
INFO: Dealing with Backscatter


This article applies to:

  • Trustwave MailMarshal (SEG)/Trustwave SEG

Question:

  • How do I deal with email "backscatter"?
  • Why are we getting bounce backs on messages we didn’t send?
  • How do I block Spam NDR (Non-Delivery Report) messages?
  • How do I differentiate between fake and legitimate DSN (Delivery Status Notification) messages?

What is Backscatter?

Backscatter is a serious problem for many email systems. Typically we think of backscatter as bogus NDR (Non-Delivery Report) messages – failed deliveries that are returned to you, even though you did not send the original message.

Backscatter encompasses all that noise which is generated as a result of spam using your return address. This includes NDRs or DSNs of course, but also out-of-office replies, change-of-address updates, challenge-response messages, list-server signup failures, and all sorts of other unwanted email that can be generated automatically by mailing systems.

The SMTP email protocol has no effective means to prevent spammers from faking your From address when sending out spam. In fact, using a fake return address serves their interests in two key ways:

  • The spammers don’t have to deal with the inevitable backscatter generated by their spamming activities.
  • Their messages get a second chance at reaching potential customers, even if in the form of backscatter.

Detecting Backscatter

Trustwave MailMarshal (SEG) has two main layers of defense against backscatter.

  1. SpamProfiler
  2. SpamCensor

In addition, there are some Reputation Services or DNSBLs available that list mail systems which generate backscatter, for example backscatterer.org. Such lists are not endorsed or tested by Trustwave and should be used with caution, because they could produce unacceptable numbers of false positive detections. Standard Reputation Services like Spamhaus and SpamCop typically do not target backscatter sources.

  • If using a DNSBL, to allow review of the blocked items you should set up a Category Script in a Content rule. See the Anti-Spam Advanced reference on the MailMarshal documentation page for details of setup. In most cases you would only apply this rule for messages with a blank return path.

Using both of the layers of defense should eliminate most of the backscatter you receive.

  • To benefit fully, ensure you are using the most recent release of SEG.
  • "NDRCensor", a third layer against backscatter that was distributed with earlier releases of MailMarshal, is now obsolete and deprecated.

Layer 1: SpamProfiler

SpamProfiler can detect false NDRs and the like, and is capable of cutting out a large proportion of backscatter at the Receiver. Messages can be rejected at SMTP connection time, which means that the sending server is notified directly that it is generating a problem.

For more information on using SpamProfiler see the User Guide and Help for your product version.

Layer 2: SpamCensor

SpamCensor has good backscatter detection capabilities.

Don’t generate backscatter yourself

There are important steps you can take to avoid generating backscatter yourself.

  • Reject as much garbage as possible at the Receiver. Rejecting at the Receiver means that the connecting server, not your server, is responsible for notifying the original sender of a delivery problem. Any legitimate sender who gets blocked is notified immediately. Any potential risk associated with false positives is drastically reduced – there is no issue with messages disappearing into spam quarantine black holes.

    Consider using the following methods to reject garbage at the Receiver:
    • Configure SpamProfiler to reject spam at connection time.
    • Use an effective Reputation Service like Spamhaus.
    • Reject all traffic to invalid addresses. This is especially crucial if there is a chance your internal mail server will reject invalid addresses when SEG attempts to pass them on. In that case SEG itself becomes an instant backscatter source.
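The two receiver-side ideas above, rejecting mail to unknown recipients at RCPT time so the gateway never has to bounce it later, and telling a genuine DSN from backscatter (the question at the top of this article), as one added Python example. This is not Trustwave or MailMarshal code, and it uses a different technique from SpamProfiler/SpamCensor: BATV-style bounce address tagging, where the envelope sender of outgoing mail is signed with an HMAC so that a bounce (MAIL FROM:<>) is accepted only if it comes back to an address this gateway actually signed. The domain, key, user directory and day counter are constructed for the example.

```python
"""Added example (not part of the Trustwave article or MailMarshal): a
receiver-time policy that (a) rejects mail to unknown local users before
DATA, so we never generate an NDR of our own, and (b) for bounces
(MAIL FROM:<>) accepts only those addressed to a tagged return path we
signed on the way out (BATV-style prvs tags).  All values are constructed."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUR_DOMAIN = "example.com"                            # assumed local domain
BATV_KEY = b"constructed-secret-rotate-me"            # assumed; keep out of source in practice
VALID_LOCAL_USERS = {"alice", "bob", "postmaster"}    # constructed user directory
TAG_LIFETIME_DAYS = 7                                 # bounces older than this are refused

# prvs=DDDMMMMMM=user@domain : DDD = day counter mod 1000, MMMMMM = 6 hex chars of HMAC
TAGGED = re.compile(r"^prvs=(?P<day>\d{3})(?P<mac>[0-9a-f]{6})=(?P<user>[^@]+)@(?P<domain>.+)$")


def _mac(user: str, day: int) -> str:
    """First 6 hex chars of HMAC-SHA256 over (day mod 1000, user), keyed with BATV_KEY."""
    data = f"{day % 1000:03d}:{user}".encode()
    return hmac.new(BATV_KEY, data, hashlib.sha256).hexdigest()[:6]


def tag_sender(user: str, today: int) -> str:
    """Outbound side: rewrite MAIL FROM user@OUR_DOMAIN into its tagged form.
    `today` is a day counter (e.g. days since the epoch); only its last three
    digits are embedded, so the tag stays short."""
    return f"prvs={today % 1000:03d}{_mac(user, today)}={user}@{OUR_DOMAIN}"


def verify_tag(address: str, today: int) -> Optional[str]:
    """Inbound side: return the untagged local user if the tag is genuine and
    fresh, otherwise None (untagged, foreign domain, expired or forged tag)."""
    m = TAGGED.match(address)
    if not m or m.group("domain").lower() != OUR_DOMAIN:
        return None
    day = int(m.group("day"))
    age = (today % 1000 - day) % 1000          # handles the 999 -> 000 wraparound
    if age > TAG_LIFETIME_DAYS:
        return None
    if not hmac.compare_digest(m.group("mac"), _mac(m.group("user"), day)):
        return None
    return m.group("user")


@dataclass
class Envelope:
    mail_from: str   # "" means the null sender <>, which DSNs are required to use
    rcpt_to: str


def rcpt_decision(env: Envelope, today: int) -> Tuple[int, str]:
    """Decide at RCPT TO time, before any message data is accepted.
    A 550 here makes the *connecting* server responsible for telling its
    sender; this gateway never has to generate an NDR of its own."""
    local, _, domain = env.rcpt_to.rpartition("@")
    if domain.lower() != OUR_DOMAIN:
        return 550, "5.7.1 Relaying denied"
    if env.mail_from == "":
        # A bounce: legitimate only if it returns to a return path we signed.
        user = verify_tag(env.rcpt_to, today)
        if user is None:
            return 550, "5.7.1 Bounce to an untagged or expired return path (backscatter)"
        return 250, f"2.1.5 OK (bounce for {user})"
    if local.lower() not in VALID_LOCAL_USERS:
        # Reject now rather than accept and bounce later.
        return 550, "5.1.1 User unknown"
    return 250, "2.1.5 OK"


def demo() -> List[int]:
    """Run the policy over constructed envelopes; returns the SMTP reply codes."""
    today = 1234                                           # constructed day counter
    envelopes = [
        Envelope("", tag_sender("alice", today)),          # real bounce of alice's mail -> 250
        Envelope("", "alice@example.com"),                 # forged From, untagged -> backscatter
        Envelope("", tag_sender("alice", today - 30)),     # tag older than 7 days -> refused
        Envelope("spammer@evil.test", "nobody@example.com"),  # unknown user: reject at RCPT
        Envelope("friend@other.test", "bob@example.com"),  # ordinary inbound mail -> 250
    ]
    return [rcpt_decision(e, today)[0] for e in envelopes]


if __name__ == "__main__":
    for env, code in zip(demo.__code__.co_consts, demo()):
        pass
    print(demo())  # [250, 550, 550, 550, 250]
```

The policy only works if every message leaving the organisation carries a tag; mail that bypasses the gateway, or whose envelope sender is rewritten by a mailing list, will have its bounces refused, so watch the 550 log for such cases before enforcing rather than merely logging.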

In addition to some aggressive Receiver Rules, there are other more general ways to avoid being a source of backscatter:

  • Don’t use a Challenge-Response system. While Challenge-Response may help clear up your own inbox, it generates unwanted traffic for everyone else.
  • Use Out-of-Office notifications to the outside world as sparingly as possible.
  • If you generate notifications for whatever reason, filter out as much spam and junk as possible before applying the notification rules.
