New: Backscatter Protection Agent

This new External Agent (download from here) can help reduce the damage caused by “backscatter”, a phenomenon that occurs when a spammer sends forged emails in the name of your domain. Given a sufficiently large number of forged emails, some of these will be undeliverable, resulting in tons of Delivery Status Notifications (DSNs) flooding your servers. Because the DSNs come from otherwise legitimate servers, IP-based filtering is of little help here, and neither are the other tools of ORF, except this new one.

The idea behind the agent is that most DSNs contain the original email and this allows the agent to check if the original email is from your network, by examining whether it shows properties unique to your network.

This agent checks specifically for the Message-ID email header, which has a unique format pattern for every network/server. The agent extracts the Message-ID headers from the bounce report, and matches them with your unique pattern. If none of the Message-IDs are like your pattern, the agent reports that the original email was probably from another network—in other words, it’s a backscatter DSN.
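The check described above, sketched in Python as an added example; it is not the agent's own code. The Message-ID pattern, the example.com host names and the sample bounce are constructed assumptions, and returning "unknown" for a bounce that carries no original Message-ID is a choice made here, not documented agent behaviour.

```python
import re
from email import message_from_string

# Assumption: outgoing mail from this network carries IDs shaped like
# <16+ hex chars@mail.example.com>; substitute your own observed pattern.
LOCAL_ID = re.compile(r"<[0-9A-F]{16,}@mail\.example\.com>", re.I)
ID_LINE = re.compile(r"^Message-ID:\s*(<[^>\s]+>)", re.I | re.M)

def embedded_message_ids(dsn_text):
    """Message-IDs of the original email(s) carried inside a bounce."""
    ids = []
    for part in message_from_string(dsn_text).walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":           # full original attached
            for inner in part.get_payload():
                ids += inner.get_all("Message-ID", [])
        elif ctype == "text/rfc822-headers":    # headers-only copy
            ids += ID_LINE.findall(part.get_payload())
    return [i.strip() for i in ids]

def classify(dsn_text):
    """'local' if any embedded ID matches, 'backscatter' if none do,
    'unknown' when the bounce carries no original Message-ID at all."""
    ids = embedded_message_ids(dsn_text)
    if not ids:
        return "unknown"
    return "local" if any(LOCAL_ID.fullmatch(i) for i in ids) else "backscatter"

def sample_dsn(original_id):
    """Constructed multipart/report bounce wrapping one original email."""
    return "\n".join([
        "From: MAILER-DAEMON@remote.example.net",
        "Message-ID: <bounce-1@remote.example.net>",
        "Subject: Undelivered Mail Returned to Sender",
        "MIME-Version: 1.0",
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"',
        "", "--b1", "Content-Type: text/plain", "",
        "Delivery to nobody@remote.example.net failed.",
        "--b1", "Content-Type: message/delivery-status", "",
        "Reporting-MTA: dns; remote.example.net", "",
        "Final-Recipient: rfc822; nobody@remote.example.net",
        "Action: failed", "Status: 5.1.1",
        "--b1", "Content-Type: message/rfc822", "",
        "From: someone@example.com",
        "Message-ID: " + original_id,
        "Subject: hello", "", "body text",
        "--b1--", ""])
```

The bounce's own outer Message-ID is ignored on purpose: only the embedded original says where the mail came from.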

Note that this concept of backscatter detection has not been tested in production environments, which is why we call the agent “experimental”. Finding every Message-ID pattern for your email infrastructure can be quite a challenge, depending on how heterogeneous your network is. This is because the Message-ID may be generated by either the email client (MUA) or the email server (MTA). Neither Outlook nor Outlook Express generates a Message-ID on its own, but Mozilla Thunderbird does. Without knowing what email clients are used in your network and how they behave, you cannot reliably tell your Message-ID patterns. For example, ISPs have no chance to use this agent.

Despite this limited use, we think the agent may be useful for many smaller networks. Also, there are several ways we can improve the original idea, for example, by recording the Message-IDs of all outgoing emails in a database or by checking other email properties, but these solutions come at a higher cost. Let us know if the agent does not work for you and why, so that we can improve it to cover your requirements.

4 thoughts on “New: Backscatter Protection Agent”

  1. Peter Post author

    Prayag,

    The method is outlined in the documentation (sending an email outside the organization) and studying the pattern. However, it’s not guaranteed that you will have a unique Message-ID pattern at all.

    Please consider that this agent was developed primarily for small organizations with Exchange and Outlook only. For large organizations, Message-ID may not be the way to go. The idea behind the agent can be extended, however, to work for all sizes.

  2. David

    I’d like to be able to do this for multiple domains. As an ISP we get thousands of NDRs, mostly as a result of forged email addresses. Is there a way to do this?

  3. Peter Post author

    David, the Backscatter Agent is not really for ISP use. Its design assumes that you can collect all Message-ID patterns and that’s probably not possible for ISPs.
    Anyway, the agent itself allows using combined patterns.
