Video Screencast Help
Security Response

Where do Bounce Messages come From?

Created: 25 Jun 2008 21:33:11 GMT • Updated: 23 Jan 2014 18:40:50 GMT
Kelly Conley's picture
0 0 Votes
Login to vote

John Doe, sitting in his office, was scrolling through email in his inbox when he noticed an email with this subject line:

Mail delivery failed: returning message to sender


John thought to himself, “Message delivery failed? Did my message to Jane get blocked?” He then proceeded to open the message and found that it was an online pharmacy spam message he had allegedly sent. John is initially puzzled because he never sent that message himself. Soon, he realizes that the message is NDR spam.

Symantec has observed a wave of non-delivery receipt (NDR) attacks over the past month. While this technique is certainly not new, a spike in volume was significant enough for us to take a deeper look. A lot of people are confused about these messages. Where do they come from? What is the purpose?

This spam type utilizes a crafty technique: rather than inserting the spam victims’ email addresses in the “To” line of the message, NDR spammers insert the addresses into the “From” line. Next, the spammer sends that message to a server with a random inbox as the destination. This message travels to the destination, only to get bounced back to the original “sender” because the mailbox does not exist. Because the “From” line has been spoofed, the spam victim receives the bounced spam message.

Some mail servers are configured to include the entire original message in the bounce. This is the desired result of the NDR spammer, because the spam victim will look at the original spam when combing through the bounce message.

The spammer is gambling on the recipient having a higher likelihood of opening this type of message, since the subject line is vague enough to not indicate obvious spam. Most people use their email accounts daily and when they see a bounce message, the natural instinct is to open it up and check to see which of the sent messages was not received. Of course, if you haven’t sent an email recently and you receive a bounce spam message in your inbox, the chances that it is NDR spam are quite likely. NDR spam appears to be the method of choice lately for spammers. The bottom line is, do not open bounce messages unless you have recently sent mail. Symantec is keeping a close eye on this current wave of NDR spam and as usual are working hard to implement measures to protect end users' email inboxes.