25 June 2008 | 57,543 views

NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance


You might remember a while ago we mentioned MP3 spam, which in October last year was the latest evolution in spam.

Currently there is a new type of spam annoying mail-server owners the world over. It is known as NDR or backscatter spam and involves NDRs, or Non Delivery Reports (the emails you get back when you send mail to a non-working or no longer active account).

Research shows that up to 90% of emails received by companies are spam, and spammers have adopted a variety of methods to bypass spam filters used in anti-spam software. In the beginning, spam was mainly text based but over the past few years, spammers have resorted to using embedded images and attaching common file types such as mp3s and Excel documents in emails to gain access to mailboxes. Another option is NDR or non-delivery report spam.

NDRs are a normal part of email exchange: when an email cannot be delivered to a recipient’s address, the receiving server sends a notification back to the sender. Spammers, however, cause a considerable increase in NDR activity because they send junk mail to thousands of email addresses. Some of those addresses are genuine but many are not, and the NDRs generated for the non-existent ones go to whatever address the spammer put in the forged ‘From’ header, typically a real sender at a real domain. The result is that email users receive NDRs for messages they never sent in the first place.
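One way for the site whose address is being forged to tell genuine NDRs from backscatter, along the lines the first commenter below suggests, is to keep a record of the Message-IDs of mail it actually sent and accept an inbound bounce only when the original it returns matches one. The following Python is an added example, not code from the article or from GFI; the outbound record is a stub set and the bounce messages are constructed samples.

```python
import email
import re
from email import policy

# Message-IDs our own MTA actually handed off. Constructed stub: in practice this
# set is fed from the outbound mail log and entries expire after a few days.
SENT_MESSAGE_IDS = {"<20080625.0815.a1b2c3@example.com>"}

MSGID_RE = re.compile(r"<[^<>\s]+@[^<>\s]+>")


def is_bounce(msg):
    """A delivery status notification has an empty envelope sender
    (Return-Path: <>) and is normally multipart/report; report-type=delivery-status."""
    return_path = str(msg.get("Return-Path", "")).strip()
    content_type = str(msg.get("Content-Type", "")).lower()
    return return_path == "<>" or (
        "multipart/report" in content_type and "delivery-status" in content_type)


def returned_message_ids(msg):
    """Message-IDs of the original the bounce carries back: from the attached
    message/rfc822 copy, a text/rfc822-headers part, or the plain-text body."""
    ids = set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            ids.update(MSGID_RE.findall(str(part.get_payload(0).get("Message-ID", ""))))
        elif ctype in ("text/rfc822-headers", "text/plain"):
            ids.update(MSGID_RE.findall(part.get_content()))
    return ids


def classify(raw):
    """'legitimate-ndr' when the returned original is one we sent, 'backscatter'
    when it is a bounce for mail we never sent, 'not-a-bounce' otherwise."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_bounce(msg):
        return "not-a-bounce"
    return "legitimate-ndr" if returned_message_ids(msg) & SENT_MESSAGE_IDS else "backscatter"


def sample_bounce(original_msgid):
    """Constructed DSN returning a copy of a message with the given Message-ID."""
    return (
        "Return-Path: <>\nFrom: MAILER-DAEMON@mail.example.net\nTo: alice@example.com\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="B1"\n\n'
        "--B1\nContent-Type: text/plain\n\nThe recipient does not exist.\n"
        "--B1\nContent-Type: message/rfc822\n\n"
        f"From: alice@example.com\nTo: nosuchuser@example.net\nMessage-ID: {original_msgid}\n"
        "Subject: Hello\n\nOriginal text.\n--B1--\n"
    )
```

A bounce whose returned original carries a Message-ID we never issued is discarded or scored as spam rather than delivered to the user’s inbox.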

This white paper explains what NDR spam is and how administrators can take effective measures to reduce the impact on their email servers.

To download a copy of the white paper, please visit:

http://www.gfi.com/whitepapers/ndr-spam.pdf [PDF]




21 Responses to “NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance”

  1. Cor-Paul 25 June 2008 at 8:26 am

    Interesting article. I wonder whether it is possible to keep track of outgoing emails for a certain amount of time and check incoming bouncing messages to see if they are really an NDR and not spam. On the other hand, this may also cause the DDoS to be more successful if not implemented well :)

  2. Navin 25 June 2008 at 9:49 am

    I guess that’s possible Cor-Paul, in fact till today that’s what I thought happened :)!! But this just goes to show that spam is evolving almost synonymously with filters (which as of now seem to be doing a fairly good job of keeping spam out, even though darknet’s mails seem to be going into my spam folder in Yahoomail :( )

  3. Bogwitch 25 June 2008 at 10:33 am

    It’s annoying, and I hate to admit it, but NDRs are now causing the emails to be read by users.
    I get several reports from concerned users who believe that their computers have been compromised with malware of one form or another because the email was ‘sent by them’.
    It’s all about educating the users, some of whom are uneducatable.

  4. Navin 25 June 2008 at 11:28 am

    What’s that got to do with NDRs?? Aren’t NDRs generated by the mail server (at least traditionally) when the receiver’s email is dead (or so to say)?? Maybe I’m just not understanding your comment :(!!

  5. Bogwitch 25 June 2008 at 1:11 pm

    You’re right, my comment is confusing. Some NDR will include the original message and unless I am very much mistaken, some spam is masquerading as an NDR report with the body of the supposed NDR containing the SPAM.

  6. Elwing 25 June 2008 at 1:26 pm

    Dealing with NDRs from a server perspective is quite a nasty rabbit hole to start down. On the one hand, you want to stop NDR spam from being sent by your mail server, but at the same time, you also want legitimate NDRs to go out to people who genuinely need to know that a user is no longer at that address.

  7. Cor-Paul 25 June 2008 at 1:31 pm

    Bogwitch, from what I understand the spam is not about the message but about DDoSing the email server of the victim. If it were about the message I think it would be filtered by SPAM filters like ‘normal’ SPAM.

  8. Navin 25 June 2008 at 2:19 pm

    Not necessarily Cor-Paul, the messages may not be detected by spam filters mainly by confirming the identity of the sender (the header of the email), which unfortunately is possible to easily clone. So while DDoSing the email server of the victim poses a threat that can be exploited for unscrupulous purposes, even advertising can be sent straight to your inbox using NDRs (coz most if not all mail servers recognise NDRs as important “inbox-worthy” mail!!)

  9. Sleepy 25 June 2008 at 4:18 pm

    Interesting article. While the problem does seem relevant, and I can see Cor-Paul’s DoS point, I believe the white paper is referring to the scenario that Bogwitch pointed out. I feel I must comment though; I’m never too impressed by “marketing white papers”. It’s hard for me to take info from a marketing white paper seriously without independent verification….they are trying to sell us something.

  10. Ian Kemmish 25 June 2008 at 4:59 pm

    This vector for spam became obvious to me around 2006 when a bunch of share price pump-and-dumpers were forging their From: addresses to look like the spam came from me.

    My ISP (Demon) allows me to ask that all incoming NDR mail be discarded, which is certainly useful to turn on during such episodes.

    Far worse than “pukka” NDRs, however, is “whitelist” software, which attaches an advert for itself to the spam before forwarding it to whoever is named in the “From:” header. Not just the cheap-and-nasty stuff, but also big name brands such as S******c’s spam filtering service ended up forwarding the pump-and-dump spam to me in this way. I told the big name companies that it was only a matter of time before spammers deliberately started exploiting this weakness in their software, but of course they didn’t listen….

    It was also amusing to note how many people seemed to have both received the spam and saved it on their computers, because a few months later, I started receiving a whole different bunch of spam addressed to the specific (garbage) addresses the first group of spammers had forged!

  11. Sleepy 25 June 2008 at 7:03 pm

    @Ian Could you please expound on the “whitelist” software exploiting that you mention? I have been looking into it but I have failed to find anything relevant to the scenario you laid out…although, admittedly, your post is a little confusing to me. Thanks!

    I’d like to add (referencing my earlier comment) that I do use GFI products (event monitor) so I don’t consider myself biased towards the company. I just don’t care for white papers that try to sell me things.

    To follow up;
    After having further researched it, I think I understand what Ian was talking about. I’d still like to hear more about the specifics of how this “whitelist software” interacts with the relevant material of the paper referenced in this article. If anyone has the time to explain it to me or point me to a reference I’d appreciate it. Thanks!

  12. david 26 June 2008 at 4:26 pm

    If people start using SPF this wouldn’t happen. Also, depending on the antispam product that you use, you can define or set the spam score of this NDR so its effect is not that bad for the end user.

  13. grav 28 June 2008 at 7:42 pm

    Can you imagine what would happen if botnets (or zombie networks) and spam teamed up? Not only would the initial millions of computers be sent spam, everybody on their list would be sent something as well. This pattern could continue exponentially! What if the email clients were compromised into downloading malicious code? It would be a bot-army of spamming computers!!!

    Just my $0.02

  14. Navin 29 June 2008 at 5:42 am

    @ grav
    If there was something like that happening without any initial warning then it would have disastrous results (kinda like a zero day attack) but I doubt that would happen…In real life email filters would almost instantaneously be updated and these malicious emails would be deliberately “lost-in-transit”. That’s what I feel…..

    I really liked your $0.02 BTW, it’d make a good hollywood flick

  15. Darknet 29 June 2008 at 8:16 am

    Yeah, most spam actually already comes from botnets; it’s one of the biggest uses for compromised computers.

    It’s the reason why many mail services blacklist SMTP sends from dynamic IP pools and many ISPs block outgoing traffic on port 25 to stop these botnets from working.

  16. Navin 29 June 2008 at 11:24 am

    Ah…the ever so popular port 25
    I’ll never get bored reading about ways to misuse this port….I think the world of hacking would be very lonely without this port!!

  17. grav 30 June 2008 at 6:32 pm

    The “coolest” use of botnets is by far to cause a DOS attack.
    I don’t know where I was reading it, but a massive attack was performed on one of the former USSR countries. Hackers and botnet leaders flooded the whole infrastructure with millions upon millions of requests and crippled a whole country’s system for about a week.

    @ Navin

    Yup, I love :25 as well! Only problem is that with the recent burst of SPAM, my ISP is blocking me from connecting to any SMTP server other than their own (theirs requires a password as well as a username, so it’s out of the question.)

    I’m sure that there is a work-around but I cannot find one. So far, I had just been using the telnet client with CMD to send prank mail to all my friends. I suppose one suitable workaround would be to just set up an SMTP server on your own machine and then just connect to “localhost” when you would send anonymous mail. Only thing is that your IP address would be tracked immediately. Other workarounds might include connecting to an open relay server, but those are becoming harder and harder to find…

    I suppose you could also log onto a school workstation or a library one and just use their smtp server to send mail. In general, they are more lax about protocol.

  18. Sleepy 30 June 2008 at 6:49 pm

    I’m not so sure that’s a “cool” use of a botnet. But for the sake of learning I’ll leave my comments at that. I’m glad Darknet gives those of us interested in security a place to discuss things but posts like that sure remind me that we are not all necessarily working with the same agenda.

    Good post nonetheless grav.

  19. grav 30 June 2008 at 7:32 pm

    Sleepy, you have made my day

    I know that you understood that I was joking when I called it cool : )

    The people that do things like that are in my opinion, royal douches

    I would not like to imagine a week without internet in my WHOLE FRICKING COUNTRY!!!

    Thank You Sleepy

  20. Navin 1 July 2008 at 9:49 am

    Once again man, I point out the dependence of your country on the net…it’s absolutely amusing (while also amazingly serious) to say that a day without the internet and boom!! (that’s for dramatic effect BTW), your entire system from medicine to defence to transport all comes to a grinding halt…screeeeeeeeeech!! (another dramatic effect)…It’s hard to think how your country worked 3 decades ago (before the internet came into the picture)

  21. grav 1 July 2008 at 6:50 pm

    @ Navin

    It is not only my country
    but pretty much any “modernized” country whose infrastructure is its most important sector

    I bet you have a cellphone
    I bet you watch TV (once in a while)
    I bet you drive or take some sort of public transportation
    Have you ever been on a plane?

    The internet affects everything (or just about) in the vast majority of countries

    I don’t know if you have a mall – or for that matter any big chain stores by you – but if you do, the surveillance cameras and motion detectors and the little things that beep if you run out the door without paying are all connected somehow. For most countries, having the internet inoperable in the wake of some huge DOS attack is just as crippling – if not more crippling – than having the electricity go out.

    Corporations and even some consumers have generators and can live without electricity for a while. Can people adapt to having the anarchy of a crippled infrastructure? In this case I am referring to an attack on the whole infrastructure, not just internet.

    Just my $0.02 : )

    I can imagine a life without the Internet. A while back we were moving and for 6 months could not use the Internet for technical reasons. It wasn’t that bad.

    Could I imagine what would happen if the whole country did not have internet access?

    No. I could not. It would be like trying to return to telegram after decades of the telephone.