NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance

You might remember a while ago we mentioned MP3 spam, which in October last year was the latest evolution in spam.

Currently there is a new type annoying mail-server owners the world over, it’s known as NDR or Backscatter Spam and involved NDRs or Non Delivery Reports (those emails you get when you send a mail to a non-working or no longer active account).

Research shows that up to 90% of emails received by companies are spam, and spammers have adopted a variety of methods to bypass spam filters used in anti-spam software. In the beginning, spam was mainly text based but over the past few years, spammers have resorted to using embedded images and attaching common file types such as mp3s and Excel documents in emails to gain access to mailboxes. Another option is NDR or non-delivery report spam.

NDRs are a common part of email exchanges. Users receive NDRs, for example, when an email does not arrive at a recipient’s address and notification is sent to the sender. However, spammers can cause a considerable increase in NDR activity because they send junk mail to thousands of email addresses. Some are genuine but others are not and these are used to generate NDR messages by manipulating the ‘From’ address to use a real domain sender. This results in email users receiving NDRs from people they had never sent an email to in the first place.

This white paper explains what NDR spam is and how administrators can take effective measures to reduce the impact on their email servers.

To download a copy of the white paper, please visit:

http://www.gfi.com/whitepapers/ndr-spam.pdf [PDF]

Posted in: Countermeasures, Spammers & Scammers

, , , ,

Latest Posts:

Socialscan - Command-Line Tool To Check For Email And Social Media Username Usage Socialscan – Command-Line Tool To Check For Email And Social Media Username Usage
socialscan is an accurate command-line tool to check For email and social media username usage on online platforms, given an email address or username,
CFRipper - CloudFormation Security Scanning & Audit Tool CFRipper – CloudFormation Security Scanning & Audit Tool
CFRipper is a Python-based Library and CLI security analyzer that functions as an AWS CloudFormation security scanning and audit tool
CredNinja - Test Credential Validity of Dumped Credentials or Hashes CredNinja – Test Credential Validity of Dumped Credentials or Hashes
CredNinja is a tool to quickly test credential validity of dumped credentials (or hashes) across an entire network or domain very efficiently.
assetfinder - Find Related Domains and Subdomains assetfinder – Find Related Domains and Subdomains
assetfinder is a Go-based tool to find related domains and subdomains that are related to a given domain from a variety of sources including Facebook and more.
Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.

21 Responses to NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance

  1. Cor-Paul June 25, 2008 at 8:26 am #

    Interesting article. I wonder whether it is possible to keep track of outgoing emails for a certain amount of time and check incoming bouncing messages to see if they are really a NDR and not spam. On the other hand, this may also cause the DDoS to be more successful if not implemented well :)

  2. Navin June 25, 2008 at 9:49 am #

    I guess thats possible Cor-paul, infact till today that’s what I thought happened:)!! But this just goes to show that spam is evolving almost synonymously with filters (which as of now seem to be doing a fairly good job of keeping spam out (even though darknet’s mails seem to be going into my spam folder in Yahoomail :( )

  3. Bogwitch June 25, 2008 at 10:33 am #

    It’s annoying, and I hate to admit it, but NDRs are now causing the emails to be read by users.
    I get several reports from concerned users who believe that their computers have been compromised with malware of one form or another because the email was ‘sent by them’
    It’s all about educating the users, some of whom are uneducatable.

  4. Navin June 25, 2008 at 11:28 am #

    whats that got to do wid NDR’s?? Aren’t NDR’s generated by the mail server (atleast traditionally) when the reciever’s email is dead (or so to say)??Maybe I’m just not understanding your comment:(!!

  5. Bogwitch June 25, 2008 at 1:11 pm #

    You’re right, my comment is confusing. Some NDR will include the original message and unless I am very much mistaken, some spam is masquerading as an NDR report with the body of the supposed NDR containing the SPAM.

  6. Elwing June 25, 2008 at 1:26 pm #

    Dealing with NDRs from a server perspective is quite a nasty rabbit hole to start down. One the one hand, you want to stop NDR spam from being sent by your mail server, but at the same time, you also want legitimate NDRs to go out to people who genuinely need to know that a user is no longer at that address.

  7. Cor-Paul June 25, 2008 at 1:31 pm #

    Bogwitch from what I understand the spam is not about the message but about DDoSing the email server of the victim. If it were about the message I think it would be filtered by SPAM filters like ‘normal’ SPAM.

  8. Navin June 25, 2008 at 2:19 pm #

    not necessarily Cor-Paul, the messages may not be detected by spam filters mainly by confirming the identity of the sender (the header of the email), which unfortunately is possible to easily clone. So while DDoSing the email server of the victim poses a threat that can be exploited for unscrupulous purposes, even advertising can be sent staight to your inbox using NDR’s (coz most if not all mail servers recognise the NDR’s as important “inbox-worthy” mail!!

  9. Sleepy June 25, 2008 at 4:18 pm #

    Interesting article. While the problem does seem relevant, and I can see Cor-Paul’s DoS point, I believe the white paper is referring to the scenario that Bogwitch pointed out. I feel I must comment though; I’m never too impressed by “marketing white papers”. It’s hard for me to take info from a marketing white paper seriously without independent verification….they are trying to sell us something.

  10. Ian Kemmish June 25, 2008 at 4:59 pm #

    This vector for spam became obvious to me around 2006 when a bunch of share price pump-and-dumpers were forging their From: addresses to look like the spam came from me.

    My ISP (Demon) allows me to ask that all incoming NDR mail be discrarded, which is certainly useful to turn on during such episodes.

    Far worse than “pukka” NDRs, however, is “whitelist” software, which attaches an advert for itself to the spam before forwarding it to whoever is named in the “From:” header. Not just the cheap-and-nasty stuff, but also big name brands such as S******c’s spam filtering service ended up forwarding the pump-and-dump spam to me in this way. I told the big name companies that it was only a matter of time before spammers deliberately started exploiting this weakness in their software, but of course they didn’t listen….

    It was also amusing to note how many people seemed to have both received the spam and saved it on their computers, because a few months later, I started receiving a whole different bunch of spam addressed to the specific (garbage) addresses the first group of spammers had forged!

  11. Sleepy June 25, 2008 at 7:03 pm #

    @Ian Could you please expound on the “whitelist” software exploiting that you mention.? I have been looking into it but I have failed to find anything relevant to the scenario you laid out…although, admittedly, your post is a little confusing to me. Thanks!

    I’d like to add (referencing my earlier comment) that I do use GFI products (event monitor) so I don’t consider myself biased towards the company. I just don’t care for white papers that try to sell me things.

    To follow up;
    After having further researched it, I think I understand what Ian was talking about. I’d still like to hear more about the specifics of how this “whitelist software” interacts with the relevant material of the paper referenced in this article. If anyone has the time to explain it to me or point me to a reference I’d appreciate it. Thanks!

  12. david June 26, 2008 at 4:26 pm #

    If people start using SPF this wouldn’t happen. Also depending on the antispam product that you use you can define or set the spam score of this NDR so it’s effect is not that bad for the end user.

  13. grav June 28, 2008 at 7:42 pm #

    Can you imagine what would happen if botnets (or zombie networks) and spam teamed up? Not only would the initial millions of computers be sent spam, everybody on their list would be sent something as well. This pattern could continue exponentially! What if the email clients were compromised into downloading malicious code? It would be a bot-army of spamming computers!!!

    Just my $0.02

  14. Navin June 29, 2008 at 5:42 am #

    @ grav
    if there was something lyk tht happening widout any initial warning den it wud have disastrous results (kinda like a zero day attack) but I doubt that would happen…In real life email filters would almost instantaneously be updated and these malicious emails would be deliberately “lost-in-transit”. That’s what I feel…..

    I really liked your $0.02 BTW, it’d make a good hollywood flick

  15. Darknet June 29, 2008 at 8:16 am #

    Yeah most spam actually already comes from Botnets, it’s one of the biggest uses for compromised computers.

    It’s the reason why many mail services blacklist SMTP sends from dynamic IP pools and many ISP’s block outgoing traffic on port 25 to stop these botnets from working.

  16. Navin June 29, 2008 at 11:24 am #

    Ah…the ever so popular port 25
    I’ll never get bored reading about ways to misuse this port….I think the world of hacking would be very lonely widout this port!!

  17. grav June 30, 2008 at 6:32 pm #

    The “coolest” use of botnets is by far to cause a DOS attack.
    I don’t know where I was reading it, but a massive attack was performed on one of the former USSR countries. Hackers and botnet leaders flooded the whole infrastructure with millions upon millions of requests and crippled a whole country’s system for about a week.

    @ Navin

    Yup, I love :25 as well! Only problem is that with the recent burst of SPAM, my ISP is blocking me from connecting to any SMTP server than their own (their’s requires a password as well as a username, so it’s out of the question.)

    I’m sure that there is a work-around but I cannot find one. So far, I had just been using the telnet client with CMD to send prank mail to all my friends. I suppose one suitable workaround would be to just set up s SMTP server on your own machine and then just connect to “localhost” when you would send anonymous mail. Only thing is that your IP address would be tracked immediately. Other workarounds might include connecting to an open relay server, but those are becoming harder and harder to find…

    I suppose you could also log onto a school workstation or a library one and just use their smtp server to send mail. In general, they are more lax about protocol.

  18. Sleepy June 30, 2008 at 6:49 pm #

    I’m not so sure that’s a “cool” use of a botnet. But for the sake of learning I’ll leave my comments at that. I’m glad Darknet gives those of us interested in security a place to discuss things but posts like that sure remind me that we are not all necessarily working with the same agenda.

    Good post nonetheless grav.

  19. grav June 30, 2008 at 7:32 pm #

    Sleepy, you have made my day

    I know that you understood that I was joking when I called it cool : )

    The people that do things like that are in my opinion, royal douches

    I would not like to imagine a week without internet in my WHOLE FRICKING COUNTRY!!!

    Thank You Sleepy

  20. Navin July 1, 2008 at 9:49 am #

    Once again man, I point out the dependence of your country on the net…its absolutely amusing (while also amazingly serious) to say tht a day widout the internet and boom!!( tht’s for dramatic effect BTW), your entire system from medicine to defence to transport all comes to a grinding halt…screeeeeeeeeech!! (another dramatic effect)…Its hard to think how your country worked 3 decades ago (before the internet came into the picture)

  21. grav July 1, 2008 at 6:50 pm #

    @ Navin

    It is not only my country
    but pretty much any “modernized” country whose infrastructure is its most important sector

    I bet you have a cellphone
    I bet you watch TV (once in a while)
    I bet you drive or take same sort of public transportation
    Have you ever been on a plane?

    The internet affects everything (or just about) in the vast majority of countries

    I don’t know if you have a mall – or for that matter any big chain stores by you – but if you do, the surveillance cameras and motion detectors and the little things that beep of you run out the door without paying are all connected somehow. For most countries, having the internet inoperable in the wake of some huge DOS attack is just as crippling – if not more crippling – than having the electricity go out.

    Corporations and even some consumers have generators and can live without electricity for a while. Can people adapt to having the anarchy of a crippled infrastructure? In this case I am referring to an attack on the whole infrastructure, not just internet.

    Just my $0.02 : )

    I can imagine a life without the Internet. A while back we were moving and for 6 months could not use the Internet for technical reasons. It wasn’t that bad.

    Could I imagine what would happen if the whole country did not have internet access?

    No. I could not. It would be like trying to return to telegram after decades of the telephone.