Troy, Michigan -- August 11, 2006 --
Senior support technicians at Computer Mail Services, Inc. (CMS)
have recently been following a rise in a certain type of spam email
attack called Reverse NDR (RNDR). The rise in RNDR email volume
appears to coincide with spammers changing the methods and format of
their search for valid email addresses.
Historically, email addresses
used in the RNDR form of spam email have been harvested from the
Internet or other sources and represented possibly valid recipients.
Spammers then target these harvested addresses by using
non-delivery notices generated by mail systems as a backdoor to
placing their messages in recipient inboxes. While the volumes of
spam email sent to a particular site was large, they were in a
certain, almost legitimate format.
Recently, CMS and their
customers noticed larger than usual volumes of filtered RNDR mail
containing randomly generated character strings as an address.
Coinciding with the appearance random addressing is a massive
increase in volume. In one instance, a CMS customer has noticed a
day-to-day increase of 1600% in RNDR-type spam trapped by their CMS
Praetor Messaging Firewall. CMS’ own corporate email servers have
on several days seen RNDR-type spam volume increases of over 4000%
Spammer motivation for this new
addressing approach and the massive volume increases could fall into
several categories from simply a “shotgun” approach to reach valid
email addresses to malicious attempts to bring “Denial-of-Service”
(DOS) style attacks to vulnerable email servers.
The “Shotgun” addressing
approach would simply use a utility to create email addresses of
every possible letter combination for mailing to recipients at a
targeted domain. “Eventually, the random address generator hits
upon a valid recipient address but to find these people, the
increase in email volume will be huge” said Alan A. Sitek, Vice
President of Development at CMS. With spam still profitable and
sending email free, even successfully reaching a small percentage of
people with large volumes of RNDR mail generates profits.
If the spammer intent is a
Denial-of-Service (DOS) attack then their motivations are much more
malicious. DOS attacks will overload the targeted servers to slow
and possibly halt their operations. Perhaps spammers are targeting
spam filtering appliances, some of which are known to be
vulnerable. The actual motivation for DOS attacks on a particular
server is hard to define. While using this scheme to turn a profit
cannot be ruled out, in the past DOS attacks have been used for
several reasons: revenge, random maliciousness or the need to
prevent some group from spreading ideas and opinions.
Other possibilities include an
attempt to overload and reduce the effectiveness of the Bayesian
filters present in almost all email filtering software and
services. Forcing email administrators to train their Bayesian
filters on the huge volumes of RNDR spam. With overloaded and over
trained Bayesian filters, it may be simpler to successfully send
spam email at a later date.
Computer Mail Services, Inc.
was the first to report Reverse NDR spam in June of 2003. They
quickly updated their Praetor Messaging Firewall software to control
and prevent this type of attack. In
2003 Neil Berger, President of NSB Systems and Consulting Inc.
stated, “Almost every installation I’ve encountered suffers from the
problem of Reverse NDR. Not only does Reverse NDR eat up huge
amounts of mail server resources, but also the enterprise’s domain
risks being blacklisted by ISPs, customers, and organizations with
which the enterprise does business.”
Today while CMS’ Praetor
customers are secure, many other spam appliances and filters have
not instituted protections against RNDR attacks and remain
vulnerable. Computer Mail Services is continuing to study email
traffic for any indications of further changes in spammer tactics.
ABOUT COMPUTER MAIL SERVICES, INC.
Founded in 1982,
Sterling Heights, Michigan-based Computer Mail Services, Inc. (CMS) is a privately
held company with expertise in the development of messaging related
products: Praetor, XE-Filter, BL-Monitor and ES-Insight.
Praetor is a registered trademark of
Computer Mail Services, Inc. XE-Filter, ES-Insight and BL‑Monitor
are trademarks of Computer Mail Services, Inc.
# # #