What Is Email Backscatter And How To Prevent It

Have you ever received a Non-Delivery Report (NDR) or Non-Delivery Notification (NDN) telling you that an email could not be delivered, even though you never sent that email in the first place? If so, you are likely a victim of email backscatter.

A victim typically receives NDRs in bulk. There are usually so many of them that handling them overwhelms both the recipient and the ingress email server. This results in lag, or the mail server may even become completely inoperable, as in a DDoS attack.

This might be normal, provided that you sent out the emails from your domain, and in that quantity. However, if you didn’t send out the emails initially, those NDRs might just be backscatter.

What is email backscatter?

Backscatter, or bulk non-delivery reports, is what you get when mail servers inform you that an email could not be delivered (whatever the reason), even though you didn’t send out the email in the first place.

This happens when a hacker spoofs the From: header, or the “return path” in an email, and replaces the original email address with another legitimate email address, enhancing the deliverability of the email, and making it look like the email came from you.

When such an email is sent out and is not delivered, the receiving mail server automatically responds with an NDR. An NDR is issued against every email that could not be delivered. However, the NDR is issued to the email address in the From: header of the received email, which is spoofed in this case.

Therefore, instead of the NDRs being directed toward the original sender, innocent users face such consequences.

Note that not all spoofed emails generate backscatter. Mail servers are configured to handle spam and spoofed emails. They might even be configured to allow them through, or simply reject them without a bounce-back message. You will only have backscatter if the mail server is configured to send out bounce-back messages, and the hacker has sent out a lot of spoofed emails.

What causes email backscatter

If you are a victim of backscatter, it is not because of bad luck. The attacker likely targeted your domain on purpose and wanted to impersonate a legitimate member of the domain to get their hands on sensitive information.

Other times, a hacker may have gotten your email address off of a forum and decided to use it, since it was a legitimate domain.

In other cases, a hacker simply borrows a domain’s credibility and trust to enhance their deliverability.

The spoofed emails could result in a bounce-back due to any of the following reasons:

  • The recipient email addresses do not exist.
  • There is spam or malicious content in the email.
  • The email header failed to pass the security checks.

What it means to have email backscatter

On the face of it, email backscatter may not look as evil as it is. You are only receiving a few hundred more emails than usual, which you can simply ignore. How bad could it be?

Things are a bit more complicated than that. It is not about the unwanted NDRs in your inbox, but the fact that someone else is spoofing your domain’s name, and perhaps representing you or your organization in a way it shouldn’t. They could be impersonating you to get sensitive information from people in the same organization, or spreading malicious content using your domain’s name, destroying its credibility.

Here is a list of downsides of having backscatter:

  • A hacker is impersonating your domain and perhaps performing malicious acts with it, impacting your credibility.
  • If the spoofed emails end up in the spam folders, then that will negatively impact your email deliverability and trustworthiness.
  • Your domain might be blacklisted and blocked from sending emails in the future.
  • The Email Service Provider (ESP) might block your account from receiving further emails because of the rate of incoming emails.
  • Your inbox might flood with NDRs, causing the storage to run out, or you might miss out on the important emails in the rush.

For these reasons, you must take the necessary steps and precautions to prevent backscatter as well as prevent hackers from spoofing your domain in the first place.

How to prevent email backscatter

It is possible to eliminate, or at least reduce, backscatter on your domain. The approach has two parts: preventing the hacker from spoofing your particular domain, and then preventing NDRs from landing in your inbox.

Of course, it would be better if your domain was not compromised in the first place, but we cannot control the hackers. So if your domain is used for spoofing emails, there is still something you can do about it.

Here are a few ways to prevent email backscatter:

  • Configure SPF, DKIM, and DMARC

    Email security mainly relies on 3 standards, which are Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). These policies work together to check the authenticity and legitimacy of an email, and then determine whether the email should be sent through to the inbox, sent to the spam folder, or rejected altogether.

    SPF defines the servers that are allowed to send email for your domain, whereas DKIM includes a verifiable digital signature in an email to determine its authenticity. DMARC defines the rules for handling emails that fail the SPF and DKIM checks.

    If all three of these policies are configured correctly, hackers will not be able to spoof emails using your domain name successfully.

    You can check your domain’s email security using our Email Security & Deliverability Checker.

  • Use disposable email aliases

    Email aliases are like nicknames for the same email address. You can change email aliases and redirect them to the same email account. This allows you to quickly change to a brand new email alias if the older one starts receiving a lot of spam.

    This technique allows you to use a different alias in case the old alias starts receiving backscatter.

  • Avoid leaving email addresses in public spaces

    Hackers normally collect email addresses and legitimate domains from public forums. Try not to leave your email addresses in such places as they could be used for spoofing.

    If you absolutely have to leave your email address, then I suggest that you use a disposable alias instead.

  • Apply a filter to block NDRs/NDNs

    You can apply filters that match common non-delivery report expressions and automatically block such emails. This will prevent hundreds or thousands of backscatter emails from ending up in your inbox.

    One caveat of this is that the legitimate NDRs would also get blocked as long as this filter is in place.
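
One way to soften the caveat above, shown as an added example that is not part of the original article: instead of blocking every NDR, keep the ones that quote the Message-ID of an email you actually sent. It assumes your outbound server logs Message-IDs (the SENT_IDS set and the sample bounce are constructed) and that the bounce uses the standard multipart/report format.

```python
import email
from email import policy

# Constructed sample: Message-IDs logged by our own outbound server.
SENT_IDS = {"<20240101.1001@example.org>"}

def make_ndr(original_msgid):
    """Build a constructed RFC 3464-style bounce to exercise the filter."""
    return "\n".join([
        "From: MAILER-DAEMON@mx.remote.test",
        "To: alice@example.org",
        "Subject: Undelivered Mail Returned to Sender",
        "MIME-Version: 1.0",
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"',
        "", "--b1", "Content-Type: text/plain", "", "Delivery failed.",
        "--b1", "Content-Type: message/delivery-status", "",
        "Reporting-MTA: dns; mx.remote.test", "",
        "Final-Recipient: rfc822; nobody@remote.test",
        "Action: failed", "Status: 5.1.1",
        "--b1", "Content-Type: text/rfc822-headers", "",
        "From: alice@example.org", f"Message-ID: {original_msgid}",
        "--b1--", ""])

def classify_ndr(raw, sent_ids):
    """Return 'not-ndr', 'legitimate', 'backscatter' or 'unverified'."""
    msg = email.message_from_string(raw, policy=policy.default)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "delivery-status"):
        return "not-ndr"  # non-standard bounces need a separate rule
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/rfc822-headers":      # only the headers were returned
            original = email.message_from_string(part.get_content())
        elif ctype == "message/rfc822":         # full original message returned
            original = part.get_payload(0)
        else:
            continue
        msgid = (original["Message-ID"] or "").strip()
        # A bounce is ours only if it quotes a Message-ID we really sent.
        return "legitimate" if msgid in sent_ids else "backscatter"
    return "unverified"  # no original headers attached: quarantine, don't drop

if __name__ == "__main__":
    for mid in ("<20240101.1001@example.org>", "<spoofed.777@mailer.test>"):
        print(mid, "->", classify_ndr(make_ndr(mid), SENT_IDS))
```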

With these policies and preventive measures in practice, you should be able to prevent hackers from spoofing your domain or prevent backscatter in case they have already spoofed it.
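
To make "configured correctly" concrete for the SPF and DMARC records described above, here is an added example (not code from the original article) that audits the published TXT records for settings that still let spoofed mail through. The sample records and the example.org / example.net names are constructed; DKIM is not covered.

```python
def audit_spf(record):
    """Return a list of weaknesses in one SPF TXT record (empty = none found)."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record"]
    if any(t.startswith("redirect=") for t in terms):
        return []  # the policy lives in another record; audit that one instead
    final = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not final:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    qualifier = final[0][0] if final[0][0] in "+-~?" else "+"  # bare 'all' = '+all'
    notes = {"+": "'+all' authorizes every server on the internet",
             "?": "'?all' is neutral: unlisted senders are not rejected",
             "~": "'~all' is softfail: receivers are asked not to reject outright"}
    return [notes[qualifier]] if qualifier in notes else []

def audit_dmarc(record):
    """Return a list of weaknesses in one DMARC TXT record (empty = none found)."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    mode = tags.get("p", "").lower()
    if mode == "none":
        findings.append("p=none only monitors: failing mail is still delivered")
    elif mode not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to part of the mail only")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports")
    return findings

# Constructed sample records (not taken from any real domain).
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
STRICT_SPF = "v=spf1 mx include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRICT_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org"

if __name__ == "__main__":
    for rec in (WEAK_SPF, STRICT_SPF):
        print(rec, "->", audit_spf(rec) or "ok")
    for rec in (WEAK_DMARC, STRICT_DMARC):
        print(rec, "->", audit_dmarc(rec) or "ok")
```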

Closing words

If you are receiving bulk non-delivery reports on your domain email address, know that a hacker is attempting to use it to send out emails on your behalf. Before that happens, learn how you can reduce the risk or mitigate backscatter altogether, so that your organization’s reputation and trust are not altered.

Subhan Zafar is an established IT professional with interests in Windows and Server infrastructure testing and research, and is currently working with Itechtics as a research consultant. He has studied Electrical Engineering and is also certified by Huawei (HCNA & HCNP Routing and Switching).
