[extropy-chat] Clamping down email server

BillK pharos at gmail.com
Sun Oct 15 08:11:36 UTC 2006


On 10/15/06, David Lubkin wrote:
> I've been sending and receiving my email through my hosted FreeBSD
> server for years, fairly smoothly. Of late I've been getting
> thousands of messages a day purportedly from other mail servers,
> rejecting email attributed to my domain, viz., that uses a random
> address like jkkqrlaz at unreasonable.com.
>

This is called NDR (Non Delivery Report) Spam. Or sometimes Reverse NDR Spam.

<http://www.mapilab.com/articles/ndr_spam_attack.html>

Quote:

By default, Microsoft(r) Exchange Server accepts all messages received
via SMTP protocol. In case the server is unable to find a recipient
within the system the message is returned to the sender (non-delivery
report, NDR). This approach, however, may cause a potential security
threat: since the sender's address is not checked, a sender with
malicious intentions may set any address as the reply-to address.
NDR-attacks allow spammers to bypass most of the server side and
client side spam check filters:

    * since Exchange Server returns undelivered messages as an
attachment, spam filters that monitor the message body and headers for
specified keywords operate less than effectively, often allowing such
messages to pass through undetected;
    * many users delete unsolicited mail manually without reading it
(this takes less than a second); however, when they see a message with
'Undelivered Mail' in the subject line they may very well open and
read the attached message, not only potentially wasting their time –
but what if it contains a virus, or more specifically a worm which
would then send messages to all the contacts in their address book?;
    * because the source of such mail is a so-called "honest" server
(one that is not found in SPEWS or ORDB databases), sever filters,
including the latest filters introduced in Microsoft Exchange 2003
Server will pass the message through.
End quote  -----------------


What you need is a 'whitelist' of valid addresses for your domain, so
that you can reject these NDR messages with made-up return addresses.
In rare cases this may cause a false detection when somebody mistypes
your email address.

Or just train your spam filter to know that NDRs are spam. That is
what I've done with my POP3 email. Again, this may also give very
occasional false detections that you have to watch out for.


BillK




More information about the extropy-chat mailing list