Backscatter Spam Is Back

Spammers resurrected a tried-and-true method in March to wreak havoc on inboxes, mail servers and networks, Symantec says.

Spammers increasingly used an old standby in March to reach e-mail inboxes: backscatter.

The practice is back and Symantec researchers are calling it a wake-up call for MTA (mail transfer agent) administrators.

In Symantec's monthly State of Spam report, researchers reported that an increase in bounced messages had led to spammers forging sending e-mail addresses and putting them in the "From" header of their spam messages. The report noted that e-mail processing programs that fire back the full content of a bounced message to the apparent sender of an e-mail create another spam attack vector.

The report states, "Spammers take advantage of MTA (mail transfer agent) programs, which can be configured to send back not only a list of failed recipient addresses, and an explanation [of] why each address failed, but also a copy of the original message in its entirety. Spammers can then bounce their messages around the Internet until they end up in someone's spam folder, or worse, inbox. Since many users want to know if they have accidentally misspelled their friends' e-mail addresses by getting a failed recipient message, these bounced messages will often go unblocked due to configurations of anti-spam filters."

While the technique is not new, Symantec officials said MTA administrators should take heed.

"The effect on corporate networks in relation to bounce message spam is potentially an increase in bandwidth and an influx of unwanted spam messages in users' inboxes with a resulting loss in productivity," said Dermot Harnett, principal analyst with Symantec anti-spam engineering. "MTA programs could be configured so that they do not send back a copy of the original message in its entirety. Additionally, security protocols do exist [that] allow outgoing messages to be signed."

"If a bounce message occurs, the recipient will be able to determine if the message is a 'true' bounce message or if the bounce message has occurred as a consequence of spammer's actions."
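One way the signing described above can work, as an added example that is not from the article or the Symantec report: the sending domain tags its envelope return address with a keyed hash, and accepts a bounce only when it is addressed to a validly tagged, unexpired address. The tag format, key, age limit and function names are assumptions for illustration, loosely modeled on the Bounce Address Tag Validation (BATV) idea.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed sample key; load real keys from a secret store
TAG_LEN = 8                       # hex characters of the HMAC kept in the address (assumption)
MAX_AGE_DAYS = 7                  # bounces for older mail are rejected (assumption)


def _mac(day: int, local: str, domain: str) -> bytes:
    """Keyed hash over the signing day and the original return address."""
    msg = f"{day}:{local.lower()}@{domain.lower()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:TAG_LEN].encode()


def sign_sender(address: str, day: int) -> str:
    """Tagged envelope sender (MAIL FROM) for outgoing mail; day = days since epoch."""
    local, domain = address.rsplit("@", 1)
    return f"sig={day}.{_mac(day, local, domain).decode()}={local}@{domain}"


def is_true_bounce(rcpt: str, today: int) -> bool:
    """True only if the bounce is addressed to a tag this domain issued recently."""
    local, _, domain = rcpt.rpartition("@")
    parts = local.split("=", 2)
    if len(parts) != 3 or parts[0] != "sig":
        return False  # untagged address: the "sender" was forged, so this is backscatter
    stamp, _, tag = parts[1].partition(".")
    if not (stamp.isascii() and stamp.isdigit()):
        return False
    day = int(stamp)
    if not 0 <= today - day <= MAX_AGE_DAYS:
        return False  # expired or future-dated tag
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    return hmac.compare_digest(tag.encode(), _mac(day, parts[2], domain))


if __name__ == "__main__":
    signed = sign_sender("alice@example.com", 14000)  # constructed address and day
    for rcpt, today in [(signed, 14002), ("alice@example.com", 14002), (signed, 14020)]:
        print(rcpt, "->", "accept" if is_true_bounce(rcpt, today) else "reject")
```

Only null-sender delivery status notifications should be held to this check; ordinary mail to the untagged address is delivered as usual.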

The majority of the bounced e-mails observed by Symantec were Russian-language messages, though many of the originating IP addresses were from across the globe. The United States, however, continued to be the top country of origin for spam, leading the way with nearly 25 percent, according to the report. Overall, Symantec researchers found spam accounted for an average of 81 percent of all e-mail during March.