Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

The problem of backscatter, part 7 - What is it?

Having worked our way through how NDRs and DSNs are supposed to work, we can now finally look at what backscatter actually is.

Recall the SMTP protocol - when you send a message, you specify the HELO, the MAIL FROM, the RCPT TO, the DATA (the message contents, including its headers) and the QUIT.  Here's a sample:

HELO mail.evergreenterrace.com
MAIL FROM: homer_simpson@example.com
RCPT TO: krusty_the_clown@example.org (this is wrong, it should be krusty_the_klown@example.org)
DATA

This is a sample message to generate an NDR message.  Krusty_the_clown@example.org does not exist, it will bounce.
.
QUIT

The message goes out from Homer's mail server and is routed to example.org's mail server.  Rather than looking up the recipient address during the SMTP conversation and rejecting the message with a 5xx error (which would leave it to Homer's mail server to generate the NDR), Krusty's mail server accepts the message with a 250.  Only later does Krusty's server notice that the address Homer sent to doesn't exist; it then looks at the SMTP MAIL FROM, in this case homer_simpson@example.com, and sends an NDR back to Homer saying the message couldn't be delivered.
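The difference between rejecting during the conversation and accepting-then-bouncing is the whole story, so here is a toy model of it. This is an added example, not code from the original post: the server, its mailbox list and the transcript are constructed for illustration. Under the "reject" policy the server answers RCPT TO for an unknown mailbox with a 5xx while the client is still connected; under "accept_then_bounce" it answers 250 and only discovers the bad recipient after DATA, at which point the only place left to report the failure is the MAIL FROM address, whatever the client claimed it was.

```python
# Added example, not from the original post; server, mailbox list and transcript are constructed.
from dataclasses import dataclass, field

# Constructed: the one mailbox example.org really hosts (note the "klown" spelling).
LOCAL_MAILBOXES = {"krusty_the_klown@example.org"}


@dataclass
class Session:
    mail_from: str = ""
    rcpt_to: list = field(default_factory=list)
    in_data: bool = False
    body: list = field(default_factory=list)


def _address(arg):
    # "FROM:<a@b>" or "TO: a@b" -> "a@b"
    return arg.split(":", 1)[1].strip().strip("<>").lower()


class ToySmtpServer:
    """Hypothetical receiving server for example.org with a selectable recipient policy."""

    def __init__(self, policy):
        if policy not in ("reject", "accept_then_bounce"):
            raise ValueError("policy must be 'reject' or 'accept_then_bounce'")
        self.policy = policy
        self.queued = []     # (mail_from, rcpt, body) accepted for local delivery
        self.ndrs_sent = []  # (ndr_recipient, failed_address) for each NDR this server emits

    def _end_of_data(self, s):
        """Runs after the terminating '.' line: this is where a late bounce is born."""
        s.in_data = False
        for rcpt in s.rcpt_to:
            if rcpt in LOCAL_MAILBOXES:
                self.queued.append((s.mail_from, rcpt, "\n".join(s.body)))
            else:
                # Only reachable under accept_then_bounce: the recipient was never checked
                # in-conversation, so the failure is reported to the (possibly forged) MAIL FROM.
                self.ndrs_sent.append((s.mail_from, rcpt))
        return "250 2.0.0 Ok: queued"

    def handle(self, s, line):
        """Process one client line; returns the reply, or None while collecting the body."""
        if s.in_data:
            if line == ".":
                return self._end_of_data(s)
            s.body.append(line[1:] if line.startswith("..") else line)  # dot-unstuffing
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            return "250 mail.example.org"
        if verb == "MAIL":
            s.mail_from = _address(arg)
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            rcpt = _address(arg)
            if self.policy == "reject" and rcpt not in LOCAL_MAILBOXES:
                # Rejected in-conversation: nothing was accepted, so this server has nothing
                # to bounce; generating any NDR is now the sending server's job.
                return "550 5.1.1 The email account that you tried to reach does not exist"
            s.rcpt_to.append(rcpt)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not s.rcpt_to:
                return "554 5.5.1 Error: no valid recipients"
            s.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"


def run_session(policy, transcript):
    """Play a client transcript against a fresh server; returns (replies, ndrs_sent)."""
    server = ToySmtpServer(policy)
    s, replies = Session(), []
    for line in transcript:
        reply = server.handle(s, line)
        if reply is None:
            continue
        replies.append(reply)
        if reply.startswith("5") and line.upper() != "QUIT":
            # A well-behaved client abandons the message on a permanent error and disconnects.
            replies.append(server.handle(s, "QUIT"))
            break
    return replies, server.ndrs_sent


# Constructed transcript: the spammer puts Homer's address in MAIL FROM.
FORGED_SPAM = [
    "HELO mail.scammers.com",
    "MAIL FROM:<homer_simpson@example.com>",
    "RCPT TO:<krusty_the_clown@example.org>",
    "DATA",
    "Get cheap Viagra!  Check out the following website to get it because you obviously need it!",
    ".",
    "QUIT",
]
```

Running `run_session("reject", FORGED_SPAM)` yields a 550 at the RCPT TO step and an empty NDR list: the spam never entered the queue, so Homer never hears about it. `run_session("accept_then_bounce", FORGED_SPAM)` returns a 250 at every step and one NDR addressed to homer_simpson@example.com, which is the backscatter the rest of this post describes. Feed it Homer's own typo transcript instead and the reject policy still produces no NDR here; the 550 goes back to Homer's real mail server, which is the right place to generate it.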

But, what if it wasn't Homer who sent the message?  Let's say Jerk Q. Spammer decides to send a spam message to Krusty.  What Jerk would do if he were a nice guy is put his email address in the SMTP MAIL FROM.  But, Jerk is a jerk, he doesn't do that.  He puts Homer's email address in the SMTP MAIL FROM, because the SMTP protocol allows you to put any email address you want in the field.

HELO mail.scammers.com
MAIL FROM: homer_simpson@example.com (this is not Homer, it is Jerk Q. Spammer forging Homer's email address)
RCPT TO: krusty_the_clown@example.org
DATA

Get cheap Viagra!  Check out the following website to get it because you obviously need it!
.
QUIT

Once again, Krusty's mail server accepts the message with a 250 but then finds that it cannot deliver it, so it looks at the address in the SMTP MAIL FROM.  In this case that is homer_simpson@example.com, and the server sends an NDR "back" to Homer.

Homer turns on his computer (hey, they have the Internet on computers now) and opens up his email.  He takes a look and sees the following in his email inbox (the first 5 lines below are the message headers and do not appear in the body contents):

Date: Tue, 8 Jul 2008 22:26:56 +0000 (UTC)
From: MAILER-DAEMON (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: Krusty_the_clown@example.org
Content-Type: multipart/report; report-type=delivery-status; boundary="67A3E14185FC.1215556016/mail.example.org"

This is the Postfix program at host mail.example.org. I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below. For further assistance, please send mail to <postmaster>

- The Postfix program

krusty_the_clown@example.org: host mail.example.org[292.85.201.114] said: 550-5.1.1 The email account that you tried to reach does not exist. (in reply to the end of DATA command)

--- Below this line is a copy of the message.

Return-Path: homer_simpson@example.com
Received: (qmail 32443 invoked by uid 507); 9 Jul 2008 05:02:16 +0800
Delivered-To: krusty_the_clown@example.org
Date: Tue, 08 Jul 2008 10:47:32 -0700
From: Homer
To: Krusty
Subject: Get cheap viagra!
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Get cheap Viagra!  Check out the following website to get it because you obviously need it!

Homer didn't send the message, but it sure looks like he did.  What actually happened is that Jerk Q. Spammer forged Homer's email address, and the receiving mail server sent the bounce back to Homer rather than to Jerk, even though Homer never sent anything.  The result?  Homer receives an NDR with spam attached to it, and this whole style of spamming-by-proxy is known as backscatter.
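When a mailbox fills up with bounces like the one above, the first triage question is what each NDR actually says: which recipient failed, with what status, and what the attached copy of the "original" claims about its sender. The following is an added example, not code from the original post. The NDR text is constructed from the sample shown above, the failure line is matched in the "host X[ip] said: 550-5.1.1" form Postfix writes it in, and the attached copy is parsed with the standard library's email module.

```python
# Added example, not from the original post; NDR_TEXT is constructed from the page's sample.
import re
import email

NDR_TEXT = """\
Date: Tue, 8 Jul 2008 22:26:56 +0000 (UTC)
From: MAILER-DAEMON (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: Krusty_the_clown@example.org
Content-Type: multipart/report; report-type=delivery-status; boundary="67A3E14185FC.1215556016/mail.example.org"

This is the Postfix program at host mail.example.org. I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below. For further assistance, please send mail to <postmaster>

- The Postfix program

krusty_the_clown@example.org: host mail.example.org[292.85.201.114] said: 550-5.1.1 The email account that you tried to reach does not exist. (in reply to the end of DATA command)

--- Below this line is a copy of the message.

Return-Path: homer_simpson@example.com
Received: (qmail 32443 invoked by uid 507); 9 Jul 2008 05:02:16 +0800
Delivered-To: krusty_the_clown@example.org
Date: Tue, 08 Jul 2008 10:47:32 -0700
From: Homer
To: Krusty
Subject: Get cheap viagra!
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Get cheap Viagra!  Check out the following website to get it because you obviously need it!
"""

# Matches Postfix's per-recipient failure line: "<rcpt>: host <name>[<ip>] said: 550-5.1.1 ..."
FAILURE_RE = re.compile(
    r"^(?P<rcpt>[^\s:]+@[^\s:]+): host (?P<host>[^\s\[]+)\[[^\]]*\] said: "
    r"(?P<code>\d{3})[- ](?P<status>\d\.\d+\.\d+)",
    re.MULTILINE,
)
SEPARATOR = "--- Below this line is a copy of the message."


def summarize_ndr(text):
    """Describe a Postfix-style NDR; returns None when no failure line is present."""
    report, sep, copied = text.partition(SEPARATOR)
    m = FAILURE_RE.search(report)
    if not m:
        return None
    summary = {
        "failed_recipient": m["rcpt"],
        "reporting_host": m["host"],
        "smtp_code": m["code"],
        "status": m["status"],
        "permanent": m["code"].startswith("5"),
    }
    if sep:
        # The attached copy is an ordinary RFC 822 message; its headers are the only record
        # the bounce carries of where the message really came from.
        original = email.message_from_string(copied.strip())
        summary["original_return_path"] = (original["Return-Path"] or "").strip("<>")
        summary["original_from"] = original["From"]
        summary["original_subject"] = original["Subject"]
        summary["original_received"] = original.get_all("Received", [])
    return summary


if __name__ == "__main__":
    for key, value in summarize_ndr(NDR_TEXT).items():
        print(f"{key}: {value}")
```

On the sample, the summary shows the failed recipient krusty_the_clown@example.org with status 5.1.1, and an attached original whose Return-Path is homer_simpson@example.com but whose single Received header was added by a qmail process on the spammer's side, not by any server of Homer's. That contrast, a bounce addressed to you for a message none of your servers ever handled, is what backscatter looks like from the receiving end.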