Backscatter, also known as blowback, is the result of a spammer forging the
sender address on an email that is sent to a non-existent address. Many
mail servers do not reject invalid addresses when they receive the email
and instead generate a bounce message sometime later. The unfortunate
victim, then, is the one whose address was forged as the sender. Sometimes,
hundreds or thousands of bounce messages can be generated which flood the
inbox of an innocent bystander.
Backscatter seems to be on the rise recently, the LWN inbox has seen a huge
increase in the number of bounces over the last week or so. There may be
some connection to some Google
domains contributing to the problem, but that cannot explain all of
it. One basic problem is that many mail servers are generating the bounce
messages after accepting mail for invalid addresses, rather than
rejecting it while the SMTP transaction is still in progress.
When a mail server gets a connection from a sending machine, it gets several
pieces of information about the email in addition to its contents. Both a
"from" and "to" address are included in this extra information, which is
usually called the envelope, for obvious reasons. After receiving each
piece of the envelope, a mail server has the opportunity to reject the
message. Typically this isn't done for valid-looking sender addresses, except in limited
blacklist situations, but it certainly can and should be done when the
recipient address is invalid.
Due to a variety of mail server configuration issues, many mail servers do
not avail themselves of rejecting mail for invalid senders. Instead, they
defer their decision until sometime later. Servers that relay mail will
not know whether some of the addresses they relay are valid, while other servers
(qmail for example) separate the SMTP conversation program from the local
delivery program for security reasons and thus do not have that information
available. Other valid or semi-valid reasons exist, but once the mail has
been accepted, the proper means of indicating a bad address is no longer available.
In the days before spam—remember those?—a mail server could
generally trust that the sender address in the envelope was the real
sender. So an incorrectly addressed email could be bundled up in a bounce
message and sent to the sender. If the sender address is valid, it is
very little different than a bounce that is generated by the sender's
machine when the mail gets rejected at SMTP time. Unfortunately, the
majority of sender addresses these days are forged.
But spammers don't want to use just any forged address, they want to use
something that is valid or appears valid. Mail servers have gotten better
at testing sender addresses for validity before accepting mail from them.
So, where does an enterprising spammer get a valid email address? They
pick one at random from their list of "500,000 guaranteed opt-in email
addresses" that they bought from some other miscreant. They use those
lists to send their spam to as well as using them to choose sender
addresses to use.
As might be guessed, the SpamAssassin
mailing lists have been discussing the problem recently, especially
trying to find ways to reduce the amount received. SpamAssassin does have
plugin to recognize bounce messages. By default, it doesn't increase
the score of bounces by much as it is meant to be used with procmail to put
bounces in a
separate place from spam.
Another idea floated on the list is to use SPF or DKIM records for a domain. The
belief is that spammers avoid using those domains because it is likely to
cause their message to be immediately classified as spam. Anecdotal
evidence seems to indicate that backscatter can be significantly reduced in
to post comments)