Getting bounces about e-mail that you didn't send?

You may have a virus if you didn't send out a bulk e-mail campaign in the middle of the night but checked your inbox in the morning and found a lot of bounce messages with subject lines like "failure notice", "Delivery Status Notification (Failure)", "Mail delivery failed: returning message to sender", "Undeliverable mail:", etc. These messages may also include vacation notices and challenges from challenge-response systems, such as "Please click here or reply to this message to prove you're a human."

Do you have a virus?

When users get a lot of delivery status notifications for e-mail that they didn't send, often the first concern is that they have a virus problem on their network. However, more than likely you are simply the victim of e-mail address forgery. SpamStopsHere has been seeing a huge increase in incidents of this type of forgery. Spammers don't use their own e-mail address when sending spam, because they don't want the replies. Many recipient e-mail servers do verification checks on the sender's e-mail address, so spammers want to send their e-mail from a valid e-mail address to improve the success of delivery.

Since spammers aren't sending e-mail from their own e-mail address, and they want to send it from a valid e-mail address, they may send the e-mail from your e-mail address, or from an e-mail address at your domain. Spammers have been known to cycle through their e-mail lists, changing the sender address for each message generated, every few messages generated, or only once for an entire spam campaign. In the past it wasn't uncommon to make a spammer angry by making spam complaints, which resulted in the spammer using the complainant's e-mail address for the next spam campaign. Now that most spam is sent from malware-infected computers, and spammer networks are anonymous, the methods used to select the e-mail address to send spam from seem completely random.

Getting a delivery status notification to your e-mail address indicating that an e-mail message was not delivered doesn't necessarily mean that your computer sent out the e-mail message. Some sure signs that your computer did send out the spam would be that the notifications were coming from your outgoing e-mail server, or that the notifications (usually in the headers of the returned original message) indicated that the spam originated from your IP address or an IP address on your network. You may want to see my previous post on locking down your e-mail server for more information.
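The two signs above can be checked mechanically. The following script is an added example, not code from the original post: it parses a bounce, pulls the original message it carries back, and reports whether the first hop was inside your network or whether the bounce came from your own server. The host name, the address range and the sample bounce are constructed placeholders.

```python
import email
import ipaddress
import re
from email import policy

# Assumptions (placeholders): our outgoing server's host name and address range.
OUR_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
OUR_SMTP_HOST = "mail.example.com"
# First bracketed IPv4 literal of a Received: header is the peer that handed it over.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample bounce: spam sent from an ISP pool with alice@example.com
# forged as sender, returned by the victim's MX with the original attached.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mx.victim.example
To: alice@example.com
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/rfc822

Received: from dsl-45.isp.example ([192.0.2.45]) by mx.victim.example; Mon, 1 Jan 2007 03:11:58 +0000
From: alice@example.com

buy now
--b1--
"""

def original_message(dsn):
    """Return the original message a DSN carries back (message/rfc822 part), or None."""
    for part in dsn.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload()[0]
    return None

def classify(raw_bounce):
    """Return (verdict, origin_ip): 'ours', 'backscatter' or 'unknown'."""
    dsn = email.message_from_string(raw_bounce, policy=policy.default)
    # Sign 1: the notification itself comes from our own outgoing server.
    from_us = dsn.get("From", "").lower().endswith("@" + OUR_SMTP_HOST)
    orig = original_message(dsn)
    hops = [RECEIVED_IP.search(h) for h in (orig.get_all("Received", []) if orig else [])]
    ips = [ipaddress.ip_address(m.group(1)) for m in hops if m]
    if not ips:
        return ("ours" if from_us else "unknown", None)
    origin = ips[-1]  # Sign 2: bottom-most Received: is the first hop, the real origin
    if from_us or any(origin in net for net in OUR_NETWORKS):
        return ("ours", str(origin))  # look for an infected or abused host inside
    return ("backscatter", str(origin))  # sender address was forged elsewhere
```

Run `classify(SAMPLE_DSN)` on the constructed bounce and it reports backscatter from 192.0.2.45; a DSN whose first hop falls in your own range, or that your own server generated, is the case worth investigating.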

How can people forge your e-mail address?

How can someone send e-mail from your e-mail address without your permission? Unfortunately, although you may need a username and password to read your e-mail, or even to send e-mail through your network's e-mail server, there is no authentication required to send e-mail from any e-mail address. Sending e-mail from a different e-mail address is as simple as typing that e-mail address into the e-mail program that you use to send e-mail. You can send e-mail from your boss's e-mail address, or even from Bill Gates, provided you know their e-mail address. It's not difficult to forge an e-mail from someone else, and you should assume that any e-mail you receive wasn't sent by the owner of the e-mail address listed in the message, until proven otherwise.

Why isn't my anti-spam product blocking the bounced e-mail?

Although the e-mail may be unwanted by you, it's actually quite important that you get delivery status notifications about messages that were sent from your e-mail address. Otherwise, how would you know that someone was forging your e-mail address?

Additionally, the e-mail isn't spam. The notifications are typically single messages sent back by some of the recipients' mail systems, which were themselves innocent victims of the spam. Although it may seem like bulk, it's really just individual messages from individual recipients.

Unfortunately your anti-spam service won't know whether you actually sent the e-mail message that generated the notification, so it has no way of knowing that you didn't actually want the notification. If you are getting thousands per hour, or the volume is otherwise causing problems, your anti-spam product should let you temporarily block all delivery status notifications during the incident. However, this will also block any delivery status notifications regarding e-mail that you actually sent. It should be quite rare for you to have a delivery problem requiring one, though.

What can you do to fight back?

Many times when a spammer forges an e-mail address to send spam from, they get the e-mail address wrong. More than likely, most spam using a forged e-mail address at your domain is using an invalid e-mail address at your domain. It's very important not to have a "catch-all" e-mail alias, which is an alias that delivers e-mail addressed to any otherwise nonexistent address at your domain to someone's inbox. In the past, these were commonly used to catch e-mail that was mistakenly sent to the wrong e-mail address due to a typo. Now, it's quite a bad idea to use a catch-all alias because you'll get the 95% of e-mail that is sent to invalid e-mail addresses redirected to your inbox, instead of it being properly rejected for being addressed incorrectly. It is also important that your e-mail server be configured to reject e-mail sent to invalid e-mail addresses instead of accepting it.

You can help stop people from forging e-mail from your domain by using Sender Policy Framework (SPF), which requires that you publish an SPF record in the Domain Name System (DNS) for your domain indicating which e-mail servers are authorized to send e-mail for it. Then any e-mail that doesn't originate from those e-mail servers should be recognized as forged by anyone doing sender policy checks, which currently is quite a small percentage of the Internet population but should continue to grow.
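What a receiving server doing sender policy checks concludes depends entirely on how the record ends. The following minimal evaluator is an added example, not the post's own code or any library's: it applies a published SPF record to the IP address that connected to the receiver, and shows a weak record beside the strict one. The domain and address ranges are placeholders, and only the DNS-free mechanisms (ip4, ip6, all) are evaluated; include, a, mx and friends would need DNS lookups.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Assumption: example.com's only legitimate senders sit in 203.0.113.0/28.
WEAK_RECORD = "v=spf1 ip4:203.0.113.0/28 +all"     # '+all' authorizes every host on the Internet
NEUTRAL_RECORD = "v=spf1 ip4:203.0.113.0/28 ?all"  # '?all' tells receivers nothing about forgeries
STRICT_RECORD = "v=spf1 ip4:203.0.113.0/28 -all"   # '-all': anything else should be treated as forged

def evaluate_spf(record, client_ip):
    """Return the SPF result a receiving server would compute for the IP that
    connected to it. Only the DNS-free mechanisms ip4, ip6 and all are handled;
    include, a, mx, exists, ptr and redirect= need DNS lookups and yield
    'needs-dns' here (a simplification, not the full SPF specification)."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # domain publishes no usable SPF record
    for term in terms[1:]:
        qualifier = "+"  # mechanisms default to '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        base = name.lower().split("/")[0]
        if base == "all":
            return QUALIFIERS[qualifier]  # 'all' always matches; later terms are ignored
        if base in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address in the published record
            if ip in net:  # False automatically when the IP versions differ
                return QUALIFIERS[qualifier]
            continue
        if base in ("include", "a", "mx", "exists", "ptr") or base.startswith("redirect="):
            return "needs-dns"
        if "=" in base:
            continue  # other modifiers such as exp= do not affect the result
        return "permerror"  # unknown mechanism
    return "neutral"  # nothing matched and no 'all' term: same as '?all'

def looks_forged(record, client_ip):
    """True when the published policy says this connecting host may not use the domain."""
    return evaluate_spf(record, client_ip) in ("fail", "softfail")
```

With STRICT_RECORD a message from 192.0.2.45 claiming to be from example.com evaluates to "fail", whereas WEAK_RECORD passes it and NEUTRAL_RECORD gives the receiver nothing to act on.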