Security Incidents mailing list archives
RE: NDRs from spamming
From: "Tenorio, Leandro" <ltenorio () intelaction com>
Date: Fri, 19 Sep 2003 13:42:36 -0300
Thanks Romulo for your summary, a very good practice. I want to add a note, if you can block the Subnets at routing level instead of firewall level, will keep your firewall log files more clean, or at least check firewall logs for other suspicius activity. It´s common to hide an attack with a lot of "noise". -----Original Message----- From: Romulo M. Cholewa [mailto:rmc () rmc eti br] Sent: Friday, September 19, 2003 7:37 AM To: incidents () securityfocus com Subject: RES: NDRs from spamming Hi All (again), I would like to thank you for all the replies I received. I would like to write down a summary of what I've found so far about this issue: Identification As you all mentioned, this kind of "behaviour" is a well-known procedure called "joe-jobbing", and it appears to be a common spammer attack (if they don't like you maybe you get such a gift), and a way to relay spam (sort of). I really don't know what triggered the attack, as it seems to be a targeted one. Maybe I have a close "friend' that is a big spammer, go figure. http://www.cmsconnect.com/Praetor/RNDR/prRNDR.htm Side Effects There are some strange and unfortunate results: 1. spam blocking Since you will start sending out lots of NDRs to domains out there, you may get blocked by misconfigured anti-spam tools. They might be triggered by the amount of email you are sending them, or just because your email server use to attach the original message (so message content scanning anti-spam tools might be triggered as well). Also, instead of analyzing the headers to find out the originating smtp server, some anti-spam tools might be configured to block looking for the MX of the @domain.com in the from: field (bad). This is generally worse when someone "smart enough" submit your IP to a well-known blackhole list (even "smarter" if they block you based on NDRs). You will probably sort things out, but it will take some time. 2. bandwidth By default, your mail server will issue a NDR for each NDR it receives, since the mailbox from: names are random. This will probably double the amount of traffic. IF you are short on bandwidth or server power, it might be an issue, since these attacks usually generate 10000 NDR mails a day per domain - double that if you have NDRs enabled - multiply by n domains if you are an ISP or host mail servers. What can be done There are some things you might do to easy the pain. It probably won't solve the problem, but might get the side effects under a manageable threshold. 1. temporarily disable NDRs This would cut in half the amount of traffic and server load generaded by the NDRs you receive. 2. track down and block offending SMTP servers Received lots of messages about this, and it appears to be an effective counter-measure. Blocking IP subnets like 218.70.0.0/255.255.0.0 211.158.32.0/255.255.248.0 211.158.80.0/255.255.248.0 211.170.0.0 / 219.0.0.0 / 61.30.0.0 (Thanks Justin / Leandro) really reduced the amount of NDRs received. DON'T forget to block secondary, terciary, etc., smtp servers, or the NDRs might simply be delivered to them anyway. Thanks again. Regards, Romulo M. Cholewa Home : http://www.rmc.eti.br PGP Keys Available @ website. Hi there, I've noticed some increasing activity in our postmaster account since 2 weeks ago. We are receiving lots of NDRs from hundreds of non-existent "pseudo" email addresses. I found out that spammers are using our domain to fill up the from address (like creating random mailbox/user names and appending the @domain.com to the address). In theory, this should not be a real concern, since the worst case cenario would be receiving lots of NDRs. But in fact, some strange things are happening. First, the amount of NDRs are compromising our bandwidth (yes, the NDRs are in the thousands a day already). Second, some stupid (or badly configured) anti-spam systems are blocking my mail server based on the email address (easily forged). Before the question is raised, no, our server is not accepting mails as an open relay, so the messages are not being originated here. So, I would like to ask if this is a known issue. If it is, are there any counter-measures that could be taken ? If it is not, I think it would be nice to issue an advisory, or at least a best-practice about configuring anti-spam tools, to NOT blackhole other mail servers based solely on from address fields, that can be easily forged. Any info on this matter would be greatly appreciated. --------------------------------------------------------------------------- Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symantec is the Diamond sponsor. Early-bird registration ends September 6.Visit us: www.blackhat.com ---------------------------------------------------------------------------- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- RE: NDRs from spamming Tenorio, Leandro (Sep 19)
- <Possible follow-ups>
- Re: NDRs from spamming James C. Slora Jr. (Sep 19)
- Re: NDRs from spamming Bradley D. Moore (Sep 23)
- RE: NDRs from spamming Tenorio, Leandro (Sep 20)