Darknet – Hacking Tools, Hacker News & Cyber Security

NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance

June 25, 2008

You might remember a while ago we mentioned MP3 spam, which in October last year was the latest evolution in spam.

Currently there is a new type annoying mail-server owners the world over: it's known as NDR or backscatter spam, and it involves NDRs, or Non Delivery Reports (those emails you get when you send a mail to a non-working or no longer active account).

Research shows that up to 90% of emails received by companies are spam, and spammers have adopted a variety of methods to bypass spam filters used in anti-spam software. In the beginning, spam was mainly text based but over the past few years, spammers have resorted to using embedded images and attaching common file types such as mp3s and Excel documents in emails to gain access to mailboxes. Another option is NDR or non-delivery report spam.

NDRs are a common part of email exchanges. Users receive NDRs, for example, when an email does not arrive at a recipient’s address and notification is sent to the sender. However, spammers can cause a considerable increase in NDR activity because they send junk mail to thousands of email addresses. Some are genuine but others are not and these are used to generate NDR messages by manipulating the ‘From’ address to use a real domain sender. This results in email users receiving NDRs from people they had never sent an email to in the first place.

This white paper explains what NDR spam is and how administrators can take effective measures to reduce the impact on their email servers.

To download a copy of the white paper, please visit:

http://www.gfi.com/whitepapers/ndr-spam.pdf [PDF]
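
One way a receiving server can separate a genuine NDR from the backscatter described above is to check that the bounce returns a message the server actually sent. The following is an added example, not taken from this post or from the GFI white paper; the signed Message-ID scheme, `KEY`, `DOMAIN` and the sample bounce are assumptions constructed for illustration.

```python
import email, hashlib, hmac
from email import policy

KEY = b"constructed-demo-key"  # assumption: secret held only by our outbound server
DOMAIN = "example.org"         # assumption: our mail domain

def _tag(nonce):
    return hmac.new(KEY, nonce.encode(), hashlib.sha256).hexdigest()[:16]

def make_message_id(nonce):
    """Message-ID stamped on outgoing mail; the local part carries an HMAC tag."""
    return f"<{nonce}.{_tag(nonce)}@{DOMAIN}>"

def issued_by_us(message_id):
    """True only if the Message-ID carries a tag that our key produced."""
    local, _, domain = message_id.strip().strip("<>").rpartition("@")
    nonce, _, tag = local.rpartition(".")
    return (bool(nonce) and domain == DOMAIN
            and hmac.compare_digest(tag.encode(), _tag(nonce).encode()))

def original_message_id(msg):
    """Message-ID of the returned mail inside a bounce, or None if absent."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":          # full original attached
            return part.get_payload(0).get("Message-ID")
        if ctype == "text/rfc822-headers":     # only the headers attached
            return email.message_from_string(part.get_content()).get("Message-ID")
    return None

def classify(raw):
    """Label a raw message: not-a-bounce, genuine-bounce, or backscatter."""
    msg = email.message_from_string(raw, policy=policy.default)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "delivery-status"):
        return "not-a-bounce"
    mid = original_message_id(msg)
    return "genuine-bounce" if mid and issued_by_us(mid) else "backscatter"

def sample_bounce(orig_mid):
    """Constructed delivery-status report returning a message with orig_mid."""
    return "\n".join([
        "From: MAILER-DAEMON@mx.example.net", "To: alice@example.org",
        "Subject: Undelivered Mail Returned to Sender", "MIME-Version: 1.0",
        'Content-Type: multipart/report; report-type=delivery-status; boundary="BOUND"',
        "", "--BOUND", "Content-Type: text/plain", "", "User unknown.",
        "--BOUND", "Content-Type: message/delivery-status", "",
        "Reporting-MTA: dns; mx.example.net", "",
        "Final-Recipient: rfc822; nobody@example.net", "Action: failed",
        "Status: 5.1.1", "--BOUND", "Content-Type: message/rfc822", "",
        f"Message-ID: {orig_mid}", "From: alice@example.org", "Subject: hello",
        "", "body", "--BOUND--", ""])
```

A bounce that returns no original headers at all is also labelled backscatter here, so a deployment would more likely quarantine or score such mail than discard it outright.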

Filed Under: Countermeasures, Spammers & Scammers Tagged With: anti-spam, gfi, scammers, spam, spammers



Reader Interactions

Comments

  1. Cor-Paul says

    June 25, 2008 at 8:26 am

    Interesting article. I wonder whether it is possible to keep track of outgoing emails for a certain amount of time and check incoming bouncing messages to see if they are really an NDR and not spam. On the other hand, this may also cause the DDoS to be more successful if not implemented well :)

  2. Navin says

    June 25, 2008 at 9:49 am

    I guess that’s possible Cor-Paul, in fact till today that’s what I thought happened :)!! But this just goes to show that spam is evolving almost synonymously with filters (which as of now seem to be doing a fairly good job of keeping spam out (even though darknet’s mails seem to be going into my spam folder in Yahoomail :( )

  3. Bogwitch says

    June 25, 2008 at 10:33 am

    It’s annoying, and I hate to admit it, but NDRs are now causing the emails to be read by users.
    I get several reports from concerned users who believe that their computers have been compromised with malware of one form or another because the email was ‘sent by them’
    It’s all about educating the users, some of whom are uneducatable.

  4. Navin says

    June 25, 2008 at 11:28 am

    What’s that got to do with NDRs?? Aren’t NDRs generated by the mail server (at least traditionally) when the receiver’s email is dead (or so to say)?? Maybe I’m just not understanding your comment :(!!

  5. Bogwitch says

    June 25, 2008 at 1:11 pm

    You’re right, my comment is confusing. Some NDR will include the original message and unless I am very much mistaken, some spam is masquerading as an NDR report with the body of the supposed NDR containing the SPAM.

  6. Elwing says

    June 25, 2008 at 1:26 pm

    Dealing with NDRs from a server perspective is quite a nasty rabbit hole to start down. On the one hand, you want to stop NDR spam from being sent by your mail server, but at the same time, you also want legitimate NDRs to go out to people who genuinely need to know that a user is no longer at that address.

  7. Cor-Paul says

    June 25, 2008 at 1:31 pm

    Bogwitch from what I understand the spam is not about the message but about DDoSing the email server of the victim. If it were about the message I think it would be filtered by SPAM filters like ‘normal’ SPAM.

  8. Navin says

    June 25, 2008 at 2:19 pm

    not necessarily Cor-Paul, the messages may not be detected by spam filters mainly by confirming the identity of the sender (the header of the email), which unfortunately is possible to easily clone. So while DDoSing the email server of the victim poses a threat that can be exploited for unscrupulous purposes, even advertising can be sent straight to your inbox using NDR’s (coz most if not all mail servers recognise the NDR’s as important “inbox-worthy” mail)!!

  9. Sleepy says

    June 25, 2008 at 4:18 pm

    Interesting article. While the problem does seem relevant, and I can see Cor-Paul’s DoS point, I believe the white paper is referring to the scenario that Bogwitch pointed out. I feel I must comment though; I’m never too impressed by “marketing white papers”. It’s hard for me to take info from a marketing white paper seriously without independent verification….they are trying to sell us something.

  10. Ian Kemmish says

    June 25, 2008 at 4:59 pm

    This vector for spam became obvious to me around 2006 when a bunch of share price pump-and-dumpers were forging their From: addresses to look like the spam came from me.

    My ISP (Demon) allows me to ask that all incoming NDR mail be discarded, which is certainly useful to turn on during such episodes.

    Far worse than “pukka” NDRs, however, is “whitelist” software, which attaches an advert for itself to the spam before forwarding it to whoever is named in the “From:” header. Not just the cheap-and-nasty stuff, but also big name brands such as S******c’s spam filtering service ended up forwarding the pump-and-dump spam to me in this way. I told the big name companies that it was only a matter of time before spammers deliberately started exploiting this weakness in their software, but of course they didn’t listen….

    It was also amusing to note how many people seemed to have both received the spam and saved it on their computers, because a few months later, I started receiving a whole different bunch of spam addressed to the specific (garbage) addresses the first group of spammers had forged!

  11. Sleepy says

    June 25, 2008 at 7:03 pm

    @Ian Could you please expound on the “whitelist” software exploiting that you mention.? I have been looking into it but I have failed to find anything relevant to the scenario you laid out…although, admittedly, your post is a little confusing to me. Thanks!

    I’d like to add (referencing my earlier comment) that I do use GFI products (event monitor) so I don’t consider myself biased towards the company. I just don’t care for white papers that try to sell me things.

    To follow up;
    After having further researched it, I think I understand what Ian was talking about. I’d still like to hear more about the specifics of how this “whitelist software” interacts with the relevant material of the paper referenced in this article. If anyone has the time to explain it to me or point me to a reference I’d appreciate it. Thanks!

  12. david says

    June 26, 2008 at 4:26 pm

    If people start using SPF this wouldn’t happen. Also depending on the antispam product that you use you can define or set the spam score of this NDR so it’s effect is not that bad for the end user.

  13. grav says

    June 28, 2008 at 7:42 pm

    Can you imagine what would happen if botnets (or zombie networks) and spam teamed up? Not only would the initial millions of computers be sent spam, everybody on their list would be sent something as well. This pattern could continue exponentially! What if the email clients were compromised into downloading malicious code? It would be a bot-army of spamming computers!!!

    Just my $0.02

  14. Navin says

    June 29, 2008 at 5:42 am

    @ grav
    if there was something like that happening without any initial warning then it would have disastrous results (kinda like a zero day attack) but I doubt that would happen… In real life email filters would almost instantaneously be updated and these malicious emails would be deliberately “lost-in-transit”. That’s what I feel…..

    I really liked your $0.02 BTW, it’d make a good hollywood flick

  15. Darknet says

    June 29, 2008 at 8:16 am

    Yeah most spam actually already comes from Botnets, it’s one of the biggest uses for compromised computers.

    It’s the reason why many mail services blacklist SMTP sends from dynamic IP pools and many ISP’s block outgoing traffic on port 25 to stop these botnets from working.

  16. Navin says

    June 29, 2008 at 11:24 am

    Ah…the ever so popular port 25
    I’ll never get bored reading about ways to misuse this port…. I think the world of hacking would be very lonely without this port!!

  17. grav says

    June 30, 2008 at 6:32 pm

    The “coolest” use of botnets is by far to cause a DOS attack.
    I don’t know where I was reading it, but a massive attack was performed on one of the former USSR countries. Hackers and botnet leaders flooded the whole infrastructure with millions upon millions of requests and crippled a whole country’s system for about a week.

    @ Navin

    Yup, I love :25 as well! Only problem is that with the recent burst of SPAM, my ISP is blocking me from connecting to any SMTP server other than their own (theirs requires a password as well as a username, so it’s out of the question.)

    I’m sure that there is a work-around but I cannot find one. So far, I had just been using the telnet client with CMD to send prank mail to all my friends. I suppose one suitable workaround would be to just set up an SMTP server on your own machine and then just connect to “localhost” when you would send anonymous mail. Only thing is that your IP address would be tracked immediately. Other workarounds might include connecting to an open relay server, but those are becoming harder and harder to find…

    I suppose you could also log onto a school workstation or a library one and just use their smtp server to send mail. In general, they are more lax about protocol.

  18. Sleepy says

    June 30, 2008 at 6:49 pm

    I’m not so sure that’s a “cool” use of a botnet. But for the sake of learning I’ll leave my comments at that. I’m glad Darknet gives those of us interested in security a place to discuss things but posts like that sure remind me that we are not all necessarily working with the same agenda.

    Good post nonetheless grav.

  19. grav says

    June 30, 2008 at 7:32 pm

    Sleepy, you have made my day

    I know that you understood that I was joking when I called it cool : )

    The people that do things like that are in my opinion, royal douches

    I would not like to imagine a week without internet in my WHOLE FRICKING COUNTRY!!!

    Thank You Sleepy

  20. Navin says

    July 1, 2008 at 9:49 am

    Once again man, I point out the dependence of your country on the net… it’s absolutely amusing (while also amazingly serious) to say that a day without the internet and boom!! (that’s for dramatic effect BTW), your entire system from medicine to defence to transport all comes to a grinding halt… screeeeeeeeeech!! (another dramatic effect)… It’s hard to think how your country worked 3 decades ago (before the internet came into the picture)

  21. grav says

    July 1, 2008 at 6:50 pm

    @ Navin

    It is not only my country
    but pretty much any “modernized” country whose infrastructure is its most important sector

    I bet you have a cellphone
    I bet you watch TV (once in a while)
    I bet you drive or take some sort of public transportation
    Have you ever been on a plane?

    The internet affects everything (or just about) in the vast majority of countries

    I don’t know if you have a mall – or for that matter any big chain stores by you – but if you do, the surveillance cameras and motion detectors and the little things that beep if you run out the door without paying are all connected somehow. For most countries, having the internet inoperable in the wake of some huge DOS attack is just as crippling – if not more crippling – than having the electricity go out.

    Corporations and even some consumers have generators and can live without electricity for a while. Can people adapt to having the anarchy of a crippled infrastructure? In this case I am referring to an attack on the whole infrastructure, not just internet.

    Just my $0.02 : )

    I can imagine a life without the Internet. A while back we were moving and for 6 months could not use the Internet for technical reasons. It wasn’t that bad.

    Could I imagine what would happen if the whole country did not have internet access?

    No. I could not. It would be like trying to return to telegram after decades of the telephone.
