Backscatter Problems Persist
Backscatter problems are persisting and seem to be the new scourge of spam. They expose a lot of weakness in antispam filtering algorithms and require new approaches to truly stop them. Here’s why:
- Many backscatter attacks do not contain any message content, only bounce notifications. Stopping all bounce notifications or messages from mailer-daemon is dangerous.
- Many backscatter attacks come from legitimate email servers, so you can't block the offending servers at the SMTP level without also blocking legitimate email.
- Backscatter attacks can be extremely high volume and can crush a SpamAssassin/amavisd installation that is not micromanaged.
At Message Partners we have been working on some approaches to backscatter problems for our customers. The most heavy-handed approach, and the one I have been using on our own site, is to block all traffic that originates from Mailer-Daemon with this regular expression as a header filter: ^From:.*Mailer.*$ . This is annoying because you can’t see legitimate bounces, but I have taken an analogy from the US Post Office. If you need acknowledged delivery then you must send with a delivery notification service. If you send a letter to the wrong address it may take weeks before it comes back to you, if it comes back at all. Anything I really care about I send with some form of delivery notification. I have decided that this should apply to email as well: if I really care about the email then I should send it with some delivery confirmation, and on that basis I have rationalized filtering out all bounces. This has ended my backscatter problem for the most part, but many backscatter messages do not come from mailer-daemon, so the problem still exists, although on a much smaller scale.
We have a more intelligent solution in beta that utilizes our auto black list feature. With this approach a threshold is set so that if x messages are received that violate a content rule, then all messages from any IP that sends with the same subject will be temporarily blocked. For example, if gmail.com sends me 400 bounces in 2 minutes (which they’ve done), and they all have "Undeliverable Mail" in the subject, then any message with "Undeliverable Mail" in the subject will be blocked during the block period. This is working pretty well, but it is not a complete solution by any means.
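The two approaches above (the blanket Mailer-Daemon header filter and the threshold-based auto black list on a repeated subject) can be modelled in a few dozen lines. The following is an added example written for this page, not MPP's own code: it applies the page's ^From:.*Mailer.*$ rule to constructed raw headers (assuming case-insensitive matching, since Postfix spells the bounce sender MAILER-DAEMON) and implements a hypothetical sliding-window counter that, once a constructed threshold of rule-violating messages arrives within the window, blocks every later message carrying that subject from any IP until the block period expires. The threshold, window, IPs and subjects are constructed sample values.

```python
import re
import time
from collections import defaultdict, deque

# The page's header-filter rule, applied here with case-insensitive matching
# (assumption: Postfix's bounce sender is spelled MAILER-DAEMON in upper case).
MAILER_DAEMON_RULE = re.compile(r"^From:.*Mailer.*$", re.IGNORECASE | re.MULTILINE)

# Constructed content rule for the auto black list: the bounce subject from the post.
BOUNCE_SUBJECT_RULE = re.compile(r"undeliverable mail", re.IGNORECASE)


def header_filter_drops(raw_headers: str) -> bool:
    """Heavy-handed approach: True if the message would be dropped outright.

    Note that a legitimate bounce matches too; that is the trade-off the post accepts.
    """
    return MAILER_DAEMON_RULE.search(raw_headers) is not None


class SubjectAutoBlacklist:
    """Hypothetical model of the threshold-based auto black list described in the post.

    Once `threshold` messages violating the content rule arrive within
    `window_seconds`, every later message carrying that subject is rejected,
    whichever IP sends it, until `block_seconds` have elapsed.
    """

    def __init__(self, threshold: int, window_seconds: float, block_seconds: float):
        self.threshold = threshold
        self.window = window_seconds
        self.block_seconds = block_seconds
        self.hits = defaultdict(deque)   # normalised subject -> arrival timestamps
        self.blocked_until = {}          # normalised subject -> block expiry timestamp
        self.log = []                    # (timestamp, ip, subject, verdict) audit trail

    def check(self, sender_ip: str, subject: str, now: float = None) -> str:
        """Return 'accept' or 'block' for one incoming message."""
        now = time.time() if now is None else now
        key = " ".join(subject.split()).lower()   # collapse whitespace/case variants

        # An active temporary block applies regardless of which IP is sending.
        expiry = self.blocked_until.get(key)
        if expiry is not None:
            if now < expiry:
                return self._record(now, sender_ip, subject, "block")
            del self.blocked_until[key]           # block period over; count afresh

        if not BOUNCE_SUBJECT_RULE.search(subject):
            return self._record(now, sender_ip, subject, "accept")

        # Sliding-window count of content-rule violations for this subject.
        arrivals = self.hits[key]
        arrivals.append(now)
        while arrivals and arrivals[0] <= now - self.window:
            arrivals.popleft()

        if len(arrivals) >= self.threshold:
            self.blocked_until[key] = now + self.block_seconds
            arrivals.clear()
            return self._record(now, sender_ip, subject, "block")
        return self._record(now, sender_ip, subject, "accept")

    def _record(self, now, ip, subject, verdict):
        self.log.append((now, ip, subject, verdict))
        return verdict


def simulate_burst() -> list:
    """Replay a constructed burst of bounces, a scaled-down version of the 400-in-2-minutes case."""
    acl = SubjectAutoBlacklist(threshold=5, window_seconds=120, block_seconds=600)
    verdicts = []
    for i in range(6):   # six bounces from one server, one per second
        verdicts.append(acl.check("203.0.113.10", "Undeliverable Mail", now=float(i)))
    # Another server, same subject (different spacing/case): still blocked.
    verdicts.append(acl.check("198.51.100.7", "undeliverable  mail", now=30.0))
    # Unrelated mail from that server is unaffected.
    verdicts.append(acl.check("198.51.100.7", "Meeting tomorrow", now=31.0))
    # After the block period the same subject is accepted again and counting restarts.
    verdicts.append(acl.check("203.0.113.10", "Undeliverable Mail", now=700.0))
    return verdicts


if __name__ == "__main__":
    print(simulate_burst())
```

The subject is normalised (whitespace collapsed, lower-cased) before counting so that trivial variants share one counter; the audit log keeps the sender IP so an administrator can still see which servers were producing the bounces while the block was in force.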
Some of our engine partners are quickly improving their backscatter detection, but when there is no actual message content they all seem to stumble.
Conclusion — Backscatter remains a problem, but MPP is helping our customers with a solution. In the meantime, administrators should be really careful about the rejection notices that they send.
Technorati Tags: backscatter, spam, email security, mpp
Even More Amazing OS X Experiences
It sure feels like we are on a roll with our improvements for Mac OS X system administrators, so why should we stop? After listening to complaint after complaint about the difficulty of installing MPP, we finally took the advice of Frank Zappa, though applied to software: ’shut up and play yer guitar’. Instead of explaining why our customers were just not getting it, we shut up and listened, and we have created something that has exceeded our expectations.
Phase 1 was to redesign our admin GUI to make things more apparent, remove cryptic techno speak and drop the assumption that everyone has enough time to figure our product out. This is an ongoing battle, but we have conquered the initial campaign and now we are in clean-up mode.
Phase 2 was to redo our installers so that it was no longer necessary to have a compiler installed or to install any Perl modules. This was a monster task, believe it or not, but it is conquered thanks to Ovidiu, our main technical guru. This was great, but it still required an admin to use the terminal to run our configure scripts.
Phase 3 which we have now delivered has expanded on phase 2 by removing the need to run our configure script from the command line. Since our OS X customers are either using Postfix or CommuniGate we detect which email server is in use and make all of the appropriate configurations automatically. The installer is one click and it installs MPP, MPP Manager and all dependencies, configures our email server to use MPP and launches Safari at the end with MPP Manager opened up. Pretty slick if you ask me. You still need to disable the Apple junk mail filtering from the admin control panel, but this may change in the future as well.
Phase 4 has some surprises and I am hoping to announce them soon.
Technorati Tags: Mac OS X, MPP, Email Security, Spam Filtering, Mac Email Security