Protecting Yourself and Others from Backscatter Spam with Exchange Server 2007Written by Paul Cunningham on April 29, 2009
Most of the articles you’ll read on a blog such as this will describe how to protect yourself from certain types of spam. Most of the articles I’ve written so far do exactly that. Today I’m going to add another dimension to my post and discuss how to protect both yourself and others from “backscatter” spam.
What is Backscatter Spam?
The term “backscatter spam” refers to a spam attack that targets non-existent email addresses and causes email “bounce” messages to be sent to innocent parties. The “bounce” messages are known as Non-Delivery Reports (NDRs) and are sent by an email server to let the sender know that the message was not delivered.
NDRs are a normal and useful part of the SMTP protocol. However when NDRs were first envisaged the concept of address spoofing was not considered. Address spoofing is when a spammer forges the “From” address on a piece of spam they are sending. This is how backscatter affects innocent parties – even though they didn’t send the spam, they receive the NDR because their email address was forged by the spammer.
Why does Backscatter Occur with Exchange Server 2007?
An Exchange Server 2007 email server will contribute to the backscatter problem simply due to this default configuration.
This check box tells the Exchange server to send NDRs back to any sending domain (note the wildcard * used as the domain name). Because the message has already been accepted in full and the original SMTP connection from the spam source disconnected, the Exchange server performs a DNS lookup for the MX record (Mail eXchanger) and sends the NDR to that server.
If the spam forged the email address of john.smith[at]contoso.com, then John is the one who receives the NDR. John also receives a copy of the spam message, which is included with the NDR message. So although the spammer has not successfully reached the first intended recipient, they have reached John who is now curious as to what email he apparently sent that caused the NDR (this curiosity increases the chance that he will open the spam and maybe click on a link within it).
Preventing Backscatter from Being Sent by Your Exchange Server
The simplest and most obvious way to prevent an Exchange server sending backscatter spam is to uncheck the box for allowing NDRs to be sent to external domains. Unfortunately this is not the best way to go about doing it. NDRs are a valid part of the SMTP protocol and serve a genuinely useful purpose. Imagine if a business partner incorrectly addressed a critical email and received no NDR. A business could lose money if the mistake is not noticed straight away, which it would be if an NDR was sent back to the sender. NDRs are necessary and should not be disabled.
The safest way to prevent backscatter from originating from your server is to block the inbound spam to begin with. Because most spam originates from compromised home computers it therefore usually comes from untrustworthy blocks of IP addresses. These IP addresses are included in popular RBL databases such as SpamHaus. With Exchange Server 2007 you can make use of Connection Filtering to look up sending IP addresses in the SpamHaus database and terminate the SMTP connection.
Because the SMTP connection is terminated without accepting the message your Exchange server does not need to send an NDR to the forged sender address. Furthermore, because the software used by spammers to send out emails from compromised computers does not bother sending NDRs it will not send one to the forged sender either.
Preventing Backscatter from Being Received by Your Exchange Server
Protecting your own Exchange server from receiving backscatter spam is a little more complicated. Connection Filtering is not useful here, because the NDRs containing the original spam are likely to be coming from trusted IP addresses.
Content filtering is the most effective way of detecting and blocking backscatter spam that is wrapped up in NDR messages. Exchange Server 2007 has content filtering capabilities, but they are not very effective in dealing with backscatter spam for some reason.
Fortunately the problem has been solved by third party Exchange 2007 spam filters that can block NDR spam. If NDR spam is becoming a problem for your organisation then it is time to evaluate and deploy one of these anti-spam solutions.