Bounce Messages - NDR (Non-Delivery Receipt) ISSUE

5/19/2008

The new NDR filter was implemented for all customers.

Hereafter substantially all bounce/NDR messages will be quarantined, rather than passed through to user inboxes.

5/6/2008 Update

(Modified from 5/6/2008 Notice from Postini)

Receiving invalid NDR bounces?
You're not the only one.


May 6 2008 - Postini announced the details of an upcoming tool that Bee.Net will be able to implement to filter NDRs. This tool is scheduled for release between May 10-24 - depending on which Postini subsystem we use. However, they have not yet released the system implementation schedule.

Background: Spammers have increased their use of "spoofing" or "joe-jobbing" (falsifying the "From" address of an email) in the last few weeks, resulting in some users receiving an increased number of bounce messages for mail they did not send. Postini captures the majority of NDRs when the bouncing server preserves the original spam content.

Technical Bulletin

(modified from Bulletin received from Postini on 4/16/2008)

NDRs (Non-Delivery Receipts)

Overview

You (or your staff, or customers of IT consultants whose clients use Bee.Net's Postini services) may have noticed messages in your (their) inbox with the subject "Delivery Status Notification" or "Returned mail: user unknown" that refer to recipients you (they) don't recognize. This technical bulletin describes the messaging trends associated with these types of delivery messages, called NDRs, what can be done to reduce the volume of NDR messages now, and what Postini is working on to reduce that volume even further.

What steps can I take now?

If you, your staff, or your customers are receiving a high number of NDR messages now, please allow a few days for the issue to go away on its own. If it does not, Bee.Net may be able to help change certain settings on your (the users') Postini configuration to reduce the volume of NDR messages getting through to the inbox. Such efforts are likely to provide limited relief, however, and may result in the blocking or quarantining of NDR messages which you (they) do want to receive.

What's coming in May 2008 in NDR blocking technology?

As part of Postini's ongoing work to stop email threats, they are developing commands that will allow Bee.Net, and administrators of Postini services at Bee.Net customers who have their own mail servers, to easily turn NDR filtering on and off. This feature will filter all NDRs (both valid and spam NDRs) but not most vacation and out-of-office replies.

The new feature will be available to all of our Postini customers. It's targeted for release in May.

Here is technical information regarding NDRs which may be of interest to some of our customers and their IT staff and consultants:

What's an NDR?

A non-delivery receipt (NDR) is a message that a mail server sends to notify the sender when a problem occurs with delivery.

For example, if you type a recipient's address incorrectly, the receiving server will send you a message that looks similar to this:

------------------------------------------------------------

Undelivered Mail Returned to Sender

Your message did not reach some or all of the intended recipients.

Subject: Report update

The following recipient(s) could not be reached:

webmaster@jumboinc.com on 03/15/2008 11:09 PM

The e-mail account does not exist at the organization this message was sent to. Check the e-mail address, or contact the recipient directly to find out the correct address.

------------------------------------------------------------

Types of normal NDR messages include:

  1. User unknown: The recipient's address doesn't exist on the receiving server, and the message is bounced
  2. Server resources are unavailable; for example, the recipient's mailbox is full
  3. Auto-reply vacation or out-of-office messages
  4. Auto-reply list server or mailing list responses

NDR spam: Why am I receiving an NDR for a message I didn't send?

NDRs are a normal part of email exchanges, but spammers' activities can cause spikes in NDR activity. Spammers send junk messages to thousands of email addresses, some of which exist and some of which do not. To give the appearance that their messages are legitimate, spammers use a practice called "spoofing," whereby they manipulate the "From" address to use a real domain or sender.

When a spammer sends email to an invalid address, the receiving mail server sends an NDR message to the "From" address, rather than to the actual sending server. Because spammers spoof common addresses, such as sales or info of well-known companies, these NDRs may be destined for your mail server.

The good news is that Postini recognizes the spam content in an NDR, and blocks large numbers of these messages so they never reach your mail server.

Challenges and growth in NDR spam

NDR messages have two characteristics that can allow them to reach your inbox:

  1. Some mail servers do not follow standard protocol, sending only the header information in an NDR rather than the full content of a message. Without message content, the message security service may not be able to differentiate between an NDR generated by a spammer's message and a legitimate NDR generated by a message you sent.
  2. The mail servers that generate NDRs are legitimate senders. Therefore, blocking messages based on sender behavior would result in blocking valid email.
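The difference between a full-content NDR and a headers-only NDR, shown as an added example (not Postini's or Bee.Net's code). It parses a bounce in the standard multipart/report layout, reports which form the bouncing server returned, and, as an assumed extra check that the bulletin does not describe, compares the returned Message-ID with a log of mail the site actually sent. The domains, Message-IDs and the SENT_IDS log are constructed for illustration.

```python
import email
from email import policy

# Assumption: stand-in for an outbound mail log of Message-IDs this site really sent.
SENT_IDS = {"<20080315.1001@bee.example>"}

def build_ndr(ctype, returned):
    """Constructed multipart/report bounce; `returned` is the body of its last part."""
    return "\n".join([
        "From: MAILER-DAEMON@mx.remote.example",
        "To: sales@bee.example",
        "Subject: Undelivered Mail Returned to Sender",
        "MIME-Version: 1.0",
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"',
        "", "--b1", "Content-Type: text/plain", "",
        "The following recipient(s) could not be reached.",
        "--b1", "Content-Type: message/delivery-status", "",
        "Final-Recipient: rfc822; nobody@remote.example", "Action: failed",
        "Status: 5.1.1", "", "--b1", "Content-Type: " + ctype, "", returned, "--b1--", ""])

# Constructed samples: a full returned message we sent, and a headers-only spoof.
FULL_OURS = build_ndr("message/rfc822",
    "From: sales@bee.example\nMessage-ID: <20080315.1001@bee.example>\n"
    "Subject: Report update\n\nBody text.")
HEADERS_SPOOFED = build_ndr("text/rfc822-headers",
    "From: sales@bee.example\nMessage-ID: <abc123@bulk.invalid>\nSubject: Report update")

def inspect_ndr(raw):
    """Return (form, verdict): what the bounce returns, and whether we sent the original."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        return ("not-a-dsn", "unverifiable")
    form, original = "none", None
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":          # full original: body can be spam-scanned
            form, original = "full", part.get_payload(0)
        elif ctype == "text/rfc822-headers":   # headers only: no body left to scan
            form = "headers-only"
            original = email.message_from_string(part.get_content(), policy=policy.default)
    if original is None or original["Message-ID"] is None:
        return (form, "unverifiable")
    sent = str(original["Message-ID"]).strip() in SENT_IDS
    return (form, "genuine" if sent else "backscatter")

if __name__ == "__main__":
    for sample in (FULL_OURS, HEADERS_SPOOFED):
        print(inspect_ndr(sample))
```

A headers-only bounce leaves a content filter nothing to score, but when the returned headers still carry a Message-ID, the sent-log lookup can separate it from a bounce for mail the site really sent.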

Another challenge is that the growth in NDRs is driven by the overall growth in spam activity. The more messages spammers send, the greater the number of spam messages sent to invalid addresses, resulting in more NDRs.

Customers of Bee.Net and Postini are not any more susceptible to NDR spam than other email users. Spammers try to use legitimate domains and user names, and they may coincidentally use those of Bee.Net/Postini customers.