Spoofing / backscatter
What is Spoofing/Backscatter?
'Backscatter' is the name given to messages generated when a spammer uses your mail address in the 'From:' line of their messages. If the spammer's message can't be delivered for any reason, the receiving host will send back a bounce or non-delivery report to the address in the 'From:' line.
Backscatter messages takes several forms:
* DSN (Delivery Status Notification) advising that the message cannot be delivered - or that delivery is delayed
* Auto-replies - often advising that the mailbox is no longer in use due to spam or that the recipient is on vacation.
* Rejections advising that a messages has been caught by a spamblock
* Challenge/Response requesting that you confirm you sent the message
If a spammer sends a large number of messages, you may receive literally hundreds or thousands of 'backscatter' messages.
Why do spammers do this?
Many mail systems will not deliver mail if the 'From:' line in the message references a non-existent domain (or a known spam domain). Spammers try to get past this test by using addresses at other people's domains instead.
Where do they get the addresses?
Spammers put two kinds of forged addresses in their 'From:' lines. Sometimes they simply take a randomly chosen address from the same list of addresses to which they send spam. This typically generates only small amounts of backscatter.
Often, however, the spammer will choose someone else's domain and invent addresses at that domain, i.e. 'xgyu@yourdomain', 'bdfdssd@yourdomain' etc. These invented addresses are used on large spam runs, and can generate huge amounts of backscatter.
Is the spammer using my account?
No. The spammer is just putting your address on their messages. They don't need access to the FSU server or your account to do that.
Will real mail that I send start being rejected as spam?
It's possible but not very likely. Most anti-spam administrators now recognize that checking the 'From:' line is not a very good way to identify spam, precisely because spammers routinely forge other people's addresses.
Will it ever stop?
The good news is that the deluge of error messages probably won't go on indefinitely. Spammers will eventually switch addresses, not out of respect for you, but simply because if they use the same address or domain for too long, spam filters will eventually start blocking it.
In our experience, spammers will typically switch addresses every few hours or days. Unfortunately, there's nothing to stop them returning to an address that they've used before, and they often do.
How can I stop the spammer doing this?
Generally, you can't. The spammers who do this are usually the ones who are hardest to track down and the most contemptuous of any laws, such as stock spammers. There's no way to write to them and say "Please stop", and even if you could, they'd just ignore you.
So what can I do about it?
There is not much that can be done. The spammer is sending these emails out from their own server and they are sending the messages to users on servers all over the world. None of the spam messages pass through FSU's servers, so there isn't any way that we can block the spam from going out. Also, since the backscatter messages are generated by servers all over the world, most of which are legitimate and not spammers, we can't block those either.
Can I use mail filters to filter the bounces?
Yes. Many bounces will contain strings that can be recognized by a mail filter. You won't be able to filter all the bounce messages out, but you may be able to reduce the number you see.
However, if you choose to do this, you may run the risk of filtering out legitimate bounce messages for emails that you DID send, but were not delivered.
Why is it so hard to filter all the bounces?
Every mail system seems to invent its own way of reporting undeliverable mail. There is absolutely no standard form for the return messages and they can contain any address in the 'From:' line. Challenge-response systems are even worse than regular MTA's, which are at least slightly consistent.
What are some good filters to use?
Field Test String
From contains Mailer-Daemon
From contains postmaster@
Body contains Status: 5.1.1
Subject contains Returned mail
Subject starts with Delivery Status Notification
Subject starts with Undelivered Mail Returned to Sender
Subject contains failure notice
These tests may or may not work for you. They will probably reduce the number of bounces you see, but they will not catch all of them.
These tests could delete important mail. Use with care. You are recommended to use them to move suspect mail to another mail folder which you can then review before deleting. Do not automatically delete mail matching these tests unless you are prepared to lose mail.
Can I report backscatter?
Yes. You can contact the administrators of the system sending the bounces to suggest that they configure their systems to reduce or eliminate these messages. The WHOIS record for the domain will often list a technical contact, or you may simply mail 'postmaster@' the domain in question.
As always when reporting spam, be polite and try to provide as much information as possible to allow the postmaster to resolve the problem.
Can I report it to anyone else?
SpamCop accepts reports of backscatter, and will notify the administrators of affected systems. For more information, see the SpamCop wiki entry on misdirected bounces.