Bounce messages, or non-delivery report (NDR) messages, that have been generated as a result of spam messages are referred to as "backscatter".

If there is a delivery error ("mailbox full," "user doesn't exist," etc.), the mail system attempts to send a "bounce" message back to the supposed original sender. The bounce message is directed to the email address found in the envelope sender information (the Return-Path header) in the original message. Because this address has been forged in most spam messages, the bounce message is delivered to the mailbox of someone who did not send the original spam message.

Most email accounts receive very few, if any, backscatter spam messages. However, specific addresses or domains that are favorites of spammers can be the target of hundreds, or even thousands, of messages of this type per day.

SophosLabs will not block all NDR messages from all mail servers because not all NDR messages are backscatter, and mail servers that generate backscatter also send legitimate NDR messages. There are many legitimate bounce messages generated each day, which are delivered to the mail server that originally sent the message. The difficulty lies in differentiating between legitimate bounces and bounces that come as a result of spam messages.

Sophos recommends that bounce messages be allowed, but if you receive a large number of bounces caused by spam messages to spoofed senders (backscatter), you may want to quarantine or discard bounce messages. Note that this can affect the delivery of legitimate bounce messages.
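One way to separate legitimate bounces from backscatter before quarantining is to check whether the bounce quotes a message your own server actually sent. The following is an added example, not Sophos code: it assumes you keep a log of outbound Message-IDs (the `SENT_IDS` set, the sample bounce, and all addresses are constructed) and that the bounce is a standard `multipart/report` delivery status notification.

```python
from email import message_from_string, policy

# Constructed data: Message-IDs our own outbound server logged (assumed log).
SENT_IDS = {"<a1b2c3@mail.example.org>"}

def original_message_id(bounce_text):
    """Return the Message-ID of the message a bounce reports on, or None."""
    msg = message_from_string(bounce_text, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        return None
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":           # full original returned
            mid = part.get_payload(0)["Message-ID"]
        elif ctype == "text/rfc822-headers":    # only the headers returned
            mid = message_from_string(part.get_content())["Message-ID"]
        else:
            continue
        return str(mid).strip() if mid else None
    return None

def classify_bounce(bounce_text, sent_ids=SENT_IDS):
    """'legitimate' if the bounce quotes mail we sent, else 'backscatter'."""
    mid = original_message_id(bounce_text)
    if mid is None:
        return "unknown"    # no usable original headers: leave to local policy
    return "legitimate" if mid in sent_ids else "backscatter"

def sample_dsn(message_id):
    """Constructed RFC 3464-style bounce used only for this demo."""
    return "\n".join([
        "From: MAILER-DAEMON@mx.example.net", "To: alice@example.org",
        "Subject: Undelivered Mail Returned to Sender", "MIME-Version: 1.0",
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b"',
        "",
        "--b", "Content-Type: text/plain", "", "User doesn't exist.",
        "--b", "Content-Type: message/delivery-status", "",
        "Reporting-MTA: dns; mx.example.net", "",
        "Final-Recipient: rfc822; bob@example.net",
        "Action: failed", "Status: 5.1.1",
        "--b", "Content-Type: message/rfc822", "",
        "From: alice@example.org", f"Message-ID: {message_id}",
        "Subject: hello", "", "body", "--b--", ""])

if __name__ == "__main__":
    print(classify_bounce(sample_dsn("<a1b2c3@mail.example.org>")))
    print(classify_bounce(sample_dsn("<zzz@spam.invalid>")))
```

Bounces that quote no original headers come back as `unknown`, so they still fall under whatever allow, quarantine, or discard policy you choose for NDRs.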