Dealing with Backscatter


This article applies to:

  • Trustwave MailMarshal (SEG)/Trustwave SEG

Question:

  • How do I deal with email "backscatter"?
  • Why are we getting bounce backs on messages we didn’t send?
  • How do I block Spam NDR (Non-Delivery Report) messages?
  • How do I differentiate between fake and legitimate DSN (Delivery Status Notification) messages?

What is Backscatter?

Backscatter is a serious problem for many email systems. Typically we think of backscatter as bogus NDR (Non-Delivery Report) messages – failed deliveries that are returned to you, even though you did not send the original message.

Backscatter encompasses all that noise which is generated as a result of spam using your return address. This includes NDRs or DSNs of course, but also out-of-office replies, change-of-address updates, challenge-response messages, list-server signup failures, and all sorts of other unwanted email that can be generated automatically by mailing systems.

The SMTP email protocol has no effective means to prevent spammers from forging your address as the sender when they send out spam. In fact, using a fake return address serves their interest in two key ways:

  • The spammers don’t have to deal with the inevitable backscatter generated by their spamming activities.
  • Their messages get a second chance at reaching potential customers, even if in the form of backscatter.

Detecting Backscatter

Trustwave MailMarshal (SEG) has two main layers of defense against backscatter.

  1. SpamProfiler
  2. SpamCensor

In addition, there are some Reputation Services or DNSBLs available which list mail systems that generate backscatter, for example backscatterer.org. Such lists are not endorsed or tested by Trustwave and should be used with caution. Use of these services could result in unacceptable numbers of false positive detections. Standard Reputation Services like Spamhaus and SpamCop typically do not target backscatter sources.

  • If using a DNSBL, to allow review of the blocked items you should set up a Category Script in a Content rule. See the Anti-Spam Advanced reference on the MailMarshal documentation page for details of setup. In most cases you would only apply this rule for messages with a blank return path.

Using both layers of defense should eliminate most of the backscatter you receive.

  • To benefit fully, ensure you are using the most recent release of SEG.
  • "NDRCensor", a third layer against backscatter that was distributed with earlier releases of MailMarshal, is now obsolete and deprecated.

Layer 1: SpamProfiler

SpamProfiler can detect false NDRs and similar messages, and is capable of cutting out a large proportion of backscatter at the Receiver. Messages can be rejected at SMTP connection time, which means that the sending server is notified directly that it is generating a problem.

For more information on using SpamProfiler see the User Guide and Help for your product version.

Layer 2: SpamCensor

SpamCensor has good backscatter detection capabilities.

Don’t generate backscatter yourself

There are important steps you can take to avoid generating backscatter yourself.

  • Reject as much garbage as possible at the Receiver. Rejecting at the Receiver means that the connecting server, not your server, is responsible for notifying the original sender of a delivery problem. Any legitimate sender who gets blocked is notified immediately. Any potential risk associated with false positives is drastically reduced – there is no issue with messages disappearing into spam quarantine black holes.


    Consider using the following methods to reject garbage at the Receiver:
    • Configure SpamProfiler to reject spam at connection time.
    • Use an effective Reputation Service like Spamhaus.
    • Reject all traffic to invalid addresses. This is especially crucial if there is a chance your internal mail server will reject invalid addresses when SEG attempts to pass the message on. In that case SEG becomes an instant backscatter source.
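
The difference between rejecting invalid recipients at the Receiver and accepting them first can be modeled as follows. This is an added example, not Trustwave SEG code or configuration; the addresses, the recipient directory and the function names are constructed assumptions.

```python
# Added example: constructed model, not Trustwave SEG code or configuration.
# Domains, addresses and function names are assumptions for illustration.

VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}  # constructed directory

# Constructed envelopes: (MAIL FROM, RCPT TO). "" is the blank return path <>.
SAMPLE = [
    ("victim@example.org", "nosuchuser@example.com"),    # spam, forged sender
    ("bystander@example.net", "sales1234@example.com"),  # spam, forged sender
    ("partner@example.net", "alice@example.com"),        # legitimate mail
    ("", "ghost@example.com"),                           # bounce to unknown user
]


def is_valid(rcpt_to):
    return rcpt_to.lower() in VALID_RECIPIENTS


def receiver_reply(rcpt_to, validate_at_receiver):
    """SMTP reply code the gateway gives to RCPT TO."""
    if validate_at_receiver and not is_valid(rcpt_to):
        return 550  # refused in-session: the connecting server owns the failure
    return 250


def run_gateway(envelopes, validate_at_receiver):
    """Return (rejected, delivered, ndrs) for one gateway policy."""
    rejected, delivered, ndrs = [], [], []
    for mail_from, rcpt_to in envelopes:
        if receiver_reply(rcpt_to, validate_at_receiver) == 550:
            rejected.append(rcpt_to)
        elif is_valid(rcpt_to):
            delivered.append(rcpt_to)
        elif mail_from:
            # Accepted, then refused by the internal server: the gateway must
            # now send an NDR (blank return path) to whatever address the
            # envelope claimed. For forged spam that is an innocent third party.
            ndrs.append({"mail_from": "", "rcpt_to": mail_from, "failed": rcpt_to})
        # else: a message with a blank return path is never bounced (RFC 5321)
    return rejected, delivered, ndrs


if __name__ == "__main__":
    for policy in (False, True):
        rejected, delivered, ndrs = run_gateway(SAMPLE, policy)
        print(f"validate_at_receiver={policy}: rejected={len(rejected)} "
              f"delivered={len(delivered)} backscatter_ndrs={len(ndrs)}")
        for ndr in ndrs:
            print(f"  NDR -> {ndr['rcpt_to']} (undeliverable: {ndr['failed']})")
```

With validation off, the two forged-sender messages each produce an NDR addressed to the forged address; with validation on, the same messages are refused in the SMTP session and the gateway sends nothing.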

In addition to some aggressive Receiver Rules, there are other more general ways to avoid being a source of backscatter:

  • Don’t use a Challenge-Response system. While Challenge-Response may help clear up your own inbox, it generates unwanted traffic for everyone else.
  • Use Out-of-Office notifications to the outside world as sparingly as possible.
  • If you generate notifications for whatever reason, filter out as much spam and junk as possible before applying the notification rules.

Last Modified 2/19/2023.
https://support.trustwave.com/kb/KnowledgebaseArticle12078.aspx