Archive for February, 2011

Never forward email to GMail. Ever. Google ’causes’ backscatter.

What is Backscatter

These days, one of the main ways spam gets into your mailbox is through a technique called ‘backscatter’. Backscatter happens when a mail server accepts an email and only later decides that it can’t deliver it, and so informs the sender through a bounce. Unfortunately, what spammers do is send their spam to servers they know behave this way, with a forged envelope sender (the Return-Path set by MAIL FROM, which is where the bounce goes, and in this case that’d be you). Thus you get, in your inbox, bounces for email you never sent, usually carrying some kind of Cialis or Windows XP For Free scam. In effect, the spammers are using the relatively high trust level of a legitimate mail server in order to get spam to you, where an open relay (the previous method of choice) would get them rejected quite quickly.

Nowadays, though, allowing your server to send backscatter is a one-way ticket to the no-trust zone. You’ll get added to the DNS blocklists if your server is believed to do this. So, in the end, the spammers are back to square one, but they don’t really care.

The solution is relatively simple, for the most part. If you can’t accept and deliver an email, your server should reject it during the SMTP session itself (a 5xx response at RCPT TO or after DATA), before the message is ever queued. The rejection then lands on the host that connected to you, and no bounce needs to be generated at all. All of the major mail servers are now capable of doing this out of the box (except, unfortunately, qmail, which requires patches or plugins to do this correctly. But no one runs a vanilla qmail install out of the box anymore).

GMail

Unfortunately, there’s one situation where this becomes difficult again: forwarding. When an email is forwarded, say from my host at stormbrew.ca to stormbrew@gmail.com (for illustration only, this is not my configuration), stormbrew.ca believes it can accept this email. It knows that it will then need to forward the message, but at the moment it accepts it, it has no reason to believe the forward will fail.

So it accepts it, adds it to its queue, eventually decides to send it to gmail, and then waits for gmail to give a response.

And this is where preventing backscatter becomes very hard. Normally, the reasons for rejecting an email are either permanent (a 5xx response: the mailbox doesn’t exist), which you fix by simply changing the forward to an account that does work, or temporary (a 4xx response: the server is overwhelmed and wants you to back off for a while), which your mail server handles by deferring the message and retrying later.

Where gmail makes this an exceptionally difficult problem is in how it rejects mail that it considers to be spam. Most mail servers (mine included) silently discard spam, whether at the point of reception or later after the mail has been queued, but without an error or a bounce. GMail, on the other hand, loudly rejects the email immediately as a permanent error:

2011-02-15 02:46:42.363718500 delivery 23672: failure: ##.###.###.##_failed_after_I_sent_the_message./Remote_host_said:_550-5.7.1_[##.##.###.###_#]_Our_system_has_detected_that_this_message_is_likely/550-5.7.1_unsolicited_mail._To_reduce_the_amount_of_spam_sent_to_Gmail,_this/550-5.7.1_message_has_been_blocked._Please_visit___________________________/550-5.7.1_http://mail.google.com/support/bin/answer.py?hl=en&answer=188131_for/550_5.7.1_more_information._r13si6986867yhh.42/

It will, however, continue to accept email to the same address as long as it does not trigger the spam filter. So this behaviour is neither temporary nor permanent in the traditional sense, even though the 550 reply code and the 5.7.1 enhanced status mark it as a permanent failure.

Upon receiving this error code, my mail server will send a bounce, which is the absolutely correct behaviour for a 5xx response, since in normal circumstances you’d want to know if the forwarded-to mailbox was full or no longer existed. But here this just plays into the hands of the spammer: the bounce goes to the forged envelope sender, and my server has become another free channel for getting spam delivered.
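As an added example (not code from the original post, and not anything qmail or Gmail ships), the following Python parses a qmail-send delivery failure line like the one quoted above, recovers the remote host’s multi-line SMTP reply together with its RFC 3463 enhanced status code, and then applies the disposition a forwarding host needs in this situation: defer on 4xx, discard (and log) rather than bounce when the downstream rejected on a 5.7.x policy/spam status, and bounce only on the other permanent errors such as an unknown user. The three log lines are constructed in qmail-send’s format (spaces logged as `_`, newlines as `/`) with placeholder hosts, IPs and queue ids; the discard-on-5.7.x rule is an assumed policy, not a qmail feature.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the qmail-send log format shown in the post
# (spaces logged as "_", newlines as "/").  Hosts, IPs and ids are placeholders.
SAMPLE_GMAIL_SPAM_REJECT = (
    "2011-02-15 02:46:42.363718500 delivery 23672: failure: "
    "192.0.2.10_failed_after_I_sent_the_message./Remote_host_said:_"
    "550-5.7.1_[203.0.113.5_7]_Our_system_has_detected_that_this_message_is_likely/"
    "550-5.7.1_unsolicited_mail._To_reduce_the_amount_of_spam_sent_to_Gmail,_this/"
    "550-5.7.1_message_has_been_blocked._Please_visit/"
    "550-5.7.1_http://mail.google.com/support/bin/answer.py?hl=en&answer=188131_for/"
    "550_5.7.1_more_information._r13si6986867yhh.42/"
)
SAMPLE_USER_UNKNOWN = (
    "2011-02-15 02:50:01.000000000 delivery 23673: failure: "
    "192.0.2.10_failed_after_I_sent_the_message./Remote_host_said:_"
    "550_5.1.1_The_email_account_that_you_tried_to_reach_does_not_exist./"
)
SAMPLE_DEFERRAL = (
    "2011-02-15 02:51:07.000000000 delivery 23674: deferral: "
    "192.0.2.10_failed_after_I_sent_the_message./Remote_host_said:_"
    "451_4.3.0_Temporary_system_problem._Try_again_later./"
)

RETRY, DISCARD, BOUNCE = "retry", "discard", "bounce"


@dataclass
class SmtpReply:
    code: int                # three-digit reply code, e.g. 550
    enhanced: Optional[str]  # RFC 3463 enhanced status code, e.g. "5.7.1", if present
    text: str                # reply lines joined with newlines


# One decoded reply line: "550-5.7.1 text" (continuation) or "550 5.7.1 text" (last).
_REPLY_LINE = re.compile(r"^(\d{3})[ -](?:(\d\.\d{1,3}\.\d{1,3}) )?(.*)$")


def parse_qmail_failure(line: str) -> Optional[SmtpReply]:
    """Recover the remote SMTP reply from a qmail-send failure/deferral line.

    qmail-send writes the reply with "_" for spaces and "/" for newlines.  URLs in
    the reply also contain "/", so "/" is only treated as a line break when the
    next reply line (three digits followed by "_" or "-") starts right after it.
    """
    m = re.search(r"Remote_host_said:_(.*)$", line)
    if not m:
        return None
    encoded = m.group(1).rstrip("/")
    code: Optional[int] = None
    enhanced: Optional[str] = None
    texts: List[str] = []
    for raw in re.split(r"/(?=\d{3}[_-])", encoded):
        lm = _REPLY_LINE.match(raw.replace("_", " "))
        if not lm:
            return None
        this_code = int(lm.group(1))
        if code is None:
            code = this_code
        elif this_code != code:
            return None  # inconsistent multi-line reply; do not guess
        if enhanced is None and lm.group(2):
            enhanced = lm.group(2)
        texts.append(lm.group(3))
    return SmtpReply(code, enhanced, "\n".join(texts))


def forwarding_disposition(reply: SmtpReply) -> str:
    """Assumed policy for a host that forwarded the message downstream.

    4xx: the downstream asked us to try later, so keep the message queued.
    5xx with a 5.7.x (security/policy) status: the message was refused as spam
    or by policy, the envelope sender is very likely forged, and bouncing would
    be backscatter, so discard it (the caller must log the discard).
    Any other 5xx (unknown user, mailbox full, ...): a bounce is the right answer.
    """
    if 400 <= reply.code < 500:
        return RETRY
    if reply.enhanced:
        policy_reject = reply.enhanced.startswith("5.7.")
    else:
        # Older servers send no enhanced code; fall back to a keyword heuristic.
        policy_reject = bool(re.search(r"\b(spam|unsolicited|blocked)\b", reply.text, re.I))
    return DISCARD if policy_reject else BOUNCE


def classify(line: str) -> Optional[str]:
    """Disposition for one qmail-send log line, or None if it carries no remote reply."""
    reply = parse_qmail_failure(line)
    return None if reply is None else forwarding_disposition(reply)


if __name__ == "__main__":
    for sample in (SAMPLE_GMAIL_SPAM_REJECT, SAMPLE_USER_UNKNOWN, SAMPLE_DEFERRAL):
        r = parse_qmail_failure(sample)
        print(r.code, r.enhanced, "->", forwarding_disposition(r))
```

The trade-off is the one the post describes: treating every 5.7.x as “discard” means a genuine policy failure (for example a 5.7.1 relaying-denied reply caused by a misconfiguration) also produces no bounce, so the discard has to be logged where an administrator will see it. The parser is deliberately strict and returns None on anything it cannot decode rather than guessing a disposition from a garbled line.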

Please note that this is true regardless of whether or not you follow the advice at Google’s page on forwarding best practices. That advice only affects whether your host will be identified as a spam source because of this behaviour, and even if you filter spam before sending it on to gmail, you are unlikely to be 100% successful by google’s standards (they have much more computing power to throw at this problem). You will still likely end up backscattering because of this.

Google should, if it does not want to accept these messages, silently bury them as pretty much every other mail exchange does. Spammers keep finding new ways to exploit attempts to reply to spam in order to signal its spamminess, and this is no exception.

Solutions

As the title suggests, you should avoid forwarding your email to a gmail account if at all possible. If you can, and you intend to use gmail as your email UI, you should probably run your domain through Google Apps instead, so that gmail is the server that receives the message in the first place and can reject spam during the SMTP session rather than after another server has accepted it.

Another, less extreme, solution if you only want it for an account or two is to use gmail’s ability to pull mail from your server rather than having your server push it. Since nothing is then forwarded over SMTP, there is no rejection for your server to turn into a bounce. I have never set this up, but I know others have done it and I don’t expect it’s too difficult. It does require that your mailbox be exposed over POP3, as far as I know.

I’d really like to see Google drop this method of rejecting spam, though. I see what they’re trying to do, but I strongly feel that it makes them a poor email citizen (though they are a great one in many other ways).