NDR spam, a.k.a. backscatter, has been around for years but has only recently hit the radar as a major spam issue, mainly due to the rise of the botnet and spammers' desperation to get their messages in front of the end user.
What is an NDR?
NDR, short for Non Delivery Receipt, is an automated email sent by an MTA (Mail Transfer Agent) that informs the sender that there has been a problem delivering a message they sent.
NDRs are also referred to as Delivery Status Notifications (DSNs) or simply bounce messages.
So what is NDR Spam?
NDR spam occurs when spammers forge your email address as the sender of their spam. Bounces are sent to the message's Return-Path (the envelope sender given in the SMTP MAIL FROM command, normally the same address that appears in the From field), so if the intended recipient of the spam does not exist, has no space left in their inbox, etc., you receive a Non Delivery Receipt for an email you never actually sent.
Challenge/Response spam-filtering services, Out Of Office notifications, list auto-replies and any other auto-responder type email contribute to the problem in the same way, since they too reply to the forged address.
Why has it become a problem?
Spammers are constantly looking for ways to evade anti-spam filters. The recent sharp rise in NDR spam suggests that, rather than merely having some bad addresses on their lists that happen to bounce, they have started to target addresses that bounce in order to get their content into your inbox inside the NDR. They can do this by sending to totally random local parts at a legitimate domain, which are certain to bounce, or by compiling lists of addresses that bounced when previously spammed. It is even possible the spammers are targeting domains they know return bounces with the full original message attached. Basically, the spammer wants to relay his spam via a legitimate mail server so that it lands in your inbox, even if it doesn't look pretty.
How big is the problem?
NDR spam is currently about 2% of all spam, down from over 4% a couple of weeks ago; it's possible this method hasn't been effective enough for the spammers. We believe that over 50% of these bounces are coming from a single botnet. NDR spam can be broken down into three main categories: an NDR with the full original message attached, an NDR with only the spammy headers attached, and an NDR with no spam content at all.
Detecting NDR Spam
There are several problems associated with detecting this particular type of spam.
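A genuine bounce and a backscatter bounce come from the same kinds of MTAs in the same format, and the spam content may or may not be inside, so looking at the attached content is unreliable. One check that works for all three categories above is to tag the envelope sender of everything you send, so that a genuine bounce comes back to a tagged address and backscatter does not. This is the idea behind BATV (Bounce Address Tag Validation, the "prvs" scheme), which a reader asks about in the comments. The code below is an added illustration written for this page, not McAfee's, IronPort's or any product's implementation; it simplifies the scheme (an HMAC-SHA256 tag, a fixed 7-day lifetime, a constructed key and a constructed sample bounce are all my choices), and the bounce_category helper shows the three shapes an NDR arrives in, none of which the tag check depends on.

```python
import email
import hashlib
import hmac
import re
from datetime import date

# Shared secret for all of the domain's MTAs (constructed for this example; use a
# random key in production and rotate it via the key-id digit in the tag).
BATV_KEY = b"example-secret-rotate-me"
TAG_LIFETIME_DAYS = 7
EPOCH = date(1970, 1, 1)

# prvs=<key id><expiry day mod 1000><6 hex HMAC chars>=<original local part>@<domain>
TAG_RE = re.compile(r"^prvs=(?P<key>\d)(?P<day>\d{3})(?P<mac>[0-9a-f]{6})=(?P<addr>.+@.+)$", re.I)


def _days(d: date) -> int:
    return (d - EPOCH).days


def _mac(day: int, addr: str, key: bytes = BATV_KEY) -> str:
    """First 6 hex chars of HMAC-SHA256 over the expiry day and the untagged address."""
    return hmac.new(key, f"{day:03d}{addr.lower()}".encode(), hashlib.sha256).hexdigest()[:6]


def tag_sender(addr: str, today: date, key_id: int = 0) -> str:
    """Rewrite the envelope sender (SMTP MAIL FROM) of an outgoing message.
    The From header is left alone; only mail we really sent ever carries a valid tag."""
    day = (_days(today) + TAG_LIFETIME_DAYS) % 1000
    local, _, domain = addr.partition("@")
    return f"prvs={key_id}{day:03d}{_mac(day, addr)}={local}@{domain}"


def validate_bounce_recipient(rcpt: str, today: date, key: bytes = BATV_KEY):
    """Check the recipient of an inbound message whose envelope sender is empty
    (i.e. a bounce).  Returns (accept, untagged address or rejection reason)."""
    m = TAG_RE.match(rcpt)
    if not m:
        return False, "untagged bounce address: we never sent the original"
    addr, day = m.group("addr"), int(m.group("day"))
    if not hmac.compare_digest(m.group("mac").lower(), _mac(day, addr, key)):
        return False, "tag does not verify: forged or wrong key"
    remaining = (day - _days(today) % 1000) % 1000  # days until expiry, wrapping at 1000
    if remaining > TAG_LIFETIME_DAYS:
        return False, "tag expired"
    return True, addr


def bounce_category(raw: bytes) -> str:
    """Classify an NDR by how much of the original message it carries."""
    msg = email.message_from_bytes(raw)
    content_types = {part.get_content_type() for part in msg.walk()}
    if "message/rfc822" in content_types:
        return "full message attached"
    if "text/rfc822-headers" in content_types:
        return "headers only"
    return "no original content"


# Constructed sample: a headers-only NDR from a remote MTA for a message alice never
# sent.  The empty Return-Path is the mark of a bounce; the To address carries no tag.
SAMPLE_BOUNCE = b"""Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.remote.example>
To: alice@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="NDR"

--NDR
Content-Type: text/plain

The message could not be delivered to nobody@remote.example.
--NDR
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.remote.example

Final-Recipient: rfc822; nobody@remote.example
Action: failed
Status: 5.1.1
--NDR
Content-Type: text/rfc822-headers

From: alice@example.com
To: nobody@remote.example
Subject: Cheap meds
--NDR--
"""

if __name__ == "__main__":
    tagged = tag_sender("alice@example.com", date(2008, 8, 1))  # goes into MAIL FROM
    print("outgoing MAIL FROM:", tagged)
    print("genuine bounce:", validate_bounce_recipient(tagged, date(2008, 8, 3)))
    print("backscatter:   ", validate_bounce_recipient("alice@example.com", date(2008, 8, 3)))
    print("sample NDR is:", bounce_category(SAMPLE_BOUNCE))
```

Because only the envelope sender is tagged, recipients see nothing different and SPF is unaffected (the domain does not change). Anything that keys on the exact envelope address, such as sender allowlists or some mailing-list subscription checks, will see a different address for every message and needs to be taught to strip the tag.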
The good news…
Reducing Outbound NDR Spam
Reducing the number of NDRs your own server sends also helps this situation, with the added benefit of reducing the load on your server.
There are two types of bounce: synchronous and asynchronous. A synchronous bounce occurs when the receiving mail server rejects the message during the SMTP conversation, for example with a 550 reply to the RCPT TO command for an unknown user. This reduces load on your server because it never has to generate and send an NDR, and because the rejection goes back to the connecting client rather than to the address in the Return-Path, a forged sender never hears about it. The drawback is that a server which answers "user unknown" on the spot can be probed to enumerate valid addresses (a dictionary attack), but there are mitigations for that, such as tarpitting: slowing down and eventually dropping clients that rack up errors. An asynchronous bounce happens when the receiving server accepts the message and later decides there is a problem with delivery, so it returns it by sending an NDR to the Return-Path of the message, which in the case of spam is exactly the forged victim address. I would recommend using synchronous bouncing if it is a feature of your mail server.
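To make the difference concrete, here is a toy SMTP receiver (an added example, not code from the article or from any real MTA) that handles the same spambot session in both modes. The mailbox list, the error thresholds and the session transcript are constructed for the example. In synchronous mode the unknown recipient is refused at RCPT TO and nothing is ever sent to the forged Return-Path; in asynchronous mode the message is accepted and an NDR carrying the spam is queued to the victim. The error counter models tarpitting in the style of Postfix's soft and hard error limits: a client that keeps guessing addresses (or, as this bot does, keeps blindly sending body lines after its DATA was refused) is delayed and finally disconnected.

```python
from dataclasses import dataclass, field

# Constructed for the example: the only mailbox that exists on this server,
# and the tarpit thresholds.
KNOWN_USERS = {"bob@example.com"}
SOFT_ERROR_LIMIT = 3   # after this many errors, each further error costs the client 1 s
HARD_ERROR_LIMIT = 6   # after this many, the connection is dropped


@dataclass
class Session:
    synchronous: bool                 # reject unknown users at RCPT TO?
    sender: str = ""                  # envelope sender = Return-Path (chosen by the client)
    rcpts: list = field(default_factory=list)
    body: list = field(default_factory=list)
    in_data: bool = False
    errors: int = 0
    delay: int = 0                    # seconds of tarpit delay imposed so far
    ndrs: list = field(default_factory=list)   # NDRs this server would send


def _address(arg: str) -> str:
    """'FROM:<Alice@Example.com>' -> 'alice@example.com'; '<>' -> '' (null sender)."""
    return arg.partition(":")[2].strip().strip("<>").lower()


def _error(s: Session, reply: str) -> str:
    s.errors += 1
    if s.errors > HARD_ERROR_LIMIT:
        return "421 4.7.0 Too many errors, closing connection"
    if s.errors > SOFT_ERROR_LIMIT:
        s.delay += 1                  # a real MTA sleeps here before replying
    return reply


def _deliver(s: Session) -> None:
    """Runs after the message was accepted (asynchronous path).  Only now does the
    server notice the recipient does not exist, so the NDR goes to whatever the
    client put in MAIL FROM.  A null sender never gets an NDR (bounces of bounces)."""
    for rcpt in s.rcpts:
        if rcpt not in KNOWN_USERS and s.sender:
            s.ndrs.append({"to": s.sender, "failed": rcpt, "original": "\n".join(s.body)})


def handle_line(s: Session, line: str) -> str:
    if s.in_data:
        if line == ".":
            s.in_data = False
            _deliver(s)
            return "250 2.0.0 Ok: queued"
        s.body.append(line)
        return ""                     # no reply while receiving the body
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb in ("HELO", "EHLO"):
        return "250 mx.example.com"
    if verb == "MAIL":
        s.sender = _address(arg)
        return "250 2.1.0 Ok"
    if verb == "RCPT":
        rcpt = _address(arg)
        if s.synchronous and rcpt not in KNOWN_USERS:
            return _error(s, f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown")
        s.rcpts.append(rcpt)          # asynchronous: accept now, find out later
        return "250 2.1.5 Ok"
    if verb == "DATA":
        if not s.rcpts:
            return _error(s, "554 5.5.1 Error: no valid recipients")
        s.in_data = True
        return "354 End data with <CR><LF>.<CR><LF>"
    if verb == "QUIT":
        return "221 2.0.0 Bye"
    return _error(s, "502 5.5.2 Error: command not recognized")


def run_session(commands, synchronous: bool):
    """Replay client lines through a fresh session; returns the session and a list
    of (client line, server reply) pairs, stopping if the server disconnects."""
    s = Session(synchronous)
    transcript = []
    for line in commands:
        reply = handle_line(s, line)
        transcript.append((line, reply))
        if reply.startswith("421"):
            break
    return s, transcript


# Constructed spambot session: forged victim as Return-Path, random recipient, and
# it keeps sending the body even if DATA was refused (each line is then an error).
SPAMBOT = ["HELO bot.example", "MAIL FROM:<alice@example.com>", "RCPT TO:<zq81k@example.com>",
           "DATA", "Subject: Cheap meds", "", "buy now", ".", "QUIT"]

if __name__ == "__main__":
    for mode in (True, False):
        s, transcript = run_session(SPAMBOT, synchronous=mode)
        print("synchronous" if mode else "asynchronous")
        for line, reply in transcript:
            print(f"  C: {line!r:32} S: {reply}")
        print(f"  NDRs queued to forged sender: {len(s.ndrs)}, tarpit delay: {s.delay}s")
```

In the synchronous run the forged alice@example.com never receives anything and the bot's six errors cost it three seconds of delay; in the asynchronous run the server itself becomes the backscatter source, mailing the spam body to alice.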
We could suggest that all responsible administrators leave the original message in their NDRs, which makes these messages much easier to identify and block with existing anti-spam technologies; on the flip side, if no NDRs carried the spam content, it wouldn't be worth the spammers' while sending them. Each approach has its advantages and disadvantages.

August 9th, 2008 at 10:05 am
What are you waiting for on the BATV? Ironport has already implemented this. Is McAfee SMS going to be implementing this also? What is the status there? Our customers are ballistic. We are at the point of putting an IronPort in place of McAfee SMS and GroupShield because McAfee is well behind in this effort to stop spam.