false negatives in English, and it took about a week of "Report Spam" to get them up to speed on some new Hungarian torrent tracker spam. Now they're marked spam too.

      All in all, Google's spam filter rocks.

    2. Re:A trickle?! by MBGMorden · Score: 5, Insightful

      Supposedly there's a mail configuration option you can set to make it possible for servers to verify mail from your domain (must originate from this ip range) but the domain hosting company I'm with doesn't expose that particular feature. It's called SPF which is Sender Policy Framework. Problem is, it's not used often enough at current time, so very few mail servers will actually reject a message that fails an SPF check.

      The best thing honestly would be for these servers to just clean their act up and handle things properly. Mail rejects should be done before the connection between the two servers closes. It should always be up to the SENDING mail server to generate a bounce rather than the receiving.

      The odds of that happening are pretty slim though. There is a "bounce killer" feature in the new version of amavisd-new that I'm looking at that might work well. Apparently (I haven't installed the new version yet) it will store the message IDs of your outgoing messages and if a bounce comes back with an invalid message ID it deletes it.
      --
      "People who think they know everything are very annoying to those of us who do."-Mark Twain
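
The Message-ID approach described in the comment above, as an added Python sketch (not amavisd-new's code and not from the thread): outbound Message-IDs are recorded as mail leaves, and a null-envelope-sender bounce is kept only if the copy it returns cites one of them. The sample messages, domains and Message-IDs are constructed.

```python
import re
from email import message_from_string

HEADER_ID_RE = re.compile(r"^Message-ID:\s*(<[^>]+>)", re.MULTILINE | re.IGNORECASE)

def record_outbound(sent_ids, raw):
    """Remember the Message-ID of a message our own server is sending out."""
    mid = message_from_string(raw)["Message-ID"].strip()
    sent_ids.add(mid)
    return mid

def returned_ids(bounce):
    """Message-IDs a bounce cites: from an attached original (message/rfc822) or quoted headers."""
    ids = set()
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            ids.update(o["Message-ID"].strip() for o in part.get_payload() if o["Message-ID"])
        elif ctype in ("text/plain", "text/rfc822-headers"):
            text = (part.get_payload(decode=True) or b"").decode(errors="replace")
            ids.update(HEADER_ID_RE.findall(text))
    return ids

def is_backscatter(sent_ids, raw, envelope_sender):
    """A null-sender bounce citing no Message-ID of ours was provoked by a forged From: drop it."""
    if envelope_sender != "":
        return False  # has a return path, so it is not a bounce; normal spam rules apply
    return not (returned_ids(message_from_string(raw)) & sent_ids)

# Constructed samples: our outbound mail, a genuine DSN returning it, and a spam
# warning (backscatter) quoting a Message-ID we never issued.
SENT = "From: alice@example.com\nTo: bob@example.net\nMessage-ID: <real-1@example.com>\n\nhi\n"
LEGIT_BOUNCE = (
    "From: MAILER-DAEMON@mx.example.net\nTo: alice@example.com\n"
    'Content-Type: multipart/report; report-type=delivery-status; boundary="B"\n\n'
    "--B\nContent-Type: text/plain\n\nDelivery to bob@example.net failed.\n"
    "--B\nContent-Type: message/rfc822\n\n" + SENT + "--B--\n")
BACKSCATTER = (
    "From: MAILER-DAEMON@careless.example.org\nTo: alice@example.com\n"
    "Subject: UNSOLICITED BULK EMAIL, apparently from you\nContent-Type: text/plain\n\n"
    "Rejected as spam. Original headers:\nMessage-ID: <zombie-99@botnet.invalid>\nFrom: alice@example.com\n")

def demo():
    sent = set()
    record_outbound(sent, SENT)
    return {"legit": is_backscatter(sent, LEGIT_BOUNCE, ""),
            "backscatter": is_backscatter(sent, BACKSCATTER, ""),
            "not_a_bounce": is_backscatter(sent, BACKSCATTER, "someone@example.org")}
```

A bounce that cites no Message-ID at all is dropped too, which is what the comment describes; in production the recorded IDs would need an expiry matching the longest plausible delivery delay.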

    3. Re:A trickle?! by rolfc · Score: 3, Insightful

      Moderators,
      This guy knows what he is talking about.

      If everyone was publishing SPF-records and enforcing them, the problem would go away. The real problem is that most mail administrators don't have a clue.
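
An added example (not from the thread) of the publish-and-enforce loop the two comments above describe: a simplified SPF evaluator for the ip4, ip6 and all mechanisms (include, a, mx and exists need DNS lookups and are not resolved here), plus a MAIL FROM decision that refuses a forged sender in-session, so no bounce is ever generated. The records, domains and addresses are constructed.

```python
import ipaddress

# Constructed published records: example.com allows two source ranges and says
# "fail" for everything else (-all); soft.example only softfails; example.org has none.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "soft.example": "v=spf1 ip4:203.0.113.5 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, client_ip):
    """Return the SPF result for client_ip against a record.
    Simplified: only ip4/ip6/all are evaluated; DNS-based mechanisms give permerror.
    """
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qual, mech = ("+", term) if term[0] not in QUALIFIERS else (term[0], term[1:])
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name not in ("ip4", "ip6"):
            return "permerror"
        try:
            net = ipaddress.ip_network(arg, strict=False)  # bare address means /32 or /128
        except ValueError:
            return "permerror"
        if ip in net:  # False, not an error, when the address families differ
            return QUALIFIERS[qual]
    return "neutral"  # ran off the end of the record with no match and no 'all'

def smtp_decision(mail_from, client_ip, records=SPF_RECORDS):
    """Decide at MAIL FROM time so a forgery is refused in-session rather than bounced later."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    result = evaluate_spf(records.get(domain), client_ip)
    if result == "fail":
        return result, "550 5.7.1 SPF check failed: %s does not send mail from %s" % (domain, client_ip)
    return result, "250 2.1.0 Ok"  # pass/softfail/neutral/none: accept and let content filters judge
```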

    4. Re:A trickle?! by raddan · Score: 2, Insightful

      Thing is-- in order to solve these problems with SMTP, we simply need to break backward compatibility. It's the fact that SMTP continues to allow a lowest-common-denominator kind of communication that enables people to abuse email. The next standard should use mutual authentication to prevent spoofing (maybe à la MIT's PGP key repository), encryption to prevent hijacking (and eavesdropping), and all of the other tricks employed by modern network protocols to keep them working properly. I don't think incremental improvements to SMTP will ever solve SMTP's shortcomings, as long as people need to be able to receive email from any old non-compliant sender.

    5. Re:A trickle?! by MBGMorden · Score: 2, Insightful

      Eh, not so, unfortunately.

      Sendmail has a drop-dead simple way of setting up "slave" mail servers in case the primary is down, an option that's commonly used for backup mail relaying. It's part of the official Sendmail documentation and so is very unlikely to "go away". And, when this is enabled, there is no address verification "before the connection between the two servers close[s]."

      So, good luck with enforcing your ideas on how the world should work! I'll not pretend to know how sendmail works as I admin a Postfix system, but why wouldn't any and all backup servers do address verification? For my systems they all update their list of valid addresses against an LDAP server as a cron job. Doesn't matter which server takes a message in - address verification works on all of them.

      It's just plain stupid for the receiving server to generate a bounce. EVER. Once that connection is closed all you have to go by to generate a bounce is who the message said it's from. That can't be trusted, and if you bounce to it you're contributing to the backscatter problem and your mail server/domain will quite likely end up on a blacklist. If you're going to configure your mail system such that it accepts a message with no recipient verification (and I refuse to believe sendmail can't be configured to do this properly), then you shouldn't bother bouncing at all.
      --
      "People who think they know everything are very annoying to those of us who do."-Mark Twain

    6. Re:A trickle?! by Jurily · Score: 1, Insightful

      Seriously, what are you mods smoking? That was merely Informative at best... How exactly is detailing my own experiences Insightful?

      Yes, I am complaining because I got modded up. Not because of the modding, but because of the wrong reasons for it.

  2. Re:For fsck's sake by Mattsson · Score: 2, Insightful

    Start spreading the word:
    "Anyone who sends spam is a terrorist!"
    Add random bogus reason, like "spam finances terrorism" and tag a "think of the children" on at the end.

    Sooner or later, someone in power is bound to fall for it.

    --
    /.Mattsson - My native language is not English, so please don't whine over linguistic errors. (That's lame anyway...)

  3. Re:SPF + !SRS! by spydir31 · Score: 3, Insightful

    Here's the solution to backscatter:

    1. only relay authorized messages
    2. reject as soon as possible. no bounces.
    3. do not send out virus warnings, spam warnings, challenge-response requests

  4. Re:De-standardize, and make it worthwhile. by Badanov · Score: 5, Insightful

    My guess is you either don't write spam header filters, or you hate it so much you're trying to find an easier solution.

    Helluva lot of mail servers out there not configured "properly." I can't block some mail even from "legitimate" mail servers because they are not configured well enough; some of my spam rules don't pick them up, so how would a "list" fix that?

    As it is, the lists from the anti-spam houses work very little. There are so many zombie mail servers out there, I guess, no one can really effectively police these things except through spam filters. And Google are the only folks who can afford a full time staff writing spam filter rules.

    Any more properly used to mean not an open relay; now it can mean not in the same network segment that does have spamming email servers. Lists just add to the insanity and often punish legitimate mail servers.

    --
    Dawn of the Dead

  5. Re:Please Try Again Spammer Dickwads by T-Bone-T · Score: 3, Insightful

    You say you don't get any but then explain that it gets filtered, meaning you DO get some but you don't see it. Those are mutually exclusive. You can't not get it and filter it, otherwise there wouldn't be anything to filter.

  6. I've been getting "backscatter" for years... by Panaqqa · Score: 3, Insightful

    It used to really bug me, that someone was sending out spam and using my legitimate email address in the From, Return-path and Envelope-from headers. I began filtering out the "Spam received from YOU" type headers years ago. But what still bugs me about this is those people who set their systems up to add me to some domain based rather than IP address based block list based on these faked headers. For more than a year I have been unable to successfully send email to my insurance company due directly to this issue.

    Then again, I have never regarded email as a reliable method of communication. Everything truly important goes with a read receipt request and if I don't receive one then I phone or send snail mail. I continue to be amazed by the number of screwups I continue to hear about where someone says "I never got [such and such] email."

    1. Re:I've been getting "backscatter" for years... by Panaqqa · Score: 3, Insightful

      I did not mean to suggest that a competent admin would ever lose legitimate email. The problem comes in many forms, but the biggest culprit is anti-spam filters. These days it seems that everybody and their cousin wants to spam filter your email. ISPs arbitrarily apply such filters to their users' accounts, often without any notification. Hosting providers and domain registrars often do the same. System admins, under pressure from management, put in place imperfect solutions and compound the issue by misconfiguration. I employ some network admins myself to help clients with server problems. The number of times I have seen a program such as "Spam Assassin" set to an incredibly aggressive setting AND to delete flagged mail without it ever hitting an inbox is surprising. I have one client right now that has not been able to email their parent company for over 6 weeks. Their messages blackhole. And it is not as if the parent is unsophisticated: they are in the financial sector and employ 17,000 people. And of course nobody in their IT department will admit that any email is being blackholed.

      I personally am one of those who would like to see a new email protocol built from scratch with the spam problem as foremost consideration in the design process. I have a dislike for anything in IT that only "works most of the time", and that's where email has been for quite a while now.

      My 2 cents. Another 2 cents that is.

  7. Not "legitimate" mailservers by geminidomino · Score: 2, Insightful

    If an MTA is sending backscatter, it is not legitimate, it is broken. The MTA should NOT be looking at the FROM header to determine where the error goes. Report 5xx during the transaction, sending MTA is responsible for routing it to the associated address.

    Any MTA I get backscatter from goes right into my local incompetent.dnsbl zone.

  8. Why do people send spam to me? (seriously) by Cedric Tsui · Score: 2, Insightful

    I've asked this question in Slashdot before, but I've never gotten a satisfactory answer.

    There are 7633 messages in my gmail spam folder. Now let's suppose I'm new to the internet, and I read spam message #1. Do I want Viagra? No thanks. Message #2, still don't want Viagra. #3 no thanks, I'm fine.

    Well, I didn't buy that stuff the first 7633 times you asked me THIS MONTH, but maybe if you ask me REALLY nicely with a few misspellings just once more, then I'll cave into my male inadequacies and buy prescription medicine from a sketchy online source.

    Now I'm going to pretend I'm a spammer. I want lots of money. What benefit is there to me to send a single address more than say... 5 messages? (not per month. EVER) If it didn't make it through the filters the first time, it won't the 800th time, and the more messages I send, the more likely my recipients will learn to evade them. More importantly, a jaded audience won't be receptive to buy.

    I can imagine that the newer scams could be useful. Like the ones pretending to be your bank. I've only received a few of those, and it took some thinking to realize that the facts didn't add up. But the normal viagra spam should only be useful in the very limited cases where a brand new user (8 years old?) who hasn't been exposed to it ever before reads one of the first messages and decides that it's a worthwhile endeavour.

    My hypotheses are:
    1) Spam is not used in the effort of making money, but as a way of crippling the internet for sport.
    OR
    2) The majority of spam is sent by poor, hungry and stupid script kiddies who are as of now still poor, hungry and stupid.

    1. Re:Why do people send spam to me? (seriously) by chromatic · Score: 2, Insightful

      Someone has to be paying them and getting a return.

      Someone has to be paying them anticipating getting a return.