
SpamSentinel Stops Backscatter


Although backscatter is not spam, many of our Lotus Notes customers complain about it to us, as they know we can be pretty creative when stopping unwanted email.  I'll admit that this one had us stumped for a few weeks.  We tried to find a way to distinguish between a backscatter email and good mail.  Backscatter is a common issue at the moment. What happens is that the spam sender forges the return address so that it points to you. When the receiving server rejects the message, due to an invalid user name or mail box full error (for example), the server creates a non-delivery failure and sends it back to the user who it thinks the mail came from - i.e. you or one of your users.

Some customers report hundreds of these each day for a single user, and one customer had so many it amounted to a Denial of Service attack (see Case Study of DoS Attack).  Customers were begging us for a solution to this problem.

Well, we finally figured out how to stop backscatter that your server receives.

We accomplish this using unique properties of Domino messages that help distinguish real NDRs from backscatter.  The trick was that some senders send back a non-delivery report (NDR) and some send back only a "Memo", which complicates the problem.  These Memos are simple mail messages from a legitimate email server to your email server.  If they include the body of the message, SpamSentinel is able to stop the message as spam.  If they simply say "We are unable to deliver the message" then it is almost impossible to stop.  But we have found a way!

So, if you upgrade to version 7.5.3.1 of SpamSentinel, your problem is solved.  This version has two new options:

- Block NDRs that are not from Emails generated from one of your Domino SMTP servers
- Block Memos that are effectively NDRs

Here is a sample email backscatter message that SpamSentinel 7.5.3.1 catches:

[Image: M2]



This version is available by request.  Email me, Frank Paolino, and I will get you the software.  This is a "no charge" upgrade, and includes the ability to block spam at the SMTP gateway (see the blog posting SpamSentinel Now Blocks Spam at the SMTP Level).




Comments

7 - @6 Claus Thanks for the heads up. I will check it out for possible inclusion into the product! Anything we can do to help stop backscatter is a big win.

6 - If SpamSentinel supports doing DNSBL-Queries if envelope-from is a nullsender only, then there is a riskless solution to stop receiving backscatter.

ips.backscatterer.org is a blocklist which covers backscatterer and sender callout abuser only.

BIG FAT WARNING:
Please be sure you don't use it like a regular DNSBL, because almost all listees are real (but poorly configured) mailservers.

Doing requests just if sender claims to be a bounce is the only real safe usage of this blocklist.
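The check described in comment 6, sketched as an added example (not part of the comment and not SpamSentinel code): the blocklist is consulted only when the envelope sender is the null sender `<>`. The function names, the injectable `resolve` parameter, the IPv4-only handling and the 127.0.0.0/8 "listed" convention are assumptions of this sketch; the sample sessions are constructed.

```python
import ipaddress
import socket

DNSBL_ZONE = "ips.backscatterer.org"  # zone named in the comment above


def is_null_sender(mail_from):
    """True when the SMTP envelope sender is the null reverse-path '<>'."""
    return mail_from.strip().strip("<>").strip() == ""


def dnsbl_name(client_ip, zone=DNSBL_ZONE):
    """Query name = reversed IPv4 octets + zone; None for non-IPv4 clients."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        return None  # assumption: this sketch only checks IPv4 peers
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def system_resolver(name):
    """A record for name, or None if the lookup fails (fail open)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def should_reject(mail_from, client_ip, resolve=system_resolver):
    """Consult the blocklist for bounces only, never for ordinary mail."""
    if not is_null_sender(mail_from):
        return False  # not a bounce: the list is not queried at all
    name = dnsbl_name(client_ip)
    if name is None:
        return False
    answer = resolve(name)
    # Assumption: a listing is an A record in 127.0.0.0/8 (usual DNSBL form)
    return answer is not None and answer.startswith("127.")


if __name__ == "__main__":
    # Constructed data: documentation-range IPs and a fake zone, no network
    fake_zone = {"10.2.0.192.ips.backscatterer.org": "127.0.0.2"}
    sessions = [("<>", "192.0.2.10"), ("<>", "198.51.100.7"),
                ("<user@example.com>", "192.0.2.10")]
    for mail_from, ip in sessions:
        verdict = should_reject(mail_from, ip, fake_zone.get)
        print(mail_from, ip, "reject" if verdict else "accept")
```
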

5 - @4 Peter We have released v 7.5.3.5 which has more aggressive settings and allows messages to (optionally) be put in the JunkMail folder for review, or left in the Quarantine.nsf for the daily report. I will send it to you.
Frank

4 - Is there any way to tune these settings? We have upgraded the SS to the 7.5.3.1 version, but we are "backscattered" still... thanks

3 - @1 Dag These settings are ON by default, so there is no configuration necessary.
Frank

2 - I think this is a smashing good idea!

1 - So, where exactly in 7.5.3.1 do You enable these two settings ?
I have searched High and Low and not found it.
