This solution applies to all Email Security Gateways with firmware releases prior to 3.5.12. Email Security Gateways on firmware verisons 3.5.12 and above can implement Invalid Bounce Suppression as described in Solution #00003619.
When spammers spoof email addresses to obfuscate their identities, bounce messages from unsuspecting relays are often sent to those innocent recipients whose email addresses have been spoofed. This effect is often referred to as email backscatter.
Some email security vendors believe that spammers use bounce messages as a mechanism to deliver email to end users. However, because most email servers do not include the entire original message when sending bounces, the actual bounce contents including message headers, message MIME part headers, and sometimes html code do not serve as effective enticements to end users. As such, Barracuda Networks believes that these bounce messages are simply a side effect of the increases in spam and spoofing in general.
There are three parties in any transaction involving backscatter.
- The spammer that is spoofing the address.
- The unsuspecting relay that is generating the bounce message. Organizations running email servers should avoid becoming an unsuspecting relay by deploying an email security solution that prevents backscatter, such as the Email Security Gateway. For more information about how the Email Security Gateway prevents backscatter, please refer to Solution #00001720.
- The backscatter recipient.
Tips for backscatter recipients:
- Implement sender authentication techniques such as SPF or DKIM. These sender authentication techniques enable email servers or email security solutions, such as the Email Security Gateway, to easily identify or block emails that are spoofing your addresses. For more information about SPF, visit http://www.openspf.org. For more information about DKIM, visit http://www.dkim.org.
- Use external blacklists. While the policies of the Barracuda Blacklist do not target email servers that generate backscatter, there are several community DNSBLs that list email servers that are the subject of backscatter complaints. By implementing these DNSBLs, Email Security Gateway customers can block, quarantine, or tag any messages originating from email servers that are known to generate backscatter.
- If appropriate, block all bounce messages at the perimeter. The primary reason most users value bounce messages is that these bounce messages help relieve problems associated with mistyping recipient email addresses. What most people don't realize is that most legitimate bounce messages of this sort are generated by their own email servers inside their perimeter rather than by the recipient email server outside the perimeter. The reason is that most current email servers and email security solutions (including the Email Security Gateway) reject messages sent to invalid recipients using an SMTP reject code during the mail transaction rather than by receiving the email message and sending a bounce. When the sending email server inside the perimeter receives the SMTP reject code, it generally notifies the sender. As such, it is generally safe to reject all incoming bounce messages.
- If you are able to route both your inbound and outbound mail through the Email Security Gateway, you will be able to use the Invalid Bounce Suppression feature. This feature will tag all outgoing messages and accept bounces for only those messages that it sent. This feature can be found in Block/Accept > Sender Authentication. If you are currently only relaying inbound email through your Email Security Gateway, you should plan for the appropriate increase in email traffic. Your Barracuda Networks sales representative can work with you to size your system accordingly in preparation for this capability. For more information about enabling Invalid Bounce Suppression, please refer to Solution #00003619.