Significant Backscatter

2007-09-21 One-minute read

Experienced my first significant backscatter on one of my domains today. Good times. Here’s how backscatter happens:

  1. spammer forges the sender in email, such as ‘From:’;
  2. server which receives the forged email bounces the message;
  3. since the spammer used my domain as the sender, the bounce comes to my domain;
  4. since the spammer guessed a name that doesn’t actually exist, my mail server is unable to deliver the bounce message locally (generating a double bounce);
  5. my mailserver then sends the double bounce to postmaster at my domain; since I’m the postmaster, it sucks to be me.

Over a 5-hour period, I received 1200 of these little messages. Some of this is caused by my use of qmail. Qmail will accept a message for delivery at the SMTP stage, then realizes there is no suitable recipient. At that point it has to generate a bounce and return it to the sender – who was forged, creating a double bounce. Might become necessary to install chkuser – it refuses to accept email unless there is an actual recipient. We’ll see. At the moment, the rate of backscatter has dropped to a few per hour.