
iHwy Hosting Blog

Musings about our hosting services and the applications we touch each day.

We've observed an end to the previous NDR storm, but continue to see some spammers falsifying the "From" address of their spam messages, resulting in some users receiving a number of bounce messages for messages they didn't send.

What is an NDR?

A non-delivery receipt (NDR) is a message that a mail server sends to notify the sender when a problem occurs with delivery.

For example, if you type a recipient's address incorrectly, the receiving server might send you a message that looks similar to this: 

Undelivered Mail Returned to Sender  
Your message did not reach some or all of the intended recipients.
Subject: Report update
The following recipient(s) could not be reached:
webmmaster@yourcompany.com on 05/15/2008 08:09 PM
The e-mail account does not exist at the organization this message was sent to. Check the e-mail address, or contact the recipient directly to find out the correct address. 


Types of normal NDR messages include:
 
  • User unknown: The recipient's address doesn't exist on the receiving server, and the message is bounced
  • Server resources are unavailable; for example, the recipient's mailbox is full
  • Auto-reply vacation or out-of-office messages
  • Auto-reply list server or mailing list responses 

NDR spam: Why am I receiving an NDR for a message I didn’t send?

NDRs are a normal part of email exchanges, but spammers' activities can cause spikes in NDR activity. Spammers send junk messages to thousands of email addresses, some of which exist and some of which do not. To give the appearance that their messages are legitimate, spammers use a practice called "spoofing," whereby they manipulate the "From" address to use a real domain or sender.
 
When a spammer sends email to an invalid address, the receiving mail server sends an NDR message to the "From" address, rather than to the actual sending server. Because spammers spoof common addresses, such as sales or info of well-known companies, these NDRs may be destined for your mail server.



The good news is that your message security service recognizes the spam content in an NDR, and blocks large numbers of these messages so they never reach your mail server.
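One way a mail administrator can tell a bounce for mail they really sent from the NDR spam described above, shown as an added example that is not part of the original post and not the filtering service's own logic. It assumes the outbound server logs the Message-ID of everything it sends (`SENT_IDS`) and that the remote server returns the original headers in a standard `multipart/report` NDR; all addresses and IDs are constructed.

```python
from email import message_from_string

# Constructed data: Message-IDs logged by our own outbound server (assumption).
SENT_IDS = {"<20080515.1001@yourcompany.com>"}

# Constructed NDR in multipart/report layout; {mid} is the bounced message's ID.
NDR_TEMPLATE = """\
From: MAILER-DAEMON@mx.example.net
To: info@yourcompany.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The e-mail account does not exist at the organization this message was sent to.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; webmmaster@example.net
Action: failed
Status: 5.1.1
--b1
Content-Type: text/rfc822-headers

From: info@yourcompany.com
Message-ID: {mid}

--b1--
"""

def original_message_id(ndr):
    """Return the Message-ID of the bounced message carried inside the NDR."""
    for part in ndr.walk():
        if part.get_content_type() == "text/rfc822-headers":
            return message_from_string(part.get_payload())["Message-ID"]
    return None

def classify(raw, sent_ids=SENT_IDS):
    """Label a bounce by whether it refers to mail we actually sent."""
    ndr = message_from_string(raw)
    if ndr.get_content_type() != "multipart/report":
        return "not-a-dsn"
    mid = original_message_id(ndr)
    if mid is None:
        return "unverifiable"
    return "genuine-bounce" if mid in sent_ids else "backscatter"
```

Both sample bounces carry the same "From: info@yourcompany.com" header; only the Message-ID lookup separates the real bounce from the one caused by a spoofed sender.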


Following is a summary of recent email threats and trends.

Anti-Bot-net Protection: Our recently introduced advanced bot-net protection continues to perform well against the growing number of bot-net attacks. We've observed that bot-net generated spam now comprises over 20% of the spam traffic, and on April 14, a single powerful attack accounted for 46% of all spam volume.

This graph shows the actual bot-net activity patterns. Spammers try to take advantage of the reactive nature of most spam protections by attacking with maximum volume when defenses are low.

Advanced Anti-virus Heuristics: In January, we completed the release of advanced anti-virus heuristics that specifically targeted zero-hour attacks (the period of vulnerability between a new virus in the wild and release of the anti-virus signature file). If the bot-net protection identifies a suspicious message, the anti-virus heuristics also scan the message for zero-hour viruses.

We've observed a number of attacks in which the anti-virus heuristics successfully identified viruses. For example, the anti-virus heuristics identified a viral message pattern -- later identified as a new strain of the Spy Agent Downloader ( http://vil.nai.com/vil/content/v_141846.htm ) -- in the wild at 11:12 AM GMT. At 2:50 PM GMT, when the volumes had grown dramatically, we received the new virus signature file from one of the anti-virus engines. 

Filter Updates: We continue to update filters to combat spammers’ tactics. Attacks blocked include new variations of pharmaceutical and automotive scams, penny stock ploys (ZYTO Corp), and numerous phishing attacks.

Spam Traffic Trends: Spam levels continue to remain high, and April 23rd brought a record level of spam for the year, with 194 spam messages per user per day. With such high spam volume, organizations with in-house solutions require equally high capacity to handle the load. Since spikes in spam can happen overnight, we must carry precautionary -- but generally unused -- capacity to avoid a meltdown.


Email Obfuscation Tool

Posted on May 2, 2008 08:24 by Team

An often endless battle for us is the battle against SPAM. We spend a great deal of effort and resources fighting spammers and educating our users on various tools and techniques used in the war. One common method for spammers to add new email addresses is the use of special software known as mail "harvesting bots" or "harvesters", which spider web pages to obtain e-mail addresses. If your web site contains an email address that is readable by a machine in the form of <username> at <domain> then your mail address is easily picked up by email harvest software. This includes email addresses that may be embedded in hidden fields in your forms.

One method of fixing this problem is to obfuscate your email address and "mailto:" tag with encoded HTML characters. For example, this address, support@ihwy.com, works like you would expect a normal email address to work but is actually obfuscated and hidden from SPAM harvesters.

You can access this tool by going to: http://www.ihwy.com/Tools/Email-Obfuscation-Tool.aspx
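The encoding described above, together with a check for addresses still exposed in page source (including hidden form fields), as an added example that is not the code behind the tool linked above. The function names, the address pattern and the sample page are assumptions made for illustration.

```python
import html
import re

# Simple address pattern applied to raw page source (illustrative assumption).
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def to_entities(text):
    """Encode every character as an HTML entity, alternating decimal and hex."""
    return "".join(
        f"&#{ord(ch)};" if i % 2 == 0 else f"&#x{ord(ch):x};"
        for i, ch in enumerate(text)
    )

def obfuscated_link(address):
    """Build a mailto link whose scheme, address and label are entity-encoded."""
    return f'<a href="{to_entities("mailto:" + address)}">{to_entities(address)}</a>'

def addresses_in_raw_markup(markup):
    """Addresses readable in the undecoded source, i.e. still exposed."""
    return ADDRESS_RE.findall(markup)

def addresses_after_decoding(markup):
    """Addresses visible once entities are decoded, as a browser renders them."""
    return ADDRESS_RE.findall(html.unescape(markup))

# Constructed sample page: a plain link, a hidden form field, an encoded link.
SAMPLE_PAGE = (
    '<a href="mailto:sales@example.com">Sales</a>\n'
    '<input type="hidden" name="recipient" value="forms@example.com">\n'
    + obfuscated_link("support@ihwy.com")
)

if __name__ == "__main__":
    print("exposed in source:", addresses_in_raw_markup(SAMPLE_PAGE))
    print("rendered to visitors:", addresses_after_decoding(SAMPLE_PAGE))
```

The encoded link still works for visitors because the browser decodes the entities; the protection applies only to pattern matching on the raw source.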
