Technical Bulletin
NDRs (Non-Delivery Receipts)

Overview
What’s an NDR
NDR spam: Why am I receiving an NDR for a message I didn’t send?
Challenges and growth in NDR spam
What steps can I take now?
What’s coming next in NDR blocking technology?

Overview

You may have noticed messages in your inbox with the subject "Delivery Status Notification" or "Returned mail: user unknown" that refer to recipients you don't recognize. This technical bulletin describes the messaging trends associated with these types of delivery messages, called NDRs, and shows you how to use your message security service to reduce the volume of NDR spam.

What’s an NDR?

A non-delivery receipt (NDR) is a message that a mail server sends to notify the sender when a problem occurs with delivery. For example, if you type a recipient's address incorrectly, the receiving server will send you a message that looks similar to this:

Undelivered Mail Returned to Sender

Your message did not reach some or all of the intended recipients.

Subject: Report update

The following recipient(s) could not be reached:

[email protected] on 03/15/2008 11:09 PM
The e-mail account does not exist at the organization this message was sent to. Check the e-mail address, or contact the recipient directly to find out the correct address.


Types of normal NDR messages include:

• User unknown: The recipient's address doesn't exist on the receiving server, and the message is bounced
• Server resources are unavailable; for example, the recipient's mailbox is full
• Auto-reply vacation or out-of-office messages
• Auto-reply list server or mailing list responses

NDR spam: Why am I receiving an NDR for a message I didn’t send?

NDRs are a normal part of email exchanges, but spammers' activities can cause spikes in NDR activity. Spammers send junk messages to thousands of email addresses, some of which exist and some of which do not. To give the appearance that their messages are legitimate, spammers use a practice called "spoofing," whereby they manipulate the "From" address to use a real domain or sender. When a spammer sends email to an invalid address, the receiving mail server sends an NDR message to the "From" address, rather than to the actual sending server. Because spammers spoof common addresses, such as sales or info of well-known companies, these NDRs may be destined for your mail server.

The good news is that your message security service recognizes the spam content in an NDR, and blocks large numbers of these messages so they never reach your mail server.


Challenges and growth in NDR spam

NDR messages have two characteristics that can allow them to reach your inbox:

• Some mail servers do not follow standard protocol, sending only the header information in an NDR rather than the full content of a message. Without message content, the message security service may not be able to differentiate between an NDR generated by a spammer's message and a legitimate NDR generated by a message you sent.
• The mail servers that generate NDRs are legitimate senders. Therefore, blocking messages based on sender behavior would result in blocking valid email.

Another challenge is that the growth in NDRs is driven by the overall growth in spam activity. The more messages spammers send, the greater the number of spam messages sent to invalid addresses, resulting in more NDRs.

Customers of the message security service are not any more susceptible to NDR spam than other email users. Spammers try to use legitimate domains and user names, and they may coincidentally use those of message security customers.

What steps can I take now?

The message security service continues to block thousands of NDR spam messages every day, and at the same time, ensures that legitimate NDR notifications reach your inbox. Here's how you can use your service to further reduce the volume of invalid NDRs:


Turn on Non-Account Bouncing

If Non-Account Bouncing is on, your message security service rejects any messages addressed to recipients who don't have an account on the service. Therefore, this option helps stop invalid NDRs in two ways:

• It stops NDRs for invalid users from reaching your mail server. If an NDR is sent to a user that doesn't exist on your mail server, the message security service bounces it before your server can accept it.
• It prevents your mail server from sending out invalid NDRs itself. If the message security service receives a message addressed to an invalid user, it bounces it back to the sender, before your server can accept it and send an NDR.

Use Content Manager

If your service includes Content Manager, you have a powerful tool for blocking NDRs. Because NDRs typically contain specific words in their subject lines, you can create custom content filters that block messages containing these words. Note, however, that this type of filter—no matter how specific—can also block valid NDRs and some legitimate messages. That's why we strongly recommend that you follow a few guidelines when using filters to block NDRs:

• Use filters temporarily—that is, only when users are experiencing NDR issues. Typically, NDR "attacks" are not permanent, continuing for only a few days.
• Apply filters only to the specific users who are experiencing NDR issues. That way, other users can continue to receive valid NDRs.
• Set filters to quarantine messages instead of deleting (blackholing) them, so you can deliver any messages that were falsely quarantined.

To help you get started, we've developed a content filter that can significantly reduce the volume of NDRs your users receive. It uses a simple regular expression to look for keywords that often appear in the subject lines of NDRs. You can use it "as is" or fine-tune it as necessary, by adding or removing keywords. Here's how to set it up:

Step 1: Create New User Organization

Create a new suborganization below your user organization. This suborganization lets you use the NDR filter temporarily, and for only specific users who are experiencing NDR issues.

Step 2: Create Content Filter

In the new suborganization, go to Inbound Content Manager, and add a new content filter with the following settings:

Match: Any Rule
Select Location: Subject Line
Select Filter Type: matches regex
Value: Delivery\sStatus\sNotification|Delivery\sFailure|failure\snotice|Mail\sSystem\sError|Unzustellbar|Undeliverable|Mail\scould\snot\sbe\sdelivered|Returned\smail|Undelivered\sMail
Disposition: User Quarantine or Quarantine Redirect


Step 3: Move Users to New Organization

Move all users that are experiencing NDR issues to the suborganization in which you created the NDR content filter. Remember to move users back to the parent organization after the volume of quarantined NDRs has dropped.
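The following added example (not part of the original bulletin or the service's own code) runs the Step 2 pattern over constructed subject lines to show how the scoped, quarantine-only filter behaves, including a false positive of the kind the guidelines warn about. The addresses, the AFFECTED_USERS set and the assumption that "matches regex" is an unanchored, case-sensitive search are hypothetical.

```python
import re

# Pattern copied from the Step 2 "Value" field of the bulletin.
NDR_SUBJECT = re.compile(
    r"Delivery\sStatus\sNotification|Delivery\sFailure|failure\snotice|"
    r"Mail\sSystem\sError|Unzustellbar|Undeliverable|"
    r"Mail\scould\snot\sbe\sdelivered|Returned\smail|Undelivered\sMail"
)

# Hypothetical members of the temporary suborganization (Steps 1 and 3).
AFFECTED_USERS = {"sales@example.com", "info@example.com"}


def disposition(recipient, subject, affected=AFFECTED_USERS):
    """Return 'quarantine' or 'deliver' for one inbound message.

    Assumption: 'matches regex' behaves like an unanchored, case-sensitive
    search over the subject line; the service's own engine may differ.
    """
    if recipient.lower() in affected and NDR_SUBJECT.search(subject):
        return "quarantine"  # recoverable, unlike deletion (blackholing)
    return "deliver"


def review(messages):
    """Pair each message with its disposition so false positives stand out."""
    return [(rcpt, subj, disposition(rcpt, subj)) for rcpt, subj in messages]


# Constructed sample traffic, not taken from real mail.
SAMPLE = [
    ("sales@example.com", "Delivery Status Notification (Failure)"),
    ("sales@example.com", "Undelivered Mail Returned to Sender"),
    # Legitimate customer mail that still matches on one keyword.
    ("sales@example.com", "Re: Undeliverable parcel for order 1182"),
    # Same wording in a different case is not matched under the assumption above.
    ("sales@example.com", "DELIVERY FAILURE"),
    # User left in the parent organization keeps receiving NDRs.
    ("hr@example.com", "Returned mail: user unknown"),
]

if __name__ == "__main__":
    for rcpt, subj, result in review(SAMPLE):
        print(f"{result:10}  {rcpt:18}  {subj}")
```

Running a sample of recent subject lines through such a check before enabling the filter shows how much legitimate mail would land in quarantine for the affected users.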

What’s coming next in NDR blocking technology?

As part of our ongoing work to stop email threats, we're developing commands that will allow administrators to easily turn NDR filtering on and off. This feature will filter all NDRs (both valid and spam NDRs) but not most vacation and out-of-office replies. The new feature will be available in all message security services, including those that don't include Content Manager. It’s targeted for release in May.


Mar 15, 2008
