Duration of backscatter

billymayday · 01-18-2007, 03:01 AM

I'm currently the victim of a truckload of backscatter email bounces thanks to some $%%^ spammer(s) forging my domain and crappily configured mail servers around the planet.

Does anyone have any view on how long these tend to last for? I assume that the spammers move on to a new set of domain names pretty quickly and the crap will drop off. Does this sound correct?

Hangdog42 · 01-18-2007, 06:46 AM

I wouldn't bet on it. Once spammers got ahold of my company domain name, the crap was flowing for months until I set the server to drop everything that wasn't from a legitimate email account. As far as I know, they are still using our domain name, but at least I don't have to deal with their garbage.

billymayday · 01-18-2007, 01:24 PM

I always drop mail to non-existent users. I'd just prefer to be able to see something useful in my logs and not chewe up bandwidth on crap connections.

Will revert as to timing

Nice looking site

Rgds

billymayday · 01-19-2007, 03:13 AM

Volume seems to have dropped off significantly today.

I'll post daily volumes once things peter out

billymayday · 01-19-2007, 07:36 PM

Having posted this

http://www.linuxquestions.org/questi...d.php?t=520417

the other day, I thought it may be interesting for readers if I posted some data relating to the progression of the backscatter I received.

Taking "rejected as undeliverable" totals from my daily logwatch cron job, here is what I saw day by day.

15 Jan 308
16 Jan 1,695
17 Jan 3,056
18 Jan 5,846
19 Jan 4,408
20 Jan 596

I guess I just sit and wait for the next one now!

chort · 01-19-2007, 07:53 PM

"Backscatter" is a term typically reserved for traffic that results from spoofed IPs in DDoS attacks. When e-mail domains are forged to send spam, it's known as a "Joe Job". I cover that (and other attacks) on my site. Check out e-mail threats and click on The "Joe Job" under Threats/Network.

billymayday · 01-19-2007, 07:56 PM

Certainly Wietse Venema of postfix fame seems to refer to this as backscatter.

http://www.postfix.org/BACKSCATTER_README.html

Anyway, here's what I saw:

http://www.linuxquestions.org/questi...d.php?t=521020

and thanks for the link

billymayday · 01-19-2007, 08:01 PM

Interesting chort, but it would seem to me that since most of the crap I get is from sites that bounce mail to unknown users, they are probably the least likely to implement spf or anything similar.

chort · 01-19-2007, 08:12 PM

Yes, but you can only control your own site. There are two third parties involved: The spammer, and the recipient of the spam. You can't control what they do. The best you can do is publish an SPF/Sender-ID record (soon to be superceded by DKIM in all likelihood) and hope that ricipients of spam will check your records to avoid ever accepting the spam in the first place.

If you do get the bounces, you can filter them, but it's potentially tricky--especially if they used a valid e-mail address from your domain. Of course, they've already used your bandwidth at that point.

As for the term "Joe Job", I'm now working at my second e-mail security company and both have called it "Joe Job". That's the only term I see used to describe it in the e-mail security industry and in press about it.

Crito · 01-20-2007, 05:47 AM

Makes me glad I don't have to administer email servers. Sounds like a frickin' nightmare!