Updated Handling of Outbound NDR Messages

As part of our ongoing efforts to maximize deliverability for our outbound mail, we will be implementing a new policy, effective next week, by which NDR (bounce) messages – typically generated in response to spam messages sent to invalid addresses at a customer’s domain – will be directed by default to quarantine by our outbound filtering service.

This change is designed to reduce the chance of backscatter, which can lower deliverability rates by harming the reputation of our IP addresses and of our customers’ domains. Most customers – including all customers using the service in accordance with our recommendations – will be unaffected by this change.

In all cases, no action is necessary by customers.

For more detailed information on backscatter and the rare circumstances in which this can occur, please read on.

Let’s say a spammer sends a large quantity of spam messages to various email addresses at OurCustomer.com, and in so doing spoofs the supposed sending addresses of those messages, using (among other sending addresses) a From address of Jane@InnocentCompany.com.

The question is what happens when some of those spam messages are sent to invalid addresses at the recipient OurCustomer.com domain.

In most cases, our inbound filtering service will recognize that the recipient address is invalid, and will reject the message. Our service can do this in one of two ways. First, if the customer domain is configured to block messages to unknown recipients (which is our recommended configuration), we will immediately block the message to an invalid address. Second, if the domain is configured to pass messages for unknown users through unfiltered, our service will perform a recipient check: it connects to the customer’s mail server and initiates an SMTP conversation to validate that address. Assuming the customer mail server rejects that recipient address (which all correctly configured mail servers should do), we will reject messages sent to that invalid address in the envelope phase of the SMTP conversation. In both of these scenarios, no bounce message (and no backscatter) is generated.

However, there are rare scenarios in which our service will accept inbound messages for invalid recipient addresses. This can occur specifically when the customer domain is not configured to block messages to unknown users, and the customer’s mail server does not reject the invalid address during a recipient validation check (or the message is sent to multiple recipients at the customer domain, and some of the recipient addresses are valid). If the customer’s mail server subsequently rejects the message, a bounce (NDR) message is generated. If the customer is using our outbound filtering service, that NDR is sent outbound through our outbound filtering service to the original sending address.

Returning to our example above, the OurCustomer.com server would send an NDR message to the spoofed sending address, Jane@InnocentCompany.com.  This bounce message to Jane@InnocentCompany.com is known as ‘backscatter’.  In some cases even a single backscatter message sent or forwarded to a spam trap address is enough to trigger blacklisting.

Had the original spam message been blocked in the envelope phase of the SMTP conversation, the spoofed sending domain would be uninvolved, and no backscatter would have been generated.

The best way to prevent this scenario from occurring is to simply configure our service to block all messages to unknown recipients at your domain(s).  This is our recommended configuration, for many reasons, including this one.

If for some reason that cannot be done, customers should make sure that their mail server blocks messages to unknown recipients during the envelope phase of the SMTP conversation, rather than after the data phase.  Almost all mail servers handle this correctly by default, but a few mail server software packages, such as qmail, wait until the completion of the data phase to generate an error message based on an invalid recipient address.  Patches have been available to fix this problem for many years.
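One way to check this on your own mail server, as an added example that is not part of the original post or of the service's tooling: it opens an SMTP session, offers a random nonexistent mailbox in RCPT TO, and reports whether the server refuses it in the envelope phase. The function names are hypothetical, and the host and domain you pass in are assumed to be your own.

```python
import secrets
import smtplib


def assess(code):
    """Map the RCPT TO reply code for a nonexistent mailbox to a verdict."""
    if 500 <= code <= 599:
        return "envelope-reject"  # refused before DATA: no NDR, no backscatter
    if 200 <= code <= 299:
        return "accepted"         # catch-all, or rejection deferred until after DATA
    return "inconclusive"         # 4xx (e.g. greylisting) or unexpected reply; retry


def probe_unknown_rcpt(smtp, domain, sender=""):
    """Run MAIL FROM / RCPT TO for a random mailbox. DATA is never sent.

    `smtp` is a connected smtplib.SMTP (or any object with the same
    ehlo/mail/rcpt/rset methods). sender="" yields the null sender <>.
    """
    bogus = "no-such-user-%s@%s" % (secrets.token_hex(8), domain)
    smtp.ehlo()
    code, _ = smtp.mail(sender)
    if code != 250:
        # The server refused the sender, so the recipient was never tested.
        return {"rcpt": bogus, "code": code, "verdict": "inconclusive"}
    code, _ = smtp.rcpt(bogus)
    smtp.rset()  # abandon the transaction so nothing is queued
    return {"rcpt": bogus, "code": code, "verdict": assess(code)}


def check_server(host, domain, port=25, timeout=15):
    """Connect to your own MX and run the probe; QUIT is sent on exit."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        return probe_unknown_rcpt(smtp, domain)


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <your-mail-host> <your-domain>
    print(check_server(sys.argv[1], sys.argv[2]))
```

A verdict of "accepted" means the server either delivers mail for any address (catch-all) or postpones the rejection until after the data phase, which is the behaviour that produces NDRs.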

Again, no action is necessary by customers.

If you have any questions about backscatter, or whether your mail server is at risk, please don’t hesitate to get in touch with our support team.

Thanks for your attention.
