Spammers turn to fake non-delivery reports
The cloud security firm saw a 2,000 per cent increase in the number of malware laden non-delivery report (NDR) messages in August, compared to the average monthly number in the first six months of 2009.
Legitimate NDRs are automated messages sent to someone by a mail server when it cannot deliver an email to the intended recipient. This is usually because the email address has been entered incorrectly, the account has been deleted or the recipient's inbox is full.
Around one in five global spam emails detected by PandaLabs is using this technique, making it one of the most pervasive forms of spam currently in use.
"There is presently no consensus on whether NDRs are a technique used to evade anti-spam filters, or a collateral effect of dictionary attacks. Either way, this technique is now among the most widely used," said Luis Corrons, technical director at PandaLabs.
"Since most NDRs are legitimate emails and part of the mail server functionality, many traditional anti-spam techniques did not detect or block them up until now."
Corrons explained that the messages themselves are usually legitimate, and that botnets are being used to exploit this mail server function by using the sender's real name to trigger the message response.
The spammer's payload is then included as an attachment to the fake non-delivery notice. While in most cases users have not sent the supposedly undelivered email, they are still sufficiently curious to open it, said Pandalabs.