
100 Email Bouncebacks - Welcome to Backscattering

timothy posted more than 6 years ago | from the annoying-as-heck-if-heck-is-like-hell dept.

Spam 316

distefano links to a story on Computerworld, excerpting: "E-mail users are receiving an increasing number of bounceback spam, known as backscatter, and security experts say this kind of spam is growing. The bounceback e-mail messages come in at a trickle, maybe one or two every hour. The subject lines are disquieting: 'Cyails, Vygara nad Levytar,' 'UNSOLICITED BULK EMAIL, apparently from you.' You eye your computer screen; you're nervous. What's going on? Have you been hacked? Are you some kind of zombie botnet spammer? Nope, you're just getting a little backscatter — bounceback messages from legitimate e-mail servers that have been fooled by the spammers."


De-standardize, and make it worthwhile. (0)

Rockoon (1252108) | more than 6 years ago | (#23298486)

The solution is to de-standardize email.

Re:De-standardize, and make it worthwhile. (5, Interesting)

erikina (1112587) | more than 6 years ago | (#23298510)

Ugh, care to elaborate? Anyway, I think the solution is simple. Just publish a giant list of all mail servers not configured properly. It wouldn't be hard to write a script to verify if a domain is configured or not. It would function as a name and shame list. But more than that, all spammers would harvest from it, and absolutely smash the listed servers until they were forced to configure them properly.

Re:De-standardize, and make it worthwhile. (0)

Rockoon (1252108) | more than 6 years ago | (#23298772)

I don't know how much more elaborate it could be stated.. Why are (most) forums spammed less than inboxes?

Re:De-standardize, and make it worthwhile. (1)

Dan541 (1032000) | more than 6 years ago | (#23298834)

Because email is an open medium!

How do you suggest we change it?
Because right now your comment is no more useful than "We should fix it"

Re:De-standardize, and make it worthwhile. (2, Funny)

Anonymous Coward | more than 6 years ago | (#23298852)

MY JEWELER COULD NOT TELL
IT WAS NOT A REAL ROLEX!

More information how to buy an AAA+ quality replica!

Re:De-standardize, and make it worthwhile. (1)

tepples (727027) | more than 6 years ago | (#23299084)

Why are (most) forums spammed less than inboxes?
For one thing, free reg. req. For another thing, a lot of forums block blind people from signing up because there are more spammers that look like blind people than actual blind people.

Re:De-standardize, and make it worthwhile. (5, Insightful)

Badanov (518690) | more than 6 years ago | (#23298870)

My guess is you either don't write spam header filters, or you hate it so much you're trying to find an easier solution.

Helluva lot of mail servers out there not configured "properly." I can't block some mail even from "legitimate" mail servers because they are not configured well enough; some of my spam rules don't pick them up, so how would a "list" fix that?

As it is, the lists from the anti spam houses work very little. There are so many zombie mail servers out there, I guess, no one can really effectively police these things except through spam filters. And Google are the only folks who can afford a full time staff writing spam filter rules.

Any more, "properly" used to mean not an open relay; now it can mean not in the same network segment that does have spamming email servers. Lists just add to the insanity and often punish legitimate mail servers.

Re:De-standardize, and make it worthwhile. (3, Funny)

smitty_one_each (243267) | more than 6 years ago | (#23299094)

Just publish a giant list of all mail servers not configured properly.
And then I manipulate this list to effect a soft kill on my competitor. If Acme Widgets has an apparently bad email server, who will do business with them?
Think Machiavelli.

Re:De-standardize, and make it worthwhile. (1)

morgan_greywolf (835522) | more than 6 years ago | (#23299178)

Uh, hasn't that been tried [wikipedia.org] already?

Re:De-standardize, and make it worthwhile. (1)

lorenzo.boccaccia (1263310) | more than 6 years ago | (#23299274)

I think Google is configured properly, but the registration process is broken so the spammer could use the Google servers. How would a blacklist cure spam, if almost every mail site allows users to register?
Also, closing the open relays could be damaging for network anonymity, with all the deterrent-associated censorship.

A trickle?! (3, Insightful)

Zombie (8332) | more than 6 years ago | (#23298498)

A few every hour? This weekend marks the second weekend in which I got several hundred bounces in a single night!

Re:A trickle?! (1)

tolomea (1026104) | more than 6 years ago | (#23298678)

My record is over 1000 in a single 8 hour crap flood.

Re:A trickle?! (1)

tolomea (1026104) | more than 6 years ago | (#23298684)

On the spam note, Gmail has this feature where it automatically deletes stuff in the spam folder after 30 days. This means the spam folder total is effectively a 1-month rolling average of spam rates; my Gmail spam folder currently has 3000 items in it.

Re:A trickle?! (2, Informative)

Dan541 (1032000) | more than 6 years ago | (#23298840)

Gmail seems to get A LOT more spam than other services.

Re:A trickle?! (3, Interesting)

Anonymous Coward | more than 6 years ago | (#23298898)

I've had a GMail account since a month after launch, which I use for both automated signups and personal correspondence.

I use Sneakemail free forwarding to sign up for automated things, so that I can revoke them if the spam gets too obnoxious. I have approximately 250 different Sneakemail addresses out there.

I have never had a spam problem with my Gmail account. When I do get spam, I know where it's coming from - and I deactivate that address and vow never to use that service again. I see Sneakemail as using a condom for sites you'll probably only stick around for a single night - why worry? Bugzilla & SocialTextOpen are the only two spam-vulnerable legit sites I've encountered in the last year or two.

If I ever need to put my personal address out there subject to crawlers, things will be a bit different.

Re:A trickle?! (4, Insightful)

Jurily (900488) | more than 6 years ago | (#23299530)

I've been using an "unprotected" gmail account for 2 years now. Currently I have 196 spam, all conveniently labeled as such.

During that time I only got one false positive, but that was a really poorly formatted message, and they weren't even replying from the same address I specifically asked the reply from.

However, I got no false negatives in English, and it took about a week of "Report Spam" to get them up to speed on some new Hungarian torrent tracker spam. Now they're marked spam too.

All in all, Google's spam filter rocks.

Re:A trickle?! (1)

dekemoose (699264) | more than 6 years ago | (#23299298)

I have a Gmail and a Yahoo account. I get no spam at my Gmail account, but it is used fairly little. I get lots of Spam at my Yahoo account, but it has been around awhile. Some time ago I signed up for a second Yahoo email address one character different from my original name. Within hours I was getting spam at that account even though I had never used it. I'm not sure what this says, perhaps there are a lot of dictionary type spamming attacks against Yahoo.

Re:A trickle?! (1)

Ctrl-Z (28806) | more than 6 years ago | (#23299378)

In the past six months or so, mine has grown from 3000 to 11000. That means I have had over 11000 items added to my spam box in the past 30 days. It's madness.

Re:A trickle?! (1)

Asztal_ (914605) | more than 6 years ago | (#23298892)

What exactly do they have to gain by sending thousands of messages to one person (and this sounds like it was from one source)? Are they just trying to evade the spam filter, or do they perhaps think that if they just send enough, finally you'll start to believe them?

Spam confuses the wossname out of me.

Re:A trickle?! (2, Informative)

tolomea (1026104) | more than 6 years ago | (#23298944)

It's not targeted at me, it's the spammers using random addresses on my domain as source addresses.

Re:A trickle?! (1)

Asztal_ (914605) | more than 6 years ago | (#23299014)

Ah, I see. Funny, I've never had any of that, even though I have a catch-all set up.

Re:A trickle?! (1)

ozmanjusri (601766) | more than 6 years ago | (#23299260)

Funny, I've never had any of that

It's called a "Joe Job" [techtarget.com]

It's been around almost as long as spam has.

I was fairly active in chasing down a couple of Australian spammers a few years ago, and had to deal with thousands of bounced responses and constant blacklisting as a result.

Re:A trickle?! (1)

LiquidCoooled (634315) | more than 6 years ago | (#23298906)

I got over 12000 one night from a mailing send out to some "Liquid club in Santo Domingo".
They sent out a massive world wide spam inviting people to their club.

It's halfway around the world from me and I got every single bounceback.

They did it again a few days later as well.
Most made it into my Gmail spam folder but hundreds didn't.

Re:A trickle?! (0)

Anonymous Coward | more than 6 years ago | (#23298680)

my top was close to 2000 of those mails in a single night...

I usually get about 50 of these mails per day.

Re:A trickle?! (-1, Offtopic)

penisman2 (1284426) | more than 6 years ago | (#23298826)

Re:A trickle?! (0)

Anonymous Coward | more than 6 years ago | (#23299042)

Parent is NSFW... I don't recommend following.

Re:A trickle?! (0)

Anonymous Coward | more than 6 years ago | (#23298882)

I am seeing a lot more of this junk. Most of it seems to come from clueless admins of the "Barracuda Spam Firewall". Gotta love the inept PHB like mine who keep pushing these canned "appliances" and "solutions".

Re:A trickle?! (2, Informative)

Anonymous Coward | more than 6 years ago | (#23298964)

15,420 since May 1. My hosting company actually asked me to move to google apps because my shared account couldn't handle the loads from these attacks.

Google apps ( http://www.google.com/a/help/intl/en/admins/editions_spe.html ) handles the domain mail for free, without complaint, and only about 3 messages out of the 15,420 made it through the spam filters.

Supposedly there's a mail configuration option you can set to make it possible for servers to verify mail from your domain (must originate from this ip range) but the domain hosting company I'm with doesn't expose that particular feature.

It is a pretty horrible problem. Until I moved to Google and their pretty remarkable spam filters, bounceback really had me at my wits' end, to the point where I actually considered closing my domain to mail.

Re:A trickle?! (3, Informative)

CastrTroy (595695) | more than 6 years ago | (#23299076)

I remember this being the reason I disabled my catch-all address for my domain, a couple of years ago. I was not only getting tons of bounce-backs from things that looked like they were being sent from my domain, I was also getting a lot of spam mail sent to random-non-existent-but-caught-by-the-catch-all addresses.

Re:A trickle?! (1)

Lumpy (12016) | more than 6 years ago | (#23299194)

I find my catchall to be an awesome address. I use it to feed my spam filter. This way I typically never see the spam because the catch-all gets all the first spam.

works great.

Re:A trickle?! (1)

Lunarsight (1053230) | more than 6 years ago | (#23299430)

It's been a problem over the last few months.

I work an IT job, and we get employees bringing this up all the time with us. (I think they fear they've been hacked.)

same wine, old bottle (5, Informative)

MollyB (162595) | more than 6 years ago | (#23298506)

This story was preceded less than a month ago:
https://tech.slashdot.org/article.pl?sid=08/04/08/2258246 [slashdot.org]

I had a bunch of these back then, now they are happening again. Here is some information about the subject.
http://spamlinks.net/prevent-secure-backscatter.htm [spamlinks.net]

You should only get NDRs from your own ISP, as I understand it. The other mail admins are being fooled by your spoofed return address, and should know better.

Re:same wine, old bottle (1)

shitzu (931108) | more than 6 years ago | (#23298560)

You should only get NDRs from your own ISP, as I understand it.
Wrong. The mail message may pass several servers on its way to its destination and you will receive an NDR from the server that cannot deliver to the next hop. It might in most cases be your ISP's, but that doesn't mean it is always the case.

Where's the news? (4, Informative)

dotancohen (1015143) | more than 6 years ago | (#23298508)

Where's the news here? I've been getting these for years. It's so bad that I filter bounce messages to a separate account on the server to download and review at the end of the week. I get almost as much backscatter as spam, both over 1000 messages a week.

Re:Where's the news? (1)

Lalo Martins (2050) | more than 6 years ago | (#23299132)

What the man said. IIRC, I started getting "backscatter" in 1997 or 98.

Re:Where's the news? (0)

Anonymous Coward | more than 6 years ago | (#23299192)

So you filter out the messages, and then spend time going over them weekly with more than 1000 messages to go over. Hmmm. Seems like a massive waste of time. You need some BATV, or someone with a lower pay-grade to go over them.

Re:Where's the news? (1)

Fweeky (41046) | more than 6 years ago | (#23299360)

How much over 1000 a week? I get on the order of 1500 a *day*. Am I really getting ~10x as much spam as you, or do you just filter it more proactively with greylisting and stuff?

This needs to be a poll; quantity of received/filtered spam in an average day :)

Please Try Again Spammer Dickwads (4, Interesting)

pandrijeczko (588093) | more than 6 years ago | (#23298518)

Nope, you're just getting a little backscatter

Nope, I'm not getting anything - procmail [procmail.org] on my honeytrap spam email account sees it and stops it with a few simple filters

So please try harder, spammers, or go and get extensions to your obviously minuscule penises so you no longer need to take your inadequacies out on the rest of the world.

Extension? (4, Funny)

dreamchaser (49529) | more than 6 years ago | (#23298924)

"go and get extensions to your obviously minuscule penises"

I think one of their products can help them with that.

Re:Please Try Again Spammer Dickwads (3, Insightful)

T-Bone-T (1048702) | more than 6 years ago | (#23298976)

You say you don't get any but then explain that it gets filtered, meaning you DO get some but you don't see it. Those are mutually exclusive. You can't not get it and filter it, otherwise there wouldn't be anything to filter.

Re:Please Try Again Spammer Dickwads (1)

pandrijeczko (588093) | more than 6 years ago | (#23299112)

Apologies. It gets filtered.

I keep an email account for honeytrapping that I throw on every web site possible to make sure I get huge amounts of spam on it that I then test my procmail filters on.

Re:Please Try Again Spammer Dickwads (1)

smartfart (215944) | more than 6 years ago | (#23299400)

You wouldn't want to share your filter rules, by any chance? Simply linking to procmail's website isn't exactly helpful.

Thanks.

Don't forget ... (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23298536)

... to pay your $699 licensing fee you cock-smoking tea-baggers [twofo.co.uk] .

Easy filtering solution (5, Interesting)

Richard W.M. Jones (591125) | more than 6 years ago | (#23298538)

There's an easy way to filter out backscatter while preserving bounce messages that you care about (ie. ones about email that you actually sent):

1. Add your own custom header to all your outgoing emails. Doesn't matter what it is, but it should be unique, eg. 'X-Really-From-Richard-Jones: xsomesecretx'

2. MTAs include the original headers in bounce messages, so discard bounce messages which don't contain your custom header.

You can even be smart and sign the header based on the content of the email using a private key, which would make it unforgeable, but at the moment you don't need to do that.

Rich.
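Richard's two-step scheme, including the signed variant he mentions, as an added worked example in Python. This is not code from the thread or from any poster; the header name X-Really-From-Example, the secret, and the sample messages and bounces are all constructed for the demo. The tag is an HMAC over From, To and Message-ID, so a spammer who harvests the header from one of your real messages cannot reuse it on a different one, and the check looks in the three places an MTA may put the original headers: a message/rfc822 attachment, a text/rfc822-headers part, or header lines quoted in the bounce's text body.

```python
import email
import hashlib
import hmac
import re
from email import policy
from email.message import EmailMessage

HEADER = "X-Really-From-Example"               # assumed header name (not from the thread)
SECRET = b"constructed-demo-secret-change-me"  # assumed signing key; keep it private
SIGNED_FIELDS = ("From", "To", "Message-ID")   # what the tag commits to
_HEADER_LINE = re.compile(r"^([A-Za-z0-9-]+):[ \t]*(.*)$", re.MULTILINE)


def _header_dict(msg):
    """Lower-cased name -> stripped value for a parsed message's headers."""
    return {k.lower(): str(v).strip() for k, v in msg.items()}


def _headers_from_text(text):
    """Recover 'Name: value' lines quoted in a plain-text bounce body."""
    return {m.group(1).lower(): m.group(2).strip() for m in _HEADER_LINE.finditer(text)}


def _tag(headers, secret):
    """HMAC-SHA256 over the signed fields, truncated to 128 bits (short enough not to fold)."""
    material = "\n".join(f"{f.lower()}:{headers.get(f.lower(), '')}" for f in SIGNED_FIELDS)
    return hmac.new(secret, material.encode(), hashlib.sha256).hexdigest()[:32]


def sign_outgoing(msg, secret=SECRET):
    """Step 1: stamp every outgoing message (at the MUA or, better, the MTA) with the header."""
    msg[HEADER] = _tag(_header_dict(msg), secret)
    return msg


def original_header_sets(bounce):
    """Yield one header dict per copy of the original message that a bounce carries."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":           # full original attached
            yield _header_dict(part.get_payload(0))
        elif ctype == "text/rfc822-headers":    # headers-only attachment
            yield _header_dict(email.message_from_string(part.get_content(), policy=policy.default))
        elif ctype == "text/plain":             # headers merely quoted in the body text
            yield _headers_from_text(part.get_content())


def is_genuine_bounce(bounce, secret=SECRET):
    """Step 2: keep a bounce only if it quotes a tag that verifies against its own From/To/Message-ID."""
    for headers in original_header_sets(bounce):
        claimed = headers.get(HEADER.lower(), "")
        if claimed and hmac.compare_digest(claimed.encode(), _tag(headers, secret).encode()):
            return True
    return False


def make_message(sender, recipient, msgid, body):
    """Constructed sample message."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Message-ID"], msg["Subject"] = sender, recipient, msgid, "hello"
    msg.set_content(body)
    return msg


def _reparse(msg):
    """Round-trip through bytes so the filter sees what the MTA would actually hand over."""
    return email.message_from_bytes(msg.as_bytes(), policy=policy.default)


def bounce_with_attachment(original):
    """Constructed DSN that attaches the original as message/rfc822."""
    dsn = EmailMessage()
    dsn["From"], dsn["To"] = "MAILER-DAEMON@relay.example.net", str(original["From"])
    dsn["Subject"] = "Undelivered Mail Returned to Sender"
    dsn.set_content("The message could not be delivered.")
    dsn.add_attachment(original)
    return _reparse(dsn)


def bounce_with_quoted_text(original):
    """Constructed bounce that only quotes the original headers inside its text body."""
    quoted = "".join(f"{k}: {v}\n" for k, v in original.items())
    dsn = EmailMessage()
    dsn["From"], dsn["To"] = "MAILER-DAEMON@relay.example.net", str(original["From"])
    dsn["Subject"] = "Mail delivery failed"
    dsn.set_content("Delivery failed. Headers of the original message:\n\n" + quoted)
    return _reparse(dsn)


def demo():
    """Genuine bounces pass in both formats; backscatter fails, even when it copies a real tag."""
    me = "richard@example.org"
    mine = sign_outgoing(make_message(me, "friend@example.net", "<constructed-1@example.org>", "see you"))
    forged = make_message(me, "victim@example.com", "<spam-9@bogus.invalid>", "buy pills")
    replayed = make_message(me, "victim2@example.com", "<spam-10@bogus.invalid>", "buy pills")
    replayed[HEADER] = str(mine[HEADER])        # spammer pasted a harvested tag onto new spam
    return {
        "genuine_attached": is_genuine_bounce(bounce_with_attachment(mine)),
        "genuine_quoted": is_genuine_bounce(bounce_with_quoted_text(mine)),
        "forged_no_header": is_genuine_bounce(bounce_with_attachment(forged)),
        "forged_copied_tag": is_genuine_bounce(bounce_with_quoted_text(replayed)),
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the four verdicts. Anything addressed to you that claims to be a bounce but fails `is_genuine_bounce` can be filed as backscatter; bounces of mail you really sent still arrive, which is the property the plain "fixed secret header" version of the trick shares but the signed version keeps even after a spammer has seen one of your headers.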

Re:Easy filtering solution (2)

gbjbaanb (229885) | more than 6 years ago | (#23298600)

interesting.. now, how do I do that in Thunderbird?

It may be slightly redundant though, all those emails bounced back at me are ones that are obviously spam - otherwise the recipient's spam filter wouldn't be bouncing them to me, and so you'd expect my spam filters to detect and delete them without any intervention on my part.

Re:Easy filtering solution (1)

Richard W.M. Jones (591125) | more than 6 years ago | (#23298636)

interesting.. now, how do I do that in Thunderbird?

I've no idea. I used Thunderbird at work for a while, but got so sick of it that I replaced it with mutt and have been much happier (and calmer) at work ever since.

Rich.

Re:Easy filtering solution (5, Informative)

djmurdoch (306849) | more than 6 years ago | (#23298686)

how do I do that in Thunderbird?
Set the custom headers preference. [mozillazine.org]

Re:Easy filtering solution (5, Informative)

rjames13 (1178191) | more than 6 years ago | (#23298762)

Go into Preferences->Advanced Tab and click Config Editor Button.

Alter the setting
mail.identity.default.headers
to include the string header1
note header1 is just a label
then add a new string called
mail.identity.id1.header.header1
Set the value of that to your X-line

From now on all mail sent from Identity 1 will have that header on it.

To create a filter based on that. Obtain an email with that header. Find a clickable link in the header and right click and select create filter from message.

At first from the drop down box you can't select that X-line so you need to go to the bottom and click customise. You can put that header in there. Now you can create a filter from it.

Re:Easy filtering solution (1)

dotancohen (1015143) | more than 6 years ago | (#23298656)

Nice, thanks! Mods!

Implement at MTA, not MUA (1)

Doctor O (549663) | more than 6 years ago | (#23298786)

Unless you like playing around with your users' machines a lot, you had better implement that at the MTA level and configure your mail server(s) so that they include the header.

Or you could just use SPF, which basically does the same thing, only more elegantly.

Re:Implement at MTA, not MUA (2, Informative)

Richard W.M. Jones (591125) | more than 6 years ago | (#23298896)

Unless you like playing around with your users' machines a lot, you had better implement that at the MTA level and configure your mail server(s) so that they include the header.

Sure ...

Or you could just use SPF, which basically does the same thing, only more elegantly.

SPF doesn't do the same thing at all. It relies on the receiver MTA to do something about the non-matching SPF records, which evidently many don't (or at least, I've got proper SPF records, but still get huge amounts of backscatter spam).

Rich.

Re:Easy filtering solution (4, Informative)

guruevi (827432) | more than 6 years ago | (#23299454)

You know, I have a digital certificate that does that for me. It automatically signs my e-mail and 'smart' filters and e-mail clients know that non-signed e-mail from me is not to be trusted as much.

Get your free personal certificate and if 2 people have certificates, e-mail gets encrypted between you! There are a number of providers that give them.

Why is this only getting noticed now? (5, Informative)

gsslay (807818) | more than 6 years ago | (#23298550)

I must have read at least 3 news stories about backscatter in the last week. Why is this only getting attention now when it's been a problem for years? Is it just because someone has coined a word for it?

I can remember years back when some spammer decided to use my domain name in their spam run. Hundreds of bounced emails every day and I cursed every one of the dumb mail servers that mailed them; complete with original html email, images and any other crappy attachment. ("Hundreds" may be small potatoes these days, but they were a big deal at the time.) Just the very idea that spammers would supply a genuine reply address seemed so incredibly stupid, yet there they were; dozens of carefully worded variants of the same "naughty spammer, don't email me" reply. I could just see some smug sysadmin configuring their system with this badly thought-out garbage, thinking "ha! that'll show them!"

None of my mail servers since then have ever bounced spam or mis-addressed emails.

Re:Why is this only getting noticed now? (1)

statemachine (840641) | more than 6 years ago | (#23298606)

I must have read at least 3 news stories about backscatter in the last week.

At least they're writing stories about it now. I'm glad they're finally publicizing this. I've published SPF records almost since SPF started, and it amazes me that people still don't set up their servers to check this before accepting a message -- which is the initial problem. The more publicity, the better.

Re:Why is this only getting noticed now? (1)

Tony Hoyle (11698) | more than 6 years ago | (#23298888)

I rarely ever see it. Spammers normally use made-up email addresses.. they're just using your domain name, so as long as your MTA is not allowing emails to arrive for nonexistent users you'll filter 95% of it as a part of normal operation.

Re:Why is this only getting noticed now? (2, Informative)

statemachine (840641) | more than 6 years ago | (#23298916)

While it is rare considering the volume of e-mail I receive, I've noticed backscatter is gradually increasing. More and more admins are just installing anti-spam/anti-virus devices without learning which options to enable or disable.

so as long as your MTA is not allowing emails to arrive for nonexistent users
I wholeheartedly agree, but SPF won't even allow it to get this far. Why should clueless admins expect me to pick up their slack?

Re:Why is this only getting noticed now? (2, Informative)

Tony Hoyle (11698) | more than 6 years ago | (#23298970)

Unfortunately so few ISPs support SPF it's not reliable. I've published SPF records for years on all my domains.. OTOH for incoming it merely gets a spam score - when SPF is used it is alas sometimes misconfigured so bouncing on it has too many false positives.

Re:Why is this only getting noticed now? (1)

mgh02114 (655185) | more than 6 years ago | (#23299396)

Just the very idea that spammers would supply a genuine reply address seemed so incredibly stupid
I'm not saying that this is smart, but they DO have a reason for configuring their mail servers this way: for the false positives. Those do have valid reply addresses. Ignoring the backscatter problem, I do appreciate it when Verizon tells me that it has blocked a message I sent to my mom.

For fsck's sake (1)

blind biker (1066130) | more than 6 years ago | (#23298566)

Hasn't this crap been going on long enough? Aren't people tired of spam - tired, as in totally pissed! I know I am.

Something drastic should be done about it, yesterday. Doesn't matter if it fails at first, I just want to see some political will. As it is, it seems like no one who has the power gives a sh*t.

Re:For fsck's sake (1)

KinkyClown (574788) | more than 6 years ago | (#23298630)

I agree, but I don't think it's possible to scrap 'email' as we currently know it and replace it with 'email 2.0' that uses protection, because we would all have to migrate together. Same reason we are still waiting for IPv6 (because no one wants the extra costs involved with IP4-to-IP6 gateways).

Re:For fsck's sake (2, Insightful)

Mattsson (105422) | more than 6 years ago | (#23298696)

Start spreading the word:
"Anyone who sends spam is a terrorist!"
Add random bogus reason, like "spam finances terrorism" and tag a "think of the children" on at the end.

Sooner or later, someone in power is bound to fall for it.

Re:For fsck's sake (1)

Zorque (894011) | more than 6 years ago | (#23298930)

You have a point, spam helps finance the Russian mafia, and who knows who they're involved with.

Re:For fsck's sake (1)

Gavagai80 (1275204) | more than 6 years ago | (#23298758)

The junk in my physical mailbox is more annoying, and such junk mail has been going on for centuries without a solution. So I don't think you can expect a solution to non-physical spam either.

Re:For fsck's sake (1)

phoenixwade (997892) | more than 6 years ago | (#23299048)

The junk in my physical mailbox is more annoying, and such junk mail has been going on for centuries without a solution. So I don't think you can expect a solution to non-physical spam either.
You really think junk mail is over 200 years old?

Re:For fsck's sake (1)

maxume (22995) | more than 6 years ago | (#23299252)

If Ogg was good at making axes, I bet he put fractured animal skulls by other Ogg's huts.

Let Ogg hear, Ogg make Ogg axe! Ogg!

Re:For fsck's sake (1)

blind biker (1066130) | more than 6 years ago | (#23299428)

I dunno about your place, but here we only have to put "Ei mainoksia" ("No commercials") on the door/postbox, and voilà, no more junk mail. Besides, physical junkmail is much easier to fight because it costs SOMETHING to send. It costs NOTHING to send e-mails - hence the problem (for most of us anyway - looks like you have lucked out).

Easy anti spam system (1, Interesting)

Anonymous Coward | more than 6 years ago | (#23298576)

My easy anti spam system would block this. Only works if you have your own domain, though.

I have anyemail@mydomain.com forwarded to a gmail account, which then forwards ONLY email with a certain extension (for instance, somesite.spam@mydomain.com) to my private email address. The bonus is, if you use a different email address for each site (for instance, slashdot.spam@mydomain.com), you can nail down the sites that spam like crazy (not that Slashdot would do such things :-)!

Re:Easy anti spam system (1)

bhtooefr (649901) | more than 6 years ago | (#23299240)

There's a modification of that system that works for most stuff, even if you don't own your own domain, although a few providers (*cough*hotmail*cough*) treat it as invalid.

The downside is that the real address can rather easily be backed out of the address.

For the address user@example.com, one could provide Slashdot with user+slashdot@example.com.

Of course, a spambot could just delete everything from the plus to before the at sign, and still get you. But, it still gives better sorting if you don't make the address public.

Clicking next? You've been splogged (2, Interesting)

Anonymous Coward | more than 6 years ago | (#23298644)

1280px wide layout, but the column with the actual content in it is only 200px; the other 1080px are dedicated to adverts and sponsors.

I think that Computerworld site is a classic example of a site that cares nothing for its readers (like spam) and is only a means to an end; when a site has more space dedicated to advertising than content, you know you've hit a spam site.

Funny how they are telling us about spam while promoting more adverts on a single page than a spam message has.

What's new about this? (2, Interesting)

Anonymous Coward | more than 6 years ago | (#23298660)

I lost my "email for life" account (randeg at alum.rpi.edu) nearly five years ago because of backscatter. I got a lot of it because that address appeared in-the-clear in libpng and zlib documentation. The people at RPI did not understand the backscatter phenomenon, and I assume they are still getting plenty of it.

Re:What's new about this? (2, Interesting)

statemachine (840641) | more than 6 years ago | (#23298740)

Eternal September.

Sure, I once got angry at people who sent me spam and bounced it back to the sender with a nastygram. But that was 1995. There wasn't SPF, and there weren't content filters. And most installations were open relays on Sendmail. Administering e-mail was simply giving someone a home directory and pine.

Nowadays, the e-mail administrators are the biggest enablers. If they just checked SPF records and stopped automated bounces after a content filter determines it's spam.... It's also up to the admin to educate their users. But, there will always be clueless new admins and new users.

Solution (0)

Anonymous Coward | more than 6 years ago | (#23298664)

Can't we just bounce these messages?

"legitimate?" (4, Informative)

Michael Hunt (585391) | more than 6 years ago | (#23298672)

As a 9-year veteran of the anti-spam industry (with experience within the regulator, although I've left that behind me now and work in telecoms,) it's a REAL stretch for anybody inside the IT industry to take these kinds of comments seriously.

Anybody who says that 'legitimate' mailservers are sending backscatter instead of 5xx-ing the message in transit is wrong. Mailservers which send backscatter are NOT legitimate, EOL.

- A pissed off mail admin.

Re:"legitimate?" (2, Funny)

Anonymous Coward | more than 6 years ago | (#23298770)

Airport Announcer: "Mike Hunt? White Courtesy Telephone, please. Mike Hunt..."

Parents had a sense of humor?

Re:"legitimate?" (1)

Tony Hoyle (11698) | more than 6 years ago | (#23298908)

For spam even a 5xx is wasted... spammers don't care. File it in a spam folder or simply drop it on the floor. I agree replying to it with a new message (which is what these misconfigured servers do) is utterly moronic. Personally I just report such servers as spammers. Automated ones, but spammers nonetheless.

Re:"legitimate?" (3, Informative)

Michael Hunt (585391) | more than 6 years ago | (#23298948)

If Aunt Tillie sends me a message (forwarded from Betty, her next door neighbour, which was in turn forwarded from her nephew Boris, who goes to school in another city) which just happens to look like spam (who knows, maybe Boris is telling an amusing anecdote about how one of his friends stumbled across some h3rb4|_ v!agr4 or something,) I'm going to look like a fair dick if the message gets dropped on the floor and Aunt Tillie doesn't at least get notified that the message got eaten.

The 5xx range of status codes exists for this (and other) reasons, there's no reason NOT to use them (by performing content verification inline and either 2xx-ing or 5xx-ing the message between "." and "QUIT".)
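The inline rejection the post describes, as an added example in Python. It is not code from the thread or from any poster; the sample session, the local user list and the keyword classifier are constructed. A toy SMTP receiver is run in both modes against the same session from a bot forging victim@example.org as its sender. In the strict mode the unknown recipient is refused at RCPT and the spam is refused with a 550 after the terminating ".", so nothing is ever mailed to the forged sender; with accept_then_bounce=True the same receiver answers 250 and records the DSN it would send, which is exactly the message that arrives at the victim as backscatter.

```python
def _addr(arg):
    """'FROM:<a@b>' / 'TO:<a@b>' -> 'a@b', lower-cased; '' is the null reverse-path '<>'."""
    return arg.partition(":")[2].strip().strip("<>").lower()


def looks_like_spam(body):
    """Stand-in for a real content filter (constructed keyword check)."""
    return "cheap pills" in body.lower()


class ToyReceiver:
    """Minimal SMTP state machine; records any DSN it would emit in self.bounces."""

    def __init__(self, local_users, classifier, accept_then_bounce=False):
        self.local_users = {u.lower() for u in local_users}
        self.classifier = classifier
        self.accept_then_bounce = accept_then_bounce  # True = the behaviour that creates backscatter
        self.bounces = []

    def session(self, client_lines):
        """Run one session; returns the transcript as (side, line) pairs, 'C' client / 'S' server."""
        transcript = [("S", "220 mx.example.com ESMTP")]
        sender, rcpts = None, []
        lines = iter(client_lines)
        for line in lines:
            transcript.append(("C", line))
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                reply = "250 mx.example.com"
            elif verb == "MAIL":
                sender, rcpts = _addr(arg), []
                reply = "250 2.1.0 Ok"
            elif verb == "RCPT":
                rcpt = _addr(arg)
                if rcpt in self.local_users:      # unknown users are refused here, never bounced later
                    rcpts.append(rcpt)
                    reply = "250 2.1.5 Ok"
                else:
                    reply = "550 5.1.1 No such user here"
            elif verb == "DATA":
                if sender is None or not rcpts:
                    reply = "554 5.5.1 No valid recipients"
                else:
                    transcript.append(("S", "354 End data with <CR><LF>.<CR><LF>"))
                    body = []
                    for data_line in lines:
                        transcript.append(("C", data_line))
                        if data_line == ".":
                            break
                        body.append(data_line)
                    reply = self._end_of_data(sender, rcpts, "\n".join(body))
            elif verb == "QUIT":
                transcript.append(("S", "221 2.0.0 Bye"))
                break
            else:
                reply = "500 5.5.2 Command not recognized"
            transcript.append(("S", reply))
        return transcript

    def _end_of_data(self, sender, rcpts, body):
        """The decision point the post describes: between '.' and QUIT, while the client still waits."""
        if not self.classifier(body):
            return "250 2.0.0 Ok: queued"
        if self.accept_then_bounce:
            # Accept, then 'return' the message to a reverse-path that may well be forged.
            # (Even this mode must not send a DSN to the null sender '<>', per RFC 5321.)
            if sender:
                self.bounces.append({"to": sender, "reason": "message rejected as spam"})
            return "250 2.0.0 Ok: queued"
        # Inline rejection: the failure is reported to the connected client, not mailed to a third party.
        return "550 5.7.1 Message rejected as spam"


def server_replies(transcript):
    return [line for side, line in transcript if side == "S"]


SAMPLE_SESSION = [  # constructed: a bot forging victim@example.org as the envelope sender
    "EHLO bot.example.net",
    "MAIL FROM:<victim@example.org>",
    "RCPT TO:<alice@example.com>",
    "RCPT TO:<nobody@example.com>",
    "DATA",
    "From: victim@example.org",
    "Subject: offer",
    "",
    "Cheap pills, order today",
    ".",
    "QUIT",
]


def compare():
    """Same session against both behaviours: (strict replies, strict bounces, legacy bounces)."""
    strict = ToyReceiver(["alice@example.com"], looks_like_spam)
    strict_replies = server_replies(strict.session(SAMPLE_SESSION))
    legacy = ToyReceiver(["alice@example.com"], looks_like_spam, accept_then_bounce=True)
    legacy.session(SAMPLE_SESSION)
    return strict_replies, strict.bounces, legacy.bounces


if __name__ == "__main__":
    for item in compare():
        print(item)
```

The point of the transcript is who carries the failure: with a 550 at end-of-data the connected client (the bot) gets it and Aunt Tillie's own MTA, in the legitimate case, is the one that generates her notification, whereas the accept-then-bounce receiver manufactures a brand new message to an address it never verified.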

Re:"legitimate?" (2, Informative)

mlts (1038732) | more than 6 years ago | (#23298932)

Agreed. Microsoft Exchange 2007, out of the box, does not bounce messages it gets. It either gives an error code and refuses to process the message, or it accepts it. An Exchange admin can configure rules for messages to bounce (say someone is trying to carbon copy multiple internal company distribution lists), but it's nowhere near the default settings.

I wonder if backscatter has been used as a threat for extortion sometimes. A few years back, I was seeing spammers E-mail people who owned domains threatening to use their email address as the From: header for subsequent spam if they didn't pay some thousands of dollars, then later on (days/weeks), backscatter would start hitting that username. One of my addresses that I used to use for years got hit by so much backscatter that I eventually just added a whitelist, added in a ruleset with password that would autoforward anything that had that word in the subject or body, and had procmail just dump everything else.

A Death from Shame (0)

Anonymous Coward | more than 6 years ago | (#23298704)

Old Chinese proverb:

"Fool me once
Shame on you
Fool me twice
Shame on me."

FTFA:

At its worst the phenomenon can even wipe Internet servers off the map.
While one might say that some servers should die of shame, apparently they truly can.

Last month, Stephen Gielda, president of Packetderm, upset a fraudster who was trying to use his anonymous Internet service. Soon his servers were inundated with a tidal wave of backscatter messages. [google.com] At one point, he was being hit by 10,000 bounceback messages per second, enough to throttle the server's Internet connection.

SPF + !SRS! (3, Interesting)

spottedkangaroo (451692) | more than 6 years ago | (#23298716)

It seems like the solution to "backscatter" has been around for quite a few years (SRS [openspf.org] ). I'm surprised how few of the commercially available anti-spam solutions use or interpret it.

At my company, we just looked at Barracuda (PoS), Pineapp, St. Bernards ePrism, MX Force, Postini, and some other things. None of them understand SRS and only a few of the tech contacts had even heard of it. Sad Sad. But they all seem to have hand-rolled "backscatter" protection that partially works.

It seems like everyone has an SPF record these days. But it feels like relatively few actually check them and almost nobody goes the full distance and uses SRS.
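The SRS mechanism the post refers to is an envelope-sender rewrite: the forwarder stamps a short keyed hash and a timestamp into the return path, so a bounce that comes back to an address it never minted (or to one that has expired) can be refused outright. The following is an added example in Python, not code from the openspf.org project or any of the products named above; the secret key, the forwarder domain "forwarder.example", the sender "alice@sender.example" and the day number are all constructed for the illustration, and the 21-day validity window is an assumed policy value.

```python
import base64
import hashlib
import hmac

# Constructed values for this example; a real forwarder keeps its secret private.
SRS_SECRET = b"example-forwarder-secret"
FORWARDER = "forwarder.example"
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # alphabet used for the SRS timestamp
HASH_LEN = 4          # SRS0 keeps only a short prefix of the MAC
MAX_AGE_DAYS = 21     # assumed policy: older return paths are treated as stale


def srs_timestamp(day: int) -> str:
    """Two base32 characters encoding the day number modulo 1024."""
    return BASE32[(day >> 5) & 31] + BASE32[day & 31]


def srs_hash(timestamp: str, domain: str, local: str) -> str:
    """Truncated HMAC over timestamp + original domain + original local part."""
    msg = (timestamp + domain + local).lower().encode()
    mac = hmac.new(SRS_SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:HASH_LEN]


def srs_forward(sender: str, day: int) -> str:
    """Rewrite the envelope sender so bounces come back to us, signed and dated."""
    local, domain = sender.rsplit("@", 1)
    ts = srs_timestamp(day)
    return f"SRS0={srs_hash(ts, domain, local)}={ts}={domain}={local}@{FORWARDER}"


def srs_reverse(address: str, day: int):
    """Return the original sender if the SRS0 address is authentic and fresh, else None.

    A bounce (DSN) addressed to anything that fails this check was not triggered by
    mail we forwarded, so the receiving side can reject it as backscatter.
    """
    local, domain = address.rsplit("@", 1)
    if domain.lower() != FORWARDER or not local.startswith("SRS0="):
        return None
    parts = local.split("=", 4)
    if len(parts) != 5:
        return None
    _, mac, ts, orig_domain, orig_local = parts
    if len(ts) != 2 or any(c not in BASE32 for c in ts):
        return None
    # Constant-time comparison so the short MAC cannot be probed byte by byte.
    expected = srs_hash(ts, orig_domain, orig_local)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    stamped = (BASE32.index(ts[0]) << 5) | BASE32.index(ts[1])
    if (day - stamped) % 1024 > MAX_AGE_DAYS:
        return None  # expired: a real bounce would have arrived long ago
    return f"{orig_local}@{orig_domain}"


if __name__ == "__main__":
    today = 19000  # constructed day number (days since the epoch)
    rewritten = srs_forward("alice@sender.example", today)
    print(rewritten)
    print(srs_reverse(rewritten, today))        # original sender recovered
    print(srs_reverse(rewritten, today + 30))   # None: stale
```

The point for backscatter is the reverse path: a forwarder that only accepts bounces for addresses `srs_reverse` validates never relays a fake DSN to the person whose address the spammer forged, and the original return path is still recoverable from the rewritten address when the bounce is genuine.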

Re:SPF + !SRS! (0)

Anonymous Coward | more than 6 years ago | (#23298780)

Interesting list, especially considering that Barracuda (PoS) and Postini are exactly the entities responsible for the biggest identifiable source of my backscatter traffic.

But seriously, why is this news? Backscatter has been a problem for ages now. Did some reporter finally get the brunt of it?

Re:SPF + !SRS! (3, Insightful)

spydir31 (312329) | more than 6 years ago | (#23298816)

Here's the solution to backscatter:

  1. only relay authorized messages
  2. reject as soon as possible. no bounces.
  3. do not send out virus warnings, spam warnings, challenge-response requests

Re:SPF + !SRS! (1)

Fjan11 (649654) | more than 6 years ago | (#23298868)

Dropping incorrect addresses is a technical "solution", but not a user friendly way to deal with the problem. It's bad engineering.

Just enforcing SPF by itself would already go a long way to fixing this, and cure a lot of other spam in the process.

Re:SPF + !SRS! (1)

spottedkangaroo (451692) | more than 6 years ago | (#23299346)

SRS isn't about dropping incorrect addresses. It's about dropping fake bounce messages (DSN) that aren't signed/generated by the server that's supposed to accept them.

Re:SPF + !SRS! (1)

Tony Hoyle (11698) | more than 6 years ago | (#23298928)

There's a reason - such a scheme breaks many anti-spam measures and is a particularly poor way to do it.

I've seen such crap in my logs and didn't realize what it was.. it fails sender verification and gets dropped as spam anyway. Lying about who you are to a mailserver is not the way to solve spam.

Re:SPF + !SRS! (1)

spottedkangaroo (451692) | more than 6 years ago | (#23299332)

I don't think it lies about who you are. It certainly shouldn't break any anti-spam measures.

It makes the return path verifiable to the sender and if you decode it the original return path is there (with exactly the same reliability as before: 0).

So I guess I don't understand your argument at all.

Re:SPF + !SRS! (0)

Anonymous Coward | more than 6 years ago | (#23298974)

It's true, more people have implemented SPF records in DNS, but still are waiting for the mail servers to catch up. It's easy to understand why... zone records are easy to create, and there are plenty of SPF generators out there. But patching/upgrading your mail server to check SPF requires time, and time is money.
MailEnable is one packaged server that has SPF built in... too bad it only runs on Windows,

None here. (1)

Rakeris (1114111) | more than 6 years ago | (#23298804)

I have never gotten any "backscatter". At least to my knowledge. Hopefully it stays this way!

Where (1)

Wowsers (1151731) | more than 6 years ago | (#23298942)

I don't have any of these "bounce" messages. I don't know if it means I have no nerdy friends, or I have very good rules for dealing with spam.

Backscatter: Say goodbye to your catch-all account (1)

SoupIsGoodFood_42 (521389) | more than 6 years ago | (#23298958)

Every so often, I'll get backscattered for a few days with the catch-all e-mail account I've set up for my domain. Since I'm lazy, I usually just log in to my ISP and set up an alias to redirect to another mailbox I have set up for this crap. If it gets any worse, then I'll have to look at a real solution, or even drop my catch-all account, which would be a real pain.

Postfix has a solution to this (3, Informative)

AftanGustur (7715) | more than 6 years ago | (#23298996)

See here http://www.postfix.org/BACKSCATTER_README.html [postfix.org]

The trick is to use the "header_checks" and "body_checks" to look for signs of the email having been sent out from your email server in the first place.
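The idea behind those checks is that a genuine bounce quotes headers your own server put on the original message, while backscatter quotes headers a spammer invented. The following is an added Python example of that inspection, not Postfix code and not the rules from the BACKSCATTER_README; it assumes our outbound MTA is "mail.example.com" at 192.0.2.10 and stamps outgoing Message-IDs as a hex queue id at that hostname, and the three bounce messages are constructed for the illustration.

```python
import re
from email import message_from_string
from email.message import Message

# Assumed identity of our own outbound MTA (constructed values for this example).
OUR_DOMAIN = "example.com"
OUR_MAILHOST = "mail.example.com"
OUR_IP = "192.0.2.10"
# Assumed Message-ID format our MTA stamps on outbound mail: <hexqueueid@ourhost>.
OUR_MSGID_RE = re.compile(r"^<[0-9A-F]{8,12}@" + re.escape(OUR_MAILHOST) + r">$")

MSGID_RE = re.compile(r"^Message-ID:\s*(<[^>]+>)", re.M | re.I)
RECEIVED_RE = re.compile(r"^Received:\s+from\s+(\S+)\s+\(([^)]*)\)", re.M | re.I)


def quoted_text(msg: Message) -> str:
    """Collect the bounce body, which is where a relay quotes the original headers."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            chunks.extend(inner.as_string() for inner in part.get_payload())
        elif part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def classify_bounce(raw: str):
    """Return (verdict, reason): backscatter, genuine, unverified or not-a-bounce."""
    msg = message_from_string(raw)
    if (msg.get("Return-Path") or "").strip() != "<>":
        return ("not-a-bounce", "envelope sender is not empty")
    text = quoted_text(msg)
    own_msgid = False
    for mid in MSGID_RE.findall(text):
        domain = mid[1:-1].rsplit("@", 1)[-1].lower()
        if domain == OUR_DOMAIN or domain.endswith("." + OUR_DOMAIN):
            if OUR_MSGID_RE.match(mid):
                own_msgid = True
            else:
                return ("backscatter", f"Message-ID claims our domain but is not ours: {mid}")
    for host, client in RECEIVED_RE.findall(text):
        # A hop that really talked to our MTA records our hostname and our address.
        if host.lower() == OUR_MAILHOST and client != f"{OUR_MAILHOST} [{OUR_IP}]":
            return ("backscatter", f"Received: claims {host} but the client was {client}")
    if own_msgid:
        return ("genuine", "quotes a Message-ID that our MTA generated")
    return ("unverified", "quotes nothing that ties the original to our MTA")


# Constructed sample bounces (not real traffic).
FORGED_BOUNCE = """\
Return-Path: <>
From: MAILER-DAEMON@victimrelay.example
To: alice@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: text/plain; charset=us-ascii

The message could not be delivered to one or more recipients.

--- Original message headers (quoted by the relay) ---
Received: from mail.example.com (unknown [198.51.100.77])
\tby victimrelay.example with SMTP
From: alice@example.com
Message-ID: <000901c8ae3e$3b1e2f40$6401a8c0@example.com>
Subject: Cyails, Vygara nad Levytar
"""

GENUINE_BOUNCE = """\
Return-Path: <>
From: MAILER-DAEMON@mx.partner.example
To: alice@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: text/plain; charset=us-ascii

<bob@partner.example>: mailbox full

--- Original message headers ---
Received: from mail.example.com (mail.example.com [192.0.2.10])
\tby mx.partner.example with ESMTP
From: alice@example.com
Message-ID: <3A1F2B4C7D@mail.example.com>
Subject: Q2 invoice
"""

BARE_BOUNCE = """\
Return-Path: <>
From: MAILER-DAEMON@somewhere.example
To: alice@example.com
Subject: Delivery Status Notification (Failure)
Content-Type: text/plain; charset=us-ascii

Delivery to the following recipient failed permanently: carol@somewhere.example
"""

if __name__ == "__main__":
    for sample in (FORGED_BOUNCE, GENUINE_BOUNCE, BARE_BOUNCE):
        print(classify_bounce(sample))
```

A "backscatter" verdict is the case to reject with a 5xx while the relay is still connected; the "unverified" bucket (bounces that quote nothing at all) is the one that needs a human decision, since rejecting it blindly would also drop some legitimate, if unhelpful, delivery failures.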

No backscatter here. (1)

cryptodan (1098165) | more than 6 years ago | (#23299008)

I have hardly received any backscatter on any of my email addresses with Comcast, Yahoo, and my very own personal one. I guess I'm one of the fortunate ones. Could you all post the headers of these so called messages, so I can be on the lookout for them?

AOL (1)

eulernet (1132389) | more than 6 years ago | (#23299068)

I've been a victim of this sort of spam for several years, and it may happen to anybody who has had an email address for a long time.

A few years ago, AOL always blocked my legitimate emails to AOL users, due to the fact that my email address was blacklisted due to this spam infection.

SPF Record (0)

Anonymous Coward | more than 6 years ago | (#23299072)

If you own the domain you can make it more difficult for spammers to spoof your email with an SPF record.

http://en.wikipedia.org/wiki/Sender_Policy_Framework
http://www.openspf.org/
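Publishing the record is the easy half; the comments above about "enforcing SPF" are about the receiving server evaluating it and refusing the message during the SMTP session, which is exactly the point at which no bounce is generated. The following is an added Python example of that evaluation, not code from openspf.org or from any mail server; it assumes a constructed record for an example domain and handles only the ip4, ip6 and all mechanisms so that it runs without DNS (mechanisms that need lookups are reported as permerror rather than guessed).

```python
import ipaddress

# Constructed SPF record for an example domain; in reality it is a DNS TXT record.
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, client_ip: str) -> str:
    """Evaluate an SPF record against the IP of the connecting client.

    Only ip4, ip6 and all are evaluated, so the check works offline. Mechanisms and
    modifiers that need DNS (a, mx, include, exists, ptr, redirect) yield permerror here.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        if name.startswith("exp="):
            continue  # explanation modifier does not affect the result
        return "permerror"  # needs a DNS lookup this offline example does not perform
    return "neutral"  # record exhausted without a matching mechanism


def smtp_verdict(result: str) -> str:
    """Reject a hard SPF fail while the sender is still connected; never accept and bounce."""
    if result == "fail":
        return "550 5.7.1 Sender not authorized by SPF"
    return "250 2.1.0 Ok"


if __name__ == "__main__":
    for client in ("192.0.2.25", "198.51.100.7", "2001:db8:1::5"):
        result = check_spf(EXAMPLE_SPF, client)
        print(client, result, smtp_verdict(result))
```

The 550 reply is the whole defensive payoff: the forged sender never receives anything, because the message was refused before the receiving server took responsibility for it.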

I've been getting "backscatter" for years... (3, Insightful)

Panaqqa (927615) | more than 6 years ago | (#23299100)

It used to really bug me, that someone was sending out spam and using my legitimate email address in the From, Return-path and Envelope-from headers. I began filtering out the "Spam received from YOU" type headers years ago. But what still bugs me about this is those people who set their systems up to add me to some domain based rather than IP address based block list based on these faked headers. For more than a year I have been unable to successfully send email to my insurance company due directly to this issue.

Then again, I have never regarded email as a reliable method of communication. Everything truly important goes with a read receipt request and if I don't receive one then I phone or send snail mail. I continue to be amazed by the number of screwups I continue to hear about where someone says "I never got [such and such] email."

Re:I've been getting "backscatter" for years... (2, Interesting)

jimicus (737525) | more than 6 years ago | (#23299280)

Then again, I have never regarded email as a reliable method of communication. Everything truly important goes with a read receipt request and if I don't receive one then I phone or send snail mail. I continue to be amazed by the number of screwups I continue to hear about where someone says "I never got [such and such] email."
As an admin, let me assure you that no (competent) email administrator has email randomly disappearing into the Magical Land of the Email Fairies.

I have had more people than I care to remember come to me complaining that "X says they sent me an email and I never received it, can you look into it?". Every single time I have been able to tell them exactly what happened. 8 times out of 10 the email's sat in their Inbox and they just have such a cluttered inbox that they can never find anything. (The other 2 times it's an internal mail that the sender sent to a number of people, but the complaining recipient isn't one of them).

Re:I've been getting "backscatter" for years... (3, Insightful)

Panaqqa (927615) | more than 6 years ago | (#23299466)

I did not mean to suggest that a competent admin would ever lose legitimate email. The problem comes in many forms, but the biggest culprit is anti-spam filters. These days it seems that everybody and their cousin wants to spam filter your email. ISPs arbitrarily apply such filters to their users' accounts, often without any notification. Hosting providers and domain registrars often do the same. System admins, under pressure from management, put in place imperfect solutions and compound the issue by misconfiguration. I employ some network admins myself to help clients with server problems. The number of times I have seen a program such as "Spam Assassin" set to an incredibly aggressive setting AND to delete flagged mail without it ever hitting an inbox is surprising. I have one client right now that has not been able to email their parent company for over 6 weeks. Their messages blackhole. And it is not as if the parent is unsophisticated: they are in the financial sector and employ 17,000 people. And of course nobody in their IT department will admit that any email is being blackholed.

I personally am one of those who would like to see a new email protocol built from scratch with the spam problem as foremost consideration in the design process. I have a dislike for anything in IT that only "works most of the time", and that's where email has been for quite a while now.

My 2 cents. Another 2 cents that is.

Change the RFC for bounce messages (1)

WGR (32993) | more than 6 years ago | (#23299248)

Bounce messages should go to the postmaster of the domain that sent the message (the last Received: line before your MTA), rather than the "sender" in the From: header. That way, the actual forwarding server will be notified that it is being used to send spam and should be able to prevent further misuse. That also means the true sender gets the problem, not innocent bystanders.

Not "legitimate" mailservers (2, Insightful)

geminidomino (614729) | more than 6 years ago | (#23299452)

If an MTA is sending backscatter, it is not legitimate, it is broken. The MTA should NOT be looking at the FROM header to determine where the error goes. Report 5xx during the transaction, sending MTA is responsible for routing it to the associated address.

Any MTA I get backscatter from goes right into my local incompetent.dnsbl zone.

Not sure if it happened to me. (1)

nickull (943338) | more than 6 years ago | (#23299470)

I had originally contemplated that this was the case however figured that due to my self declared war on spammers, they decided to spoof my email as the send bit. I am 100% sure I have not been hacked or any system compromised but it was really a crappy experience nonetheless. http://technoracle.blogspot.com/2008/04/spam-war-deepens-am-i-winning.html [blogspot.com]