Security Incidents mailing list archives

Re: NDRs from spamming


From: "James C. Slora Jr." <Jim.Slora () phra com>
Date: Fri, 19 Sep 2003 10:25:47 -0400

Justin Cooksey wrote:

> I have recently had exactly this problem on two independent systems that
> I help maintain. One using Exchange 5.5 SP3, the other Exchange 2000 SP3.
> Both systems are not open relays.
> Both systems are free from known viruses, at the date the incidents were
> noticed.
> Both had well over 1000 NDRs in the queues when we stopped SMTP services.
>
> I guess one solution is to disable any and all NDRs?

NDR is pretty worthless nowadays IMO. Most are for spam anyway. Sending NDRs
just lets the spammers validate their address lists - they send mail to
impossible addresses fishing for NDRs, then send mail to their normal
recipients to see if the response is different.

Also, if all the sender information is faked by the spammer or the message
was sent through a proxy, your NDR does not even go to the people who tried
to send the mail - so you either are left with undeliverable NDRs or you end
up bombarding the victim of a joe job.

One method of handling the badly addressed mail is to add the bogus
recipient addresses into a bitbucket mailbox. If you can afford the time for
manual NDR decisions you can notify legitimate senders and send the rest to
the bitbucket.

> I have found that all these reverse NDRs are coming from Chinese subnets,
> and have simply blocked these subnets from seeing the two systems.
> Perhaps a bit of overkill as a solution, but it definitely worked.
>
> The following are the subnets I have blocked:
> 218.70.0.0/255.255.0.0
> 211.158.32.0/255.255.248.0
> 211.158.80.0/255.255.248.0
>
> I'm hesitant to send complaints to the listed emails for these subnets.
> I'm just not sure if it will be taken seriously. Does anyone have an
> opinion on the worth of sending complaints?

Complaints are not helpful, but notifications to responsible and ethical
admins are ;)

It takes plenty of research to determine whether there is a responsible and
ethical upstream contact for spam sources. You will probably also need help
from a Chinese speaker to communicate effectively with the source contacts.
English has generally not been useful to me in dealing with Far East
domains, but others have reported success when they communicate in the
native language of their contacts.

FWIW I'd rather block spam sources than try to navigate the abuse process,
since spam is a well-funded commercial and criminal enterprise with
high-level support around the world. I save my reporting time for the script
kiddies and worms, where smaller effort can reap larger rewards.
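A small defensive check illustrating the two symptoms discussed in this thread (one source probing for non-existent local addresses, and a forged sender domain being flooded with NDRs). This is an added example, not code from the original message or the list; the log format, addresses and thresholds are constructed for illustration and are not the real Exchange tracking-log layout.

```python
import re
from collections import Counter

# Constructed sample log lines in a made-up, simplified format (NOT the real
# Exchange 5.5/2000 tracking-log layout). Two event kinds appear:
#   RCPT - an inbound delivery attempt: connecting IP, envelope sender,
#          local recipient, and whether that recipient exists
#   NDR  - a non-delivery report the server queued back to the envelope sender
SAMPLE_LOG = """\
2003-09-19T10:00:01 RCPT ip=203.0.113.7 from=<bob@victim.example> to=<alice@mail.example.net> status=ok
2003-09-19T10:00:02 RCPT ip=203.0.113.7 from=<bob@victim.example> to=<qx81k@mail.example.net> status=unknown-user
2003-09-19T10:00:02 NDR to=<bob@victim.example> orig-rcpt=<qx81k@mail.example.net>
2003-09-19T10:00:03 RCPT ip=203.0.113.7 from=<carol@victim.example> to=<m3pz@mail.example.net> status=unknown-user
2003-09-19T10:00:03 NDR to=<carol@victim.example> orig-rcpt=<m3pz@mail.example.net>
2003-09-19T10:00:04 RCPT ip=203.0.113.7 from=<dave@victim.example> to=<ll9a@mail.example.net> status=unknown-user
2003-09-19T10:00:04 NDR to=<dave@victim.example> orig-rcpt=<ll9a@mail.example.net>
2003-09-19T10:00:05 RCPT ip=192.0.2.10 from=<pat@partner.example> to=<alice@mail.example.net> status=ok
2003-09-19T10:00:06 RCPT ip=192.0.2.10 from=<pat@partner.example> to=<alise@mail.example.net> status=unknown-user
2003-09-19T10:00:06 NDR to=<pat@partner.example> orig-rcpt=<alise@mail.example.net>
"""

LINE_RE = re.compile(r"^(\S+) (RCPT|NDR) (.*)$")
KV_RE = re.compile(r"(\w[\w-]*)=<?([^>\s]*)>?")


def parse(log_text):
    """Yield (timestamp, event, fields) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, event, rest = m.groups()
        yield ts, event, dict(KV_RE.findall(rest))


def ndr_findings(log_text, ip_threshold=3, domain_threshold=3):
    """Flag the two backscatter symptoms from the thread:
    - a client IP hitting many non-existent local addresses (address harvesting,
      which our NDRs would confirm for it), and
    - one envelope-sender domain receiving many of our NDRs (a joe-job victim,
      since the forged sender never sent the mail)."""
    unknown_by_ip, ndr_by_domain = Counter(), Counter()
    for _, event, f in parse(log_text):
        if event == "RCPT" and f.get("status") == "unknown-user":
            unknown_by_ip[f["ip"]] += 1
        elif event == "NDR" and "@" in f.get("to", ""):
            ndr_by_domain[f["to"].split("@", 1)[1]] += 1
    findings = [("probing-ip", ip, n) for ip, n in unknown_by_ip.items() if n >= ip_threshold]
    findings += [("ndr-flood-domain", d, n) for d, n in ndr_by_domain.items() if n >= domain_threshold]
    return findings
```

Either finding is a cue to stop queuing NDRs for unknown recipients (bitbucket them, as suggested above) and to review the probing source for blocking.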

