Security Incidents mailing list archives

RE: NDRs from spamming


From: "Tenorio, Leandro" <ltenorio () intelaction com>
Date: Thu, 18 Sep 2003 19:59:46 -0300

        A month ago I received those messages too. I applied the same rule:
forward those netaddrs (211.170.0.0 / 219.0.0.0 / 61.30.0.0) to null
on the internet router (anyone can block those addrs on any firewall
too), and delete the NDRs from the SMTP queue.
        The fact is, anyone can send a lot of mails to a server, let's
say yahoo.com.tw, and write as reply addr an e-mail address on your
domain, because most of the servers or FWs do not make a reverse domain
check; yahoo in this case will send you a lot of NDRs. Even if you make
a reverse domain check, those messages are real NDRs from a real SMTP
server.
        About the complaints, I do it every time I find an attack. This
is a somewhat simple but effective attack; it could take you a lot of
time to search, block and remediate the entire system. Sometimes it
works, sometimes not.


I hope this helps.


-----Original Message-----
From: Justin Cooksey [mailto:justin () cooksey com au] 
Sent: Thursday, September 18, 2003 5:55 AM
To: 'Romulo M. Cholewa'; incidents () securityfocus com
Subject: RE: NDRs from spamming

I have recently had exactly this problem on two independent systems that
I help maintain.
One using Exchange 5.5 SP3, the other Exchange 2000 SP3.
Both systems are not open relays.
Both systems were free from known viruses at the date the incidents were
noticed.
Both had well over 1000 NDRs in the queues when we stopped SMTP
services.

The only reference to this attack I have found on the net is
http://www.cmsconnect.com/Praetor/RNDR/prRNDR.htm, as well as news
articles about this site claiming that it's hype to help sell more of
this company's product, which can block RNDR attacks.

I guess one solution is to disable any and all NDRs?

I have found that all these Reverse NDRs are coming from Chinese subnets,
and have simply blocked these subnets from seeing the two systems.
Perhaps a bit of overkill as a solution, but it definitely worked.

The following are the subnets I have blocked:
218.70.0.0/255.255.0.0
211.158.32.0/255.255.248.0
211.158.80.0/255.255.248.0

I'm hesitant to send complaints to the listed emails for these subnets.
I'm just not sure if it will be taken seriously. Does anyone have an
opinion on the worth of sending complaints?

Regards,
Justin Cooksey

-----Original Message-----
From: Romulo M. Cholewa [mailto:rmc () rmc eti br]
Sent: Thursday, 18 September 2003 12:13 AM
To: incidents () securityfocus com
Subject: NDRs from spamming


Hi there,

I've noticed increasing activity in our postmaster account over the last 2
weeks. We are receiving lots of NDRs for hundreds of non-existent
"pseudo" email addresses. I found out that spammers are using our domain
to fill in the from address (creating random mailbox/user names and
appending @domain.com to the address).

In theory, this should not be a real concern, since the worst-case
scenario would be receiving lots of NDRs. But in fact, some strange
things are happening.

First, the volume of NDRs is compromising our bandwidth (yes, the NDRs
are in the thousands a day already).

Second, some stupid (or badly configured) anti-spam systems are blocking
my mail server based on the email address (easily forged). Before the
question is raised, no, our server is not accepting mails as an open
relay, so the messages are not being originated here.

So, I would like to ask if this is a known issue. If it is, are there
any counter-measures that could be taken?

If it is not, I think it would be nice to issue an advisory, or at least
a best practice about configuring anti-spam tools, to NOT blackhole
other mail servers based solely on from-address fields, which can be
easily forged.

Any info on this matter would be greatly appreciated.

Regards,

Romulo M. Cholewa
Home : http://www.rmc.eti.br
PGP Keys Available @ website.

 "I am become Death, the destroyer of worlds." -- Robert Oppenheimer 
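One way to tell the reverse-NDR backscatter the three posts describe apart from genuine bounces, and to see which MTAs are sending it at the /24 granularity Justin blocks at. This is an added example and not code from any of the posters: it assumes our domain is example.com, that our MTA sends from 192.0.2.0/24, that KNOWN_MAILBOXES lists our only real mailboxes, and the two NDRs it parses are constructed samples, not captured ones. Its strongest signal is the one Leandro's explanation implies: the remote MTA wrote the Received hop that records the spammer's IP, so if the returned original never transited our outbound addresses, we did not send it.

```python
"""Classify inbound NDRs as genuine bounces or backscatter from forged
senders, and tally the MTAs that deliver the backscatter per /24.

Added example, not code from the thread.  Assumptions: our domain is
example.com, our MTA sends from 192.0.2.0/24, and the only real mailboxes
are those in KNOWN_MAILBOXES.  Both sample NDRs below are constructed.
"""
from __future__ import annotations

import email
import ipaddress
import re
from collections import Counter
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                                   # assumed
OUR_OUTBOUND_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed
KNOWN_MAILBOXES = {"postmaster", "alice", "bob"}              # assumed

# Client address as MTAs record it in Received: "[203.0.113.45]" or "(203.0.113.45)".
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def received_ips(msg: EmailMessage) -> list[str]:
    """Client IPs from the Received headers, most recent hop first."""
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(str(hdr))
        if m:
            ips.append(m.group(1))
    return ips


def original_message(ndr: EmailMessage) -> EmailMessage | None:
    """Pull the returned original out of a multipart/report NDR, if any."""
    for part in ndr.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":   # some MTAs return only the headers
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def classify_ndr(raw: str) -> dict:
    """Return {'backscatter': bool, 'reasons': [...], 'bouncing_mta': ip}."""
    ndr = email.message_from_string(raw, policy=policy.default)
    reasons = []

    # 1. The bounce is addressed to the forged sender; random local parts
    #    (Romulo's "pseudo" addresses) do not exist on our side.
    _, to_addr = parseaddr(str(ndr.get("To", "")))
    local, _, domain = to_addr.partition("@")
    if domain.lower() == OUR_DOMAIN and local.lower() not in KNOWN_MAILBOXES:
        reasons.append(f"bounce addressed to non-existent mailbox {local}")

    orig = original_message(ndr)
    if orig is None:
        reasons.append("no returned original to verify")
    else:
        # 2. Strong signal: the remote MTA recorded who handed it the message.
        #    A message we sent shows one of our outbound addresses in that chain.
        hops = [ipaddress.ip_address(ip) for ip in received_ips(orig)]
        if not any(ip in net for ip in hops for net in OUR_OUTBOUND_NETS):
            reasons.append("original never transited our MTA; hops: "
                           + ", ".join(map(str, hops)))
        # 3. Weak signal (forgeable): our MTA stamps Message-IDs in our domain.
        mid_domain = str(orig.get("Message-ID", "")).strip("<>").rpartition("@")[2].lower()
        if mid_domain != OUR_DOMAIN and not mid_domain.endswith("." + OUR_DOMAIN):
            reasons.append(f"original Message-ID not from our domain: {mid_domain!r}")

    sources = received_ips(ndr)   # first hop is the MTA that delivered the NDR to us
    return {"backscatter": bool(reasons), "reasons": reasons,
            "bouncing_mta": sources[0] if sources else None}


def tally_sources(classified: list[dict], prefix: int = 24) -> Counter:
    """Backscatter-delivering MTAs per /prefix, for a firewall block decision."""
    c: Counter = Counter()
    for r in classified:
        if r["backscatter"] and r["bouncing_mta"]:
            net = ipaddress.ip_network(f"{r['bouncing_mta']}/{prefix}", strict=False)
            c[str(net)] += 1
    return c


# Constructed sample 1: a spammer at 203.0.113.45 sent to example.net with a
# random forged sender at our domain; example.net's MTA bounces it back to us.
BACKSCATTER_NDR = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
  by mail.example.com with ESMTP id h8IN0001
  for <qzx8841@example.com>; Thu, 18 Sep 2003 10:00:00 -0300
From: Mail Delivery System <MAILER-DAEMON@example.net>
To: <qzx8841@example.com>
Subject: Undeliverable: Cheap stuff
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="rb"

--rb
Content-Type: text/plain

The message could not be delivered to nobody@example.net.

--rb
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1

--rb
Content-Type: message/rfc822

Received: from unknown (HELO pc) (203.0.113.45)
  by mx.example.net with SMTP; Thu, 18 Sep 2003 09:59:00 -0300
From: <qzx8841@example.com>
To: <nobody@example.net>
Subject: Cheap stuff
Message-ID: <20030918095900.4711@pc>

buy now

--rb--
"""

# Constructed sample 2: a genuine bounce of mail our own MTA (192.0.2.10) sent.
GENUINE_NDR = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
  by mail.example.com with ESMTP id h8IN0002
  for <alice@example.com>; Thu, 18 Sep 2003 10:05:00 -0300
From: Mail Delivery System <MAILER-DAEMON@example.net>
To: <alice@example.com>
Subject: Undeliverable: Meeting notes
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="rb"

--rb
Content-Type: text/plain

The address has moved.

--rb
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; olduser@example.net
Action: failed
Status: 5.1.1

--rb
Content-Type: message/rfc822

Received: from mail.example.com (mail.example.com [192.0.2.10])
  by mx.example.net with ESMTP; Thu, 18 Sep 2003 10:04:00 -0300
From: Alice <alice@example.com>
To: <olduser@example.net>
Subject: Meeting notes
Message-ID: <20030918100400.1234@mail.example.com>

See attached.

--rb--
"""

if __name__ == "__main__":
    results = [classify_ndr(BACKSCATTER_NDR), classify_ndr(GENUINE_NDR)]
    for r in results:
        print(r)
    print(tally_sources(results))
```

Only the Received-chain check is hard to defeat, since the hop naming the spammer's IP was written by the bouncing MTA, not by the spammer; the Message-ID and mailbox checks are hints that a spammer can forge or guess. The tally is the /24 view the thread blocks on; dropping a whole prefix at the firewall also drops any legitimate mail from those MTAs, which is the overkill Justin mentions, so prefer rejecting at the SMTP level or limiting the block to the busiest sources.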



---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
technical IT security event.  Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symantec is the Diamond sponsor.  Early-bird registration ends September 6.
Visit us: www.blackhat.com
----------------------------------------------------------------------------






