EmailDiscussions.com  

Old 28 Apr 2016, 06:54 AM   #1
dodorkahedron
Junior Member
 
Join Date: Jun 2013
Posts: 25
Spike in amount of backscatter spam in inbox

I have received several false "delivery status notifications" (with fake forged addresses from domains I manage through FM) in the past hour that show as recognized backscatter in the header but still arrive in my inbox.

My spam level is set at Standard (always block messages from known insecure email hosts/relays; move message to Spam when score is 5+; discard when score is 10+; add score as {spam xx.x} when 5+)

Is anyone else experiencing an inbox influx of backscatter spam? Or, regular spam in the inbox, for that matter. Seems to be on the rise again over the past few weeks. (I didn't realize 419 scammers were still so active!)

Old 28 Apr 2016, 07:09 AM   #2
walesrob
Essential Contributor
 
Join Date: Dec 2006
Location: UK
Posts: 392
Quote:
Originally Posted by dodorkahedron
I have received several false "delivery status notifications" (with fake forged addresses from domains I manage through FM) in the past hour that show as recognized backscatter in the header but still arrive in my inbox.

My spam level is set at Standard (always block messages from known insecure email hosts/relays; move message to Spam when score is 5+; discard when score is 10+; add score as {spam xx.x} when 5+)

Is anyone else experiencing an inbox influx of backscatter spam? Or, regular spam in the inbox, for that matter. Seems to be on the rise again over the past few weeks. (I didn't realize 419 scammers were still so active!)
Yep, me too, although all but one were correctly filed into spam. Must have had about 10 DSNs in one hour, then they suddenly stopped again.
Old 28 Apr 2016, 07:21 AM   #3
Mugwhamp
Cornerstone of the Community
 
Join Date: Jul 2004
Location: Manila
Posts: 509
Quote:
Originally Posted by walesrob
Yep, me too, although all but one were correctly filed into spam. Must have had about 10 DSNs in one hour, then they suddenly stopped again.
Same here, but my finely tuned spam folder is not catching them in most cases. They are using spoofed subdomains of FastMail domains that I use.
Old 28 Apr 2016, 07:56 AM   #4
neilj
Cornerstone of the Community
 
Join Date: Apr 2004
Location: Melbourne
Posts: 971

Representative of:
Fastmail.fm
Make sure you have backscatter protection turned on in Settings -> Spam Protection (click the Show Advanced link).
Old 28 Apr 2016, 08:16 AM   #5
dodorkahedron
Junior Member
 
Join Date: Jun 2013
Posts: 25
Thanks, Neil. I thought I'd had it set to send backscatter to the Spam folder; apparently I didn't. Thanks to everyone else for your replies as well!
Old 28 Apr 2016, 09:19 AM   #6
Mugwhamp
Cornerstone of the Community
 
Join Date: Jul 2004
Location: Manila
Posts: 509
Quote:
Originally Posted by neilj
Make sure you have backscatter protection turned on in Settings -> Spam Protection (click the Show Advanced link).
I know for a fact that I had it enabled before the Settings screen update, but when I checked just now, it was not enabled. FYI. BTW, is it better to set to discard or put it in my Spam folder? I don't want it to upset the fine tuning of my spam filter.
Old 28 Apr 2016, 01:45 PM   #7
WormholeLawyer
Member
 
Join Date: Feb 2014
Posts: 56
I am having the same thing. Why is this impacting all of us on Fastmail? I've never had this issue before.

Also, do we need to do anything with our SPF or DKIM to stop this?
Old 28 Apr 2016, 03:17 PM   #8
anotherJeremy
Essential Contributor
 
Join Date: Aug 2004
Location: Japan
Posts: 226
I'm getting a lot of backscatter too. Could have sworn I had backscatter protection set up, but looking at my settings I saw that it was turned off. I hope turning it back on fixes the issue.
Old 28 Apr 2016, 04:09 PM   #9
misc
Essential Contributor
 
Join Date: Jul 2013
Location: Germany
Posts: 251
I've not realized yet that there are advanced settings.

So, what to put in that 'Trusted Hosts' field exactly? E.g., I'm forwarding mail from my icloud.com address to fastmail. In the raw message view, I can find 'Received' headers containing icloud.com, me.com and apple.com as well. So put all those three domains as trusted host?

Same is with gmail, you can find gmail.com as well as google.com headers. Any suggestions?

Thanks,
Michael
Old 28 Apr 2016, 07:08 PM   #10
walesrob
Essential Contributor
 
Join Date: Dec 2006
Location: UK
Posts: 392
Wow, I had a snowstorm of these this morning. I've set up DMARC on the domains affected and the reports are coming in thick and fast. I've also temporarily changed the SPF record to -all as I only use FM for email.
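Post #10 mentions publishing DMARC and switching the SPF record to -all. The following is an added example, not code from any poster or from FastMail, that checks what a pair of TXT records tells receiving servers to do with mail forging the domain; the record strings, the include host and the report address are constructed placeholders.

```python
# Added example: audit SPF and DMARC TXT record strings for a forged domain.
# All records below are constructed samples, not real DNS data.
SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_all_result(record):
    """Return the result the SPF record gives to senders it does not list."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    redirect = False
    for term in (t.lower() for t in terms[1:]):
        if term.startswith("redirect="):
            redirect = True          # only used when no "all" is present
            continue
        # A mechanism without a qualifier defaults to "+" (pass).
        qualifier, mech = (term[0], term[1:]) if term[0] in SPF_QUALIFIERS else ("+", term)
        if mech == "all":
            return SPF_QUALIFIERS[qualifier]
    return "redirect" if redirect else "neutral"

def parse_dmarc(record):
    """Split a DMARC record into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def audit(spf, dmarc):
    """List the ways the records leave forged mail unblocked or unreported."""
    findings = []
    result = spf_all_result(spf)
    if result != "fail":
        findings.append(f"SPF default is {result}, not fail (-all)")
    tags = parse_dmarc(dmarc)
    policy = tags.get("p", "none").lower()   # assumption: missing p treated as none
    if policy == "none":
        findings.append("DMARC p=none: failures are reported, not blocked")
    # sp (subdomain policy) inherits p when absent.
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("DMARC sp=none: forged subdomains are not covered")
    if "rua" not in tags:
        findings.append("DMARC has no rua: no aggregate reports")
    return findings

WEAK = ("v=spf1 include:spf.example.net ~all", "v=DMARC1; p=none")
STRICT = ("v=spf1 include:spf.example.net -all",
          "v=DMARC1; p=reject; rua=mailto:dmarc@example.org")
```

These records affect how other receivers treat mail that forges the domain; they do not filter bounces that have already been generated and sent to your inbox.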
Old 29 Apr 2016, 01:06 AM   #11
CyberDyne
Master of the @
 
Join Date: Sep 2004
Posts: 1,583
Huge amount of these in the last 48 hours but worryingly, while they were all initially sent from a faked alias of a number of my addresses, some were from aliases I've never even sent email from. I do hope there's not been some sort of breach during which said aliases were harvested.
Old 29 Apr 2016, 01:46 AM   #12
dodorkahedron
Junior Member
 
Join Date: Jun 2013
Posts: 25
I've received 29 more of these since I posted yesterday, 19 of which arrived this morning. Most are routed to Spam since re-enabling backscatter protection, but not all.

The forged return address format follows a specific pattern in each one:
Firstname Lastname and a 3 or 4 digit number. They reference an "invoice" and usually have an attachment. I'm worried that my domains, which I use solely for personal email, will end up being blacklisted.

Btw, I have two new domains which have not yet been used to send/receive mail and those have not seen any backscatter activity. It's the domains I use for public posting on listservs and forums that have been involved (so hopefully it's just bad actors webscraping addresses and not a breach within FM itself.)
Old 29 Apr 2016, 02:51 AM   #13
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,090
It is sending servers, not domains, that get blacklisted, so that concern (at least) should be groundless.
Old 29 Apr 2016, 03:15 AM   #14
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,942
Quote:
Originally Posted by BritTim
It is sending servers, not domains, that get blacklisted.
Really?
From the Spamhaus site:
Quote:
The Spamhaus DBL is a realtime database of domains (typically web site domains) found in spam messages [...] The DBL is queriable in realtime by mail systems throughout the Internet, allowing mail server administrators to identify, tag or block incoming email containing domains which Spamhaus deems to be involved in the sending, hosting or origination of Unsolicited Bulk Email
(my emphasis)
Old 29 Apr 2016, 06:37 AM   #15
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,090
See https://www.spamhaus.org/faq/section/Spamhaus%20DBL#282.
Quote:
If my domain is forged in spam, will it be listed?
The DBL is built predominantly using automated spamtraps and email flow monitoring. It has many checks to prevent legitimate domains being listed. Even a large spam run that forges a legitimate domain will not cause a domain listing.

Nor is it possible for someone (say your competitor) to get your domain blacklisted by simply forging your domain and sending us a spam report. Spamhaus does not accept or process spam reports from the public.

Our system also ignores legitimate domains seen in backscatter bounce messages.
It is possible for your domain to be listed if your website has been hacked and a spam run includes links to malware infested pages on your site. Simple forged email addresses in your domain will not cause you to be listed in a DBL (though, of course, there are other issues).
All times are GMT +9.