Gmail Delivery Notification Is Likely a Scam

If messages about failed email delivery show up in your Gmail inbox, don't panic, and don't respond to them. Scammers abuse the automatic bounce notices that mail servers send to slip past spam filters and distribute malicious links.

Gmail users on Reddit and Google’s support pages have reported repeated messages with the subject line “Delivery status notification (failed)” over the past year (they’ve been popping up in my inbox more frequently in recent weeks). Here’s how the attack works and what to do about it.

How phishing using mail daemons works

Mailer-daemon is the program that manages email delivery and sends an automatic notification back to the sender when a message cannot be delivered, for example because the address was mistyped or the recipient's mailbox is full. It is a legitimate and useful service, but it is fairly easy to abuse to trick users into clicking malicious links that hand attackers their information or access to their devices.

The Gmail version of this scam comes from mailer-daemon[at]googlemail[dot]com and includes a text box at the top that says: “Address not found: Your message was not delivered to [your username]@google.com because the address was not found or could not be used to receive mail.” There is also a clickable “Learn more” link, as well as a link to Google’s support pages.

At first glance this looks legitimate, but your email address is @gmail.com, not @google.com. If you scroll down, you’ll likely find an image, an attachment, or an additional forwarded message that clearly looks like spam. If you click anywhere or download the attachment, you could install malware on your device. You could also be redirected to a fake page, such as a Facebook login screen, that asks you to enter your credentials. At a minimum, engaging with the message may confirm to the scammers that your email address is valid.

This works because of how bounce handling is designed. Scammers can put any address in the From header of an email; if they put yours, every bounce comes back to you. They could spam thousands of people with mail that appears to come from you, but in this attack the messages appear to be both addressed to you and sent from you, which suggests a more targeted phishing attempt meant to convince you that something is wrong with your inbox and you need to act on it.
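As an added illustration (not part of the original article), here is a small Python triage script that checks a bounce notice for the two tells described above: a claimed recipient that is your username at a domain you never use, and links or attachments a real delivery notice would not carry. The mailbox address, the trusted-link domain and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string

MY_ADDRESS = "alice@gmail.com"                 # constructed sample mailbox
TRUSTED_LINK_DOMAINS = {"support.google.com"}  # assumption: where a real Gmail bounce links
# Constructed sample that mirrors the notice the article describes.
SAMPLE_SCAM = """\
From: Mail Delivery Subsystem <mailer-daemon@googlemail.com>
To: alice@gmail.com
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Address not found: Your message was not delivered to alice@google.com
because the address was not found or could not be used to receive mail.
Learn more: http://login-verify.example/facebook
Help: https://support.google.com/mail/answer/6596
--b1
Content-Type: image/png; name="promo.png"
Content-Disposition: attachment; filename="promo.png"

iVBORw0KGgo=
--b1--
"""

def triage_bounce(raw: str, my_address: str = MY_ADDRESS) -> list[str]:
    """Return warnings for a bounce notice; an empty list means nothing odd was seen."""
    msg = message_from_string(raw)
    my_user, my_domain = my_address.lower().split("@", 1)
    warnings, text = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            text.append(part.get_payload(decode=True).decode(errors="replace"))
        elif part.get_content_disposition() == "attachment" and not ctype.startswith("message/"):
            # A real DSN may embed the original message, not images or binaries.
            warnings.append(f"unexpected attachment {part.get_filename()!r} ({ctype})")
    body = "\n".join(text)
    # Tell 1: the notice claims you mailed as <your username>@<some other domain>.
    for addr in re.findall(r"not delivered to\s+([\w.+-]+@[\w.-]+)", body, re.I):
        user, domain = addr.lower().split("@", 1)
        if user == my_user and domain != my_domain:
            warnings.append(f"claims your address is {addr}, but you use @{my_domain}")
    # Tell 2: links that do not go to Google's own support pages.
    for domain in sorted({d.lower() for d in re.findall(r"https?://([\w.-]+)", body)}):
        if domain not in TRUSTED_LINK_DOMAINS:
            warnings.append(f"link to untrusted domain {domain}")
    return warnings
```

Run against a genuine bounce for a mistyped recipient, the username check stays quiet and only the attachment and link heuristics can fire.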

What to do if you receive spam from a mail daemon

If you receive bounce notifications like these, you can simply ignore and delete them. You can also report them as spam without opening them, so that similar messages stop reaching your inbox. Keep in mind, though, that the mail daemon itself is legitimate and you may still want to know when email you actually sent is being returned.

As always, do not click links or images in, or open attachments from, messages you were not expecting.

Attackers don’t need access to your account to pull this off, so the account itself is likely safe. Even so, make sure your Google account has a strong password with multi-factor authentication, or a passkey.
