What is backscatter and how does it work in email?

Summary

Backscatter is a type of email spam that occurs when spammers forge sender addresses in their emails. When these emails bounce due to invalid recipients or other delivery issues, the Non-Delivery Reports (NDRs), or bounce messages, are sent to the forged sender address, which often belongs to an innocent victim. Most undeliverable email is rejected with a 5xx response at delivery time; backscatter occurs when an intermediate mail server accepts an email, later discovers it cannot be delivered, and sends an asynchronous bounce. The victim then receives a large volume of unwanted bounce messages, which can lead to inbox clutter, security risks, and potential damage to sender reputation. Backscatter can also indicate a server misconfiguration. DMARC, combined with email authentication in general, helps mitigate the issue by reducing the number of forged emails accepted in the first place.

Key findings

  • Forged Sender Addresses: Spammers use forged sender addresses in their emails.
  • Asynchronous Bounces: Backscatter involves asynchronous Non-Delivery Reports (NDRs) sent to forged addresses.
  • Innocent Victims: Innocent recipients receive unwanted bounce messages due to forged addresses.
  • Potential Security Risks: Backscatter can result in inbox clutter, security risks, and damaged sender reputation.
  • Server Misconfiguration: Backscatter may indicate a server misconfiguration issue.
  • NDR Storm: High volumes of NDRs can lead to a 'storm' of backscatter.

Key considerations

  • DMARC Implementation: Implement DMARC policies to manage how emails failing authentication are handled.
  • Email Authentication: Use email authentication methods (SPF, DKIM) to reduce forged emails.
  • Bounce Handling: Improve bounce handling processes to minimize the impact of backscatter.
  • Server Configuration: Ensure proper server configuration to limit acceptance of emails that will later bounce.

What email marketers say
7 marketer opinions

Backscatter is the result of spammers forging sender addresses in their emails. When these emails bounce due to invalid recipients or other delivery issues, the non-delivery reports (NDRs) or bounce messages are sent to the forged sender address, which is often an innocent victim. This results in the victim receiving a large volume of unwanted bounce messages, potentially leading to inbox clutter, security risks, and damage to sender reputation if they are incorrectly identified as the original spammer.

Key opinions

  • Forged Addresses: Backscatter occurs when spammers use forged sender addresses in their emails.
  • Bounce Messages: When these forged emails bounce, the NDRs are sent to the forged sender address.
  • Victim Receives Spam: The innocent victim whose address was forged receives the unwanted bounce messages.
  • Reputation Damage: Backscatter can damage a sender's reputation if they are incorrectly identified as the original spammer.
  • Security Risks: Bounce messages may contain malicious content or links, posing security risks to the recipient.

Key considerations

  • Sender Authentication: Implement sender authentication mechanisms (SPF, DKIM, DMARC) to prevent spammers from forging your domain.
  • Monitoring: Monitor your email reputation to detect and address any backscatter issues.
  • Filtering: Use email filtering tools to identify and block backscatter messages.
  • Awareness: Educate users about the risks of backscatter and how to identify suspicious emails.

Marketer view

Email marketer from spamhaus.org explains that backscatter is the result of spam emails using forged 'From' addresses. When these emails bounce, the bounce messages are sent to the forged address, causing innocent users to receive unwanted bounce emails.

February 2023 - spamhaus.org
Marketer view

Email marketer from web.archive.org (originally Cloudmark) explains that backscatter occurs when spammers forge the sender address on their messages. When these messages bounce due to invalid recipients, the bounce messages are sent to the forged sender address. This creates a problem for the innocent party whose address was spoofed, as they receive a large volume of unwanted bounce messages.

December 2022 - web.archive.org
Marketer view

Email marketer from talosintelligence.com explains that backscatter spam is the automatic response from mail servers to forged or non-existent sender addresses used in spam emails. When a spammer sends a message with a fake 'From' address and the email bounces, the bounce message (backscatter) is sent to the unsuspecting victim whose address was forged.

June 2021 - talosintelligence.com
Marketer view

Email marketer from Reddit explains that backscatter is a negative consequence of email spam where innocent users receive bounce messages due to spammers forging sender addresses. This can lead to inbox clutter and potential security risks if the bounce messages contain malicious content or links.

October 2023 - Reddit
Marketer view

Email marketer from StackExchange explains that backscatter happens when a spammer sends an email with a forged sender address. If the recipient server rejects the email or if the email bounces, a non-delivery report (NDR) is sent to the forged sender address, which is an innocent victim. This results in the victim receiving bounce messages for emails they never sent.

April 2021 - StackExchange
Marketer view

Email marketer from mailchannels.com explains that backscatter is a result of spammers using forged sender addresses. This results in bounce messages being sent to the forged address when the email can't be delivered. This not only floods inboxes, but can also damage a sender's reputation if they are incorrectly identified as the original spammer.

November 2023 - mailchannels.com
Marketer view

Marketer from Email Geeks explains backscatter is, in simple terms, bounces for email you didn't send (e.g., spoofed email).

March 2023 - Email Geeks

What the experts say
2 expert opinions

Backscatter happens when spammers send emails with forged sender addresses. Most undeliverable emails get rejected immediately with a 5xx error. However, if a mail server accepts an email and only later can't deliver it, it sends an asynchronous bounce (NDR) to the forged return path, which is the backscatter. This indicates a server misconfiguration and wastes resources.
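
The difference between the two paths, modelled as an added example that is not taken from the experts quoted here: the same forged message is offered to a server that checks the mailbox during the SMTP session and to one that accepts first and bounces later. The Mta class, mailbox list, addresses and reply texts are constructed for illustration.

```python
from dataclasses import dataclass, field

LOCAL_USERS = {"bob@corp.example"}            # constructed mailbox list

@dataclass
class Mta:
    verify_rcpt_in_session: bool              # True = check the mailbox at RCPT TO
    queue: list = field(default_factory=list)

    def rcpt_to(self, mail_from, rcpt):
        """Reply the sending client sees for one RCPT TO command."""
        if self.verify_rcpt_in_session and rcpt not in LOCAL_USERS:
            # The error goes back over the sender's own connection; no new mail.
            return "550 5.1.1 User unknown"
        self.queue.append((mail_from, rcpt))  # this MTA now owns the message
        return "250 2.1.5 Ok"

    def run_queue(self):
        """Attempt final delivery; return the bounces (DSNs) this MTA emits."""
        dsns = []
        for mail_from, rcpt in self.queue:
            if rcpt in LOCAL_USERS:
                continue                      # delivered normally
            if mail_from == "":
                continue                      # null return path <>: never bounce a bounce
            # A bounce is a new message: MAIL FROM:<>, RCPT TO the return path.
            dsns.append({"mail_from": "", "rcpt_to": mail_from, "failed": rcpt})
        self.queue.clear()
        return dsns

def simulate(verify):
    mta = Mta(verify_rcpt_in_session=verify)
    # Spam with a forged return path, addressed to a mailbox that does not exist.
    reply = mta.rcpt_to("victim@innocent.example", "nobody@corp.example")
    return reply, mta.run_queue()
```

With verification in the session the forged address never receives anything; with accept-then-bounce the only message the server generates is addressed to the forged return path.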

Key opinions

  • Forged Addresses: Spammers use forged sender addresses.
  • Asynchronous Bounces: Backscatter is created when mail servers send asynchronous bounces (NDRs) to forged return paths after initially accepting an email.
  • Server Misconfiguration: Backscatter indicates a potential server misconfiguration.
  • Resource Waste: Backscatter wastes server resources.

Key considerations

  • Server Configuration: Ensure proper server configuration to minimize accepting emails that will later bounce.
  • Sender Authentication: Implement robust sender authentication (SPF, DKIM, DMARC) to reduce the effectiveness of forged addresses.
  • Bounce Handling: Improve bounce handling mechanisms to identify and prevent backscatter.

Expert view

Expert from Word to the Wise explains that backscatter occurs when spam is sent with forged sender addresses and the non-delivery reports (NDRs) are sent to the forged address, which is not the originator of the spam. This is detrimental for several reasons, including that it indicates a server misconfiguration and wastes resources.

April 2023 - Word to the Wise
Expert view

Expert from Email Geeks explains that the vast majority of mail sent to undeliverable addresses is rejected with a 5xx response at delivery time. However, if an intermediate mail server accepts an email and only later discovers it can’t deliver it, it has to send an asynchronous bounce to the return path. If you fake the return path, the asynchronous bounce sent to a forged email address is backscatter.

July 2024 - Email Geeks

What the documentation says
4 technical articles

Backscatter is defined as Non-Delivery Reports (NDRs) or bounce messages sent to forged or spoofed sender addresses by mail servers. Spammers forge these addresses, and when emails are undeliverable, receiving servers generate NDRs to the forged address. This results in innocent recipients receiving unwanted bounce messages, potentially creating a 'storm' of backscatter. DMARC can help mitigate this by allowing domain owners to specify how to handle emails that fail authentication, thus reducing forged emails and subsequent bounces.

Key findings

  • Forged Sender Addresses: Spammers use forged or spoofed sender addresses.
  • NDRs to Forged Addresses: Mail servers generate Non-Delivery Reports (NDRs) to the forged sender addresses when emails are undeliverable.
  • Innocent Recipients: Innocent recipients receive unwanted bounce messages.
  • Backscatter Storms: A large number of NDRs can create a 'storm' of backscatter.
  • Collateral Spam: Backscatter is also known as collateral spam.

Key considerations

  • DMARC Implementation: Implement DMARC to specify how to handle emails failing authentication.
  • Email Authentication: Employ strong email authentication to reduce acceptance of forged emails.
  • Bounce Handling: Improve bounce handling to mitigate backscatter storms.

Technical article

Documentation from ietf.org defines backscatter as Non-Delivery Reports (NDRs) or other "bounces" sent to a forged or spoofed address by a mail server. This occurs when a spammer spoofs the sender address, and the receiving server generates a bounce message due to a delivery failure.

November 2021 - ietf.org
Technical article

Documentation from learn.microsoft.com explains that backscatter storms are the result of spammers using forged sender addresses. When these emails are undeliverable, the receiving mail servers generate non-delivery reports (NDRs) to the forged sender. A large number of these NDRs can flood the recipient's inbox, creating a 'storm' of backscatter.

June 2024 - learn.microsoft.com
Technical article

Documentation from DMARC.org explains that backscatter occurs when a spammer forges the sender address and the email bounces because the recipient address is invalid. DMARC helps mitigate backscatter by allowing domain owners to specify how email should be handled if it fails authentication checks, reducing the likelihood of forged emails being accepted and subsequently bouncing.

March 2022 - dmarc.org
Technical article

Documentation from proofpoint.com explains that backscatter, also known as collateral spam, occurs when a spammer sends email using a forged or non-existent return address. If the email cannot be delivered, the receiving mail server sends a bounce message to the forged address. The recipient of the bounce message is an innocent bystander who never sent the original email.

April 2024 - proofpoint.com