Block E-Mail Bounces with BATV

Opinion: A new standard, implemented in IronPort hardware, can nip blowback in the bud.

Imagine your incoming e-mail volume suddenly leaping to 360 times normal. It's not spam, strictly speaking. It's a misdirected bounce attack.

Bounces used to be a good and useful thing. When you send an e-mail to an invalid address or make some other sort of error, you want to know that it didn't get through. But along the way, bounces got abused, like everything else wholesome about e-mail, to the point where you had to avoid them as a matter of course.

First, bounces became accomplices to spamming through directory harvest attacks. In this attack, a spammer picks a domain and sends out a large number of messages, guessing at the user-name portion of the address, often by working through a list of common names (e.g., john@foo.com, martha@foo.com and so on). If a message bounces, that address does not exist in the domain; the ones that don't bounce are real, and those are the addresses the spammer then targets. Because of this threat, many domains no longer send bounces for unknown addresses at all.
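Refusing to bounce is only half a defense: a server that rejects unknown recipients at RCPT time instead of bouncing later avoids the backscatter, but the 550 reply still tells a prober which addresses exist. The complementary control is to notice the probing itself. The script below is an added example, not code from the article or from IronPort; it runs over a handful of constructed Postfix-style reject lines (the IPs, names and timestamps are made up) and reports any client that tried more than a threshold of distinct unknown recipients, which is the signature of a harvest rather than a typo.

```python
import re
from collections import defaultdict

# Constructed Postfix smtpd reject lines (not real traffic): client 203.0.113.7
# walks through guessed names; client 198.51.100.9 makes a single typo.
SAMPLE_LOG = """\
Jun 12 10:00:01 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <john@foo.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@example.net> to=<john@foo.com> proto=ESMTP helo=<example.net>
Jun 12 10:00:01 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <martha@foo.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@example.net> to=<martha@foo.com> proto=ESMTP helo=<example.net>
Jun 12 10:00:02 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <peter@foo.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@example.net> to=<peter@foo.com> proto=ESMTP helo=<example.net>
Jun 12 10:00:02 mx postfix/smtpd[2235]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <susan@foo.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@example.net> to=<susan@foo.com> proto=ESMTP helo=<example.net>
Jun 12 10:00:03 mx postfix/smtpd[2235]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <david@foo.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@example.net> to=<david@foo.com> proto=ESMTP helo=<example.net>
Jun 12 10:00:03 mx postfix/smtpd[2235]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <karen@foo.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@example.net> to=<karen@foo.com> proto=ESMTP helo=<example.net>
Jun 12 10:00:04 mx postfix/smtpd[2240]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.9]: 550 5.1.1 <jhon@foo.com>: Recipient address rejected: User unknown in local recipient table; from=<ann@example.org> to=<jhon@foo.com> proto=ESMTP helo=<mail.example.org>
"""

# Matches Postfix's "User unknown" rejection at RCPT time and pulls out the
# connecting client's IP and the recipient it guessed.
REJECT_RE = re.compile(
    r"reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: 550 \S+ <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)


def find_harvesters(log_text, threshold=5):
    """Return {client_ip: distinct_unknown_recipients} for clients at or over threshold.

    Counting distinct recipients rather than raw rejections matters: a
    misconfigured relay retrying one bad address is noisy but harmless,
    while a harvester touches a new mailbox on every attempt.
    """
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            probes[m["ip"]].add(m["rcpt"].lower())
    return {ip: len(rcpts) for ip, rcpts in probes.items() if len(rcpts) >= threshold}


if __name__ == "__main__":
    for ip, count in find_harvesters(SAMPLE_LOG).items():
        print(f"probable directory harvest from {ip}: {count} unknown recipients tried")
```

A client flagged this way is a candidate for a temporary block or for Postfix's own per-client error limits; those limits act within one SMTP session, whereas the tally above also catches a prober that spreads guesses across many short connections, as the two session IDs in the sample show.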

Another threat these days is what is sometimes called spam blowback, or backscatter. As most of you know, when an e-mail is sent across the Internet from sender@foo.com to recipient@bar.com, SMTP itself gives the folks at bar.com no way to confirm that the message was in fact sent by sender@foo.com, or by anyone at foo.com.

So imagine that the sender address is forged, the message came from nobody at foo.com, and there is no user "recipient" at bar.com. If bar.com still sends bounce messages, it will send this one to foo.com. Sender@foo.com (if there is such a user) receives the bounce and says to himself, "Huh? I didn't send this."


Now imagine that a major phishing run goes out: millions of e-mails with a forged sender of support@facelessnationalbank.com. Some percentage of those recipient addresses, a very large absolute number, will be wrong, and the bounces will "blow back" to the mail servers at Faceless National.

This has the potential to clog the bank's infrastructure massively. According to IronPort, one bounce attack against US Life Insurance pushed its inbound mail volume from the typical 10,000 messages to 3,653,201. A jump like that will cause anyone problems. And because many bounces quote the original message in full, the returned copies often carry the phishing content or malware itself.
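The forged-sender scenario above and the blowback volume it produces have one root cause: a bounce arrives addressed to sender@foo.com, and foo.com cannot tell whether it ever sent the original. Bounce address tag validation, the scheme the title refers to, fixes that by signing the envelope sender on the way out. What follows is an added example written for this page, not IronPort's implementation or the BATV draft's reference code. It rewrites MAIL FROM into the prvs form (prvs=KDDDSSSSSS=local@domain: a one-digit key number, an expiry day modulo 1000, six hex digits of a keyed hash) and accepts an inbound bounce (null MAIL FROM) only when its recipient carries a tag that verifies and has not expired. The key store, the seven-day lifetime and the exact bytes fed to the HMAC are my assumptions.

```python
import hashlib
import hmac
import re
import time

# Assumed key store for this example. The prvs tag carries a one-digit key
# number so secrets can be rotated; a real deployment keeps the key out of source.
KEYS = {0: b"example-secret-rotate-me"}
ACTIVE_KEY = 0
LIFETIME_DAYS = 7  # how long a tagged address keeps accepting bounces (assumed)

# prvs=KDDDSSSSSS=local@domain: K key id, DDD expiry day mod 1000, SSSSSS hex signature
PRVS_RE = re.compile(
    r"^prvs=(?P<k>\d)(?P<ddd>\d{3})(?P<sig>[0-9a-fA-F]{6})=(?P<addr>[^@]+@.+)$"
)


def _day(now):
    return int(now // 86400)


def _sig(key, ddd, addr):
    # Keyed hash over the expiry day and the full address. The BATV draft hashes
    # the day and the local part; binding the domain as well is my choice.
    mac = hmac.new(key, f"{ddd:03d}:{addr.lower()}".encode(), hashlib.sha1)
    return mac.hexdigest()[:6]


def tag_sender(addr, now=None):
    """Rewrite the envelope MAIL FROM of outbound mail into signed prvs form."""
    now = time.time() if now is None else now
    ddd = (_day(now) + LIFETIME_DAYS) % 1000
    return f"prvs={ACTIVE_KEY}{ddd:03d}{_sig(KEYS[ACTIVE_KEY], ddd, addr)}={addr}"


def strip_tag(addr):
    """Recover the real mailbox so an accepted bounce can be delivered."""
    m = PRVS_RE.match(addr)
    return m["addr"] if m else addr


def check_bounce(mail_from, rcpt_to, now=None):
    """Inbound policy: (accept, reason) for a given envelope sender and recipient.

    A bounce carries the null sender (MAIL FROM:<>). One addressed to us is
    legitimate only if the recipient carries a tag we generated, the signature
    verifies under the named key, and the expiry day has not passed.
    """
    now = time.time() if now is None else now
    if mail_from != "":
        return True, "not a bounce; BATV does not apply"
    m = PRVS_RE.match(rcpt_to)
    if not m:
        return False, "untagged bounce: we never sent the original (blowback)"
    key = KEYS.get(int(m["k"]))
    if key is None:
        return False, "tag signed with an unknown key"
    ddd = int(m["ddd"])
    if not hmac.compare_digest(_sig(key, ddd, m["addr"]), m["sig"].lower()):
        return False, "tag signature mismatch (forged or altered)"
    # Days until expiry, mod 1000; a past expiry wraps around to a large value.
    if (ddd - _day(now)) % 1000 > LIFETIME_DAYS:
        return False, "tag expired (stale or replayed bounce)"
    return True, "valid bounce for mail we actually sent"


if __name__ == "__main__":
    tagged = tag_sender("sender@foo.com")
    print("outbound MAIL FROM:", tagged)
    print("bounce to our tag:      ", check_bounce("", tagged))
    print("bounce to plain address:", check_bounce("", "sender@foo.com"))
    print("bounce with altered tag:", check_bounce("", tagged.replace("=sender@", "=victim@")))
    print("delivery mailbox:", strip_tag(tagged))
```

The phishing run against Faceless National is the untagged case: every one of those millions of forged envelopes carries a plain support@facelessnationalbank.com, so every resulting bounce fails the first check and is refused at RCPT time, before the quoted malware ever enters the queue. Two caveats a deployment has to handle: every outbound path, including web applications and ticketing systems that send as the domain, must tag, or their legitimate bounces will be refused; and some receivers compare envelope senders across messages, so a tag that changes daily can look like a new sender to them.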
