"Wanna" ransomware outbreak. Please see this Sophos article sophos.com/kb/126733 for advice on how to protect your organization. Immediate action recommended.
Non-delivery report (NDR) messages that have been generated as a result of spam messages are often referred to as "backscatter."
Applies to the following Sophos product(s) and version(s)
Not product specific
It describes the NDR messages generated by mail systems that accept spam messages during an SMTP session. If there is a delivery error ("mailbox full," "user doesn't exist," etc), the system attempts to send a "bounce" message back to the supposed original sender. The bounce message is directed to the email address found in the envelope sender information (the Return-Path header) in the original message. Because this address has been forged in most spam messages, the bounce message is delivered to a mailbox of a sender who did not send the original spam message.
Most email accounts receive very few, if any, backscatter spam messages; however, specific addresses or domains that are favorites of spammers can be the target of hundreds (or even thousands) of messages of this type per day.
SophosLabs will not block all NDR messages from all mail servers because not all NDR messages are backscatter, and mail servers that generate backscatter also send legitimate NDR messages. There are many legitimate bounce messages generated each day, which are delivered to the mail server that originally sent the message. The difficulty lies in differentiating between legitimate bounces and bounces that come as a result of spam messages.
Submit samples to SophosLabs. See How to submit a spam sample to SophosLabs for more information. There may be spam bounces for which SophosLabs can create additional heuristic rules.
For product specific workarounds, see the following article(s):
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.