myobfool

Reverse NDR Spam

Recommended Posts

My company has AGAIN been listed by SPAMCOP. The below is why.

Aside from the fact that I consider this list to be illegal, possibly actionable in court etc, it belies the fact that I can't control the Non Delivery Notices that my system puts out. This is BRAND NEW, and friends it's going to be a problem.

Do not DARE to tell me that it's the ISP's, I KNOW that. You publish the list, you permit the criteria. IT IS YOUR CHOICE.

At this point I'm not an open relay, but it doesn't matter. AS long as I PERMIT NDR THE SPAMMERS CAN USE MY FLIPPIN SYSTEM.

The short answer of it is:

Spammer spoofs sender to be who they REALLY want to send to.

Sends spam to me to a non-existent address at my domain

My system responds appropriately with an NDR, but since the spammer has built the spam into the message, it RESPONDS TO THE SPOOFED ADDRESS THEREFORE DELIVERING THE spam.

I THINK MOST RBL'S ARE USELESS AND THIS IS ANOTHER EXAMPLE OF WHY.

Spammers have a new means to avoid filters built into many systems. They take advantage of a mail system's sending of a non-delivery report (NDR) when a message cannot be delivered as addressed and returns the original contents.

CMS calls this a "Reverse NDR attack" (RNDR). A few customers have experienced this, some so badly that over 33% of their Internet messages are attributed to this type of spam.

The end result is the spammer has attained a new form of mail relaying. Your server's resources are being stolen to deliver spam.

--------------------------------------------------------------------------------

How does a "Reverse NDR" attack work?

Step 1 spam email is created with the intended spam victim's address in the sender field and a random, fictitious recipient, at your domain, in the To: field.

Step 2 Your mail server cannot deliver the message and sends an NDR email back to what appears to be the sender of the original message, the spam victim.

Step 3 The return email carries the non-delivery report and possibly the original spam message. Thinking it is email they sent, the spam victim reads the NDR and the included spam.

--------------------------------------------------------------------------------

What are the symptoms of a RNDR attack?

Sluggish email delivery

Outbound queues full of non-delivery notices

Excessive admin time to clear outbound queues

If you are experiencing any of the above, chances are good your mail server is under attack.
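
The following is an added example, not code from the original post or from CMS or SpamCop; it models the three steps above and the symptom list in a small in-memory MTA. It contrasts the accept-then-bounce behaviour the thread describes with the SMTP-time reject that later replies recommend, and scores a constructed, Postfix-style queue log for the share of null-sender (from=<>) entries, which is what an "outbound queue full of non-delivery notices" looks like in logs. The domain, mailbox list, addresses, message bodies and log lines are all constructed for the example.

```python
"""Model of a "reverse NDR" (backscatter) attack and of the SMTP-time fix.

Constructed example: a tiny in-memory MTA that handles inbound mail under two
policies, and a detector that flags a queue dominated by NDRs. Every domain,
address, body and log line below is made up for illustration.
"""
from dataclasses import dataclass, field

LOCAL_DOMAIN = "example.com"                               # assumed: our domain
LOCAL_USERS = {"alice@example.com", "bob@example.com"}     # assumed: valid mailboxes


@dataclass
class Message:
    mail_from: str   # envelope sender; the spammer forges it to the real target
    rcpt_to: str     # envelope recipient at our domain; random, non-existent
    body: str


@dataclass
class Outcome:
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)   # (rcpt, smtp_reply)
    ndrs: list = field(default_factory=list)       # (ndr_to, carries_original)


def rcpt_reply(rcpt_to: str) -> str:
    """SMTP reply to RCPT TO. Unknown local users are refused before DATA."""
    if rcpt_to in LOCAL_USERS:
        return "250 2.1.5 OK"
    return "550 5.1.1 <%s>: Recipient address rejected: User unknown" % rcpt_to


def run_mta(messages, policy: str) -> Outcome:
    """policy='bounce': accept everything, then NDR unknown recipients
    (the behaviour the thread describes). policy='reject': refuse the
    recipient at RCPT TO, so the sending host, not us, owns the failure."""
    out = Outcome()
    for m in messages:
        reply = rcpt_reply(m.rcpt_to)
        if reply.startswith("250"):
            out.accepted.append(m.rcpt_to)
        elif policy == "reject":
            out.rejected.append((m.rcpt_to, reply))
        else:
            # Accept-then-bounce: we now originate mail to the forged sender,
            # and the NDR carries the original (spam) body along with it.
            out.ndrs.append((m.mail_from, True))
    return out


def backscatter_ratio(log_lines) -> float:
    """Share of queued messages whose envelope sender is null (from=<>),
    i.e. NDRs. The line format imitates Postfix qmgr logging but is
    constructed here; adapt the match to your own MTA's log."""
    queued = [line for line in log_lines
              if "postfix/qmgr" in line and "from=<" in line]
    ndrs = [line for line in queued if "from=<>" in line]
    return len(ndrs) / len(queued) if queued else 0.0


# Constructed traffic: two legitimate messages and three spam runs whose
# forged MAIL FROM is the intended victim and whose RCPT TO is random.
SAMPLE_TRAFFIC = [
    Message("alice@example.org", "alice@example.com", "hi"),
    Message("carol@example.net", "bob@example.com", "report attached"),
    Message("victim1@example.net", "zq8ks@example.com", "BUY NOW"),
    Message("victim2@example.net", "jf7pd@example.com", "BUY NOW"),
    Message("victim3@example.net", "x91mm@example.com", "BUY NOW"),
]

# Constructed log excerpt: three of four queued messages are NDRs.
SAMPLE_LOG = [
    "Mar  1 10:00:01 mx postfix/qmgr[812]: 1A2B3C: from=<alice@example.org>, size=512, nrcpt=1 (queue active)",
    "Mar  1 10:00:02 mx postfix/qmgr[812]: 2B3C4D: from=<>, size=2048, nrcpt=1 (queue active)",
    "Mar  1 10:00:02 mx postfix/qmgr[812]: 3C4D5E: from=<>, size=2048, nrcpt=1 (queue active)",
    "Mar  1 10:00:03 mx postfix/qmgr[812]: 4D5E6F: from=<>, size=2048, nrcpt=1 (queue active)",
    "Mar  1 10:00:03 mx postfix/smtpd[900]: connect from unknown[192.0.2.10]",
]


def compare_policies(messages=SAMPLE_TRAFFIC):
    """Run the same traffic under both policies for side-by-side counts."""
    return {p: run_mta(messages, p) for p in ("bounce", "reject")}


if __name__ == "__main__":
    for name, o in compare_policies().items():
        print(f"{name:7s} accepted={len(o.accepted)} rejected={len(o.rejected)} "
              f"NDRs sent={len(o.ndrs)}")
    print("NDR share of queued mail: %.0f%%" % (100 * backscatter_ratio(SAMPLE_LOG)))
```

Under the bounce policy the three spam messages each produce one NDR addressed to a victim who never wrote to us; under the reject policy the same three are refused with a 550 at RCPT TO and we originate nothing. The ratio check is the cheap early warning: a queue in which most entries have a null sender is the symptom the post lists before the queue fills. If an upstream scanner or gateway accepts mail for all addresses and only the internal server knows the mailbox list, the reject has to happen at that gateway, which needs a copy of the valid-recipient list.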

My company has AGAIN been listed by SPAMCOP.  The below is why. 

Aside from the fact that I consider this list to be illegal, possibly actionable in court etc, it belies the fact that I can't control the Non Delivery Notices that my system puts out.  This is BRAND NEW, and friends it's going to be a problem.

There is nothing illegal about blocking email so your threats are useless.

If you want assistance then post the reject message or IP address you "think" is listed.

everyone is tired of receiving mortgage quotes, penis enlargement, breast enhancement, weight loss, nude 40 year old teenage sluts, Viagra, vacation, lottery, prescription drug, business opportunities, genealogical, university degrees, gambling, get rich quick, MLM, pyramid schemes, Web Cams, Russian brides, work from home, stock scams, pirated software and everything else that is force fed into our inboxes.

Everyone has a right to block anything they want.

Like stated above, if you want assistance post the necessary information or wait until the IP in question is automatically removed which will be 48 hours from the last spam report.

Aside from the fact that I consider this list to be illegal, possibly actionable in court etc, it belies the fact that I can't control the Non Delivery Notices that my system puts out.

There is no guarantee that your e-mail is going to be delivered. An ISP has the absolute right to reject incoming mail from any source, for any reason. If you don't like the ways your ISP is blocking mail, find another ISP that uses a different method or doesn't block at all. If the person you're sending mail to has the issue with their ISP, the same advice follows. The idea that anyone has a legal right to dictate where my mail server receives mail from or how I choose to reject mail is ludicrous.

My company has AGAIN been listed by SPAMCOP.  The below is why. 

<snip>

I can't control the Non Delivery Notices that my system puts out.

<snip>

The short answer of it is:

Spammer spoofs sender to be who they REALLY want to send to.

Sends spam to me to a non-existent address at my domain

My system responds appropriately with an NDR, but since the spammer has built the spam into the message, it RESPONDS TO THE SPOOFED ADDRESS THEREFORE DELIVERING THE spam.

<snip>

Spammers have a new means to avoid filters built into many systems.  They take advantage of a mail systems sending of a non-delivery report (NDR) when a message cannot be delivered as addressed and returns the original contents. 

<snip>

Hi, myob,

...The solution is to issue a SMTP reject rather than bounce to the "sender": [spamCop-List] Re: Real help required to stop a spammer spoofing my domain..


I thought that reporters were NOT allowed to report these kinds of bounces via spamcop.

However, if I were receiving these bounces because the spammer had used my email address in the return path, you would be getting a report. There is no excuse for a competent admin for accepting email and then sending an email for non-delivery now that the spammers have started using forged return paths. The bounces inflict spam (unsolicited and unwanted email - not to mention helping the spammer disseminate his message) on many people. And cause them anxiety because they are afraid that they will be labeled spammers.

The least an admin could do is run them through a content filter and NOT send those that are identified with spam.

Miss Betsy

I thought that reporters were NOT allowed to report these kinds of bounces via spamcop.

However, if I were receiving these bounces because the spammer had used my email address in the return path, you would be getting a report.  There is no excuse for a competent admin for accepting email and then sending an email for non-delivery now that the spammers have started using forged return paths.  The bounces inflict spam (unsolicited and unwanted email - not to mention helping the spammer disseminate his message) on many people.  And cause them anxiety because they are afraid that they will be labeled spammers.

The least an admin could do is run them through a content filter and NOT send those that are identified with spam.

Miss Betsy

Sounds more like an operator error (BOFH) than a misreporting error Miss Betsy :rolleyes:


Illegal, no one has the right to block emails. Hmmm, well there are a few people advocating against RBL's who would vigorously argue that point. You are putting out information in error which naive admins thinking your list is accurate decide to use. Is that actionable, probably, but I'll let the lawyers fight that one out someday. This would not be the ISP's it would be the purveyor of deliberately erroneous information.....hmmm wonder who that would be.

Well there you go, I think you're wrong, you think I'm wrong.

Merlyn you try fairly hard to miss my point so I'll try it again.

Oh and I've read BOFH, and I don't think I am one.

This is a brand new attack. It is real, it is now. Welcome to the new world of spamming. The reverse NDR attack is not stoppable by having the correct settings on your server. The spamcop list chooses to use criteria that includes reverse NDR and it's not appropriate. Anyone can nominate anyone to this list and that begs for abuse.

Do I think I'll win this discussion, no of course not. Your hyperbole on spam (a snip from the main spamcop page) proves that you're not listening. Am I looking at setting up an anti-spam product, of course. I'm not going to win this fight with Spamcop or you, since you can't win a zealot's argument. This type of self inflicted vigilante behavior throws out the good with the bad and then tries to blame the victim.

Oh and don't try the "blame the ISP" argument. You try arguing with some large companies or ISP's, it's a faulty argument and just used to again try to blame the victim. Oh and I wish I could do an SMTP reject, blame Microsoft for my cruddy software.

Enjoy the new twist on spamming. It's going to make a lot of anti-spam software vendors even happier. Get some content filters and stop using a shotgun when a rifle is more appropriate.

Have a nice day. <g>


I certainly do not want to argue. Have you asked the Deputies about the reports? I am sure they can give a little insight to this. It would be very interesting.

Also, it is actually very legal to block email according to the CAN-SPAM Act.

People can advocate the legality of blocking email but the internet is not as public as you think. All those servers are the private property of their owners to do with what they want.

Just like postal mail. I do not accept it all, When I get snail mail spam I place "return to sender" on the envelope and away it goes, right back where it started from.

The spamcop list chooses to use criteria that includes reverse NDR and it's not appropriate.

The SpamCop list does NOT choose to include bounces as valid sources. If you have evidence that bounces are being reported as spam, please inform deputies at admin dot spamcop dot net. Users can be fined or have their reporting privileges revoked for such an act. The IP address will generally be taken off the list as well.

Anyone can nominate anyone to this list and that begs for abuse.

It is correct that anyone can report an IP, but it takes more than 1 report (and more than 1 reporter) to become listed. From my understanding, it does only take one spamtrap report to be listed however, which has become a problem for machines that send bounces after accepting the message.

Oh and I wish I could do an SMTP reject, blame Microsoft for my cruddy software.

I know of no SMTP server (including Microsoft) that does not support SMTP rejects. Your configuration could make it impossible to implement (i.e. virus scanner accepting all messages to scan, then forwarding them on). Please correct me if I am wrong. What version are you running?


spam can be taken care of (voluntarily) at the PC level, by using K9 or other similar products. SpamCop is way too "reactionary". Tell your ISP (and the ISP at the receiving end) not to use SpamCop - as has been mentioned by the "SpamCop Fans" that's their right. If they feel they must use a DNSbl, then suggest they use sbl-xbl.spamhaus.org for a "thoughtful" approach that is used by large ISP, Corporations, Government and Military.

Help stamp out spam and the precipitous actions of SpamCop drones.


I don't understand how using a content filter where I have to look for false positives and false negatives helps to stamp out spam.

And I don't see how sending emails to people to tell them their message that they didn't send was not delivered is useful to anyone. I would like to know how many "real" emails are not delivered compared to the number of bogus emails that are sent. I bet that it would be worth it to have a few "real" emails disappear for everyone concerned.

And while spamcop may not be a good blocklist to use for everyone, I don't understand why someone considers it so bad that he takes the time to keep posting against it. It sounds to me as though someone used the quick reporting and reported his own ISP which may, or may not, be the fault of Spamcop documentation.

Considering that most ISP's don't appear on the spamcop bl, it can't be that hard to stay off it.

Miss Betsy

I don't understand how using a content filter where I have to look for false positives and false negatives helps to stamp out spam.

Using an "automatic" content filter like K9 means that 99% of spam can be sent directly to the Wastebasket. Looking for "false positives or false negatives" is very very minor compared to any time spent on any SpamCop reporting. Obviously, the way that it "stamps out spam" is that one does not respond to spam. It's just like any good consumer, who "votes with their dollars" as to what stays and dies.

I bet that it would be worth it to have a few "real" emails disappear for everyone concerned.

Not really, unless you get useless email. ;)

<snip>

Tell your ISP (and the ISP at the receiving end) not to use SpamCop - as has been mentioned by the "SpamCop Fans" that's their right. If they feel they must use a DNSbl, then suggest they use sbl-xbl.spamhaus.org for a "thoughtful" approach that is used by large ISP, Corporations, Government and Military.

Help stamp out spam and the precipitous actions of SpamCop drones.

...No, tell your (and your correspondents') e-mail service provider to use the SpamCop BL (and all other BLs) appropriately

  • if you want them in your Inbox, the e-mail service provider should pass them to your Inbox
  • if someone else wants them delivered to a "check for spam" folder, the e-mail service provider should deliver them to that person's "check for spam" folder
  • if I want to never see them, the e-mail service provider should just reject them

I don't understand how using a content filter where I have to look for false positives and false negatives helps to stamp out spam.

Using an "automatic" content filter like K9 means that 99% of spam can be sent directly to the Wastebasket.

<snip>

...Gee, I guess I will send my bill for the e-mail bandwidth I incur (because of all the spam I receive) to you, then. :lol:

Using an "automatic" content filter like K9 means that 99% of spam can be sent directly to the Wastebasket. Looking for "false positives or false negatives" is very very minor compared to any time spent on any SpamCop reporting. Obviously, the way that it "stamps out spam" is that one does not respond to spam. It's just like any good consumer, who "votes with their dollars" as to what stays and dies.

By trashing the spam without reporting it just helps the spammers in many ways and it does nothing but waste bandwidth and has no effect on stopping the spammers. Spammers want you to delete it. People should complain about every piece of spam they get to the ISP's. Filtering directly to the trash is a waste. Let the ISP's know how you feel about it. spam should be denied at the server and the crap that gets through should be larted to the ISP's.

<snip>

Tell your ISP (and the ISP at the receiving end) not to use SpamCop - as has been mentioned by the "SpamCop Fans" that's their right. If they feel they must use a DNSbl, then suggest they use sbl-xbl.spamhaus.org for a "thoughtful" approach that is used by large ISP, Corporations, Government and Military.

Help stamp out spam and the precipitous actions of SpamCop drones.

...No, tell your (and your correspondents') e-mail service provider to use the SpamCop BL (and all other BLs) appropriately

  • if you want them in your Inbox, the e-mail service provider should pass them to your Inbox
  • if someone else wants them delivered to a "check for spam" folder, the e-mail service provider should deliver them to that person's "check for spam" folder
  • if I want to never see them, the e-mail service provider should just reject them

You are advocating "customized customer service", which is definitely possible (but very unlikely) for an ISP to initiate - and even then, using Spamhaus would be a better choice (reasons stated) than SpamCop.

<snip>

Tell your ISP (and the ISP at the receiving end) not to use SpamCop - as has been mentioned by the "SpamCop Fans" that's their right. If they feel they must use a DNSbl, then suggest they use sbl-xbl.spamhaus.org for a "thoughtful" approach that is used by large ISP, Corporations, Government and Military.

Help stamp out spam and the precipitous actions of SpamCop drones.

...No, tell your (and your correspondents') e-mail service provider to use the SpamCop BL (and all other BLs) appropriately

  • if you want them in your Inbox, the e-mail service provider should pass them to your Inbox
  • if someone else wants them delivered to a "check for spam" folder, the e-mail service provider should deliver them to that person's "check for spam" folder
  • if I want to never see them, the e-mail service provider should just reject them

You are advocating "customized customer service", which is definitely possible (but very unlikely) for an ISP to initiate <snip>

...Well, yes, I guess so, kind of like customized colors for automobiles, instead of Henry Ford's "any color you want, so long as you want black!" :D

...They probably don't use SpamCop BL, but Yahoo!Mail delivers suspected spam to a "Bulk Mail" folder, so they use my option 2. If I were they, I'd encourage my users to opt for (or perhaps just enforce) option 3, but then they didn't ask me. :lol: That's okay with me, provided they don't start asking me to pay for their heretofore "free" e-mail service (supported by having occasional ads).

Obviously, the way that it "stamps out spam" is that one does not respond to spam. It's just like any good consumer, who "votes with their dollars" as to what stays and dies.

Only 1% or less of all spam generates a sale. The spammers constantly add emails to their lists, usually by fraudulent means. So the fewer sales they get, the more emails they send.

I would rather "vote with my dollar" for an ISP who doesn't let me see spam and lets my correspondents who haven't chosen reliable email know that they will have to find other ways to contact me. I certainly wouldn't want a friend and definitely not a business relationship that thought I should receive hir precious email even though s/he had not taken care to choose a reliable carrier.

The *sending* end of email is the only one who can put economic pressure on the spammer and the "business sending end" is not likely to do that unless other paying customers complain about lack of service.

I don't know what K-9 is, but I have used spamassassin which let at least 3 or 4 through every day. Yet, the 3 emails that spamassassin tagged (that I noticed) that were not spam were important to me and I would much rather that the correspondent had known that they might get tagged than to have inadvertently deleted them.

It is a matter of cost, however, the content filter people are making a good living anyway while the ISP's don't have to raise rates for email. It is just like people will drive across town to get a bargain and don't count the costs of getting there.

Miss Betsy


OK, varying opinions ;) - that's good in a democracy :)

My preference is to be an "individualist" and take personal action and responsibility, instead of belonging to a "gang".

Can anyone explain why Spammers would send spam, if everyone deleted it, and never responded to the spam :unsure:


Hi, mybuddy! :)

OK, varying opinions ;) - that's good in a democracy :)

...Indeedy! :)

My preference is to be an "individualist" and take personal action and responsibility, instead of belonging to a "gang".

...My way of taking personal responsibility is to find help from others (SpamCop, in this case) to report spam more effectively and quickly than I could do myself. As the only person I know of in my company of over 35,000 people who does this, I think that qualifies me as an "individualist." :D

Can anyone explain why Spammers would send spam, if everyone deleted it, and never responded to the spam  :unsure:

...Well, that question seems to be rather far-fetched -- tantamount to posing the question, "Wouldn't we all be rid of spammers if everyone in the world had an IQ of at least 91?" In a world of however many billion people, perhaps 10% of whom may use e-mail, there will always be enough what we would consider to be the uninformed to justify someone paying someone else to spam.


The studies that have been done show that most of the spammers that are actually sending the spew are victims of MLM scams.

They answer an advertisement and send in $300 to over a $1000 dollars for a spamming kit and are promised commissions on sales.

Most never make back 1/2 of what they spent before they realize they have been conned, or they hit a proxy pot which caused their ISP to cut their connection.

The ones selling the kits are rarely touched, but in spite of media tales of their riches, many of them are also in bankruptcy.

But the media's tales of people making money on spam gets enough suckers thinking that they can win a jackpot spamming too.

spam is theft. An ISP that is aware that a spammer is stealing resources from them, or that a customer is stealing resources from other ISPs is facilitating the crime.

It is prudent and proper to protect your own networks from having your resources stolen by spammers.

It has been shown that the only thing that motivates spam friendly networks to boot their spammers is when enough other networks stop accepting packets from them.

-John

Personal Opinion Only

My preference is to be an "individualist" and take personal action and responsibility, instead of belonging to a "gang".

...My way of taking personal responsibility is to find help from others (SpamCop, in this case) to report spam more effectively and quickly than I could do myself. As the only person I know of in my company of over 35,000 people who does this, I think that qualifies me as an "individualist." :D

Nothing personal, you understand :D

But 1 out of 35,000 might be considered an oddball ;)


Personally, I appreciate being part of the 'gang'. Considering that the gang's goals are:

1) Stop spam from flooding their inbox.

2) Stop spam from flooding MY inbox.

3) Alert the (sometimes) innocent ISP's when one of their users violates their TOS agreement by sending UCE.

The beautiful thing about the free market system (as Betsy pointed out) is that we all get to 'vote' with our currency. Yourbuddy can join an ISP that provides no filtering, and he can do it all himself. Betsy, myself, and the other loyal users of spamcop who find value in being part of the 'gang' can choose to do so.

I have to admit I generally laugh at these 'damn you spamcop people for blocking my email' threads. Sometimes, valid mistakes are made. More often than not though, people let themselves get all upset for no valid reason. If person A tries to send email to person B and Person B's ISP blocks it based on a spamhaus, spamcop, or any other list... Well then Person A could get a free email address from any one of hundreds of sources to get their mail through. Or Person A could get Person B to add them to a white list. Or Person B could choose to get a different ISP. Hell, Person A could pull out a pen and paper, dust off the fax, or pick up a phone too. My goodness, isn't it amazing that we EVER managed to communicate with each other before 1990!

At the end of the day, we all have choices. Choices about how to communicate (email, fax, phone, flight, etc etc), who provides our services, and how we like to personally work those services. Those who don't like my choice: I'm sorry. Get over it. If you don't like me because I like Spamcop, well then don't send me any emails :)

I didn't create the spam problem, nor did the spam list builders. I personally don't send spam messages, and I choose providers that take a hard line on spam, thus voting with MY dollars. I'd sure like to say a big word of thanks to my fellow 'gang' members for putting forth the effort to report these pesky spammers for the good of the gang. I thank you, my inbox thanks you, and the people I do business with thank you as well, because I can respond to them MUCH faster when I don't have to wade through 80 spam messages a day to get at the 'real' 40 messages that need my attention.

Scotty (Spamcop user since 2000)

P.S. Hmmm... Maybe we should all get spam-colored bandanas and come up with a spamcop gang salute, eh? :D

P.P.S. I also choose to 'vote with my time' by ignoring the resident forum troll (I'm sure everyone knows who I'm talking about) :blink:

Edited by fromcali


Someone has already answered why JHD does not control spamming. In addition, I believe that it is possible that some people (with the same mentality of virus writers) are not trying to sell anything, but just like the game of getting past content filters.

Spamcop is not so much for the individual user as it is for admins - particularly smaller ones. It is sort of like a coop where they pool their spam to create a blocklist.

For individual users, most would like to have someone else take care of the open proxies, open relays, compromised machines (as well as the viruses which spamcop will not do). If someone is driving recklessly down the highway, no matter how many people he has in the car who are horrified at his driving, he will be stopped and they won't get where they are going. Only my ISP can stop those emails mentioned at the server level - saving both him and me money - and notifying the others in the car that they had better *do* something - get another driver or in the case of a compromised machine, it is more like warning the driver that there is a car in his blind spot.

And since the Internet is a community, the problem of spam is not going to be solved by individual action. In fact, individual action can be just as bad for the community as what is trying to be stopped. From angry people who don't know about forged return paths that bombard some innocent victim with nasty emails to those who want to DDoS spammer sites. If one of them makes a mistake or has a prejudice, that creates another problem. Blocklists are polite: I am sorry but your dog pooped on my lawn so I am closing the gate. If the reply is "Sorry about that. I won't let it happen again." Then you open the gate in the fence. If he lifts his dog over the fence to poop again, then you make it so he can't do that again and no matter how many times he knocks on the gate, you don't let him in.

I would like to see a greater variety of blocklists so that all ISP's would feel comfortable using them and increased consumer education instead of stupid butterflies.

Miss Betsy

I have to admit I generally laugh at these 'damn you spamcop people for blocking my email' threads. Sometimes, valid mistakes are made. <snip>

P.S. Hmmm... Maybe we should all get spam-colored bandanas and come up with a spamcop gang salute, eh? :D

"valid mistakes"? Is that like a "little bit pregnant"?

"spam colored bandanas and a SpamCop gang salute"?

Sounds about right for "little kids playing cops and robbers".

Beam me up Scotty ...
