Where do Bounce Messages come from?

John Doe, sitting at his office, was scrolling through his inbox when he noticed this email:

Subject: Mail delivery failed: returning message to sender

John thought to himself "Message delivery failed? Did my message to Jane get blocked?" Then, he proceeded to open the message and found that it was an online pharmacy spam message he allegedly ‘sent'. John is initially puzzled because he never sent that message himself. Soon, he realizes that the message is NDR spam.

Symantec has observed a wave of Non-Delivery Receipt (NDR) attacks over last month. While this technique is certainly not new, a spike in volume was significant enough for us to take a deeper look. A lot of people are confused about these messages. Where do they come from? What is the purpose?

This spam type is a crafty technique used by some spammers. Rather than inserting the spam victims' email addresses in the ‘To' line of the message, NDR spammers insert the addresses into the ‘From' line. Next, the spammer sends that message to a server with a random inbox as the destination. This message travels to the destination, only to get bounced back to the original ‘sender' because the mailbox does not exist. Because the ‘From' line has been spoofed, the spam victim receives the bounced spam message. Some mail servers are configured to include the entire original message in the bounce. This is the desired result of the NDR spammer as the spam victim will look at the original spam when combing through the bounce message.

The spammer is gambling on the recipient having a higher likelihood of opening this type of message since the subject line is vague enough to not indicate obvious spam. Most people use their emails daily and when they see a bounce message the natural instinct is to open it up and check to see which of the sent messages was not received. Of course if you haven't sent an email recently and you receive a bounce spam in your inbox the chances that it is NDR spam are highly likely as it appears to be the spam type of choice recently for spammers. Do not open bounce messages unless you have recently sent mail.

Kelly Conley is Manager of Anti-Spam Research, Symantec Security Response