ips.backscatter.org, working in cooperation with uceprotect.net is different than most DNS based blacklists. ips.backscatter.org does not maintain a list of IP addresses that have been seen spamming, sending email to honeypots, spamtraps, or any of the other general tactics uses by other DNS blacklists to determine if an email is spam. Instead, they concentrate exclusively on what is called backscatter and sender callouts.
Backscatter is a simple concept to understand, and important to understand, as in the case of ips.backscatter.org, it will not be the spammers server that is blocked, but yours. Given a hypothetical scenario, if a spammer were to send 2 million emails to different recipients, some would deliver, and others would not. Not all spam lists have 100% deliverability, employees come and go, email addresses are retired etc. Of the emails that are unable to be delivered due to a “user not known” type of error, a non delivery response, or bounce, should be sent back to the sending server, or in this case, the spammer. However, misconfigured email servers, will instead send the bounce to the listed FROM: address within the headers of the email.
This means, that any email address used as the FROM: field, will receive the bulk of all bounced emails from the misconfigured server. In such cases, ips.backscatter.org will block your server because it is your server that is hurting innocent servers that played no role in this process.
Sender callouts are an entirely different tactic. Most email servers support a command called VRFY. VRFY allows a remote sender to probe the recipient server, and ask if a user is known. This probe happens extremely quickly, and uses very little data and resources to check. Most email administrators have disabled this feature, as spammers have been using it to clean their lists of addresses, as well as perform fast dictionary attacks.
However, there is one more command, slightly higher up in the chain, that can also answer if a user is known or not, which is the RCPT command. ips.backscatter.org considers you to be an abuser if you circumvent the disabling of VRFY, and go up the chain to RCPT to test for a valid user. If you enable sender callouts in your email server, you are trying to detect when a spammer is working his way up the chain of your server to verify a user, by making a connection back to the person making the original connection. The large problem with this technique is that the address you will be checking is almost always spoofed. If the address is spoofed, you will be probing, and in cases of high volume, essentially attacking, a completely innocent remote server. Spammers never use legitimate email addresses, they are always spoofed.
On the surface, to a new email server administrator, sender callouts seems like a good thing, and without spammers, sender callouts would be a valuable way to detect the legitimacy of a sender. Thought, as a result of the mere existence of spammers, using something like sender callouts is completely futile, and will only work toward implicating your server in some form of attack against an unknown third party. ips.backscatter.org will list your server if you are known to employ sender callout practices.
ips.backscatter.org gathers most of it’s information from it’s partnership with the uceprotect.net DNSBL project.
Listing in ips.backscatter.org comes down to two criteria. If your system is seen sending backscatter or sender callouts, you will be listed. This can be problematic for some email server administrators, as sender callouts are a common misconfiguration of some email servers. It also sounds like a good idea on the surface, to a new email administrator. As long as you read the documentation to your server, and do not allow backscatter or sender callouts, your system will not be listed.
The ips.backscatter.org is different than other DNS based blacklists. To use ips.backscatter.org, you are not looking for a normal DNS response of an IP address to a reverse IP address lookup. To use ips.backscatter.org, you will need to determine specifically how to have your mail server look at each individual email, parsing specifically the MAIL FROM: header, looking for a value of “<>” or “postmaster”. If you detect those values, you should block or score against that sender.
It would be a bad idea to permanently block the sender, as backscatter can happen from large and well known free mail providers. One viable option is to reject the email, but not reject the host.
Removal from ips.backscatter.org is extremely strict. Upon detection, your IP address will be listed for 4 weeks from the point of last seen abuse. If no further abuse is seen, your IP address will expire in exactly 4 weeks. If 4 weeks is too long for your organization to wait, there is a process called “expressdelisting”, which is explained when you lookup your IP within the ips.backscatter.org IP lookup tools. Not all IP addresses are eligible for expressdelisting.
The simplest thing to do is to avoid becoming listed, which means contacting your email server vendor, or reading the documentation to be certain your server is configured correctly.
- Easy Prey Podcast
- General Topics
- Home Computing
- IP Addresses
- Online Privacy
- Online Safety
We’ve seen Twittersphere explode with bite-sized information security (InfoSec) news over the past few years and we’ve…[Read More]
Managing credit cards is the key to good credit. It's more important than low rates and credit...[Read More]
Using a data breach check tool is the best way to find out if you have accounts...[Read More]
Many are resigned to stay silent about the pain of being scammed, but today’s guest helps empower…[Read More]