Backscatter analyses

Last modified: Monday, 24-Jan-2011 00:52:31 EST

Around June 2007, I began receiving lots of backscatter emails on one of my private email accounts. At first, I thought it was a "joe job" attack, since I have reported spam sent to that account, and thought the spammers were retaliating against me. Now, after analyzing the backscatter, I believe it is an automated joe-job-like spamming technique.

Backscatter is caused when a spammer forges an address of a real user in the "From:" field of her spams, and when some of those spams fail to be delivered (for various reasons, such as invalid To: address, etc.), the "bounce" messages come back to the forged From: address.

By November 2007, I was receiving more than 800 per day! So, I began to analyze the SMTP headers of the spam messages that provoked the backscatter. I also looked at similar spam messages posted on Usenet in the group news.admin.net-abuse.sightings, and I realized that I was not the only person receiving backscatter.

Link between forged "From:" and "Received:" lines

Here are the results of an interesting discovery I made. In a great number of the backscatter messages I received, the spoofed From: address is linked to a forged Received: line in the RFC822 headers of the embedded spam that provoked the backscatter. Note that not all backscatter contains the headers of the original message, so I searched on news.admin.net-abuse.sightings to confirm my hypothesis.

Here are the headers of one such spam (which, in this case, did not "bounce" but was reported by its recipient). It was seen on Google groups:

Return-path: <em...@talk21.com>
Received: from ppp91-122-24-126.pppoe.avangard-dsl.ru ([91.122.24.126])
        by ******** with esmtp (Exim 4.66)
        (envelope-from <em...@talk21.com>)
        id 1IwLhF-0004FH-T3
        for ***@********; Sun, 25 Nov 2007 11:55:10 -0600
Received: from [91.122.24.126] by ns2.bt.net; Sun, 25 Nov 2007 17:56:20 +0000
Message-ID: <000701c82f8c$07b7154e$61d26f95@ngixk>
From: "Replica Watches" <em...@talk21.com>
To: "Watches" <***@********>
Subject: Exquisite Replica
Date: Sun, 25 Nov 2007 16:08:57 +0000

The highlighted parts are those forged by the spammer. The From: address is obviously forged, as spammers never give their real address. The following Received: line is also forged:

Received: from [91.122.24.126] by ns2.bt.net; Sun, 25 Nov 2007 17:56:20 +0000

We know it is forged because it does not chain to the Received: line that precedes it: the "from" part of that preceding line (ppp91-122-24-126.pppoe.avangard-dsl.ru) should name the same host as the "by" part of the forged Received: line (ns2.bt.net), and it does not.

Furthermore, the forgery of the "by" host (ns2.bt.net) is not arbitrary. The spammers have tried to make it look like <em...@talk21.com> really sent the spam, by creating a Received: line containing a host tied to talk21.com through its DNS lookup. For example, doing a DNS lookup of talk21.com yields the following results:

Domain          Type  Class  Result
talk21.com.     MX    IN     10 mx1.talk21.mail.yahoo.com.
talk21.com.     MX    IN     20 mx2.talk21.mail.yahoo.com.
talk21.com.     NS    IN     ns2.bt.net.
talk21.com.     NS    IN     ns0.bt.net.
talk21.com.     NS    IN     ns1.bt.net.
ns0.bt.net.     A     IN     217.35.209.188
ns1.bt.net.     A     IN     217.32.105.91
ns2.bt.net.     A     IN     217.32.105.90

Here's another example from Google groups:

From sa...@telesensventures.com Mon Nov 26 00:08:28 2007
Received: from mx0.public.com (mx0.public.com [66.112.160.20])
        by public.com (8.12.10/8.12.10) with ESMTP id
        lAQ58SST093564 for <x...@public.com>; Mon, 26 Nov 2007 00:08:28
        -0500 (EST)
Received: from 121.88.184.97 ([121.88.184.97]) by mx0.public.com
        (8.11.6/8.11.6) with ESMTP id lAQ58Rs29724 for <m...@fw.merk.com>;
        Mon, 26 Nov 2007 00:08:28 -0500
Received: from [121.88.184.97] by a.ns.joker.com; Mon, 26 Nov 2007
        05:08:11 +0000
Message-ID: <000701c82fea$052ea66a$5e6137b7@dtnoh>
From: "Replica Watches" <sa...@telesensventures.com>
To: "Exquisite Replica" <m...@fw.merk.com>
Subject: Exquisite Replica
Date: Mon, 26 Nov 2007 03:20:49 +0000

We apply the same algorithm. We look up the MX for telesensventures.com, for example, using http://www.hscripts.com/tools/HDNT/dns-record.php:

Domain                  Type  Class  Result
telesensventures.com.   MX    IN     10 mx0.telesensventures.net.
telesensventures.com.   MX    IN     10 mx10.telesensventures.net.
telesensventures.com.   NS    IN     b.ns.joker.com.
telesensventures.com.   NS    IN     c.ns.joker.com.
telesensventures.com.   NS    IN     a.ns.joker.com.

Once again, it becomes obvious how the spoofed "Received:" line is generated.

I have tried this algorithm on several of the 20,000+ (!) backscattered spams I have received, and it's always the case that the "by" host of the forged Received: line matches one of the hostnames returned by an MX lookup of the domain of my email address.
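As an added illustration (not the page's own code), the check below applies the algorithm just described to the two header sets quoted above: it walks the Received: chain, flags a hop whose "by" host is not what the next-newer hop says it received from, and then tests whether that host appears among the From: domain's MX/NS records. The DNS data is embedded offline from the tables on this page rather than queried live, the receiving host the page elides is a placeholder (mx.example.invalid), and the function and constant names are my own.

```python
import re
from email import message_from_string

# Constructed samples: the two spam header sets quoted on this page, with the hosts the
# page elides ("********") replaced by the placeholder mx.example.invalid.
SPAM1 = """Received: from ppp91-122-24-126.pppoe.avangard-dsl.ru ([91.122.24.126])
        by mx.example.invalid with esmtp (Exim 4.66)
        (envelope-from <em...@talk21.com>)
        id 1IwLhF-0004FH-T3
        for victim@example.invalid; Sun, 25 Nov 2007 11:55:10 -0600
Received: from [91.122.24.126] by ns2.bt.net; Sun, 25 Nov 2007 17:56:20 +0000
From: "Replica Watches" <em...@talk21.com>
"""
SPAM2 = """Received: from mx0.public.com (mx0.public.com [66.112.160.20])
        by public.com (8.12.10/8.12.10) with ESMTP id
        lAQ58SST093564 for <x...@public.com>; Mon, 26 Nov 2007 00:08:28 -0500 (EST)
Received: from 121.88.184.97 ([121.88.184.97]) by mx0.public.com
        (8.11.6/8.11.6) with ESMTP id lAQ58Rs29724 for <m...@fw.merk.com>;
        Mon, 26 Nov 2007 00:08:28 -0500
Received: from [121.88.184.97] by a.ns.joker.com; Mon, 26 Nov 2007 05:08:11 +0000
From: "Replica Watches" <sa...@telesensventures.com>
"""
# MX and NS hosts as tabulated on this page; a live check would query the resolver instead.
KNOWN_DNS = {
    "talk21.com": {"mx1.talk21.mail.yahoo.com", "mx2.talk21.mail.yahoo.com",
                   "ns0.bt.net", "ns1.bt.net", "ns2.bt.net"},
    "telesensventures.com": {"mx0.telesensventures.net", "mx10.telesensventures.net",
                             "a.ns.joker.com", "b.ns.joker.com", "c.ns.joker.com"},
}

def received_hops(raw):
    """[(from_host, by_host), ...] in header order, i.e. newest hop first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        m_from = re.match(r"from\s+([^\s;()]+)", value)
        m_by = re.search(r"\bby\s+([^\s;()]+)", value)
        hops.append((m_from.group(1).lower() if m_from else None,
                     m_by.group(1).lower() if m_by else None))
    return hops

def forged_hops(raw, dns=KNOWN_DNS):
    """Hops that break the chain (the newer hop's "from" is not this hop's "by"), as
    [(by_host, in_from_domain_dns)]: True when the host is among the MX/NS records of
    the From: domain, the pattern this page describes. Compares names only."""
    m = re.search(r"@([\w.-]+)", message_from_string(raw).get("From", ""))
    domain = m.group(1).lower() if m else ""
    hops = received_hops(raw)
    return [(older[1], older[1] in dns.get(domain, set()))
            for newer, older in zip(hops, hops[1:]) if newer[0] != older[1]]
```

In both samples the flagged "by" host (ns2.bt.net, a.ns.joker.com) is one of the From: domain's NS hosts, which is the tell-tale the page describes; a legitimate relay whose "from" is an IP literal rather than a name will also be flagged by this name-only comparison, so treat a flag without the DNS match as a weaker signal.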

My suspicion is that some spammer software is programmed to prepare spams in this manner. It is likely picking an address for the "From:" among some list of potential addresses. The idea here is that if the spam doesn't make it to its intended destination (perhaps because the "To:" address is incorrect, etc.), it will "bounce" to a real user. The world may never know exactly how this is working...

Publications

C.P. Fuhrman, “Analysis of massive backscatter of email spam,” Proc. Montreal Conference on e-Technologies (MCETECH), Practice and Theory of IT Security (PTITS), Montreal, 2008. (slides of presentation)

Contact

If you have anything to share about email backscatter (perhaps you're receiving lots of it, too?), contact me at .

--
Christopher Fuhrman