Paubox blog: HIPAA compliant email made easy

Understanding email spoofing and backscatter

Written by Kirsten Peremore | January 16, 2024

Email spoofing is a tactic attackers use to modify the email header and display the message as if it was sent by a different sender. This technique is often used for malicious purposes like phishing or spreading malware. On the other hand, email backscatter occurs when email servers mistakenly send bounce messages to the forged return addresses in spoofed emails. These bounce messages, intended for the sender's address, flood the inboxes of individuals or organizations whose addresses have been forged.

 

The relationship between email spoofing and backscatter

When an attacker sends a spoofed email, they manipulate the "From" field to display an innocent party's email address instead of their own. If this spoofed email is sent to an invalid address or is rejected by a recipient's email server for reasons like being marked as spam, the server typically generates an automated bounce-back message. Since the server believes the spoofed address to be the sender, the bounce-back message is sent there, not to the actual originator of the email. 

This results in backscatter, where the inboxes of those whose addresses were used in the spoofing are inundated with these unwarranted bounce messages. The consequences of backscatter are twofold. For the individuals or organizations whose email addresses were spoofed, it leads to the confusion and inconvenience of receiving a flood of non-deliverable reports or complaints for emails they never sent. For the recipients of the spoofed emails, it creates a misleading situation where they may believe a trusted sender has sent them spam or malicious content, potentially damaging trust and communication channels. 

See also: HIPAA Compliant Email: The Definitive Guide

 

Detecting and preventing email spoofing

A combination of sophisticated tools and vigilant practices are employed to effectively identify and combat email spoofing:

  • One method is the use of advanced spam filters. These filters scrutinize emails for signs of spoofing, such as irregularities in the email header or the email content that seems inconsistent with the purported sender's typical messages.
  • Another line of defense lies in email authentication protocols like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC). 
  • On the organizational and individual levels, protection against email spoofing involves both technological solutions and informed behavior. Training and educating staff or individuals about the risks of phishing and scrutinizing email content is a necessary step.
  • Implementing advanced email security solutions that go beyond basic filters to provide comprehensive phishing protection is another step. These solutions use machine learning and other advanced technologies to detect and block sophisticated spoofing attempts that bypass simpler filters.
  • Lastly, have a solid incident response plan that details the steps to take in case of a suspected breach, including how to identify and contain the threat, how to communicate within the organization and with external parties, and how to learn from the incident to prevent future breaches.

See also: What is spoofing?

 

Managing backscatter

The strategies for healthcare providers email administrators to implement include:  

  • They can configure their email servers to use outbound spam filtering, which prevents the dispatch of spoofed emails that might cause backscatter. 
  • Rigorous inbound filtering also helps by blocking bounce messages from known spam sources. 
  • Administrators can look for inconsistencies in the return path or discrepancies between the sender's address and the server's domain to differentiate backscatter from legitimate bounce messages. 
  • Administrators should enable SPF (Sender Policy Framework) to verify outgoing emails' authenticity when configuring mail servers, reducing the chance of their domain being spoofed. 
  • Update their mail server software to ensure it has the latest security features and is less vulnerable to being exploited for backscatter generation. 
  • Lastly, setting up feedback loops with major email service providers alerts administrators when their domain is misused for sending spam, enabling them to take prompt action.

See also: What is a spoofed website?