Getting "Message Delivery Failures" or "Undelivered" from Messages You Didn't Send

What you're seeing is called backscatter
Backscatter is the name given to messages that are generated when a spammer or worm (a worm is a computer infected with a spambot virus) uses your mail address in the From: line of their messages. If the spam message can't be delivered for any reason, the receiving host sends a non-delivery report, or bounce, back to your address because it was in the From: line. Legitimate bounces come back to you when you enter a recipient's address incorrectly or their mailbox is full, but if you're getting bounces for messages you didn't send, you're seeing backscatter. These bounces from mail servers usually have a subject such as "Delivery notification: delivery has failed", "Returned Mail: see transcript", "failure notice", "Mail Delivery Failed", "UNDELIVERABLE" or "Undelivered". The messages typically originate from "MAILER-DAEMON", "postmaster", "Mail delivery subsystem", etc. If a spammer sends a large number of messages, you may receive literally hundreds or thousands of bounces.

Why do spammers do this?
Many mail systems will not deliver mail if the From: line in the message references a spammer's domain, so spammers try to get past this test by using addresses at other people's domains instead.

Where do they get the addresses?
They simply take a randomly chosen address from the same list of addresses to which they send spam.

The backscatter problem
Backscatter is a growing issue because spam is increasing at an unprecedented rate. You get backscatter messages because of two problems. First, as already discussed, a spammer has started a spam run that forges your email address as the From: address. Second, poorly configured servers don't properly reject the spam; instead, they send a "bounce" non-delivery notification to the forged From: address. So you get notices about messages you didn't send. Sadly, there are too many email servers on the Internet today that create backscatter.

What do we do?
In the spring of 2008, backscatter became an issue as it was affecting 2-3 users per week. As of 5/9/08, DoIT has implemented countermeasures for backscatter. Do we catch it all? No. Prior to these measures, in an isolated case, we had one user receiving 4500 undeliverable messages per day for 3 days.

What can you do?
The bad news is that you can't stop spammers from forging your email address, or spambots from using it. Compounding the issue, the backscatter problem will continue until the mail servers that create backscatter by bouncing spam are configured not to do so.
The good news is that in *most* cases, once the spammer's spam run has completed, the backscatter will soon cease as well. The problem you are having with backscatter may periodically repeat as a result of spammers' actions.
One action you can take is to configure a GroupWise rule to delete or move bounce-type messages to a special folder. You will need to keep in mind that legitimate bounces are also subject to your rule's actions. With that in mind you will want to disable the rule once the backscatter subsides. For an example of creating such a rule see "Moving Received Items to a Folder" at: http://wind.caspercollege.edu/~doit/gw_training/rules.html#move

Conditional tests to use in a rule for catching bounces
When configuring a rule to catch bounced messages, here's a good place to start. These tests may or may not work for you. They will probably reduce the number of bounces you see, but they will not catch all of them.

Include entries where ...
From contains 'mailer-daemon or postmaster or "mail delivery"'
or
Subject contains 'blocked or delivery or failure or returned or undeliver*'
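
The two tests above, applied to a handful of headers, as an added example (not part of the original page and not GroupWise code). It assumes "contains" is a case-insensitive substring match and treats "undeliver*" as the prefix "undeliver"; the function names and sample headers are constructed for illustration.

```python
# Added example: the page's rule tests applied to constructed message headers.
from email import message_from_string
from email.header import decode_header, make_header

# Terms from the rule on this page ("undeliver*" handled as a prefix).
FROM_TERMS = ("mailer-daemon", "postmaster", "mail delivery")
SUBJECT_TERMS = ("blocked", "delivery", "failure", "returned", "undeliver")

def header_text(msg, name):
    """Return a header as lower-case text, decoding RFC 2047 encoded words."""
    return str(make_header(decode_header(msg.get(name) or ""))).lower()

def is_bounce_like(raw_message):
    """True if From or Subject matches either test (assumed substring match)."""
    msg = message_from_string(raw_message)
    sender = header_text(msg, "From")
    subject = header_text(msg, "Subject")
    return (any(t in sender for t in FROM_TERMS)
            or any(t in subject for t in SUBJECT_TERMS))

def triage(messages):
    """Split messages into (bounce_folder, inbox), as a move-to-folder rule would."""
    folder, inbox = [], []
    for raw in messages:
        (folder if is_bounce_like(raw) else inbox).append(raw)
    return folder, inbox

# Constructed sample headers (example.* domains, not real traffic).
SAMPLES = [
    "From: MAILER-DAEMON@mx.example.net\nSubject: Undelivered Mail Returned to Sender\n\n",
    "From: Mail Delivery Subsystem <mailer@example.org>\nSubject: Returned Mail: see transcript\n\n",
    "From: postmaster@example.com\nSubject: failure notice\n\n",
    "From: noreply@example.net\nSubject: =?utf-8?q?Mail_Delivery_Failed?=\n\n",
    "From: alice@example.edu\nSubject: Lunch on Friday?\n\n",
    # A bounce with unusual wording slips past both tests.
    "From: bounces@example.io\nSubject: Message could not be sent\n\n",
    # Ordinary mail containing a rule word is moved as well.
    "From: shop@example.com\nSubject: Your package delivery is scheduled\n\n",
]

if __name__ == "__main__":
    folder, inbox = triage(SAMPLES)
    print(f"moved to bounce folder: {len(folder)}, left in inbox: {len(inbox)}")
```

The last two samples show both limits of the rule: a bounce with unusual wording is missed, and ordinary mail that happens to contain "delivery" is moved along with the bounces.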

As a last resort
Your CC email address can be changed.

