April 24, 2014

avatar

spammers gone wild

I’m sure this sort of behavior is old news, but it’s still really annoying.  Starting last night and continuing as I’m writing this, some annoying spammer has been forging my email address as the “From” line of a variety of spams.  This is causing a staggering volume of backscatter, mostly of the “Delivery Status Notification (failure)” variety.  Sampling these messages, I’m seeing several interesting things.

  1. The spammer is using my proper email address (dwallach@…) on each message, but a different “real” name on each one.  The name “Dan Wallach” does not appear anywhere.
  2. I forward everything to Gmail.  Gmail considers all of this backscatter to be spam.  That’s probably the correct answer, but I’m not sure I want to train my own DSPAM to do the same thing.  (DSPAM runs locally, and then I save a local copy and forward to Gmail.)  If I send a real message and it legitimately bounces, I want to know about it.  If I train DSPAM that all of these delivery status notifications are spam, it will inevitably throw away anything from “mailer-daemon”.  I’m unclear on whether that’s good or bad.
  3. You could easily build a bounce-message validator.  Every backscatter seems to have the original message ID in it, somewhere.  If the backscatter mentions a message ID that my system actually generated, then the backscatter is allowed.  Otherwise it’s dropped.  (This idea appears to be a variation of VERP; I’d make the message ID be a keyed MAC of a sequence number.)
  4. A large number of these spams have a message body consisting entirely of “Take a look at yourself :) ”  and linking to “video.exe” on a variety of different web sites.  Gmail helpfully rewrites those links such that they can track that I clicked on it.  This would also seem to give them an opportunity to give me an anti-virus warning, but they don’t do any such thing.  (“video.exe” is one of the common names used by the Storm worm.)
  5. Many spams include links that redirect through Google’s PageAd server to yet another server.  I clicked on one of them.  It appears that the PageAd redirector worked, but then Firefox’s “badware” detector caught the destination as being bad, ultimately taking me to stopbadware.org.  Go Firefox!
  6. Some legit antispam firewall products (including Barracuda) are helpfully telling me my message “was blocked by our Spam Firewall. The email you sent with the following subject has NOT BEEN DELIVERED”.  This is clearly broken behavior.  Just drop it and move on!
  7. Several of the backscatter messages are actually validation messages (sender address verification).  This has been largely discredited due to a variety of practical problems, never mind common-case annoyance to normal users.
  8. One of the spammers seems to be quite keen to sell replicas of expensive wristwatches, and those links take you to some kind of seemingly real online store, albeit with a funky DNS name.  Somehow, even if I did want a fake expensive watch, I’m not sure I’d be comfortable typing my credit card number into a web site whose name is a list of random characters and who (clearly) is closely related to the underworld of lecherous spammers.

EDIT: fixed post that had gone out before it was done.

Comments

  1. Andrew Sweger says:

    This post appears to have been truncated or posted prematurely.

    • Monica says:

      As someone said already, David: Alternatively, just look for your mailservers’ hostnames in the bounced message’s Received: headers… which is what the SpamAssassin VBounce plugin does ;) I have used this in the past t block any kind of attack from spammers.

      Check our current accounts and isa savings offerings.

  2. Steve says:

    I’ve been experiencing the same thing during the last week; seveeral-hour periods over
    which I get several backscatter messages per minute. It would be helpful if spammers would
    rotate their return addresses more frequently, or at least use yours instead of mine :-)

    You didn’t mention that what really causes this is incorrect server setups. A “good”
    MTA should determine during the connection that the message is spam and reject
    it at that point… backscatter wouldn’t happen because the system relaying the spam
    would be notified, not you and me. A “bad” MTA (or Barracuda’s default configuration)
    figures out that spam is spam after the fact and makes the mistaken assumption that
    the return address is valid. IF THE MESSAGE IS SPAM THEN IT IS GUARANTEED TO
    HAVE A FORGED RETURN ADDRESS… so MTAs should drop, not bounce spam.

    I had high hopes when I found the backscatter blacklist at http://www.backscatter.org,
    which lists MTAs that cause backscatter. I tried it overnight, and out of roughly
    600 backscatter messages I got, it caught 350, and 250 got into my inbox
    (actually filtered out with rules to do so). The big problem with the black list
    is that the mail server configuration that it protects against is so prevalent that
    many of my customers’ mail servers were on the blacklist.

    Another hope is that one MTA, namely Google, was explicit in the headers that
    it checked the senders IP address and verified it against my domain’s SPF records
    (which don’t exist yet). Since it didn’t find an SPF record that denied that
    some server in Mexico couldn’t send mail for my domain, it went ahead and
    returned the message. Next stop, SPF records, but I doubt that it will affect
    more than a tiny handful of messages since I didn’t see in my logs that
    any MTA other than Google looked at them and made backscatter decisions
    based on them.

  3. Max says:

    One of my pet paranoid theories is that Gmail is training and evaluating its users ability to classify spam. When it encounters a message that it isn’t sure about, it presents the message to users who have correctly classified spam in the past. Tracking those clicks would inform that process.

  4. Peter says:

    > If I train DSPAM that all of these delivery status notifications
    > are spam, it will inevitably throw away anything from “mailer-daemon”.

    For me, DSPAM (unlike, say, SpamAssassin) distinguishes between backscatter and genuine bounces pretty well. There are often things like quoted subject in the bounce that help it.

    But it’s true I’m behind MTA that detects backscatter lately, so I don’t get to deal with this much. I suspect Google employs something similar to what my email provider does, too. In theory, it’s pretty simple: when sending email, you remember who it is sent to, when, message-id etc. and when you get a bounce, you check if the recipient is somewhere in bounce’s content (including routing information in headers).

  5. Charles Darke says:

    How timely. I just started receiving backscatter spam too. I guess I should finally get around to setting up the appropriate anti-forgery protections.

    Coincidentally(?), my SMTP server went down today so managed to avoid most of the backscatter.

  6. Ralph Hartley says:

    It could be yet another attack on our spam filters,
    exploiting the hesitation of many people to classify bounce messages as spam, since they sometimes are very important problem signs.

    Can we rule out the possibility that the messages are *forged* bounces – regular spam designed to look like backscatter in an attempt to increase the probability of getting to a human eyeball?

    Another, perhaps more likely, possibility is that messages are being *deliberately* sent to bad addresses, through a server that the sender knows will bounce it, with the “target” address in the from field.

  7. Karen in Wichita says:

    We’ve seen a huge spike in these this week at the Phoenyx, which makes me wonder if there isn’t some sort of new variety of botnet software out there recently.

    The spams seemed to be all over the map, though; I didn’t see the Storm pattern you got.

    (I did have great fun responding affirmatively to all the challenge/response systems, though. Try to offload your filtering onto me, will ya?)

  8. Chris S says:

    Bounce Address Tag Validation (BATV)

    http://mipassoc.org/batv/

    Some SMTP implementations already provide this as an option.

  9. Kevin Dick says:

    This has been hitting me too. It’s especially annoying when retrieving messages on my iPhone, which doesn’t have client side filters or bulk delete. So I spend five minutes deleting backscatter messages 1-by-1 to get to the 3 legitimate emails.

    It occurs to me that using someone else’s address and causing them real inconvenience may make one’s legal position stronger vis a vis the spammer and the sites benefiting from the spam. Do you know if there is a group prepared to take legal action against them for this sort of thing?

  10. Chris says:

    I started getting hit about 8 days ago.

    Three lines in my .procmailrc now toss it all in a folder.

    Exceptionally annoying.

  11. Chris says:

    This recently occured to me too. I solved it in the end by simply shutting down the email address, however 80-90% of the messages were from anti-spam software warning me that I was sending spam.

    It wasn’t just advertising one product either – it advertised many including downloads.

  12. student says:

    Lehigh University addresses have been receiving backscatter for months now. Not at the level you speak of but seems at least once or twice a day I email myself about enlarging my genitalia.

  13. Andreas Krey says:

    I got a bunch of backscatter like that a month ago or so. Hit at exacly the right time — tight inbox and just about to leave for a weekend, and now having to think up procmail rules for those.

    Sender address verification: Up to now I got those only for spams, and I merrily go througt the process.

  14. Justin Mason says:

    Yes, this has been going on for at least the past month or so. I think one of the big spammers has adopted backscattering as a tactic to evade (broken by design) Sender-Address Verification anti-spam systems.

    In the long run, BATV is the way to go (rather than homebrew systems a la point #3).

    In the meantime, and while all those broken mail systems around the world are still extant, SpamAssassin 3.2.0 and later include a builtin ruleset to detect backscatter and differentiate from “real” bounces, and there are MTA-level tricks that can help.

    I wrote this post last month which covers this in detail. You may find it useful.

  15. Bryan Feir says:

    I had this happening for a while. Started a month before Christmas, went through about three major pulses where about 90% of the mail I was receiving was backscatter like this, then stopped in January with no more warning than when it started. Granted, I can’t be certain it wasn’t my ISP’s spam filter catching on at the end, but I’m not receiving any anymore.

  16. Etaoin Shrdlu says:

    Some legit antispam firewall products (including Barracuda) are helpfully telling me my message “was blocked by our Spam Firewall. The email you sent with the following subject has NOT BEEN DELIVERED”. This is clearly broken behavior. Just drop it and move on!

    That’s only broken if you’re absolutely certain of getting zero false positives. If I, a human being, send an email which gets mistakenly flagged as spam, I sure don’t want it silently disappearing — I want to know it didn’t get through.

  17. David Wagner says:

    There’s a simple solution to this: you add an extra header (“X-My-Bounce-Tag: secret”) to all of your outgoing email. (Replace “secret” with your own personalized secret value.) Then you write a simple procmail script: bounce messages that don’t contain this header get trashed (they’re spam); all other bounce messages are delivered (they’re not spam).

    The reason this works is that mail servers that send a bounce in response to some email almost always include all of email headers in the bounce message. If the original email was forged and sent by someone else, it won’t include your special header, and thus the bounce will be filtered by your procmail script.

    I’ve been doing this for many years and it works brilliantly. You can come up with more complex crypto-based solutions, and if everyone did this the crypto might be needed, but for now the simple approach works fine.

  18. Justin Mason says:

    David: Alternatively, just look for your mailservers’ hostnames in the bounced message’s Received: headers… which is what the SpamAssassin VBounce plugin does ;)

  19. Adam Stanhope says:

    I’m curious… What were the ads for? This used to happen a lot to me, but went away for a long time. This past week I got HUNDREDS of them. The spammer was selling watches – “CHEAP R***X,” “MEN’S DRESS WATCH,” etc. There was also a bit of phallus-raising formula promotion happening, too.

  20. Dan Wallach says:

    In my brief sample, the only scam that seemed to really jump out was people pimping “replica watches” (i.e., fake Rolex watches and the like).

  21. Jack Hartley says:

    Most of the spam results from messages with multiple links. Found that spam filters that seek out to look for the source of the links are best. Now they are using the redirects from legit sites. Lately my spam is composed of Viagra and rolex replica watches. It is a major PITA when you have to filter out legit emails that you need in order to run your business. The backscatter issue is one where they always seek to sneak into my inbox, I think gmail is actually picking those up now.

  22. online proxy says:

    I think Gmail is doing quite good job fighting spam. I rarely get spam emails those days, and I only saw 1 false positive email until now