RealTime IT News

Bouncebacks: The Hidden Cost of Spam

A nasty side effect of spam and e-mailed viruses is costing companies an estimated $5 billion per year in IT resources, according to security services company IronPort.

The culprit: Bounced e-mail message warnings sent from servers advising an e-mail sender that the e-mail they tried to send was undeliverable.

Since virtually all spammers and scammers do not use their own return addresses on the junk mail that they send, many bounce messages actually end up in an innocent third party's system.

This may sound like a trivial annoyance, but according to a study conducted by IronPort, which offers an e-mail filtering service to corporate customers, 55 percent of the Fortune 500 companies have had a disruption in service or a full-scale network outage due to their networks being flooded with bogus bounce messages.

"This is e-mail's dirty little secret," said Patrick Peterson, IronPort's vice president of technology.

"Everybody knows about spam and viruses. But people don't think about bouncebacks as being a problem. And the people who do know... well, no one wants to share the fact that they're very vulnerable to a denial of service attack from bounces."

E-mail protocols were designed in a more innocent time when most users were scientists, academics and technology mavens who respected Internet etiquette.

Sadly, the protocols that worked so well 10 years ago are increasingly being abused by spammers to pump their junk into in-boxes with unfortunate results for communications systems.

Spammers and other scammers sometimes use e-mail addresses associated with well-known companies in an effort to appear more legitimate: E-mail addresses of antivirus companies and software manufacturers often appear in virus-laden messages or cheap software spam.

Response rates to spam are typically low -- around 1 percent or less. Spammers increase their odds of success by blasting out millions of pieces of garbage e-mail.

However, spam mailing lists are often riddled with incorrect or out-of-date addresses -- IronPort estimates that at least 20 percent of the recipients' addresses on spammers' lists are unreachable.

As a result, 10 million pieces of spam will create around two million bounce messages.

The flood of system activity produced by such a large spam campaign can knock even the largest corporate e-mail systems offline. Smaller scale spam campaigns can create a resource-draining annoyance.

"Bouncebacks are a serious problem," said Mark Sunner, chief technology officer at MessageLabs, an e-mail filtering company. "They are definitely causing a burden for corporate customers in general."

Sunner and Peterson also said that bounce messages can be used to deliberately attack mail systems, with the attacker knowing that the volume of bouncebacks from a particular mailing list is likely to take down the victim's servers.

"There's no real industry focus around solving this problem -- all the emphasis seems to be on solving spam," said Peterson.

E-mailed viruses also create a spike in bounce messages. Most viruses are now programmed to insert a random e-mail address, culled from the infected machine's address book, as the 'sender' address.

All bounce warnings go back to that address. Since antivirus software does a decent job of protecting systems, the deluge of bounce messages often causes more damage to networks than the actual virus itself.

"On days where virus/worm attacks happen we expect bounces to increase," said Mary Youngblood, EarthLink's manager of abuse.

"Our systems are designed to absorb the spike in bounce processing. We can see the after effects of virus/worms for weeks, even months from the amount of bounces that are generated."

IronPort's study states that global e-mail is currently made up of only about 20 percent legitimate messages.

Spam makes up 67 percent, misdirected bounces make up 9 percent, viruses make up 3 percent and phishing e-mails make up less than 1 percent.

IronPort culled this information from a sampling of roughly 25 percent of the world's e-mail.

The company believes the global volume of bounced e-mail messages is about 4.5 billion messages per day.

Around 10 percent of these bounces are valid, so roughly 90 million misdirected bounces are wending their way through the global network every day.

When misdirected bounce messages land in users' in-boxes, IT staff may waste time explaining the situation to users who are confused by return-to-sender messages that have no connection with the e-mail they've actually sent out.

IronPort arrived at its $5 billion per year cost by estimating that if even only 0.2 percent of these messages generate an IT trouble ticket at a big corporation, it would amount to 900,000 tickets per day.

At a global ticket cost of (US) $20 per ticket, this equals (US) $4.5 billion annually consumed by misdirected bounces.