100 Email Bouncebacks - Welcome to Backscattering

distefano links to a story on Computerworld, excerpting: "E-mail users are receiving an increasing number of bounceback spam, known as backscatter, and security experts say this kind of spam is growing. The bounceback e-mail messages come in at a trickle, maybe one or two every hour. The subject lines are disquieting: 'Cyails, Vygara nad Levytar,' 'UNSOLICITED BULK EMAIL, apparently from you.' You eye your computer screen; you're nervous. What's going on? Have you been hacked? Are you some kind of zombie botnet spammer? Nope, you're just getting a little backscatter — bounceback messages from legitimate e-mail servers that have been fooled by the spammers."


  1. A trickle?! by Zombie · · Score: 3, Insightful

    A few every hour? This weekend marks the second weekend in which I got several hundred bounces in a single night!

    1. Re:A trickle?! by Anonymous Coward · · Score: 3, Interesting

      I've had a GMail account since a month after launch, which I use for both automated signups and personal correspondence.

      I use Sneakemail free forwarding to sign up for automated things, so that I can revoke them if the spam gets too obnoxious. I have approximately 250 different Sneakemail addresses out there.

      I have never had a spam problem with my Gmail account. When I do get spam, I know where it's coming from - and I deactivate that address and vow never to use that service again. I see Sneakemail as using a condom for sites you'll probably only stick around for a single night - why worry? Bugzilla & SocialTextOpen are the only two spam-vulnerable legit sites I've encountered in the last year or two.

      If I ever need to put my personal address out there subject to crawlers, things will be a bit different.

    2. Re:A trickle?! by CastrTroy · · Score: 3, Informative

      I remember this being the reason I disabled my catch-all address for my domain, a couple of years ago. I was not only getting tons of bounce-backs from things that looked like they were being sent from my domain, I was also getting a lot of spam mail sent to random-non-existent-but-caught-by-the-catch-all addresses.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    3. Re:A trickle?! by Jurily · · Score: 4, Insightful

      I've been using an "unprotected" gmail account for 2 years now. Currently I have 196 spam, all conveniently labeled as such.

      During that time I only got one false positive, but that was a really poorly formatted message, and they weren't even replying from the same address I specifically asked the reply from.

      However, I got no false negatives in English, and it took about a week of "Report Spam" to get them up to speed on some new Hungarian torrent tracker spam. Now they're marked spam too.

      All in all, Google's spam filter rocks.

    4. Re:A trickle?! by MBGMorden · · Score: 5, Insightful

      Supposedly there's a mail configuration option you can set to make it possible for servers to verify mail from your domain (must originate from this ip range) but the domain hosting company I'm with doesn't expose that particular feature. It's called SPF which is Sender Policy Framework. Problem is, it's not used often enough at current time, so very few mail servers will actually reject a message that fails an SPF check.

      The best thing honestly would be for these servers to just clean their act up and handle things properly. Mail rejects should be done before the connection between the two servers closes. It should always be up to the SENDING mail server to generate a bounce rather than the receiving.

      The odds of that happening are pretty slim though. There is a "bounce killer" feature in the new version of amavisd-new that I'm looking at that might work well. Apparently (I haven't installed the new version yet) it will store the message ID's of your outgoing messages and if a bounce comes back with an invalid message ID it deletes it.

      --
      "People who think they know everything are very annoying to those of us who do."-Mark Twain
    5. Re:A trickle?! by rolfc · · Score: 3, Insightful

      Moderators,
      This guy knows what he is talking about.

      If everyone was publishing SPF-records and enforcing them, the problem would go away. The real problem is that most mail administrators don't have a clue.
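      Added example, not from any poster in this thread: a small SPF evaluator showing what MBGMorden's "must originate from this IP range" record looks like and what a receiving server does with it. DNS is replaced by a constructed in-memory TXT table (the domains in it are hypothetical), so it runs offline; only the ip4, ip6, include, all and redirect= terms are handled, and anything else yields permerror rather than silently passing.

```python
"""Minimal SPF (RFC 7208 subset) evaluator with a constructed DNS table."""
import ipaddress

# Constructed stand-in for DNS TXT lookups. Hypothetical domains and ranges.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "legacy.example": "v=spf1 redirect=example.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, txt=FAKE_TXT, _depth=0):
    """Evaluate the SPF record of `domain` for the connecting `client_ip`.

    Returns pass / fail / softfail / neutral / none / permerror for the terms
    handled here: ip4, ip6, include, all and the redirect= modifier.
    """
    if _depth > 10:                      # RFC 7208 limit on DNS-bearing terms
        return "permerror"
    record = txt.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    redirect = None
    for term in terms[1:]:
        if "=" in term:                  # modifier (redirect=, exp=, ...)
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue                     # unknown modifiers are ignored
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"       # malformed network in the record
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            sub = check_spf(client_ip, arg, txt, _depth + 1)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"       # include of a missing record is an error
        else:
            return "permerror"           # a, mx, ptr, exists: not handled here
    if redirect is not None:
        return check_spf(client_ip, redirect, txt, _depth + 1)
    return "neutral"                     # no term matched and no "all"


def smtp_verdict(client_ip, mail_from_domain, txt=FAKE_TXT):
    """The answer the receiving MTA gives *during* the SMTP session.

    A hard SPF fail is rejected with a 5xx while the sender is still
    connected, so no bounce is ever generated towards the forged address.
    """
    result = check_spf(client_ip, mail_from_domain, txt)
    if result == "fail":
        return ("550", f"5.7.1 SPF check failed for {mail_from_domain}")
    return ("250", f"2.0.0 accepted (spf={result})")


if __name__ == "__main__":
    for ip in ("192.0.2.55", "198.51.100.10", "2001:db8::1", "203.0.113.7"):
        print(ip, check_spf(ip, "example.com"), smtp_verdict(ip, "example.com"))
```

      The point of smtp_verdict is the one MBGMorden makes: a forged sender is refused while the connection is open, which is what stops the backscatter; an SPF record nobody evaluates changes nothing.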

    6. Re:A trickle?! by Intron · · Score: 3, Interesting

      Barracuda knows about the problem and gives out instructions on how to turn it off. They deliberately set the default to bounce spam to innocent victims because it is free advertising.

      --
      Intron: the portion of DNA which expresses nothing useful.
  2. same wine, old bottle by MollyB · · Score: 5, Informative

    This story was preceded less than a month ago:
    https://tech.slashdot.org/article.pl?sid=08/04/08/2258246

    I had a bunch of these back then, now they are happening again. Here is some information about the subject.
    http://spamlinks.net/prevent-secure-backscatter.htm

    You should only get NDRs from your own ISP, as I understand it. The other mail admins are being fooled by your spoofed return address, and should know better.

    1. Re:same wine, old bottle by KinkyClown · · Score: 5, Funny

      This story was preceded less than a month ago: https://tech.slashdot.org/article.pl?sid=08/04/08/2258246 No this message is a backscatter automated post so technically it's not a dupe.
  3. Where's the news? by dotancohen · · Score: 4, Informative

    Where's the news here? I've been getting these for years. It's so bad that I filter bounce messages to a separate account on the server to download and review at the end of the week. I get almost as much backscatter as spam, both over 1000 messages a week.

    --
    It is dangerous to be right when the government is wrong.
  4. Re:De-standardize, and make it worthwhile. by erikina · · Score: 5, Interesting

    Ugh, care to elaborate? Anyway, I think the solution is simple. Just publish a giant list of all mail servers not configured properly. It wouldn't be hard to write a script, to verify if a domain is configured or not. It would function as a name and shame list. But more than that, all spammers would harvest from it, and absolutely smash the listed servers until they were forced to configure them properly.

  5. Please Try Again Spammer Dickwads by pandrijeczko · · Score: 4, Interesting

    Nope, you're just getting a little backscatter

    Nope, I'm not getting anything - procmail on my honeytrap spam email account sees it and stops it with a few simple filters

    So please try harder, spammers, or go and get extensions to your obviously minuscule penises so you no longer need to take your inadequacies out on the rest of the world.

    --
    Gentoo Linux - another day, another USE flag.
    1. Re:Please Try Again Spammer Dickwads by T-Bone-T · · Score: 3, Insightful

      You say you don't get any but then explain that it gets filtered, meaning you DO get some but you don't see it. Those are mutually exclusive. You can't not get it and filter it, otherwise there wouldn't be anything to filter.

  6. Easy filtering solution by Richard+W.M.+Jones · · Score: 5, Interesting

    There's an easy way to filter out backscatter while preserving bounce messages that you care about (ie. ones about email that you actually sent):

    1. Add your own custom header to all your outgoing emails. Doesn't matter what it is, but it should be unique, eg. 'X-Really-From-Richard-Jones: xsomesecretx'

    2. MTAs include the original headers in bounce messages, so discard bounce messages which don't contain your custom header.

    You can even be smart and sign the header based on the content of the email using a private key, which would make it unforgeable, but at the moment you don't need to do that.

    Rich.
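    Added example, not Rich's code nor anything from the thread: the two-step filter above, with the optional signed header he mentions, plus the stored-Message-ID check that MBGMorden describes for amavisd-new's "bounce killer". The header name, secret, domain and sample messages are all constructed for this example.

```python
"""Tag outgoing mail with an unforgeable header; drop bounces that lack it."""
import hashlib
import hmac
import re
from email.message import EmailMessage
from email.utils import make_msgid

TOKEN_HEADER = "X-Bounce-Token"              # constructed header name
SECRET = b"constructed-secret-change-me"      # constructed; known only to the sending host
SENT_MESSAGE_IDS = set()                      # what a "bounce killer" would persist to disk


def make_token(message_id, secret=SECRET):
    """HMAC-SHA256 over the Message-ID, truncated to 128 bits of hex.

    Keyed with a secret, so seeing one tagged message does not let anyone
    mint a valid tag for a forged one (Rich's 'sign it' variant).
    """
    return hmac.new(secret, message_id.encode(), hashlib.sha256).hexdigest()[:32]


def tag_outgoing(msg, secret=SECRET, sent_ids=SENT_MESSAGE_IDS):
    """Step 1: add the custom header to a message about to be sent."""
    if "Message-ID" not in msg:
        msg["Message-ID"] = make_msgid(domain="example.com")   # hypothetical domain
    mid = str(msg["Message-ID"])
    msg[TOKEN_HEADER] = make_token(mid, secret)
    sent_ids.add(mid)                         # amavisd-style record of what we sent
    return msg


# Step 2: bounces quote the original headers, verbatim or '>'-prefixed, so scan
# the raw bounce text instead of trusting any particular MIME layout.
_MID_RE = re.compile(r"^[> ]*Message-ID:\s*(<[^>]+>)", re.I | re.M)
_TOKEN_RE = re.compile(r"^[> ]*" + re.escape(TOKEN_HEADER) + r":\s*([0-9a-f]{32})", re.I | re.M)


def is_genuine_bounce(raw_bounce, secret=SECRET, sent_ids=SENT_MESSAGE_IDS):
    """True only if the bounce quotes a header we really emitted."""
    mids = set(_MID_RE.findall(raw_bounce))
    tokens = {t.lower() for t in _TOKEN_RE.findall(raw_bounce)}
    for mid in mids:
        expected = make_token(mid, secret)
        if any(hmac.compare_digest(expected, t) for t in tokens):
            return True                       # valid signed header for this Message-ID
        if mid in sent_ids:
            return True                       # Message-ID we recorded at send time
    return False


def classify(raw_bounce, **kw):
    return "keep" if is_genuine_bounce(raw_bounce, **kw) else "backscatter"


def build_samples():
    """Constructed data: a message we sent, a real bounce of it, and backscatter."""
    original = EmailMessage()
    original["From"] = "rich@example.com"
    original["To"] = "friend@example.net"
    original["Subject"] = "Meeting notes"
    original.set_content("See attached notes.")
    tag_outgoing(original)
    quoted_headers = original.as_string().split("\n\n", 1)[0]
    genuine = (
        "From: MAILER-DAEMON@example.net\n"
        "Subject: Undelivered Mail Returned to Sender\n\n"
        "The mail system could not deliver your message.\n\n"
        "--- Original message headers follow ---\n" + quoted_headers + "\n"
    )
    forged = (
        "From: MAILER-DAEMON@bouncing-host.example\n"
        "Subject: UNSOLICITED BULK EMAIL, apparently from you\n\n"
        "> From: rich@example.com\n"
        "> Message-ID: <not-ours-0001@example.com>\n"
        "> X-Bounce-Token: 00000000000000000000000000000000\n"
        "> Subject: Cyails, Vygara nad Levytar\n"
    )
    return original, genuine, forged


if __name__ == "__main__":
    _, genuine, forged = build_samples()
    print("genuine bounce ->", classify(genuine))
    print("forged bounce  ->", classify(forged))
```

    The plain header Rich describes is the unsigned version of this: drop the HMAC and compare the header value to a fixed string. Signing only buys something once spammers start copying your header into their forgeries, which is exactly the case he says you don't need to handle yet.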

    1. Re:Easy filtering solution by djmurdoch · · Score: 5, Informative

      how do I do that in Thunderbird? Set the custom headers preference.
    2. Re:Easy filtering solution by rjames13 · · Score: 5, Informative

      Go into Preferences->Advanced Tab and click Config Editor Button.

      Alter the setting
      mail.identity.default.headers
      to include the string header1
      note header1 is just a label
      then add a new string called
      mail.identity.id1.header.header1
      Set the value of that to your X-line

      From now on all mail sent from Identity 1 will have that header on it.

      To create a filter based on that. Obtain an email with that header. Find a clickable link in the header and right click and select create filter from message.

      At first from the drop down box you can't select that X-line so you need to go to the bottom and click customise. You can put that header in there. Now you can create a filter from it.

    3. Re:Easy filtering solution by guruevi · · Score: 4, Informative

      You know, I have a digital certificate that does that for me. It automatically signs my e-mail and 'smart' filters and e-mail clients know that non-signed e-mail from me is not to be trusted as much.

      Get your free personal certificate and if 2 people have certificates, e-mail gets encrypted between you! There are a number of providers that give them.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  7. Why is this only getting noticed now? by gsslay · · Score: 5, Informative

    I must have read at least 3 news stories about backscatter in the last week. Why is this only getting attention now when it's been a problem for years? Is it just because someone has coined a word for it?

    I can remember years back when some spammer decided to use my domain name in their spam run. Hundreds of bounced emails every day and I cursed every one of the dumb mail servers that mailed them; complete with original html email, images and any other crappy attachment. ("Hundreds" may be small potatoes these days, but they were a big deal at the time.) Just the very idea that spammers would supply a genuine reply address seemed so incredibly stupid, yet there they were; dozens of carefully worded variants of the same "naughty spammer, don't email me" reply. I could just see some smug sysadmin configuring their system with this badly thought-out garbage, thinking "ha! that'll show them!"

    None of my mail servers since then have ever bounced spam or mis-addressed emails.

  8. "legitimate?" by Michael+Hunt · · Score: 4, Informative

    As a 9-year veteran of the anti-spam industry (with experience within the regulator, although I've left that behind me now and work in telecoms,) it's a REAL stretch for anybody inside the IT industry to take these kinds of comments seriously.

    Anybody who says that 'legitimate' mailservers are sending backscatter instead of 5xx-ing the message in transit is wrong. Mailservers which send backscatter are NOT legitimate, EOL.

    - A pissed off mail admin.

    1. Re:"legitimate?" by Michael+Hunt · · Score: 3, Informative

      If Aunt Tillie sends me a message (forwarded from Betty, her next door neighbour, which was in turn forwarded from her nephew Boris, who goes to school in another city) which just happens to look like spam (who knows, maybe Boris is telling an amusing anecdote about how one of his friends stumbled across some h3rb4|_ v!agr4 or something,) I'm going to look like a fair dick if the message gets dropped on the floor and Aunt Tillie doesn't at least get notified that the message got eaten.

      The 5xx range of status codes exists for this (and other) reasons, there's no reason NOT to use them (by performing content verification inline and either 2xx-ing or 5xx-ing the message between "." and "QUIT".)

  9. SPF + !SRS! by spottedkangaroo · · Score: 3, Interesting

    It seems like the solution to "backscatter" has been around for quite a few years (SRS). I'm surprised how few of the commercially available anti-spam solutions use or interpret it.

    At my company, we just looked at Barracuda (PoS), Pineapp, St. Bernards ePrism, MX Force, Postini, and some other things. None of them understand SRS and only a few of the tech contacts had even heard of it. Sad Sad. But they all seem to have hand-rolled "backscatter" protection that partially works.

    It seems like everyone has an SPF record these days. But it feels like relatively few actually check them and almost nobody goes the full distance and uses SRS.

    --
    Imagine if you weren't allowed to use roads because a bus company complained about your driving 3 times. --skunkpussy
    1. Re:SPF + !SRS! by spydir31 · · Score: 3, Insightful

      Here's the solution to backscatter:

      1. only relay authorized messages
      2. reject as soon as possible. no bounces.
      3. do not send out virus warnings, spam warnings, challenge-response requests
  10. Re:De-standardize, and make it worthwhile. by Badanov · · Score: 5, Insightful

    My guess is you either don't write spam header filters, or you hate it so much you're trying to find an easier solution.

    Helluva lot of mail servers out there not configured "properly." I can't block some mail even from "legitimate" mail servers because they are not configured well enough that some of my spam rules don't pick them up, so how would a "list" fix that?

    As it is, the lists from the anti spam houses work very little. There are so many zombie mail servers out there, I guess, no one can really effectively police these things except through spam filters. And Google are the only folks who can afford a full time staff writing spam filter rules.

    Any more properly used to mean not an open relay; now it can mean not in the same network segment that does have spamming email servers. Lists just add to the insanity and often punish legitimate mail servers.

    --
    Dawn of the Dead
  11. Extension? by dreamchaser · · Score: 4, Funny

    "go and get extensions to your obviously minuscule penises "

    I think one of their products can help them with that.

  12. Postfix has a solution to this by AftanGustur · · Score: 3, Informative

    See here http://www.postfix.org/BACKSCATTER_README.html

    The trick is to use the "header_checks" and "body_checks" to look for signs of the email having been sent out from your email server in the first place.

    --
    echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
  13. Re:De-standardize, and make it worthwhile. by smittyoneeach · · Score: 3, Funny

    Just publish a giant list of all mail servers not configured properly.
    And then I manipulate this list to effect a soft kill on my competitor. If Acme Widgets has an apparently bad email server, who will do business with them?
    Think Machiavelli.
    --
    Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  14. I've been getting "backscatter" for years... by Panaqqa · · Score: 3, Insightful

    It used to really bug me, that someone was sending out spam and using my legitimate email address in the From, Return-path and Envelope-from headers. I began filtering out the "Spam received from YOU" type headers years ago. But what still bugs me about this is those people who set their systems up to add me to some domain based rather than IP address based block list based on these faked headers. For more than a year I have been unable to successfully send email to my insurance company due directly to this issue.

    Then again, I have never regarded email as a reliable method of communication. Everything truly important goes with a read receipt request and if I don't receive one then I phone or send snail mail. I continue to be amazed by the number of screwups I continue to hear about where someone says "I never got [such and such] email."

    1. Re:I've been getting "backscatter" for years... by Panaqqa · · Score: 3, Insightful

      I did not mean to suggest that a competent admin would ever lose legitimate email. The problem comes in many forms, but the biggest culprit is anti-spam filters. These days it seems that everybody and their cousin wants to spam filter your email. ISPs arbitrarily apply such filters to their users accounts, often without any notification. Hosting providers and domain registrars often do the same. System admins, under pressure from management, put in place imperfect solutions and compound the issue by misconfiguration. I employ some network admins myself to help clients with server problems. The number of times I have seen a program such as "Spam Assassin" set to an incredibly aggressive setting AND to delete flagged mail without it ever hitting an inbox is surprising. I have one client right now that has not been able to email their parent company for over 6 weeks. Their messages blackhole. And it is not as if the parent is unsophisticated: they are in the financial sector and employ 17,000 people. And of course nobody in their IT department will admit that any email is being blackholed.

      I personally am one of those who would like to see a new email protocol built from scratch with the spam problem as foremost consideration in the design process. I have a dislike for anything in IT that only "works most of the time", and that's where email has been for quite a while now.

      My 2 cents. Another 2 cents that is.

    2. Re:I've been getting "backscatter" for years... by mr100percent · · Score: 3, Interesting

      I wonder if you can sue them for infringing on your copywritten email address...

  15. Re:De-standardize, and make it worthwhile. by KillerBob · · Score: 4, Interesting

    You're talking about CAPTCHA.... most CAPTCHA algorithms have been compromised. Also, most forums that actually use it have a working e-mail address listed on the CAPTCHA page, asking people to e-mail the admins if they have problems with it. I've created accounts manually on the forums I administer, for people who have problems with CAPTCHA.

    One of the main reasons forums don't get hit by spammers is because the admin staff knows what they're doing. They lock down threads, respond quickly, and keep the software up to date. Temporary bans, and permanent bans... You also need a working e-mail address in order to register, which blocks an awful lot of spam. Finally, there's over 150 domains on the banlist for my forums... some of the most popularly used (by spammers) freebie e-mail accounts, like mail.ru.

    Oh... and it helps to have a robots.txt file. Mine looks like this:

    User-agent: *
    Disallow: /


    The forums are served up from a subdomain... the actual site shows up in search engines, but having the separate domain with robots.txt helps keep the forums off the search engines. If they don't know you're there, then they can't spam you. :)
    --
    If you believe everything you read, you'd better not read. - Japanese proverb
  16. Re:De-standardize, and make it worthwhile. by FatdogHaiku · · Score: 5, Interesting

    How about we change the delivery method. Instead of an email being sent to me and sitting on my server or service waiting for me to sort it, you send me the headers for the sender, subject, size, date, and attachment status while the message and attachments sit on YOUR server until I choose to pick it up or it expires. The reduction in bandwidth should pay for the increase in storage, and the spammers would have to leave their message sitting on a machine somewhere waiting for me to pick it up (hint, not gonna happen).
    1. No servers flooding the net with messages.
    2. Easily identifiable spam sources, making bot-nets less useful.
    3. Reduced bandwidth as the system replaces the old one.
    4. Allow email clients and webmail services to be configured to retrieve every message for the few numb nuts that don't/won't get it.
    5. Profit (via reduced long term cost).
    Just spitballing...

    --
    You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
  17. Re:De-standardize, and make it worthwhile. by PRC+Banker · · Score: 3, Interesting

    A nice trick is to put a no-follow link in robots.txt and have a well linked but no-follow (and to humans, obscured) page that when accessed denies that IP from getting anything from the site for a certain amount of time.

    --
    Oh.
  18. Re:Why do people send spam to me? (seriously) by WGR · · Score: 3, Informative

    Now I'm going to pretend I'm a spammer. I want lots of money. What benefit is there to me to send a single address more than say... 5 messages? (not per month. EVER) If it didn't make it through the filters the first time, it won't the 800th time, and the more messages I send, the more likely my recipients will learn to evade them. More importantly, a jaded audience won't be receptive to buy. Because spammers get paid by number of messages sent, not return on messages.
  19. Re:De-standardize, and make it worthwhile. by FatdogHaiku · · Score: 4, Interesting

    Problems:

    1. Only works for obvious spam. For non-obvious spam it means the user has to download it - which notifies the spammer of a known-good address. That means more spam. (Right now images do this, but images can be disabled while preserving the text.)

    2. They'll just advertise in the subject line. Perhaps easier to filter, but seems like a losing battle to me.

    3. How do you authenticate?

    4. Allows people to associate an email address with an IP even if that IP/address never sends them email.

    5. Completely fails to account for offline/IMAP use.

    Some of this can be mitigated by having the receiving server fetch the mail when the client requests it, but that adds more problems.

    1. I'm pretty much whitelisting by hand now, If I don't know you, I don't care what you put in the subject line, your stuff is gone.

    2. Set a size limit on all the headers, no hex or encoding, plain text and straight IP addresses for the server holding the mail.

    3. Their server sends me a key to pick up the message (a header I forgot), if a server sees the same key a thousand times in a minute or two... hmmmm...

    4. Works both ways: Gmail Warning, The message you are about to retrieve is located on a server KNOWN to send spam... Continue?

    5. If you're offline you are pretty much working with the mail you already downloaded, right?

    I'm not saying I have a perfect answer, but there are plenty of people that can figure it out, just like other ideas have been brought to fruition on the web, by cooperation of parties that have a mutual interest... and on this topic, it's a BIG group and they have the brain power and bucks to make it work without rattling too many cages.

    The point is to reverse it so that the abusers are left holding the bag, botted machines are quickly identified (and hopefully cleaned), and the free ride stops with the death of standard SMTP servers.

    All I can offer is my idea of a starting point...

    --
    You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
  20. well if you're feeling like having fun.. by tempest69 · · Score: 3, Interesting

    The return mail for spammers is an auto-reply. So feed it another spammer's return mail..

    wait for infinite loop to finish..

    repeat as needed.

    Storm