
Posted: 6/16/2008 14:53

Backscatter Spam Attacks Directed At Campus

University IT Services has been receiving many reports of users finding large amounts of unexplained nondelivery messages in their inboxes.  These nondelivery (or "bounce") messages appear to indicate that the user has been sending spam to external servers, and that the messages have been rejected by the remote servers.

These messages have been the source of confusion and concern for those individuals who have received a flood of messages. In most cases, the users who are receiving these nondelivery messages did not send the original spam messages which external mail servers are rejecting. Because of the nature of email systems, there are no restrictions on what address is designated as the "From:" address in external email.  This means that if a spammer chooses to forge a University of Arkansas address as the "From" address, there is nothing preventing the spammer from doing so.  Many external mail servers and spam filters may be configured to generate a nondelivery report when the recipient is over quota, when the email account is no longer valid, or when the message is otherwise rejected as junk mail.  As a result, these messages, sometimes known as backscatter spam, will flood back into the University of Arkansas and our users' inboxes.

The good news is that the flood of messages will generally slow down after about a day as the spammer switches the "From" address.  UITS staff has been tuning its spam filters to reduce the amount of this form of backscatter spam, but we cannot eliminate it entirely.  This is because in certain cases our users would want to receive legitimate nondelivery reports.  Unfortunately, there is no way to distinguish whether a nondelivery report is due to a spammer forging a user's email address, or is the result of an email one of our users actually sent.

The best way to handle the flood of bounced messages is to create a set of email client filters using the seven most common subject lines and redirect matching messages to a separate folder.  This will help you keep a cleaner Inbox, but allow you a chance to see if an actual email was not delivered due to a typographic error in the address, or the recipient being over quota.  The following is a list of subject lines which can be used to filter a large number of this type of junk email.  Please refer to the documentation for your email client of choice for directions on filtering messages automatically.

  • Returned mail
  • Delivery Status Notification
  • Undelivered Mail Returned to Sender
  • failure notice
  • blocked by our bulk email filter
  • Undeliverable
  • Delivery Notification
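
The filtering rule described above, written out as an added example (it is not UITS code and not tied to any particular email client). It assumes a case-insensitive "subject contains" match, and the folder names "Bounces" and "Inbox", the function names and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.header import decode_header, make_header

# The seven subject lines from the list above, lowercased for matching
# (the last entry is matched as "delivery notification").
BOUNCE_SUBJECTS = (
    "returned mail",
    "delivery status notification",
    "undelivered mail returned to sender",
    "failure notice",
    "blocked by our bulk email filter",
    "undeliverable",
    "delivery notification",
)


def target_folder(raw_message, bounce_folder="Bounces"):
    """Return the folder a raw message should be filed in (names are assumptions)."""
    msg = message_from_string(raw_message)
    # Decode RFC 2047 encoded-words so "=?utf-8?q?...?=" subjects still match.
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    # Collapse folded-header whitespace, then compare case-insensitively.
    subject = " ".join(subject.split()).lower()
    if any(phrase in subject for phrase in BOUNCE_SUBJECTS):
        return bounce_folder  # filed for later review, never deleted
    return "Inbox"


# Constructed sample messages (not real mail).
SAMPLES = [
    "From: MAILER-DAEMON@mail.example.net\n"
    "Subject: Undelivered Mail Returned to Sender\n\nbody",
    "From: postmaster@example.org\n"
    "Subject: =?utf-8?q?Delivery_Status_Notification_=28Failure=29?=\n\nbody",
    "From: colleague@example.edu\n"
    "Subject: Meeting agenda for Thursday\n\nbody",
]


def sort_samples():
    """File each constructed sample and return the chosen folders in order."""
    return [target_folder(raw) for raw in SAMPLES]


if __name__ == "__main__":
    for raw, folder in zip(SAMPLES, sort_samples()):
        print(folder, "<-", raw.splitlines()[1])
```

Because the match is on the subject alone, a legitimate nondelivery report lands in the same folder as the backscatter, which is why matching mail is moved rather than discarded.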