A New Form of SPAM – Backscatter SPAM

We’ve been receiving many reports of users finding large amounts of unexplained nondelivery messages in their inboxes. These nondelivery (or “bounce”) messages typically from MAILER-DAEMON appear to indicate that the user has been sending Spam to external servers, and the Spam messages have been rejected by the remote servers.

These messages have been the source of confusion and concern for the people who have received them. The users who receive these nondelivery messages did not send the original Spam messages that are being rejected, making it seem as though the users’ accounts have been hijacked for the purposes of sending Spam. In fact, the users’ accounts have not been compromised.

Because of the nature of the e-mail systems, there are no restrictions on what e-mail address is designated as the “from” address in external e-mail. This means that if a Spammer elects to forge a Wesleyan e-mail address as the “from” address for Spam messages, there is nothing preventing the Spammer from doing so. Over the past two weeks , it appears that more Spammers are doing this. Because many Spam filtering servers around the Internet are configured to send a nondelivery report to the from address of offending messages (even if the “from” address is forged), many of these nondelivery reports are ending up in our users’ mailboxes. This phenomenon is called backscatter Spam. The act of forging the “from” address for such purposes is also referred to as a JoeJob.

While there are some measures that we can take to reduce backscatter Spam, we cannot eliminate it entirely. This is because in certain cases our users would want to receive nondelivery reports that are legitimate (unfortunately there is no way to distinguish whether the non-delivery report is due to a forged “from” address). We are working to refine our procedures for filtering backscatter Spam.

If you need further information, please contact your Desktop Support Specialist or the Helpdesk.