Back scattering

Added 9 months ago

This is a rare spam attack. The spammers are faking error messages.

For example, if you send a real message but the recipient has a full mailbox, then you'll get an error message telling you the recipient was over quota.
The backscattering attack consists of faking those messages and attaching the spam to the error.
The mail RFC says that those error messages have to be sent with an empty sender address.
Most of the time, they will have a subject like

T="Mail delivery failed: returning message to sender"

Backscattering is usually done this way:
- the attacker finds a mail server that attaches the body of the original mail to the NDR (non-delivery report) it generates
- the attacker sends mails to unknown addresses on that server, spoofing the mail address of the real target of the spam as the sender
- the targeted mail server rejects the message since the destination address doesn't exist
- the NDR is sent to the real target of the spam, as he (she) is seen as the original sender
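
One way to triage the NDRs described above, as an added example that is not part of the original article or of MailCleaner: it treats a message with an empty Return-Path as a bounce and checks whether the original attached to it carries a Message-ID the user really sent. The sample NDR, the function names and the `sent_ids` set (assumed to come from your outbound mail logs) are constructed for illustration.

```python
from email import message_from_string

# Constructed sample NDR (multipart/report with the original message attached).
SAMPLE_NDR = """\
Return-Path: <>
From: Mail Delivery System <mailer-daemon@mx.example.net>
To: alice@example.org
Subject: Mail delivery failed: returning message to sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The address nobody@example.net does not exist.

--b1
Content-Type: message/rfc822

From: alice@example.org
To: nobody@example.net
Message-ID: <{mid}>
Subject: hello

body of the original message
--b1--
"""

def embedded_original(msg):
    """Return the original message (or just its headers) attached to an NDR."""
    for part in msg.walk():
        ctype = part.get_content_type()
        payload = part.get_payload()
        if ctype == "message/rfc822" and isinstance(payload, list) and payload:
            return payload[0]
        if ctype == "text/rfc822-headers":
            return message_from_string(payload)
    return None

def classify(raw, sent_ids):
    """Label a delivered message; sent_ids holds Message-IDs we really sent."""
    msg = message_from_string(raw)
    if msg.get("Return-Path", "").strip() != "<>":
        return "not-a-bounce"          # error messages use an empty sender
    orig = embedded_original(msg)
    if orig is None:
        return "bounce-unverifiable"   # no attached original to compare
    mid = (orig.get("Message-ID") or "").strip()
    return "genuine-bounce" if mid in sent_ids else "backscatter"
```

A bounce labelled `bounce-unverifiable` carries no attached original, so it cannot be matched against the sent log and needs a manual look.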

You can find a more detailed description of the attack here:

The only way to stop those messages is a user-level feature. The user has to log on to his/her MailCleaner user page and change his/her preference for the "Retain error messages" setting.

Once this is done, the user won't get error messages anymore (including the real ones).
Such attacks usually last only 3-4 days, so the user will need to change this setting back to normal after a few days via:

Configuration -> Address settings -> Retain error message

Note: Administrators can connect to this private user page via

Management-> users->choose user->Actions-> Open user's interface

and change the setting for the user.