Please don't send backscatter spam
Like many researchers interested in email spam, I keep a number of spamtrap email addresses. These are addresses that exist purely to receive spam. They're useful to see how spammers' tactics are changing, and to keep an eye on spam volume trends.
Today, my spamtraps are chock-a-block full of non-delivery reports, out-of-office notifications, and other automatic replies. All of them are replies to some Chinese spam that's doing the rounds.
So what's going on here? This type of email is known as backscatter. Although it's not sent by spammers, it is itself, to all intents and purposes, spam.
As you're probably aware, the vast majority of spam is sent using a forged sender address (in the From: header). It's easy to do: the Internet email protocol was invented years ago, during a kinder, gentler time. Back then, the only users were experimental souls, who were trusted by all the other users, so there's little or no authentication of email message headers.
Spammers often pluck random email addresses from their spam lists to use as the forged sender address. So that means, from time to time, one of my spamtraps gets used as the forged sender of a spammer's campaign.
Of course, all this means that if an email server receives a spam message with a forged sender, any reply that's generated is going to go to the forged email address. In this case, it's my spamtrap that's getting the replies.
This shouldn't happen -- or at least not very often -- for at least two reasons:
- Email servers shouldn't auto-reply to spam, because they should be running decent spam filters. Filters will all-but prevent spam from reaching the software robots that do the out-of-office replies.
- Non-delivery notifications shouldn't be sent as fresh email messages. Email servers shouldn't reply to a failed message, but should instead reject the message.
The first reason is, I hope, self-explanatory. But the second is a more subtle point -- yet very important.
You see, if you mistype someone's email address, the bounce message you get back may look like a reply generated by the receiving email server, but it's not. It's actually generated by your server, in response to the receiving server rejecting the message during the SMTP protocol's exchange. (For those who speak fluent SMTP, I'm talking about throwing a 5xx error.)
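Or, at least, that's how it should be. However, sometimes servers are misconfigured: they accept the message during the SMTP exchange, then send a non-delivery 'bounce' reply as a fresh email to the forged sender -- in other words, backscatter spam.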
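The two behaviours side by side, as an added example that is not part of the original post: a toy Python model of a receiving server handling one spam run with a forged sender. The `ReceivingServer` class, the `run_spam` helper, the mailbox list and all addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: the only mailbox that exists on this server.
VALID_MAILBOXES = {"alice@example.org"}


@dataclass
class ReceivingServer:
    """Hypothetical model of a receiving mail server (not a real MTA)."""
    reject_at_smtp: bool                           # True = correct configuration
    queue: list = field(default_factory=list)      # (envelope sender, recipient)
    outbound: list = field(default_factory=list)   # fresh mail this server sends

    def rcpt_to(self, mail_from, rcpt):
        """Reply to RCPT TO in a transaction opened with MAIL FROM:<mail_from>."""
        if self.reject_at_smtp and rcpt not in VALID_MAILBOXES:
            # 5xx during the SMTP exchange: nothing is queued, so this server
            # never has to write a bounce. Reporting is the sender's problem.
            return 550, "5.1.1 User unknown"
        self.queue.append((mail_from, rcpt))
        return 250, "2.1.5 Ok"

    def deliver_queue(self):
        """Later delivery attempt; failures turn into fresh bounce messages."""
        for mail_from, rcpt in self.queue:
            if rcpt not in VALID_MAILBOXES:
                # The bounce goes to the envelope sender, which nobody
                # authenticated. If it was forged, this is backscatter.
                self.outbound.append({"from": "<>", "to": mail_from,
                                      "subject": f"Undeliverable: {rcpt}"})
        self.queue.clear()


def run_spam(server, forged_sender, recipients):
    """One spam run: forged MAIL FROM, several RCPT TO, rejections ignored."""
    codes = [server.rcpt_to(forged_sender, r)[0] for r in recipients]
    server.deliver_queue()
    return codes, server.outbound


if __name__ == "__main__":
    targets = ["nobody@example.org", "alice@example.org"]   # constructed
    for reject in (False, True):
        codes, sent = run_spam(ReceivingServer(reject), "spamtrap@example.net", targets)
        print(f"reject_at_smtp={reject}: replies={codes}, bounces to={[m['to'] for m in sent]}")
```

With `reject_at_smtp=False` the forged address receives the bounce; with `True` the server sends nothing at all, because the failure was reported inside the SMTP session.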
Over the years, several ideas have been proposed to combat backscatter, such as Bounce Address Tag Validation, Sender Policy Framework, and DomainKeys Identified Mail. However, none of these have really lived up to the hype with which they were born. The best way to avoid backscatter is not to send it in the first place.
Don't be that guy: Configure your email servers correctly, so you're not sending backscatter spam. The Internet thanks you for your cooperation!
Richi Jennings is an independent analyst, specializing in blogging, email, spam, security, and other technology topics. His writing has won American Society of Business Publication Editors and Jesse H. Neal awards. You can encircle him at +richi, follow him as @richi on Twitter, pretend to be his friend at Facebook.com/richij or just use boring old email: io@richij.com.








