Backscatter

"Backscatter" is basically "bounce emails you receive for messages you never sent". These are usually bounced spam messages from spammers using your email address as a forged From address.

When email is delivered to a system, if there is a problem delivering the email (e.g. the account does not exist, the user is over quota, etc.) then most systems will generate a "bounce" email back to the sender to let them know there was a problem. The way to determine the original sender of the email, and thus where to send the bounce, is to use the From address on the original email.

Unfortunately, there is no way for systems to verify that a From address is correct (there are attempts like SPF and DomainKeys, although these have flaws). When spammers send email, they almost always forge the From address the email is sent from. This is why blocking specific sender addresses is ineffective: spammers usually forge every email to come from a different address.

If there is a problem delivering the email the spammer has sent, then a bounce will be sent back to the From address on the email, which is whatever the spammer has made up. The problem occurs when spammers use your email address as the From address on messages. In these cases, you may get many bounce emails appearing in your inbox for emails you never sent! This is called "backscatter", and is unfortunately a consequence of how the internet email system was originally set up.

However, there are some things that can be done to try and reduce backscatter. When most systems bounce an email, they include all or part of the original email in the bounce. What we can do is check the original email as attached in the bounce, and see that it appears to have been sent through our server. If not, then we know it was an email sent by a spammer with a forged From address. When this happens, we mark the email as "backscatter", and by default file it into your Spam folder. This action can be changed on the Advanced → Spam/Virus Protection screen.

Unfortunately the backscatter filter isn't perfect. To work, the "bounce" email has to have part of the original message in it so that we can check if you were actually the original sender. Quite a few systems don't include the original message in the "bounce" (the most common being challenge/response systems that are supposed to stop spam, and just end up adding to the problem for others). In these cases, we can't determine the true original sender of the email, and thus we can't mark the emails as backscatter.

Our testing suggests the backscatter filter is still very effective, catching around 90% to 95% of all unsolicited bounce emails. Unfortunately, if for some reason a spammer is forging your address on their emails, then they may do so for millions of spam emails. Most systems will absorb, SMTP block, or discard the spam emails, but if even only 1000 of those end up bouncing (generating backscatter) and 5–10% get through, then that's still around 50 to 100 emails that arrive in your inbox. A lot better than 1000, but still annoying Unfortunately, there's not much we can do to improve that until more systems correctly attach the original email to the bounce message.

As part of the backscatter analysis process, we attach a header to the email when we think it might be backscatter. The header is called X-Backscatter and can be one of the values: