Backscatter is a type of email spam that occurs when spammers forge sender addresses in their emails. When these emails bounce due to invalid recipients or other delivery issues, the Non-Delivery Reports (NDRs) or bounce messages are sent to the forged sender address, which often belongs to an innocent victim. Most emails that cannot be delivered are rejected with a 5xx response, but backscatter occurs when an intermediate mail server accepts an email, later discovers that it can't be delivered, and then sends an asynchronous bounce. The victim receives a large volume of unwanted bounce messages, which can lead to inbox clutter, security risks, and potential damage to sender reputation; backscatter can also indicate a server misconfiguration. DMARC implementation, combined with general email authentication, helps mitigate this issue by reducing the number of forged emails accepted in the first place.
7 marketer opinions
Backscatter is the result of spammers forging sender addresses in their emails. When these emails bounce due to invalid recipients or other delivery issues, the non-delivery reports (NDRs) or bounce messages are sent to the forged sender address, which is often an innocent victim. This results in the victim receiving a large volume of unwanted bounce messages, potentially leading to inbox clutter, security risks, and damage to sender reputation if they are incorrectly identified as the original spammer.
Marketer view
Email marketer from spamhaus.org explains that backscatter is the result of spam emails using forged 'From' addresses. When these emails bounce, the bounce messages are sent to the forged address, causing innocent users to receive unwanted bounce emails.
18 Jun 2022 - spamhaus.org
Marketer view
Email marketer from web.archive.org (originally Cloudmark) explains that backscatter occurs when spammers forge the sender address on their messages. When these messages bounce due to invalid recipients, the bounce messages are sent to the forged sender address. This creates a problem for the innocent party whose address was spoofed, as they receive a large volume of unwanted bounce messages.
20 Jan 2022 - web.archive.org
2 expert opinions
Backscatter happens when spammers send emails with forged sender addresses. Most undeliverable emails get rejected immediately with a 5xx error. However, if a mail server accepts an email and only later can't deliver it, it sends an asynchronous bounce (NDR) to the forged return path, which is the backscatter. This indicates a server misconfiguration and wastes resources.
Expert view
Expert from Word to the Wise explains that backscatter occurs when spam is sent with forged sender addresses, and the non-delivery reports (NDRs) are sent to the forged address, which is not the originator of the spam. This is detrimental for several reasons, including that it indicates a server misconfiguration and a waste of resources.
17 Apr 2022 - Word to the Wise
Expert view
Expert from Email Geeks explains that the vast majority of mail sent to undeliverable addresses is rejected with a 5xx response at delivery time. However, if an intermediate mail server accepts an email and only later discovers it can’t deliver it, it has to send an asynchronous bounce to the return path. If you fake the return path, the asynchronous bounce sent to a forged email address is backscatter.
9 Jan 2023 - Email Geeks
4 technical articles
Backscatter is defined as Non-Delivery Reports (NDRs) or bounce messages sent to forged or spoofed sender addresses by mail servers. Spammers forge these addresses, and when emails are undeliverable, receiving servers generate NDRs to the forged address. This results in innocent recipients receiving unwanted bounce messages, potentially creating a 'storm' of backscatter. DMARC can help mitigate this by allowing domain owners to specify how to handle emails that fail authentication, thus reducing forged emails and subsequent bounces.
Technical article
Documentation from ietf.org defines backscatter as Non-Delivery Reports (NDRs) or other "bounces" sent to a forged or spoofed address by a mail server. This occurs when a spammer spoofs the sender address, and the receiving server generates a bounce message due to a delivery failure.
11 Jul 2021 - ietf.org
Technical article
Documentation from learn.microsoft.com explains that backscatter storms are the result of spammers using forged sender addresses. When these emails are undeliverable, the receiving mail servers generate non-delivery reports (NDRs) to the forged sender. A large number of these NDRs can flood the recipient's inbox, creating a 'storm' of backscatter.
27 Mar 2024 - learn.microsoft.com