Backscatter Sucks
March 27th, 2008 by mkatz

Yesterday seemed to be backscatter day for us and for a few of our customers, so I thought I would write a little bit about it. First of all, a brief definition. Backscatter refers to bounce messages that come from spam that was bounced by some remote site. Hopefully, it stems from someone forging your email address as the original sender. The alternative is that some machine in your network was exploited, but mostly it is just simple forgery. The net result in either case is that you are flooded with bounce messages from all over the world for email that was sent to unknown email accounts or recognized as spam before it was accepted.
Backscatter is a major pain in the ass for many reasons. If your email server bounces the bounce messages (for example, because the original bounces are addressed to unknown users) and the rate of bounces is high, then your mail server can be blacklisted as a spammer. For example, forged mail to stevewashedupbillionairecase@aol.com from wannabebillionaire@messagepartners.com is bounced by aol.com. Now Message Partners bounces the message to wannabebillionaire@messagepartners.com, since that user is unknown. Multiply this by 1000, as can happen in a backscatter deluge, and you can imagine that AOL gets pissed about all of our bounce messages and blacklists us for a while.
Even more annoying is when the forged address is your real email address. Now your mobile email device is going nuts telling you about all of the bounce messages that were sent to invalid users in your name.
Here is an example of headers from backscatter:
Microsoft Mail Internet Headers Version 2.0
Received: from 68-185-134-174.dhcp.jcsn.tn.charter.com ([68.185.134.174]) by ppcwm.org with Microsoft SMTPSVC(6.0.3790.3959);
Wed, 26 Mar 2008 18:37:03 -0400
Message-ID: <000501c88f92$0569e9fb$dcc2daaf@ilefylfs>
From: "hubert chanshin"
To:
Subject: Massive discounts for purchases in the month of March are available.
The problem is further exacerbated because most filters don't reject the message during the SMTP session; they accept it and then send a separate bounce message. Spam gateways therefore see these messages as legitimate bounces and don't classify them as spam.
The root cause is a major design flaw in the SMTP protocol: it allows anyone to claim to be anyone when sending email. There have been a number of band-aids to fix this, such as Sender Policy Framework, but they are mostly ineffective. I get a laugh looking at all of the bounce messages I see from the recent backscatter attack: many have SPF checks that show a violation, yet they still send me a bounce.
You can learn a lot from all of these bounce messages, and to me, being geekish in the antispam industry, I find it interesting. I can see what types of email gateways are in use, how many people use home-grown SpamAssassin-based gateways, how different spam configurations are set up, how botnets work and more. But most of all, backscatter is just annoying.
So here are some tips to end it.
1) With MPP we were able to block many thousands of messages using our thresholds. Once we detect a certain number of bounces from a remote server within a period of time, we temporarily block the host.
2) With MPP we also blocked many using our contentfilter module, setting some very basic PCRE-based filters to block based on content. This is not very dynamic, but it is pretty effective.
3) The Postfix site has some good tips, but it is a similar approach to using static content filters as described in tip 2.
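Tip 1 describes a rate threshold on bounces per remote host. The following is an added illustration in Python, not MPP's own code: a sliding-window counter that temporarily blocks a host once it delivers a set number of null-sender (bounce) messages within the window, then lets it through again after the block expires. The host names, timestamps and threshold values are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of inbound SMTP events: (timestamp, connecting host, envelope sender).
# An envelope sender of "<>" is the null sender that every bounce/DSN must use.
SAMPLE_EVENTS = [
    ("2008-03-26 18:37:03", "mx.burst.example", "<>"),
    ("2008-03-26 18:37:10", "mx.burst.example", "<>"),
    ("2008-03-26 18:37:20", "mx.burst.example", "<>"),
    ("2008-03-26 18:37:30", "mx.quiet.example", "<>"),   # one normal bounce, different host
    ("2008-03-26 18:37:40", "mx.burst.example", "<>"),
    ("2008-03-26 18:37:50", "mx.burst.example", "<>"),   # fifth bounce in the window: host gets blocked
    ("2008-03-26 18:38:00", "mx.burst.example", "alice@example.org"),  # non-bounce, but host is blocked
    ("2008-03-26 19:40:00", "mx.burst.example", "<>"),   # block has expired, counting starts over
]

class BackscatterThrottle:
    """Temporarily block a host that sends too many bounces in a sliding time window."""

    def __init__(self, threshold=5, window=timedelta(minutes=10), block_for=timedelta(hours=1)):
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self.history = defaultdict(deque)   # host -> timestamps of its recent bounces
        self.blocked_until = {}              # host -> datetime when the block lifts

    def observe(self, ts, host, sender):
        """Record one event and return 'blocked' or 'accept' for the connecting host."""
        until = self.blocked_until.get(host)
        if until is not None:
            if ts < until:
                return "blocked"             # still inside the temporary block
            del self.blocked_until[host]     # block expired; forget it
        if sender != "<>":
            return "accept"                  # only null-sender messages count as bounces
        recent = self.history[host]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                 # drop bounces that fell out of the window
        if len(recent) >= self.threshold:
            self.blocked_until[host] = ts + self.block_for
            recent.clear()
            return "blocked"
        return "accept"

def run(events, throttle=None):
    """Feed (timestamp, host, sender) events through a throttle and return the decisions."""
    throttle = throttle or BackscatterThrottle()
    return [throttle.observe(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, sender)
            for ts, host, sender in events]
```

Hosts that bounce at a normal rate are never affected; only a burst above the threshold inside the window triggers the block, and the block is time-limited so a legitimate mail exchanger that happened to relay a deluge recovers on its own.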
So in summary, backscatter sucks, MPP can help, but it is a problem endemic to a poorly designed sender verification protocol (i.e. none at all) in basic SMTP.
Posted in Opinions on Email Security
