Proofpoint is launching an attack on backscatter spam, joining a chorus of voices supporting Bounce Address Tag Validation that includes Cisco and Webroot.
Backscatter spam is far from a new phenomenon. Also called non-delivery receipt spam (NDR spam), backscatter occurs when spammers forge someone else’s address as the sender of their messages, both in the visible “From” field and, more importantly, in the SMTP envelope sender (the MAIL FROM address, also seen as Return-Path), which is where bounces are addressed. If a receiving mail server accepts such a message and only later discovers that it is undeliverable, the non-delivery receipt goes to the forged sender address instead of to the spammer. (A server that rejects the message during the SMTP transaction itself generates no NDR, so backscatter comes specifically from accept-then-bounce behaviour.) The net result is unwary e-mail users receiving NDRs for e-mails they never sent.
“The large volume of spam being sent by botnets typically is sent with a spoofed “From” line that, of course, has nothing to do with the actual origin of the spammy e-mail,” said Rami Habal, director of product marketing for Proofpoint. “Because of the large volume of messages being sent – and the high likelihood that the recipient address doesn’t actually exist – when one’s domain is spoofed in this way, a huge volume of NDRs can be generated. These bogus bounces clog both the mail server itself and…cause the same type of consternation and productivity impacts as ‘actual’ spam.”
Looking to address this problem, Proofpoint has built support for the latest BATV specification into Proofpoint 5.5, the latest version of its e-mail and data security platform. BATV rewrites the envelope sender address of each outbound message to carry a time-limited cryptographic tag. Because any legitimate bounce or auto-response is addressed to that envelope sender, an inbound NDR that arrives at an address with no tag, an expired tag or a tag whose signature does not verify cannot be a reply to mail the domain actually sent, and can be rejected without inspecting the body of the bounce at all.
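The tagging and checking described above, as an added example that is not Proofpoint’s or any other vendor’s code: a minimal BATV-style envelope-sender tagger and bounce checker in Python. It follows the shape of the PRVS tag from the BATV draft (`prvs=KDDDSSSSSS=local@domain`: a key-version digit, a three-digit expiry day and a truncated HMAC-SHA1), but the exact hash input, the secret key, the seven-day validity window and the addresses below are this example’s own choices and are not guaranteed to match the draft byte for byte.

```python
"""BATV-style envelope-sender tagging and bounce validation (illustrative example)."""
import hashlib
import hmac
import re
from datetime import date
from typing import Dict, Tuple

# Assumed per-domain signing secret; in practice a rotated secret held only by the
# outbound and inbound gateways, selected on inbound by the key-version digit K.
SECRET_KEY = b"example-batv-secret"
KEY_VERSION = 0            # single decimal digit in the tag
VALIDITY_DAYS = 7          # example choice: tags older than this are refused

# prvs=K DDD SSSSSS=original-local-part
PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$", re.IGNORECASE)


def _day_number(d: date) -> int:
    """Days since 1970-01-01; the tag carries only its low-order three digits."""
    return (d - date(1970, 1, 1)).days


def _signature(key: bytes, key_version: int, expiry_ddd: int, address: str) -> str:
    """First 24 bits (6 hex digits) of HMAC-SHA1 over key version, expiry day and address."""
    msg = f"{key_version}{expiry_ddd:03d}{address.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()[:6]


def tag_sender(address: str, today: date,
               key: bytes = SECRET_KEY, key_version: int = KEY_VERSION) -> str:
    """Outbound side: rewrite MAIL FROM <local@domain> to <prvs=KDDDSSSSSS=local@domain>."""
    local, domain = address.rsplit("@", 1)
    expiry_ddd = (_day_number(today) + VALIDITY_DAYS) % 1000
    sig = _signature(key, key_version, expiry_ddd, address)
    return f"prvs={key_version}{expiry_ddd:03d}{sig}={local}@{domain}"


def check_tag(address: str, today: date, keys: Dict[int, bytes]) -> Tuple[bool, str]:
    """Inbound side: validate a tagged RCPT TO. Returns (ok, original_address_or_reason)."""
    if "@" not in address:
        return False, "malformed address"
    local, domain = address.rsplit("@", 1)
    m = PRVS_RE.match(local)
    if not m:
        return False, "no prvs tag"
    key_version, ddd = int(m.group(1)), int(m.group(2))
    sig, orig_local = m.group(3).lower(), m.group(4)
    key = keys.get(key_version)
    if key is None:
        return False, "unknown key version"
    orig = f"{orig_local}@{domain}"
    expected = _signature(key, key_version, ddd, orig)
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    # DDD is days-since-epoch mod 1000, so measure distance to expiry with wraparound:
    # a valid tag expires 0..VALIDITY_DAYS days from now; anything else is in the past.
    days_left = (ddd - _day_number(today)) % 1000
    if days_left > VALIDITY_DAYS:
        return False, "expired"
    return True, orig


def inbound_decision(mail_from: str, rcpt_to: str, today: date,
                     keys: Dict[int, bytes]) -> Tuple[str, str]:
    """RCPT TO policy for the inbound gateway. Returns ('accept'|'reject', detail).

    The SMTP null sender (MAIL FROM:<>) marks NDRs and most auto-responses.  The
    decision uses only the envelope addresses, so an empty NDR with no copy of the
    original message is judged exactly like one that quotes it in full.
    """
    if "@" not in rcpt_to:
        return "reject", "malformed recipient"
    local, _domain = rcpt_to.rsplit("@", 1)
    is_bounce = mail_from == ""
    if local.lower().startswith("prvs="):
        ok, detail = check_tag(rcpt_to, today, keys)
        return ("accept", detail) if ok else ("reject", detail)
    if is_bounce:
        return "reject", "bounce to untagged address: this domain never sent the message"
    return "accept", rcpt_to          # ordinary mail to a plain address is unaffected


if __name__ == "__main__":
    today = date(2008, 10, 15)      # constructed date for a reproducible run
    keys = {KEY_VERSION: SECRET_KEY}
    tagged = tag_sender("alice@example.com", today)
    print("outbound MAIL FROM:", tagged)
    print("bounce to tagged address:", inbound_decision("", tagged, today, keys))
    print("bounce to plain address: ", inbound_decision("", "alice@example.com", today, keys))
    print("stale bounce (9 days on):", inbound_decision("", tagged, date(2008, 10, 24), keys))
```

Two caveats a deployment has to plan for. Every host that sends mail with the domain in MAIL FROM must go through the tagging gateway, or its legitimate bounces will be refused as backscatter; and auto-responders that reply from a real address rather than the null sender are not caught by the `is_bounce` test, which is why the tag check above is applied to any `prvs=` recipient regardless of the sender.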
Other security vendors are doing the same. Cisco, which acquired IronPort Systems in 2007, uses the BATV approach in IronPort’s e-mail security portfolio. In addition, Webroot included BATV support in the latest version of its e-mail security SaaS (software-as-a-service) offering in August.
Part of the problem in stopping backscatter spam is that mail systems often have their own way of reporting undeliverable e-mails. While some anti-spam techniques can identify bogus bounces, many NDRs don’t have contextual clues that can be used to determine their legitimacy, Habal said.
“In some cases, the NDR contains the entire original message – with or without various headers – or an excerpt of that message and its original headers,” he explained. “In those cases, an anti-spam system might be able to catch the NDR as spam based on the ‘spammy content’ that it contains.”
“However,” he continued, “some NDRs do not include parts of the original message. In this case, there are no clues that can be used to determine whether the bounce is bogus or not. It’s these empty NDRs that BATV is extremely helpful in identifying.”