Improving Backscatter detection with Boomerang

One of the features we have been working on in Office 365/Exchange Online Protection (EOP) is called Boomerang, which is a mechanism to better detect backscatter spam. What is Backscatter? Backscatter spam occurs when a spammer spoofs your email address and sends it to a random person on the…


The Backscatterer.org IP list

Office 365 (Exchange Online Protection, or EOP) frequently receives questions about the Backscatterer.org IP blocklist.  Customers call in and say “Your outbound IPs for the service are on Backscatterer!  What are you doing about it?” This often occurs when people go to a 3rd party website, enter in our outbound IPs, and it says that…


Apple Mail and the Bounce feature

The other day, I was talking with a friend of mine who owns a Mac and how he finds the Bounce feature of Apple mail very useful.  "Bounce feature?" I asked.  "Is that what I think it is?" I don’t use Apple Mail anymore.  I do have a Mac but I use it mostly (though…


The problem of backscatter, part 18 - Wrapping it up

Backscatter spam is annoying.  It’s tough to filter because the contents of it can fool content filters and can also fool end users. Indeed, if your content filter could recognize an NDR and ignore the parts that typically occur in NDRs, you could then filter the rest of the message normally and make the spam/not-spam…


The problem of backscatter, part 17 - Limitations of BATV

While BATV is a good technique, we’ve seen that there can be some limitations with it when combining it with an SPF policy.  What else do we have to consider with BATV? Catch-all addresses or non-deliverable addresses – Some MTAs will look up the recipient in the SMTP conversation.  For example, in a hosted service,…


The problem of backscatter, part 16 - BATV and SPF

We’ve seen that BATV is one of the better mechanisms to stop backscatter, the question now is how do we use it?  What stuff does it potentially break? Some of the commenters in my other posts have alluded to it when they have said that you can’t use BATV unless you have an SPF policy…


The problem of backscatter, part 15: BATV in a nutshell

The following is a diagram that I drew that illustrates a summary of how BATV is supposed to work to prevent backscatter. Note the sequence of steps: Bender sends a message and hands it off through the outbound server. The outbound server signs his SMTP MAIL FROM. The recipient email server, mail.planet.express.ca, sees that the…


The problem of backscatter, part 14 - Bounce Address Tag Validation

As we approach the end of my series on backscatter, there is still one more piece of technology that holds real promise to combating backscatter – Bounce Address Tag Validation, or BATV.  That sounds a bit like a successor to HDTV… but it’s not. BATV is a more secure mechanism of my part 11 post…


The problem of backscatter, part 13 - An idiosyncrasy

Around the internet world, specifically dealing with email and MTAs, there are people who are familiar with and have expertise with a number of MTAs.  Things like Exchange, Postfix, Sendmail, Qmail, Exim, and so forth.  I am not one of those people.  So, in writing this series I have learned a few things about the…


The problem of backscatter, part 12 - Don't make the problem worse by contributing to it

Many of the web sites that discuss backscatter encourage mail administrators to not further contribute to the problem of backscatter.  I would be remiss if I did not include a section on it. Don’t accept mail, and then bounce.  The primary problem of general backscatter is when email servers accept a message, discover they can’t…


The problem of backscatter, part 11 - Check to see if you sent it in the first place

Other than content filtering and SPF, there’s another way to combat backscatter – check to see if you sent the message in the first place.  We have already seen that NDR messages and backscatter contain a notice from the bouncing email server as well as all or part of the original message.  We can use…


The problem of backscatter part 10 - Use SPF

Using content analysis is one trick you can use to stop backscatter.  Another is to use SPF records. SPF records are designed to help combat backscatter on the theory that the recipient mail server will be able to figure out that your server didn’t send it.  Here’s how it works: Bob has his own mail…


The problem of backscatter, part 9 - Block it with content analysis

We can see how backscatter is a problem, so how do we go about stopping it?  What are some of the techniques we can employ to keep it out of our inboxes? One such technique is to block all NDR messages, or at least tag phrases and characteristics that commonly occur in NDR backscatter as…


The problem of backscatter, part 8 - Why is it so hard to stop?

I came across the following diagram at this site, and it nicely summarizes the issue of backscatter spam: Getting a single piece of backscatter spam is one thing, getting dozens, hundreds or even thousands of them is a major problem.  While spammers may be nefarious in attempting to spam indirectly, what’s more annoying is that…


The problem of backscatter, part 7 - What is it?

Having worked our way through how NDRs and DSNs are supposed to work, we can now finally look at what backscatter actually is. Recall the SMTP protocol – when you send a message, you specify the HELO, the MAIL FROM, the RCPT TO, the DATA (email contents including other miscellaneous headers) and the QUIT.  Here’s…
