Monday, May 12, 2008

Backscatter... the silent weapon of spammers

I had just done a report for one organisation showing their mail traffic, and they were impressed by the volume passing through their mail server. With only around 200 users, the MTA was processing 11000 mails a day! Now this is a very busy company, or is it?

The answer is "NO". In fact, out of these 11000 mails, approximately 8500 are backscatter, a further 500 are spam that slipped past their anti-spam appliance, and only 2000 are legitimate mail. So what is this backscatter mail about?

Backscatter mail is basically bounced mail caused by a failure in delivery. It is also called a "Delivery Failure Notification" or "DFN". At this point I can see the system and network administrators looking worried. They are probably wondering whether the network has been "hacked", or whether it has become part of a zombie network blasting out thousands of mails a day and therefore producing this number of "DFN". Indeed, their next question is what is causing the large number of "DFN", and whether they can see which user is sending out those mails. I am sure my reply put them at ease.

These "DFN" are not caused by mail sent out through their network. They are caused by spammers spoofing the organisation's email addresses and blasting mail out to thousands and thousands of users everywhere the internet exists. Take for example:

Spammer A sends a mail to "Invaliduser@yourdomain.com" and, on the "from" line of his message, puts "spoofemail@yourdomain.com".

What happens is that when the email reaches the "Invaliduser@yourdomain.com" network, there is a high chance it will reply with a message saying that the user is invalid. When that happens, instead of going back to the spammer, the mail is returned to the MX record of the spoofed sender's domain, "yourdomain.com".

The second reason the MTA is processing 8500 DFN is that when a DFN came in to inform "spoofemail@yourdomain.com" that the mail had failed to be sent, the anti-spam appliance didn't drop the DFN mails. This is an architecture error.

What should happen here is that both the recipient and sender networks should drop mail for invalid users instead of processing it. When the mail first reaches the "Invaliduser@yourdomain.com" network, the MTA should reply with a "5xx" error code and reject it. The same applies to the MTA for the "spoofemail@yourdomain.com" domain: when the DFN comes in for the user "spoofemail", the MTA should reply with a "5xx" error code to the anti-spam appliance and drop/reject the mail without processing it. It should be strongly encouraged that MTAs reject mail for invalid recipients instead of replying with "4xx", etc. This will help not only your network but also many other networks in the world.
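To make the two architecture errors concrete, here is an added simulation (not code from the original post) of the exchange above. It models each domain's inbound MTA with one of two policies, "accept_then_bounce" or "reject_at_rcpt", and counts how much backscatter is generated and how much the spoofed domain takes in. The recipient domain "example.net", the user names and the message count are assumptions for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Mta:
    """Minimal model of one domain's inbound MTA (constructed for this example)."""
    domain: str
    valid_users: frozenset
    policy: str                    # "reject_at_rcpt" or "accept_then_bounce"
    accepted: list = field(default_factory=list)   # (envelope_from, rcpt) taken in

    def rcpt_to(self, envelope_from, rcpt):
        """Answer SMTP RCPT TO. Returns (reply_code, dsn), where dsn is the
        (envelope_from, rcpt) of any bounce this MTA will emit, else None."""
        user, _, dom = rcpt.partition("@")
        if dom == self.domain and user in self.valid_users:
            self.accepted.append((envelope_from, rcpt))
            return 250, None
        if self.policy == "reject_at_rcpt":
            # 5xx during the SMTP dialogue: the message is never taken in, so there
            # is nothing to bounce; the connecting sender, not the spoofed address,
            # is the one told the recipient is invalid.
            return 550, None
        # accept_then_bounce: take the message in, then notify the envelope sender.
        self.accepted.append((envelope_from, rcpt))
        if envelope_from == "<>":
            return 250, None            # a DSN has the null sender; never bounce a bounce
        return 250, ("<>", envelope_from)   # this DSN is the backscatter

def simulate(recipient_policy, spoofed_policy, n_spam=1000):
    """Spammer sends n_spam messages to an invalid user at example.net (assumed),
    forging spoofemail@yourdomain.com as envelope sender. Returns
    (dsns_generated_by_example_net, dsns_processed_by_yourdomain_com)."""
    recipient_net = Mta("example.net", frozenset({"alice"}), recipient_policy)
    spoofed_net = Mta("yourdomain.com", frozenset({"bob"}), spoofed_policy)
    generated = processed = 0
    for _ in range(n_spam):
        _, dsn = recipient_net.rcpt_to("spoofemail@yourdomain.com",
                                       "invaliduser@example.net")
        if dsn is None:
            continue                    # rejected at RCPT: no backscatter exists
        generated += 1
        code, _ = spoofed_net.rcpt_to(*dsn)   # DSN arrives at the spoofed domain's MX
        if code == 250:
            processed += 1              # appliance/MTA took the DSN in for processing
    return generated, processed

if __name__ == "__main__":
    for rp in ("accept_then_bounce", "reject_at_rcpt"):
        for sp in ("accept_then_bounce", "reject_at_rcpt"):
            print(f"recipient={rp:18} spoofed={sp:18} -> {simulate(rp, sp)}")
```

Only the recipient network rejecting at RCPT time stops backscatter from being created at all; the spoofed domain rejecting invalid users merely stops it from being processed locally.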

I hope this simple write-up helps some administrators out there clear up their doubts about backscatter mail.

2 comments:

Unknown said...

Hey, I was not aware of this term "Backscatter Mails". But your post is very helpful to understand how spammers use this tool for spamming..........
Download Anti Spam Tools
Windows Server Monitor

Anonymous said...

The spammers are always on the lookout for an opportunity to strike.. we just have to be constantly on the lookout for them. :)