We've experienced it ourselves, and have had some reports from our clients, of a large amount of "backscatter" coming into our mail system. Backscatter is made up of bounced mail notifications, but not for any mail that you might have sent. It comes from spam which uses your mail address as the sender, i.e. in the "From:" header.
This is a technique used by spammers to mask their identity and increase their odds of successful delivery by using an address that is "real". The term for this spamming technique is a "Joe Job" (specifically in that wiki entry see the section titled "Joe-job-like automated spam".)
I'll delve into more technical aspects of this later, but the most important question I need to answer now is: "Can digital.forest make it stop?"
The short answer is unfortunately "no", mostly because we cannot control the behavior of spammers. However, there may be some things we can do to minimize the annoyance. That requires some consideration of unintended consequences, though, as it attacks symptoms rather than causes. Let's break the process down into simple steps and examine what we can do at each one and what the results would be:
1. The spammer sends out mail with your address as the sender.
Nothing can be done to prevent this, unfortunately. Just as anyone can write your physical address on a piece of paper mail as the return address, the same applies to e-mail. How did they get your address? Any number of ways: published in WHOIS records, harvested from the web, harvested from mailing lists, harvested through Microsoft Outlook viruses, and so on.
Further, these mails are NOT being sent from digital.forest's servers. They are being generated and relayed from thousands of compromised hosts (usually infected Windows desktops) on broadband networks all over the globe. These computers are referred to as "zombies" or "bots" in the network security world, and they number in the hundreds of millions; the networks of them under a spammer's control are called "botnets".
There have been some technologies proposed, and some even partially adopted, to put some sort of check into the mail process that verifies that the sender is the actual sender. "SenderID", Sender Policy Framework (SPF), etc. We can implement some or all of these, but it would only serve to reduce the percentage of mail that bounces by a small amount, as these solutions are far from universally deployed, or even agreed upon.
2. The mail recipient's server accepts or rejects the spam, but then bounces it, or sends a challenge-response, or other auto-reply.
Again, this is something digital.forest has no control over. If these servers recognize the incoming message as spam, then they should not bounce it. It should be just ignored, filtered, discarded, etc. There used to be a school of thought that bouncing, rejecting, or sending a challenge-response would somehow convince the spammer to not send you any more mail. The reality is that the spammer doesn't care. In fact they have masked the true source and are redirecting these bounces, rejections, etc elsewhere! Unfortunately some percentage of the mail servers, and mail operators still want to bounce or reject spam, so all these bounces, rejections, challenge-response notices, etc go flooding back towards the supposed sender.
3. Here come the bounces, right at you!
So here is the point at which we can do something, because this is the first time digital.forest systems are directly involved. Unfortunately, as I said earlier, this attacks a symptom, not the root cause, and it will have unintended consequences. We can create server-side filters to discard bounce messages. Like SPF, this will only cut down on the backscatter by some percentage, because not all bounces are crafted the same. Additionally, much of the backscatter is not bounces at all but various sorts of auto-replies, vacation messages, out-of-the-office notices, and challenge-response systems. Even if we filter, we can't stop them all. If we do filter, the consequence is that you will not be notified when your legitimate sent mail bounces, and if mail you send does not reach the person you sent it to, you want to be notified. So we're stuck between the proverbial rock and hard place. If you choose to start filtering bounces, you can, usually by writing a rule on the mail server that DISCARDS (NOT rejects!) mail with a return-path of "<>", the empty envelope sender that most bounces carry; rejecting such mail would only provoke yet another notification from the sending server. If you need some help with this process you can contact technical support or submit a trouble ticket and we can assist you. Just keep in mind the potential consequences of this action.
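As an added example (not part of the original post, and not digital.forest's own filter), here is a Python sketch of the discard rule described above: it treats a null return-path "<>" as a bounce, extends the same idea to auto-replies via the Auto-Submitted header (RFC 3834), and adds one refinement the post does not describe: a bounce that quotes a Message-ID our server actually sent is kept, which softens the lost-notification consequence. The sent-ID set, addresses and sample messages are all constructed.

```python
import email

# Constructed stand-in for an outbound MTA log: Message-IDs we really sent.
SENT_MESSAGE_IDS = {"<abc123@example.net>"}


def is_backscatter_candidate(msg):
    """True for DSNs (null envelope sender "<>") and RFC 3834 auto-replies."""
    return_path = msg.get("Return-Path", "").strip()
    auto_submitted = msg.get("Auto-Submitted", "no").strip().lower()
    return return_path == "<>" or auto_submitted.startswith("auto-")


def classify(raw):
    """Return 'discard' or 'deliver' for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    if not is_backscatter_candidate(msg):
        return "deliver"          # ordinary mail is never touched
    if any(mid in raw for mid in SENT_MESSAGE_IDS):
        return "deliver"          # a real failure notice for our own mail
    return "discard"              # DISCARD, never reject: no second bounce


# Constructed samples: a joe-job bounce, a genuine bounce, an auto-reply.
JOE_JOB_BOUNCE = """Return-Path: <>
From: MAILER-DAEMON@mail.example.org
Subject: Undelivered Mail Returned to Sender

Your message <spam777@bot.invalid> was rejected as spam.
"""

LEGIT_BOUNCE = """Return-Path: <>
From: MAILER-DAEMON@mail.example.org
Subject: Undelivered Mail Returned to Sender

Your message <abc123@example.net> could not be delivered: user unknown.
"""

OUT_OF_OFFICE = """Return-Path: <bob@example.org>
From: bob@example.org
Auto-Submitted: auto-replied
Subject: Out of office

I am away until next week.
"""
```

Matching on Message-IDs from your own outbound log is what lets a DSN filter keep the bounces you do want; without that list, the rule falls back to exactly the trade-off described above.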
The good news is that these automated joe jobs rarely go on for very long, as the spammer needs to constantly cycle through senders to mask their identity. The backscatter should stop after somewhere around 5-7 days. I realize that is small consolation, but please know that we are right there with you. Our long-published email addresses (like abuse@forest.net, support@forest.net, and many of the personal addresses like mine that have been in operation for the lifetime of digital.forest) can experience large volumes of backscatter, several thousand messages per hour. If it were within our power to stop these, we certainly would.
Regards,
Chuck Goolsbee
VP Technical Operations
digital.forest, Inc
posted by Chuck G. at 09:04 AM on Thursday, April 24, 2008
Categories: Mail