Security Incidents mailing list archives

RE: NDRs from spamming


From: "Tenorio, Leandro" <ltenorio () intelaction com>
Date: Fri, 19 Sep 2003 13:42:36 -0300

Thanks Romulo for your summary, a very good practice.
I want to add a note: if you can block the subnets at the routing level instead of the firewall level, it will keep your firewall 
log files cleaner; or at least check the firewall logs for other suspicious activity. It's common to hide an attack with 
a lot of "noise".



-----Original Message-----
From: Romulo M. Cholewa [mailto:rmc () rmc eti br] 
Sent: Friday, September 19, 2003 7:37 AM
To: incidents () securityfocus com
Subject: RES: NDRs from spamming

Hi All (again),

I would like to thank you for all the replies I received. I would like to write down a summary of what I've found so 
far about this issue:

Identification
As you all mentioned, this kind of "behaviour" is a well-known procedure called "joe-jobbing", and it appears to be a 
common spammer attack (if they don't like you maybe you get such a gift), and a way to relay spam (sort of). I really 
don't know what triggered the attack, as it seems to be a targeted one. Maybe I have a close "friend" that is a big 
spammer, go figure.

http://www.cmsconnect.com/Praetor/RNDR/prRNDR.htm

Side Effects
There are some strange and unfortunate results:

1. spam blocking
Since you will start sending out lots of NDRs to domains out there, you may get blocked by misconfigured anti-spam 
tools. They might be triggered by the amount of email you are sending them, or just because your email server usually 
attaches the original message (so message content scanning anti-spam tools might be triggered as well). Also, instead of 
analyzing the headers to find out the originating SMTP server, some anti-spam tools might be configured to block 
looking for the MX of the @domain.com in the From: field (bad). This is generally worse when someone "smart enough" 
submits your IP to a well-known blackhole list (even "smarter" if they block you based on NDRs). You will probably sort 
things out, but it will take some time.

2. bandwidth
By default, your mail server will issue an NDR for each NDR it receives, since the mailbox From: names are random. This 
will probably double the amount of traffic. If you are short on bandwidth or server power, it might be an issue, since 
these attacks usually generate 10000 NDR mails a day per domain - double that if you have NDRs enabled - multiply by n 
domains if you are an ISP or host mail servers.

What can be done
There are some things you might do to ease the pain. It probably won't solve the problem, but might get the side 
effects under a manageable threshold.

1. temporarily disable NDRs
This would cut in half the amount of traffic and server load generated by the NDRs you receive.

2. track down and block offending SMTP servers
Received lots of messages about this, and it appears to be an effective 
counter-measure. Blocking IP subnets like 218.70.0.0/255.255.0.0 211.158.32.0/255.255.248.0 211.158.80.0/255.255.248.0 
211.170.0.0 / 219.0.0.0 / 61.30.0.0 (Thanks Justin / Leandro) really reduced the amount of NDRs received. DON'T forget 
to block secondary, tertiary, etc., SMTP servers, or the NDRs might simply be delivered to them anyway.

Thanks again.

Regards,

Romulo M. Cholewa
Home : http://www.rmc.eti.br
PGP Keys Available @ website.




Hi there,

I've noticed some increasing activity in our postmaster account since 2 weeks ago. We are receiving lots of NDRs from 
hundreds of non-existent "pseudo" email addresses. I found out that spammers are using our domain to fill up the from 
address (like creating random mailbox/user names and appending the @domain.com to the address).

In theory, this should not be a real concern, since the worst case scenario would be receiving lots of NDRs. But in 
fact, some strange things are happening.

First, the amount of NDRs is compromising our bandwidth (yes, the NDRs are in the thousands a day already).

Second, some stupid (or badly configured) anti-spam systems are blocking my mail server based on the email address 
(easily forged). Before the question is raised, no, our server is not accepting mails as an open relay, so the messages 
are not being originated here.

So, I would like to ask if this is a known issue. If it is, are there any counter-measures that could be taken?

If it is not, I think it would be nice to issue an advisory, or at least a best-practice about configuring anti-spam 
tools, to NOT blackhole other mail servers based solely on from address fields, that can be easily forged.

Any info on this matter would be greatly appreciated.

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, 
VA; the world's premier technical IT security event.  Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 
12 training sessions, top speakers and sponsors.  
Symantec is the Diamond sponsor.  Early-bird registration ends September 6.Visit us: www.blackhat.com
----------------------------------------------------------------------------
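A worked example for the "track down and block offending SMTP servers" step in Romulo's summary. This script is added here and is not code from anyone on the thread. It assumes the NDRs you receive carry the forged original message together with its Received: trail (as a message/rfc822 part, which is how most MTAs attach it, or pasted into the body by older ones), that the joe-jobbed domain is the placeholder example.com, and it works on constructed sample bounces using RFC 5737 documentation addresses. It reads the originating hop from the Received: trail rather than from the forged From: address (the mistake the anti-spam tools in the thread make), then ranks the source networks by NDR count so you can decide what is worth a route or firewall block.

```python
"""Rank the SMTP sources behind a flood of joe-job NDRs (backscatter).

Added example, not code from anyone on this thread. Assumptions: the NDRs
we receive carry the forged original message with its Received: trail
(as a message/rfc822 part, or pasted inline by older MTAs); our domain is
the placeholder example.com; all sample bounces and IPs below are
constructed from RFC 5737 documentation ranges.
"""
import email
import ipaddress
import re
from collections import Counter
from email import policy

OUR_DOMAIN = "example.com"  # placeholder for the domain being joe-jobbed

# "from <host> (<name> [<ip>])" clause of a Received: header; captures the IP.
_FROM_IP_RE = re.compile(r"\bfrom\b.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)
# A Received: header plus its folded continuation lines (inline-text fallback).
_RECEIVED_RE = re.compile(r"^Received:[^\n]*(?:\n[ \t][^\n]*)*", re.M)


def received_trail(bounce_text):
    """Received: headers of the forged original carried in the NDR, latest hop first."""
    outer = email.message_from_string(bounce_text, policy=policy.default)
    for part in outer.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload(0)  # the embedded original message
            return [str(h) for h in inner.get_all("Received", [])]
    # Fallback: original headers pasted into the body. The NDR's own Received:
    # lines sit above them, so the original's first hop is still the last match.
    return _RECEIVED_RE.findall(bounce_text)


def originating_ip(bounce_text):
    """IP of the earliest hop of the forged message (the spam source), or None."""
    hops = received_trail(bounce_text)
    if not hops:
        return None
    # Each MTA prepends its Received: line, so the last one is the earliest hop.
    match = _FROM_IP_RE.search(hops[-1])
    return match.group(1) if match else None


def rank_networks(bounces, prefixlen=24):
    """Count originating IPs per network, noisiest first, for block-list review."""
    counts = Counter()
    for raw in bounces:
        ip = originating_ip(raw)
        if ip is not None:
            net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
            counts[str(net)] += 1
    return counts.most_common()


def constructed_bounce(src_ip, localpart, remote_mx, inline=False):
    """Build a constructed NDR as remote_mx would return it to our forged sender."""
    original = (
        f"Received: from relay.{remote_mx} (relay.{remote_mx} [192.0.2.7])\n"
        f"\tby {remote_mx} with ESMTP; Fri, 19 Sep 2003 10:01:00 -0300\n"
        f"Received: from mail.{OUR_DOMAIN} (unknown [{src_ip}])\n"
        f"\tby relay.{remote_mx} with SMTP; Fri, 19 Sep 2003 10:00:00 -0300\n"
        f"From: {localpart}@{OUR_DOMAIN}\n"
        f"To: someone@{remote_mx}\n"
        "Subject: constructed spam sample\n\nbody\n"
    )
    head = (
        f"Received: from {remote_mx} ({remote_mx} [192.0.2.2])\n"
        f"\tby mail.{OUR_DOMAIN} with ESMTP; Fri, 19 Sep 2003 10:02:00 -0300\n"
        f"From: MAILER-DAEMON@{remote_mx}\n"
        f"To: {localpart}@{OUR_DOMAIN}\n"
        "Subject: Undelivered Mail Returned to Sender\n"
    )
    if inline:
        return head + "Content-Type: text/plain\n\nUser unknown. Original headers:\n\n" + original
    return (
        head
        + 'Content-Type: multipart/report; report-type=delivery-status; boundary="B"\n\n'
        "--B\nContent-Type: text/plain\n\nUser unknown.\n"
        "--B\nContent-Type: message/rfc822\n\n" + original + "--B--\n"
    )


# Constructed sample: four bounces, three of them from the same /24.
SAMPLE_BOUNCES = [
    constructed_bounce("203.0.113.45", "qz8rt3", "remote-a.example.net"),
    constructed_bounce("203.0.113.46", "h7u2kd", "remote-b.example.net"),
    constructed_bounce("203.0.113.200", "m1x9pp", "remote-a.example.net", inline=True),
    constructed_bounce("198.51.100.77", "a0b1c2", "remote-c.example.net"),
]

if __name__ == "__main__":
    for net, count in rank_networks(SAMPLE_BOUNCES):
        print(f"{net}\t{count} NDR(s)")
```

Two caveats before acting on the ranking: the spam source can prepend fake Received: lines of its own, so the earliest hop is only as trustworthy as the remote MX that wrote the line above it, and the candidates should be cross-checked against your own SMTP and firewall logs before a network goes into a route or firewall block. Run the ranking with `prefixlen=16` as well when the sources are scattered across a provider's address space, which is how the /16 blocks quoted in the summary were arrived at.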