Security Incidents mailing list archives
RE: NDRs from spamming
From: "Tenorio, Leandro" <ltenorio () intelaction com>
Date: Thu, 18 Sep 2003 19:59:46 -0300
A month ago I received those messages too. I applied the same rule: forward those netaddrs (211.170.0.0 / 219.0.0.0 / 61.30.0.0) to null on the Internet router (anyone can block those addrs on any firewall too), and delete the NDRs from the SMTP queue.

The fact is, anyone can send a lot of mails to a server, let's say yahoo.com.tw, and write as reply addr an e-mail address on your domain, because most of the servers or firewalls do not make a reverse domain check. Yahoo in this case will send you a lot of NDRs; even if you make a reverse domain check, those messages are real NDRs from a real SMTP server.

About the complaints, I do it every time I find an attack. This is a somehow simple but effective attack; it could take you a lot of time to search, block and remediate the entire system. Sometimes it works, sometimes not.

I hope this helps.

-----Original Message-----
From: Justin Cooksey [mailto:justin () cooksey com au]
Sent: Thursday, September 18, 2003 5:55 AM
To: 'Romulo M. Cholewa'; incidents () securityfocus com
Subject: RE: NDRs from spamming

I have recently had exactly this problem on two independent systems that I help maintain. One using Exchange 5.5 SP3, the other Exchange 2000 SP3. Both systems are not open relays. Both systems are free from known viruses, as of the date the incidents were noticed. Both had well over 1000 NDRs in the queues when we stopped SMTP services.

The only reference to this attack I have found on the net is http://www.cmsconnect.com/Praetor/RNDR/prRNDR.htm, as well as news articles about this site claiming that it's hype to help sell more of this company's product, which can block RNDR attacks.

I guess one solution is to disable any and all NDRs?

I have found that all these Reverse NDRs are coming from Chinese subnets, and have simply blocked these subnets from seeing the two systems. Perhaps a bit of overkill as a solution, but it definitely worked.

The following are the subnets I have blocked:
218.70.0.0/255.255.0.0
211.158.32.0/255.255.248.0
211.158.80.0/255.255.248.0

I'm hesitant to send complaints to the listed emails for these subnets. I'm just not sure if it will be taken seriously. Does anyone have an opinion on the worth of sending complaints?

Regards,
Justin Cooksey

-----Original Message-----
From: Romulo M. Cholewa [mailto:rmc () rmc eti br]
Sent: Thursday, 18 September 2003 12:13 AM
To: incidents () securityfocus com
Subject: NDRs from spamming

Hi there,

I've noticed some increasing activity in our postmaster account since 2 weeks ago. We are receiving lots of NDRs from hundreds of non-existent "pseudo" email addresses. I found out that spammers are using our domain to fill up the from address (like creating random mailbox/user names and appending the @domain.com to the address).

In theory, this should not be a real concern, since the worst case scenario would be receiving lots of NDRs. But in fact, some strange things are happening. First, the amount of NDRs is compromising our bandwidth (yes, the NDRs are in the thousands a day already). Second, some stupid (or badly configured) anti-spam systems are blocking my mail server based on the email address (easily forged).

Before the question is raised, no, our server is not accepting mails as an open relay, so the messages are not being originated here.

So, I would like to ask if this is a known issue. If it is, are there any counter-measures that could be taken? If it is not, I think it would be nice to issue an advisory, or at least a best-practice about configuring anti-spam tools, to NOT blackhole other mail servers based solely on from address fields, which can be easily forged.

Any info on this matter would be greatly appreciated.

Regards,
Romulo M. Cholewa
Home : http://www.rmc.eti.br
PGP Keys Available @ website.
"I am become Death, the destroyer of worlds."
-- Robert Oppenheimer

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symantec is the Diamond sponsor. Early-bird registration ends September 6. Visit us: www.blackhat.com
---------------------------------------------------------------------------
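As an added illustration (not code from anyone in this thread), the check the posters above apply by hand: an inbound bounce addressed to a mailbox that never existed, or quoting an original Message-ID our MTA never sent, is backscatter from a forged sender, and its sources can be aggregated per /16 as candidates for the null route or firewall block Tenorio and Cooksey describe. All IPs, mailboxes and Message-IDs below are constructed; it assumes the NDR body quotes the original Message-ID.

```python
import re
import ipaddress
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data (not from the thread): mailboxes that exist on our
# domain, and Message-IDs our own MTA actually sent (from a sent-mail log).
LOCAL_DOMAIN = "example.com"
REAL_MAILBOXES = {"romulo", "postmaster"}
OUR_SENT_MSGIDS = {"<real-1@example.com>"}

# Constructed inbound mail as (source IP, raw RFC 822 text). Remote MTAs that
# accepted the forged sender bounce to random local parts at our domain.
INBOUND = [
    ("211.158.33.7", "From: MAILER-DAEMON@mx1.example.net\nTo: xkq92a@example.com\n\nMessage-ID: <a1@spam.invalid>\n"),
    ("211.158.81.20", "From: postmaster@mx2.example.net\nTo: bq77z@example.com\n\nMessage-ID: <a2@spam.invalid>\n"),
    ("218.70.5.9", "From: MAILER-DAEMON@mx3.example.net\nTo: romulo@example.com\n\nMessage-ID: <a3@spam.invalid>\n"),
    ("198.51.100.4", "From: MAILER-DAEMON@partner.example.org\nTo: romulo@example.com\n\nMessage-ID: <real-1@example.com>\n"),
    ("203.0.113.8", "From: alice@partner.example.org\nTo: romulo@example.com\n\nHi Romulo\n"),
]
NDR_SENDER = re.compile(r"^(mailer-daemon|postmaster)@", re.I)
MSGID = re.compile(r"Message-ID:\s*(<[^>]+>)", re.I)

def classify(raw):
    """Return 'not-ndr', 'legit-ndr' or 'backscatter' for one raw message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    if not NDR_SENDER.match(sender):
        return "not-ndr"
    local, _, domain = parseaddr(msg.get("To", ""))[1].partition("@")
    # A bounce addressed to a mailbox we never had can only be backscatter.
    if domain.lower() != LOCAL_DOMAIN or local.lower() not in REAL_MAILBOXES:
        return "backscatter"
    # A bounce for a message our MTA never emitted is backscatter too
    # (assumes the NDR body quotes the original Message-ID, as most do).
    m = MSGID.search(msg.get_payload())
    if m is None or m.group(1) not in OUR_SENT_MSGIDS:
        return "backscatter"
    return "legit-ndr"

def backscatter_prefixes(inbound, prefixlen=16, threshold=2):
    """Backscatter sources per /prefixlen at or above threshold: block candidates."""
    counts = Counter()
    for ip, raw in inbound:
        if classify(raw) == "backscatter":
            net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
            counts[str(net)] += 1
    return {net: n for net, n in counts.items() if n >= threshold}
```

Real NDRs for mail we did send (the 198.51.100.4 case) pass through untouched, which is what keeps this safer than disabling NDRs wholesale.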