RES: NDRs from spamming

From: Romulo M. Cholewa (rmc_at_rmc.eti.br)
Date: 09/19/03

    Date: Fri, 19 Sep 2003 07:36:40 -0300
    To: incidents@securityfocus.com
    
    

    Hi All (again),

    I would like to thank you for all the replies I received. I would like
    to write down a summary of what I've found so far about this issue:

     Identification
    As you all mentioned, this kind of "behaviour" is a well-known procedure
    called "joe-jobbing", and it appears to be a common spammer attack (if
    they don't like you maybe you get such a gift), and a way to relay spam
    (sort of). I really don't know what triggered the attack, as it seems to
    be a targeted one. Maybe I have a close "friend" that is a big spammer,
    go figure.

    http://www.cmsconnect.com/Praetor/RNDR/prRNDR.htm

     Side Effects
    There are some strange and unfortunate results:

    1. spam blocking
    Since you will start sending out lots of NDRs to domains out there, you
    may get blocked by misconfigured anti-spam tools. They might be
    triggered by the amount of email you are sending them, or just because
    your email server usually attaches the original message (so message content
    scanning anti-spam tools might be triggered as well). Also, instead of
    analyzing the headers to find out the originating smtp server, some
    anti-spam tools might be configured to block looking for the MX of the
    @domain.com in the from: field (bad). This is generally worse when
    someone "smart enough" submits your IP to a well-known blackhole list
    (even "smarter" if they block you based on NDRs). You will probably sort
    things out, but it will take some time.

    2. bandwidth
    By default, your mail server will issue an NDR for each NDR it receives,
    since the mailbox from: names are random. This will probably double the
    amount of traffic. IF you are short on bandwidth or server power, it
    might be an issue, since these attacks usually generate 10000 NDR mails
    a day per domain - double that if you have NDRs enabled - multiply by n
    domains if you are an ISP or host mail servers.

     What can be done
    There are some things you might do to ease the pain. It probably won't
    solve the problem, but might get the side effects under a manageable
    threshold.

    1. temporarily disable NDRs
    This would cut in half the amount of traffic and server load generated
    by the NDRs you receive.

    2. track down and block offending SMTP servers
    Received lots of messages about this, and it appears to be an effective
    counter-measure. Blocking IP subnets like 218.70.0.0/255.255.0.0
    211.158.32.0/255.255.248.0 211.158.80.0/255.255.248.0 211.170.0.0 /
    219.0.0.0 / 61.30.0.0 (Thanks Justin / Leandro) really reduced the
    amount of NDRs received. DON'T forget to block secondary, tertiary,
    etc., smtp servers, or the NDRs might simply be delivered to them
    anyway.

    Thanks again.

    Regards,

    Romulo M. Cholewa
    Home : http://www.rmc.eti.br
    PGP Keys Available @ website.

    Hi there,

    I've noticed some increasing activity in our postmaster account for the
    last 2 weeks. We are receiving lots of NDRs from hundreds of non-existent
    "pseudo" email addresses. I found out that spammers are using our domain
    to fill up the from address (like creating random mailbox/user names and
    appending the @domain.com to the address).

    In theory, this should not be a real concern, since the worst case
    scenario would be receiving lots of NDRs. But in fact, some strange
    things are happening.

    First, the amount of NDRs is compromising our bandwidth (yes, the NDRs
    are in the thousands a day already).

    Second, some stupid (or badly configured) anti-spam systems are blocking
    my mail server based on the email address (easily forged). Before the
    question is raised, no, our server is not accepting mails as an open
    relay, so the messages are not being originated here.

    So, I would like to ask if this is a known issue. If it is, are there
    any counter-measures that could be taken?

    If it is not, I think it would be nice to issue an advisory, or at least
    a best-practice about configuring anti-spam tools, to NOT blackhole
    other mail servers based solely on from address fields, which can be
    easily forged.

    Any info on this matter would be greatly appreciated.
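    The following is an added example, not code from this thread: a small Python classifier for incoming NDRs that applies the point made above (look at the Received headers of the bounced original, not at the forged From: address) and tags originating hosts that fall in the netblocks the summary lists with explicit masks. The domain example.org, the relay range 192.0.2.0/24 and the sample NDR are constructed placeholders.

```python
import email
import ipaddress
import re
from email import policy

OUR_DOMAIN = "example.org"                          # constructed placeholder
OUR_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # our own relays (constructed)
# Netblocks the thread lists with explicit masks, in CIDR form (2003 data).
THREAD_BLOCKS = [ipaddress.ip_network(n) for n in
                 ("218.70.0.0/16", "211.158.32.0/21", "211.158.80.0/21")]
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed NDR. The top Received line of the attached original was written by
# the bouncing site; the one below came with the message, forged to look like us.
SAMPLE_NDR = """\
From: MAILER-DAEMON@remote.example.net
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/rfc822

Received: from unknown (HELO mail.example.org) [218.70.44.9]
 by mx.remote.example.net with SMTP; Fri, 19 Sep 2003 06:01:02 -0300
Received: from mx.example.org [192.0.2.10] by localhost with SMTP
From: xk2f9q@example.org

body
--b1--
"""

def injecting_ip(original):
    # Only the topmost Received header is trustworthy: the bouncing site added
    # it. Everything below arrived with the message and may be forged.
    received = original.get_all("Received", [])
    m = RECEIVED_IP.search(str(received[0])) if received else None
    return ipaddress.ip_address(m.group(1)) if m else None

def classify_ndr(raw_ndr):
    # backscatter: sender at OUR_DOMAIN but injected outside OUR_NETS; ours: it
    # really left our relays; unknown: no usable original attached.
    ndr = email.message_from_string(raw_ndr, policy=policy.default)
    original = next((p.get_payload(0) for p in ndr.walk()
                     if p.get_content_type() == "message/rfc822"), None)
    ip = injecting_ip(original) if original is not None else None
    dom = re.search(r"@([\w.-]+)", str(original.get("From", ""))) if original else None
    if ip is None or dom is None or dom.group(1).lower() != OUR_DOMAIN:
        verdict = "unknown"
    else:
        verdict = "ours" if any(ip in n for n in OUR_NETS) else "backscatter"
    return {"verdict": verdict, "injecting_ip": str(ip) if ip else None,
            "in_thread_block": ip is not None and any(ip in n for n in THREAD_BLOCKS)}
```

    Run over a postmaster mailbox, the "backscatter" verdicts are the ones to drop or rate-limit rather than answer with a further NDR, and the injecting IPs are the ones worth feeding into the block list the summary describes.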



