Ferris Analyst Receives 25,000 Spam Messages Over Two Days

Late last week, a spammer sent a large run of spam in my name. We estimate that in the space of 48 hours, the spammer's botnet spewed 10 million messages whose sender addresses were forged to make them appear to come from one of my privately owned domains.

A small percentage of those messages bounced, and because the bounces go to the forged sender address, 25,000 of them landed in my email over a 48-hour period. At its peak, I received one misdirected bounce per second. Many of the bounces quoted the original spam in full, images included -- about half a gigabyte of unwanted, "backscatter" email.

What should we learn from this?

  1. We were impressed with how well the Symantec Brightmail spam filter that protects these domains worked. It did a near-perfect job of sifting out the bounces from the real email: better than 99% effectiveness, and no false positives -- although it's hard to be sure when there are so many messages to check in the quarantine. (For clarity, Symantec doesn't protect the ferris.com domain; these forgeries were attacking other, privately owned domains such as richi.co.uk.)
  2. Many email servers behave badly: they accept unwanted email and then bounce it, instead of rejecting it while the sending host is still connected. Some of this is due to configurations that accept every recipient at the perimeter and only later discover the mailbox doesn't exist -- by then the only thing the server can do with the message is send a non-delivery report to the forged sender. Others seem to be due to badly configured perimeter protection -- including a surprising number of Barracuda appliances. If you're responsible for a mail system that creates such backscatter, please fix it.
  3. Many sites allow their users to auto-reply to email with no regard to whether they're replying to spam (and hence sending irrelevant junk to a forged sender). Incredibly, some of these sites had clearly decided the message was spam -- as can be seen from SpamAssassin-like headers or subject tags added to the spam -- yet they still kindly let me know that they're "out of the office" because a spammer falsely used my email address as the spam's sender. This is another form of backscatter; if you're responsible for a mail system that does this, please fix it.
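
To make points 2 and 3 concrete, here is an added example (mine, not the post's and not any vendor's code) that models the two decisions at which backscatter is created: the MTA's reply to RCPT TO, and an autoresponder's decision to reply. The mailbox table, the domain and addresses, the policy names and the two sample messages are constructed for illustration; it is an in-memory model of the logic, not a real MTA.

```python
"""Backscatter at two decision points: RCPT TO in the MTA, and the autoresponder.

Added example, not code from the post or from any mail vendor.  The mailbox
table, policy names, addresses and sample messages below are constructed.
"""
import email
from dataclasses import dataclass, field
from email.message import Message

# Constructed mailbox table for the receiving domain.
LOCAL_DOMAIN = "example.org"
LOCAL_MAILBOXES = {"alice@example.org", "postmaster@example.org"}


@dataclass
class Session:
    """Record of one inbound SMTP transaction and any DSNs it caused."""
    transcript: list = field(default_factory=list)   # "C:" / "S:" dialogue lines
    dsns: list = field(default_factory=list)         # {"to": ..., "about": ...}


def inbound(session: Session, policy: str, envelope_from: str, recipient: str) -> str:
    """Run MAIL FROM / RCPT TO / DATA for one recipient under a bounce policy.

    "reject_at_rcpt": the mailbox table is consulted while the sending host is
    still connected, so a missing mailbox gets a 550 and no DSN is ever created;
    the spammer's bot, not the forged sender, is told of the failure.

    "accept_then_bounce": RCPT TO is answered 250 for any address in the local
    domain (the "accept everything at the perimeter" setup).  The missing mailbox
    is discovered after the server has taken responsibility for the message, so
    it must send a DSN to the envelope sender, which the spammer forged.
    Returns the reply the sending host saw for RCPT TO.
    """
    t = session.transcript
    t.append(f"C: MAIL FROM:<{envelope_from}>")
    t.append("S: 250 2.1.0 Ok")
    t.append(f"C: RCPT TO:<{recipient}>")
    in_domain = recipient.endswith("@" + LOCAL_DOMAIN)
    exists = recipient in LOCAL_MAILBOXES

    if not in_domain:
        reply = "554 5.7.1 Relay access denied"
    elif policy == "reject_at_rcpt" and not exists:
        reply = "550 5.1.1 User unknown"
    elif policy in ("reject_at_rcpt", "accept_then_bounce"):
        reply = "250 2.1.5 Ok"
    else:
        raise ValueError(f"unknown policy {policy!r}")
    t.append("S: " + reply)

    if reply.startswith("250"):
        t.append("C: DATA ... <message> .")
        t.append("S: 250 2.0.0 Queued")
        # Delivery fails only now.  A null envelope sender (<>) is never bounced
        # to, which is all that prevents bounce loops; for any other sender the
        # DSN created here is the backscatter the post describes.
        if not exists and envelope_from != "":
            session.dsns.append({"to": envelope_from, "about": recipient})
    return reply


def should_autoreply(envelope_from: str, raw_message: str) -> bool:
    """Decide whether an out-of-office reply may be sent for this message.

    Each check stops a class of reply that can only be backscatter: DSNs carry a
    null envelope sender; automatic and bulk mail announces itself through
    Auto-Submitted, Precedence or List-Id; and a message the site's own filter
    has already tagged as spam is not worth answering at all.
    """
    if envelope_from == "":
        return False
    msg: Message = email.message_from_string(raw_message)   # header names are case-insensitive
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return False
    if msg.get("Precedence", "").strip().lower() in {"bulk", "list", "junk"}:
        return False
    if msg.get("List-Id") is not None:
        return False
    if msg.get("X-Spam-Flag", "").strip().upper() == "YES":          # SpamAssassin-style verdict
        return False
    if msg.get("Subject", "").lstrip().upper().startswith("***SPAM***"):  # subject tag
        return False
    return True


# Constructed samples: spam with a forged sender that the site's filter already
# tagged, and an ordinary message from a colleague.
TAGGED_SPAM = """\
From: richi@example.net
To: alice@example.org
Subject: ***SPAM*** Cheap watches
X-Spam-Flag: YES
X-Spam-Status: Yes, score=14.2

buy now
"""

COLLEAGUE_MAIL = """\
From: bob@example.com
To: alice@example.org
Subject: Lunch?

12:30?
"""


def demo() -> dict:
    """Same forged-sender spam to a non-existent mailbox, under both policies."""
    results = {}
    for policy in ("accept_then_bounce", "reject_at_rcpt"):
        s = Session()
        code = inbound(s, policy, "richi@example.net", "nobody@example.org")
        results[policy] = (code, len(s.dsns))
    return results


if __name__ == "__main__":
    for policy, (code, n) in demo().items():
        print(f"{policy:20s} RCPT reply {code[:3]}  DSNs to forged sender: {n}")
    print("autoreply to tagged spam:", should_autoreply("richi@example.net", TAGGED_SPAM))
    print("autoreply to colleague:  ", should_autoreply("bob@example.com", COLLEAGUE_MAIL))
```

The `reject_at_rcpt` path is what a correctly configured perimeter does: the mailbox lookup happens during the SMTP transaction, the 550 goes back to the bot that connected, and nothing is queued. Real MTAs express this as a recipient table or recipient verification on the perimeter host; the header checks in `should_autoreply` are the conventional ones (null sender, Auto-Submitted, Precedence, List-Id, and the filter's own verdict), and a site that already adds a spam tag has no excuse for ignoring it in its autoresponder.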

... Richi Jennings

One Comment

  1. Posted December 1, 2006 at 9:44 AM

    Hi Richi,
    It is indeed surprising and a little worrying that a major vendor like Barracuda (who our research indicates has about 3% market share worldwide — that’s more than IronPort and Ciphertrust combined) doesn’t prevent backscatter by default.

  2. Posted December 1, 2006 at 10:48 AM

    Ken, we’re told by Barracuda that more recent installations don’t do this by default.
