Feature Story

CLIENT: NETWORK BOX USA

January 2009: Communications News

BLOCK BACKSCATTER: UTM FILTERS CAN STOP THE FLOOD OF EMAIL BOUNCE-BACK MESSAGES

Backscatter, also called blowback or collateral spam, happens when spammers use someone else's legitimate e-mail address as the "sender" of spam e-mails. Spammers do not want return e-mail coming back to them because it costs them bandwidth, so they forge the sender address of spam they send out. When the spam is sent to an address that is no longer active or to an address with an automated "out of office" message, the message is bounced back to the "sender." Backscatter can become a deluge of bounce-back messages after a large mailing has gone out.

The core of the backscatter problem is that it is easy to forge the sender address of an e-mail, because the standard e-mail protocols provide no mechanisms to authenticate the sender's e-mail address. Therefore, spammers are able to use other people's valid e-mail addresses to send spam. If that "sender" e-mail address happens to be yours, the result is a large amount of backscatter--nondeliverable and vacation messages--directed back to you. Backscatter can overload the e-mail system, and consume bandwidth and resources.

The actual messages that make up backscatter are valid and conform to Internet standards. Most backscatter takes the form of nondelivery receipts (NDRs). The Internet simple mail transfer protocol (SMTP) standards state that if a mail relay has accepted but cannot deliver an e-mail message, it should inform the sender of the problem and then discard the message.

Although there is no standard for the message structure, a common practice is to include a short nondelivery report and attach or include a fragment of the original message. To prevent NDRs from coming back, mass mailings should be sent with a null sender address.

Undesirable NDRs are not technically spam; they are messages created in reply to spam. The key to controlling backscatter is differentiating between legitimate NDRs and undesirable backscatter. The solution is to discover if the original message, now reported as undeliverable, was actually sent out from the e-mail address being used.

Unified threat management (UTM) devices with a special scanning module can provide protection against backscatter at two levels:

  • For coarse protection, usually during periods of extreme backscatter, the device offers a block-all-NDRs filter operating at an early stage of the full message scan. When enabled, the UTM device blacklists all NDRs as spam, blocking both valid and backscatter NDRs.
  • Some UTM devices digitally sign all outbound messages; therefore, the UTM device can scan NDRs for digital signatures and specific relay host entries to look for evidence that the original message was an outbound message. If this evidence is found, the NDR can be allowed through, but if it cannot be found, the message will be marked as spam, and the NDR will not reach the "sender."
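The two filter levels above, as an added example written for this page (it is not Network Box's code): outbound mail is stamped with a keyed tag, and an inbound NDR is admitted only if the original fragment it carries bears that tag or a Received line from our relay, or is blocked outright in coarse mode. The header name, relay name, key and the `make_ndr` bounce builder are constructed assumptions.

```python
import hashlib, hmac
from email import message_from_string

SECRET = b"gateway-secret-key"   # constructed; keep the real key in gateway config
OUR_RELAY = "mx.example.com"     # constructed name of our outbound relay host
SIG_HEADER = "X-Outbound-Sig"    # hypothetical header that carries the tag

def _tag(message_id, sender):
    # Keyed hash of Message-ID and From: a spammer forging From cannot mint it.
    return hmac.new(SECRET, f"{message_id}|{sender}".encode(), hashlib.sha256).hexdigest()

def sign_outbound(raw):
    """Stamp an outbound message so the NDR filter can later recognise it."""
    msg = message_from_string(raw)
    msg[SIG_HEADER] = _tag(msg.get("Message-ID", ""), msg.get("From", ""))
    return msg.as_string()

def is_ndr(msg):
    # Bounces carry a null envelope sender and normally a multipart/report body.
    return msg.get("Return-Path", "").strip() == "<>" or msg.get_content_type() == "multipart/report"

def _embedded_original(ndr):
    # Many NDRs attach the original as a message/rfc822 part; return it if present.
    for part in ndr.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload()
            return inner[0] if isinstance(inner, list) and inner else None
    return None

def classify_ndr(raw, block_all=False):
    """Return 'not-ndr', 'spam', 'allow:signature' or 'allow:relay'."""
    msg = message_from_string(raw)
    if not is_ndr(msg):
        return "not-ndr"             # ordinary mail is not this filter's business
    if block_all:
        return "spam"                # coarse mode: every NDR is blacklisted
    orig = _embedded_original(msg)
    if orig is None:
        return "spam"                # no fragment means no evidence it was ours
    expected = _tag(orig.get("Message-ID", ""), orig.get("From", ""))
    if hmac.compare_digest(orig.get(SIG_HEADER, ""), expected):
        return "allow:signature"     # strong evidence: our own keyed tag
    if any(OUR_RELAY in r for r in orig.get_all("Received", [])):
        return "allow:relay"         # weaker evidence: Received lines can be forged
    return "spam"                    # bounce of a message we never sent

def make_ndr(original):
    # Constructed bounce that embeds `original` as a message/rfc822 part.
    return ("Return-Path: <>\nFrom: MAILER-DAEMON@remote.test\nTo: alice@example.com\n"
            'Content-Type: multipart/report; report-type=delivery-status; boundary="B"\n\n'
            "--B\nContent-Type: text/plain\n\nUser unknown\n--B\nContent-Type: message/rfc822\n\n" + original + "\n--B--\n")
```

Run `classify_ndr(make_ndr(sign_outbound(msg)))` for a message that really left the gateway and `classify_ndr(make_ndr(forged))` for one that did not to see the two outcomes.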
