Fighting backscatter using procmail

You have certainly been hit by a growing and annoying form of spam-related email: backscatter. Here is the definition from spamresource.com:

“Backscatter is a certain kind of mail you receive that you didn’t ask to receive. If you’ve ever received a “Your mail could not be delivered” bounce notification, a “Your mail contained a virus” notice, or a request to confirm your signup request for a mailing list you’ve never heard of, you’ve probably received backscatter. The backscatter problem is inherently linked to the spam problem, as most backscatter received is due to somebody else on the internet doing something bad and spam-related.”

Now, how do you stop this mess? Being a victim as well, I played with the idea of separating true bounces from false ones.

How do you get true bounces:

  • by mistyping an email address and getting the bounce back
  • the mailbox of your recipient is full
  • the recipient's mail servers are down for a long time
  • etc

You definitely want true bounces to reach your inbox! They tell you that something went wrong with an email you sent.

Getting false (undesired, aka backscatter) bounces involves someone misusing your email address as the sender of their spam. You don’t want this mess in your inbox at all!

Idea: mark all your outgoing email with a special header, and look for it in bounced emails. If it is found, the bounce is legitimate. If not, it might be backscatter.

The two email clients I’m using (Apple iMail and Mozilla Thunderbird) allow the user to add their own special headers. See here for Thunderbird and my previous post for Apple iMail.

Then, create a new procmail rule:

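# detect bounces without my flag
# HB: search headers and body, because a bounce quotes the original headers in its body
# the parentheses keep all three alternatives tied to the Subject: line
:0 HB
* ^Subject:.*(failure notice|Delivery Status Notification|Undelivered Mail Returned to Sender)
* !^X-Your-Special-Header:.*With its content
backscatter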

and watch your procmail log. You should see the separation happening: backscatter is sent to a dedicated IMAP folder if the subject is a bounce and your special header isn’t found.
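To check the rule against saved messages before trusting it with live mail, the same logic can be run offline. This is an added example, not part of the original post: the addresses and sample messages are constructed, the header name and value are the placeholders used in the recipe, and the subject is tested on the message header only.

```python
import re
from email import message_from_string

# Assumed marker: use the header name and value you add to your outgoing mail.
MARK = re.compile(r"^X-Your-Special-Header:.*With its content", re.I | re.M)
# Same three subject phrases as the recipe; procmail matches case-insensitively.
BOUNCE_SUBJECT = re.compile(
    r"failure notice|Delivery Status Notification"
    r"|Undelivered Mail Returned to Sender", re.I)

def classify(raw):
    """Return 'not-a-bounce', 'legitimate-bounce' or 'backscatter'."""
    subject = message_from_string(raw).get("Subject", "")
    if not BOUNCE_SUBJECT.search(subject):
        return "not-a-bounce"
    # Like the HB flag: look for the marker in headers and body as raw text.
    return "legitimate-bounce" if MARK.search(raw) else "backscatter"

def bounce(subject, returned_headers):
    """Build a constructed bounce that quotes the returned message's headers."""
    return ("From: MAILER-DAEMON@mx.example.net\n"
            "To: me@example.org\n"
            f"Subject: {subject}\n"
            "\n"
            "The following message could not be delivered:\n"
            "\n"
            f"{returned_headers}\n")

# Constructed samples, not real traffic.
SAMPLES = {
    "mine": bounce("Undelivered Mail Returned to Sender",
                   "From: me@example.org\nTo: typo@example.com\n"
                   "X-Your-Special-Header: With its content\nSubject: lunch?"),
    "forged": bounce("failure notice",
                     "From: me@example.org\nTo: victim@example.com\n"
                     "Subject: cheap pills"),
    "chat": "From: friend@example.com\nTo: me@example.org\nSubject: hello\n\n"
            "I got a Delivery Status Notification yesterday, odd.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(raw))
```

A bounce that quotes the original headers indented or prefixed with "> " will not match the marker, here or in procmail, and ends up classified as backscatter.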

To-do:

  • run for a few weeks and check the logs
  • enhance the bounce detection. Using the subject content might not be the best solution. Check the FROM_DAEMON feature of procmail, which might be better.
  • add some statistics to improve the effectiveness

I will welcome your ideas and feedback.
