Terry Zink: Security Talk

Discussing Internet security in (mostly) plain English

Browse by Tags

Tagged Content List
  • Blog Post: Improving Backscatter detection with Boomerang

    One of the features we have been working on in Office 365/Exchange Online Protection  (EOP) is called Boomerang which is a mechanism to better detect backscatter spam. Image taken from here . What is Backscatter? Backscatter spam occurs when a spammer spoofs your email address and sends it to a...
  • Blog Post: The Backscatterer.org IP list

    Office 365 (Exchange Online Protection, or EOP) frequently receives questions about the Backscatterer.org IP blocklist. Customers call in and say “Your outbound IPs for the service are on Backscatterer! What are you doing about it?” This often occurs when people go to a 3rd party website...
  • Blog Post: Apple Mail and the Bounce feature

    The other day, I was talking with a friend of mine who owns a Mac and how he finds the Bounce feature of Apple mail very useful.  "Bounce feature?" I asked.  "Is that what I think it is?" I don't use Apple Mail anymore.  I do have a Mac but I use it mostly (though not...
  • Blog Post: The problem of backscatter, part 18 - Wrapping it up

    Backscatter spam is annoying.  It's tough to filter because the contents of it can fool content filters and can also fool end users. Indeed, if your content filter could recognize an NDR and ignore the parts that typically occur in NDRs, you could then filter the rest of the message normally and...
  • Blog Post: The problem of backscatter, part 17 - Limitations of BATV

    While BATV is a good technique, we've seen that there can be some limitations with it when combining it with an SPF policy.  What else do we have to consider with BATV? Catch-all addresses or non-deliverable addresses - Some MTAs will look up the recipient in the SMTP conversation.  For example...
  • Blog Post: The problem of backscatter, part 16 - BATV and SPF

    We've seen that BATV is one of the better mechanisms to stop backscatter, the question now is how do we use it?  What stuff does it potentially break? Some of the commenters in my other posts have alluded to it when they have said that you can't use BATV unless you have an SPF policy that dictates...
  • Blog Post: The problem of backscatter, part 15: BATV in a nutshell

    The following is a diagram that I drew that illustrates a summary of how BATV is supposed to work to prevent backscatter. Note the sequence of steps: Bender sends a message and hands it off through the outbound server. The outbound server signs his SMTP MAIL FROM. The recipient email server, mail.planet...
  • Blog Post: The problem of backscatter, part 14 - Bounce Address Tag Validation

    As we approach the end of my series on backscatter, there is still one more piece of technology that holds real promise to combating backscatter - Bounce Address Tag Validation, or BATV.  That sounds a bit like a successor to HDTV... but it's not. BATV is a more secure mechanism of my part 11 post...
  • Blog Post: The problem of backscatter, part 13 - An idiosyncrasy

    Around the internet world, specifically dealing with email and MTAs, there are people who are familiar with and have expertise with a number of MTAs.  Things like Exchange, Postfix, Sendmail, Qmail, Exim, and so forth.  I am not one of those people.  So, in writing this series I have learned...
  • Blog Post: The problem of backscatter, part 12 - Don't make the problem worse by contributing to it

    Many of the web sites that discuss backscatter encourage mail administrators to not further contribute to the problem of backscatter.  I would be remiss if I did not include a section on it. Don't accept mail, and then bounce.   The primary problem of general backscatter is when email servers...
  • Blog Post: The problem of backscatter, part 11 - Check to see if you sent it in the first place

    Other than content filtering and SPF, there's another way to combat backscatter - check to see if you sent the message in the first place.  We have already seen that NDR messages and backscatter contain a notice from the bouncing email server as well as all or part of the original message. ...
  • Blog Post: The problem of backscatter part 10 - Use SPF

    Using content analysis is one trick you can use to stop backscatter.  Another is to use SPF records. SPF records are designed to help combat backscatter on the theory that the recipient mail server will be able to figure out that your server didn't send it.  Here's how it works: Bob has his...
  • Blog Post: The problem of backscatter, part 9 - Block it with content analysis

    We can see how backscatter is a problem, so how do we go about stopping it?  What are some of the techniques we can employ to keep it out of our inboxes? One such technique is to block all NDR messages, or at least tag phrases and characteristics that commonly occur in NDR backscatter as inputs...
  • Blog Post: The problem of backscatter, part 8 - Why is it so hard to stop?

    I came across the following diagram at this site, and it nicely summarizes the issue of backscatter spam: Getting a single piece of backscatter spam is one thing, getting dozens, hundreds or even thousands of them is a major problem.  While spammers may be nefarious in attempting to spam indirectly...
  • Blog Post: The problem of backscatter, part 7 - What is it?

    Having worked our way through how NDRs and DSNs are supposed to work, we can now finally look at what backscatter actually is. Recall the SMTP protocol - when you send a message, you specify the HELO, the MAIL FROM, the RCPT TO, the DATA (email contents including other miscellaneous headers) and the...
  • Blog Post: The problem of backscatter, part 6 - Who sends the NDRs

    Earlier in my third post , I said that if server A sends a message to server B and server B cannot deliver it, server B sends a message back to server A called an NDR.  It's not quite that simple, there are differing cases on who generates the NDR. Let me quote from Wikipedia since they summarize...
  • Blog Post: The problem of backscatter, part 5 - A bit more on RFC 3464

    Continuing on from my previous post about the format of Delivery Status Notifications, a DSN must be addressed to the return address from the transport envelope which accompanied the original message for which the DSN was generated. (For a message that arrived via SMTP, the envelope return address appears...
  • Blog Post: The problem of backscatter, part 4 - What the RFC says

    As one of the commenters in my previous post mentioned, RFC 3464 specifies the content-type for Delivery Status Notifications. This isn't a series about the RFC specification so I shall attempt to summarize it as best I can. This post is mostly a repost of the RFC itself and I include it for the sake...
  • Blog Post: The problem of backscatter, part 3 - Legitimate bounces

    When a mail server accepts a message and later decides that it can't deliver the message, it is required to send back a bounce email to the sender of the original message. There are a few kinds of bounce notifications that a mail server can send: Recipient does not exist Recipient's email inbox is full...
  • Blog Post: The problem of backscatter, part 2 - The legitimate case

    Before getting into the problem of backscatter, let's look at how the system is supposed to work before spammers ruined it for everyone. Let's say that you want to mail a letter to your friend. You write the letter, put it in an envelope, and write your friend's address in the center of the...
  • Blog Post: The problem of backscatter, part 1

    As the creator, editor and sole content contributor to this blog, I like to write about topics that are relevant to myself at the present moment.  For example, if we are dealing with a breakout of image spam, I will write a few posts about why image spam is difficult to deal with.  If we are...
Page 1 of 1 (21 items)