Backscatter
Understanding Internet Clutter and Congestion, Part 2

Welcome back to part 2 of my several-part series on things that confuse, annoy and wipe out system resources. Today I want to explain a silent killer of resources that is still a current issue, known as "backscatter".

In an attempt to make sure their spam reaches as many inboxes as possible, spammers are currently using a very large botnet to send out massive amounts of this annoying unsolicited email. This is nothing new in itself; the twist this time is that the spam, although originally sent out by the spammers' botnets, is actually being delivered by somewhat innocent domains via deflection, or what is known as "backscatter".

Once upon a time it was pretty safe, and dare I say a courtesy, to return a message to a sender who may have accidentally made a typo in the recipient's email address, or just plain got it wrong, to say "Sorry, I couldn't find that user." These messages are called NDRs, for Non-Delivery Receipts. Times have changed, however, and mail servers have to be leaner and meaner.

Imagine, if you will, how these NDRs behave in the face of a typical spammer's dictionary attack. A dictionary attack is an attempt to brute-force a sequence of plausible strings (in this case, e-mail addresses) that have a chance of matching. Spammers (and viruses) often use this technique to spam a domain by simply trying to deliver mail, over and over, to every conceivable username on that domain. The problem this creates with respect to NDRs from the receiving mail server is twofold.

First, resource and bandwidth utilization. Simply put, it takes a lot of resources to handle these completely illegitimate messages. Aside from the fact that they are spam, they are addressed to users that don't even exist, and the mail server is forced to accept, queue, process and re-deliver a response to every single one of them.

Second, and more importantly, spammers and viruses are rarely so polite as to include a legitimate sender's e-mail address. Instead, they use forged sender addresses from legitimate domains so that the spam appears to have come from there.

So when a mail server that is configured to return NDRs for invalid users receives this spam, it does the spammer a favor by delivering the same piece of spam again, this time to the forged return address. That is the definition of "backscatter", and it is a big problem. It has another benefit for the spammer: it masks the sending IP of the original spam, thereby prolonging the life of the botnet.

Solution: Mail server administrators everywhere can prevent this fairly easily by configuring the mail server to reject mail for unknown users right off the bat, at the SMTP "RCPT TO" command, rather than accepting it, queuing it and generating NDRs. Any modern mail server will allow you to configure it this way. It's a win-win situation for everyone.

Here is another great article on backscatter: http://www.spamresource.com/2007/02/backscatter-what-is-it-how-do-i-stop-it.html

And a great list of resources for configuring your mail server: http://www.spamlinks.net/prevent-secure-backscatter.htm#reject
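To make the difference between the two policies concrete, here is a small Python model of a receiving server's RCPT TO stage, added as an illustration rather than code from this post; the domain, the user table and the addresses are made up. It runs the same dictionary-style list of recipients through the legacy accept-then-bounce policy and through reject-at-RCPT, and shows how many NDRs each one sends to the forged envelope sender.

```python
from dataclasses import dataclass, field

# Constructed local recipient table for the receiving domain (assumed values).
LOCAL_DOMAIN = "example.com"
KNOWN_USERS = {"alice", "bob"}


@dataclass
class Session:
    mail_from: str                      # envelope sender, which spam usually forges
    queued: list = field(default_factory=list)


def rcpt_to(session, rcpt, reject_unknown):
    """Return the SMTP reply for one RCPT TO command under the chosen policy."""
    local, _, domain = rcpt.partition("@")
    if domain != LOCAL_DOMAIN:
        return "554 5.7.1 Relay access denied"
    if local in KNOWN_USERS:
        session.queued.append(rcpt)
        return "250 2.1.5 Ok"
    if reject_unknown:
        # Recommended: refuse in-session, so nothing is queued and no NDR exists.
        return f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown"
    # Legacy "courtesy" policy: accept now, discover the failure later.
    session.queued.append(rcpt)
    return "250 2.1.5 Ok"


def local_delivery(session):
    """Deliver queued mail; each unknown user yields an NDR to MAIL FROM."""
    return [{"ndr_to": session.mail_from, "undeliverable": r}
            for r in session.queued if r.split("@")[0] not in KNOWN_USERS]


def simulate(forged_sender, attempts, reject_unknown):
    """Run one SMTP session over a list of RCPT TO attempts."""
    session = Session(mail_from=forged_sender)
    replies = [rcpt_to(session, r, reject_unknown) for r in attempts]
    return replies, local_delivery(session)


if __name__ == "__main__":
    # Constructed dictionary-style run: one real user, four guessed ones.
    guesses = [f"{u}@example.com" for u in ("alice", "adam", "admin", "amy", "anna")]
    for policy in (False, True):
        replies, ndrs = simulate("innocent@forged.example", guesses, policy)
        print(f"reject_unknown={policy}: {len(ndrs)} NDR(s) sent to the forged sender")
```

With the legacy policy the forged sender receives four NDRs, each carrying a copy of the spam; with reject-at-RCPT the session answers 550 5.1.1 for each bad user and the server sends nothing at all.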
