Backscatter: Be part of the solution, not the problem
I read Robert McMilan's article on backscattering with great interest, primarily because my personal account has been a "bounceback" victim for the past couple of weeks. His article contains a great explanation of what backscatter is and why it happens; it's the kind of article I'd send to my friends who are asking about all the bouncebacks they're seeing these days.
What is backscatter?backscatter -- bounceback messages from legitimate e-mail servers that have been fooled by the spammers.Spammers like to put fake information in their e-mail messages in order to sneak them past e-mail filters. Because e-mail filters now just delete messages that come from nonexistent domains, the spammers like to make their messages look like they come from real e-mail addresses. That means, if your e-mail address has been published on the Web somewhere, you're a prime candidate for backscattering.
The problem is that backscatter is the side-effect of a poorly configured mail server or ineffective SPAM prevention system. It's not something the victim can stop, it has to be addressed by the administrators of those systems which are too easily fooled by spammers. And from the looks of my inbox, that's a whole lotta systems.
Robert goes on to suggest this [reconfiguration] as a solution.
But the problem would largely disappear if server administrators configured their mail servers to immediately reject mail that is sent to nonexistent users, rather than accepting it and then bouncing it back to the faked addresses. Some ISPs (Internet service providers), AOL for example, have done this and have largely eliminated their role in the problem.
This certainly would decrease a lot of the backscatter, but it wouldn't catch it all. You need something a bit more robust and crafty in its determination of who is a legitimate sender of e-mail and who is not. Something that, say, bases its decisions on the reputation of the sender rather than just on the contents of the e-mail.
Reputation-based spam prevention works because it doesn't just look at the message, it looks at the sender. In the real world we filter information based on both; you're not likely to listen to tech advice when it's given by a fifteen year old who looks like she should be on the cover of "emo-tech" magazine even if it is the same advice given by a respected member of the tech community. Why shouldn't we treat e-mail the same way, with an eye toward the credibility of the sender?
Between correctly configuring mail servers to verify senders - even to the point of requiring authentication if necessary - and taking into consideration the reputation of the sender, we should be able to eliminate 70% of the SPAM out there, if not more.
If you don't think keeping backscatter out of my inbox is a good enough reason to implement a reputation-based mail system, then consider this: by preventing SPAM from reaching your mail servers you are saving (a) CPU cycles, (b) storage, and (c) employee's time. That's because a reputation-based system prevents SPAM from passing beyond it and into the realm of the mail servers, which means you don't have to waste storage (7 years of SPAM, anyone?) or processing power on it. And if you can decrease the load on your mail servers by not passing along every piece of SPAM for inspection, you might not need a second or third mail server to handle the load.
If you're wondering how such a system saves employee time, consider the results of a recent survey of e-mail monitoring practices by Proofpoint:
Someone is reading your e-mail...Proofpoint found that 41% of the largest companies surveyed (those with 20,000 or more employees) reported that they employ staff to read or otherwise analyze the contents of outbound e-mail. 22% of these companies said they employ staff primarily or exclusively for this purpose."
Obviously less e-mail means fewer employees needing to dedicate time and energy to reading through employees' e-mail, which saves time and, if you can reduce the staff and redirect those resources elsewhere, maybe money, too.
Did I mention that reputation-based mail systems are a great help if you're trying to go green? Cause they are, of course. Reductions in processing of SPAM result in less power consumed by mail servers, storage devices, and AV servers because they're processing fewer messages.
Reputation-based systems can't prevent backscatter, but it can prevent the cause of backscatter by not attempting to deliver what are obviously fraudulent e-mail messages in the first place.
So be a part of the solution instead of the problem and consider a reputation-based mail system.
My inbox will thank you for it.
Imbibing: Coffee
More on message security:
Enhanced Message Security: Slicing SPAM and Other Threats At The Edge