

Backscatter increase clogs inboxes

By Jake Edge
April 9, 2008

Backscatter, also known as blowback, is the result of a spammer forging the sender address on an email that is sent to a non-existent address. Many mail servers do not reject invalid addresses when they receive the email and instead generate a bounce message sometime later. The unfortunate victim, then, is the one whose address was forged as the sender. Sometimes, hundreds or thousands of bounce messages can be generated which flood the inbox of an innocent bystander.

Backscatter seems to be on the rise; the LWN inbox has seen a huge increase in the number of bounces over the last week or so. There may be some connection to some Google domains contributing to the problem, but that cannot explain all of it. One basic problem is that many mail servers generate the bounce messages after accepting mail for invalid addresses, rather than rejecting it while the SMTP transaction is still in progress.

When a mail server gets a connection from a sending machine, it gets several pieces of information about the email in addition to its contents. Both a "from" and "to" address are included in this extra information, which is usually called the envelope, for obvious reasons. After receiving each piece of the envelope, a mail server has the opportunity to reject the message. Typically this isn't done for valid-looking sender addresses, except in limited blacklist situations, but it certainly can and should be done when the recipient address is invalid.

Due to a variety of mail server configuration issues, many mail servers do not take the opportunity to reject mail for invalid recipients during the SMTP transaction. Instead, they defer their decision until sometime later. Servers that relay mail may not know whether the addresses they relay are valid, while other servers (qmail, for example) separate the SMTP conversation program from the local delivery program for security reasons and thus do not have that information available. Other valid or semi-valid reasons exist, but once the mail has been accepted, the proper means of indicating a bad address, an SMTP-time rejection, is no longer available.
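To make the envelope argument concrete, here is an added example (not code from LWN or from any MTA) of a toy SMTP receiver state machine. It processes the same constructed session twice: once rejecting the unknown recipient with a 550 at RCPT TO, once accepting everything and discovering the bad address only at queue time. The local user list, domain names and the transcript are all constructed for the demo.

```python
"""Toy SMTP receiver: reject at RCPT TO versus accept-then-bounce.

Added example; the domain, user list and session transcript are constructed.
"""
import re

LOCAL_DOMAIN = "example.org"          # constructed receiving domain
LOCAL_USERS = {"alice", "bob"}        # constructed local mailbox list

ADDR_RE = re.compile(r"<([^<>@\s]+)@([^<>@\s]+)>")


def recipient_is_valid(addr):
    """True if addr is a mailbox this server delivers to."""
    if "@" not in addr:
        return False
    user, domain = addr.lower().split("@", 1)
    return domain == LOCAL_DOMAIN and user in LOCAL_USERS


def _addr(arg):
    m = ADDR_RE.search(arg)
    return f"{m.group(1)}@{m.group(2)}" if m else ""   # "" for the null sender <>


class SmtpReceiver:
    def __init__(self, reject_at_rcpt=True):
        self.reject_at_rcpt = reject_at_rcpt
        self.sender = None
        self.recipients = []
        self.queue = []     # (sender, recipient, body) accepted for delivery
        self.bounces = []   # (bounce_to, reason) generated after acceptance
        self.in_data = False
        self.body = []

    def handle(self, line):
        """Return the server reply for one client line, or None while in DATA."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                return self._queue_message()
            self.body.append(line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mx.example.org"
        if verb == "MAIL":
            self.sender = _addr(arg)
            self.recipients = []
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            rcpt = _addr(arg)
            # The envelope is the one point where a bad recipient can be
            # refused without ever creating a message to bounce.
            if self.reject_at_rcpt and not recipient_is_valid(rcpt):
                return "550 5.1.1 Recipient address rejected: User unknown"
            self.recipients.append(rcpt)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.recipients:
                return "554 5.5.1 No valid recipients"
            self.in_data = True
            self.body = []
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognized"

    def _queue_message(self):
        # Late validation: the bad recipient is only found now, and the only
        # party left to tell is the (possibly forged) envelope sender.
        for rcpt in self.recipients:
            if recipient_is_valid(rcpt):
                self.queue.append((self.sender, rcpt, "\n".join(self.body)))
            elif self.sender:   # never bounce to the null sender <>
                self.bounces.append((self.sender, f"{rcpt}: user unknown"))
        return "250 2.0.0 Ok: queued"


def run_session(receiver, lines):
    return [r for r in (receiver.handle(l) for l in lines) if r is not None]


# Constructed transcript: forged sender, one valid and one bogus recipient.
SESSION = [
    "EHLO spammer.example.net",
    "MAIL FROM:<victim@forged.example.com>",
    "RCPT TO:<alice@example.org>",
    "RCPT TO:<nosuchuser@example.org>",
    "DATA",
    "Subject: buy now",
    "",
    "spam body",
    ".",
    "QUIT",
]


def demo(reject_at_rcpt):
    """Run SESSION and return (server replies, bounces generated)."""
    rx = SmtpReceiver(reject_at_rcpt=reject_at_rcpt)
    return run_session(rx, SESSION), rx.bounces


if __name__ == "__main__":
    for mode in (True, False):
        replies, bounces = demo(mode)
        print(f"reject at RCPT TO: {mode}")
        for r in replies:
            print("  S:", r)
        print("  bounces sent to envelope sender:", bounces)
```

With rejection enabled the fourth reply is a 550 and no bounce exists; with it disabled the same session is accepted and a bounce is addressed to victim@forged.example.com, which is exactly the backscatter the article describes.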

In the days before spam—remember those?—a mail server could generally trust that the sender address in the envelope was the real sender. So an incorrectly addressed email could be bundled up in a bounce message and sent to the sender. If the sender address is valid, this is little different from a bounce generated by the sender's machine when the mail gets rejected at SMTP time. Unfortunately, the majority of sender addresses these days are forged.

But spammers don't want to use just any forged address; they want to use something that is valid or appears valid. Mail servers have gotten better at testing sender addresses for validity before accepting mail from them. So, where does an enterprising spammer get a valid email address? They pick one at random from the list of "500,000 guaranteed opt-in email addresses" that they bought from some other miscreant. They use those lists both as spam targets and as a source of sender addresses.

As might be guessed, the SpamAssassin mailing lists have been discussing the problem recently, especially trying to find ways to reduce the amount received. SpamAssassin does have the VBounce plugin to recognize bounce messages. By default, it doesn't increase the score of bounces by much, as it is meant to be used with procmail to put bounces in a separate place from spam.
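The VBounce idea is to recognize a bounce and then ask whether the bounced original ever passed through one of your own outbound relays; if it did not, the bounce is backscatter. The following is an added example in that spirit, written here for illustration and not SpamAssassin's VBounce code. The relay host names and the three sample messages are constructed.

```python
"""Classify incoming mail as backscatter, a legitimate bounce, or neither.

Added example modelled on the VBounce approach; relay names and messages are
constructed.
"""
import email
import re
from email import policy

# Constructed: hosts that legitimately originate our outbound mail.
OUR_RELAYS = {"mail.lwn.example", "smtp.lwn.example"}

BOUNCE_SUBJECT = re.compile(
    r"undeliver|delivery (status|failure)|returned mail|mail delivery failed|failure notice",
    re.I)
RECEIVED_FROM = re.compile(r"^from\s+([\w.-]+)", re.I)


def looks_like_bounce(msg):
    """Null envelope sender, delivery-status report, or a typical bounce subject."""
    if msg.get("Return-Path", "").strip() == "<>":
        return True
    if (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type", "").lower() == "delivery-status"):
        return True
    return bool(BOUNCE_SUBJECT.search(msg.get("Subject", "")))


def _relays_in(part):
    hosts = set()
    for h in part.get_all("Received", []):
        m = RECEIVED_FROM.match(h.strip())
        if m:
            hosts.add(m.group(1).lower())
    return hosts


def original_passed_our_relay(msg):
    """Inspect the Received headers of the attached original (message/rfc822
    or text/rfc822-headers parts), ignoring the bounce's own outer headers."""
    hosts = set()
    for part in msg.walk():
        if part is msg:
            continue
        if part.get_content_type() == "text/rfc822-headers":
            part = email.message_from_string(part.get_content(), policy=policy.default)
        hosts |= _relays_in(part)
    return bool(hosts & OUR_RELAYS)


def classify(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    if not looks_like_bounce(msg):
        return "not-a-bounce"
    return "legit-bounce" if original_passed_our_relay(msg) else "backscatter"


# Constructed sample 1: bounce of spam that was sent from a zombie host with
# a forged jake@lwn.example sender; it never touched our relays.
BACKSCATTER = """\
Return-Path: <>
Received: from mx.remote.example (mx.remote.example [198.51.100.5]) by mail.lwn.example
Subject: Undelivered Mail Returned to Sender
From: MAILER-DAEMON@remote.example
To: jake@lwn.example
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The recipient does not exist.
--B1
Content-Type: text/rfc822-headers

Received: from zombie.example.net (unknown [203.0.113.7]) by mx.remote.example
From: jake@lwn.example
To: nobody@remote.example
Subject: Cheap pills

--B1--
"""

# Constructed sample 2: bounce of mail that really left via smtp.lwn.example.
LEGIT = """\
Return-Path: <>
Received: from mx.remote.example (mx.remote.example [198.51.100.5]) by mail.lwn.example
Subject: Mail delivery failed: returning message to sender
From: MAILER-DAEMON@remote.example
To: jake@lwn.example
Content-Type: multipart/report; report-type=delivery-status; boundary="B2"

--B2
Content-Type: text/plain

Unknown user.
--B2
Content-Type: message/rfc822

Received: from smtp.lwn.example (smtp.lwn.example [192.0.2.10]) by mx.remote.example
From: jake@lwn.example
To: oldfriend@remote.example
Subject: Lunch?

Still on for Friday?
--B2--
"""

# Constructed sample 3: ordinary mail.
NOT_A_BOUNCE = "From: alice@example.org\nTo: jake@lwn.example\nSubject: Meeting\n\nSee you at 3.\n"

if __name__ == "__main__":
    for name, raw in (("sample1", BACKSCATTER), ("sample2", LEGIT), ("sample3", NOT_A_BOUNCE)):
        print(name, "->", classify(raw))
```

The outer Received headers are deliberately skipped: they describe how the bounce reached us, which says nothing about who sent the original. In a real deployment OUR_RELAYS is the list you would give to VBounce's relay whitelist, and the classifier's verdict is what procmail would use to file backscatter separately from ordinary mail.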

Another idea floated on the list is to use SPF or DKIM records for a domain. The belief is that spammers avoid using those domains because it is likely to cause their message to be immediately classified as spam. Anecdotal evidence seems to indicate that backscatter can be significantly reduced in this way.

Comments (20 posted)

Brief items

Bruce Schneier reviews Access Denied

Bruce Schneier takes a look at Access Denied, a new book on internet censorship from the MIT Press. "Today, things are very different. Internet censorship is flourishing. Organizations selectively block employees' access to the Internet. At least 26 countries -- mainly in the Middle East, North Africa, Asia, the Pacific and the former Soviet Union -- selectively block their citizens' Internet access. Even more countries legislate to control what can and cannot be said, downloaded or linked to. 'You have no sovereignty where we gather,' said Barlow. Oh yes we do, the governments of the world have replied."

Comments (15 posted)

New Massive Botnet Twice the Size of Storm (Dark Reading)

Dark Reading reports from the RSA conference on an enormous botnet that is currently active with roughly 400,000 bots. "The so-called Kraken botnet has been spotted in at least 50 Fortune 500 companies and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques, including regularly updating its binary code and structuring the code in such a way that hinders any static analysis, says Paul Royal, principal researcher at Damballa."

Comments (11 posted)

1.0 Is Live

From Richard Bejtlich's weblog comes the news that is open for business. "The mission of is to provide quality network traffic traces to researchers, analysts, and other members of the digital security community. One of the most difficult problems facing researchers, analysts, and others is understanding traffic carried by networks. At present there is no central repository of traces from which a student of network traffic could draw samples. will provide one possible solution to this problem."

Comments (1 posted)

Security reports

Freezing More Than Bits: Chilling Effects of the OLPC XO Security Model

A paper that will be presented at the USENIX Usability, Psychology and Security (UPSEC) conference takes a look at the OLPC Bitfrost security model [PDF]. "In this paper, we discuss Bitfrost, the security model developed by the One Laptop Per Child project for its XO laptop computers. Bitfrost implements a number of security measures intended primarily to deter theft and malware, but which also introduce severe threats to data security and individual privacy. We describe several of the technical provisions in Bitfrost, outline the risks they enable, and consider their legal ramifications and the psychological impact posed for children and society."

Comments (14 posted)

New vulnerabilities

alsaplayer: arbitrary code execution

Package(s): alsaplayer    CVE #(s): CVE-2007-5301
Created: April 7, 2008    Updated: April 9, 2008

From the Debian advisory:

Erik Sjölund discovered a buffer overflow vulnerability in the Ogg Vorbis input plugin of the alsaplayer audio playback application. Successful exploitation of this vulnerability through the opening of a maliciously-crafted Vorbis file could lead to the execution of arbitrary code.

Debian DSA-1538-1 alsaplayer 2008-04-04

Comments (none posted)

audit: privilege escalation

Package(s): audit    CVE #(s): CVE-2008-1628
Created: April 9, 2008    Updated: August 1, 2008

From the Red Hat bugzilla entry:

A vulnerability has been reported in Linux Audit, which potentially can be exploited by malicious, local users to gain escalated privileges.

The vulnerability is caused due to a boundary error within the "audit_log_user_command()" function in lib/audit_logging.c. This can be exploited to cause a stack-based buffer overflow via an overly long "command" argument and potentially execute arbitrary code with the privileges of the application using libaudit.

Gentoo 200807-14 audit 2008-07-31
SuSE SUSE-SR:2008:010 licq, libpng, asterisk, openldap2, audit, blender 2008-04-25
Mandriva MDVSA-2008:083 audit 2008-04-09
Fedora FEDORA-2008-3012 audit 2008-04-08

Comments (none posted)

comix: arbitrary code execution

Package(s): comix    CVE #(s): CVE-2008-1568
Created: April 9, 2008    Updated: April 28, 2008

From the NVD entry:

comix 3.6.4 allows attackers to execute arbitrary commands via a filename containing shell metacharacters that are not properly sanitized when executing the rar, unrar, or jpegtran programs

Gentoo 200804-29 comix 2008-04-25
Fedora FEDORA-2008-2981 comix 2008-04-08
Fedora FEDORA-2008-2993 comix 2008-04-08
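The comix entry describes the classic shell-metacharacter problem: a filename is interpolated into a command string that a shell then parses. The block below is an added illustration of that bug class and of the fix, written for this page and not taken from comix; it builds the command lines without executing any external program, so the difference can be inspected safely. The program name, the sample filename and the `run` parameter are constructed.

```python
"""Untrusted filename in a shell command: vulnerable builder beside the fix.

Added example; not comix's code. Nothing here executes an external program
unless extract() is given a real runner.
"""
import shlex
import subprocess

SHELL_META = set(';|&$`<>()\'"\\ \t\n*?[]{}~')


def has_shell_metachars(name):
    """Cheap detector a defender can use to flag names worth a closer look."""
    return any(c in SHELL_META for c in name)


def vulnerable_command(filename):
    """String interpolation: a name containing ';' becomes a second command
    once /bin/sh parses the string (the bug class in CVE-2008-1568)."""
    return "unrar x %s" % filename


def hardened_argv(filename):
    """The filename is a single argv element that no shell ever sees, and
    '--' ends option parsing so a name starting with '-' is not an option."""
    return ["unrar", "x", "--", filename]


def quoted_command(filename):
    """If a shell really is required, quote the untrusted argument."""
    return "unrar x -- " + shlex.quote(filename)


def extract(filename, run=subprocess.run):
    # shell=False: the argv list goes straight to execve(), no shell involved.
    return run(hardened_argv(filename), shell=False, check=True)


if __name__ == "__main__":
    name = "comic.cbr; echo injected"   # constructed sample filename
    print("vulnerable:", vulnerable_command(name))
    print("argv      :", hardened_argv(name))
    print("quoted    :", quoted_command(name))
```

The argv form is the one to prefer: quoting is a fallback for code that cannot avoid `shell=True`, and `--` matters independently of quoting because option parsing happens inside the called program, not in the shell.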

Comments (none posted)

flash-plugin: multiple vulnerabilities

Package(s): flash-plugin    CVE #(s): CVE-2007-6637 CVE-2007-6019 CVE-2007-0071 CVE-2008-1655 CVE-2008-1654
Created: April 9, 2008    Updated: April 18, 2008

From the Red Hat advisory:

Several input validation flaws were found in the way Flash Player displayed certain content. These may have made it possible to execute arbitrary code on a victim's machine, if the victim opened a malicious Adobe Flash file. (CVE-2007-0071, CVE-2007-6019)

A flaw was found in the way Flash Player established TCP sessions to remote hosts. A remote attacker could, consequently, use Flash Player to conduct a DNS rebinding attack. (CVE-2007-5275, CVE-2008-1655)

A flaw was found in the way Flash Player restricted the interpretation and usage of cross-domain policy files. A remote attacker could use Flash Player to conduct cross-domain and cross-site scripting attacks. (CVE-2007-6243, CVE-2008-1654)

A flaw was found in the way Flash Player interacted with web browsers. An attacker could use malicious content presented by Flash Player to conduct a cross-site scripting attack. (CVE-2007-6637)

Gentoo 200804-21 netscape-flash 2008-04-18
SuSE SUSE-SA:2008:022 flash-player 2008-04-11
Red Hat RHSA-2008:0221-01 flash-plugin 2008-04-08

Comments (none posted)

gnome-ssh-askpass, openssh: privilege escalation

Package(s): gnome-ssh-askpass    CVE #(s): CVE-2008-1657
Created: April 7, 2008    Updated: October 2, 2008

From the Gentoo advisory:

OpenSSH will execute the contents of the ".ssh/rc" file even when the "ForceCommand" directive is enabled in the global sshd_config (CVE-2008-1657).

Ubuntu USN-649-1 openssh 2008-10-01
Mandriva MDVSA-2008:098 openssh 2007-05-06
SuSE SUSE-SR:2008:009 openssh, opera 2008-04-11
Gentoo 200804-03 openssh 2008-04-05
rPath rPSA-2008-0139-1 gnome-ssh-askpass 2008-04-04

Comments (none posted)

konversation: arbitrary code execution

Package(s): konversation    CVE #(s): CVE-2007-4400
Created: April 9, 2008    Updated: April 9, 2008

From the Red Hat bugzilla:

Media script (/usr/share/apps/konversation/scripts/media) that is distributed with konversation package reportedly does not escape tags from media files correctly, allowing command injection into IRC channel.

Fedora FEDORA-2008-2062 konversation 2008-04-08
Fedora FEDORA-2008-2122 konversation 2008-04-08

Comments (none posted)

m4: execution of arbitrary code

Package(s): m4    CVE #(s): CVE-2008-1687 CVE-2008-1688
Created: April 8, 2008    Updated: April 9, 2008
Description: m4-1.4.11 fixes two issues with possible security implications. A minor security fix with the use of "maketemp" and "mkstemp" -- these are now quoted to prevent the (rather unlikely) possibility that an unquoted string could match an existing macro causing operations to be done on the wrong file. Also, a problem with the '-F' option (introduced with version 1.4) could cause a core dump or possibly (with certain file names) the execution of arbitrary code.
Slackware SSA:2008-098-01 m4 2008-04-08

Comments (none posted)

nx nxnode: multiple vulnerabilities

Package(s): nx nxnode    CVE #(s):
Created: April 7, 2008    Updated: July 10, 2008

From the Gentoo advisory:

Multiple integer overflow and buffer overflow vulnerabilities have been discovered in the X.Org X server as shipped by NX and NX Node (vulnerabilities 1-4 in GLSA 200801-09).

A remote attacker could exploit these vulnerabilities via unspecified vectors, leading to the execution of arbitrary code with the privileges of the user on the machine running the NX server.

Gentoo 200807-07 nxnode 2008-07-09
Gentoo 200804-05:02 nx nxnode 2008-04-06

Comments (none posted)

otrs: SOAP command execution

Package(s): otrs    CVE #(s): CVE-2008-1515
Created: April 4, 2008    Updated: April 17, 2008
Description: A bug in the trouble ticket system OTRS allowed a remote attacker to get remote access without specifying a valid user name via the SOAP interface.
Fedora FEDORA-2008-3100 otrs 2008-04-17
SuSE SUSE-SR:2008:008 wireshark, otrs, xine, xgl, silc-toolkit, lighttpd, tk 2008-04-04

Comments (none posted)

pdns-recursor: DNS cache poisoning

Package(s): pdns-recursor    CVE #(s): CVE-2008-1637
Created: April 9, 2008    Updated: August 21, 2008

From the Red Hat bugzilla entry:

Amit Klein of Trusteer discovered and documented a weakness in the way PowerDNS Recursor generates DNS queries and the transaction IDs used in DNS queries. This weakness can be used to predict transaction IDs used in subsequent queries after observing a certain amount of consecutive previous queries, leading to a high possibility of performing a successful cache poisoning attack.

Gentoo GLSA 200804-22 pdns-recursor 2008-04-18
Debian DSA-1544-2 pdns-recursor 2008-07-16
SuSE SUSE-SR:2008:012 xine, xemacs, emacs, opensuse-updater, libvorbis, vorbis-tools, pdns-recursor, openwsman 2008-06-06
Gentoo 200804-22 pdns-recursor 2008-04-18
Debian DSA-1544-1 pdns-recursor 2008-04-09
Fedora FEDORA-2008-3036 pdns-recursor 2008-04-08
Fedora FEDORA-2008-3010 pdns-recursor 2008-04-08

Comments (none posted)

pecl-apc: arbitrary code execution

Package(s): pecl-apc    CVE #(s): CVE-2008-1488
Created: April 9, 2008    Updated: July 15, 2008

From the Gentoo advisory:

Daniel Papasian discovered a stack-based buffer overflow in the apc_search_paths() function in the file apc.c when processing long filenames.

A remote attacker could exploit this vulnerability to execute arbitrary code in PHP applications that pass user-controlled input to the include() function.

Fedora FEDORA-2008-6401 php-pecl-apc 2008-07-15
Fedora FEDORA-2008-6344 php-pecl-apc 2008-07-15
Mandriva MDVSA-2008:082 php-apc 2008-04-09
Gentoo 200804-07 pecl-apc 2008-04-09

Comments (none posted)

PolicyKit: authentication bypass

Package(s): PolicyKit    CVE #(s): CVE-2008-1658
Created: April 9, 2008    Updated: April 17, 2008

From the Red Hat bugzilla entry:

A format string vulnerability was discovered in the PolicyKit grant helper. A user may specify a password with formatting sequences and cause polkit-grant-helper to crash or bypass authentication.

Mandriva MDVSA-2008:087 policykit 2008-04-16
Fedora FEDORA-2008-2987 PolicyKit 2008-04-08

Comments (none posted)

silc-toolkit: buffer overflow

Package(s): silc-toolkit    CVE #(s): CVE-2008-1552
Created: April 4, 2008    Updated: July 31, 2008
Description: A flaw in processing PKCS#1-Messages in silc-toolkit could lead to a buffer overflow. Remote attackers could exploit that to crash the server.
Mandriva MDVSA-2008:158 silc-toolkit 2008-07-30
Gentoo 200804-27 silc-toolkit 2008-04-24
SuSE SUSE-SR:2008:008 wireshark, otrs, xine, xgl, silc-toolkit, lighttpd, tk 2008-04-04

Comments (1 posted)

wireshark: multiple vulnerabilities

Package(s): wireshark    CVE #(s): CVE-2008-1561 CVE-2008-1562 CVE-2008-1563
Created: April 4, 2008    Updated: October 2, 2008
Description: Multiple flaws in wireshark could lead to crashes when certain packets are processed.
Red Hat RHSA-2008:0890-01 wireshark 2008-10-01
CentOS CESA-2008:0890 No RH alert RHSA-2008:0890-01 2008-10-01
Gentoo 200805-05 wireshark 2008-05-07
Mandriva MDVSA-2008:091 wireshark 2007-04-24
Fedora FEDORA-2008-3040 wireshark 2008-04-08
Fedora FEDORA-2008-2941 wireshark 2008-04-08
rPath rPSA-2008-0138-1 wireshark 2008-04-04
SuSE SUSE-SR:2008:008 wireshark, otrs, xine, xgl, silc-toolkit, lighttpd, tk 2008-04-04

Comments (none posted)

Page editor: Jake Edge

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds