Bounce backs and error codes for email can be very mysterious and misleading. To help with that we have started a new series on the blog dedicated to demystifying these occurrences. To read all of the blogs in this series, go here.

In our continuing blog series about bounce backs and error codes we wanted to talk about NDR Spam or Backscatter Spam. As we all know, spammers are tricky devils and they spend the majority of their time learning to adapt and circumvent email defense systems. One example that demonstrates the type of adaptability that Email Security professionals have to deal with is Backscatter spam. As an operator of a legitimate email server, one of the things your server does to be helpful to other servers is generate email containing error messages when messages encounter problems. For example if somebody sends you an email to an address that doesn’t exist, it is helpful for your server to send the original sender a Non-Delivery Report (NDR) notification to let them know that their message wasn’t delivered.

Unfortunately spammers can exploit this feature by creating a message with a forged Sender (From: field) so that it will reach their intended target. They then send this message to an email address they know doesn’t exist on your server in your domain. Your server kindly sends back a notification to the person it thought sent the message. In fact you just delivered the message for the spammer from your server and IP address which they most likely trust. This type of spam is difficult to detect and block because it is technically a legitimate notification.

The solution to eradicate this type of spam is to perform the test to see if the user exists during the SMTP conversation. By doing that, your server is never actually accepting the message from the sender and therefore need not generate a notification message. The sending server with a legitimate message for a non-existent address is then responsible for notifying it’s own user of the failure.

How to Handle Non-Delivery Reports
With Exchange servers, non-delivery reports (NDRs) are enabled. You can disable them by using Exchange System Manager. You can also specify who can receive copies of NDRs.

To disable NDRs in Exchange 2003, follow these steps:

1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. Expand the Global Settings container in the left pane, click Internet Message Formats, right-click the Default object, and then click Properties.
3. Click the Advanced tab.
4. Click to clear the Allow non-delivery reports check box, and then click OK.

To specify who can receive copies of NDRs, follow these steps:

1. Under Administrative Groups, expand First Administrative Group, expand Servers, expand server name, expand Protocols, expand SMTP, and then open the Default SMTP Virtual Server properties.
2. Click the Messages tab, and then add an address to the Send copy of non-delivery report to field.
3. Stop, and then restart the MS Exchange Routing Engine and SMTP services.

“Lock Down”
Another method to ensure that your server is not helping created Backscatter spam is to have a perimeter Lock Down in place. This will protect your entire network and company by using a Perimeter Defense Email system that will protect spam and viruses from ever reaching your network.

We highly recommend that anyone running a Business Email Server invest in an advanced heuristic spam, virus and phishing protection service, with controls featured in modern anti-spam and anti-virus products and services such as our own Spam and Virus Business Email Protection. We also include these services in our Email Hosting services.. It will pay off a thousand fold in the long run.  Most good anti-spam solutions do a reasonable job of limiting the impacts of NDR spam attacks.  But almost all still will allow a sender to try quite a few bad recipients before shutting them down.

Additional Resources:
http://support.microsoft.com/kb/294757
How to Read Email Bounces Backs and Errors

Bounce backs and error codes for email can be very mysterious and misleading. To help better understand them, we have started a new series on the blog dedicated to demystifying these occurrences. To read all of the blogs in this series please follow this link.

Have you ever received a bounce back that refers to your message as being blocked because it was considered spam? While the actual language of the bounce back or error message may vary if the error code is a 500 error, that does mean the message could not be delivered to the recipient (400/500 Email Bounce Back Errors Explained). In this particular case, we are referring to bounce backs that reference messages as being denied due to spam or IP reputation. The bounce back message itself will help identify why the message may have been denied (How to Read Email Bounce Backs and Errors); content of the message, unsolicited commercial email, or the Internet Service Provider (ISP) or email provider has a sending IP Address reputation problem (Blacklist).

Example Bounces
551 Denied for Spam
554 Service unavailable; Client host [<hostname>] blocked using Barracuda Reputation
554 Your access to this mail system has been rejected due to the sending MTA’s poor reputation
554 Denied (Mode: normal)
550 5.7.1 Message rejected as spam by Content Filtering
571 spam source blocked – psmtp

Message Content
The subject line and content of an email message are incredibly important! These two components can often lead to a spam filter flagging a message as spam and either placing the message in the recipient’s Junk Folder or worse, sending the message into a black hole never to be seen. We highly recommend taking extra time to ensure that your message has valuable content that someone would want to read and doesn’t sound too “spammy” or “salesy.”  This may seem simple, but it is amazing how often this is overlooked.

Another critical element to consider when constructing your message is that most larger Email Service Providers are using human influence in their spam scoring. This human touch is important to consider as users finally have the power to influence spam filtering. When users mark a message as spam some providers use this data to flag similar emails as spam and may add your email address, domain, or IP to a Blocked List. Sometimes the message is in fact a legitimate mailing that was requested by the end user but in the end if the recipient does not want the message in their inbox, they will often mark it as spam (The Search for the Perfect Spam Filter – October Newsletter).

Email Signatures
We have been seeing more and more issues with email signatures causing messages to be blocked. Just like the content of your message, be sure to keep your signature simple and free of extraneous information. For instance if you are recommending an outside company’s URL, make sure they are not Blacklisted and that they don’t have domain reputation problems. If certain messages are not getting through your recipient’s spam filter, make sure your signature is as clean as possible. You may also consider removing any images in your signature as well as that is a tactic that spammers will often use.

Explicit Blocked List
Another way that you could receive this bounce back message is if your email address or domain has been added to an explicit block list. This means that someone adjusted their spam filters to specifically block messages from your email address or domain. Unfortunately there is not much you can do in this case other than reach out to the recipient by other means to ask if they will consider removing the block. However, if they took the time to adjust the filters they usually have a reason for it.

Blacklist
If your company gets Blacklisted it could cause major trouble for your business and slow down your communication with current customers, prospects and in general, the outside world. A Blacklist, also known as a Real Time Blacklist (RBLs) is a list of problematic IP Addresses that are compiled by organizations monitoring spam on the Internet. There are many such organizations ranging from one person tinkering in their free time to large multinational corporations. MxToolBox provides a Free Blacklist Lookup Tool that will check an IP Address aggainst over 100 different blacklists. We do not control nor are we affiliated with any of the organizations running the lists; the tool simply performs a search against each list and aggregates the data into one result. Without such a tool in place, you would need to go to the website for each list and manually search for yourself. There are many reasons an IP Address may end up on a Blacklist.  More often that not it’s because the administrators controlling it have not taken appropriate steps to secure their email infrastructure or the network has workstations that have been compromised by spammers, hackers, or virus propagators.

Bounce messages are all very different and may contain different language but if they contain wording like Denied, Spam, and the like, it means they were more than likely blocked due to one of the issues listed above. Ensuring that your messages are clean, simple and desirable to the recipient will go a long way to making sure your message reaches the recipient.

Taking the time to ensure that your messages get delivered is incredibly important, take the extra step and get advanced, real-time monitoring of your server against blacklists, as well as availability and performance. Please visit our website to learn more – MxWatch Monitoring – Email | Website | Network.

Additional Resources
400/500 Email Bounce Back Errors Explained
How to Read Email Bounce Backs and Errors
What Blackslists Are & How MxToolBox Helps