Q: What is 'backscatter' and why should I worry about it as a LISTSERV Site Administrator?
Answer by Ben Parker Chief Corporate Consultant, L-Soft
Backscatter email (also known as outscatter, misdirected bounces, blowback or collateral spam) is a side-effect of email spam, viruses and worms, where a LISTSERV server receives spam and bogus command emails and sends acknowledgement or rejection messages to an innocent party's email address. This occurs because the From: address in the original message to LISTSERV is forged to contain the email address of the victim. Since these messages coming back from LISTSERV were not solicited by the recipients, are substantially similar to each other, and are delivered in bulk quantities, they may be treated as unsolicited bulk email or spam. As such, LISTSERV systems that generate email backscatter can end up being blacklisted, which negatively affects your server's email reputation and reduces your deliverability of (wanted) list email.
The important question is how is it possible to effectively deal with the 'backscatter' problem with LISTSERV tools already available, without compromising important LISTSERV features such as opt-in subscription confirmation. Several possible steps are briefly outlined below. These are not mutually exclusive and probably should be combined in some manner. This is really a "defense in depth" strategy. It should be emphasized that all of this is fairly fluid and may change significantly within a year's timeframe as anti-spammers get more aggressive and spammers get more wily in working around the newer defenses. It is truly a never-ending battle.
Separate outgoing mail streams
Split outgoing email from LISTSERV using SMTP Delivery Pools(1) so that list message email goes out of a different mail server than administrative email (command responses, errors, renewals, probes, etc.) This usually requires two separate SMTP machines. Generally, you cannot do this by assigning two IP's to one machine, unless the mailer application(s) can be configured to exclusively bind to a single IP address.
Presumably all of your lists are already configured as confirmed opt-in so no list message email should be going to any spam-trap addresses and all such mail is wanted by your recipients/subscribers. It is the administrative emails that produce the auto-responses that get your server black-listed. This physical separation of outgoing email will increase deliverability of your list email, making subscribers happier.
Filter incoming email
Use DNSBLs(2) and other SMTP methods (e.g. PTR record lookup) to validate incoming mail to LISTSERV and keep non-legitimate mail from reaching LISTSERV. If the incoming email is from a known source of spam and is blocked or refused at the point of acceptance, LISTSERV will not need to waste time processing it and also will not send out any 'backscatter' emails that can lead to black-listing.
On Windows, the LISTSERV SMTP Listener can be configured(1) to use SpamAssassin (or similar anti-spam application) to apply these filtering methods directly. You can also use another mail server software on the machine with LISTSERV (or a separate 'gateway' mail server or similar filtering device) that implements these methods as the first-stage mail receiver before forwarding mail on to LISTSERV. One such Windows mail server is MailEnableTM (3). There may be others. On Unix, Sendmail, Postfix and other mailers can all be configured to apply these incoming mail screening methods.
Configure LISTSERV to suppress some of its auto-response messages
What can be suppressed are messages sent to non-subscribers of lists configured as Send= Private (or variations thereof) whether the From: address is spoofed or not.
Example:
Subject: Rejected posting to LISTNAME@PEACH.EASE.LSOFT.COM From: "PEACH.EASE.LSOFT.COM LISTSERV Server (15.5)" <LISTSERV@PEACH.EASE.LSOFT.COM> Date: Thu, 28 Sep 2009 18:08:10 -0400
You are not authorized to send mail to the LISTNAME list from your user@EXAMPLE.COM account. You might be authorized to post to the list from another of your accounts, or perhaps when using another mail program configured to use a different email address, ...
This message is found in the MSG_POSTING_REJECT_NOTAUTH template. To suppress this rejection message, edit the template and replace the template contents with these 2 lines:
.QQ .* do not send this message to stop backscatter emails
(All template names refer to LISTSERV version 16.0, but these mail templates are the same in 15.5, 15.0 and 14.5)
The important thing to remember about disabling any auto-response templates is that disabling them to reduce unwanted 'backscatter' emails to forged or stolen addresses (including spam trap addresses) also prevents these same messages from being sent to legitimate subscribers attempting to send legitimate messages to a list.
If you have decided to proceed with disabling such auto-response message templates there are several other templates you may also want to consider disabling such as:
MSG_POSTING_REJECT_SPAM_DETECTED
Your posting to the &LISTNAME list has been rejected because it has been identified as &SPAM;. Since you are reading these lines, this diagnostic was presumably incorrect ...
MSG_POSTING_REJECT_BAD_ATTACHMENT
(this template has several variations)
Your posting to the &LISTNAME list has been rejected because it contains the '&VIRUS_NAME;'...
Your posting to the &LISTNAME list has been rejected because it only contains material in a format disallowed by the list configuration. ...
LISTSERV was unable to process your multipart MIME message because it did not contain any MIME body part in a format that LISTSERV understands. ...
Your posting to the &LISTNAME list has been rejected because it contains an attachment of type '&TYPE;'. The &LISTNAME list has been configured to reject such attachments; ...
MSG_POSTING_REJECT_CONTENTFILTER
Your posting to the &LISTNAME list has been rejected by the content filter. &COMMENT
Note: This message will only be sent if any of your CONTENT_FILTER settings use the REJECT option. You can .QQ this message template or you can simply use the DISCARD option in your CONTENT_FILTER instead of REJECT.
The following message templates also generate rejection messages but these are very seldom used, so it is not likely to be necessary to .QQ them, although you can do so.
MSG_POSTING_REJECT_DIGESTREPLY
Your message is being returned to you unprocessed because it appears to be one of the &LISTNAME digests.
MSG_POSTING_REJECT_DUPMSG
Your message is being returned to you unprocessed because it appears to have already been distributed to the &LISTNAME list. That is, a message with identical text (but possibly with different mail headers) has been posted to the list recently,...
MSG_POSTING_REJECT_EMPTYJOB
Your message is being returned to you unprocessed because no command was found in the message body. LISTSERV expects commands in the body of the message rather than in the message subject because some users have no control over the contents of the "Subject:" field on outgoing messages.
MSG_POSTING_REJECT_EMPTYMSG
LISTSERV does not allow the distribution of empty messages to a mailing list, because some users are unable to see the "Subject:" field from the original message.
There are also templates that generate auto-responses but which must NOT be suppressed:
CONFIRM1
Your &CMD requires confirmation ...
This template is used for almost all kinds of command and subscription confirmations. Suppressing this template will seriously cripple LISTSERV's essential operation.
MSG_POSTING_CONFIRM_DASHREQUEST
To cut down on spam, this server requires positive confirmation of messages posted to the &LISTNAME-request address. You must now confirm that the enclosed message did originate from you. ...
This message is sent to people writing to the Listname-Request address to contact the list owner. If suppressed, the list owner can never be contacted via the Listname-Request address.
MSG_POSTING_FORWARD_EDITOR
Your &MSGREF has been submitted to the moderator of the &LISTNAME list: &MBX(&MODERATOR).
This message is sent to persons who post a message to a moderated list. It can be suppressed, but then the sender has no way to know what happened to their message. Some list owners already suppress this message in an attempt to disguise the fact that messages to their list are moderated, but most subscribers quickly figure this out.
Remember, by disabling auto-response message templates to cut down on the 'backscatter' you will also be preventing real subscribers from being notified of a problem. Each site administrator needs to decide for themselves how bad the 'backscatter' problem for their server really is and how much they are willing to inconvenience real subscribers to reduce their backscatter problem.
How can you measure how effective this auto-response suppression method is? When an auto-response message of this nature is suppressed, this fact is recorded in the LISTSERV log file like this:
27 Sep 2009 06:40:48 Processing file 32472 from MAILER@TRAINING.LSOFT.COM 27 Sep 2009 06:40:48 -> Removing unwanted MIME message parts... 27 Sep 2009 06:40:48 -> Rejected: (message suppressed by mail template)
So all you need to do is count the number of these in each log file and you will know how many possible backscatter messages per day you are preventing.
Further reading on this topic:
Backscatter (email): http://en.wikipedia.org/wiki/Backscatter_(e-mail) Backscatter Summary: http://spamlinks.net/prevent-secure-backscatter.htm Postfix Backscatter Howto: http://www.postfix.org/BACKSCATTER_README.html
Notes:
(1) Information on 'SMTP Delivery Pools' and 'Configuring SMTPL.exe to use spam-filtering' can be requested from L-Soft Support.
(2) A DNSBL (DNS-based Blackhole List, Block List, or Blacklist) is list of IP addresses published through the Internet Domain Name Service (DNS) in a special format. DNSBLs are most often used to publish the addresses of computers or networks linked to spamming. Most mail server software can be configured to reject messages which have been sent from a site listed on one or more such lists. For more information see: http://en.wikipedia.org/wiki/DNSBL
(3) For more information on MailEnableTM see: http://www.mailenable.com
|