Backscatter (e-mail)
Encyclopedia
Backscatter is incorrect automated bounce message
s sent by mail servers, typically as a side effect of incoming spam.
Recipients of such messages see them as a form of unsolicited bulk email or spam since they were not solicited by the recipients, are substantially similar to each other and are delivered in bulk quantities. Systems that generate email backscatter can end up being listed on various DNSBL
s and be in violation of internet service provider
s' Terms of Service
.
Backscatter occurs because worms
and spam messages often forge their sender address, and mailservers configured by naive administrators send a bounce message
to this address.
Measures to reduce the problem include avoiding the need for bounce message
by doing most rejections at the initial SMTP connection stage; and sending bounce messages only to addresses which can be reliably judged to have not been forged.
to scan usenet
postings, message boards, and web pages for legitimate email addresses.
Due to the design of SMTP mail, recipient mail servers receiving these forged messages have no simple standard way to determine the authenticity of the sender. If they accept the email during the connection phases then, after further checking refuse it - for example because they believe it to be spam
they will use the (potentially forged) sender's address to attempt a good-faith effort to report the problem to the apparent sender.
Mail servers can handle undeliverable messages in three fundamentally different ways:
Backscatter occurs when the "bounce" method is used, and the sender information on the incoming email was that of an unrelated third party.
, embedded as program code within a tiny javascript
or Adobe Flash
program for each address, which when clicked, opens a temporary window and sends the decoded mailto: address to the local email client, but all such obscuration methods can potentially be attacked by spammers in the same manner as CAPTCHA
s.
to generate a local bounce message
or Non-Delivery Notification (NDN) to a local, authenticated user.
Reasons for rejection include:
Mail transfer agent
s (MTAs) which forward mail can avoid generating backscatter by using a transparent SMTP proxy
.
s can use a range of measures to judge whether a return address has been forged.
In addition, systems using schemes such as Bounce Address Tag Validation
"tag" their outgoing email in a way that allows them to reliably detect incoming bogus bounce message
s.
Bounce message
In the Internet's standard e-mail protocol SMTP, a bounce message, also called a Non-Delivery Report/Receipt , a Delivery Status Notification message, a Non-Delivery Notification or simply a bounce, is an automated electronic mail message from a mail system informing the sender of another...
s sent by mail servers, typically as a side effect of incoming spam.
Recipients of such messages see them as a form of unsolicited bulk email or spam since they were not solicited by the recipients, are substantially similar to each other and are delivered in bulk quantities. Systems that generate email backscatter can end up being listed on various DNSBL
DNSBL
A DNSBL is a list of IP addresses published through the Internet Domain Name Service either as a zone file that can be used by DNS server software, or as a live DNS zone that can be queried in real-time...
s and be in violation of internet service provider
Internet service provider
An Internet service provider is a company that provides access to the Internet. Access ISPs directly connect customers to the Internet using copper wires, wireless or fiber-optic connections. Hosting ISPs lease server space for smaller businesses and host other people servers...
s' Terms of Service
Terms of Service
Terms of service are rules which one must agree to abide by in order to use a service. Unless in violation of consumer protection laws, such terms are usually legally binding...
.
Backscatter occurs because worms
Computer worm
A computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach...
and spam messages often forge their sender address, and mailservers configured by naive administrators send a bounce message
Bounce message
In the Internet's standard e-mail protocol SMTP, a bounce message, also called a Non-Delivery Report/Receipt , a Delivery Status Notification message, a Non-Delivery Notification or simply a bounce, is an automated electronic mail message from a mail system informing the sender of another...
to this address.
Measures to reduce the problem include avoiding the need for bounce message
Bounce message
In the Internet's standard e-mail protocol SMTP, a bounce message, also called a Non-Delivery Report/Receipt , a Delivery Status Notification message, a Non-Delivery Notification or simply a bounce, is an automated electronic mail message from a mail system informing the sender of another...
by doing most rejections at the initial SMTP connection stage; and sending bounce messages only to addresses which can be reliably judged to have not been forged.
Cause
Authors of spam and viruses wish to make their messages appear to originate from a legitimate source to fool recipients into opening the message so they often use web-crawling softwareWeb crawler
A Web crawler is a computer program that browses the World Wide Web in a methodical, automated manner or in an orderly fashion. Other terms for Web crawlers are ants, automatic indexers, bots, Web spiders, Web robots, or—especially in the FOAF community—Web scutters.This process is called Web...
to scan usenet
Usenet
Usenet is a worldwide distributed Internet discussion system. It developed from the general purpose UUCP architecture of the same name.Duke University graduate students Tom Truscott and Jim Ellis conceived the idea in 1979 and it was established in 1980...
postings, message boards, and web pages for legitimate email addresses.
Due to the design of SMTP mail, recipient mail servers receiving these forged messages have no simple standard way to determine the authenticity of the sender. If they accept the email during the connection phases then, after further checking refuse it - for example because they believe it to be spam
Spam (electronic)
Spam is the use of electronic messaging systems to send unsolicited bulk messages indiscriminately...
they will use the (potentially forged) sender's address to attempt a good-faith effort to report the problem to the apparent sender.
Mail servers can handle undeliverable messages in three fundamentally different ways:
- Reject. A receiving server can reject the incoming email during the connection stage while the sending server is still connected. If a message is rejected at connect time with a 5xx error code then the sending server can report the problem to the real sender cleanly.
- Drop. A receiving server can initially accept the full message, but then determine that it is spam, and quarantine it - delivering to "Junk" or "Spam" folders from where it will eventually be deleted automatically. This is common behaviour, even though RFC 5321 says: "...silent dropping of messages should be considered only in those cases where there is very high confidence that the messages are seriously fraudulent or otherwise inappropriate..."
- Bounce. A receiving server can initially accept the full message, but then determine that it is spam or to a non-existent recipient, and generate a bounce messageBounce messageIn the Internet's standard e-mail protocol SMTP, a bounce message, also called a Non-Delivery Report/Receipt , a Delivery Status Notification message, a Non-Delivery Notification or simply a bounce, is an automated electronic mail message from a mail system informing the sender of another...
back to the supposed sender indicating that message delivery failed.
Backscatter occurs when the "bounce" method is used, and the sender information on the incoming email was that of an unrelated third party.
Reducing the problem
- Every step to control wormsComputer wormA computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach...
and spam messages helps reduce backscatter, but there are also several other common approaches:
Preventing email address collection
It is common to attempt to obscure email addresses in a manner that is not easily machine-readable. Several methods are available, such as simply not using a standard text format (john (at) example.com) or using a bitmap image of the address rather than raw text. More complex address obscuration methods are available, such as encoding the addresses using a substitution cipherSubstitution cipher
In cryptography, a substitution cipher is a method of encryption by which units of plaintext are replaced with ciphertext according to a regular system; the "units" may be single letters , pairs of letters, triplets of letters, mixtures of the above, and so forth...
, embedded as program code within a tiny javascript
JavaScript
JavaScript is a prototype-based scripting language that is dynamic, weakly typed and has first-class functions. It is a multi-paradigm language, supporting object-oriented, imperative, and functional programming styles....
or Adobe Flash
Adobe Flash
Adobe Flash is a multimedia platform used to add animation, video, and interactivity to web pages. Flash is frequently used for advertisements, games and flash animations for broadcast...
program for each address, which when clicked, opens a temporary window and sends the decoded mailto: address to the local email client, but all such obscuration methods can potentially be attacked by spammers in the same manner as CAPTCHA
CAPTCHA
A CAPTCHA is a type of challenge-response test used in computing as an attempt to ensure that the response is generated by a person. The process usually involves one computer asking a user to complete a simple test which the computer is able to generate and grade...
s.
Connection-stage rejection
During the initial SMTP connection mailservers can do a range of checks, and often reject email with a 5xx error code while the sending server is still connected. Rejecting a message at the connection-stage in this way will usually cause the sending MTAMail transfer agent
Within Internet message handling services , a message transfer agent or mail transfer agent or mail relay is software that transfers electronic mail messages from one computer to another using a client–server application architecture...
to generate a local bounce message
Bounce message
In the Internet's standard e-mail protocol SMTP, a bounce message, also called a Non-Delivery Report/Receipt , a Delivery Status Notification message, a Non-Delivery Notification or simply a bounce, is an automated electronic mail message from a mail system informing the sender of another...
or Non-Delivery Notification (NDN) to a local, authenticated user.
Reasons for rejection include:
- Recipient validation
- Anti-forgery checks such as SPFSender Policy FrameworkSender Policy Framework is an email validation system designed to prevent email spam by detecting email spoofing, a common vulnerability, by verifying sender IP addresses. SPF allows administrators to specify which hosts are allowed to send mail from a given domain by creating a specific SPF...
, DKIM or Sender IDSender IDSender ID is an anti-spoofing proposal from the former MARID IETF working group that tried to join Sender Policy Framework and Caller ID. Sender ID is defined primarily in Experimental RFC 4406, but there are additional parts in RFC 4405, RFC 4407 and RFC 4408.- Principles of operation :Sender ID... - Servers that do not have a forward-confirmed reverse DNS entry
- Senders on block listsDNSBLA DNSBL is a list of IP addresses published through the Internet Domain Name Service either as a zone file that can be used by DNS server software, or as a live DNS zone that can be queried in real-time...
. - Temporary rejection via greylistingGreylistingGreylisting is a method of defending e-mail users against spam. A mail transfer agent using greylisting will "temporarily reject" any email from a sender it does not recognize. If the mail is legitimate the originating server will, after a delay, try again and, if sufficient time has elapsed, the...
methods
Mail transfer agent
Mail transfer agent
Within Internet message handling services , a message transfer agent or mail transfer agent or mail relay is software that transfers electronic mail messages from one computer to another using a client–server application architecture...
s (MTAs) which forward mail can avoid generating backscatter by using a transparent SMTP proxy
Transparent SMTP proxy
SMTP proxies are specialized Mail Transfer Agents that, similar to other types of proxy servers, pass SMTP sessions through to other MTAs without using the store-and-forward approach of a typical MTA. When an SMTP proxy receives a connection, it initiates another SMTP session to a destination MTA...
.
Checking bounce recipients
Mail servers sending email bounce messageBounce message
In the Internet's standard e-mail protocol SMTP, a bounce message, also called a Non-Delivery Report/Receipt , a Delivery Status Notification message, a Non-Delivery Notification or simply a bounce, is an automated electronic mail message from a mail system informing the sender of another...
s can use a range of measures to judge whether a return address has been forged.
Filtering backscatter
While preventing backscatter is desirable, it is also possible to reduce its impact by filtering for it, and many spam filtering systems now include the option to attempt to detect and reject backscatter emails as spam.In addition, systems using schemes such as Bounce Address Tag Validation
Bounce Address Tag Validation
In computing, Bounce Address Tag Validation is a method, defined in an Internet Draft, for determining whether the bounce address specified in an E-mail message is valid...
"tag" their outgoing email in a way that allows them to reliably detect incoming bogus bounce message
Bounce message
In the Internet's standard e-mail protocol SMTP, a bounce message, also called a Non-Delivery Report/Receipt , a Delivery Status Notification message, a Non-Delivery Notification or simply a bounce, is an automated electronic mail message from a mail system informing the sender of another...
s.