Description of Backscatter / NDR spam

  • Article ID: 37088
  • Rating:
  • 1 customers rated this article 6.0 out of 6
  • Updated: 09 May 2014

Non-delivery report (NDR) messages that have been generated as a result of spam messages are often referred to as "backscatter."

Applies to the following Sophos product(s) and version(s)

Not product specific

What is backscatter?

It describes the NDR messages generated by mail systems that accept spam messages during an SMTP session. If there is a delivery error ("mailbox full," "user doesn't exist," etc), the system attempts to send a "bounce" message back to the supposed original sender. The bounce message is directed to the email address found in the envelope sender information (the Return-Path header) in the original message. Because this address has been forged in most spam messages, the bounce message is delivered to a mailbox of a sender who did not send the original spam message.

Who does this affect?

Most email accounts receive very few, if any, backscatter spam messages; however, specific addresses or domains that are favorites of spammers can be the target of hundreds (or even thousands) of messages of this type per day.

What is the problem?

SophosLabs will not block all NDR messages from all mail servers because not all NDR messages are backscatter, and mail servers that generate backscatter also send legitimate NDR messages. There are many legitimate bounce messages generated each day, which are delivered to the mail server that originally sent the message. The difficulty lies in differentiating between legitimate bounces and bounces that come as a result of spam messages.

How is SophosLabs blocking backscatter?

  • Many mail transfer agents (MTAs) generate a bounce message with some or all of the original message either attached or included in the message body. The Sophos Anti-Spam Engine marks these as spam if they contain enough spam content to warrant blocking.
  • Some poorly configured MTAs will accept and then bounce a message they deem to contain spam or a virus. If they add content to the message that indicates this kind of action, SophosLabs uses heuristic rules to detect and block these messages.

What should I do if I am the target of backscatter?

Submit samples to SophosLabs.  See How to submit a spam sample to SophosLabs for more information. There may be spam bounces for which SophosLabs can create additional heuristic rules.

For product specific workarounds, see the following article(s):

 
If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent

Comments