Network Security
Block backscatter
UTM filters can stop the flood of e-mail bounce-back messages.
by Pierluigi Stella
Backscatter, also called blowback or collateral spam, happens when spammers use someone else’s legitimate e-mail address as the “sender” of spam e-mails. Spammers do not want return e-mail coming back to them because it costs them bandwidth, so they forge the sender address of spam they send out. When the spam is sent to an address that is no longer active or to an address with an automated “out of office” message, the message is bounced back to the “sender.” Backscatter can become a deluge of bounce-back messages after a large mailing has gone out.
The core of the backscatter problem is that it is easy to forge the sender address of an e-mail, because the standard e-mail protocols provide no mechanisms to authenticate the sender’s e-mail address. Therefore, spammers are able to use other people’s valid e-mail addresses to send spam. If that “sender” e-mail address happens to be yours, the result is a large amount of backscatter (nondeliverable and vacation messages) directed back to you. Backscatter can overload the e-mail system, and consume bandwidth and resources.
The actual messages that make up backscatter are valid and conform to Internet standards. Most backscatter takes the form of nondelivery receipts (NDRs). The Internet Simple Mail Transfer Protocol (SMTP) standards state that if a mail relay has accepted but cannot deliver an e-mail message, it should inform the sender of the problem and then discard the message. Although there is no standard for the message structure, a common practice is to include a short nondelivery report and attach or include a fragment of the original message. To prevent NDRs, the sender address used for mass mailings should be the null sender address.
Undesirable NDRs are not technically spam; they are messages created in reply to spam. The key to controlling backscatter is differentiating between legitimate NDRs and undesirable backscatter. The solution is to discover if the original message, now reported as undeliverable, was actually sent out from the e-mail address being used.
Unified threat management (UTM) devices with a special scanning module can provide protection against backscatter at two levels:
- For coarse protection, usually during periods of extreme backscatter, the device offers a block-all-NDRs filter operating at an early stage of the full message scan. When enabled, the UTM device blacklists all NDRs as spam, blocking both valid and backscatter NDRs.
- Some UTM devices digitally sign all outbound messages; therefore, the UTM device can scan NDRs for digital signatures and specific relay host entries to look for evidence that the original message was an outbound message. If this evidence is found, the NDR can be allowed through, but if it cannot be found, the message will be marked as spam, and the NDR will not reach the “sender.”
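The two filter levels just described, together with the NDR shape from the earlier paragraphs (null sender, short report with a fragment of the original attached), as an added Python example; this is not code from the article or from Network Box. The article does not say how its devices sign outbound mail, so the signature here is an HMAC tag over the From and Message-ID headers carried in a hypothetical X-UTM-Outbound-Signature header; the key, the relay host name mail.example.com and every message in the sample set are constructed for the example.

```python
import hashlib
import hmac
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser, Parser

# Assumptions for this example: a real UTM keeps the key in protected storage and
# uses its own header name and relay host.
SIGNING_KEY = b"constructed-example-key"
SIGNATURE_HEADER = "X-UTM-Outbound-Signature"
OUR_RELAY = "mail.example.com"

def _tag(msg) -> str:
    # Bind the tag to fields a forged copy would have to reproduce exactly; the
    # 128-bit truncation keeps the header short enough not to be folded.
    data = f"{str(msg.get('From', '')).strip()}|{str(msg.get('Message-ID', '')).strip()}"
    return hmac.new(SIGNING_KEY, data.encode(), hashlib.sha256).hexdigest()[:32]

def sign_outbound(msg: EmailMessage) -> EmailMessage:
    """Level 2, outbound side: stamp every relayed message with an HMAC tag."""
    msg[SIGNATURE_HEADER] = _tag(msg)
    return msg

def signature_valid(fragment) -> bool:
    """True if the bounced fragment carries a tag this device produced."""
    tag = fragment.get(SIGNATURE_HEADER)
    return tag is not None and hmac.compare_digest(str(tag).strip(), _tag(fragment))

def relayed_by_us(fragment) -> bool:
    """Weaker evidence: a Received trace naming our relay. The spammer can forge
    Received headers in the original, so this is a hint, not proof."""
    return any(f"by {OUR_RELAY}" in str(h) for h in fragment.get_all("Received", []))

def is_ndr(msg) -> bool:
    """NDRs come from the null envelope sender (Return-Path: <>) and are usually
    a multipart/report with report-type=delivery-status."""
    null_sender = str(msg.get("Return-Path", "")).strip() == "<>"
    dsn = (msg.get_content_type() == "multipart/report"
           and msg.get_param("report-type", header="Content-Type") == "delivery-status")
    return null_sender or dsn

def original_fragment(ndr):
    """Return the copy of the original message carried inside the NDR, or None."""
    for part in ndr.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
        if part.get_content_type() == "text/rfc822-headers":
            return Parser(policy=policy.default).parsestr(part.get_content(), headersonly=True)
    return None

def classify_inbound(raw: bytes, block_all_ndrs: bool = False) -> str:
    """Return 'not-ndr', 'pass' or 'spam' for one inbound message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if not is_ndr(msg):
        return "not-ndr"
    if block_all_ndrs:
        return "spam"  # level 1: coarse filter, valid NDRs are lost as well
    frag = original_fragment(msg)
    if frag is not None and (signature_valid(frag) or relayed_by_us(frag)):
        return "pass"  # level 2: evidence the bounced message really left through us
    return "spam"

def _wrap_in_ndr(original_source: str) -> bytes:
    """Constructed bounce in the common shape: short report, delivery-status
    block, and the original message attached as message/rfc822."""
    return (
        "Return-Path: <>\nFrom: MAILER-DAEMON@remote.example.net\nTo: alice@example.com\n"
        "Subject: Undelivered Mail Returned to Sender\nMIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="rep1"\n'
        "\n--rep1\nContent-Type: text/plain\n\nThe recipient mailbox does not exist.\n"
        "--rep1\nContent-Type: message/delivery-status\n\nReporting-MTA: dns; remote.example.net\n\n"
        "Final-Recipient: rfc822; bob@remote.example.net\nAction: failed\nStatus: 5.1.1\n"
        "--rep1\nContent-Type: message/rfc822\n\n" + original_source + "\n--rep1--\n"
    ).encode()

def sample_messages() -> dict:
    """Constructed traffic: a genuine bounce of our own mail, a backscatter bounce
    of spam that forged our address, and an ordinary incoming message."""
    ours = EmailMessage()
    ours["From"] = "alice@example.com"
    ours["To"] = "bob@remote.example.net"
    ours["Subject"] = "Quarterly report"
    ours["Message-ID"] = "<20240101.1234@mail.example.com>"
    ours.set_content("Please find the figures below.")
    sign_outbound(ours)
    legit_copy = (f"Received: from desk.example.com by {OUR_RELAY}; "
                  "Mon, 1 Jan 2024 09:00:00 +0000\n" + ours.as_string())
    forged_copy = ("Received: from zombie.example.org by relay.example.org; "
                   "Mon, 1 Jan 2024 03:00:00 +0000\n"
                   "From: alice@example.com\n"  # our address, forged by the spammer
                   "To: nobody@remote.example.net\nSubject: Special offer\n"
                   "Message-ID: <spam123@zombie.example.org>\n\nBuy now.\n")
    ordinary = (b"Return-Path: <carol@partner.example.org>\nFrom: carol@partner.example.org\n"
                b"To: alice@example.com\nSubject: Lunch?\n\nTomorrow at noon?\n")
    return {"legitimate_ndr": _wrap_in_ndr(legit_copy),
            "backscatter_ndr": _wrap_in_ndr(forged_copy), "ordinary": ordinary}
```

Running classify_inbound over sample_messages() shows the trade-off the article draws: with block_all_ndrs=True the genuine bounce of our own mail is dropped along with the backscatter, while the signature check lets it through and still rejects the bounce of the forged message. The Received-header test is kept as secondary evidence only, because the original spam can carry whatever Received lines the spammer wrote; the HMAC tag is the evidence that cannot be forged without the device key.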
Pierluigi Stella is CTO of Network Box USA, Houston, Texas.