Posted on April 11, 2017 11:38 am

Mailer Daemon Spam: What You Need to Know

If your inbox is suddenly getting filled with emails from “mailer daemon”, here’s what you can do. To be clear, what’s happening is (we’ll go into more detail below):

  • Email has been sent out and the recipient can’t be found (or their inbox is full)
  • It’s being returned to you because email systems think you sent it

I Am Receiving Mailer Daemon Spam. What Should I Do Now? Can I Stop it?

When you receive lots of delivery failure reports from mailer daemon, do the following:

  1. Scan your computer and devices for malware and viruses.
    • Mailer daemon spam can be the result of an infection with malware (on one of your computers) that sends out emails using your address behind your back; best to rule out this case.
    • Ideally, scan while disconnected from the Internet.
    • If you found infections, do clean your machines and change all passwords, especially those to your email and social accounts.
  2. Report the mailer daemon spam as junk mail in your email program or service.
    • This has the spam filter drop similar useless and annoying delivery failure emails in the future.
  3. If you feel uneasy about clicking “Spam” on what might train the spam filter to eliminate a kind of email you want to receive in the future—delivery failure reports from mailer daemon—, simply delete all the useless emails from mailer daemon.
    • In addition, you can create a filter in your email program or service that automatically deletes all emails from the same mailer daemon address with the same subject.

Now that you know what to do, let us find out how it can happen at all that you receive these puzzling messages.

Why Does This Exist in the First Place?

Mailer-daemon emails are normally harmless and helpful delivery reports, not spam at all. Let’s find out how and when these mailer daemon messages are generated.

When you send somebody a message and it fails to deliver, you’d want to know, right?

Email is a system with many, many different players that works like a postal system: you hand one server (or “mailer daemon”) your email, that server passes the message on to another and possibly more mailer daemons down the line until, finally, the message is delivered to the recipient’s inbox folder. The whole process can take some time (though usually it is accomplished in seconds, of course), and only that last server knows whether the email could actually be delivered.

How Mailer Daemon Delivery Reports Are Generated

Since you, the sender, would want to know about the failed delivery, the mailer daemon tries to alert you. It does so using what a mailer daemon knows to do best: sending an email.

So, a mailer daemon error message is generated: it states what happened—typically, that an email could not be delivered—, possibly a reason for the problem and whether the server will try to deliver the email again. This delivery report email is addressed and sent to the original email’s sender, of course.

How the “original sender” is determined is a story of its own, and my guess is that your guess is wrong.

If you are at all curious why mailer daemons do not use the “From:” line to determine an email’s sender, do not skip the following sidebar.

Sidebar: How the Recipient of a Delivery Report is Determined

As you probably know, every email has both one or more recipients and a sender. Recipients go in the “To:”, “Cc:” and “Bcc:” fields, and the email address of the sender appears in the “From:” line. Neither is used by mail servers to deliver email messages, and, in particular, the “From:” field does not determine the email sender—as used for delivery reports (bounces), for example.

Instead, when an email is initially sent, the sender and recipient are communicated separately from and before the email’s content (which, for this purpose, includes the From: and To: fields).

Imagine me taking a letter to the post office for you. Of course, you have written the recipient’s name and address on the envelope and jotted down your address as well. At the post office, I do not simply hand over the letter for delivery and let the envelope take over, however. I say “This is from Corey Davy at 70 Bowman St.”, instead, and “Send it to Lindsay Page at 4 Goldfield Rd.; yeah, ignore what it says on the envelope.”

This is how email works.

Before dropping the letter into the delivery basket, the post office clerk makes a note on the back of the envelope: “Return to: Corey Davy, 70 Bowman St.”.

This, too, is roughly how email works. Any email will contain a header line (analogous to “From:” and “To:”) called “Return-Path:” that contains the sender’s address. This address is used to generate delivery failure reports—and mailer daemon spam.

How Does Mailer Daemon Spam Start?

For regular emails, all is fine. If one cannot be delivered—say, because you mistyped the address, or the recipient has not checked a free email account for years and the account expired—, the mailer daemon generates a delivery failure message to you, the original sender.

For junk email, phishing attempts, and messages generated by worms and other malware, the process goes wrong… or, more precisely, the delivery failure is sent the wrong way. To find out why, we have to turn to the sender for a second.

Every email needs to have a sender and From: address. This includes spam and emails that spread malware. Understandably, these senders do not want to use their own email address—or they would be receiving complaints, it would be easy to report them, and they would be inundated in mailer daemon… spam.

To get an email delivered, it is good to have a real email address set as the sender. So, instead of just making up addresses, spammers and viruses will often look up random addresses in people’s address books.

Is Anything Being Done to Stop Mailer Daemon Spam?

If email servers returned delivery reports to all these falsified “senders” when a junk email or malware email could not be delivered, the problem would be much worse than it is: spam is sent in the billions after all, to mostly non-existent addresses.

Fortunately, email servers can take measures to limit the amount of useless delivery notifications they send:

  • Mail servers will try to determine whether a return address has been forged before sending a delivery failure message; if the address is obviously not the real sender’s, no error email is sent.
  • They will also examine the message content closely to determine whether it is spam; if the message has a very high probability of being junk mail, the server may simply drop the email without sending a delivery failure—which itself would likely be regarded as nothing but mailer daemon spam.
  • Email servers receiving large amounts of delivery failures for an address—typically with content that is either spam or malware—may either silently delete these messages or quarantine them in the email service’s “Spam” folder.
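The sidebar above (bounces go to the envelope sender recorded in Return-Path, never to the From: line) and the three server-side measures just listed, as an added toy mail transfer agent written for this page and not taken from any real mail server. Assumed: the hosted mailbox list, the spam-score threshold, and the “return address is forged” verdict, which is handed in by the caller rather than computed here.

```python
# Toy MTA: envelope sender vs. From: header, and when a bounce is suppressed.
from email import message_from_string, policy
from email.message import EmailMessage

LOCAL_USERS = {"lindsay@example.net"}      # constructed: the only mailbox we host
SPAM_DROP_SCORE = 8.0                      # assumed: junk this obvious is dropped silently
DAEMON = "MAILER-DAEMON@mta.example"       # constructed address of our mailer daemon


def submit(mail_from: str, rcpt_to: str, data: str) -> EmailMessage:
    """SMTP submission: sender and recipient arrive (MAIL FROM / RCPT TO) before
    the content. The envelope sender is stamped into Return-Path; the From: line
    inside the content is left untouched and never consulted for delivery."""
    msg = message_from_string(data, policy=policy.default)
    del msg["Return-Path"]                 # never trust a client-supplied Return-Path
    msg["Return-Path"] = f"<{mail_from}>" if mail_from else "<>"
    return msg


def make_bounce(msg: EmailMessage, rcpt_to: str, spam_score: float,
                return_path_forged: bool):
    """Delivery failure report for msg, or None when sending one would only
    create mailer daemon spam. The recipient comes from Return-Path, not From:."""
    return_path = msg["Return-Path"].strip("<>")
    if not return_path:                    # "<>": message was itself a report; never bounce a bounce
        return None
    if return_path_forged:                 # verdict of an external forgery check (assumed)
        return None
    if spam_score >= SPAM_DROP_SCORE:      # near-certain junk: drop without a report
        return None
    dsn = EmailMessage()
    dsn["From"] = DAEMON
    dsn["To"] = return_path                # envelope sender, whatever From: claimed
    dsn["Return-Path"] = "<>"              # reports carry the null sender so they cannot bounce back
    dsn["Subject"] = "Undelivered Mail Returned to Sender"
    dsn.set_content(f"Delivery to <{rcpt_to}> failed: user unknown.\n"
                    f"The original From: line was {msg['From']}\n")
    return dsn


def handle(mail_from: str, rcpt_to: str, data: str,
           spam_score: float = 0.0, return_path_forged: bool = False):
    """Accept a submission; return ('delivered', None) or ('failed', bounce_or_None)."""
    msg = submit(mail_from, rcpt_to, data)
    if rcpt_to in LOCAL_USERS:
        return "delivered", None
    return "failed", make_bounce(msg, rcpt_to, spam_score, return_path_forged)
```

Run `handle("spammer@example.com", "nobody@example.net", data)` with a message whose From: line names someone else: the report is addressed to the envelope sender, which is exactly why a forged From: alone does not earn its victim a bounce.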