Last modified: Friday, 11-Apr-2008 15:32:48 EDT
Around June 2007, I began receiving lots of backscatter emails on one of my private email accounts. At first, I thought it was a "joe job" attack, since I have reported spam sent to that account, and thought the spammers were retaliating against me. Now, after analyzing the backscatter, I believe it is an automated joe-job-like spamming technique.
Backscatter is caused when a spammer forges an address of a real user in the "From:" field of her spams, and when some of those spams fail to be delivered (for various reasons, such as invalid To: address, etc.), the "bounce" messages come back to the forged From: address.
By November 2007, I was receiving more than 800 per day! So, I began to analyze the SMTP headers of the spam message that provoked the backscatter. I also looked at similar spam messages posted on Usenet in the group news.admin.net-abuse.sightings, and I realized that I was not the only person receiving backscatter.
Here are the results of an interesting discovery I made. In a great number of the backscatter messages I received, the spoofed From: address is linked to a forged Received: line in the RFC822 headers of the embedded spam that provoked the backscatter. Note that not all backscatter contains the headers of the original message, so I searched news.admin.net-abuse.sightings to confirm my hypothesis.
Here are the headers of one such spam (which, in this case, did not "bounce" but was reported by the recipient of the spam). It was seen on Google Groups:
Return-path: <em...@talk21.com>
Received: from ppp91-122-24-126.pppoe.avangard-dsl.ru ([91.122.24.126])
    by ******** with esmtp (Exim 4.66)
    (envelope-from <em...@talk21.com>)
    id 1IwLhF-0004FH-T3
    for ***@********; Sun, 25 Nov 2007 11:55:10 -0600
Received: from [91.122.24.126] by ns2.bt.net; Sun, 25 Nov 2007 17:56:20 +0000
Message-ID: <000701c82f8c$07b7154e$61d26f95@ngixk>
From: "Replica Watches" <em...@talk21.com>
To: "Watches" <***@********>
Subject: Exquisite Replica
Date: Sun, 25 Nov 2007 16:08:57 +0000
The From: address and the second Received: line (highlighted in the original page) are the parts forged by the spammer. The From: address is obviously forged, since spammers never give their real address. The following Received: line is also forged:
Received: from [91.122.24.126] by ns2.bt.net; Sun, 25 Nov 2007 17:56:20 +0000
We know it is forged because it does not link to the Received: line that precedes it: the "from" part of the preceding line (ppp91-122-24-126.pppoe.avangard-dsl.ru) does not correspond to the "by" part (ns2.bt.net) of the forged Received: line.
Furthermore, the forged "by" host (ns2.bt.net) is not arbitrary. The spammers have tried to make it look like <em...@talk21.com> really sent the spam, by creating a Received: line containing a host tied to talk21.com through its DNS records. For example, a DNS lookup of talk21.com yields the following results:
Domain          Type  Class  Result
talk21.com.     MX    IN     10 mx1.talk21.mail.yahoo.com.
talk21.com.     MX    IN     20 mx2.talk21.mail.yahoo.com.
talk21.com.     NS    IN     ns2.bt.net.
talk21.com.     NS    IN     ns0.bt.net.
talk21.com.     NS    IN     ns1.bt.net.
ns0.bt.net.     A     IN     217.35.209.188
ns1.bt.net.     A     IN     217.32.105.91
ns2.bt.net.     A     IN     217.32.105.90
Here's another example from Google Groups:
From sa...@telesensventures.com Mon Nov 26 00:08:28 2007
Received: from mx0.public.com (mx0.public.com [66.112.160.20])
    by public.com (8.12.10/8.12.10) with ESMTP id
    lAQ58SST093564 for <x...@public.com>; Mon, 26 Nov 2007 00:08:28
    -0500 (EST)
Received: from 121.88.184.97 ([121.88.184.97]) by mx0.public.com
    (8.11.6/8.11.6) with ESMTP id lAQ58Rs29724 for <m...@fw.merk.com>;
    Mon, 26 Nov 2007 00:08:28 -0500
Received: from [121.88.184.97] by a.ns.joker.com; Mon, 26 Nov 2007
    05:08:11 +0000
Message-ID: <000701c82fea$052ea66a$5e6137b7@dtnoh>
From: "Replica Watches" <sa...@telesensventures.com>
To: "Exquisite Replica" <m...@fw.merk.com>
Subject: Exquisite Replica
Date: Mon, 26 Nov 2007 03:20:49 +0000
We apply the same algorithm. We look up the DNS records (MX and NS) for telesensventures.com, for example using http://www.hscripts.com/tools/HDNT/dns-record.php:
Domain                  Type  Class  Result
telesensventures.com.   MX    IN     10 mx0.telesensventures.net.
telesensventures.com.   MX    IN     10 mx10.telesensventures.net.
telesensventures.com.   NS    IN     b.ns.joker.com.
telesensventures.com.   NS    IN     c.ns.joker.com.
telesensventures.com.   NS    IN     a.ns.joker.com.
Once again, it becomes obvious how the spoofed Received: line is generated: the forged "by" host (a.ns.joker.com) is one of the name servers of the spoofed From: domain.
I have tried this algorithm on several of the 20,000+ (!) backscattered spams I have received, and it is always the case that the "by" host of the forged Received: line matches one of the hostnames returned by the DNS lookup (MX and NS records) of my email address' domain name.
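The two checks described above (does each Received: line chain to the one above it, and is the "by" host of a non-chaining line an MX or NS name of the From: domain?) can be automated. The following is an added example, not code from the original page; it works offline on a constructed copy of the first spam's headers (the masked receiving host is replaced by the placeholder mx.example.invalid) and on a hypothetical DNS_HOSTS table standing in for a live lookup.

```python
import re

# Constructed sample: the first spam's headers from the page, with the masked
# receiving host replaced by a placeholder. Continuation lines are indented.
SAMPLE_HEADERS = """\
Return-path: <em...@talk21.com>
Received: from ppp91-122-24-126.pppoe.avangard-dsl.ru ([91.122.24.126])
    by mx.example.invalid with esmtp (Exim 4.66)
    (envelope-from <em...@talk21.com>)
    id 1IwLhF-0004FH-T3
    for victim@example.invalid; Sun, 25 Nov 2007 11:55:10 -0600
Received: from [91.122.24.126] by ns2.bt.net; Sun, 25 Nov 2007 17:56:20 +0000
Message-ID: <000701c82f8c$07b7154e$61d26f95@ngixk>
From: "Replica Watches" <em...@talk21.com>
Subject: Exquisite Replica
"""

# Hypothetical offline stand-in for a live DNS lookup: the MX and NS hostnames
# of the From: domain, copied from the lookup result shown on the page.
DNS_HOSTS = {
    "talk21.com": {"mx1.talk21.mail.yahoo.com", "mx2.talk21.mail.yahoo.com",
                   "ns0.bt.net", "ns1.bt.net", "ns2.bt.net"},
}

def unfold_headers(raw):
    """Return (name, value) pairs, joining RFC 822 folded continuation lines."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append([name.strip(), value.strip()])
    return [(n, v) for n, v in fields]

def received_hosts(value):
    """Extract the 'from' and 'by' hosts of a Received: value (lower-case, no brackets)."""
    m_from = re.search(r"\bfrom\s+\[?([^\s\]\(]+)", value, re.I)
    m_by = re.search(r"\bby\s+([^\s;\(]+)", value, re.I)
    return (m_from.group(1).lower() if m_from else None,
            m_by.group(1).lower() if m_by else None)

def find_forged_received(raw, dns_hosts):
    """For each Received: line that does not chain to the one above it, return
    (by_host, by_host is an MX/NS name of the From: domain)."""
    fields = unfold_headers(raw)
    from_addr = next(v for n, v in fields if n.lower() == "from")
    domain = re.search(r"@([\w.-]+)", from_addr).group(1).lower()
    hops = [received_hosts(v) for n, v in fields if n.lower() == "received"]
    findings = []
    for upper, lower in zip(hops, hops[1:]):
        if upper[0] != lower[1]:  # 'from' above should equal 'by' below
            findings.append((lower[1], lower[1] in dns_hosts.get(domain, set())))
    return findings
```

On the sample, find_forged_received flags ns2.bt.net as a non-chaining hop whose "by" host is one of talk21.com's name servers, which is exactly the pattern the page describes.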
My suspicion is that some spammer software is programmed to prepare spams in this manner. It is likely picking an address for the "From:" among some list of potential addresses. The idea here is that if the spam doesn't make it to its intended destination (perhaps because the "To:" address is incorrect, etc.), it will "bounce" to a real user. The world may never know exactly how this is working...
C.P. Fuhrman, "Analysis of massive backscatter of email spam," Proc. Montreal Conference on e-Technologies (MCETECH), Practice and Theory of IT Security (PTITS), Montreal, 2008. (slides of the presentation)
If you have anything to share about email backscatter (perhaps you're receiving lots of it, too?), contact me at .