CYBERSPACE — Everyone receives them at least occasionally: those pesky email messages that land in the inbox with a subject line saying you’ve sent spam when you unquestionably haven’t.Even more annoying: The email address that returned the message and the message itself don’t tickle even the vestige of a memory.
What’s up with that? Has your computer been hacked and turned into a spambot while your attention was elsewhere?
In a word, no. The phenomenon is called “backscatter,” and it occurs when spammers are successful at using spoofed “from” addresses to sneak their wares past the filters employed by well-meaning mail-server guardians.
As spammers have become more sophisticated, so have anti-spam measures. Once it was relatively easy to rig email headers to obscure a sender’s real domain simply by inserting a non-existent URL. Filter manufacturers quickly caught on to that trick, though, and now most simply delete messages arriving from domains that don’t exist. To overcome that minor hurdle, spammers began to comb the Web for legitimate addresses they could “borrow” for their nefarious purposes.
In short, if your real email address ever has been published anywhere online, you’re an A-list candidate for backscatter.
Anti-virus and anti-spam software developer Sophos estimates backscatter composes only two to three-percent of all spam, but experts say the phenomenon is on the rise.
Although the “you’ve been spamming” messages are annoying, security researchers say another aspect of backscatter is potentially more disruptive. In many cases, email servers bounce back the entire original message (instead of just a stub), and spammers now are using that knowledge to get around filters. By sending messages to servers they know will reject them, spammers can bypass filters on the backscatter victim’s mail server.
Backscattering also is an excellent means to distribute malware in cases where the entire original message is returned to the spoofed original sender. Even more insidious, backscattering can take mail servers offline in the spam equivalent of a denial-of-service attack.
Although it’s aggravating, backscatter can be managed. According to experts, bounceback messages come in three basic varieties: “user unknown,” “out of office” and challenge-response. The latter two are particularly egregious contributors to the backscatter problem. “Out of office” messages only should be used when there’s no other alternative, experts say, and challenge-response messages that require a sender to reply in order to confirm his message is legitimate are passé. A better solution, according to researchers, is to employ white lists or third-party verification services.
“As for ‘no such user’ bouncebacks, that can be fixed too,” according to Computerworld. “There are a few e-mail standards that could help with the problem: Variable Envelope Return Path (VERP) and Bounce Address Tag Validation (BATV), for example.”
An even better solution: Email admins should configure their servers to delete, not return, mail sent to unknown or no-longer-active addresses.
“This is a serious problem that is hard to deal with, to be honest,” Dmitry Samosseiko, manager of Sophos Labs Canada, told Computerworld. “We can blame spammers for causing the issue in the first place, but it exists because of the mail servers that are not configured to deal with spam.”
