You may at times receive what look like bounced e-mail messages (often containing spam advertising) that appear to have been sent from your own email address. This is called “backscatter” and does not mean your email account has been hacked. They are bounce emails you receive for messages sent by spammers and scammers using other email systems (not yours) but with your e-mail address in the original “FROM” field of the email.

When email is delivered to a system, if there is a problem delivering the email such as the account doesn’t exist, mailbox is full, etc., then most email systems will generate a “bounce” email back to the sender to let them know there was a problem. The way to determine the original sender of the email and thus where to send the bounce is by using the ‘From’ address on the original email.

There is no way for systems to verify that a ‘From’ address is correct and has not been forged (there are attempts like SPF and DomainKeys, though these have flaws). When spammers send email, they almost always forge the ‘From’ address the email is sent from. That is why blocking specific sender addresses does not work: spammers usually forge every email to come from a different address. Spammers may use known email addresses (gathered from other sources or pulled from Internet pages you post on) or just random ones. It can be of some help if you do not post your e-mail address “in the open” on web pages, including social networking sites (Facebook, MySpace, LinkedIn, etc.).

If the spammer’s email message is not delivered, then a bounce will be sent back to the ‘From’ address on the email, which is whatever the spammer has made up. The problem occurs when spammers use YOUR email address as the ‘From’ address on emails. In these cases, you will get many bounce emails appearing in your inbox for emails you never sent!

This is called “backscatter”, and is unfortunately a consequence of how the internet email system was set up decades ago.

There are a few things you can do to try to reduce backscatter. When most systems bounce an email, they include all or part of the original email in the bounce. What we can do is check the original email as attached in the bounce, and see whether it appears to have been originally sent through your own email server. If not, then you will know it was an email sent by a spammer with a forged ‘From’ address.

Some email systems have a backscatter filter which recognizes these messages as backscatter, and that is why they are sent automatically to your Spam or Junk folder. Backscatter filters are not perfect. To work, the “bounce” email has to have part of the original message in it so we can check if you were actually the original sender. Quite a few systems don’t include the original message in the “bounce” (the most common being challenge/response systems that are supposed to stop spam, and just end up adding to the problem for others). In those cases, the filters cannot determine the true original sender of the email, and thus can’t mark the emails as backscatter.
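The check described above (find the original message inside the bounce, then see whether it passed through one of your own servers) can be sketched as follows. This is an added example, not code from any particular mail system; the host name `mail.example.org`, the result labels and the sample messages are assumptions constructed for illustration.

```python
import email
import re
from email import policy

# Assumption: hosts your own mail legitimately leaves through (placeholder name).
OWN_HOSTS = {"mail.example.org"}

def embedded_original(bounce):
    """Return the original message carried inside a bounce, or None."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":            # full original attached
            payload = part.get_payload()
            return payload[0] if isinstance(payload, list) and payload else None
        if ctype == "text/rfc822-headers":       # only the original's headers attached
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def classify_bounce(raw, own_hosts=OWN_HOSTS):
    """Return 'genuine-bounce', 'backscatter' or 'no-original' for a raw bounce."""
    original = embedded_original(email.message_from_string(raw, policy=policy.default))
    if original is None:
        return "no-original"                     # nothing to check the sender against
    for hop in original.get_all("Received", []):
        m = re.search(r"\bby\s+([^\s;()]+)", str(hop), re.IGNORECASE)
        if m and m.group(1).lower() in own_hosts:
            return "genuine-bounce"              # original passed through your server
    return "backscatter"                         # original never touched your servers

def make_bounce(original):
    """Wrap `original` (raw text, or None to omit it) in a constructed bounce."""
    attached = f"--b1\nContent-Type: message/rfc822\n\n{original}\n" if original else ""
    return ("From: MAILER-DAEMON@remote.example\nTo: you@example.org\n"
            "Subject: Undelivered Mail Returned to Sender\nMIME-Version: 1.0\n"
            'Content-Type: multipart/report; boundary="b1"\n'
            "\n--b1\nContent-Type: text/plain\n\nDelivery failed.\n"
            + attached + "--b1--\n")

# Constructed sample originals: one really sent via your server, one forged.
SENT_BY_YOU = ("Received: from laptop.example.org by mail.example.org with ESMTP;"
               " Mon, 1 Jan 2024 10:00:00 +0000\n"
               "From: you@example.org\nTo: nobody@remote.example\nSubject: hi\n\nhello")
FORGED = ("Received: from bot.invalid by relay.spam.invalid with SMTP;"
          " Mon, 1 Jan 2024 10:00:00 +0000\n"
          "From: you@example.org\nTo: nobody@remote.example\nSubject: offer\n\nbuy now")

if __name__ == "__main__":
    for name, orig in [("sent", SENT_BY_YOU), ("forged", FORGED), ("bare", None)]:
        print(name, classify_bounce(make_bounce(orig)))
```

Each relay writes its own Received line and a sender can forge the ones beneath the first real hop, so a host name match on its own is a heuristic rather than proof.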

If for some reason a spammer is forging your address on their emails, then they can send millions of spam emails. Most systems will absorb, SMTP block, or discard the spam emails, but for those systems that do bounce them, if even 1000 of those generate backscatter bounces and 5% to 10% get through, that’s still around 50 to 100 emails that get through: a lot better than 1000, but still way too many. Unfortunately there is not much that can be done to improve that until more systems correctly attach the original email in the bounce message.

If you forward email from one email system to another (such as Yahoo to Gmail), this can reduce the ability of the end email system (Gmail in this instance) to properly filter backscatter and spam email that comes through the forwarding system. It is highly recommended to notify your friends to use your new e-mail address.

Note that you may receive email you think is backscatter but that did in fact originate from your own computer. Much of the spam sent today is sent through automated servers or users’ own computers infected by viruses or malware. There are hundreds (possibly thousands!) of pieces of malware on people’s own computers whose sole purpose is to use your own email client and email address book to send spam. We highly recommend installing and regularly using Malwarebytes Anti-Malware, which is available free. Anti-virus programs rarely find or remove these types of malware.
It is also somewhat common for your email account to be hacked. Dictionary and random (brute force) hacks are where they try to log in to your email account from their computer (or other infected PCs), trying many password combinations until they successfully access your email account. This is why it is very important to use stronger passwords containing symbols (where allowed) such as: !@#$ and mixed CaSe LeTTers in addition to numbers.

As part of the backscatter analysis process, many systems attach a header to the email when they think it might be backscatter. The header is X-Backscatter and can be one of the values:

NotFound1 – We thought this email might be backscatter (eg the From address is a postmaster type address), but we couldn’t find the original message attached in any way.

NotFound2/3/4 – We thought we had found the attached original message, but something about it was corrupted and it’s not a valid format message.

Backscatter Whitelist Hosts
As mentioned above, bounces where the original email does not appear to have come through one of your own email hosts are marked as spam backscatter. If you regularly send email through an email server that is not part of your own email server, then if any of those emails bounce, they could be classed as backscatter as they did not pass through one of your own email servers.
