What is backscatterer.org?
Backscatterer.org operates a so-called "Realtime Blackhole List", abbreviated RBL. This is a blacklist for IP addresses of mail servers.
IP addresses of servers can appear on this blacklist if certain automatic messages have been sent through them. These messages can include, among others, the following:
- Non-delivery reports
- Bounce messages
- Out-of-office replies
- Delivery confirmations
Backscatter emails are those automatic email responses generated by a forged sender. If this is the case, such an email can then be delivered to innocent third parties (see diagram).
For more information, please see: https://en.wikipedia.org/wiki/Backscatter_(email)
Why are Hornetsecurity IP addresses listed on backscatterer.org?
The problem: The list does not always reliably distinguish between unwanted backscatter and legitimate automatic emails. As a result, IP addresses that send proper system messages can also be listed.
A detailed explanation requires differentiating between incoming and outgoing emails.
Incoming Emails
Hornetsecurity uses various methods to detect and block incoming backscatter.
Suspicious backscatter messages are, if possible, rejected during the SMTP connection. This means Hornetsecurity does not even accept the message.
As a result, Hornetsecurity does not generate an additional non-delivery report for these rejected messages. This prevents further backscatter from being created.
In addition, Hornetsecurity uses its own bounce management system. This checks whether an incoming non-delivery report corresponds to an actually sent message. This way, legitimate and forged bounce messages can be better distinguished from each other.
Outgoing Emails
Hornetsecurity also sends legitimate automatic messages on behalf of its customers.
An example would be an out-of-office reply:
- A regular email is sent to a Hornetsecurity customer.
- The user’s email system generates an automatic out-of-office reply.
- Hornetsecurity forwards this message to the original sender.
- At the recipient of this automatic out-of-office reply, who operates the RBL Backscatterer as a blacklist, this causes a "hit". The same applies to the other aforementioned email types.
Therefore, an IP address listed on Backscatterer does not automatically mean that spam was sent from that IP address.
Does Hornetsecurity request the removal of its IP addresses from backscatterer.org?
In short - No.
As an external email security provider, Hornetsecurity also sends legitimate automatic messages on behalf of its customers. These include, for example, out-of-office replies and technically necessary non-delivery reports.
Hornetsecurity does not consider these messages to be spam.
Removal from the blacklist provider "backscatterer.org" can only be done for a fee, regardless of whether the sender actually disrupts mail operations. Hornetsecurity therefore considers the operator Backscatterer to be unreliable as long as it also includes legitimate bounce messages and charges a fee for their removal.
What can be done if emails are rejected?
Some communication partners use "backscatterer.org" as a blacklist and reject emails from listed IP addresses already during the SMTP connection.
If "backscatterer.org" is used as the sole decision criterion, legitimate business emails can also be blocked. Such erroneous hits are called "False Positives".
Recommendation for the receiving mail server (External - not a Hornetsecurity customer)
A hit at "backscatterer.org" should not automatically lead to a final rejection of the email.
Instead, the hit can be used as an additional evaluation criterion. Possible actions could then include, for example:
- moving the message to quarantine
- marking the message
- conducting further spam and security checks
- excluding known and trusted senders via a whitelist
Rejection should only occur if further indicators suggest that the message is indeed unwanted or harmful.
Recommendation for Hornetsecurity customers
The configuration of the receiving mail server is the responsibility of the respective operator.
If a legitimate email is rejected due to an entry at "backscatterer.org", we recommend the following procedure:
- Contact the affected communication partner.
- Inform them that the rejection was due to the blacklist "backscatterer.org".
- Ask the operator of the receiving mail server to review their filter rules.
- Recommend not using "backscatterer.org" as the sole criterion for a final rejection.
-
If necessary, the communication partner can add the affected Hornetsecurity IP addresses to their whitelist.