Non-delivery report (NDR) backscatter refers to bounce messages that users receive for emails they never sent. It is caused by spammers forging the victim’s address as the sender of their messages so that the messages appear to come from that person. When one of those messages is addressed to a nonexistent recipient, the recipient’s mail server returns a bounce notification to the forged sender address, and the real owner of that address receives it. Note that bounces are sent to the envelope sender (the SMTP MAIL FROM address, recorded as Return-Path), which a spammer forges independently of the From header the reader sees.
Think of NDR backscatter as a letter you supposedly mailed to someone who no longer lives at the street address on the envelope. The post office returns it to the sender named on the envelope, that is, you. That means someone (maybe a fraudster soliciting donations) is pretending to be you. Using your address lets them hide their real identity if a victim, or someone tricked into donating, files a complaint and an investigation follows.
While most email accounts receive little NDR backscatter, some receive a great deal. A flood of bounces can also make the owner of the forged address or domain a suspect in an investigation of the spam run, even though they sent nothing.
What Causes NDR Backscatter?
Before answering this question, we first need to understand a mail server’s possible responses to unwanted mail: reject, drop, quarantine, and bounce.
- Reject: The recipient mail server refuses the message during the SMTP transaction, while the sending server is still connected (for example, with a 550 response to RCPT TO or after DATA). Because the message was never accepted, a legitimate sending server reports the failure to its own user, a spam bot simply moves on, and no new message is generated toward the forged address.
- Drop: The recipient mail server accepts the entire message. If it later turns out to be spam or malicious, the message is deleted silently, with no notification to anyone.
- Quarantine: The recipient mail server accepts the entire message. If it later turns out to be spam or malicious, it is quarantined or placed in the Junk or Spam folder and eventually deleted automatically.
- Bounce: The recipient mail server accepts the entire message. If it later turns out to be spam or addressed to a nonexistent mailbox, the server generates a bounce message (a delivery status notification) to the envelope sender, telling them delivery failed. Because the original SMTP session is already closed, this is the only way the server can report the failure, and it has no way to verify that the envelope sender is genuine.
Now we can answer the question. NDR backscatter occurs when the recipient mail server uses the bounce method (accept first, check later). The bounce goes to the envelope sender, so the owner of the forged address receives a failure report for a message they never sent. A server that rejects during the SMTP transaction never produces backscatter, because a message it refuses is never accepted and therefore never bounced.
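The difference between the two policies is easiest to see in the SMTP exchange itself. The following is an added example, not code from the original page: a toy model of one transaction in which the receiving server either validates the recipient at RCPT TO while the sender is still connected, or accepts the message and bounces it afterwards. The mailbox list, addresses and reply strings are constructed for illustration, and the same in-session check is what “rejecting spam during the SMTP transaction” refers to further down the page.

```python
"""Added example, not from the original page: a toy model of one SMTP
transaction contrasting 'reject while connected' with 'accept, then bounce'.
The mailbox list, addresses and reply strings are constructed; no real
server is involved."""

from dataclasses import dataclass, field
from typing import Optional

# Constructed: the only mailbox the receiving server knows about.
KNOWN_MAILBOXES = {"alice@example.net"}


@dataclass
class Outcome:
    replies: list = field(default_factory=list)   # SMTP replies the sender saw, in order
    accepted: bool = False                         # did the server take responsibility?
    bounces: list = field(default_factory=list)   # DSNs the receiving server generated


def run_transaction(envelope_from: str, rcpt_to: str, header_from: str,
                    reject_at_rcpt: bool) -> Outcome:
    """Simulate MAIL FROM / RCPT TO / DATA against the receiving server.

    envelope_from: SMTP MAIL FROM (becomes Return-Path); "" is the null
                   sender <> that bounces themselves use.
    header_from:   the From: header inside the message. The reader sees it,
                   but it plays NO part in where a bounce goes.
    reject_at_rcpt: True  -> validate the recipient while still connected;
                    False -> accept everything and bounce failures afterwards.
    """
    out = Outcome()
    out.replies.append("250 2.1.0 Ok")                      # MAIL FROM accepted
    exists = rcpt_to.lower() in KNOWN_MAILBOXES

    if reject_at_rcpt and not exists:
        # Policy 1: refuse the recipient in-session. A legitimate sender
        # reports this 550 to its own user; a spam bot just moves on.
        out.replies.append("550 5.1.1 User unknown")
        return out                        # nothing accepted -> nothing to bounce

    out.replies += ["250 2.1.5 Ok",
                    "354 End data with <CR><LF>.<CR><LF>",
                    "250 2.0.0 Ok: queued"]
    out.accepted = True

    if not exists and envelope_from:      # never bounce a bounce: <> gets no DSN
        # Policy 2: the session is closed, so the only way to report the
        # failure is a new message to the envelope sender. If that address
        # was forged, this message is backscatter.
        out.bounces.append({
            "to": envelope_from,          # the Return-Path, NOT header_from
            "from": "<>",
            "subject": f"Undelivered Mail Returned to Sender: {rcpt_to}",
            "quoted_from_header": header_from,   # the forged header comes along for the ride
        })
    return out


def backscatter_recipient(envelope_from: str, rcpt_to: str, header_from: str,
                          reject_at_rcpt: bool) -> Optional[str]:
    """Who, if anyone, receives an unsolicited bounce for this transaction."""
    out = run_transaction(envelope_from, rcpt_to, header_from, reject_at_rcpt)
    return out.bounces[0]["to"] if out.bounces else None


if __name__ == "__main__":
    # Constructed spam run: forged envelope sender, unrelated display From.
    for policy in (True, False):
        who = backscatter_recipient("victim@victim.example", "nobody@example.net",
                                    "CEO <ceo@bank.example>", reject_at_rcpt=policy)
        print(f"reject_at_rcpt={policy}: backscatter to {who}")
```

Run stand-alone, the script shows that with in-session rejection nobody receives a bounce, while with accept-then-bounce the forged envelope sender does. The `header_from` argument is deliberately ignored by the routing logic: that is the point a lot of users miss when they ask why a bounce arrived for a message whose visible From line was someone else entirely.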
How Can Users Avoid Getting NDR Backscatter?
General best practices against malware and spam reduce the chance that an address is harvested or an account is compromised, which in turn reduces exposure to NDR backscatter. These include:
- Using a spam filter: A filter classifies incoming emails against specific criteria. Administrators can configure their Simple Mail Transfer Protocol (SMTP) servers to apply anti-spam checks automatically.
- Never clicking suspicious links: Spam commonly carries links that combine a well-known brand name with unnecessary, seemingly random alphanumeric strings. The safest habit is not to open unexpected messages from senders you don’t know at all.
- Keeping employee and customer email addresses private: Much like street addresses, email addresses are personal data. Publishing them (on websites, in marketing lists, or in mass mailings with visible recipients) makes them easy to harvest and forge, so share them only with the owner’s consent and only where necessary.
- Enabling HTTPS for webmail: HTTPS encrypts the session between the browser and the mail service, protecting credentials and session cookies from interception on the network. It does not stop a third party from forging your address in their own messages; its value here is preventing account takeover, not spoofing as such.
- Using strong passwords: In some cases, cybercriminals obtain access to other people’s email accounts by guessing their passwords. That lets them send spam from the compromised accounts, and the resulting bounces land in the victim’s mailbox as well.
More specific anti-NDR backscatter techniques, meanwhile, include:
- Rejecting spam during the SMTP transaction: Administrators can configure their mail servers to perform several checks while the sending server is still connected. These include recipient validation (refusing RCPT TO for addresses that don’t exist, with a 5xx response), anti-forgery checks such as SPF on the envelope sender, checking the sending host and envelope sender against blocklists, and more. Anything refused at this stage is never accepted, so the server has nothing to bounce.
- Filtering NDR backscatter: Some spam filtering systems can detect incoming backscatter, for example bounces that quote a message the server never sent, and reject or quarantine it. Quarantined bounces go to the Junk or Spam folder and are later deleted.
- Detecting fake bounce messages: Administrators can deploy Bounce Address Tag Validation (BATV), which rewrites the envelope sender of outgoing mail to include a signed, expiring tag (the prvs= form). Because genuine bounces are addressed to the envelope sender, any bounce that arrives for an untagged address, or carries an invalid or expired tag, cannot be a response to mail the domain actually sent and can be rejected reliably.
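To make the BATV point concrete, here is an added example, not code from the original page or from any particular mail product: a minimal signer and checker for the prvs= address form. It rewrites an outgoing envelope sender into prvs=KDDDSSSSSS=user@domain, where K is a key number, DDD is the expiry day modulo 1000 and SSSSSS is a truncated HMAC over those values and the address, and it then judges whether an incoming null-sender message could be a genuine bounce. The secret key, addresses and day numbers are constructed for illustration.

```python
"""Added example, not from the original page: a minimal Bounce Address Tag
Validation (BATV) signer and checker using the prvs= address form.  The
secret key, addresses and day numbers are constructed for illustration; a
real deployment keeps the key in the MTA configuration, rewrites MAIL FROM
on outbound mail and checks RCPT TO on inbound null-sender mail."""

import hashlib
import hmac
import re
from datetime import date
from typing import Optional, Tuple

SECRET = b"constructed-site-secret"   # constructed; rotate it and bump KEY_ID
KEY_ID = "0"                          # single-digit key number (K)
VALID_DAYS = 7                        # how long a tagged return path stays valid

# prvs=KDDDSSSSSS=local@domain  (K = key id, DDD = expiry day mod 1000,
# SSSSSS = first six hex digits of an HMAC over K, DDD and the address)
PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-fA-F]{6})=(.+@.+)$")


def _signature(key_id: str, ddd: str, address: str) -> str:
    msg = f"{key_id}{ddd}{address.lower()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha1).hexdigest()[:6]


def tag_sender(address: str, today: Optional[int] = None) -> str:
    """Rewrite the envelope sender user@domain to its prvs-tagged form.
    `today` is a day number (date.toordinal()); defaults to the real date."""
    today = date.today().toordinal() if today is None else today
    ddd = f"{(today + VALID_DAYS) % 1000:03d}"          # expiry day, last 3 digits
    local, domain = address.rsplit("@", 1)
    return f"prvs={KEY_ID}{ddd}{_signature(KEY_ID, ddd, address)}={local}@{domain}"


def check_bounce_recipient(rcpt: str, today: Optional[int] = None) -> Tuple[bool, str]:
    """Decide whether a null-sender (MAIL FROM:<>) message addressed to
    `rcpt` can be a genuine bounce of mail this domain sent.
    Returns (accept, reason)."""
    today = date.today().toordinal() if today is None else today
    m = PRVS_RE.match(rcpt)
    if not m:
        return False, "untagged address: we never send with this return path"
    key_id, ddd, sig, original = m.groups()
    if key_id != KEY_ID:
        return False, "unknown key id"
    if not hmac.compare_digest(sig.lower(), _signature(key_id, ddd, original)):
        return False, "bad signature: address or expiry was altered"
    # DDD is only the last three digits of the expiry day, so compare modulo 1000.
    days_left = (int(ddd) - today % 1000) % 1000
    if days_left > VALID_DAYS:
        return False, "tag expired"
    return True, "valid tag"


if __name__ == "__main__":
    day = date.today().toordinal()
    tagged = tag_sender("alice@example.net", day)
    print("outbound MAIL FROM:", tagged)
    # Constructed inbound bounces: one genuine, one aimed at the bare address.
    for rcpt in (tagged, "alice@example.net"):
        print(rcpt, "->", check_bounce_recipient(rcpt, day))
```

The check only applies to messages with an empty envelope sender, which is what every standards-conforming bounce uses; ordinary mail to alice@example.net is untouched. Keep VALID_DAYS short so that a spammer who observes a tagged address in a legitimate message cannot reuse it for long, and rotate SECRET with a new KEY_ID rather than silently, so that bounces for mail sent just before the rotation still validate.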
While most of today’s operating systems, mail services, email filters, and antimalware solutions already protect reasonably well against NDR backscatter, enabling additional measures such as those above helps, too.