Why is backscatter spam so difficult to block, and is it ultimately possible to keep these particular unwanted messages out of inboxes?

Requires Free Membership to View

For network and email administrators who haven't yet encountered backscatter spam, it may only be a matter of time. When a backscatter spammer sends emails to invalid recipient addresses, the victim's address is forged as the sender's. Bounced messages then come back to that forged sender address, messages with subjects like: "Mail delivery failed: returning message to sender."

If you've seen just one or two of these backscatter messages in your own inbox --recognizable from the fact that the recipient, subject and content of the failed message are all unfamiliar to you -- it's likely that a spammer used random recipient addresses as the forged sender addresses. If a spammer, however, happens to send thousands of messages from a single forged address, you can end up seeing backscatter spam by the thousands. One organization, for example, has experienced a bounce flood surpassing 10,000 messages per second.

These unwanted, server-clogging, bandwidth-wasting messages are indeed hard to block. Backscatter spam looks just like any other legitimate failed message notification, and there's little chance that you can find out who is responsible for it, even less chance that the responsible party will give a hoot. Spammers forge sender addresses because they don't want to reveal where their messages come from. After all, sending spam, or hiring someone to send it for you, is illegal in many countries, including the U.S., where it violates the CAN-SPAM Act of 2003. Using false or misleading header information is also a violation of the CAN-SPAM Act, but since the spammer has already decided to break the law by sending the spam in the first place, adding the crime of email address forging is trivial.

Upon trying to filter out backscatter spam one soon realizes, as the author of the helpful spamnation.info pages observes: "Every mail system seems to invent its own way of reporting undeliverable mail. There is absolutely no standard form for the return messages, and they can contain any address in the 'From:'" However, here are the top ten backscatter filter terms as determined by spamnation.info, listed in descending order of frequency:

From contains Mailer-Daemon
From contains postmaster@
Body contains Status: 5.1.1
Subject contains Returned mail
Subject starts with Delivery Status Notification
Subject starts with Undelivered Mail Returned to Sender
Subject contains failure notice
Body contains Status: 5.7.1
From contains Mail Administrator
Subject contains blocked by our bulk email filter

Of course, it's unwise to automatically delete incoming messages that match these terms. Instead, send them to quarantine for review because, as previously noted, there may be legitimate bounces that match these terms.

What else can be done to reduce the impact of backscatter spam? Steer clear of "catch-all" accounts. For example, you don't want example.org to receive email for any address @example.org. Long ago, a catchall was considered convenient; today it's better to reject any email that arrives to an address that is not specifically authorized. Be sure to authorize the standard addresses, such as "postmaster," "abuse," "webmaster" and "info."

Also be sure the organization's email system is configured to reduce bounces. For example, incoming mail to nonexistent users should be dropped, instead of accepted and generating a bounce reply. Consider banning "out-of-office" auto-replies and challenge-response systems (are the extra messages really worth the trouble?). For those using antispam hardware like a spam firewall, be sure to configure it to minimize the backscatter it creates.

Beyond this, consider adopting one of the emerging methods of email authentication, such as Sender Policy Framework (SPF), Sender Identification Framework (Sender ID or SIDF) and DomainKeys Identified Mail (DKIM). The Messaging Anti-Abuse Working Group recently put out a good white paper on these methods: "Trust in Email Begins with Authentication."

There is also the Bounce Address Tag Validation (BATV) approach, which is being tested in products from a diverse group of vendors and consortiums including Exim, Cisco Systems Inc.'s IronPort Systems group, Sendmail Inc., Postfix, SonicWall Inc. and Qmail. The method provides each message with a return address that has a timestamp and cryptographic token that cannot be forged. Email authentication will not immediately end the problem of backscatter spam, or spam in general, but if, over time, email authentication becomes universal, spam as we know it today could be eliminated.

More information:

This was first published in July 2008