
How to Block NDR Spam

By: GFI
Published: Jun 03, 2008
Length: 8
Type: White Paper
Overview:

Spam generates an enormous amount of traffic that is both time-consuming to handle and resource intensive. Apart from that, a large number of organizations have been victims of NDR spam that has an effect similar to a Distributed Denial of Service on the email system.

Read this paper for a technical explanation of NDR spam and recommended solutions that can prevent or limit exposure to this kind of unsolicited email.

Related categories: Anti Spam, DDoS, Email Security, Security
 
Email systems support a service called Delivery Status Notification or DSN for short. This feature allows end users to be notified of successful or failed delivery of email messages. Examples include sending a report when email delivery has been delayed or when an email message has been successfully delivered.
A non-delivery report or NDR is a DSN message sent by the email server (mail transfer agent or MTA for short) that informs the sender that the delivery of the email message failed. While there are various events that can trigger an NDR, the most common cases are when the recipient of the message does not exist or when the destination mailbox is full. A simple email message is typically made up of a set of headers and at least one body. An example of this can be seen in figure 1. In this example, the email is sent from user1@domain1.com to user2@domain2.com. If the domain name domain2.com does not exist or does not have an email server, then the MTA at “domain1.com” will send an NDR to user1@domain1.com. When the domain name exists and the MTA at domain2.com is accepting email, the behavior is different. In this case, the domain2.com email server should check if the destination mailbox exists and is accepting emails. If this is not the case, then the MTA should reject the email message. However, many mail servers will accept any email and then bounce the email later on if the destination address does not exist.
The SMTP protocol does not support authentication of the sender address. As a result, email messages can claim to be coming from any valid email address. Spammers have long known about this and tend to make use of fake addresses when sending their bulk mail. Since successful spam relies on targeting the largest number of clients possible, spammers tend to have large lists of email addresses. Some of the email addresses in their list might not exist or may have been disabled. In many of these cases, the mail server handling the nonexistent email address sends an NDR to the faked sender address in the original email. If that address belongs to a real user, that user ends up receiving the non-delivery reports. Since the emails sent out by the spammer tend to be in large numbers, thousands of NDRs may end up in the victim's mailbox. The resulting emails are known as NDR spam or backscatter, and an example is illustrated in figure 3.
Many mail servers are known to block email coming from non-existent domain names. Therefore spammers spoof email addresses which have valid working domain names to bypass this simple check. The result is that the victim MTA handling the email address that was faked by the spammers will receive a large number of NDR messages. These email messages can be difficult to block as it is not straightforward to distinguish between a legitimate NDR and one generated by spam.
It is unlikely that spammers use this method to guarantee delivery of the spam message, especially when the address being hit with NDRs is receiving hundreds of emails in a short time. Apart from this, the presentation of the spam message is degraded, since the message can be truncated or appear as an attachment, so it is less likely to be read. An example of an NDR spam email message can be seen in figure 4.
If you are responsible for a network that is a victim of NDR spam or backscatter, there are only a few preventive measures that you can take. One of the more straightforward solutions is to turn off your catchall mailboxes. When this feature is disabled, unless the spammer spoofs an email address that actually exists on your server, your mail server will not be accepting non-delivery reports for email addresses which do not exist on your mail server.
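The paper notes that a legitimate NDR is hard to tell apart from backscatter. One defensive check a mail gateway can apply, as an added example that is not part of GFI's paper or product, is to look at the original message that an NDR quotes back (the message/rfc822 or text/rfc822-headers part of the multipart/report) and verify that it actually originated at your own MTA. The domain name domain1.com, the Message-ID values, the sample bounces and the optional set of logged outbound Message-IDs are all constructed for this example.

```python
import email
from email import policy

OUR_DOMAIN = "domain1.com"   # assumption: the domain whose addresses are being spoofed

def embedded_original(dsn):
    """Return the original message quoted inside a DSN, or None if none is attached."""
    for part in dsn.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":          # full original message attached
            return part.get_payload()[0]
        if ctype == "text/rfc822-headers":     # only the original headers attached
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def classify_ndr(raw, sent_message_ids=frozenset()):
    """'legitimate' if the bounced message demonstrably left our MTA, 'backscatter'
    if it did not, 'not-dsn' for any message that is not a delivery report."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        return "not-dsn"
    orig = embedded_original(msg)
    if orig is None:
        return "backscatter"   # policy choice: a bounce we cannot verify is treated as spam
    msgid = (orig.get("Message-ID") or "").strip("<> ")
    if msgid in sent_message_ids:   # strongest check: the ID was logged when we sent it
        return "legitimate"
    # weaker heuristic: the Message-ID is minted by the originating MTA, and a forged
    # From: header rarely arrives with a Message-ID in our own domain
    if msgid.rpartition("@")[2].lower() == OUR_DOMAIN:
        return "legitimate"
    return "backscatter"

def make_dsn(orig_from, orig_msgid):
    """Constructed sample DSN (multipart/report) quoting an original message."""
    return (
        "From: MAILER-DAEMON@domain2.com\nTo: user1@domain1.com\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nMailbox user2@domain2.com is full.\n"
        "--b1\nContent-Type: message/delivery-status\n\nReporting-MTA: dns; mx.domain2.com\n\n"
        "Final-Recipient: rfc822; user2@domain2.com\nAction: failed\nStatus: 5.2.2\n"
        f"--b1\nContent-Type: message/rfc822\n\nFrom: {orig_from}\nTo: user2@domain2.com\n"
        f"Message-ID: <{orig_msgid}>\nSubject: hello\n\nbody\n--b1--\n"
    )

# constructed inputs: a genuine bounce of our own mail, and backscatter from a forged sender
REAL_BOUNCE = make_dsn("user1@domain1.com", "20080603.1@domain1.com")
BACKSCATTER = make_dsn("user1@domain1.com", "xyz@spambot.example")
```

A spammer who forges both the From address and a Message-ID in your domain defeats the heuristic, which is why the logged-ID check takes precedence when the outbound log is available.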