Backscatter or Misdirected Bounces

In this post we will try to explain how it is possible that you receive notifications of bounced emails when you are unaware of sending them in the first place.

The scenario that you might be afraid of and the first one that might come to mind is that your mail account has been hacked and is being used to send spam. If you fear that this has happened, the first thing to do is a scan of your computer with an antivirus or anti-malware software to check for worms, botnets and the likes. The second action should be to change the password of the account. And make sure to use a strong password. But there is also a chance that you are looking at backscatter aka collateral spam.

What is backscatter?

Backscatter is a side-effect caused by spam. When a spammer uses your email address and puts it in the “From” field of his mails, this is called “spoofing”. Spoofing happens quite a lot as spammers are usually unwilling to use their own email address since that would get them blacklisted in no time. So, when a mail-server does not recognize the message as spam and is unable to deliver the mail, it sends the bounce notification to the address in the “From” (or “Reply-To”) field.

screenshot1

What can I do?

Not much if you are not in control of the mail-server that is sending the Non-Delivery Reports (NDR). If you are running a mail server, see if you can enable some sort of “Bounce Verification”. This is an option that checks if the actual sender matches the bounce address. If they are not the same the message will not be sent, thus reducing the amount of backscatter.

If you are just a receiver and you do get a lot of backscatter, you should try and work the problem out with the entity that is in control of the mail-server (oftentimes your ISP). They may be able to change their settings or help you in another way.

screenshot2

Deliberate bounces

Another, less likely option, is spam that is pretending to be a bounced mail. Some spammers found out that users are more likely to open a bounced mail than mails with other keywords in the title, so there are spammers using that to their advantage and they send out spam disguised as bounces.

Summary

While bounces can be useful, getting them when you have no idea what caused them, can be a nuisance. Short of suspecting your account has been hacked, you could be looking at misdirected bounces brought about by spammers spoofing your email-address as the sender. Bounce verification on the mail-server could be an option to reduce their number.

Resources

Pieter Arntz

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.