Mail backscatter

From Exterior Memory

Backscatter is mail that is sent as a reply to spam.

Examples of mail that is sent as a reply to another mail are bounce messages ("we could not deliver your message"), mail confirmations ("Please click this link to confirm your mail address"), spoofed e-cards ("click this link") and even (stupid) anti-spam measures ("acknowledge that you want to send this person an e-mail").

The Sender of a spam message is often forged, and these replies often end up at the wrong address: someone whose mail address was forged. Backscatter mail is just as annoying as normal spam, and must be prevented.

Prevent Bounce Messages

The general rule: Do not accept bogus mail, only to send out an error (bounce) mail a second later. Instead, block the bogus mail at the port.

A typical scenario: You have a primary and a backup mail server. The primary mail server only accepts mail for and, but not for other mail addresses at

The backup mail server accepts all mail for, and forwards it to the primary mail server. It accepts mail for Tries to forward it to the primary server, which rejects it, and the backup mail server responds by replying with a bounce message to the (perhaps forged) sender.
The backup mail server also has a list of valid recipients, and immediately responds with a "no such recipient" error if someone tries to send a message to

Again: the trick is to have a list of valid recipients, and let the SMTP server return an error immediately after the sender gives a nonexistent recipient address.

To configure this in Postfix, have a look at the relay_recipient_maps configuration parameter:

relay_recipient_maps = hash:/etc/postfix/relay_recipients

Here relay_recipients is simply a list of valid mail addresses (run postmap /etc/postfix/relay_recipients after creating this list).

Prevent Mail Confirmation Backscatter

It is hard to prevent mail confirmation backscatter, since mail confirmation messages are useful. They are typically sent during the registration process of a new account, or when subscribing to a mailing list.

They can never be completely prevented, but at least you can limit the rate of the mail confirmation messages:

  • Only send a mail confirmation after you make sure the request is genuine.
  • For registration, use a CAPTCHA (e.g. random numbers in an image) to make sure the request comes from a real human, not from a robot. At least that prevents some of the backscatter.
  • Record the IP address of the requester, and include this in the mail confirmation mail. This way, a victim of backscatter knows where it originated from, and may be able to find the attacker.
  • For mailing list confirmations that are sent out after a subscription request, make sure the mail is genuine. Check the body and make sure it is not spam. Do not create and aliases. Instead, create a which processes "subscribe", "unsubscribe" and "help" in the subject and the body, but silently ignores all other mails (or best: bounces bad requests during the SMTP session).

Prevent "Anti-spam" Backscatter

The solution should be obvious: Do not use anti-spam measures that spam innocent people.

In particular, stay far, far away from idiots like SpamArrest or Vanquish.

Instead, apply Sender Policy Framework (SPF) records to your mail domain, or use DomainKeys Identified Mail.

The reason I call companies like SpamArrest idiots is that they fail to properly check SPF records (they check for them, but don't process them if there are other genuine TXT records), resulting in more backscatter for me -- all the result of "anti-spam". This is like a doctor giving you a treatment for a cold, with influenza as a side-effect. No thanks.
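
Picking the SPF record out of a TXT record set that also holds unrelated records, as an added example (not code from this page or from any of the services named). It follows RFC 7208 sections 3.3 and 4.5; the function names and the sample records are constructed for illustration.

```python
# Added example: choose the SPF policy from a domain's TXT record set
# (RFC 7208 sections 3.3 and 4.5). Function names are illustrative and
# all records below are constructed samples.

def join_txt_strings(rdata):
    """A TXT record may hold several character-strings; SPF joins them with no separator."""
    if isinstance(rdata, str):
        return rdata
    return "".join(rdata)

def is_spf_record(text):
    """True if the record starts with exactly "v=spf1", ended by a space or end of record."""
    head = text[:6].lower()
    return head == "v=spf1" and (len(text) == 6 or text[6] == " ")

def select_spf(txt_rrset):
    """Return ("found", policy), ("none", None) or ("permerror", None).

    Unrelated TXT records are discarded, not treated as an error. Only
    two or more records that are themselves SPF records give permerror.
    """
    candidates = [t for t in map(join_txt_strings, txt_rrset) if is_spf_record(t)]
    if not candidates:
        return ("none", None)
    if len(candidates) > 1:
        return ("permerror", None)
    return ("found", candidates[0])

# Constructed TXT record set: one SPF policy among unrelated TXT records.
MIXED = [
    "site-verification=constructed-token",      # unrelated, must be ignored
    ("v=spf1 ip4:192.0.2.0/24 ", "mx -all"),    # one record split into two strings
    "v=spf10 not-an-spf-record",                # wrong version tag, must be ignored
]

if __name__ == "__main__":
    print(select_spf(MIXED))
```
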

Remove bounce messages from the queue

If -for whatever reason- you find messages in your mail queue that are backscatter (e.g. bounce messages that remain in your queue because the original sender is also forged), there is a shell script to delete those bounce messages from the Postfix mail queue:

mailq | awk ' /^[0-9A-F][0-9A-F]*[^*].*MAILER-DAEMON$/ {print $1}' | sudo xargs -rn1 postsuper -d

(source: Notes from a messy desk)