If you’ve been inundated lately with bounced email from addresses you’ve never sent a note to, you’re experiencing the heartbreak of backscatter. Backscatter is an attempt by scammers to get you to read unsolicited email by sending it using your return address – forging it, which is simple – and then having you open the messages that mail servers innocently return.
I’ve received thousands of backscatter bounces in the last few weeks, even as my spam filters have worked relatively well. It’s irritating, because I have to handle it much more manually than any other unfiltered message. Sometimes there are commonalities in the bounces that make it somewhat easier to filter – for instance, the last time Adam Engst suffered a backscatter attack, most of the bounces came from Russian addresses, so he temporarily filtered mail from .ru domains to the trash until the problem died down, which it usually does.
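The commonality-based filtering described above can be scripted. The following is an added example, not code from the original article: it finds the top-level domain behind most bounces and trashes only bounces from that domain, which is narrower than filtering all .ru mail, so ordinary mail from the same domain still arrives. The function names, the thresholds, the bounce test (a multipart/report delivery status or an empty Return-Path) and the sample messages are all assumptions constructed for illustration.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

def is_bounce(msg):
    """Delivery status report (multipart/report) or null return path."""
    report = str(msg.get_param("report-type", "")).lower()
    if msg.get_content_type() == "multipart/report" and report == "delivery-status":
        return True
    return msg.get("Return-Path", "").strip() == "<>"

def sender_tld(msg):
    """Top-level domain of the From address, or '' if it cannot be read."""
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return domain.rpartition(".")[2] if "." in domain else ""

def dominant_bounce_tld(raw_messages, share=0.5, min_bounces=3):
    """Return the TLD behind at least `share` of the bounces, else None."""
    bounces = [m for m in map(message_from_string, raw_messages) if is_bounce(m)]
    tlds = Counter(t for t in map(sender_tld, bounces) if t)
    if len(bounces) < min_bounces or not tlds:
        return None
    tld, count = tlds.most_common(1)[0]
    return tld if count / len(bounces) >= share else None

def should_trash(raw, tld):
    """Trash only bounces from the dominant TLD; ordinary mail passes."""
    msg = message_from_string(raw)
    return tld is not None and is_bounce(msg) and sender_tld(msg) == tld

def _bounce(host):  # constructed sample bounce, not real traffic
    return (f"Return-Path: <>\nFrom: MAILER-DAEMON@{host}\nTo: me@example.com\n"
            "Subject: Undelivered Mail Returned to Sender\n"
            'Content-Type: multipart/report; report-type=delivery-status; boundary="b"\n'
            "\n--b\nContent-Type: text/plain\n\nUser unknown\n--b--\n")

SAMPLE_INBOX = [  # constructed messages
    _bounce("mx1.example.ru"), _bounce("mail.example.ru"), _bounce("mx.sample.ru"),
    _bounce("smtp.example.com"),
    "Return-Path: <friend@example.ru>\nFrom: Friend <friend@example.ru>\n"
    "To: me@example.com\nSubject: Lunch?\n\nAre you free on Friday?\n",
]

if __name__ == "__main__":
    tld = dominant_bounce_tld(SAMPLE_INBOX)
    for raw in SAMPLE_INBOX:
        print(message_from_string(raw)["From"], "->", "trash" if should_trash(raw, tld) else "keep")
```

Because the rule is meant to be temporary, rerun the tally periodically and drop the filter once no single domain dominates the bounces.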
Your return email address can be forged without any effort by anyone – including systems that let you forward links to other people from news sites – because return addresses aren’t registered in any fashion. DNS may control the use of domain names, but there’s no similar method of looking up email addresses to validate them.
Four years ago, I wrote “Sender Policy Framework: SPF Protection for Email” (2004-03-2), an article about an independent effort to create a way to register authority for email return addresses via DNS. Microsoft, Yahoo, and AOL all got in the game in different ways, extending SPF, developing their own systems, deploying anti-forging rules, or adopting rules to prevent forged messages from arriving for their email users and customers.
But none of the efforts has emerged as a winner, and verifying return addresses is still only one of several pieces that would restrict spam of a con-game nature. It’s a shame that even with several companies handling hundreds of millions of email accounts, the kind of cooperative work that would be required to improve several parts of the way in which Internet email works still seems beyond our reach.