July 2011 IT Business Consulting Newsletter

Spammers and Your Email Account

By Tom K

You open your Email and suddenly there are 50 “Non-Delivery Reports” in your in-box!
    And they keep coming!!
        And coming!!!

You think...
* Does my PC have a virus?
* Is this bad?
* Why are they there?
* How can I stop them?

Well, it might be a virus and it might not. It might be bad, or it might just be a temporary nuisance.

I’ve had a number of enquiries concerning Non-Delivery Reports over the last few weeks, as the spammers seem to be kicking it up a notch.
As these newsletters are for you, I’ll push this in front of the scheduled topic to address your questions.

So, in this month’s article I explain what these Non-Delivery Reports are, why they happen, and how to determine whether their arrival is a serious concern or a temporary nuisance.

What are Non-Delivery Reports?

Non-Delivery Reports (NDRs) are an important part of the Internet mail system. Under normal conditions they advise a sender that an email they sent wasn't delivered (which has saved pretty much everyone some embarrassment). The NDR, which is issued by the intended recipient's mail server or spam filter, usually gives a reason, in text or as a code, why the email was not delivered, and usually contains information on the original email and the path it took through the mail system. Typical reasons for non-delivery are: the recipient does not exist, the address is bad, the recipient's in-box is full, or the recipient's mail system considers your email to be spam or infected.

The subject lines of NDRs, depending on the issuing mail system, can be Non-Delivery Report, Failure Notice, Delivery Status, Returned Mail, Undeliverable Mail, Undelivered Mail, Message you sent blocked, etc. These non-delivery messages are often referred to as "bounce" messages, as the bad, incorrectly addressed or spam emails are bounced back to the "sender" (per the "reply to" address – very important, as we discuss below).

Unfortunately, spammers have turned this useful mechanism into yet another aggravating aspect of spam.

Excessive Non-Delivery Reports

As mentioned, the occasional NDR / bounce message is normal, and often helpful. The concern is when the occasional turns into hundreds! I refer to this as a “Bounce Flood”. A Bounce Flood arises from one of two situations: your PC has a virus, or a spammer has spoofed your address as the “reply to” address in a spam attack.

Bounce Flood via Spoofed Email Address

Most Bounce Floods in corporate settings are due to spoofed “reply to” email addresses. In a corporate setting, all PCs should be well protected and monitored with a corporate anti-virus solution and a centralized Windows Update tool, so an infected PC should be a rarity (see the previous newsletters March 2010 “Protect Your Company from Viruses and Malware with Enterprise Anti Virus Systems” and June 2010 “Centrally Manage Microsoft Updates Across Your Enterprise”). I do, however, show you how to check for an infected PC below.

Since emails require a “reply to” address, the spammer grabs a single valid email address (presumably at random) and sticks it in the “reply to” field of his spam attack. The spam attack goes out and any device rejecting an email from the attack sends a non-delivery report to the “reply to” address. The Bounce Flood then hits the unfortunate spoofed “reply to” email account. This account now receives ALL the non-delivery messages and spam rejection notices from ALL the servers and spam filters that respond to the spam attack.

Note the Bounce Flood is not a spam attack, but is the unfortunate feedback of a spam attack.

Bounce Flood via Infected PC

An infected PC can also trigger a Bounce Flood. Some viruses will turn the PC into a spam machine. When this happens, the PC sends out spam directly, most often using its own Reply To address, so the NDRs actually come back to the offending PC.

Other viruses will turn the PC into a member of a “bot-net” where it can be controlled at the will of the “bot master”. Bot-Nets are the most prolific spam generators. If your PC is in a bot-net you will usually not get bounce messages, as the spam being sent from the bot-net usually has a spoofed Reply To address.

Spoofed Address or Infected PC?

The easiest way to tell whether your Bounce Flood is due to a spoofed email address or an infected PC is to look at a few of the Non-Delivery Reports. These reports indicate the IP address of the device that originated the spam email. While it is easy to spoof the “reply to” address, it is much more difficult to spoof the originating IP address. If you’re not sure what you’re looking at in the NDR, give me a call and I’ll show you what to look for.

In most instances, the originating IPs will be different in each NDR, indicating the attack was from multiple PCs (that evil bot-net). If this is the case, your "reply to" address has been spoofed, and it is but a nuisance. If the IP address listed is your public IP address, you’ve got a problem and should seek immediate professional help!

As mentioned, if one of your PCs is a member of a bot-net, you’ll probably never see an NDR due to this activity. The easiest way to check for internal bot-net members is to monitor for direct PC mail transmission (SMTP out) using your firewall. This is very easy to configure.

Note that if your firewall was set up properly, it should NOT be possible for an infected PC or bot-net member to send out general spam emails. We typically configure the firewall to prevent this activity.

What Can You Do for Relief?

If you are a victim of a Bounce Flood, you can create a rule in Outlook to deliver all bounce messages to a specific folder (a new "bounce" folder) rather than your In-Box, based on key phrases contained in the subject line. You should be able to catch at least 90% of the bounce messages with 5 or 6 key phrases (Delivery Status, Returned Mail, Undeliverable Mail, Undelivered Mail, Message you sent blocked, etc.). Note that if you create this rule, you will also filter out any valid bounce messages you may receive, so if you proceed you should monitor the bounce folder and remove the rule when the Bounce Flood subsides.
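As an added illustration (not part of the original newsletter), the Python below does in code what the Outlook rule and the NDR inspection above do by hand: it routes messages whose subject carries one of the bounce phrases into a bounce folder, pulls the originating IP from the Received headers quoted in each NDR, and compares those IPs against your own public IP. The message texts and all IP addresses are constructed samples.

```python
import re
from email import message_from_string

# Subject phrases the article lists; an Outlook rule would use the same ones.
BOUNCE_PHRASES = ("non-delivery report", "failure notice", "delivery status",
                  "returned mail", "undeliverable mail", "undelivered mail",
                  "message you sent blocked")
# Bracketed IP in a "Received: from host [a.b.c.d]" header line.
RECEIVED_IP = re.compile(r"^Received: from .*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.M | re.I)

def is_bounce(subject):
    """The Outlook rule: route anything whose subject carries a bounce phrase."""
    s = subject.lower()
    return any(p in s for p in BOUNCE_PHRASES)

def originating_ip(ndr_body):
    """NDRs quote the original message's headers. Received lines are stacked
    newest-first, so the LAST one names the host that actually sent the spam."""
    ips = RECEIVED_IP.findall(ndr_body)
    return ips[-1] if ips else None

def triage(raw_messages, my_public_ip):
    """Split mail into inbox vs bounce folder, then diagnose the Bounce Flood."""
    inbox, bounces = [], []
    for raw in raw_messages:
        msg = message_from_string(raw)
        (bounces if is_bounce(msg.get("Subject", "")) else inbox).append(msg)
    ips = {originating_ip(m.get_payload()) for m in bounces} - {None}
    if my_public_ip in ips:
        verdict = "infected PC: our own public IP originated the spam"
    elif len(ips) > 1:
        verdict = "spoofed reply-to: many different originating IPs (bot-net)"
    else:
        verdict = "inconclusive: too few NDRs to judge"
    return inbox, bounces, sorted(ips), verdict

# Constructed sample mail (RFC 5737 documentation addresses, not real hosts).
SAMPLES = [
"Subject: Undeliverable Mail\nFrom: postmaster@example.net\n\nUser unknown.\n"
"Received: from mx.example.net (mx.example.net [198.51.100.7])\n"
"Received: from unknown (HELO pc) [203.0.113.45]\nSubject: Cheap watches\n",
"Subject: Delivery Status Notification (Failure)\nFrom: mailer-daemon@example.org\n\n"
"Received: from relay.example.org ([198.51.100.9])\n"
"Received: from dsl-pool.example ([203.0.113.200])\nSubject: Cheap watches\n",
"Subject: Re: Tuesday meeting\nFrom: colleague@example.com\n\nSee you at 10.\n",
]

if __name__ == "__main__":
    inbox, bounces, ips, verdict = triage(SAMPLES, "192.0.2.10")
    print(len(inbox), "to inbox,", len(bounces), "to bounce folder;", ips, verdict)
```

With the constructed samples, one message stays in the inbox, two land in the bounce folder, and the two differing originating IPs point to a spoofed address rather than an infected PC.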

Our experience with Bounce Floods indicates that the number of bounce messages is reduced over a short time as the spam sending IP addresses are identified due to volume. Then after a few days the bounce messages just stop, presumably when the contract for the bot-net that is performing the spam attack expires. In one very typical case, the user’s In-Box received 96 bounces on day one, 42 on day two, and 15 on day three, after which the bounce flood subsided.

Long Term Relief

There may be long-term relief in the future. Those who write the rules for the Internet are working on a new protocol that compares the sending mail domain, the IP address registered to that domain, and the mail header information to ensure everything agrees before accepting mail, which would make spoofing a "reply to" address impossible. Two systems are in use (in their infancy), but both depend on wide acceptance, as both must be implemented on the sending mail system and the receiving mail system to be effective. We have been researching and experimenting with what looks like the “more likely to gain acceptance” solution, and will keep you apprised.

As always, if you have any questions or comments concerning this article, I’d be happy to discuss them with you at your convenience. Feel free to contact me at TomK@TomKConsulting.com, or via my cell 443.310.5110.

Next month I’ll shift back to the promised discussion of VPNs (Virtual Private Networks). These gems allow you to connect remote offices securely and inexpensively, and enable your staff to work remotely from anywhere. See "Virtual Private Networks (VPNs) – a key Business Enabler".