Backscatter

If you suddenly start receiving a large number of bounce emails for messages you don't remember sending, you may be experiencing backscatter.

Backscatter is a term for bounce emails you receive for messages you never sent. Usually, this happens if a spammer has forged your email address on spam they send. If these spam messages are undeliverable, this will cause them to be bounced to your address, instead of to the spammer who actually sent the message.

How do I know if I am experiencing backscatter?

If you are receiving an unusual number of bounce emails for no reason, it may be backscatter.

It is also a good idea to check to make sure your account has not been accessed by someone you don't know, as it is also possible to receive bounce messages if there are emails being sent from your account directly.

To check to make sure your account is secure, log in to Settings → Privacy & Security, then find the Logged in sessions section and click Review. Here, you can view your currently logged in sessions. If there is a currently logged in session that you don't recognize, click Log out next to the session. To check to see if someone has recently accessed your account, click View all logins in the last 4 weeks. If there are recent failed login attempts that you don't recognize, there is no need to worry. If there are recent successful login attempts, change your password immediately to secure your account.

If you don't see any unusual logins, and you are still seeing a large number of bounce messages for emails you didn't send, you are experiencing backscatter.

Why does backscatter happen?

When an email is delivered to an email service, such as Fastmail, Gmail, and Yahoo, and there is a problem delivering the email to the user, most systems will send a bounce email back to the sender to let them know there was a problem. Most systems use the From: address on the email to see where to send the bounce email.

Unfortunately, there is no certain way for systems to check that a From: address on an email is correct. When spammers send email, they almost always forge the From: address the email is sent from. This is why blocking specific sender addresses often doesn't work: spammers usually forge every email so it looks like it is coming from a different address.

If there's a problem delivering the email the spammer has sent, then a bounce will be sent back to the From: address on the email, which is whatever the spammer has made up. The problem occurs when spammers use your email address as the From: address on messages. If this happens, you may get many bounce emails appearing in your inbox for emails you never sent. This is backscatter, and is unfortunately a consequence of how the internet email system was originally set up.

What can I do to stop receiving backscatter?

There are some things that can be done to try and reduce backscatter. When most systems bounce an email, they include all or part of the original email in the bounce. What we can do is check the original email that is attached in the bounce, and see if it appears to have been sent through our server. If not, then we know it was an email sent by a spammer with a forged From: address. When this happens, we mark the email as "backscatter", and file it into your Spam folder by default. This action can be changed on the Settings → Spam Protection screen.

Unfortunately the backscatter filter isn't perfect. To work, the bounce email has to have part of the original message in it so that we can check if you were actually the original sender. Quite a few systems don't include the original message in the bounce. In these cases, we can't determine the true original sender of the email, and so we can't mark the emails as backscatter.

Our testing suggests the backscatter filter is still very effective, catching around 90% to 95% of all unsolicited bounce emails. Unfortunately, if for some reason a spammer is forging your address on their emails, then they may do so for millions of spam emails. Most systems will refuse to process these spam emails at all, but if even only 1000 of those end up bouncing (generating backscatter) and 5–10% get through, then that's still around 50 to 100 emails that arrive in your inbox. This is a lot better than 1000, but is still frustrating. Unfortunately, there's not much we can do to improve that until more systems correctly attach the original email to the bounce message.

Technical information

As part of the backscatter analysis process, we attach a header to the email when we think it might be backscatter. The header is called X-Backscatter: and can be one of these values:

  • Yes — This email is detected as backscatter.
  • NotFound1 — We thought this email might be backscatter (eg the From: address is a postmaster type address), but we couldn't find the original message attached in any way.
  • NotFound2, NotFound3, NotFound4 — We thought we had found the attached original message, but something about it was corrupted and it's not a valid message.
Was this article helpful?
28 out of 32 found this helpful