If you’ve been inundated lately with bounce notices for messages you never sent, to addresses you’ve never written to, you’re experiencing the heartbreak of backscatter. Backscatter is the flood of bounces generated when spammers put your return address on their junk - forging it is trivial - and the receiving mail servers accept the messages, discover they can’t be delivered, and innocently return them to the forged address, which is yours. Some spammers count on exactly that: the bounce carries their pitch, and you open it because it looks like a legitimate delivery failure.
I’ve received thousands of backscatter bounces in the last few weeks, even as my spam filters have worked relatively well. It’s irritating, because I have to handle it much more manually than any other unfiltered message. Sometimes there are commonalities in the bounces that make it somewhat easier to filter - for instance, the last time Adam Engst suffered a backscatter attack, most of the bounces came from Russian addresses, so he temporarily filtered mail from .ru domains to the trash until the problem died down, which it usually does.
Your return email address can be forged by anyone without any effort - including by the “email this story” forms on news sites, which will put whatever address you type onto the outgoing message - because nothing registers who is allowed to use a return address: an SMTP server simply accepts whatever sender the other side supplies. DNS controls who owns a domain name, but there is no comparable lookup that tells a receiving server whether a given machine is entitled to send mail with a given return address.
Four years ago, I wrote “Sender Policy Framework: SPF Protection for Email” (2004-03-2), an article about an independent effort to create a way to register authority for email return addresses via DNS. Microsoft, Yahoo, and AOL all got in the game in different ways, extending SPF, developing their own systems, deploying anti-forging rules, or adopting rules to prevent forged messages from arriving for their email users and customers.
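The SPF idea sketched above, as an added illustration that is not code from the article or from any SPF implementation: a domain publishes, in a DNS TXT record, the list of addresses allowed to send mail with its name as the return address, and the receiving server checks the connecting IP against that list during the SMTP envelope (MAIL FROM) stage. The evaluator below is deliberately minimal and handles only ip4, ip6, include and all; a real checker also handles a, mx, exists, redirect and macros, and queries live DNS rather than the constructed dictionary here. Domain names and addresses are made up (RFC 5737 and RFC 3849 documentation ranges).

```python
"""Minimal SPF (v=spf1) evaluator for the ip4/ip6/include/all mechanisms.

Added example, not from the original article. DNS is replaced by a
constructed dictionary so the code runs offline.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups. In production this would be a
# real TXT query for the domain given in the SMTP MAIL FROM address.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "nopolicy.example": None,  # domain that publishes no SPF record at all
}

# Qualifier characters from the SPF spec and the result each one yields.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the domain's v=spf1 record, or None if it publishes none."""
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_spf(ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate the SPF policy of `domain` for a connection from `ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # include: loops are a real-world failure mode
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: matches only if the other domain's policy passes;
            # its fail/softfail/neutral simply mean "no match, keep going".
            inner = check_spf(ip, arg, dns, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            # a, mx, exists, redirect and macros are not implemented here.
            return "permerror"
    return "neutral"  # record ran out without an "all" term


def check_envelope(mail_from, ip, dns=FAKE_DNS_TXT):
    """Check an SMTP MAIL FROM address against the sending IP."""
    if "@" not in mail_from:
        return "none"
    return check_spf(ip, mail_from.rsplit("@", 1)[1], dns)


if __name__ == "__main__":
    # A forged return address at example.com arriving from an unlisted host
    # fails and can be rejected at SMTP time, so no bounce is ever created.
    print(check_envelope("victim@example.com", "203.0.113.5"))  # fail
    print(check_envelope("victim@example.com", "192.0.2.7"))    # pass
```

The security-relevant detail is when the check runs: because SPF operates on the envelope sender while the SMTP session is still open, a server that gets a fail can refuse the message outright instead of accepting it and generating a bounce later, which is precisely the step that turns forged spam into backscatter. Note that SPF says nothing about the From: line a user sees in the mail client, and a domain whose record ends in ~all or ?all gives receivers little to act on.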
But none of these efforts has emerged as a winner, and verifying return addresses is still only one of several pieces that would be needed to restrict con-game spam. It’s a shame that even with several companies handling hundreds of millions of email accounts, the kind of cooperative work required to improve several parts of the way Internet email works still seems beyond our reach.
Copyright © 2008 Glenn Fleishman. TidBITS is copyright © 2008 TidBITS Publishing Inc. If you’re reading this article on a Web site other than TidBITS.com, please let us know, because if it was republished without attribution, by a commercial site, or in modified form, it violates our Creative Commons License.
