Re: Dealing with s-p-a-m "backscatter"

[Jesse Thompson <jesse.thompson () DOIT WISC EDU>]

Jeff Giacobbe wrote:
> Colleagues-
>
> Like many of you, we have been experiencing an increase in spam-related
> "backscatter" (non-delivery notifications sent to the victim of a
> spoofed email address)
>
> The incidents are still few in number, thankfully, but when they do
> occur to one of our users they often receive *thousands* of non-delivery
> notifications, usually within a 24hr period. The onslaught of messages
> is not only a nuisance but is often crippling to the victim as they wade
> through all that junk in their Inbox.
>
> I have followed various discussions on this topic but so far have not
> seen a clear solution other than simply blocking all inbound
> "non-delivery" notifications (and presumably other related SMTP
> diagnostic messages) at our gateway. While that would certainly fix the
> immediate problem, it would also mean legitimate non-delivery messages
> (i.e. a simple typo in an address) would never get sent back to our users.
>
> Has anyone come up with a more creative way to block the spam
> backscatter while allowing the legit non-delivery SMTP notifications to
> come through?

Nope.  Luckily it's short lived for each victim.

There's ips.backscatterer.org, which you could use to reject DSNs from
anyone listed on the DNSBL.  However there are a lot of legitimate
servers on that list.  Most notably: Google.

Blocking all DSNs would be a bad idea.

Jesse


> Thanks,
>
> Jeff Giacobbe
> Director of Systems, Security, Networking
> Montclair State University

--
  Jesse Thompson
  Email/IM: jesse.thompson () doit wisc edu

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature