Backscatter Spam is an Undeliverable Pain
A few years ago, I was checking my Yahoo! email account and saw that I had received dozens of strange emails. All of them were listed as “undeliverable,” as if I’d sent the emails out, but then they’d gone to a nonexistent email address and bounced back to me. The problem was, I didn’t recall sending that many emails out, especially to questionable email addresses. I opened a few of the emails to see what the message was that I had allegedly sent, and each one of the emails was a spam ad for vitamins and supplements.
You can imagine my confusion: I hadn’t sent any spam emails selling vitamins and supplements, but I was receiving the undeliverable spam messages back to my account. Sure enough, in each message, the “return” address was listed as mine! Now I was concerned. I followed the link in the emails and contacted the company about my email address being used as the return address on their spam messages (no one responded to me). I also contacted Yahoo! and let them know that I was receiving these “undeliverable” messages, but that I hadn’t sent them in the first place. In short, I was inconvenienced, annoyed, and slightly violated because of spammers using my perfectly legitimate email account as their own return contact.
As it turns out, I wasn’t alone in my “undeliverable” spam troubles, and this problem is growing worse. There’s even a name for it: Backscatter spam.
According to USA Today, backscatter spam now makes up 3 percent of all email sent, and it clogs up the email accounts of hapless users. Backscatter spam consists of NDR (undeliverable) messages, but it also includes floods of “out of office” autoreply messages, waves of “confirm your subscription to our service” emails, and misdirected virus alerts. Spammers create this problem by collecting legitimate email addresses (like mine), often by employing viruses that attack corporate databases and steal the data. Email addresses that have been in use for a long time (again, like mine) tend to be good targets because they’ve been “floating” around in cyberspace for a while. The real email addresses are then “spoofed” so that any emails the spammers send look like they’re coming from the real email accounts, not from the spammers themselves. The holder of the legitimate account is unaware of all of this until the “undeliverable” spam emails – those sent to inactive addresses that can’t receive email – start bouncing back. They go to the return address that the spammers provided, which of course is the one that belongs to the victim. The bounced messages can pack the victim’s inbox full and create a very large headache.
Why would spammers do this? Aside from the obvious desire to avoid bounce-back emails themselves, spammers know that most emails sent without a valid “From:” address (or those sent from addresses and/or domains that are known as spam originators and are blocked accordingly) don’t reach their destinations. A forged return address gives an air of legitimacy to the mailing. The spammers aren’t using your server for their mass mailing; they’re just using your email address in the “From:” field.
How many messages are we really talking about here? Spam email lists are notoriously inaccurate, as a high percentage of the emails on the lists are no longer active or deliverable. Of the undeliverable emails sent, most will simply disappear, but 7-10% of the emails will be accepted by the server on the other end, then sent back as undeliverable later. These are the bounce-backs that end up causing the problem. As Al Iverson wrote on his Spam Resource blog, the math is simple: if a spammer sends 2 million messages in a single mailing, and 40% of the email addresses he uses are invalid, and 9% of those invalid addresses send the message back as undeliverable, that means that 72,000 bounce notifications will go to the return address listed on the spam emails. And that address might be yours or mine.
So what can you do? For one thing, don’t contribute to backscatter yourself. Don’t use a “challenge/response” anti-spam program, since your automated challenge/response messages are a form of backscatter, and they make life more difficult for other legitimate users. Also, don’t use an “out of office” auto-response message if you can help it. Again, this is a form of backscatter, and worse, it lets spammers know that your address is active. Finally, don’t use a fake bounce-back anti-spam system (a system that sends fake bounce-backs in response to spam in the hope that spammers will take your address off their lists when the spam is undeliverable) – your bounce-back doesn’t go to the spammer, as we’ve already made clear. It goes to a victim whose email address was spoofed as the spammer’s return address, and your bounced message just becomes another of the backscatter messages that the victim receives. Since the spammers never receive the bounced message, they don’t update their own mailing lists based on the bounces, so fake bounce-back systems are pretty useless.
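If you cannot avoid an auto-responder altogether, the next best thing is to make sure it never answers mail that is itself automatic: bounces, list traffic and other auto-generated messages. The following is an added example, not code from the article; it applies the widely used convention (RFC 3834 and common mail-server practice) for recognising such messages before an “out of office” reply is sent. The addresses, the out-of-office text and the sample messages are constructed for the example.

```python
"""Suppress automatic replies to messages that are themselves automatic.

Added example (not from the article). Sending an "out of office" reply to a
bounce or a mailing-list post is exactly the backscatter the article warns
against, so the responder checks the headers that automated mail carries.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Optional

# Hypothetical local users with an out-of-office reply configured (constructed).
OUT_OF_OFFICE = {"alice@example.com": "I am away until Monday."}


def is_automatic(msg: Message) -> bool:
    """Return True when the message must never receive an automatic reply."""
    # A null reverse path (<>) marks a bounce / delivery status notification.
    if (msg.get("Return-Path") or "").strip() == "<>":
        return True
    # RFC 3834: any Auto-Submitted value other than "no" means auto-generated.
    auto_submitted = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto_submitted != "no":
        return True
    # Mailing-list and bulk traffic must not be answered either.
    if (msg.get("Precedence") or "").strip().lower() in ("bulk", "list", "junk"):
        return True
    if msg.get("List-Id") or msg.get("List-Unsubscribe"):
        return True
    # Delivery reports use this MIME type; the sender name is a further hint.
    if msg.get_content_type() == "multipart/report":
        return True
    sender = (msg.get("From") or "").lower()
    if "mailer-daemon" in sender or "postmaster@" in sender:
        return True
    return False


def auto_reply_for(raw: str) -> Optional[str]:
    """Return the out-of-office text to send, or None if replying would create backscatter."""
    msg = message_from_string(raw)
    if is_automatic(msg):
        return None
    recipient = parseaddr(msg.get("To") or "")[1].lower()
    return OUT_OF_OFFICE.get(recipient)


# Constructed sample messages.
BOUNCE = """Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: alice@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

This is the mail system at host mx.example.net.
--b1--
"""

AUTOREPLY = """Return-Path: <carol@example.org>
From: Carol <carol@example.org>
To: Alice <alice@example.com>
Auto-Submitted: auto-replied
Subject: Out of office

I am travelling this week.
"""

HUMAN = """Return-Path: <bob@example.org>
From: Bob <bob@example.org>
To: Alice <alice@example.com>
Subject: Lunch?

Are you free on Friday?
"""

if __name__ == "__main__":
    for name, raw in (("bounce", BOUNCE), ("autoreply", AUTOREPLY), ("human", HUMAN)):
        print(f"{name}: reply={auto_reply_for(raw)!r}")
```

Only the human message gets an answer; the bounce and the other auto-reply are silently dropped, which is what keeps the responder from becoming one more source of backscatter.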
As for stopping backscatter from hitting your own inbox, it’s generally hard to prevent it if a spammer has used your email address in the “From:” field. A spam filter sometimes helps to stem the tide a bit, so make sure you have one. Also, if you have a domain with a catch-all mailbox (an email inbox that catches any emails sent to your domain that aren’t sent to a specific user’s mailbox), you can deactivate the catch-all, since most backscatter spam heading for your domain will end up there as the spammers try different variations of emails for the return address. Check with your ISP or hosting provider on how to eliminate the catch-all address while still receiving emails directed at specific mailboxes or at certain required accounts, such as “postmaster.”
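For someone who runs their own domain, there is one more option than a spam filter and a disabled catch-all. Bounce messages are routed to the envelope sender (the Return-Path) of the original message, so if every message the domain sends out carries a signed, expiring tag in that address, a bounce that arrives for a plain, untagged address can only be the result of a forged mailing. The block below is an added example, not code from the article or from any mail server; it uses a simplified scheme modelled on Bounce Address Tag Validation (BATV), with an HMAC over the real address plus an expiry day rather than BATV’s exact tag format. The secret key, the lifetime and the addresses are constructed for the example.

```python
"""Tag outgoing envelope senders and verify the tag on incoming bounces.

Added example (not from the article). A bounce to an address without a valid,
unexpired tag is classified as backscatter, because the site never sent mail
with that envelope sender. Modelled on BATV but not its wire format.
"""
import hashlib
import hmac
import re

SECRET_KEY = b"example-secret-rotate-me"  # constructed; use a real per-site secret
TAG_LIFETIME_DAYS = 7                      # bounces older than this are rejected


def _mac(local: str, domain: str, expiry_day: int) -> str:
    """Short HMAC binding the address to its expiry day."""
    data = f"{local}@{domain}:{expiry_day}".encode()
    return hmac.new(SECRET_KEY, data, hashlib.sha256).hexdigest()[:12]


def tag_sender(address: str, today: int) -> str:
    """Build the tagged envelope sender for an outgoing message.

    `today` is a day number (for example, days since the Unix epoch)."""
    local, domain = address.rsplit("@", 1)
    expiry = today + TAG_LIFETIME_DAYS
    return f"prvs={expiry}={_mac(local, domain, expiry)}={local}@{domain}"


# prvs=<expiry day>=<12 hex mac>=<local>@<domain>
_TAG_RE = re.compile(r"^prvs=(\d+)=([0-9a-f]{12})=(.+)@([^@]+)$")


def classify_bounce(recipient: str, today: int) -> str:
    """Classify the recipient of an incoming bounce (a message with null sender <>).

    Returns 'accept' for a valid, unexpired tag, 'expired' for a stale tag and
    'backscatter' for a missing or forged tag."""
    m = _TAG_RE.match(recipient)
    if not m:
        return "backscatter"  # untagged: we never sent with this envelope sender
    expiry_str, mac, local, domain = m.groups()
    expiry = int(expiry_str)
    if not hmac.compare_digest(mac, _mac(local, domain, expiry)):
        return "backscatter"  # tag forged or made with a different key
    if expiry < today:
        return "expired"
    return "accept"


if __name__ == "__main__":
    today = 20000  # constructed day number
    tagged = tag_sender("alice@example.com", today)
    print("outgoing envelope sender:", tagged)
    print("bounce to tagged address:", classify_bounce(tagged, today + 1))
    print("bounce to plain address: ", classify_bounce("alice@example.com", today))
```

The tag only has to be applied to the envelope sender, so the visible “From:” header stays unchanged and correspondents see nothing different. Bounces for untagged or forged addresses can then be rejected at the mail server before they ever reach the inbox, which is a much sharper tool than a content-based spam filter for this particular problem.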
Backscatter is annoying, but if you get spoofed and end up with an inbox full of undeliverable email, you can rest assured that your reputation is probably safe. Few people in today’s world of spam email believe that the “From:” address in a spam message is the actual source of the message. If you do get backlash from an angry Internet user, show them this article; after all, they might be the next person spoofed by spammers.
Sources for this article: USA Today, Al Iverson’s Spam Resource blog, SpamNation
Photo attributed to freezelight, posted to Flickr, licensed under Creative Commons Attribution-Share Alike 3.0
