Forensic Value of Backscatter from Email Spam

Abstract

Email backscatter is a side effect of email spam, viruses or worms. When a spam or malware-laden email is sent, it nearly always has a forged sender address. If this email fails to reach its recipient, e.g., because the recipientpsilas mailbox is full or the recipient has set up an out-of-the-office auto-responder, the recipientpsilas mail system may attempt to generate and send an automated message replying to the forged sender. This unsolicited message sent to the forged sender is an email backscatter. On massive email spam runs where the same address (or domain) is forged as the sender, there can be significant amounts of backscatter email to the forged address. We consider potential forensic value in the analysis of email backscatter, for example, the times when certain compromised machines were used to send spams. We present results of an analysis performed with our Backscatter Email Analysis Tool (BEAT) of a massive backscatter incident that occurred in mid April, 2008.