myobfool

Reverse NDR Spam


My preference is to be an "individualist" and take personal action and responsibility, instead of belonging to a "gang".

...My way of taking personal responsibility is to find help from others (SpamCop, in this case) to report spam more effectively and quickly than I could do myself. As the only person I know of in my company of over 35,000 people who does this, I think that qualifies me as an "individualist." :D

Nothing personal, you understand :D

...Sure do! :D

But 1 out of 35,000 might be considered an oddball  ;)

...Sure am! :lol:

How does a "Reverse NDR" attack work? 

Step 1: Spam email is created with the intended spam victim's address in the sender field and a random, fictitious recipient, at your domain, in the To: field.

Step 2: Your mail server cannot deliver the message and sends an NDR email back to what appears to be the sender of the original message, the spam victim.

Step 3: The return email carries the non-delivery report and possibly the original spam message. Thinking it is email they sent, the spam victim reads the NDR and the included spam.

--------------------------------------------------------------------------------

What are the symptoms of a RNDR attack?

  Sluggish email delivery 

  Outbound queues full of non-delivery notices 

  Excessive admin time to clear outbound queues

If you are experiencing any of the above, chances are good your mail server is under attack.

Here's the bottom line:

If you configure your mail system in such a way that it can be abused to spam people, it will eventually be listed. There are ways to change the configuration of your mail system to prevent this from happening. You may need to add or remove certain software packages, but it can be done. It is the responsibility of the owner of the mail system to make sure that it cannot be abused.

THAT is the issue, not that SpamCop is listing the server in question. YOUR server is sending mail to people that did not request it.
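To make the three steps concrete, here is a small Python model (an added example, not code from this thread) of a mail server handling the forged message, first in accept-then-bounce mode and then with SMTP-time recipient validation against a directory, which is the fix a later post describes as an LDAP lookup with an SMTP reject. The domain, mailboxes, messages and log lines are constructed for illustration.

```python
from dataclasses import dataclass, field

LOCAL_DOMAIN = "example.com"
# Constructed stand-in for the directory (LDAP / Exchange) of real mailboxes
KNOWN_MAILBOXES = {f"alice@{LOCAL_DOMAIN}", f"bob@{LOCAL_DOMAIN}"}

@dataclass
class Message:
    envelope_from: str  # MAIL FROM; in step 1 the spammer forges the victim here
    rcpt_to: str        # RCPT TO; a random user that does not exist at LOCAL_DOMAIN
    body: str

@dataclass
class Server:
    validate_at_rcpt: bool                        # False = accept everything, bounce later
    outbound: list = field(default_factory=list)  # NDRs this server emits
    log: list = field(default_factory=list)

    def rcpt_reply(self, addr: str) -> int:
        """SMTP reply to RCPT TO. A 550 here makes the *sending* MTA own the failure."""
        if self.validate_at_rcpt and addr not in KNOWN_MAILBOXES:
            return 550
        return 250

    def handle(self, msg: Message):
        """Return the NDR generated (step 2), the delivered message, or None."""
        code = self.rcpt_reply(msg.rcpt_to)
        self.log.append(f"from=<{msg.envelope_from}> to=<{msg.rcpt_to}> rcpt_reply={code}")
        if code != 250:
            return None                  # rejected in-session: nothing to bounce
        if msg.rcpt_to in KNOWN_MAILBOXES:
            return msg                   # real mailbox: normal delivery
        if msg.envelope_from == "":
            return None                  # null sender: never bounce a bounce
        # Accepted, then found undeliverable: the NDR goes to the forged sender (step 3)
        ndr = Message("", msg.envelope_from, "Undeliverable: " + msg.body)
        self.outbound.append(ndr)
        return ndr

def backscatter_to(victim: str, validate_at_rcpt: bool, n: int = 5) -> int:
    """Feed n constructed spam messages forged from `victim`; count NDRs sent to them."""
    server = Server(validate_at_rcpt)
    for i in range(n):
        server.handle(Message(victim, f"bozo{i}@{LOCAL_DOMAIN}", "constructed spam body"))
    return sum(1 for m in server.outbound if m.rcpt_to == victim)

if __name__ == "__main__":
    print("accept-then-bounce:", backscatter_to("victim@elsewhere.example", False))  # 5
    print("reject at RCPT TO: ", backscatter_to("victim@elsewhere.example", True))   # 0
```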


SpamCop does not report bounces so your whole argument is baseless

If you are not a spammer you have a security problem with your network. It only takes an employee (or yourself) to open an "exe" file and your computer becomes a slave zombie for one to do whatever (format hard drive even)

Of course it may be your set-up is misconfigured without an IP to go by we do not know if you are even truthful


Well I'm off Spamcop now so there you go. The final answer is that:

I bought a Barracuda firewall. It does an LDAP lookup so if you aren't in my Exchange 5.5 database you are gone. (and no I still did not see a way to do an SMTP reject, and yes Micro$oft software bites)

98% of the mail I got in, and that I am 100% sure got me listed were reverse NDR attacks. i.e. a spam was sent into a non-existent address at my domain... the sender was spoofed, so my system responds with an NDR to the address. (I looked at my message queue and you don't want to know how many I was getting to bozo[at]myaddress.com for fake addresses)

Since SpamTrap addresses are out there for spammers, I would contend that is why I was accused of "sending mail to spamtraps", give me a few names of a spamtrap and I'll check one of the 10,000 messages I killed on Thursday.

Today is Monday, since Thursday when I put the box on I've received 27,000 messages at my domain. 26,500 were spam and killed by my new box, and 95% of them were NDR spam. That would certainly explain why my mailserver was brought to its knees.

Again I remind you, your list is very likely going to falsely list people. I was not on ANY of the other lists, ORDB, Spamhaus, etc. only yours! I met none of the open relay criteria and yes kids I tested it myself.

I understand the attitude about spam, but some of you with your arrogant, in-your-face attitude don't help the situation. I was a victim, I was falsely accused because of this new style of attack and most of you pretty much told me to rub rocksalt.

And yes, I really truly think you could get sued....if your information is faulty, you publish it to the internet, tell people to use it and have been told it's wrong..... you could get sued. Win? Who knows, but don't keep saying "we have the right and you can't sue us". I would not "bet" on that statement which I keep reading over and over again.......

You have no rights if you get sued, except to defend yourself. You may be vindicated, you may not be. But do NOT keep saying, you can't sue us. McDonalds got sued for warm coffee for pete's sake.

Give you a clue guys, any of you who respond to NDRs will likely be next. Spam traps are not foolproof. Oh and why give myself grief by listing my address. Trust you, I suspect not.

For those of you who are actually technically interested, reverse NDR is only about a month old. Look up the tech notes, it's fiendishly clever and bypasses most of the normal security an email system has.


Have you considered disabling the sending of NDRs until the attack stops?


I am not technically fluent, but I do not see the difference between spam coming from a spammer and spam coming to me because the spammer forged my email address. It is still unsolicited (I never sent the email) and definitely is as unwanted as spam.

I agree that it makes life difficult for those who are using the internet to keep up with all the spammer tricks. But some offline merchants have a difficult time with shoplifters. Life is full of unnecessary precautions and techniques because of unscrupulous people.

Miss Betsy

Have you considered disabling the sending of NDRs until the attack stops?

This person has not given us any clue as to what they are on about or any of the supposedly afflicted IP addresses (yes we get spammers often proclaiming innocence)

SpamCop does not allow bounces to be reported? SpamCop looks for originating IP to be blocked. They have a misconfigured server and are blaming SpamCop the messenger

It would help if this person gave some info to check? A blocked IP number would help correct their problem

It is obvious they have misconfigured something and are wrongly blaming SpamCop

I bought a Barracuda firewall. 


Is there any disadvantage to being blacklisted by spamcop.net if you are using a barracuda firewall? These devices are typically configured to receive incoming mail, and not send outbound mail.

Oh, I guess your real mail senders would not receive your bounces if they subscribed to the spamcop DNSBL. That could be a problem.

Quoting caltrans.ca.gov, Apr 13 2006, 11:16 AM: Is there any disadvantage to being blacklisted by spamcop.net if you are using a barracuda firewall? These devices are typically configured to receive incoming mail, and not send outbound mail.

Oh, I guess your real mail senders would not receive your bounces if they subscribed to the spamcop DNSBL. That could be a problem.

Are you expecting a response from someone making their last post here over 2 years ago? There is now a Geek / Tech stuff forum section that was set up to handle questions like this.

