'Backscatter spam' gums up many e-mail inboxes

SAN FRANCISCO -- E-mail users worldwide are being buried in a blizzard of bounced messages caused by spammers.

Dubbed "backscatter spam," this latest fad is clogging e-mail accounts and slowing victims' inboxes to a crawl. Up to 3% of all e-mail today is backscatter, says Dmitry Samosseiko, manager of SophosLabs Canada. "It is a major problem, and it is getting worse," he says.

How it works: Spammers collect real e-mail addresses, often through computer viruses that steal addresses from corporate databases. Then they fake — or "spoof" — those addresses to send spam that appears to come from an individual.

The trouble comes when spam sent from your spoofed address is aimed at e-mail addresses that don't actually exist. (Spammers often blast messages to bulk e-mail lists that include e-mail addresses that are old or non-existent.) The bounced-back e-mail is returned to the e-mail address of the victimized user.

"Spoofing bites the innocent," Proofpoint CEO Gary Steele says.

The unintended effect of backscatter is the equivalent of an inbox spam attack, says Jose Nazario, senior security researcher at Arbor Networks.

Matt Villano knows from personal travails.

For several days, strange e-mail stamped "undeliverable" poured into the inbox of Northern California freelance writer. Thousands of messages seemed to indicate that junk mail from Villano — hawking everything from designer watches to erectile-dysfunction pills — had been sent back to him after missing their targets.

"It was irritating but also debilitating in the sense that it made me wonder if legitimate clients would blacklist me because someone was using my e-mail to spam," Villano says. He fears that as a freelancer, who frequently mentions his e-mail address on websites, he is likely to be spoofed again.

Backscatter most often afflicts users who have had the same e-mail address for a long time, and therefore are more likely to have it floating in cyberspace, Samosseiko says.

Any "solid" anti-spam software program should filter backscatter spam, says Adam O'Donnell, director of emerging technologies at Cloudmark, a messaging-security company. But many consumers do not use spam filters, or they use filters that are ineffective, he adds.

Computer-security administrators also are adopting a free technology standard called BATV (Bounce Address Tag Validation) to mark outgoing e-mail with a special tag to eliminate bounce-back spam e-mail messages, says Sven Krasser, director of data mining research at Secure Computing.