Backscatter - In a Nutshell

Perhaps you haven't heard of this term before. Backscatter is a bounce you receive for an email you never sent. The sender address on an email (both the From: header and the envelope sender that bounces are returned to) can easily be forged; this is nothing new, and people have been doing it since the dawn of email. But when someone sends a forged email as you to an address that does not exist, the recipient's mail server may bounce that message back to you even though you did not send it.

This is a major problem for a lot of servers around the internet, and you may be surprised to learn that, as the admin of a server receiving backscatter, there isn't a whole lot you can do about it. The fault lies with the server that accepted mail for an address that wasn't valid. The scenario plays out like this: a spammer sends an email to a guessed recipient, forged to say it comes from you. The server handling the guessed recipient's domain accepts the message, discovers the recipient isn't a real mailbox, and bounces it to the envelope sender (the Return-Path, taken from the MAIL FROM address of the SMTP transaction, not from any header inside the message), which is you. Now you have received a bounce for an email you did not send.

Backscatter blocklists have been created to encourage system administrators to help stop backscatter. If you become listed in one of these backscatter blocklists, your emails may be blocked by a receiving party just as if you were listed in a spam blocklist.

The easiest way to do your part to prevent backscatter is to reject the email at SMTP time if the recipient doesn't actually exist on your server, instead of accepting it and bouncing a reply to an envelope sender that may be forged. Essentially, when the sending server connects to your email server to deliver a message and tells your server that it wants to deliver to invaliduser@yourdomain.com, your server looks "invaliduser" up immediately at the RCPT TO stage. If the recipient does not exist, it answers with a permanent SMTP error (a 5xx reply such as 550 5.1.1 User unknown) rather than accepting the message and sending a bounce later. The sending server is then responsible for reporting the failure; if that "sending server" is a spammer's bot, it will simply ignore it, and nobody gets a bounce.
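To make the two behaviours concrete, here is a small Python simulation of the inbound SMTP transaction: the same forged message handled once by a server that accepts and bounces later, and once by a server that rejects unknown recipients at RCPT TO. This is an added example written for this page, not code from the original post and not any mail daemon's own code. The domain target.example, its mailbox table, the sending host sender.example and the forged sender victim@yourdomain.example are all constructed for the illustration.

```python
from dataclasses import dataclass, field

# Constructed mailbox table for the domain the simulated server accepts mail for.
LOCAL_DOMAIN = "target.example"
LOCAL_MAILBOXES = {"alice", "bob", "postmaster"}


@dataclass
class Dsn:
    """A delivery status notification (bounce) the server would send out."""
    to: str            # always the envelope sender (Return-Path) of the failed message
    failed_rcpt: str
    reason: str


@dataclass
class Outcome:
    transcript: list = field(default_factory=list)  # (client line, server reply) pairs
    queued: list = field(default_factory=list)      # recipients accepted for local delivery
    bounces: list = field(default_factory=list)     # DSNs generated; backscatter if sender was forged


def recipient_exists(address: str) -> bool:
    """Recipient check as the server would do it against its local mailbox table."""
    local, _, domain = address.rpartition("@")
    return domain.lower() == LOCAL_DOMAIN and local.lower() in LOCAL_MAILBOXES


def smtp_session(envelope_sender: str, recipients: list, reject_at_smtp_time: bool) -> Outcome:
    """Run one inbound SMTP transaction and return what the server did with it.

    Only the envelope decides where a bounce goes, so the message headers
    (From:, Reply-To:) are not modelled: a DSN is addressed to the MAIL FROM
    address whatever the headers claim.
    """
    out = Outcome()
    out.transcript.append(("EHLO sender.example", "250 mx.target.example"))
    out.transcript.append((f"MAIL FROM:<{envelope_sender}>", "250 2.1.0 Ok"))
    pending = []
    for rcpt in recipients:
        if reject_at_smtp_time and not recipient_exists(rcpt):
            # Refuse inside the transaction: the connecting client is told, and
            # this server never takes responsibility for the message.
            out.transcript.append(
                (f"RCPT TO:<{rcpt}>", f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown"))
            continue
        out.transcript.append((f"RCPT TO:<{rcpt}>", "250 2.1.5 Ok"))
        pending.append(rcpt)
    if not pending:
        out.transcript.append(("DATA", "554 5.5.1 Error: no valid recipients"))
        return out
    out.transcript.append(("DATA", "354 End data with <CR><LF>.<CR><LF>"))
    out.transcript.append(("<message body>.", "250 2.0.0 Ok: queued"))
    # After "250 queued" the server owns the message.  Anything it then cannot
    # deliver has to be reported to the envelope sender with a DSN, and if that
    # sender was forged the DSN is backscatter.
    for rcpt in pending:
        if recipient_exists(rcpt):
            out.queued.append(rcpt)
        elif envelope_sender:
            out.bounces.append(Dsn(to=envelope_sender, failed_rcpt=rcpt,
                                   reason="550 5.1.1 User unknown in local recipient table"))
        # A null envelope sender (<>) marks a message that is itself a bounce;
        # RFC 5321 forbids bouncing it again, which is what stops bounce loops.
    return out


def backscatter_demo():
    """Same forged message handled by an accept-then-bounce server and by one that rejects at RCPT."""
    forged_sender = "victim@yourdomain.example"   # the address the spammer put in MAIL FROM
    guessed = ["nosuchuser@target.example", "alice@target.example"]
    late = smtp_session(forged_sender, guessed, reject_at_smtp_time=False)
    early = smtp_session(forged_sender, guessed, reject_at_smtp_time=True)
    return late, early


if __name__ == "__main__":
    for label, outcome in zip(("accept then bounce", "reject at SMTP time"), backscatter_demo()):
        print(f"== {label} ==")
        for client, server in outcome.transcript:
            print(f"C: {client}\nS: {server}")
        for dsn in outcome.bounces:
            print(f"bounce sent to {dsn.to} for {dsn.failed_rcpt}: {dsn.reason}")
        if not outcome.bounces:
            print("no bounce generated")
```

Run stand-alone, the first transcript ends with a DSN addressed to victim@yourdomain.example, the forged sender, while the second shows the 550 reply on the RCPT TO line and no DSN at all. The null-sender branch is there because a bounce is sent with an empty MAIL FROM; a server that bounced those too would create the "double bounce" loops that keep backscatter circulating.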

It is everyone's responsibility to help reduce backscatter on the internet, and I am sure you will encounter this headache someday. Setting up your email server to reject nonexistent addresses at SMTP time varies greatly from server to server, so look for instructions for your specific daemon (in Postfix, for example, this behaviour is governed by smtpd_reject_unlisted_recipient together with the recipient tables such as local_recipient_maps and virtual_mailbox_maps).

Comments

jc
08/01/2008 2:22pm
Good point - just think of those sysadmins out there that don't disable double bounce!?
