EmailDiscussions.com  

FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.

Old 5 May 2016, 01:18 AM   #31
ewal
Master of the @
 
Join Date: Apr 2002
Location: West Sussex, UK
Posts: 1,334
Looking at this in more detail.

To try to mitigate the impact of my own domains being used for spam campaigns I have implemented SPF, DKIM and DMARC. Now I want to go further.

1. On SPF I still have the 'all' qualifier as ?all. I would ideally like to change this to -all but I understand that will prevent recipients of my valid emails being able to forward emails. Is this true?

2. On DMARC I have changed the P to 'p=quarantine'. Not sure if I set it to reject that will help.

3. I was going to upload to my address book all email addresses I have received emails on. But I now understand that whitelisting is no longer implemented. Not sure why (or when that was announced) but I guess I can now skip populating my address book in such a way?

4. I am also going to populate my 'aliases' with the various email addresses I have actually sent from. I will in the future have to populate new addresses (which is a pain).

5. Once I have done all that I will turn off all wildcards for both domains. Specifically the *.domain.tld in aliases and in my addresses books.

The hope then is that this will stop my domains being used by spam merchants (as the email From addresses they use will not exist) and the SPF and DMARC settings will mitigate most other stuff.

Is this correct? Anything I'm missing?

What I want to avoid is losing valid incoming emails or my valid outgoing emails being blocked.

Cheers
Ed
Old 5 May 2016, 02:01 AM   #32
ao1
Essential Contributor
 
Join Date: Oct 2003
Posts: 327
I'd happily set the SPF record to -all, but some family members use gmail while still setting the From address to be theirname@mydomain.example

How do I whitelist FM and gmail only while disabling the rest?
Old 5 May 2016, 06:07 AM   #33
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,095
Quote:
Originally Posted by dodorkahedron View Post
My situation is very similar. I really hesitate to disable the wildcards; I'd hoped that first wave was going to be the end of it, but there are over a hundred new ones (most of which routed correctly to Spam this time, but not the few which woke me at 3:30am and caused me to check the forum to see if others were similarly affected.)

I will be very disappointed if my main domain becomes blacklisted because of this. I've had it for years and it is paid-up for quite some time into the future. It's been my main online nickname since the 90s! Blasted miscreant spammers.
While the situation is very annoying, I am curious to know why you think your domain could become blacklisted as a result of this. Domain (as opposed to server) blocklists are not intended to block regular spam. (RBLs, listing the IP addresses of the servers sending the spam, satisfy that function.) DBLs are intended to block messages that contain links to malware. Sending a billion or two spam messages with spoofed from addresses that include your domain will not get your domain on a blocklist unless your website for the domain has been hacked and contains malware (a different issue).
Old 5 May 2016, 05:22 PM   #34
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
I completely agree with BritTim's remarks. You shouldn't worry about someone spoofing your address and using it to send spam. It's a pain when you get loads of backscatter delivery failure or other rejection messages, but that shouldn't cause blacklisting for your domain.

Bill
Old 15 May 2016, 02:03 AM   #35
emailer84
Member
 
Join Date: Aug 2008
Posts: 61
I've been receiving many of these "failed to deliver" backscatter messages as well in the past couple of weeks, all sent to invalid addresses at my domain.

Two things:

- Is it worth enabling the option to automatically discard these messages? Is it guaranteed that no "real" email will be wrongly discarded?

- Why are FM's users receiving these emails all of a sudden? Have FM changed a setting somewhere that now means we see these messages, or have FM's customers somehow become a target?

Thanks,
Old 15 May 2016, 01:01 PM   #36
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
Quote:
Originally Posted by emailer84 View Post
Is it worth enabling the option to automatically discard these messages? Is it guaranteed that no "real" email will be wrongly discarded?
I have used the backscatter filter to move such messages to my spam folder for years. I do this not so much because of worry about a false positive (which is very unlikely) as so that I can keep track of such address spoofing. If you don't wish to know about them I see no big problem with deleting backscatter in the filter.
Quote:
Originally Posted by emailer84 View Post
Why are FM's users receiving these emails all of a sudden? Have FM changed a setting somewhere that now means we see these messages, or have FM's customers somehow become a target?
You say that these messages are being sent to aliases at your personal domain. So unless you have changed your spam protection backscatter settings, I'm sure any changes you see are related to changes by the spammers. It would be possible for a spammer to send out thousands of such messages in an hour if they sent them to different targets while always using your From address. In fact, it's possible that this is currently happening, and only a few are being sent to email addresses which generate bounces back to you. There are many spammers, and they often change their techniques. It's hard to guess whether they are attacking particular domains and servers or just randomly trying different techniques.

The only way you can attempt to block spammers spoofing your address is to use SPF and DMARC for your domain.
  • SPF lets destination email systems know which sending servers you use for email from your domain. For example, I publish this SPF record for my personal domain, which informs interested servers that I only send messages from Fastmail servers:
    Code:
    v=spf1 include:spf.messagingengine.com -all
    SPF only requires you to publish the SPF DNS record and then only send through allowed email servers. The sending servers do not need to do anything special.
  • DKIM adds an encrypted signature to a message which indicates whether the message was generated at the From domain and verifies that the message was not modified in transit. Using DKIM requires that you publish a DNS record for your domain specifying a cryptographic key, and then send only using email systems which add an encrypted signed header to each message based on that key. So special actions are necessary at the sending servers you use.
  • DMARC informs destination email servers what actions you wish them to perform if both SPF and DKIM tests fail. More systems have recently been following DMARC recommendations. Fastmail has recently started disabling whitelisting under some conditions regarding DMARC and the From and To addresses. But Fastmail does not yet discard messages based on strict adherence to published DMARC policy.
  • Message forwarding (and some group discussion systems which send messages using the poster's From address) typically breaks SPF, and sometimes DKIM. So message forwarding is becoming more and more of a problem, and in the future it might be difficult to use automatic forwarding due to spam prevention techniques.
  • SPF, DKIM, and DMARC only help domains and sending email systems which make use of these authentication systems. If the recipient email system makes use of SPF and you publish a SPF policy which excludes the spammer's domain, this should stop backscatter in this case.
By the way, you can search for backscatter messages using the following search term:
Code:
header:"X-Backscatter: yes"
Bill
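Bill's SPF bullet above describes the record and the evaluation a receiving server performs; ewal's post #31 asks what changing the final qualifier from ?all to -all does to forwarded mail. The following is an added example (not code from the thread or from Fastmail) that evaluates an SPF record against a sending IP the way a receiver does. The DNS table, the domain names strict.example and neutral.example, the forwarder address 198.51.100.7 and the address ranges behind spf.messagingengine.com are all constructed for the example; the include target name is the one Bill's record uses.

```python
import ipaddress

# Constructed DNS data standing in for live TXT lookups; these are not real records.
# spf.messagingengine.com is the include target Bill's record names; the address
# ranges below are documentation prefixes chosen for this example.
DNS_TXT = {
    "strict.example": ["v=spf1 include:spf.messagingengine.com -all"],
    "neutral.example": ["v=spf1 include:spf.messagingengine.com ?all"],
    "spf.messagingengine.com": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `sender_ip`.

    Returns one of the RFC 7208 result strings: pass, fail, softfail, neutral,
    none, permerror.  Only ip4, ip6, include and all are modelled here.
    """
    if depth > 10:
        return "permerror"          # bounded recursion, as RFC 7208 caps include chains
    records = [r for r in DNS_TXT.get(domain, []) if r.startswith("v=spf1")]
    if not records:
        return "none"               # no policy published: the receiver learns nothing
    if len(records) > 1:
        return "permerror"          # two SPF records is a common misconfiguration
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            # include matches only if the included domain's policy yields pass
            if check_spf(argument, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"      # a, mx, ptr, exists are not modelled in this example
    return "neutral"                # a record without an "all" term defaults to neutral


def forwarding_outcomes():
    """The same genuine message relayed by a third-party forwarder at the
    constructed address 198.51.100.7, judged under the two "all" qualifiers."""
    return {
        "-all": check_spf("strict.example", "198.51.100.7"),
        "?all": check_spf("neutral.example", "198.51.100.7"),
    }


if __name__ == "__main__":
    print("direct from the included range:", check_spf("strict.example", "203.0.113.25"))
    print("via a third-party forwarder:", forwarding_outcomes())
```

Mail sent through the included servers passes under either record. Mail relayed by a forwarder not listed in the record yields "fail" under -all and "neutral" under ?all, which is exactly the trade-off in ewal's question: -all lets receivers reject spoofed mail at SMTP time (so no bounce is generated back to you), at the price of plain forwarding of your genuine mail failing SPF unless the forwarder rewrites the envelope sender.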
Old 15 May 2016, 08:57 PM   #37
emailer84
Member
 
Join Date: Aug 2008
Posts: 61
Thanks very much for your detailed response Bill.

If this trend continues, I may look into enabling these options.
Old 17 May 2016, 09:58 PM   #38
WormholeLawyer
Member
 
Join Date: Feb 2014
Posts: 56
I too have been getting hundreds of these over the past week using the exact same formula as everyone else. Before this, I never received any backscatter spam and nothing has changed.

I know we can't "know" what the spammers are doing, but obviously it is not a coincidence that all of a sudden everyone on FM is getting backscatter.

Was there a breach in FM that allowed a third party to see what domains are using FM?
Old 17 May 2016, 10:42 PM   #39
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,944
Quote:
Originally Posted by WormholeLawyer View Post
Was there a breach in FM that allowed a third party to see what domains are using FM?
There is no need for a breach in anywhere. DNS MX records are free for everybody to see.
Old 18 May 2016, 10:04 AM   #40
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
Quote:
Originally Posted by WormholeLawyer View Post
... I know we can't "know" what the spammers are doing, but obviously it is not a coincidence that all of a sudden everyone on FM is getting backscatter. Was there a breach in FM that allowed a third party to see what domains are using FM?
Since I'm not getting any abnormal amount of backscatter (and I have many FastMail domain aliases and a personal domain hosted at FastMail), I disagree with your premise. I have received two backscatter messages in the past 60 days, sent on April 16 & April 17. These were obviously random dictionary spoofs, since they were both FastMail domain short username aliases which were easy to guess (Bill @ fastmail-owned domain). I have received no backscatter from common FastMail aliases I use or my personal domain in the past 60 days. I discard spam older than 60 days or with spam scores >11, and I have received 94 spam messages with scores <11 in the past 60 days, or an average of about 1.5 spam messages a day filed in my spam folder. I have received many more backscatter in the past, but not recently.

The only way I know of protecting the reputation of your domain and reducing backscatter is as I suggested below (SPF, DKIM, and DMARC). Without publishing SPF for your domain, a receiving email server has no way of knowing which servers send email for your domain, so they have to assume that any message which appears to be from your domain is indeed a proper message. When the message is bounced at the SMTP stage, there is usually no spam filtering at the receiving server and the only way for the server to block the message (not send you backscatter) is if SPF fails, if the sending IP is a known insecure server, or if other behavior of the server is suspicious (such as bad response to greylisting).

My guess is that these reports are the results of random behavior by spammers.

Bill
Old 19 May 2016, 12:07 AM   #41
WormholeLawyer
Member
 
Join Date: Feb 2014
Posts: 56
Quote:
Originally Posted by n5bb View Post
Since I'm not getting any abnormal amount of backscatter (and I have many FastMail domain aliases and a personal domain hosted at FastMail), I disagree with your premise. I have received two backscatter messages in the past 60 days, sent on April 16 & April 17. These were obviously random dictionary spoofs, since they were both FastMail domain short username aliases which were easy to guess (Bill @ fastmail-owned domain). I have received no backscatter from common FastMail aliases I use or my personal domain in the past 60 days. I discard spam older than 60 days or with spam scores >11, and I have received 94 spam messages with scores <11 in the past 60 days, or an average of about 1.5 spam messages a day filed in my spam folder. I have received many more backscatter in the past, but not recently.

The only way I know of protecting the reputation of your domain and reducing backscatter is as I suggested below (SPF, DKIM, and DMARC). Without publishing SPF for your domain, a receiving email server has no way of knowing which servers send email for your domain, so they have to assume that any message which appears to be from your domain is indeed a proper message. When the message is bounced at the SMTP stage, there is usually no spam filtering at the receiving server and the only way for the server to block the message (not send you backscatter) is if SPF fails, if the sending IP is a known insecure server, or if other behavior of the server is suspicious (such as bad response to greylisting).

My guess is that these reports are the results of random behavior by spammers.

Bill
Fair points, but again I have never in my two years of Fastmail and multiple domains received a single backscatter message until this began at the exact same time as other posters and with the exact same naming convention (first name, last name, two numbers, request for a bill to be paid). It just seems too coincidental that folks who never had an issue are all being impacted by the same exact spammers. Just strange is all.
Old 19 May 2016, 04:32 AM   #42
Flyingout
Member
 
Join Date: Nov 2005
Posts: 38
Just adding another victim to the list. It started just over three weeks ago. I'm getting a dozen (or fewer) a day, most of which are moved to spam. FirstLastNumber addresses asking for payment or with zip attachments. This isn't the first time, but the first in many years.

It's not a huge problem and I could have them discarded but want to monitor. The main annoyance is that I get iPhone Mail alerts.

It's happening to one of my three FM hosted domains. This could be an overall trend of increasing domain hijacking, or random DNS harvesting targeting FM hosted addresses. However, this domain is the one that I use to give companies unique addresses (so I need to wildcard accept) so it could have been a leak from one of those companies.

It is curious that it happened to a number of us at the same time.

I tightened SPF to -all with no apparent effect. Hopefully it helps with future attacks. Now looking into DMARC.

Cheers
Old 19 May 2016, 07:09 PM   #43
CyberDyne
Master of the @
 
Join Date: Sep 2004
Posts: 1,583
Question

Would it be safe to filter the following, or is it likely that some legitimate messages also contain this?

Code:
X-Backscatter: NotFound1
Edit:
https://www.fastmail.com/help/techni...ckscatter.html

I think I'll filter them to spam and leave them unread so I can check them.
Old 20 May 2016, 03:31 AM   #44
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
The subject of this email thread concerns backscatter spam, so I'm going to assume that everyone posting in this thread is describing their experience with backscatter, which is not email directly addressed to you from a spammer.
  • Backscatter messages were sent by a spammer to an email address which is not yours and which does not exist. The message you receive nearly always has a subject line created by the innocent email system generating the bounce, such as "Mail delivery failed: returning message to sender". The From header on the bounce message you received is usually something such as "Mail Delivery System" or "Postmaster" at a system address for that domain.
  • If you receive a spam message directly (not a bounce), it's not backscatter and the comments in this thread are not necessarily relevant.
Fastmail adds an X-Backscatter header when the message appears to be an automated response which was not triggered by a message you genuinely sent, and quite a few spam messages seem to cause this header to be generated, even if the headers indicate the message is not a bounce. I believe this is because these spam messages (and a few non-spam messages) have an empty Return-Path header.

Here is my experience in the past 60 days - that's how long I keep old spam (96 spam messages as of today):
  • The NotFound1 tag is added if the original message which generated the backscatter can't be found.
  • I find that about 22% of the true spam messages I receive have an X-Backscatter: NotFound1 header.
  • Only two (2%) of the messages I have received (X-Backscatter: yes) in the past 60 days are true backscatter spam, and they appear to have been sent by the same spammer on adjacent days.
  • I find a few ham (good) messages which contain the X-Backscatter: NotFound1 header, but these are pretty rare. I think this may be because the sending servers were somehow blacklisted.
If you want to perform your own tests on messages stored on your account, perform searches with these search strings:
  • header:"X-Backscatter: yes"
  • header:"X-Backscatter: NotFound1"
Every true spam message I get with the header X-Backscatter: NotFound1 is marked with a spam score of at least 1.8, and nearly all have scores of 3.8 or greater. Only a very few ham (non-spam) have this header set (when the Return-Path is empty). So my feeling is that it's fine to use the header X-Backscatter: NotFound1 to file messages to your Spam folder as long as you are checking this folder periodically for ham.

I am checking with Fastmail staff to see if my interpretation of the empty Return-Path header causing X-Backscatter: NotFound1 is correct.

Bill

Last edited by n5bb : 20 May 2016 at 04:11 AM. Reason: Added comments about empty Return-Path header
Old 20 May 2016, 10:52 AM   #45
Mugwhamp
Cornerstone of the Community
 
Join Date: Jul 2004
Location: Manila
Posts: 509
Quote:
Originally Posted by n5bb View Post
The subject of this email thread concerns backscatter spam, so I'm going to assume that everyone posting in this thread is describing their experience with backscatter, which is not email directly addressed to you from a spammer.
  • Backscatter messages were sent by a spammer to an email address which is not yours and which does not exist. The message you receive nearly always has a subject line created by the innocent email system generating the bounce, such as "Mail delivery failed: returning message to sender". The From header on the bounce message you received is usually something such as "Mail Delivery System" or "Postmaster" at a system address for that domain.
  • If you receive a spam message directly (not a bounce), it's not backscatter and the comments in this thread are not necessarily relevant.
Fastmail adds an X-Backscatter header when the message appears to be an automated response which was not triggered by a message you genuinely sent, and quite a few spam messages seem to cause this header to be generated, even if the headers indicate the message is not a bounce. I believe this is because these spam messages (and a few non-spam messages) have an empty Return-Path header.

Here is my experience in the past 60 days - that's how long I keep old spam (96 spam messages as of today):
  • The NotFound1 tag is added if the original message which generated the backscatter can't be found.
  • I find that about 22% of the true spam messages I receive have an X-Backscatter: NotFound1 header.
  • Only two (2%) of the messages I have received (X-Backscatter: yes) in the past 60 days are true backscatter spam, and they appear to have been sent by the same spammer on adjacent days.
  • I find a few ham (good) messages which contain the X-Backscatter: NotFound1 header, but these are pretty rare. I think this may be because the sending servers were somehow blacklisted.
If you want to perform your own tests on messages stored on your account, perform searches with these search strings:
  • header:"X-Backscatter: yes"
  • header:"X-Backscatter: NotFound1"
Every true spam message I get with the header X-Backscatter: NotFound1 is marked with a spam score of at least 1.8, and nearly all have scores of 3.8 or greater. Only a very few ham (non-spam) have this header set (when the Return-Path is empty). So my feeling is that it's fine to use the header X-Backscatter: NotFound1 to file messages to your Spam folder as long as you are checking this folder periodically for ham.

I am checking with Fastmail staff to see if my interpretation of the empty Return-Path header causing X-Backscatter: NotFound1 is correct.

Bill
Bill,

I'm filtering all of the backscatter messages into the folder of the same name, which doesn't have spam learning activated. Is there an advantage to learning all of these messages as spam? As it is, I'm only moving backscatter messages to the spam folder if they make it to my inbox, which is not frequent. I'm worried that marking those messages as spam (552 in May alone) might skew the finely tuned balance currently evident in my spam filtering.

My current settings, which up to this backscatter spate have been highly effective:
Apply a spam # to subject line: >1
Move to spam folder: >2
Discard: >7

Kevin
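Bill's post #44 describes the two X-Backscatter header values and suggests filing NotFound1 messages to Spam with periodic review, and Kevin's post #45 gives score thresholds (tag above 1, Spam above 2, discard above 7) and a separate Backscatter folder without spam learning. The following is an added example, not code from the thread or from Fastmail, that applies both sets of rules to constructed sample messages using Python's standard email parser. The header values "yes" and "NotFound1" are the ones discussed in the thread; the header name X-Spam-score, the score values, the addresses and the subject-tag format are assumptions made for the example.

```python
import email
from email import policy

# Constructed sample messages; they are not real mail.  The values
# "X-Backscatter: yes" and "X-Backscatter: NotFound1" are the ones Bill describes.
# X-Spam-score is assumed here as the header carrying the numeric spam score.
SAMPLES = {
    "true_bounce": (
        "From: Mail Delivery System <MAILER-DAEMON@mx.example.net>\n"
        "To: someone@mydomain.example\n"
        "Subject: Mail delivery failed: returning message to sender\n"
        "Return-Path: <>\n"
        "X-Backscatter: yes\n"
        "X-Spam-score: 4.1\n"
        "\n"
        "This message was created automatically by mail delivery software.\n"
    ),
    "notfound_spam": (
        "From: Jane Doe42 <jane.doe42@example.org>\n"
        "To: someone@mydomain.example\n"
        "Subject: Please pay the attached bill\n"
        "Return-Path: <>\n"
        "X-Backscatter: NotFound1\n"
        "X-Spam-score: 3.8\n"
        "\n"
        "See attachment.\n"
    ),
    "notfound_ham": (
        "From: Newsletter <news@shop.example>\n"
        "To: someone@mydomain.example\n"
        "Subject: Your order has shipped\n"
        "Return-Path: <>\n"
        "X-Backscatter: NotFound1\n"
        "X-Spam-score: 0.3\n"
        "\n"
        "Tracking number inside.\n"
    ),
    "borderline": (
        "From: Colleague <colleague@work.example>\n"
        "To: someone@mydomain.example\n"
        "Subject: Meeting notes\n"
        "X-Spam-score: 1.5\n"
        "\n"
        "Notes attached.\n"
    ),
    "obvious_spam": (
        "From: Prize Desk <win@lottery.example>\n"
        "To: someone@mydomain.example\n"
        "Subject: You have won\n"
        "X-Spam-score: 9.2\n"
        "\n"
        "Claim now.\n"
    ),
}


def classify(raw):
    """Return (folder, subject) for one raw RFC 5322 message.

    Combines Kevin's threshold settings (tag >1, Spam >2, discard >7) with the
    two X-Backscatter header checks from Bill's post.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    backscatter = str(msg.get("X-Backscatter", "")).strip()
    subject = str(msg.get("Subject", ""))
    try:
        score = float(str(msg.get("X-Spam-score", "0")))
    except ValueError:
        score = 0.0                 # a malformed score must never cause a discard

    if score > 7:
        return ("discard", subject)
    if backscatter == "yes":
        # a genuine bounce of mail you never sent: keep it out of the Inbox but
        # visible, in a folder without spam learning, so spoofing stays trackable
        return ("Backscatter", subject)
    if score > 2 or backscatter == "NotFound1":
        # NotFound1 goes to Spam rather than discard: Bill notes that a few ham
        # messages carry it, so this folder needs periodic review
        return ("Spam", subject)
    if score > 1:
        subject = f"[spam {score:.1f}] {subject}"   # constructed tag format
    return ("Inbox", subject)


def file_all(samples=SAMPLES):
    """Map each sample name to the folder it lands in."""
    return {name: classify(raw)[0] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14s} -> {classify(raw)}")
```

Running it files the true bounce to Backscatter, the two NotFound1 messages to Spam, the borderline message to the Inbox with a tagged subject, and the high-scoring message to discard. The "notfound_ham" sample lands in Spam despite its low score, which is the false-positive case Bill mentions and the reason the NotFound1 rule should file rather than discard.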