That Gmail Delivery Status Notification Is Probably a Scam

If you are getting delivery failure messages in your Gmail inbox, don’t be alarmed—and don’t engage with them. Scammers are using mailer-daemon spam to bypass email filters and spread malicious links.

Gmail users on Reddit and in Google’s support pages have reported receiving repeated messages with the subject line “Delivery Status Notification (Failure)” over the last year (they’ve found their way into my inbox more frequently in recent weeks as well). Here’s how this attack works and what you need to do about it.

How mailer-daemon phishing works

Mailer-daemon is a program that manages email delivery and sends automated notifications to the sender if the message bounces—for example, if you type the address incorrectly or the recipient’s inbox is full. This is obviously a legitimate and useful service, but it can be co-opted relatively easily to trick people into clicking malicious links and compromising their information or devices.

The Gmail version of this scam comes from mailer-daemon[at]googlemail[dot]com and includes a text box at the top stating “Address not found: Your message wasn’t delivered to [your handle]@google.com because the address couldn’t be found, or is unable to receive mail.” There’s a clickable “Learn More” link as well as a link to Google support pages.

This looks pretty legit at first glance—however, your email is @gmail.com, not @google.com. Then if you scroll down, there’s likely an included image, attachment, or additional forwarded message that pretty clearly looks like spam. If you were to click anywhere or download the attachment, you could install malware on your device. You could also be taken to a spoofed page, such as the Facebook login screen, with a prompt to enter your credentials. At the very least, engaging may alert the scammers that your email address is live.

This works because of how bounce handling is set up: nothing checks that the sender address in an email header is genuine, so scammers can put any address there. If it’s yours, you’ll receive anything that bounces back. They could blast thousands of people with spam that appears to come from you, but this attack makes messages look like they are both to you and from you, so it could be a more targeted phishing attempt, meant to make you believe there’s a problem receiving mail to your inbox and that there’s something you need to do about it.
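As an added example (not from the article), here is a small Python triage script that applies the tells described above to a raw message claiming to be a bounce: it checks the structure a genuine delivery status notification has (null Return-Path, multipart/report with a message/delivery-status part), the look-alike recipient domain, and extra attachments or links to hosts outside an assumed allow-list. The sample message and the TRUSTED_LINK_HOSTS allow-list are constructed assumptions, not captured data.

```python
import re
from email import message_from_string, policy
# Constructed sample of a fake "bounce" like the one described above (not a real capture).
FAKE_DSN = """\
Return-Path: <bulk@example.net>
From: Mail Delivery Subsystem <mailer-daemon@googlemail.com>
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Address not found: Your message wasn't delivered to alice@google.com</p>
<a href="http://phish.example/login">Learn More</a>
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"

JVBERi0x
--b1--
"""
# Assumed allow-list for the "Learn More" link a genuine Gmail bounce carries.
TRUSTED_LINK_HOSTS = {"support.google.com"}

def triage_dsn(raw: str, my_address: str) -> list[str]:
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    # Genuine bounces are sent with the null reverse path (RFC 5321), so Return-Path is "<>".
    if str(msg.get("Return-Path", "")).strip() != "<>":
        flags.append("non-null-return-path")
    # Genuine DSNs are multipart/report; report-type=delivery-status with a message/delivery-status part (RFC 3464).
    parts = list(msg.walk())
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "delivery-status"
            or not any(p.get_content_type() == "message/delivery-status" for p in parts)):
        flags.append("not-dsn-structure")
    text = "".join(p.get_content() for p in parts if p.get_content_type() in ("text/plain", "text/html"))
    # Look-alike recipient: your local part, but a domain that is not yours (@google.com vs @gmail.com).
    local, domain = my_address.lower().split("@")
    for addr in set(re.findall(r"[\w.+-]+@[\w.-]+\w", text)):
        l, d = addr.lower().split("@")
        if l == local and d != domain:
            flags.append(f"lookalike-recipient:{addr}")
    # Extra attachments and links to untrusted hosts are the payload, not bounce data.
    if any(p.get_content_disposition() == "attachment" for p in parts):
        flags.append("attachment")
    for host in set(re.findall(r"https?://([^/\s\"'<>]+)", text)):
        if host.lower() not in TRUSTED_LINK_HOSTS:
            flags.append(f"untrusted-link:{host}")
    return flags
```

Any flag is a reason to treat the message as suspect; an empty list only means the message is shaped like a real bounce, so a returned original you never sent still deserves a look.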

What to do if you get mailer-daemon spam

If you get failed delivery notifications, you can ignore and delete them. You can also report these emails as spam without opening them to block similar messages from reaching your inbox. Note, though, that mailer-daemon is legitimate, and you may still want to know if an email you send bounces.

As always, don’t click any links or images in the message or open any attachments in unsolicited communication.

Bad actors don’t actually need access to your account to set this up, so more than likely your account itself is safe. But you should make sure you have a strong password with multi-factor authentication or a passkey enabled for Google.
