Knowledge Base

Backscatter and spam

This article discusses backscatter, some possible ways to help reduce it, and why there is no easy way to resolve the problem.

What is backscatter?

Backscatter is a side effect of spammers sending forged bulk messages (spam) that appear to originate from valid e-mail addresses. Spammers do this to increase the likelihood of their messages getting through filters and reaching recipients. If spammers use e-mail addresses from your domain in their forged messages, you may receive backscatter.

The following steps outline how backscatter is generated:

  1. The spammer generates a message that contains a forged sender (FROM) e-mail address. The sender e-mail address is real and valid (for our example, we will use the fictional e-mail address [email protected]).
  2. The spammer sends the forged message to a recipient e-mail address that is not on the domain.
  3. The recipient's mail server rejects the message as spam, and sends a bounce notification to the supposed sender (in this case, [email protected]).
  4. Kelly's inbox at [email protected] now has a bounce notification message (“backscatter”) in it.

This example scenario describes the process for one message, but spammers will usually send many, many messages. This generates a large number of bounce notification messages, all of which in this case go to [email protected].

Reducing backscatter

Because of how the SMTP protocol works, there is unfortunately no one single “fix” that can be done to eliminate all backscatter all of the time.

However, there are a few things you can do to help reduce the likelihood of receiving backscatter:

  • Minimize e-mail address collection: Try to avoid posting valid e-mail addresses on your website. There are many bots that crawl web pages searching for e-mail addresses. If your site content does not contain any of your e-mail addresses, it is less likely that spammers can use them as forged sender identities.
    Instead of posting e-mail addresses on your site, you can use a contact form. Alternatively, you can obfuscate an e-mail address to make it harder for bots to find it. In our example above, the [email protected] address could be published on a website as kelly [at] example [dotcom]. There are also JavaScript libraries available that can help mask e-mail addresses.
  • Enable Sender Policy Framework (SPF): Enabling SPF on your domain may help reduce backscatter, though unfortunately many e-mail servers do not actually honor SPF settings. For information about how to configure SPF for your account, please see this article.