Backscatter spam is back

Spammers resurrected a tried-and-true method in March to wreak havoc on in-boxes, mail servers and networks, Symantec says

By Brian Prince

Spammers increasingly used an old standby in March to reach e-mail in-boxes—backscatter.

The practice is back and Symantec researchers are calling it a wake-up call for MTA (mail transfer agent) administrators.

In Symantec’s monthly State of Spam report, researchers reported that an increase in bounced messages had led to spammers forging sending e-mail addresses and putting them in the “From” header of their spam messages. The report noted that e-mail processing programs that fire back the full content of a bounced message to the apparent sender of an e-mail create another spam attack vector.

The report states, “Spammers take advantage of MTA...programs, which can be configured to send back not only a list of failed recipient addresses, and an explanation [of] why each address failed, but also a copy of the original message in its entirety. Spammers can then bounce their messages around the Internet until they end up in someone’s spam folder, or worse, in-box. Since many users want to know if they have accidentally misspelled their friends’ e-mail addresses by getting a failed recipient message, these bounced messages will often go unblocked due to configurations of anti-spam filters.”

While the technique is not new, Symantec officials said MTA administrators should take heed.

“The effect on corporate networks in relation to bounce message spam is potentially an increase in bandwidth and an influx of unwanted spam messages in users’ in-boxes with a resulting loss in productivity,” said Dermot Harnett, principal analyst with Symantec anti-spam engineering. “MTA programs could be configured so that they do not send back a copy of the original message in its entirety. Additionally, security protocols do exist [that] allow outgoing messages to be signed.

“If a bounce message occurs, the recipient will be able to determine if the message is a ‘true’ bounce message or if the bounce message has occurred as a consequence of spammer’s actions,” Harnett said.

The majority of the bounced e-mails observed by Symantec were Russian-language messages, though many of the originating IP addresses were from across the globe. The United States, however, continued to be the top country of origin for spam, leading the way with nearly 25 percent, according to the report. Overall, Symantec researchers found spam accounted for an average of 81 percent of all e-mail during March.

[Image: This screen from a Trend Micro blog shows an example of backscatter spam.]

E-MAIL SECURITY FROM PAGE 44

sensitive data is and what their business needs are, according to analysts. The risk of focusing too much on a block-and-allow approach is that employees—ultimately the last line of defense in security—will simply circumvent whatever protections are put in place, Thielens said.

“Think of the content management problem as a bubble in a long balloon animal. If you squeeze the controls around that bubble, the air just moves to the left, to the right,” he said. “If you lock down e-mail, people start using files and Web and instant messaging. If you take this blocking mentality, you’re always in catch-up mode.

“Instead, think about enablement, and tell people, ‘We’re going to put some defensive controls that block the wrong ways of doing things in place, but we’re also going to give you ways where you know how to do business with your content.’”
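
Harnett's remark in the backscatter article above, that outgoing messages can be signed so a recipient can tell a "true" bounce from backscatter, is illustrated here with an added example that comes from neither the article nor Symantec. It is a simplified sketch modeled on Bounce Address Tag Validation (BATV), a scheme the article does not name; the key, the tag layout, the seven-day lifetime and the function names are assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: per-domain secret known only to the MTA
LIFETIME_DAYS = 7                 # assumption: bounces arriving later are refused


def _tag(local: str, domain: str, expiry_day: int) -> str:
    """Short HMAC over the expiry day and the original sender address."""
    msg = f"{expiry_day:03d}{local}@{domain}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:8]


def sign_sender(address: str, today: int) -> str:
    """Outbound: rewrite the envelope sender user@d to prvs=DDDTTTTTTTT=user@d.

    `today` is a day counter (for example days since the Unix epoch).
    """
    local, domain = address.rsplit("@", 1)
    expiry = (today + LIFETIME_DAYS) % 1000
    return f"prvs={expiry:03d}{_tag(local, domain, expiry)}={local}@{domain}"


def check_bounce(rcpt: str, today: int) -> str:
    """Inbound: classify a bounce (null envelope sender) by its recipient address."""
    local, domain = rcpt.rsplit("@", 1)
    if not local.startswith("prvs="):
        # We sign every sender we emit, so this bounce answers mail we never sent.
        return "reject: unsigned bounce recipient (backscatter)"
    try:
        stamp, orig_local = local[len("prvs="):].split("=", 1)
        expiry = int(stamp[:3])
    except ValueError:
        return "reject: malformed tag"
    expected = _tag(orig_local, domain, expiry)
    if not hmac.compare_digest(stamp[3:].encode(), expected.encode()):
        return "reject: bad signature"
    if (expiry - today) % 1000 > LIFETIME_DAYS:
        return "reject: expired tag"
    return f"accept: deliver to {orig_local}@{domain}"
```

Only messages arriving with a null envelope sender should pass through `check_bounce`; ordinary mail addressed to the untagged address is unaffected.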