NDR SPAM

Apr 16, 2008 | mail, security, spam | 0 comments

I’ve gotten several calls recently about an odd type of spam attack that also happened to me a few days ago.

As other clients had reported, I began getting “non-delivery reports” – messages from mail servers all over the world that messages from me had not been delivered. Typically the sender is “System Administrator” or the like. Of course, I hadn’t sent any such messages.

In the next hour or two, similar messages started coming in faster and faster until they were arriving every minute or two.

They tapered off after a while and stopped in a couple of days.

If you’re running current antivirus software, chances are good that you don’t have a virus and nothing is originating from your computer. These messages are yet another attempt to get through your spam filter. It works this way:

  • The spammer finds an email server that sends NDRs when a message arrives that does not match anyone in the company. The mail server for @fictitiouscompany.com might take a message for john@fictitiouscompany.com, but would send an NDR if a message arrives for oswaldrabbit@fictitiouscompany.com.
  • The spammer decides to send you spam. Presumably you and a million others, but you’re the most special, right?
  • The spammer sends his spam to fictitiouscompany.com. He shows your email address as the sender and intentionally sends it to a bad email address that doesn’t exist on the fictitiouscompany.com server.
  • Since the server is sending NDRs, it does as it’s told and sends a message to you that the message wasn’t delivered.
  • Here’s the trick – the original email (the spam) is usually attached to the NDR. Voila! The spammer has bypassed your spam filter and you have his spam.

Very few people will open the attachment to a non-delivery report, and fewer still will respond to it or click on a link in it, but spammers are working on volume. They only need a very, very small number of people to respond for their scheme to work.

This is nothing new. I don’t know why it’s happening in volume all of a sudden. There’s an easy workaround if it happens to you while you’re using Outlook: create a rule that deletes all messages with “undeliverable” in the subject line.

My clients running Small Business Server are not contributing to this problem – I’ve turned on recipient filtering in Exchange Server. If a message arrives that is not addressed to an active mailbox, the message is dropped with no notice to the sender. More and more servers worldwide are being set up that way but there will always be some servers for the spammers to exploit.

Submit a Comment

Your email address will not be published. Required fields are marked *

Share This