Bounce backs and error codes for email can be very mysterious and misleading. To help with that we have started a new series on the blog dedicated to demystifying these occurrences. To read all of the blogs in this series, go here.

In our continuing blog series about bounce backs and error codes we wanted to talk about NDR Spam or Backscatter Spam. As we all know, spammers are tricky devils and they spend the majority of their time learning to adapt and circumvent email defense systems. One example that demonstrates the type of adaptability that Email Security professionals have to deal with is Backscatter spam. As an operator of a legitimate email server, one of the things your server does to be helpful to other servers is generate email containing error messages when messages encounter problems. For example if somebody sends you an email to an address that doesn’t exist, it is helpful for your server to send the original sender a Non-Delivery Report (NDR) notification to let them know that their message wasn’t delivered.

Unfortunately spammers can exploit this feature by creating a message with a forged Sender (From: field) so that it will reach their intended target. They then send this message to an email address they know doesn’t exist on your server in your domain. Your server kindly sends back a notification to the person it thought sent the message. In fact you just delivered the message for the spammer from your server and IP address which they most likely trust. This type of spam is difficult to detect and block because it is technically a legitimate notification.

The solution to eradicate this type of spam is to perform the test to see if the user exists during the SMTP conversation. By doing that, your server is never actually accepting the message from the sender and therefore need not generate a notification message. The sending server with a legitimate message for a non-existent address is then responsible for notifying it’s own user of the failure.

How to Handle Non-Delivery Reports
With Exchange servers, non-delivery reports (NDRs) are enabled. You can disable them by using Exchange System Manager. You can also specify who can receive copies of NDRs.

To disable NDRs in Exchange 2003, follow these steps:

1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. Expand the Global Settings container in the left pane, click Internet Message Formats, right-click the Default object, and then click Properties.
3. Click the Advanced tab.
4. Click to clear the Allow non-delivery reports check box, and then click OK.

To specify who can receive copies of NDRs, follow these steps:

1. Under Administrative Groups, expand First Administrative Group, expand Servers, expand server name, expand Protocols, expand SMTP, and then open the Default SMTP Virtual Server properties.
2. Click the Messages tab, and then add an address to the Send copy of non-delivery report to field.
3. Stop, and then restart the MS Exchange Routing Engine and SMTP services.

“Lock Down”
Another method to ensure that your server is not helping created Backscatter spam is to have a perimeter Lock Down in place. This will protect your entire network and company by using a Perimeter Defense Email system that will protect spam and viruses from ever reaching your network.

We highly recommend that anyone running a Business Email Server invest in an advanced heuristic spam, virus and phishing protection service, with controls featured in modern anti-spam and anti-virus products and services such as our own Spam and Virus Business Email Protection. We also include these services in our Email Hosting services.. It will pay off a thousand fold in the long run.  Most good anti-spam solutions do a reasonable job of limiting the impacts of NDR spam attacks.  But almost all still will allow a sender to try quite a few bad recipients before shutting them down.

Additional Resources:
http://support.microsoft.com/kb/294757
How to Read Email Bounces Backs and Errors