Backscatter Problems Persist
Backscatter (the bounce messages generated when a spammer forges your address as the sender of mail to nonexistent recipients) is persisting and has become the new scourge of spam. It exposes weaknesses in antispam filtering algorithms and requires new approaches to truly stop it. Here's why:
- Many backscatter messages carry no message content at all, only the bounce notification itself, so there is nothing for a content filter to score. Rejecting all bounce notifications or all mail from mailer-daemon is dangerous because it also discards legitimate bounces.
- Many backscatter messages come from legitimate email servers, so you cannot block the offending servers at the SMTP level without also blocking legitimate email from them.
- Backscatter floods can be extremely high volume and can overwhelm a SpamAssassin/amavisd installation that is not carefully tuned.
At Message Partners we have been working on some approaches to backscatter problems for our customers. The most heavy-handed approach, and the one I have been using on our own site, is to block all traffic that originates from Mailer-Daemon with this regular expression in the header filters: ^From:.*Mailer.*$ . Note that the pattern matches any From: header containing "Mailer", not only the mailer-daemon address, so check it against your own legitimate senders before deploying it. This is annoying because you can't see legitimate bounces, but I have taken an analogy from the US Post Office. If you need acknowledged delivery, then you must send with a delivery notification service. If you send a letter to the wrong address, it may take weeks before it comes back to you, if it comes back at all. Anything I really care about I send with some delivery notification, and I have decided that this should apply to email as well: if I really care about the email, then I should send it with some delivery confirmation. Hence I have rationalized filtering out all bounces. This has ended my backscatter problem for the most part, but many bounces do not come from an address containing mailer-daemon, so the problem still exists, on a much smaller scale.
We have a more intelligent solution in beta that uses our auto black list feature. With this approach a threshold is set: if a configured number of messages that violate a content rule arrive within a time window, then all messages carrying the same subject, from any IP, are temporarily blocked. For example, if gmail.com sends me 400 bounces in 2 minutes (which they've done), all with "Undeliverable Mail" in the subject, then any message with that subject will be blocked for the block period. Keying on the subject works because the subject of a bounce is chosen by the bouncing server, not by the spammer. This is working pretty well, but it is not a complete solution by any means.
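The threshold-and-block logic described above, written out as an added example (this is illustrative Python, not MPP's auto black list code or its configuration format). It keys violations on the message subject, blocks that subject for every sending IP once the threshold is crossed inside the window, and lifts the block when the period expires. The content rule reuses the post's ^From:.*Mailer.*$ header pattern, made case-insensitive here on the assumption that "MAILER-DAEMON" spellings should also match, plus a few common bounce subjects; the threshold, window and block period values and the sample headers are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque

# The post's header filter, applied here as one content rule. IGNORECASE is an
# assumption: many MTAs write the address as MAILER-DAEMON rather than Mailer-Daemon.
MAILER_DAEMON_RE = re.compile(r"^From:.*Mailer.*$", re.IGNORECASE | re.MULTILINE)
# Subjects commonly used by delivery status notifications (constructed list, extend as needed).
BOUNCE_SUBJECT_RE = re.compile(
    r"undeliverable mail|delivery status notification|returned mail|mail delivery failed",
    re.IGNORECASE,
)
SUBJECT_RE = re.compile(r"^Subject:\s*(.*)$", re.IGNORECASE | re.MULTILINE)


def subject_of(headers: str) -> str:
    """Normalized subject used as the blocking key (lower-cased, whitespace stripped)."""
    m = SUBJECT_RE.search(headers)
    return m.group(1).strip().lower() if m else ""


def violates_content_rule(headers: str) -> bool:
    """True when the raw header block looks like a bounce: From mentions Mailer, or the subject is a DSN subject."""
    if MAILER_DAEMON_RE.search(headers):
        return True
    return bool(BOUNCE_SUBJECT_RE.search(subject_of(headers)))


class SubjectThrottle:
    """Temporarily block a subject once `threshold` rule violations arrive within `window` seconds.

    While a subject is blocked, every message with that subject is rejected regardless of
    sending IP and regardless of whether it violates the rule itself, as the post describes.
    """

    def __init__(self, threshold: int = 5, window: int = 120, block_period: int = 600):
        self.threshold = threshold
        self.window = window
        self.block_period = block_period
        self.hits = defaultdict(deque)  # subject -> timestamps of recent violations
        self.blocked_until = {}         # subject -> unix time at which the block expires

    def check(self, ts: int, headers: str) -> str:
        """Return 'block' or 'accept' for a message seen at unix time `ts` with raw headers `headers`."""
        subject = subject_of(headers)
        if self.blocked_until.get(subject, 0) > ts:
            return "block"
        if not violates_content_rule(headers):
            return "accept"
        q = self.hits[subject]
        q.append(ts)
        # Drop violations that fell out of the sliding window.
        while q and q[0] < ts - self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked_until[subject] = ts + self.block_period
            q.clear()
            return "block"
        return "accept"


def simulate() -> list:
    """Run a constructed burst through the throttle; returns the per-message decisions."""
    throttle = SubjectThrottle(threshold=5, window=120, block_period=600)
    bounce = "From: Mailer-Daemon@mx.example.net\nSubject: Undeliverable Mail\n"   # constructed
    legit = "From: alice@example.org\nSubject: lunch tomorrow?\n"                 # constructed
    decisions = []
    for i in range(6):                                  # six bounces, ten seconds apart
        decisions.append(throttle.check(1000 + i * 10, bounce))
    decisions.append(throttle.check(1100, legit))       # different subject: unaffected
    decisions.append(throttle.check(1500, bounce))      # inside the block period
    decisions.append(throttle.check(1700, bounce))      # block expired at 1040 + 600 = 1640
    return decisions


if __name__ == "__main__":
    print(simulate())
```

The fifth bounce trips the threshold and is blocked along with everything carrying that subject until the block period ends; unrelated mail passes throughout. The obvious cost is the same as in the post: a genuine bounce for a message you actually sent, if it arrives under the blocked subject during the block period, is lost too.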
Some of our engine partners are quickly improving their backscatter detection, but when there is no actual message content they all seem to stumble.
Conclusion: backscatter remains a problem, but MPP is helping our customers with a partial solution. In the meantime, administrators should be really careful about the rejection notices that their own servers send, since a server that accepts mail for unknown recipients and bounces it afterwards is itself a source of backscatter.
Comments
One Response to “Backscatter Problems Persist”
How about the following idea? Add a certain header line to every outgoing email (e.g. X-Anti-Backscatter: xxxx).
Then, if a bounce (coming from a mailer daemon) does not include our "X-Anti-Backscatter: xxxx" header line, it is obviously not a legitimate (bounce) email, so it can be dropped, marked, whatever.
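The tagging idea in the comment above, as an added example that is neither the commenter's code nor MPP's. It goes one step beyond the comment: instead of a fixed "xxxx" value, which a spammer who receives one of your messages could copy into forged mail, the header carries a timestamp and a truncated HMAC-SHA256 tag keyed with a site secret, so a token cannot be forged and expires after a few days. The header name, the secret, the seven-day lifetime and all sample messages are assumptions constructed for the demonstration. The check works only when the bouncing server quotes the original headers back, which most do; a notification that quotes nothing fails closed and is treated as backscatter.

```python
import hashlib
import hmac
import re

# Assumptions for the example: load the secret from configuration and rotate it in practice.
SITE_SECRET = b"example-site-secret-rotate-me"
MAX_TOKEN_AGE = 7 * 86400  # seconds; legitimate bounces arrive within days, not weeks

# The tagged header may appear at top level or inside the quoted original message of a DSN.
TOKEN_RE = re.compile(r"^X-Anti-Backscatter:\s*(\S+)\s*$", re.IGNORECASE | re.MULTILINE)


def make_token(issued_at: int, secret: bytes = SITE_SECRET) -> str:
    """Token = issue time + 64-bit truncated HMAC-SHA256 over that time, keyed with the site secret."""
    tag = hmac.new(secret, str(issued_at).encode(), hashlib.sha256).hexdigest()[:16]
    return f"{issued_at}.{tag}"


def tag_outgoing(raw_message: str, now: int, secret: bytes = SITE_SECRET) -> str:
    """Prepend the X-Anti-Backscatter header to an outgoing RFC 5322 message."""
    return f"X-Anti-Backscatter: {make_token(now, secret)}\r\n{raw_message}"


def token_is_valid(token: str, now: int, secret: bytes = SITE_SECRET, max_age: int = MAX_TOKEN_AGE) -> bool:
    """Accept only well-formed, unexpired tokens whose tag verifies under our secret."""
    try:
        issued_str, tag = token.split(".", 1)
        issued = int(issued_str)
    except ValueError:
        return False
    if not 0 <= now - issued <= max_age:          # rejects stale and future-dated tokens
        return False
    expected = hmac.new(secret, str(issued).encode(), hashlib.sha256).hexdigest()[:16]
    return hmac.compare_digest(tag, expected)      # constant-time comparison


def bounce_is_legit(bounce_raw: str, now: int, secret: bytes = SITE_SECRET) -> bool:
    """A bounce is legitimate only if it quotes a currently valid token from one of our messages."""
    return any(token_is_valid(m.group(1), now, secret) for m in TOKEN_RE.finditer(bounce_raw))


def demo() -> tuple:
    """Constructed messages: a real bounce, forged backscatter, a replayed stale token, a tampered tag."""
    sent_at = 1_700_000_000
    outgoing = tag_outgoing(
        "From: me@example.com\r\nTo: bob@example.net\r\nSubject: hi\r\n\r\nhello\r\n", sent_at
    )
    # Genuine DSN: the remote server quotes our original headers, token included.
    real_bounce = ("From: MAILER-DAEMON@mx.example.net\r\nSubject: Undeliverable Mail\r\n\r\n"
                   "The following message could not be delivered:\r\n\r\n" + outgoing)
    # Backscatter: the spammer forged our address, so the quoted message never had a token.
    backscatter = ("From: MAILER-DAEMON@mx.example.org\r\nSubject: Undeliverable Mail\r\n\r\n"
                   "From: me@example.com\r\nSubject: cheap meds\r\n\r\nbuy now\r\n")
    # Replay: a token captured 30 days earlier, correctly signed but expired.
    stale = real_bounce.replace(make_token(sent_at), make_token(sent_at - 30 * 86400))
    # Forgery: right timestamp, wrong tag.
    tampered = real_bounce.replace(make_token(sent_at), f"{sent_at}.0000000000000000")
    now = sent_at + 3600
    return (
        bounce_is_legit(real_bounce, now),
        bounce_is_legit(backscatter, now),
        bounce_is_legit(stale, now),
        bounce_is_legit(tampered, now),
    )


if __name__ == "__main__":
    print(demo())
```

Within the lifetime of a token a spammer who received one of your messages could still copy it into forged mail, so keep the lifetime short; binding the tag to the envelope recipient as well as the time, as BATV does for the envelope sender, narrows that window further.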