RE: NDRs from spamming

From: Tenorio, Leandro (ltenorio_at_intelaction.com)
Date: 09/19/03

  • Next message: Romulo M. Cholewa: "RES: NDRs from spamming"
    Date: Thu, 18 Sep 2003 19:59:46 -0300
    To: "Justin Cooksey" <justin@cooksey.com.au>, "Romulo M. Cholewa" <rmc@rmc.eti.br>, <incidents@securityfocus.com>
    
    

            A month ago I received those messages too. I applied the same rule:
    forward those net addresses (211.170.0.0 / 219.0.0.0 / 61.30.0.0) to null
    on the Internet router; anyone can block those addresses on any firewall
    too, and delete the NDRs from the SMTP queue.
            The fact is, anyone can send a lot of mails to a server, let's
    say yahoo.com.tw, and write as reply address an e-mail address on your
    domain, because most of the servers or firewalls do not make a reverse domain
    check; yahoo in this case will send you a lot of NDRs. Even if you make a
    reverse domain check, those messages are real NDRs from a real SMTP
    server.
            About the complaints, I do it every time I find an attack. This
    is a somewhat simple but effective attack; it could take you a lot of time to
    search, block and remediate the entire system. Sometimes it works,
    sometimes not.

    I hope this helps.

    -----Original Message-----
    From: Justin Cooksey [mailto:justin@cooksey.com.au]
    Sent: Thursday, September 18, 2003 5:55 AM
    To: 'Romulo M. Cholewa'; incidents@securityfocus.com
    Subject: RE: NDRs from spamming

    I have recently had exactly this problem on two independent systems that
    I help maintain.
    One using Exchange 5.5 SP3, the other Exchange 2000 SP3.
    Both systems are not open relays.
    Both systems were free from known viruses at the date the incidents were
    noticed.
    Both had well over 1000 NDRs in the queues when we stopped SMTP
    services.

    The only reference to this attack I have found on the net is
    http://www.cmsconnect.com/Praetor/RNDR/prRNDR.htm; as well, news
    articles about this site are claiming that it's hype to help sell more of
    this company's product, which can block RNDR attacks.

    I guess one solution is to disable any and all NDRs?

    I have found that all these Reverse NDRs are coming from Chinese subnets,
    and have simply blocked these subnets from seeing the two systems.
    Perhaps a bit of overkill as a solution, but it definitely worked.

    The following are the subnets I have blocked:
    218.70.0.0/255.255.0.0
    211.158.32.0/255.255.248.0
    211.158.80.0/255.255.248.0

    I'm hesitant to send complaints to the listed emails for these subnets.
    I'm just not sure if it will be taken seriously. Does anyone have an
    opinion on the worth of sending complaints?

    Regards,
    Justin Cooksey

    -----Original Message-----
    From: Romulo M. Cholewa [mailto:rmc@rmc.eti.br]
    Sent: Thursday, 18 September 2003 12:13 AM
    To: incidents@securityfocus.com
    Subject: NDRs from spamming

    Hi there,

    I've noticed some increasing activity in our postmaster account over the
    last 2 weeks. We are receiving lots of NDRs from hundreds of non-existent
    "pseudo" email addresses. I found out that spammers are using our domain
    to fill up the From address (like creating random mailbox/user names and
    appending the @domain.com to the address).

    In theory, this should not be a real concern, since the worst case
    scenario would be receiving lots of NDRs. But in fact, some strange
    things are happening.

    First, the number of NDRs is compromising our bandwidth (yes, the NDRs
    are in the thousands a day already).

    Second, some stupid (or badly configured) anti-spam systems are blocking
    my mail server based on the email address (easily forged). Before the
    question is raised, no, our server is not accepting mails as an open
    relay, so the messages are not being originated here.

    So, I would like to ask if this is a known issue. If it is, are there
    any counter-measures that could be taken?

    If it is not, I think it would be nice to issue an advisory, or at least
    a best-practice about configuring anti-spam tools, to NOT blackhole
    other mail servers based solely on From address fields, which can be
    easily forged.

    Any info on this matter would be greatly appreciated.

    Regards,

    Romulo M. Cholewa
    Home : http://www.rmc.eti.br
    PGP Keys Available @ website.

     "I am become Death, the destroyer of worlds." -- Robert Oppenheimer
    
    

    ---------------------------------------------------------------------------
    Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
    October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
    technical IT security event. Modeled after the famous Black Hat event in
    Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
    Symantec is the Diamond sponsor. Early-bird registration ends September 6.
    Visit us: www.blackhat.com
    ----------------------------------------------------------------------------