June 24, 2007
Small Company Drowning in Spam—For Years
As I scanned through a recent collection of spam suspects trapped at my email server, I saw a message that is now known as backscatter. Backscatter is a message that is blindly sent to the apparent sender of a message to alert the apparent sender that the message couldn't be delivered for a variety of reasons. Backscatter takes a number of forms, including the (dreaded) out-of-office notification and the "you are infected because you tried to send malware" virus warning.
The problem with backscatter—and why it has attracted its own named classification among antispammers—is that the vast majority of malware propagation and botnet-generated spam messages do not contain addresses of the real senders in the From: fields of those messages (or Reply-To: fields, if present). It is just as likely that such messages have working addresses of real email accounts that had been harvested from various places on the Internet—perhaps yours.
What happens as a result is that an individual receives a thoroughly puzzling backscatter message. Thoughts race:
- "I didn't send a message to so-and-so. Why did I get this bounce message?"
- "Does my email program have a ghost that is sending out messages I don't know about?"
- "Oh my god! My computer is infected with a virus! Die, computer, die!" [sounds of shattering plastic and breaking glass]
At one time in the history of backscatter, the mechanism was even used by spammers. The real targets of the intended spam messages would be written to the From: field of message headers. The To: field was intentionally set to an email address that was known to issue backscatter to the apparent sender, along with a complete copy of the original message. Thus, the spammer could essentially relay spam through the backscatter mechanism.
Things were getting ugly.
In some ways, backscatter has tapered off. For a long time, server-side antivirus software was notorious for issuing the "you are infected" backscatter messages. But when the malware senders were found to be using hijacked computers to launch further attacks with forged From: fields as the basic modus operandi, the default settings of these server programs changed. The volume of those virus warnings has dropped significantly over the years.
The piece (pieces, actually) of backscatter I mentioned at the start of this entry came from a Polish software company. The message begins as follows:
Subject: Deleting message due to invalid address at [Removed] Website
Some of addresses at [removed].com have been cancelled due to heavy inflow of spam.
In particular, the following addresses had to go:
[list of 34 addresses, including usernames "support," "webmaster," and names of company principals.]
E-mail sent to those addresses is deleted and WILL NOT BE RETRIEVED!
If this is not spam, please resend your e-mail to a valid address listed on [Removed] Website in the Contact section
We apologize for this inconvenience
Most email administrators would immediately recognize that this company is doing it all wrong. Instead of accepting all messages and then issuing this bounce message for those addressed to invalid accounts, the server should reject such messages during the delivery attempt itself. That rejection is returned to the sending server as an SMTP-level reply, not as a new email message, so nothing is sent to a possibly forged sender address.
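An added illustration, not code from the original post: a small Python model of the two recipient-handling policies contrasted above, run on a constructed delivery attempt whose envelope sender (MAIL FROM) is a forged third-party address. The receiving domain, mailbox list and addresses are made up for the example.

```python
from dataclasses import dataclass, field

LOCAL_DOMAIN = "example.com"          # constructed receiving domain
VALID_MAILBOXES = {"sales", "info"}   # constructed: the only mailboxes still in service


@dataclass
class Outcome:
    """What the receiving server does with one RCPT TO command."""
    smtp_reply: str                                    # reply returned in the SMTP dialogue
    outbound_mail: list = field(default_factory=list)  # messages this server itself originates


def mailbox_exists(rcpt_to: str) -> bool:
    local, _, domain = rcpt_to.partition("@")
    return domain == LOCAL_DOMAIN and local in VALID_MAILBOXES


def accept_then_bounce(mail_from: str, rcpt_to: str, body: str) -> Outcome:
    """The policy behind the quoted message: accept every recipient, then email a
    notice (with the original message attached) to the envelope sender."""
    out = Outcome(smtp_reply="250 OK")  # RCPT TO is accepted regardless of the mailbox
    if not mailbox_exists(rcpt_to):
        # The notice goes to MAIL FROM, which spam and malware routinely forge. When that
        # address belongs to an uninvolved third party this is backscatter, and because the
        # original body rides along, the spam content reaches them too.
        out.outbound_mail.append({
            "to": mail_from,
            "subject": "Deleting message due to invalid address",
            "attached": body,
        })
    return out


def reject_at_rcpt(mail_from: str, rcpt_to: str, body: str) -> Outcome:
    """The recommended policy: refuse unknown mailboxes inside the SMTP dialogue.
    The connecting server owns any non-delivery report; this server sends nothing."""
    if mailbox_exists(rcpt_to):
        return Outcome(smtp_reply="250 OK")
    return Outcome(smtp_reply="550 5.1.1 No such user here")  # mail_from/body never used


def compare_policies(mail_from: str, rcpt_to: str, body: str) -> dict:
    """Run both policies on one delivery attempt and return the results side by side."""
    return {
        "accept_then_bounce": accept_then_bounce(mail_from, rcpt_to, body),
        "reject_at_rcpt": reject_at_rcpt(mail_from, rcpt_to, body),
    }


if __name__ == "__main__":
    # Constructed spam delivery: forged envelope sender, retired "webmaster" mailbox.
    for name, o in compare_policies("innocent@third-party.example", "webmaster@example.com", "Buy now!").items():
        print(f"{name}: reply={o.smtp_reply!r}, messages originated={len(o.outbound_mail)}")
```

Only the accept-then-bounce policy originates a message, and it is addressed to the forged sender; the rejecting policy leaves the 550 reply with the connecting server and sends nothing.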
I wondered what the company was doing differently today to handle contacts from site visitors. It's clear that the firm started out being very open and inviting to visitors by providing a lot of email addresses in the clear. That policy has now stopped—and wisely so. Instead they use a somewhat complicated (for visitors) technique, showing a contact email address as the account name followed by the "@" sign, but no domain name. At the top of the page are instructions on how to assemble a valid address out of those pieces. At least that should stop most, if not all, of the automated address harvesters that crawl through the Web.
Next, I looked at their FAQ (Frequently Asked Questions) page. More than half of the questions had to do with contacting via email and spam issues. It's clear that email—a vital communications medium for the company—has been a problem. Then I noticed one question that referenced the kind of backscatter message I had just received. The question was dated from the year 2004!
I think that this small company, like many others, has been waging its own spam battles for years. Such organizations have been forced to change their policies and systems to defend themselves. They have even had to disable normal "role" accounts, such as "webmaster" and "support." Unfortunately, while this may have solved most of the problem for the company itself, its long-running backscatter is only contributing to the overall spam problem.
Posted on June 24, 2007 at 10:19 AM