Marker Seven was recently inquired about an issue with a client's email account regarding spam email. The client's email account has seemingly been sending out spam mail, only to be bounced back into their own inbox as a delivery failure notice. However, no outgoing messages of the sort were found in the sent or in the outbox. After receiving an example delivery failure email and doing some research, Marker Seven has identified the problem and recommended a course of action to reduce the number of spam emails our client will receive in their inbox .
Marker Seven determined the problem occurring is a Reverse NDR attack, also called "backscatter spam" or "bounce spam". This particular spamming technique relies on mail servers returning messages to the sender, and involves a forged valid email address, which in this case was our client's. The forged email address is placed in the "From" field, and a fictitious address with a valid domain is placed in the "To" field. The email server of the recipient domain is not able to deliver the message because the fictitious recipient does not exist, and subsequently sends a NDR (Non-Delivery Report) email back to the supposed sender, our client. This method of spamming is ideal for spammers because it avoids most spam filters within the original recipient's server since it is coming from a valid email address. It is also a very successful spamming technique because either way the spam email arrives into an inbox—either into the original recipient's inbox or bounced back into the spoofed domain's inbox.
Some could simply disregard the spam; however, backscatter spam should not just be ignored. When dealing with huge numbers of NDR emails, which our client happens to be experiencing, their email server will eventually run out of space and valuable bandwidth will be wasted. Furthermore, the company receiving the spam mail initially could blacklist our client's email domain. After being placed on one or two blacklists, our client may eventually find they cannot send out legitimate emails.
Unfortunately, due to the way that SMTP was designed, it is very difficult to minimize, let alone solve, this spamming problem. In fact, the most effective "solution" lies with the email admin servers who are unknowingly bouncing spam messages back to the senders. However, there are a few actions our client can take in attempt to mitigate the problem.
The first possible fix is to create a SPF (Sender Policy Framework) entry in their Domain Name System. This is basically a whitelist of server IPs that are authorized to send emails from their domain, and would prevent the spammer from being able to use their domain. However, since our client's email domain is public to its employees, this approach is not the most feasible.
Another potential fix would be to create DKIM (DomainKeys Identified Mail) entry in their Domain Name System. DKIM is an email authentication method that uses public-key encryption to determine if an email is authentic. If a recipient's server also supports DKIM, the tampered emails would be detected and not bounced back. And even if the spam emails are bounced back, they would not possess the unique code the DKIM tags its outgoing emails with, and thus, would be dropped as junk mail. However, the downside to this technique is that all modified emails appear fraudulent, even if altered by a legitimate agent.
Basic anti-spam or antivirus software can help the problem, but again, can potentially block authentic NDRs.
In essence, there is no fool-proof way to stop backscatter, only several partly-successful techniques. However, the combination of many will help minimize the amount of rubbish in our client's inbox.