Bouncebacks: The Hidden Cost of Spam

A nasty side effect of spam and e-mailed viruses is costing companies an
estimated $5 billion per year in IT resources, according to security
services company IronPort.

The culprit: Bounced e-mail message warnings sent from servers advising
an e-mail sender that the e-mail they tried to send was undeliverable.

Since virtually all spammers and scammers do not use their own return
addresses on the junk mail that they send, many bounce messages actually end
up in an innocent third party’s system.

This may sound like a trivial annoyance, but according to a study
conducted by IronPort, which offers an e-mail filtering service to corporate
customers, 55 percent of the Fortune 500 companies have had a disruption in
service or a full-scale network outage due to their networks being flooded
with bogus bounce messages.

“This is e-mail’s dirty little secret,” said Patrick Peterson, IronPort’s
vice president of technology.

“Everybody knows about spam and viruses. But
people don’t think about bouncebacks as being a problem. And the people who
do know… well, no one wants to share the fact that they’re very vulnerable
to a denial of service attack from bounces.”

E-mail protocols were designed in a more innocent time when most users
were scientists, academics and technology mavens who respected Internet

Sadly, the protocols that worked so well 10 years ago are
increasingly being abused by spammers to pump their junk into in-boxes with
unfortunate results for communications systems.

Spammers and other scammers sometimes use e-mail addresses associated
with well-known companies in an effort to appear more legitimate: E-mail
addresses of antivirus companies and software manufacturers often appear in
virus-laden messages or cheap software spam.

Response rates to spam are typically low — around 1 percent or less.
Spammers increase their odds of success by blasting out millions of pieces
of garbage e-mail.

However, spam mailing lists are often riddled with incorrect or
out-of-date addresses — IronPort estimates that at least 20 percent of the
recipients’ addresses on spammers’ lists are unreachable.

As a result, 10
million pieces of spam will create around two million bounce messages.

The flood of system activity produced by such a large spam campaign can
knock even the largest corporate e-mail systems offline. Smaller scale spam
campaigns can create a resource-draining annoyance.

“Bouncebacks are a serious problem,” said Mark Sunner, chief technology
officer at MessageLabs, an e-mail filtering company. “They are definitely
causing a burden for corporate customers in general.”

Sunner and Peterson also said that bounce messages can be used to
deliberately attack mail systems, with the attacker knowing that the volume
of bouncebacks from a particular mailing list is likely to take down the
victim’s servers.

“There’s no real industry focus around solving this problem — all the
emphasis seems to be on solving spam,” said Peterson.

E-mailed viruses also create a spike in bounce messages. Most viruses are
now programmed to insert a random e-mail address, culled from the infected
machine’s address book, as the ‘sender’ address.

All bounce warnings go back
to that address. Since antivirus software does a decent job of protecting
systems, the deluge of bounce messages often causes more damage to networks
than the actual virus itself.

“On days where virus/worm attacks happen we expect bounces to increase,”
said Mary Youngblood, EarthLink’s manager of abuse.

“Our systems are designed to absorb the spike in bounce processing. We can see the after
effects of virus/worms for weeks, even months from the amount of bounces
that are generated.”

IronPort’s study states that global e-mail is currently made up of only
about 20 percent legitimate messages.

Spam makes up 67 percent, misdirected
bounces make up 9 percent, viruses make up 3 percent and phishing e-mails
make up less than 1 percent.

IronPort culled this information from a sampling of roughly 25 percent
of the world’s e-mail.

The company believes the global volume of bounced e-mail messages is
about 4.5 billion messages per day.

Around 10 percent of these bounces are
valid, so roughly 90 million misdirected bounces are wending their way
through the global network every day.

When misdirected bounce messages land in users’ in-boxes, IT staff may
waste time explaining the situation to users who are confused by
return-to-sender messages that have no connection with the e-mail they’ve
actually sent out.

IronPort arrived at its $5 billion per year cost by estimating that if
even only 0.2 percent of these messages generate an IT trouble ticket at a
big corporation, it would amount to 900,000 tickets per day.

At a global
ticket cost of (US) $20 per ticket, this equals (US) $4.5 billion annually
consumed by misdirected bounces.
