Backscatter (email)

Last updated September 27, 2023

Backscatter (also known as outscatter, misdirected bounces, blowback or collateral spam) is incorrectly automated bounce messages sent by mail servers, typically as a side effect of incoming spam.

Recipients of such messages see them as a form of unsolicited bulk email or spam, because they were not solicited by the recipients. They are substantially similar to each other, and are delivered in bulk quantities. Systems that generate email backscatter may be listed on various email blacklists and may be in violation of internet service providers' Terms of Service.

Backscatter occurs because worms and spam messages often forge their sender addresses.^[1] Instead of simply rejecting a spam message, a misconfigured mail server sends a bounce message to such a forged address. This normally happens when a mail server is configured to relay a message to an after-queue processing step, for example, an antivirus scan or spam check, which then fails, and at the time the antivirus scan or spam check is done, the client already has disconnected. In those cases, it is normally not possible to reject the SMTP transaction, since a client would time out while waiting for the antivirus scan or spam check to finish. The best thing to do in this case, is to silently drop the message, rather than risk creating backscatter.

Measures to reduce the problem include avoiding the need for a bounce message by doing most rejections at the initial SMTP connection stage; and for other cases, sending bounce messages only to addresses which can be reliably judged not to have been forged, and in those cases the sender cannot be verified, thus ignoring the message (i.e., dropping it).

Cause

Authors of spam and viruses wish to make their messages appear to originate from a legitimate source to fool recipients into opening the message, so they often use web-crawling software to scan usenet postings, message boards, and web pages for legitimate email addresses.

Due to the design of SMTP mail, recipient mail servers receiving these forged messages have no simple or standard way to determine the authenticity of the sender. If they accept the email during the connection phases and then, after further checking, refuse it (e.g., software determines the message is likely spam), they will use the (potentially forged) sender's address to attempt a good-faith effort to report the problem to the apparent sender.

Mail servers can handle undeliverable messages in four fundamentally different ways:

Reject. A receiving server can reject the incoming email during the connection stage while the sending server is still connected. If a message is rejected at connect time with a 5xx error code, then the sending server can report the problem to the real sender cleanly.
Drop. A receiving server can initially accept the full message, but then determine that it is spam or virus, and then delete it automatically, sometimes by rewriting the final recipient to "/dev/null" or similar. This behavior can be used when the "spam score" of an email is seriously high or the mail contains a virus. RFC 5321 says: "silent dropping of messages should be considered only in those cases where there is very high confidence that the messages are seriously fraudulent or otherwise inappropriate."
Quarantine. A receiving server can initially accept the full message, but then determine that it is spam, and quarantine it - delivering to "Junk" or "Spam" folders from where it will eventually be deleted automatically. This is common behavior.
Bounce. A receiving server can initially accept the full message, but then determine that it is spam or to a non-existent recipient, and generate a bounce message back to the supposed sender indicating that message delivery failed.

Backscatter occurs when the "bounce" method is used, and the sender information on the incoming email was that of an unrelated third party.

Reducing the problem

Every step to control worms and spam messages helps reduce backscatter, but other common approaches, such as those in this section, also reduce the same problem.

Connection-stage rejection

During the initial SMTP connection, mailservers can do a range of checks, and often reject email with a 5xx error code while the sending server is still connected. Rejecting a message at the connection-stage in this way will usually cause the sending MTA to generate a local bounce message or Non-Delivery Notification (NDN) to a local, authenticated user.^[2]

Reasons for rejection include:

Failed recipient validation^[3]^[4]^[5]
Failed anti-forgery checks such as SPF, DKIM or Sender ID
Servers that do not have a forward-confirmed reverse DNS entry
Senders on block lists ^[6]
Temporary rejection via greylisting methods

Mail transfer agents (MTAs) which forward mail can avoid generating backscatter by using a transparent SMTP proxy.

Checking bounce recipients

Mail servers sending email bounce messages can use a range of measures to judge whether a return address has been forged.

Filtering backscatter

While preventing backscatter is desirable, it is also possible to reduce its impact by filtering for it, and many spam filtering systems now include the option to attempt to detect and reject^[7] backscatter email as spam.

In addition, systems using schemes such as Bounce Address Tag Validation "tag" their outgoing email in a way that allows them to reliably detect incoming bogus bounce messages.

Related Research Articles

The Simple Mail Transfer Protocol (SMTP) is an Internet standard communication protocol for electronic mail transmission. Mail servers and other message transfer agents use SMTP to send and receive mail messages. User-level email clients typically use SMTP only for sending messages to a mail server for relaying, and typically submit outgoing email to the mail server on port 587 or 465 per RFC 8314. For retrieving messages, IMAP is standard, but proprietary servers also often implement proprietary protocols, e.g., Exchange ActiveSync.

A tarpit is a service on a computer system that purposely delays incoming connections. The technique was developed as a defense against a computer worm, and the idea is that network abuses such as spamming or broad scanning are less effective, and therefore less attractive, if they take too long. The concept is analogous with a tar pit, in which animals can get bogged down and slowly sink under the surface, like in a swamp.

Various anti-spam techniques are used to prevent email spam.

<span class="mw-page-title-main">Email spam</span> Unsolicited electronic advertising by e-mail

Email spam, also referred to as junk email, spam mail, or simply spam, is unsolicited messages sent in bulk by email (spamming). The name comes from a Monty Python sketch in which the name of the canned pork product Spam is ubiquitous, unavoidable, and repetitive. Email spam has steadily grown since the early 1990s, and by 2014 was estimated to account for around 90% of total email traffic.

Sender Policy Framework (SPF) is an email authentication method which ensures the sending mail server is authorized to originate mail from the email sender's domain. This authentication only applies to the email sender listed in the "envelope from" field during the initial SMTP connection. If the email is bounced, a message is sent to this address, and for downstream transmission it typically appears in the "Return-Path" header. To authenticate the email address which is actually visible to recipients on the "From:" line, other technologies such as DMARC must be used. Forgery of this address is known as email spoofing, and is often used in phishing and email spam.

A Joe job is a spamming technique that sends out unsolicited e-mails using spoofed sender data. Early Joe jobs aimed at tarnishing the reputation of the apparent sender or inducing the recipients to take action against them, but they are now typically used by commercial spammers to conceal the true origin of their messages and to trick recipients into opening emails apparently coming from a trusted source.

Greylisting is a method of defending e-mail users against spam. A mail transfer agent (MTA) using greylisting will "temporarily reject" any email from a sender it does not recognize. If the mail is legitimate, the originating server will try again after a delay, and if sufficient time has elapsed, the email will be accepted.

A bounce message or just "bounce" is an automated message from an email system, informing the sender of a previous message that the message has not been delivered. The original message is said to have "bounced".

Email filtering is the processing of email to organize it according to specified criteria. The term can apply to the intervention of human intelligence, but most often refers to the automatic processing of messages at an SMTP server, possibly applying anti-spam techniques. Filtering can be applied to incoming emails as well as to outgoing ones.

Email authentication, or validation, is a collection of techniques aimed at providing verifiable information about the origin of email messages by validating the domain ownership of any message transfer agents (MTA) who participated in transferring and possibly modifying a message.

<span class="mw-page-title-main">Message submission agent</span>

A message submission agent (MSA), or mail submission agent, is a computer program or software agent that receives electronic mail messages from a mail user agent (MUA) and cooperates with a mail transfer agent (MTA) for delivery of the mail. It uses ESMTP, a variant of the Simple Mail Transfer Protocol (SMTP), as specified in RFC 6409.

The Sender Rewriting Scheme (SRS) is a scheme for bypassing the Sender Policy Framework's (SPF) methods of preventing forged sender addresses. Forging a sender address is also known as email spoofing.

<span class="mw-page-title-main">Email spoofing</span> Creating email spam or phishing messages with a forged sender identity or address

Email spoofing is the creation of email messages with a forged sender address. The term applies to email purporting to be from an address which is not actually the sender's; mail sent in reply to that address may bounce or be delivered to an unrelated party whose identity has been faked. Disposable email address or "masked" email is a different topic, providing a masked email address that is not the user's normal address, which is not disclosed, but forwards mail sent to it to the user's real address.

In computing, Bounce Address Tag Validation (BATV) is a method, defined in an Internet Draft, for determining whether the bounce address specified in an E-mail message is valid. It is designed to reject backscatter, that is, bounce messages to forged return addresses.

A challenge–response system is a type of spam filter that automatically sends a reply with a challenge to the (alleged) sender of an incoming e-mail. It was originally designed in 1997 by Stan Weatherby, and was called Email Verification. In this reply, the purported sender is asked to perform some action to assure delivery of the original message, which would otherwise not be delivered. The action to perform typically takes relatively little effort to do once, but great effort to perform in large numbers. This effectively filters out spammers. Challenge–response systems only need to send challenges to unknown senders. Senders that have previously performed the challenging action, or who have previously been sent e-mail(s) to, would be automatically whitelisted.

<span class="mw-page-title-main">Callback verification</span> Technique used with SMTP to validate e-mail addresses

Callback verification, also known as callout verification or Sender Address Verification, is a technique used by SMTP software in order to validate e-mail addresses. The most common target of verification is the sender address from the message envelope. It is mostly used as an anti-spam measure.

SMTP proxies are specialized mail transfer agents (MTAs) that, similar to other types of proxy servers, pass SMTP sessions through to other MTAs without using the store-and-forward approach of a typical MTA. When an SMTP proxy receives a connection, it initiates another SMTP session to a destination MTA. Any errors or status information from the destination MTA will be passed back to the sending MTA through the proxy.

A bounce address is an email address to which bounce messages are delivered. There are many variants of the name, none of them used universally, including return path, reverse path, envelope from, envelope sender, MAIL FROM, 5321-FROM, return address, From_, Errors-to, etc. It is not uncommon for a single document to use several of these names.

People tend to be much less bothered by spam slipping through filters into their mail box, than having desired e-mail ("ham") blocked. Trying to balance false negatives vs false positives is critical for a successful anti-spam system. As servers are not able to block all spam there are some tools for individual users to help control over this balance.

Amavis is an open-source content filter for electronic mail, implementing mail message transfer, decoding, some processing and checking, and interfacing with external content filters to provide protection against spam and viruses and other malware. It can be considered an interface between a mailer and one or more content filters.

References

↑ "Proceedings of the third international conference on security and privacy in communication networks". 2007 Third International Conference on Security and Privacy in Communications Networks and the Workshops - SecureComm 2007. IEEE. 2007. pp. i. doi:10.1109/seccom.2007.4550292. ISBN 978-1-4244-0974-7.
↑ Alternatively, if the MTA is relaying the message, it should only send such an NDN to a plausible originatorKlensin, J (April 2001), Simple Mail Transfer Protocol, IETF, p. 25, doi: 10.17487/RFC2821 , RFC 2821, as indicated in the reverse-path e.g. where an SPF check has passed.
↑ The Hidden Power of Sender and Recipient Filtering, MS Exchange.org.
↑ "Configuring Recipient Filtering", Technet, Microsoft
↑ "Recipient address verification", Address verification readme, Postfix.org.
↑ Marsono, MN (2007), "Rejecting Spam during SMTP Sessions", Proc. Communications, Computers and Signal Processing, Pacific Rim: IEEE, pp. 236–39.
↑ "The "Virus Bounce Ruleset" is a SpamAssassin ruleset to catch backscatter"

External links

Mail DDoS Attacks through Non Delivery Messages (PDF), Techzoom, 2004, archived from the original (paper) on 2013-01-16, retrieved 2008-04-11.
"Backscatter", Postfix (readme).
"Backscatter", SpamLinks, archived from the original on 2008-04-05.
RFC 3834: Recommendations for Automatic Responses to Electronic Mail.
"Moronic Mail Autoresponders", A FAQ From Hell, FI: Iki.
"Why are auto responders bad?", FAQ, SpamCop .
Don't bounce spam : why you shouldn't bounce spam.
100 E-mail Bouncebacks? You've Been Backscattered, PC World.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Proceedings of the third international conference on security and privacy in communication networks". 2007 Third International Conference on Security and Privacy in Communications Networks and the Workshops - SecureComm 2007. IEEE. 2007. pp. i. doi:10.1109/seccom.2007.4550292. ISBN 978-1-4244-0974-7.

[2] Alternatively, if the MTA is relaying the message, it should only send such an NDN to a plausible originatorKlensin, J (April 2001), Simple Mail Transfer Protocol, IETF, p. 25, doi: 10.17487/RFC2821 , RFC 2821, as indicated in the reverse-path e.g. where an SPF check has passed.

[3] The Hidden Power of Sender and Recipient Filtering, MS Exchange.org.

[4] "Configuring Recipient Filtering", Technet, Microsoft

[5] "Recipient address verification", Address verification readme, Postfix.org.

[6] Marsono, MN (2007), "Rejecting Spam during SMTP Sessions", Proc. Communications, Computers and Signal Processing, Pacific Rim: IEEE, pp. 236–39.

[7] "The "Virus Bounce Ruleset" is a SpamAssassin ruleset to catch backscatter"

[1]

[2]

[3]

[4]

[5]

[6]

[7]