Backscatter and Misdirected Email Alerts

This is bizarre, if slightly nostalgic.

I spent a lot of time in the first half of this decade writing and presenting on problems with email filters that assumed that if the "From" field of an email header says that the sender was me@thenameofmysite.com (apologies to thenameofmysite.com if it actually exists, but I don’t think it does), then it must indeed have come from me@thenameofmysite.com.

Of course, there are any number of reasons why this might not be true. (Occasionally there are even understandable, arguably legitimate reasons for forging an email address, though that might open up all sorts of legal issues.) One, of course, is that spammers usually forge sender addresses – in fact, this is often one of the identifying characteristics that legal measures are based on, though there are almost as many definitions of spam as there are of malware.

  • A "Joe Job" is the name usually used when a specific person is targeted by forging his or her address as the sender, with the particular intention of causing trouble: for instance, by causing him or her to be targeted by anti-spam vigilantes, DNS blacklists, even law enforcement.
  • Mail sent from an automated source (a spambot, for instance) may have to forge a sender address, since otherwise it won’t be delivered. Sometimes that address will be a real address  harvested from a Direct Harvesting Attack (DHA), the address book on a bot-compromised system, and so on. Often it will be a made-up address that looks right, which is all that many mail servers require. However, there’s a possibility that a made-up or automatically generated address will correspond to a real account name somewhere on the wild and woolly internet.

Sometimes this results in what is often referred to as backscatter or outscatter: this usually results in the innocent party receiving a non-delivery notification for a message they never sent. Sometimes this is neutral in tone but confusing – some people get into a panic because they think someone may have taken over their account to send email (which can happen, but happens less than you might think). I often see questions relating to this phenomenon on sites where people ask for advice on security issues.

Sometimes the notification suggests malicious intent on the part of the innocent sender, misidentified as a spammer or virus distributor, which frightens the naive and irritates the knowledgeable. It used to annoy me particularly when people would accuse me of sending spam from an address that wasn’t actually capable of sending messages: it can be useful in some contexts to have addresses that are set up to receive and forward messages to another account, but are not set up for sending.

So I had something of a timeslip moment this morning when I got a non-delivery notification from a German company telling me that they found a virus in "my" email. To their credit, they did offer me help if I contact their postmaster address: when I was the fall guy for email security for a Certain Organization, it depressed me intensely to get this sort of stuff from no-reply addresses. Almost as much as it depressed me that the service I was supposed to look after used an outsourced service that didn’t allow me to get backscatter turned off (well, not till I’d nagged for about 18 months). So on one hand I was popping up at conferences and in print saying "misdirected virus alerts aren’t free advertising for an AV product, they’re a form of spam" – the term "collateral spam" is sometimes used, by analogy with "collateral damage" from "friendly fire." On the other hand I was getting angry mail from people telling me what was wrong with service that had my name on it (the administration was actually outsourced), as if I wasn’t already too aware.

Anyway, I don’t seem to see much of this any more. But if you’re still administering a mail server that sends virus alerts to the apparent sender, can I politely suggest that there’s a reason why AV companies don’t usually do this by default any more?

Author David Harley, ESET

  • David Harley

    Flow, assuming you’re an ESET product user, we cannot answer product support queries on the Threatblog: please go to the Support tab on the eset.com home page.

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

7 articles related to:
Hot Topic
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.