Backscatter (email)
Backscatter, also known as bounce abuse, is the unintended sending of email messages to an innocent third party as a consequence of spam or virus attacks. It occurs when a spammer forges the "envelope sender" address (the return address) of an email to be an address belonging to someone who is not actually the sender.
Here's how it works:
- A spammer sends out a large volume of emails, forging the return addresses to belong to legitimate email addresses that they have harvested or generated.
- If the recipient server accepts one of these forged emails but then cannot deliver it (e.g., because the recipient address doesn't exist), it generates a Non-Delivery Report (NDR), also known as a bounce message, addressed to the envelope sender.
- This NDR is sent to the forged return address - the innocent third party.
- Because the spammer sent out so many messages with the forged return address, the innocent third party will receive many bounce messages for email they never sent.
Backscatter is a problem for several reasons:
- It wastes the resources of the innocent recipient, who must process and potentially delete the unwanted bounce messages.
- It can make it difficult for the innocent recipient to manage their legitimate email.
- It can be used to perform denial-of-service attacks against the innocent recipient's email server.
Techniques to mitigate backscatter include:
- Sender Policy Framework (SPF): SPF allows a domain owner to specify which mail servers are authorized to send mail on behalf of their domain. Receiving servers can then check the SPF record of the envelope sender's domain to verify whether the connecting server is authorized to use it.
- DomainKeys Identified Mail (DKIM): DKIM adds a digital signature to outgoing emails, allowing receiving servers to verify that the email was indeed sent by the claimed sender and that the message content hasn't been altered in transit.
- DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC builds upon SPF and DKIM to provide a framework for email authentication and policy enforcement. It allows domain owners to specify how receiving servers should handle emails that fail SPF and/or DKIM checks. It also provides a mechanism for reporting authentication results back to the domain owner.
- Greylisting: Greylisting temporarily rejects emails from unknown senders. Legitimate mail servers will typically retry sending the email after a short delay, while spammers are less likely to retry.
- Rejecting Unsolicited Email at the SMTP Layer: Implementing policies that reject mail based on suspicious characteristics such as invalid recipient addresses, high volume originating from a single IP, or other indicators of spam can reduce backscatter.
- Validating Recipient Addresses: Ensuring that the recipient address exists before accepting the email can prevent bounce messages from being generated for invalid addresses. However, this can be exploited by spammers to harvest valid email addresses.
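The following simulation, an added example that is not part of the article, ties the four steps above to the SMTP-layer mitigations in this list. It models a receiving mail server in three configurations: accept everything and bounce later (the configuration that produces backscatter), validate the recipient during the SMTP dialogue, and greylist unknown sender/recipient/IP triplets. All mailboxes, hostnames, IP addresses and message texts are constructed for the example; `ReceivingMta`, `Envelope` and `simulate_spam_run` are hypothetical names, not a real MTA's API.

```python
from dataclasses import dataclass, field

# Mailboxes that exist on the receiving server (constructed for the example).
VALID_MAILBOXES = {"alice@example.net", "bob@example.net"}


@dataclass
class Envelope:
    """SMTP envelope plus body. MAIL FROM (the return path) is supplied by the
    sending client, so a spammer can put any address there; that forged
    address is where backscatter ends up."""
    client_ip: str
    mail_from: str
    rcpt_to: str
    body: str


@dataclass
class ReceivingMta:
    validate_rcpt: bool              # reject unknown recipients during SMTP
    greylisting: bool = False        # temporarily reject first contact from a new triplet
    bounces: list = field(default_factory=list)   # NDRs this server would send out
    seen_triplets: set = field(default_factory=set)

    def smtp_dialogue(self, env: Envelope) -> int:
        """Make the accept/reject decision and return the SMTP reply code.
        A 4xx/5xx reply given inside the session is reported by the *sending*
        server to its own user; we never generate a message to MAIL FROM."""
        triplet = (env.client_ip, env.mail_from, env.rcpt_to)
        if self.greylisting and triplet not in self.seen_triplets:
            self.seen_triplets.add(triplet)
            return 451  # "try again later": real MTAs retry, bulk spam senders mostly do not
        if self.validate_rcpt and env.rcpt_to not in VALID_MAILBOXES:
            return 550  # rejected in-session: no NDR, hence no backscatter
        # Accepted (250). A server that accepts first and checks later discovers
        # the bad recipient afterwards and mails an NDR to the (forged) return path.
        if env.rcpt_to not in VALID_MAILBOXES:
            self.bounces.append({
                "to": env.mail_from,      # the innocent third party
                "from": "<>",             # null return path used by bounce messages
                "subject": "Undelivered Mail Returned to Sender",
            })
        return 250


def simulate_spam_run(mta: ReceivingMta, forged_sender="victim@innocent.example", n=5) -> int:
    """Spam run of n messages to nonexistent mailboxes, all carrying the same
    forged return path. Returns how many NDRs reach the innocent third party."""
    for i in range(n):
        env = Envelope("203.0.113.7", forged_sender, f"user{i}@example.net", "constructed spam body")
        mta.smtp_dialogue(env)
    return sum(1 for b in mta.bounces if b["to"] == forged_sender)


if __name__ == "__main__":
    print("accept-then-bounce:", simulate_spam_run(ReceivingMta(validate_rcpt=False)))
    print("validate at RCPT:  ", simulate_spam_run(ReceivingMta(validate_rcpt=True)))
    print("greylisting:       ", simulate_spam_run(ReceivingMta(validate_rcpt=False, greylisting=True)))
```

The first configuration yields one bounce per spam message, all delivered to the forged address; the other two yield none, because the refusal happens inside the SMTP session and the sending side is left to deal with it. The caveat from the last list item still applies: a 550 at RCPT time tells the connecting client which addresses exist, so production deployments usually pair recipient validation with rate limiting on rejected RCPT commands.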
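As a second added example, also not from the article, the evaluator below shows the SPF check a receiving server can run on the envelope sender before accepting a message, and how a hard fail is turned into an in-session rejection so that no bounce is ever generated for a forged return path. It implements only the `ip4`, `ip6` and `all` mechanisms with the four RFC 7208 qualifiers; `include`, `a`, `mx`, `exists` and modifiers such as `redirect=` need DNS and are reported as unsupported here, which is a simplification of this toy and not real SPF semantics. The SPF records are constructed stand-ins for DNS TXT lookups, and `evaluate_spf` and `smtp_decision` are hypothetical names.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (no network access).
SPF_RECORDS = {
    "innocent.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:192.0.2.10 ~all",
    "nospf.example": None,
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(client_ip: str, mail_from: str, records=SPF_RECORDS) -> str:
    """Minimal SPF evaluation for the domain of the envelope sender.
    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4/ip6/all are handled; any other term yields permerror in this toy."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None:
        return "none"                      # domain publishes no SPF record
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                    # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]   # "all" matches unconditionally
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed network in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"                 # toy limitation: DNS-based mechanisms unsupported
    return "neutral"                       # RFC 7208: nothing matched and no "all"


def smtp_decision(client_ip: str, mail_from: str) -> tuple:
    """Policy applied during the SMTP dialogue: a hard SPF fail is refused
    in-session (550), so the receiving server never creates an NDR for the
    forged address. Softfail, neutral and none are accepted and left to
    content filtering, which mirrors common MTA defaults."""
    result = evaluate_spf(client_ip, mail_from)
    return (550, result) if result == "fail" else (250, result)


if __name__ == "__main__":
    for ip, sender in [("198.51.100.25", "alice@innocent.example"),
                       ("203.0.113.7", "alice@innocent.example"),
                       ("203.0.113.7", "x@softfail.example")]:
        print(ip, sender, smtp_decision(ip, sender))
```

A spam source at 203.0.113.7 forging `alice@innocent.example` gets `fail` and a 550 before DATA, so the only party that ever hears about the refusal is the spammer's own sending host. The domain owner's choice between `-all` and `~all` matters here: with `~all` the same forged message is merely marked `softfail` and accepted, and if the recipient later turns out not to exist an accept-then-bounce server would still backscatter it.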