'RES: NDRs from spamming'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       incidents
Subject:    RES: NDRs from spamming
From:       "Romulo M. Cholewa" <rmc () rmc ! eti ! br>
Date:       2003-09-19 10:36:40
[Download RAW message or body]

Hi All (again),

I would like to thank you for all the replies I received. I would like
to write down a summary of what I've found so far about this issue:

 Identification
As you all mentioned, this kind of "behaviour" is a well-known procedure
called "joe-jobbing", and it appears to be a common spammer attack (if
they don't like you maybe you get such a gift), and a way to relay spam
(sort of). I really don't know what triggered the attack, as it seems to
be a targeted one. Maybe I have a close "friend' that is a big spammer,
go figure.

http://www.cmsconnect.com/Praetor/RNDR/prRNDR.htm

 Side Effects
There are some strange and unfortunate results:

1. spam blocking
Since you will start sending out lots of NDRs to domains out there, you
may get blocked by misconfigured anti-spam tools. They might be
triggered by the amount of email you are sending them, or just because
your email server use to attach the original message (so message content
scanning anti-spam tools might be triggered as well). Also, instead of
analyzing the headers to find out the originating smtp server, some
anti-spam tools might be configured to block looking for the MX of the
@domain.com in the from: field (bad). This is generally worse when
someone "smart enough" submit your IP to a well-known blackhole list
(even "smarter" if they block you based on NDRs). You will probably sort
things out, but it will take some time.

2. bandwidth
By default, your mail server will issue a NDR for each NDR it receives,
since the mailbox from: names are random. This will probably double the
amount of traffic. IF you are short on bandwidth or server power, it
might be an issue, since these attacks usually generate 10000 NDR mails
a day per domain - double that if you have NDRs enabled - multiply by n
domains if you are an ISP or host mail servers.

 What can be done
There are some things you might do to easy the pain. It probably won't
solve the problem, but might get the side effects under a manageable
threshold.

1. temporarily disable NDRs
This would cut in half the amount of traffic and server load generaded
by the NDRs you receive.

2. track down and block offending SMTP servers
Received lots of messages about this, and it appears to be an effective
counter-measure. Blocking IP subnets like 218.70.0.0/255.255.0.0
211.158.32.0/255.255.248.0 211.158.80.0/255.255.248.0 211.170.0.0 /
219.0.0.0 / 61.30.0.0 (Thanks Justin / Leandro) really reduced the
amount of NDRs received. DON'T forget to block secondary, terciary,
etc., smtp servers, or the NDRs might simply be delivered to them
anyway.

Thanks again.

Regards,

Romulo M. Cholewa
Home : http://www.rmc.eti.br
PGP Keys Available @ website.




Hi there,

I've noticed some increasing activity in our postmaster account since 2
weeks ago. We are receiving lots of NDRs from hundreds of non-existent
"pseudo" email addresses. I found out that spammers are using our domain
to fill up the from address (like creating random mailbox/user names and
appending the @domain.com to the address).

In theory, this should not be a real concern, since the worst case
cenario would be receiving lots of NDRs. But in fact, some strange
things are happening.

First, the amount of NDRs are compromising our bandwidth (yes, the NDRs
are in the thousands a day already).

Second, some stupid (or badly configured) anti-spam systems are blocking
my mail server based on the email address (easily forged). Before the
question is raised, no, our server is not accepting mails as an open
relay, so the messages are not being originated here.

So, I would like to ask if this is a known issue. If it is, are there
any counter-measures that could be taken ?

If it is not, I think it would be nice to issue an advisory, or at least
a best-practice about configuring anti-spam tools, to NOT blackhole
other mail servers based solely on from address fields, that can be
easily forged.

Any info on this matter would be greatly appreciated.

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), 
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier 
technical IT security event.  Modeled after the famous Black Hat event in 
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.  
Symantec is the Diamond sponsor.  Early-bird registration ends September 6.Visit us: www.blackhat.com
----------------------------------------------------------------------------


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic